
Sentinel policy as code in Terraform - Commands & Configuration

Introduction
Sometimes you want to make sure your cloud resources follow rules before they are created. Sentinel lets you write these rules as code to check your Terraform plans automatically.
When you want to block creating resources that don't meet your company's security rules.
When you need to enforce cost limits on cloud resources before deployment.
When you want to ensure naming conventions are followed for all infrastructure.
When you want to prevent accidental deletion of critical resources.
When you want to automate policy checks in your Terraform workflow.
Config File - policy.sentinel
policy.sentinel
import "tfplan/v2" as tfplan

# With the tfplan/v2 import, planned resources are exposed through
# tfplan.resource_changes (keyed by address), not tfplan.resources.
# Keep only managed aws_instance resources that will exist after apply
# (created or updated); destroyed instances have no "after" values.
ec2_instances = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_instance" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Check that no AWS EC2 instance is of type t2.micro
main = rule {
  all ec2_instances as _, instance {
    instance.change.after.instance_type is not "t2.micro"
  }
}

This Sentinel policy imports the Terraform plan data and checks all AWS EC2 instances. It ensures none of them use the instance type "t2.micro". If any instance is of that type, the policy fails and blocks deployment.
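A second policy, added here as an example and not taken from the original page, covers the "prevent accidental deletion of critical resources" case listed in the introduction using the same tfplan/v2 import. The list of protected resource types is an assumption for illustration.

```sentinel
import "tfplan/v2" as tfplan

# Resource types this policy refuses to let a plan destroy.
# Assumed list for illustration; replace with your own critical resources.
protected_types = ["aws_db_instance", "aws_s3_bucket", "aws_kms_key"]

# Managed resources of a protected type whose planned actions include
# "delete". This also catches replacements, whose actions list is
# ["delete", "create"] or ["create", "delete"].
destroyed_protected = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  rc.type in protected_types and
  rc.change.actions contains "delete"
}

# Print every offending address so the plan author can see exactly
# which resource tripped the rule, then return the pass/fail result.
report_violations = func() {
  for destroyed_protected as address, rc {
    print("Protected resource would be destroyed:", address, "actions:", rc.change.actions)
  }
  return length(destroyed_protected) is 0
}

main = rule {
  report_violations()
}
```

The policy passes on a plan that only creates or updates protected resources, and fails, with each address printed, as soon as any of them would be deleted or replaced.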

Commands
Initializes the Terraform working directory and downloads required providers.
Terminal
terraform init
Expected Output
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!
Creates an execution plan and saves it to a file for Sentinel to evaluate.
Terminal
terraform plan -out=tfplan.binary
Expected Output
An execution plan has been generated and is saved to tfplan.binary.

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan.binary"
-out=tfplan.binary - Saves the plan to a file for later use
Runs the Sentinel policy against the saved Terraform plan to check if it passes the rules.
Terminal
sentinel apply -policy=policy.sentinel -input=tfplan.binary
Expected Output
Policy 'policy.sentinel' passed.
-policy=policy.sentinel - Specifies the Sentinel policy file to use
-input=tfplan.binary - Provides the Terraform plan file as input for evaluation
Key Concept

If you remember nothing else from this pattern, remember: Sentinel lets you write code rules that automatically check your Terraform plans before applying changes.

Common Mistakes
Running Sentinel without generating a Terraform plan file first.
Sentinel needs the Terraform plan as input to evaluate resources; without it, Sentinel cannot check anything.
Always run 'terraform plan -out=tfplan.binary' before running Sentinel with that plan file.
Writing Sentinel rules that do not match the Terraform resource structure.
If the policy code does not correctly access resource fields, it will not evaluate properly and may always pass or fail incorrectly.
Use the official Sentinel Terraform import documentation to write rules that correctly access resource attributes.
Ignoring Sentinel policy failures and applying Terraform changes anyway.
This defeats the purpose of policy enforcement and can lead to non-compliant infrastructure.
Treat Sentinel policy failures as blockers and fix the Terraform code or policy before applying.
Summary
Initialize Terraform to prepare your working directory.
Create a Terraform plan and save it to a file for policy evaluation.
Run Sentinel with your policy file against the saved plan to enforce rules before deployment.