Terraform Cloud, ~10 mins

Sentinel policy as code in Terraform - Step-by-Step Execution

Process Flow - Sentinel policy as code
Write Sentinel Policy
Load Policy in Terraform
Terraform Plan/Apply
Sentinel Evaluates Policy
Allow Apply
The flow shows writing a Sentinel policy, loading it in Terraform, running Terraform commands, and Sentinel evaluating to allow or block changes.
Execution Sample
Sentinel
// tfplan/v2 is the import that exposes resource_changes
// (the legacy "tfplan" import has no such attribute)
import "tfplan/v2" as tfplan

// True when the plan contains at least one resource change
condition = length(tfplan.resource_changes) > 0

// The policy passes when the main rule evaluates to true
main = rule { condition }
This Sentinel policy checks whether the Terraform plan contains any resource changes.
Process Table
Step | Action | Evaluation | Result
1 | Terraform plan generates the resource_changes list | resource_changes length = 2 | True
2 | Sentinel evaluates condition length(tfplan.resource_changes) > 0 | 2 > 0 | True
3 | Policy rule passes | condition is True | Allow apply
4 | Terraform apply proceeds | Policy passed | Resources created/updated
5 | No errors | End of execution | Success
💡 Terraform apply allowed because Sentinel policy condition was True
Status Tracker
Variable | Start | After Step 1 | After Step 2 | Final
tfplan.resource_changes | [] | [resource1, resource2] | [resource1, resource2] | [resource1, resource2]
condition | undefined | undefined | True | True
Key Moments - 2 Insights
Why does the policy block the apply if the condition is False?
Because at Step 2 of the Process Table, if the condition evaluates to False, the policy rule fails and Terraform blocks the apply to prevent unwanted changes.
What does tfplan.resource_changes represent?
It is the list of changes Terraform plans to make; at Step 1 of the Process Table it holds the resources Terraform will create or update.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table: what is the value of 'condition' at Step 2?
A. Undefined
B. True
C. False
D. Zero
💡 Hint
Check the 'Evaluation' column at Step 2 in the Process Table.
At which step does the Terraform apply get blocked if the policy fails?
A. Step 3
B. Step 4
C. Step 2
D. Step 1
💡 Hint
Look at the 'Result' column in the Process Table for the step where the policy rule passes or fails.
If tfplan.resource_changes were empty, how would the condition evaluate?
A. Error
B. True
C. False
D. Null
💡 Hint
Refer to the condition logic length(tfplan.resource_changes) > 0 in the Execution Sample.
Concept Snapshot
Sentinel policy as code:
- Write policies in Sentinel language
- Load policies in Terraform workflow
- Terraform plan triggers Sentinel evaluation
- Policy returns pass or fail
- Pass allows apply, fail blocks it
- Use tfplan data to check planned changes
Full Transcript
Sentinel policy as code means writing rules that Terraform checks before applying changes. The flow starts with writing a policy that inspects the Terraform plan. When you run terraform plan or apply, Terraform sends the plan data to Sentinel. Sentinel evaluates the policy condition, for example checking if there are any resource changes. If the condition is true, the policy passes and Terraform proceeds with apply. If false, the policy fails and Terraform blocks the apply to prevent unwanted changes. Variables like tfplan.resource_changes hold the planned resources. The execution table shows step-by-step how Terraform generates the plan, Sentinel evaluates the condition, and the result allows or blocks the apply. This helps enforce rules automatically in infrastructure deployment.
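As an added example (not part of the original module), the following Sentinel policy builds on the sample above: instead of only counting the entries in tfplan.resource_changes, it inspects each entry's planned actions and fails the main rule when any managed resource would be destroyed, which is the case where Sentinel blocks the apply. It assumes the tfplan/v2 import, whose resource_changes map and change.actions list are documented Sentinel attributes.

```sentinel
// Added example policy: block any plan that would destroy a managed resource.
// tfplan/v2 exposes resource_changes as a map keyed by resource address.
import "tfplan/v2" as tfplan

// Keep only managed resources (not data sources) whose planned actions
// include "delete". Replacements appear as ["delete", "create"] or
// ["create", "delete"], so they are caught as well.
destroys = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
	rc.change.actions contains "delete"
}

// Same shape as the sample policy: one boolean condition feeding main.
no_destroys = length(destroys) is 0

// Sentinel reports pass when main is true (apply allowed) and fail when
// it is false (apply blocked). An empty plan has no deletions, so it
// passes this rule, unlike the "any changes" sample policy.
main = rule { no_destroys }
```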