Sentinel
What is Policy as Code with Sentinel?
Policy as code is the practice of expressing policy logic in code. It lets you define, version, test, review, and deploy policies in a safe, consistent, and repeatable way, and share and reuse them like any other code.
Sentinel is HashiCorp's policy as code framework. It lets you define fine-grained, logic-based policies in a human-readable language, and manages your policy lifecycle. Using Sentinel has several advantages over manually managing your policies:
- Sentinel can enforce policies across multiple HashiCorp products and custom integrations.
- Sentinel's high-level policy language helps you write complex policy logic quickly and clearly.
- Sentinel's testing framework allows you to verify policy behavior before deployment. You can commit your policies to version control to safely collaborate on policy development.
You can use Sentinel with the enterprise and HCP offerings of HashiCorp Terraform, Vault, Consul, and Nomad. This lets you enforce policies across your entire infrastructure, security, and application lifecycle.
Sentinel and policy as code
Sentinel fully embraces policy as code in a number of ways:
Language. All Sentinel policies are written in the Sentinel language and stored as plain text files (conventionally with a .sentinel extension), so you can edit, diff, and review them with ordinary tools. As an additional benefit, all Sentinel-enabled applications share the same policy language.
Development. Sentinel provides a CLI for development and testing. This local CLI can be used to verify policies before deploying them to a system.
Testing. Sentinel provides a test framework designed specifically for automation. This allows developers and CI systems to further verify policies.
Standardize your policy workflow
Sentinel provides a consistent language and workflow for defining and managing policies across different systems. You can compose complex policies from simpler building blocks, and reuse common policy logic across different applications.
Sentinel's policy language is declarative and purpose-built for expressing policy logic. It supports complex conditions, external data lookups, and custom functions, allowing you to model sophisticated real-world policies.
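To make these features concrete, the following is an added example policy, written for this page rather than taken from the tutorial or from the Sentinel project. It validates a list of drink orders using a custom function, a parameter, and a quantifier expression. The `orders` import and its `list` field, the `max_quantity` parameter, and the set of allowed sizes are all assumptions for the example; in a real integration the data would come from the hosting product's import.

```sentinel
# Added example policy: validate a list of drink orders.
# "orders" is a hypothetical import; it is supplied by mock data in tests.
import "orders"

# Maximum quantity per order line. Parameters can be overridden from a
# configuration or test file without editing the policy.
param max_quantity default 10

# Sizes the shop is assumed to offer.
allowed_sizes = ["small", "medium", "large"]

# A reusable function: one order line is valid when its size is known and its
# quantity is within bounds. print() output appears in the CLI trace, which
# makes a failing policy explain itself.
valid_order = func(o) {
    if not (o.size in allowed_sizes) {
        print("unknown size:", o.size)
        return false
    }
    if o.quantity < 1 or o.quantity > max_quantity {
        print("quantity out of range:", o.quantity)
        return false
    }
    return true
}

# Rules are named, lazily evaluated booleans; the CLI reports each one.
# "all" over an empty list is true, so has_orders guards against an empty
# input silently passing.
has_orders = rule { length(orders.list) > 0 }

all_orders_valid = rule {
    all orders.list as o {
        valid_order(o)
    }
}

# main is the rule Sentinel evaluates; the policy passes only when it is true.
main = rule { has_orders and all_orders_valid }
```

Save this as drink-orders.sentinel, run `sentinel fmt` to normalize formatting, and evaluate it with `sentinel apply -trace -config=<mock file> drink-orders.sentinel`; the `-trace` flag prints the value of every rule and any print() output, which is the fastest way to see why a policy failed.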
The following is the standard workflow to implement policies with Sentinel:
- Scope. Identify the policy requirements for your system or organization.
- Author. Write the policy code using the Sentinel language.
- Test. Use Sentinel's testing framework to verify policy behavior.
- Apply. Apply the policies to your Sentinel-enabled systems.
- Monitor. Track policy evaluations and adjust as needed.
You typically use the Sentinel CLI to author and test policies locally on your machine. This is useful when developing Sentinel policies. When you integrate Sentinel policies with a HashiCorp product, you can use Sentinel to apply policies at scale and monitor their results.
In this tutorial collection, you will author and test Sentinel policies scoped to HashiCafe, a fictitious coffee shop. The tutorials do not cover applying Sentinel policies to HashiCorp products or monitoring their results. Refer to the Next steps section of the "Test Sentinel policies" tutorial for resources on integrating Sentinel with HashiCorp products.
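As an added illustration of the Author and Test steps (not taken from the tutorial), assume a policy file drink-orders.sentinel that imports a hypothetical `orders` import, declares a `max_quantity` parameter, and defines the rules `has_orders`, `all_orders_valid`, and `main`. The Sentinel CLI discovers test cases under test/<policy name>/*.hcl next to the policy. The two constructed test files below supply mock data for the import and state the expected value of each rule, one for a passing input and one for an input that must be rejected.

```hcl
# test/drink-orders/pass.hcl
# Every order line has a known size and an in-range quantity, so all rules
# are expected to be true.
mock "orders" {
  data = {
    list = [
      { "size" = "small", "quantity" = 2 },
      { "size" = "large", "quantity" = 1 },
    ]
  }
}

param "max_quantity" {
  value = 5
}

test {
  rules = {
    has_orders       = true
    all_orders_valid = true
    main             = true
  }
}

# test/drink-orders/fail-quantity.hcl
# One order line exceeds max_quantity; main must be false even though orders
# exist. A test that expects a failure is what proves the policy actually
# blocks anything.
mock "orders" {
  data = {
    list = [
      { "size" = "medium", "quantity" = 12 },
    ]
  }
}

param "max_quantity" {
  value = 5
}

test {
  rules = {
    has_orders       = true
    all_orders_valid = false
    main             = false
  }
}
```

Run `sentinel test -verbose` from the directory containing drink-orders.sentinel. The command exits non-zero if any test case does not match its expected rule values, so the same invocation works as a CI gate before policies are promoted to a Sentinel-enabled product.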
Next steps
Now that you are familiar with the core concepts of policy as code and Sentinel, you are ready to write your first policy.
Continue to the next tutorial to install the Sentinel CLI on your local machine and create a basic policy for HashiCafe.