Terraform
Sentinel Overview
Note: Sentinel policies are a paid feature, available as part of the Team & Governance upgrade package. Learn more about Terraform Cloud pricing here.
Hands-on: Try the Enforce Policy with Sentinel collection on HashiCorp Learn.
Sentinel is an embedded policy-as-code framework integrated with the HashiCorp Enterprise products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources.
To learn how to use Sentinel and begin writing policies with the Sentinel language, see the Sentinel documentation.
You can also use the tfe_sentinel_policy resource from the Terraform Enterprise provider to upload a policy using Terraform itself.
Sentinel in Terraform Cloud
Sentinel now supports native VCS integration and direct policy set uploads. See Managing policies for organizations for details or to read about the migration utility.
Using Sentinel with Terraform Cloud involves:
- Defining the policies - Policies are defined using the policy language with imports for parsing the Terraform plan, state and configuration.
- Managing policies for organizations - Users with permission to manage policies can add policies to their organization by configuring VCS integration or uploading policy sets through the API. They also define which workspaces the policy sets are checked against during runs. (More about permissions.)
- Enforcing policy checks on runs - Policies are checked when a run is performed, after the terraform plan but before it can be confirmed or the terraform apply is executed.
- Mocking Sentinel Terraform data - Terraform Cloud provides the ability to generate mock data for any run within a workspace. This data can be used with the Sentinel CLI to test policies before deployment.
Standard Imports
The Terraform integration for HashiCorp Sentinel implements all of the available standard imports.
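The following policy is an added example, not code from the Terraform Cloud documentation, of the workflow described above: it uses the tfplan/v2 import to inspect the plan and the strings standard import to format its output, and would be evaluated after terraform plan and before apply. The resource type (aws_instance) and the required tag names (Owner, Environment) are constructed for the illustration.

```sentinel
# Added example: require Owner and Environment tags on every aws_instance
# that the plan will create or update. Tag names are constructed for this
# illustration and are not prescribed by the documentation.
import "tfplan/v2" as tfplan
import "strings"

required_tags = ["Owner", "Environment"]

# Managed aws_instance resources that this plan creates or updates.
# Deletions and no-op changes are ignored on purpose.
instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# The tags attribute may be absent from the planned values, so treat
# an undefined value as an empty map instead of failing the policy.
tags_of = func(rc) {
	return rc.change.after.tags else {}
}

# Resources missing at least one of the required tag keys.
violations = filter instances as _, rc {
	any required_tags as t { t not in keys(tags_of(rc)) }
}

# Print each offending address so the run page shows what to fix.
for violations as _, rc {
	print(rc.address, "is missing one of the required tags:",
		strings.join(required_tags, ", "))
}

# The policy passes only when no violations remain.
main = rule {
	length(violations) is 0
}
```

To exercise it before enforcing it, download the mock data for a run from Terraform Cloud and run the policy against those mocks with the Sentinel CLI, which lets you confirm that a plan missing a tag fails and a fully tagged plan passes without touching real infrastructure.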