Sentinel
Language: Parameters
Sentinel allows a policy author to supply parameters to help facilitate policy reuse and ensure sensitive values do not need to be hard-coded in a policy.
Parameters are supplied by using the param keyword, followed by an identifier.
A default value can also be supplied by using the default keyword.
param foo // assigned to foo, required
param bar default 42 // assigned to bar, optional, default 42
Once declared, parameters can be used like any other variable, including being re-assigned.
param foo default 1 // 1 (default)
foo = foo + 1 // 2
Variable Descriptions
You can supply a description for a parameter by adding a comment directly above it. This value can be communicated to a specific implementation of Sentinel to provide information about what the parameter is for during configuration.
// An example parameter. Must be supplied or the policy will fail.
param foo
Supplying Parameter Values Using the Sentinel CLI
In a production implementation, supplying parameters to a policy is an implementation-specific detail - see the documentation for your particular implementation for details.
Using the Sentinel CLI, you can supply parameters in one of four ways.
Supplying Parameter Values Using the Configuration File
You can supply parameters using the param section of the configuration file.
param "foo" {
  value = "bar"
}
This method works for both sentinel apply and sentinel test.
In addition to the above, you can supply targeted parameters to each policy block in the configuration file.
policy "foo" {
  source = "foo.sentinel"
  enforcement_level = "hard-mandatory"
  params = {
    "name" = "Sample"
  }
}
Supplying Parameter Values Using the Environment
NOTE: This method of supplying parameters is only supported by sentinel apply.
You can supply a value using an environment variable: prefix the name of the parameter with SENTINEL_PARAM_.
SENTINEL_PARAM_foo=bar sentinel apply policy.sentinel
Supplying Parameter Values Using CLI Arguments
NOTE: This method of supplying parameters is only supported by sentinel apply.
You can also use the -param CLI argument to supply a parameter as a key=value pair.
sentinel apply -param foo=bar policy.sentinel
Interactive CLI Prompting
NOTE: This method of supplying parameters is only supported by sentinel apply.
If a required value has not been supplied when a policy is run with sentinel apply, it will be prompted for, along with its description:
$ sentinel apply policy.sentinel
policy.sentinel:2:7: requires value for parameter foo
An example parameter. Must be supplied or the policy will fail.
Values can be strings, floats, or JSON array or object values. To force
strings, use quotes.
Enter a value: bar
Pass
CLI Value Format
NOTE: This section contains details for the parameter features supported by sentinel apply.
The CLI takes either strings, or JSON numbers, arrays, or maps. If you need a literal string value, quote the value.
foo // string
42 // number (float)
"42" // string ("42", without quotes)
[1, 2] // array (list)
{"a": "b"} // object (map)
NOTE: Boolean values are not supported by this method.
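A pre-flight check for the value rules above, as an added example (not part of the Sentinel documentation and not the Sentinel CLI's own parser): it models the five rows of the value table with Python's json module and flags booleans before a value is handed to -param or SENTINEL_PARAM_. The parameter names, the sample values, and the handling of null and NaN are assumptions made here.

```python
import json


def _reject_constant(token):
    # Python's json module accepts NaN/Infinity; strict JSON does not.
    raise ValueError(token)


def classify_param_value(raw):
    """Return the type the documented rules assign to a raw CLI value."""
    try:
        parsed = json.loads(raw, parse_constant=_reject_constant)
    except ValueError:
        return "string"          # not JSON, e.g. the bare word foo
    if isinstance(parsed, bool):  # checked before numbers: bool subclasses int
        return "unsupported"      # booleans are not supported by this method
    if parsed is None:
        return "undocumented"     # assumption: the page does not mention null
    if isinstance(parsed, (int, float)):
        return "number"
    if isinstance(parsed, str):
        return "string"           # quoted value, e.g. "42"
    return "list" if isinstance(parsed, list) else "map"


def check_params(expected, supplied):
    """Compare the intended type of each required parameter with its value."""
    problems = []
    for name, want in expected.items():
        if name not in supplied:
            problems.append(f"{name}: not supplied, sentinel apply would prompt")
            continue
        got = classify_param_value(supplied[name])
        if got != want:
            problems.append(f"{name}: wanted {want}, {supplied[name]!r} is {got}")
    return problems


# Constructed sample: hypothetical parameter names and values.
EXPECTED = {"account_id": "string", "max_instances": "number",
            "allowed_regions": "list", "enforce": "string"}
SUPPLIED = {"account_id": "123456789012",        # unquoted digits: a number
            "max_instances": "5",
            "allowed_regions": '["us-east-1"]',
            "enforce": "true"}                    # boolean: flagged

if __name__ == "__main__":
    for problem in check_params(EXPECTED, SUPPLIED):
        print(problem)
```

The raw strings are the values as the CLI receives them, after the shell has processed its own quoting, so a literal string such as "42" needs its double quotes to survive the shell.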