Sentinel
Terraform
HCP Terraform and Terraform Enterprise use Sentinel to enforce policy on Terraform configurations, states, and plans.
The Sentinel integration with Terraform runs within HCP Terraform and Terraform Enterprise after a terraform plan and before a terraform apply. The policies have access to the created plan, the state at the time of the plan, and the configuration at the time of the plan.
The Terraform integration with Sentinel is documented in depth in the HCP Terraform and Terraform Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.
Examples
Example: All AWS instances must have a tag
import "tfplan"

main = rule {
    all tfplan.resources.aws_instance as _, instances {
        all instances as _, r {
            (length(r.applied.tags) else 0) > 0
        }
    }
}
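A stricter variant of the tag policy, added here as an illustration; it is not taken from the Sentinel or HCP Terraform documentation. It assumes the same legacy tfplan import used above (not tfplan/v2), and required_tags, all_aws_instances, instances_to_check and has_required_tags are names chosen for this example. It differs from the policy above in three ways a reviewer would ask for: it walks every module path instead of only the root module (tfplan.resources covers the root module only), it skips resources the plan destroys (their applied map is empty, so the naive check would fail a teardown-only plan), and it requires specific tag keys rather than any tag at all.

```sentinel
# Added example, not part of the original page. Assumes the legacy tfplan
# import shown on this page.
import "tfplan"

# Tag keys every aws_instance must carry. This list is a policy parameter
# chosen for the example, not a Terraform or Sentinel built-in.
required_tags = ["Owner", "Environment"]

# Collect aws_instance resources from every module in the plan, not just the
# root module. tfplan.module_paths lists every module path (the root is []),
# and tfplan.module(path) returns that module's view of the plan.
all_aws_instances = func() {
    found = []
    for tfplan.module_paths as path {
        instances = tfplan.module(path).resources.aws_instance else {}
        for instances as name, resources {
            for resources as index, r {
                append(found, r)
            }
        }
    }
    return found
}

# Resources that are only being destroyed have an empty applied map, so
# checking their tags would reject a plan whose sole change is a teardown.
instances_to_check = filter all_aws_instances() as r {
    not r.destroy
}

# Every required key must be present in the applied tags map. A missing or
# unknown tags attribute defaults to an empty map and therefore fails closed.
has_required_tags = func(r) {
    tags = r.applied.tags else {}
    return all required_tags as key {
        key in keys(tags)
    }
}

main = rule {
    all instances_to_check as r {
        has_required_tags(r)
    }
}
```

Attach the policy to a workspace as a hard-mandatory policy in a policy set; because the rule fails closed on resources whose tags are absent or not yet known, a plan that cannot prove the required keys are present is blocked before apply.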
Example: Only allow GCP instance sizes smaller than n1-standard-16
import "tfplan"

allowed_machine_types = [
    "n1-standard-1",
    "n1-standard-2",
    "n1-standard-4",
    "n1-standard-8",
]

main = rule {
    all tfplan.resources.google_compute_instance as _, instances {
        all instances as _, r {
            r.applied.machine_type in allowed_machine_types
        }
    }
}