feat: Add Sentinel example

.github/workflows/examples_test.yml

@@ -152,6 +152,35 @@ jobs:
  cp /tmp/infracost_comment.md
  ./testdata/multi_terraform_workspace_config_file_comment_golden.md
  if: env.UPDATE_GOLDEN_FILES == 'true'
+ open-policy-agent:
+ name: Open Policy Agent
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Infracost
+ uses: ./setup
+ with:
+ api-key: ${{ secrets.INFRACOST_API_KEY }}
+ - name: Setup OPA
+ uses: infracost/setup-opa@v1
+ - name: Run Infracost
+ run: >-
+ infracost breakdown --path=examples/conftest/code/plan.json
+ --format=json --out-file=/tmp/infracost.json
+ - name: Run OPA
+ run: >-
+ opa eval --input /tmp/infracost.json -d
+ examples/opa/policy/policy.rego --format pretty "data.infracost.deny"
+ | tee /tmp/opa.out
+ - name: Check Policies
+ run: |
+ denyReasons=$(</tmp/opa.out)
+ if [ "$denyReasons" != "[]" ]; then
+ echo -e "::error::Policy check failed:\n$denyReasons"
+ exit 1
+ else
+ echo "::info::Policy check passed."
+ fi
  private-terraform-module:
  name: Private Terraform module
  runs-on: ubuntu-latest
@@ -193,6 +222,34 @@ jobs:
  cp /tmp/infracost_comment.md
  ./testdata/private-terraform-module_comment_golden.md
  if: env.UPDATE_GOLDEN_FILES == 'true'
+ sentinel:
+ name: Sentinel
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Setup Infracost
+ uses: ./setup
+ with:
+ api-key: ${{ secrets.INFRACOST_API_KEY }}
+ - name: Setup Sentinel
+ uses: innovationnorway/setup-sentinel@v1
+ - name: Run Infracost
+ run: >-
+ infracost breakdown --path=examples/sentinel/code/plan.json
+ --format=json --out-file=/tmp/infracost.json
+ - name: Run Sentinel
+ run: >-
+ sentinel apply -global breakdown="$(cat /tmp/infracost.json)"
+ examples/sentinel/policy/policy.policy | tee /tmp/sentinel.out
+ - name: Check Policies
+ run: |
+ result=$(</tmp/sentinel.out)
+ if [ "$result" != "Pass - policy.policy" ]; then
+ echo -e "::error::Policy check failed:\n$result"
+ exit 1
+ else
+ echo "::info::Policy check passed."
+ fi
  slack:
  name: Slack
  runs-on: ubuntu-latest
@@ -398,7 +455,7 @@ jobs:
  }
 
  console.log(`percent-change: ${percentChange}`);
- console.log(`cost-change: ${costChange}`);
+ console.log(`cost-change: ${costChange}`); 
 
  // Set the calculated diffs as outputs to be used in future steps
  core.setOutput('absolute-percent-change', absolutePercentChange);

README.md

@@ -106,6 +106,7 @@ The [examples](examples) directory demonstrates how these actions can be used in
  - [Thresholds](examples/thresholds): only post a comment when cost thresholds are exceeded
  - [Conftest](examples/conftest): check Infracost cost estimates against policies using Conftest
  - [OPA](examples/opa): check Infracost cost estimates against policies using Open Policy Agent
+ - [Sentinel](examples/sentinel): check Infracost cost estimates against policies using Hashicorp's Sentinel
  - [Slack](examples/slack): send cost estimates to Slack
 
 ## Actions

examples/README.md

@@ -12,6 +12,7 @@ All examples post a single comment on pull requests, which gets updated as more
 - [Thresholds](thresholds): only post a comment when cost thresholds are exceeded
 - [Conftest](conftest): check Infracost cost estimates against policies using Conftest
 - [OPA](opa): check Infracost cost estimates against policies using Open Policy Agent
+- [Sentinel](sentinel): check Infracost cost estimates against policies using Hashicorp's Sentinel 
 - [Slack](slack): send cost estimates to Slack
 
 See the [contributing](../CONTRIBUTING.md) guide if you'd like to add an example.

examples/sentinel/README.md

@@ -0,0 +1,97 @@
+# Sentinel Example
+
+This example shows how to write cost policies with Hashicorp's [Sentinel](https://www.hashicorp.com/sentinel). For simplicity, this example evaluates policies with the Sentinel CLI (a.k.a. Sentinel Simulator).
+
+When the policy checks pass, the GitHub Action step called "Check Policies" passes and outputs `Policy check passed.` in the action logs. When the policy checks fail, that step fails and the action logs show the Sentinel output indicating failing policies.
+
+Create a policy file (e.g. `policy.policy) that checks a global parameter 'breakdown' containing the Infracost JSON: 
+```policy
+import "strings"
+
+limitTotalDiff = rule {
+ float(breakdown.totalMonthlyCost) < 1500
+}
+
+awsInstances = filter breakdown.projects[0].breakdown.resources as _, resource {
+ strings.split(resource.name, ".")[0] is "aws_instance"
+}
+
+limitInstanceCost = rule {
+ all awsInstances as _, instance {
+ float(instance.hourlyCost) <= 2.00
+ }
+}
+
+instanceBaseCost = func(instance) {
+ cost = 0.0
+ for instance.costComponents as cc {
+ cost += float(cc.hourlyCost)
+ }
+ return cost
+}
+
+instanceIOPSCost = func(instance) {
+ cost = 0.0
+ for instance.subresources as sr {
+ for sr.costComponents as cc {
+ if cc.name == "Provisioned IOPS" {
+ cost += float(cc.hourlyCost)
+ }
+ }
+ }
+ return cost
+}
+
+limitInstanceIOPSCost = rule {
+ all awsInstances as _, instance {
+ instanceIOPSCost(instance) <= instanceBaseCost(instance)
+ }
+}
+
+main = rule {
+ limitTotalDiff and
+ limitInstanceCost and
+ limitInstanceIOPSCost
+}
+```
+
+Then use Sentinel to test infrastructure cost changes against the policy.
+
+[//]: <> (BEGIN EXAMPLE)
+```yml
+name: Sentinel
+on: [pull_request]
+
+jobs:
+ sentinel:
+ name: Sentinel
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Setup Infracost
+ uses: infracost/actions/setup@v1
+ with:
+ api-key: ${{ secrets.INFRACOST_API_KEY }}
+
+ - name: Setup Sentinel
+ uses: innovationnorway/setup-sentinel@v1
+
+ - name: Run Infracost
+ run: infracost breakdown --path=examples/sentinel/code/plan.json --format=json --out-file=/tmp/infracost.json
+
+ - name: Run Sentinel
+ run: sentinel apply -global breakdown="$(cat /tmp/infracost.json)" examples/sentinel/policy/policy.policy | tee /tmp/sentinel.out
+
+ - name: Check Policies
+ run: |
+ result=$(</tmp/sentinel.out)
+ if [ "$result" != "Pass - policy.policy" ]; then
+ echo -e "::error::Policy check failed:\n$result"
+ exit 1
+ else
+ echo "::info::Policy check passed."
+ fi
+```
+[//]: <> (END EXAMPLE)