HashiCorp Sentinel with Mondoo Policies for Terraform: A Compact Guide


In today's fast-paced DevOps environments, ensuring infrastructure compliance and security is paramount. Traditionally, HashiCorp Sentinel has been a go-to for policy as code within the HashiCorp ecosystem, particularly for Terraform users. However, Mondoo offers a compelling alternative, providing extensive security and compliance capabilities that can seamlessly integrate with Terraform. This article explores how to use Mondoo policies as a replacement for HashiCorp Sentinel with practical examples.

Why Consider Mondoo for Terraform Policy Management?

Mondoo is a security and compliance platform that offers robust capabilities for continuous security assessments and compliance checks across cloud, on-premises, and hybrid environments. Here are some key reasons to consider Mondoo:

  • Broad Integrations: Mondoo supports multiple cloud providers, CI/CD pipelines, Kubernetes, and more.
  • Comprehensive Security: In-depth security and compliance checks with pre-built and customizable policies.
  • Ease of Use: User-friendly platform with extensive documentation and support.

Writing Mondoo Policies

Mondoo policies are written using Mondoo's policy language. Here’s an example of a simple Mondoo policy to check that no AWS S3 bucket is publicly accessible:

 2  - uid: terraform-aws-s3-public-access
 3    name: "Ensure no S3 bucket is publicly accessible."
 4    version: 1.0.0
 5    scoring_system: highest impact
 6    tags:
 7      mondoo.com/category: security
 8    groups:
 9      - title: AWS S3 Bucket Policies
10        filters: asset.runtime == "terraform"
11        checks:
12          - uid: aws-s3-public-access
15  - uid: aws-s3-public-access
16    title: AWS S3 Public Access
17    impact: 50
18    mql: |
19        terraform.plan.resourceChanges.where(r: r.type == "aws_s3_bucket_acl" ).all(i:  i.change.after.acl.in( props.allowedACLs ) )        
21    props:
22      - uid: allowedACLs
23        title: Allowed ACLs
24        mql: |
25          ["private", "authenticated-read"]          

To ensure your policy definition is valid, you can use the Mondoo CLI to validate the policy file:

1cnspec policy lint aws_s3_bucket_policy.mql.yaml

Integrating Mondoo with Terraform

Integrating Mondoo with Terraform involves running Mondoo checks as part of your Terraform workflow based on the terraform plan. So we need some terraform code that creates a plan and then we can scan it with Mondoo. In our example, we will use an AWS S3 bucket as a sample resource. We will also rely on the Mondoo CLI to scan the Terraform plan with local policy files. On a production system, you would typically use the Mondoo platform to manage policies, scan results and integrate with CI/CD pipelines.

 1resource "aws_s3_bucket" "example" {
 2  bucket = "my-tf-example-bucket"
 5resource "aws_s3_bucket_ownership_controls" "example" {
 6  bucket = aws_s3_bucket.example.id
 7  rule {
 8    object_ownership = "BucketOwnerPreferred"
 9  }
12resource "aws_s3_bucket_acl" "example" {
13  depends_on = [aws_s3_bucket_ownership_controls.example]
15  bucket = aws_s3_bucket.example.id
16  acl    = "private"
  1. Create a Terraform Plan:
1terraform plan -out=tfplan
  1. Convert the Plan to JSON:
1terraform show -json tfplan > tfplan.json
  1. Run Mondoo Scan:

Use Mondoo to scan the Terraform plan:

 1cnspec scan terraform plan tfplan.json -f aws_s3_bucket_policy.mql.yaml
 3→ discover related assets for 1 asset(s)
 5 Terraform Static Analysis tfplan ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A
 7Asset: Terraform Static Analysis tfplan
11✓ Pass:  100  AWS S3 Public Access
13Scanned 1 asset
15Terraform Plan
16    [100/100]   Terraform Static Analysis tfplan

Example: Enforcing Security Groups Policies

Let's enforce a policy to ensure that no security group allows SSH access from anywhere.

Mondoo Policy

 2  - uid: terraform-aws-sec-group-ssh-access
 3    name: "Ensure No Security Group Allows SSH from"
 4    version: 1.0.0
 5    scoring_system: highest impact
 6    tags:
 7      mondoo.com/category: security
 8    groups:
 9      - title: AWS SSH Security Group Check
10        filters: asset.runtime == "terraform"
11        checks:
12          - uid: aws-ssh-security-group
14  - uid: aws-ssh-security-group
15    title: AWS SSH Security Group Check
16    impact: 20
17    mql: |
18      terraform.plan.resourceChanges.where(r: r.type == "aws_security_group" || r.type == "aws_security_group_rule" ).all(i:
19        i.change.after.from_port == 22
20        && i.change.after.to_port == 22
21        && i.change.after.cidr_blocks.not_in( props.disAllowedCIDRs )
22        && i.change.after.ipv6_cidr_blocks.not_in( props.disAllowedCIDRs )
23        )      
25    props:
26      - uid: disAllowedCIDRs
27        title: Disallowed CIDRs
28        mql: |
29          ["", "::/0" ]          

Terraform Configuration

Here’s a sample Terraform configuration for an AWS security group:

 1resource "aws_security_group" "example" {
 2  name        = "example-sg"
 3  description = "Example security group"
 5  ingress {
 6    from_port   = 22
 7    to_port     = 22
 8    protocol    = "tcp"
 9    cidr_blocks = [""]
10  }
12resource "aws_security_group_rule" "example" {
13  type              = "ingress"
14  from_port         = 22
15  to_port           = 22
16  protocol          = "tcp"
17  ipv6_cidr_blocks = [ "::/0" ]
18  security_group_id = aws_security_group.example.id

Running the Mondoo Policy Against the Terraform Plan

  1. Create and Show Plan:
1terraform plan -out=tfplan
2terraform show -json tfplan > tfplan.json
  1. Scan with Mondoo:
1cnspec scan terraform plan tfplan.json -f aws_security_group_policy.mql.yaml

The Mondoo scan will analyze the Terraform plan and enforce the policy, alerting you if any security group allows SSH access from


Mondoo provides a powerful and flexible alternative to HashiCorp Sentinel for enforcing policies in your Terraform workflows. By integrating Mondoo, you can enhance your infrastructure's security and compliance posture with minimal effort. With its broad integration capabilities and comprehensive policy management features, Mondoo is well-suited for modern DevOps environments.

Overall, Mondoo offers a robust platform for continuous security and compliance checks across your infrastructure, ensuring that your Terraform-managed resources adhere to your organization's security policies. These policies can be maintained on the Mondoo platform and enforced as part of your Terraform workflows and CI/CD pipelines.

Start leveraging Mondoo today and ensure your Terraform-managed infrastructure remains secure and compliant.

Go Back explore our courses

We are here for you

You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.

Contact us