Terraformcloud~30 mins

Sentinel policy as code in Terraform - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Sentinel Policy as Code with Terraform

📖 Scenario: You are working in a cloud team that uses Terraform to manage infrastructure. Your team wants to enforce a policy that limits the size of virtual machines (VMs) to control costs. You will write a Sentinel policy as code to check Terraform plans and ensure no VM exceeds a specified size.

🎯 Goal: Build a Sentinel policy that reads Terraform plan data and enforces a maximum VM size limit. This policy will help your team automatically prevent deploying VMs larger than allowed.

📋 What You'll Learn

Create a Sentinel policy file with a variable for maximum VM size

Access Terraform plan resource data in the policy

Write a rule that checks VM sizes against the maximum allowed

Return a boolean result indicating if the plan passes the policy

💡 Why This Matters

🌍 Real World

Sentinel policies help teams enforce rules automatically before infrastructure changes are applied, reducing errors and cost overruns.

💼 Career

Cloud engineers and DevOps professionals use Sentinel policies to implement governance and compliance in infrastructure as code workflows.

Progress0 / 4 steps

Create the Sentinel policy file with max VM size variable

Create a Sentinel policy file named vm_size_policy.sentinel. Define a variable called max_vm_size and set it to the string "Standard_DS2_v2".

Terraform

# Your code here

Need a hint?

Use the syntax variable_name = "value" to define variables in Sentinel.

Import Terraform plan data and select VM resources

Add a block to import the Terraform plan data using import "tfplan/v2". Then create a variable called vms that selects all resources of type azurerm_virtual_machine from the planned values.

Terraform

max_vm_size = "Standard_DS2_v2"
# Your code here

Need a hint?

Use import "tfplan/v2" as tfplan to access Terraform plan data. Then access VM resources with tfplan.planned_values.resources["azurerm_virtual_machine"].

Write a rule to check VM sizes against max_vm_size

Write a rule named vm_size_check that returns true only if all VMs in vms have their attributes.vm_size less than or equal to max_vm_size in lexicographical order. Use a for loop with variables vm to iterate over vms.

Terraform

max_vm_size = "Standard_DS2_v2"
import "tfplan/v2" as tfplan

vms = tfplan.planned_values.resources["azurerm_virtual_machine"]

# Your code here

Need a hint?

Use rule { all vm in vms as vm { condition } } to check all VMs meet the size condition.

Return the final policy result

Add a main rule that returns the result of vm_size_check. This will be the final policy result.

Terraform

max_vm_size = "Standard_DS2_v2"
import "tfplan/v2" as tfplan

vms = tfplan.planned_values.resources["azurerm_virtual_machine"]

vm_size_check = rule {
    all vm in vms as vm {
        vm.instances[0].attributes.vm_size <= max_vm_size
    }
}

# Your code here

Need a hint?

The main rule is the entry point and should return the result of your checks.