sentinel: remove default scope for Sentinel apply command

When we add a Sentinel scope for dynamic host volumes, having a default `-scope` value for `sentinel apply` risks accidentally adding policies for volumes to the job scope. This would immediately prevent any job from being submitted. Forcing the administrator to pass a `-scope` will prevent accidental misuse. Ref: hashicorp/nomad-enterprise#2087 Ref: #24479
hashicorp · Dec 3, 2024 · 8e35e69 · 8e35e69
1 parent bef9714
commit 8e35e69
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/.changelog/24601.txt b/.changelog/24601.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+sentinel: The sentinel apply command now requires the -scope option
+```
diff --git a/api/sentinel.go b/api/sentinel.go
@@ -82,3 +82,9 @@ type SentinelPolicyListStub struct {
 	CreateIndex      uint64
 	ModifyIndex      uint64
 }
+
+// Possible Sentinel scopes
+const (
+	SentinelScopeSubmitJob        = "submit-job"
+	SentinelScopeSubmitHostVolume = "submit-host-volume"
+)
diff --git a/command/sentinel_apply.go b/command/sentinel_apply.go
@@ -37,8 +37,9 @@ Apply Options:
   -description
     Sets a human readable description for the policy.
 
-  -scope (default: submit-job)
-    Sets the scope of the policy and when it should be enforced.
+  -scope
+    Sets the scope of the policy and when it should be enforced. One of
+    "submit-job" or "submit-host-volume".
 
   -level (default: advisory)
     Sets the enforcement level of the policy. Must be one of advisory,
@@ -73,7 +74,7 @@ func (c *SentinelApplyCommand) Run(args []string) int {
 	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 	flags.StringVar(&description, "description", "", "")
-	flags.StringVar(&scope, "scope", "submit-job", "")
+	flags.StringVar(&scope, "scope", "", "")
 	flags.StringVar(&enfLevel, "level", "advisory", "")
 	if err := flags.Parse(args); err != nil {
 		return 1
@@ -107,6 +108,16 @@ func (c *SentinelApplyCommand) Run(args []string) int {
 		}
 	}
 
+	switch scope {
+	case api.SentinelScopeSubmitJob, api.SentinelScopeSubmitHostVolume:
+	case "":
+		c.Ui.Error("-scope flag is required")
+		return 1
+	default:
+		c.Ui.Error(fmt.Sprintf("Error: invalid -scope value: %q", scope))
+		return 1
+	}
+
 	// Construct the policy
 	sp := &api.SentinelPolicy{
 		Name:             policyName,