Sunday, 29 June 2025

Terraform - Sentinel

 

✅ 1. What is Sentinel? 

Sentinel is HashiCorp’s policy-as-code framework built into Terraform Enterprise and Terraform Cloud (Business tier). 
It lets you write policies to control, restrict, or validate Terraform plans before they’re applied. 

You can use Sentinel to enforce security, cost, compliance, and architectural standards. 

 

🧱 2. Sentinel Policy Examples 

🔒 Example 1: Block Public S3 Buckets 

import "tfplan/v2" as tfplan 
 
// Canned ACLs that expose a bucket publicly. 
public_acls = ["public-read", "public-read-write"] 
 
// Only S3 buckets being created or updated; a deleted resource has no `after` block. 
// resource_changes is a map keyed by address, so iterate with `as _, rc`. 
s3_buckets = filter tfplan.resource_changes as _, rc { 
  rc.type is "aws_s3_bucket" and rc.mode is "managed" and 
  (rc.change.actions contains "create" or rc.change.actions contains "update") 
} 
 
main = rule { 
  all s3_buckets as _, rc { 
    (rc.change.after.acl else "private") not in public_acls  // an unset acl is private 
  } 
} 
 

This policy: 

  • Allows the plan only if no S3 buckets are public 

 

🏷️ Example 2: Require Tags on All AWS Resources 

import "tfplan/v2" as tfplan 
 
required_tags = ["Environment", "Owner"] 
 
// Only AWS resources that will exist after apply; a deleted resource has no `after` block. 
aws_resources = filter tfplan.resource_changes as _, rc { 
  rc.mode is "managed" and rc.type matches "^aws_" and 
  (rc.change.actions contains "create" or rc.change.actions contains "update") 
} 
 
main = rule { 
  all aws_resources as _, rc { 
    all required_tags as tag { 
      tag in (rc.change.after.tags else {})  // a missing tags block counts as no tags 
    } 
  } 
} 
 

Denies the plan if any AWS resource is missing one of the required tags. 

 

💵 Example 3: Prevent Expensive EC2 Instances 

import "tfplan/v2" as tfplan 
 
disallowed_types = ["m5.24xlarge", "c5.18xlarge"] 
 
// Only EC2 instances being created or updated; other resource types are ignored. 
instances = filter tfplan.resource_changes as _, rc { 
  rc.type is "aws_instance" and rc.mode is "managed" and 
  (rc.change.actions contains "create" or rc.change.actions contains "update") 
} 
 
main = rule { 
  all instances as _, rc { 
    // An instance_type that is still unknown at plan time is absent from `after`. 
    (rc.change.after.instance_type else "") not in disallowed_types 
  } 
} 
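The three policies above all need the same preamble: restrict the check to managed resources of one type that are actually being created or updated, and tolerate attributes that are absent from the planned values. The policy below is an added example, not code from the original post or from HashiCorp, that factors that preamble into a helper, collects violating addresses instead of just returning false, and adds the "require encryption" use case from the table at the end using the `encrypted` attribute of `aws_ebs_volume`. The helper names (`find_resources`, `violations`) and the EBS check are this example's own choices.

```sentinel
// Added example, not code from the original post or from HashiCorp: a reusable
// pattern for policies against tfplan/v2. It filters resource changes to the
// managed resources of one type that are being created or updated, collects
// the addresses that violate a check, and prints them so the run log says
// which resource failed. The helper names and the aws_ebs_volume check are
// this example's own choices.
import "tfplan/v2" as tfplan

// Resources of the given type that will exist after apply (deletes and no-ops
// are skipped, so `change.after` is always a map for what remains).
find_resources = func(rtype) {
	return filter tfplan.resource_changes as _, rc {
		rc.type is rtype and rc.mode is "managed" and
		(rc.change.actions contains "create" or rc.change.actions contains "update")
	}
}

// Addresses of the resources for which is_violation(rc) returns true.
violations = func(resources, is_violation) {
	addrs = []
	for resources as address, rc {
		if is_violation(rc) {
			append(addrs, address)
		}
	}
	return addrs
}

// Check 1: no S3 bucket may use a public canned ACL; an unset ACL is private.
public_acls = ["public-read", "public-read-write"]
public_buckets = violations(find_resources("aws_s3_bucket"), func(rc) {
	return (rc.change.after.acl else "private") in public_acls
})

// Check 2: every EBS volume must be encrypted (the "require encryption" use case).
unencrypted_volumes = violations(find_resources("aws_ebs_volume"), func(rc) {
	return (rc.change.after.encrypted else false) is not true
})

// Print the offending addresses so a failure is actionable in the run output.
if length(public_buckets) > 0 {
	print("S3 buckets with a public ACL:", public_buckets)
}
if length(unencrypted_volumes) > 0 {
	print("Unencrypted EBS volumes:", unencrypted_volumes)
}

no_public_buckets = rule { length(public_buckets) is 0 }
all_volumes_encrypted = rule { length(unencrypted_volumes) is 0 }

main = rule {
	no_public_buckets and all_volumes_encrypted
}
```

Under hard-mandatory enforcement a single public bucket or unencrypted volume blocks the apply; under advisory the same printed addresses appear as a warning, which is what makes the policy reviewable rather than a bare pass/fail.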
 

 

⚙️ 3. How Sentinel Policies Are Executed 

When a terraform plan is run in a workspace linked to a Sentinel policy, the workflow becomes: 

Git push → Terraform plan → Sentinel policies run → Apply (if allowed) 
 

Depending on enforcement level, the policy may: 

  • Warn only (advisory) 

  • Warn but allow an override (soft mandatory) 

  • Block the apply entirely (hard mandatory) 

 

📂 4. How to Set Up Sentinel 

Step-by-Step Setup in Terraform Enterprise / Cloud: 

 

✅ A. Write Sentinel Policies 

Create a Git repo (e.g., tfe-policies) and add your policies: 

tfe-policies/ 
├── no-public-s3.sentinel 
├── required-tags.sentinel 
└── cost-controls.sentinel 
 

 

✅ B. Create Policy Set in TFE UI 

  1. Go to your Terraform Enterprise/Cloud UI 

  2. Go to "Policy Sets" → "Create new" 

  3. Choose a Git VCS provider and the repo containing your .sentinel policies 

  4. Select the workspaces this policy set applies to 

  5. Set the enforcement level for each policy: 

     • advisory → warn only 

     • soft-mandatory → warn, but an override is possible 

     • hard-mandatory → fail and block the apply 

 

✅ C. Run a Plan in That Workspace 

Now, when you do: 

git push 
# or terraform plan via TFE UI 
 

Terraform will: 

  1. Create a plan 

  2. Run all linked Sentinel policies 

  3. Display pass/fail per policy 

🚫 If any hard-mandatory policy fails, Terraform will block the apply. 

 

🧪 5. How to Test Sentinel Policies 

Option A: Use the Sentinel CLI (local testing) 

Create a test file. The Sentinel CLI looks for test cases in test/<policy-name>/ next to the policy; each case is an HCL file that declares the mock data for the imports and the expected result of each rule: 

# test/no-public-s3/fail.hcl 
mock "tfplan/v2" { 
  module { 
    source = "mock-tfplan-v2.sentinel"   # mock plan data containing a public bucket 
  } 
} 
 
test { 
  rules = { 
    main = false   # expected result: the policy must fail against this plan 
  } 
} 
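The mock data the test refers to is itself a Sentinel file that assigns the import's top-level values. The file below is an added example, not part of the original post: a hand-constructed mock saved as test/no-public-s3/mock-tfplan-v2.sentinel that describes a plan creating one S3 bucket with a public-read ACL, so the no-public-s3 policy's main rule must evaluate to false against it. The bucket address, name and tag values are made up for the example; Terraform Enterprise/Cloud can also generate this kind of mock from a real run.

```sentinel
// Added example, not from the original post: a hand-written mock of the
// tfplan/v2 import, saved as test/no-public-s3/mock-tfplan-v2.sentinel.
// It describes a plan that creates a single S3 bucket with a public-read
// ACL, so the no-public-s3 policy's main rule must evaluate to false.
// Only the keys the policy reads (type, mode, change.actions, change.after)
// matter; the remaining keys mirror the shape of the real import.
// All addresses and values here are constructed for the example.
resource_changes = {
	"aws_s3_bucket.logs": {
		"address":        "aws_s3_bucket.logs",
		"module_address": "",
		"mode":           "managed",
		"type":           "aws_s3_bucket",
		"name":           "logs",
		"provider_name":  "registry.terraform.io/hashicorp/aws",
		"deposed":        "",
		"index":          null,
		"change": {
			"actions": ["create"],
			"before":  null,
			"after": {
				"bucket": "example-logs-bucket",
				"acl":    "public-read",
				"tags": {
					"Environment": "dev",
					"Owner":       "platform",
				},
			},
			"after_unknown": {
				"arn": true,
				"id":  true,
			},
		},
	},
}
```

A second case with `"acl": "private"` and `main = true` in its test block gives the policy a passing example as well, so a later edit that accidentally blocks every bucket is caught just as quickly as one that lets a public bucket through.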
 

Run test: 

sentinel test no-public-s3.sentinel 
 

 

Option B: Use tfrun-agent to test within your CI/CD 

You can also use Terraform Run Tasks (if enabled) to run inline policy checks as part of CI/CD workflows. 

 

✅ Summary 

Task                       How 
Write policy               .sentinel files in a Git repo 
Link to workspace          Create a Policy Set in the Terraform Enterprise/Cloud UI 
Choose enforcement level   Advisory / Soft-mandatory / Hard-mandatory 
Trigger policy             Any terraform plan, via Git push or the UI 
Test locally               Use the sentinel CLI with mocks 

 

🧠 Real-World Use Cases 

Use Case        Policy Description 
Security        Block public buckets, require encryption 
Tagging         Enforce mandatory cost-tracking tags 
Cost            Deny large EC2 instance types 
Architecture    Enforce use of VPC endpoints for S3 
Identity        Only use approved IAM policies 

 
