Sentinel Policy in Terraform: What It Is and How It Works
Sentinel policy in Terraform is a set of rules that control and enforce how infrastructure changes are applied. It acts like a gatekeeper, checking Terraform plans before they run to ensure they meet your organization's standards.
How It Works
Think of a Sentinel policy as a security guard for your infrastructure changes. Sentinel runs in Terraform Cloud and Terraform Enterprise between the plan and apply stages: once Terraform has produced a plan, each policy evaluates that plan against the rules you wrote. What a failing policy does depends on its enforcement level. An advisory policy only logs a warning; a soft-mandatory failure blocks the apply unless a user with override permission explicitly overrides it; a hard-mandatory failure blocks the apply outright. Sentinel is not built into the open-source Terraform CLI, although policies can be written and tested locally with the Sentinel CLI.
Policies are written in the Sentinel language and read the plan through imports such as tfplan/v2, which exposes every planned resource change (its address, type, planned actions, and before/after attribute values). That lets rules check resource types, tags, attribute values, or cost estimates. Because the policy set runs on every applicable run, it catches mistakes and unwanted changes consistently rather than relying on a human reviewer to notice them.
Example
This example Sentinel policy fails any Terraform plan that creates an AWS EC2 instance (aws_instance) without a tag named Environment. It first narrows the plan down to managed aws_instance resources that are being created; filtering on the action matters because a deleted resource has no change.after value, so checking tags on it would make the rule undefined.

```sentinel
import "tfplan/v2" as tfplan

# Managed aws_instance resources that this plan will create.
# Filtering on the "create" action avoids evaluating change.after
# for deletions, where it is null.
ec2_creates = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	rc.change.actions contains "create"
}

# Every instance being created must carry an Environment tag.
# "contains" on a map checks for the presence of a key.
main = rule {
	all ec2_creates as _, rc {
		rc.change.after.tags is not null and
		rc.change.after.tags contains "Environment"
	}
}
```
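A policy should be tested before it is attached to a workspace. The following is an added example, not code from the original page, showing a Sentinel test case for the policy above. It assumes the policy is saved as require-environment-tag.sentinel and that the test lives at test/require-environment-tag/fail.hcl; the instance attributes are constructed sample data. The mock block supplies the plan data the tfplan/v2 import would normally provide, and the test block states the expected rule result.

```hcl
# test/require-environment-tag/fail.hcl (assumed path for this example)
# Constructed mock plan: one aws_instance being created with tags
# that do not include Environment, so the policy must fail.
mock "tfplan/v2" {
  data = {
    resource_changes = {
      "aws_instance.web" = {
        address = "aws_instance.web"
        mode    = "managed"
        type    = "aws_instance"
        name    = "web"
        change = {
          actions = ["create"]
          after = {
            instance_type = "t3.micro"
            tags = {
              Name = "web"
            }
          }
        }
      }
    }
  }
}

# The main rule is expected to evaluate to false for this plan.
test {
  rules = {
    main = false
  }
}
```

Run `sentinel test` in the directory containing the policy; it discovers every test/<policy-name>/*.hcl file and reports pass or fail per case. A matching pass.hcl, with an Environment key in the tags map and `main = true`, completes the pair and guards against a rule that fails every plan.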
When to Use
Use Sentinel policies when you want to enforce rules on your infrastructure automatically rather than through code review alone. For example, you can require every resource to carry a cost center tag, prevent deletion of critical resources, or block changes outside business hours (using the time import). Because the policy evaluates the plan, not the source code, it catches violations regardless of which module or workspace produced them.
This helps teams stay compliant with company policies, avoid costly mistakes, and keep infrastructure safe and organized.
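The "prevent deletion of critical resources" case above, written as an added example policy that is not part of the original page. The list of resource types treated as critical is an assumption for illustration; an organization would substitute its own. The policy also reports each offending resource address in the run log, so the person whose apply was blocked can see why.

```sentinel
import "tfplan/v2" as tfplan

# Resource types this organization treats as critical.
# Assumed list for the example; replace with your own.
critical_types = ["aws_db_instance", "aws_s3_bucket", "aws_kms_key"]

# Planned changes that would destroy a managed resource of a critical type.
# A replace plan carries both "delete" and "create" in its actions list,
# so forced replacements are caught as well as plain destroys.
critical_deletions = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
	rc.type in critical_types and
	rc.change.actions contains "delete"
}

# Print the address of every violating resource. print() returns true,
# so the function can be used inside the rule without changing its result.
report_violations = func() {
	for critical_deletions as address, _ {
		print("Blocked: plan would destroy critical resource", address)
	}
	return true
}

main = rule {
	report_violations() and
	length(critical_deletions) is 0
}
```

Attach a policy like this as soft-mandatory rather than hard-mandatory when a legitimate decommission must remain possible: the apply is still blocked by default, but a user with override permission can approve it deliberately, leaving an audit trail of who did so.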
Key Points
- Sentinel policies run after Terraform has produced a plan and before that plan is applied.
- They are written in the Sentinel language and inspect the plan through imports such as tfplan/v2.
- A policy passes or fails; what a failure does depends on its enforcement level (advisory, soft-mandatory, or hard-mandatory).
- They help enforce governance and compliance automatically.