Policy as Code with Sentinel is a powerful governance framework integrated into HCP Terraform that enables organizations to define, manage, and enforce compliance policies programmatically. Sentinel acts as a policy-as-code framework developed by HashiCorp, allowing teams to write fine-grained, logic-based policies that automatically evaluate Terraform runs before infrastructure changes are applied.
Sentinel policies are written in a declarative language designed specifically for policy enforcement. These policies can inspect the planned changes, existing state, and configuration details of Terraform runs. They operate at different enforcement levels: advisory (warnings only), soft-mandatory (can be overridden by authorized users), and hard-mandatory (cannot be bypassed).
Key benefits of Sentinel include standardizing security practices across teams, ensuring compliance with regulatory requirements, and preventing costly misconfigurations. For example, organizations can create policies that require all S3 buckets to have encryption enabled, restrict instance types to approved sizes, or mandate specific tagging conventions for cost allocation.
Sentinel policies integrate into the HCP Terraform workflow by evaluating during the plan phase. When a terraform plan is executed, Sentinel checks the proposed changes against defined policies. If violations occur, the run can be blocked or flagged depending on the enforcement level.
Policies are organized into policy sets, which can be applied to specific workspaces or across entire organizations. This allows granular control over which policies apply to different environments or projects. Policy sets can be version-controlled in VCS repositories, enabling collaborative policy development and change tracking.
The Sentinel framework provides imports specifically for Terraform, including tfplan, tfconfig, tfstate, and tfrun. These imports give policy authors access to comprehensive data about infrastructure changes, making it possible to write sophisticated policies that address complex compliance requirements while maintaining developer productivity.
Policy as Code with Sentinel - Complete Guide for Terraform Associate Exam
What is Policy as Code with Sentinel?
Sentinel is HashiCorp's policy as code framework that enables you to define and enforce governance policies across your Terraform infrastructure. It integrates natively with HCP Terraform (formerly Terraform Cloud) and Terraform Enterprise, allowing organizations to implement fine-grained, logic-based policy decisions.
Policy as Code means writing policies in a programming language rather than documenting them in wikis or relying on manual reviews. Sentinel policies are written in the Sentinel language, which is designed to be approachable for both developers and operations teams.
Why is Sentinel Important?
• Compliance Enforcement: Automatically enforce regulatory requirements (SOC2, HIPAA, PCI-DSS) before infrastructure is deployed
• Cost Control: Prevent deployment of expensive resources or enforce tagging for cost allocation
• Security Guardrails: Ensure security best practices like encryption, proper network configurations, and access controls
• Standardization: Enforce naming conventions, required tags, and approved resource configurations
• Shift-Left Security: Catch policy violations during the plan phase, not after deployment
How Sentinel Works in HCP Terraform
Sentinel policies are evaluated between the plan and apply phases of a Terraform run. Here's the workflow:
1. Plan Phase: Terraform generates an execution plan
2. Policy Check: Sentinel evaluates the plan against defined policies
3. Pass/Fail: If policies pass, the run can proceed to apply; if they fail, the run is halted
Policy Enforcement Levels
Sentinel supports three enforcement levels:
• Advisory: Logs policy failures but allows the run to continue. Used for informational purposes or gradual policy rollout
• Soft Mandatory: Requires the policy to pass, but authorized users can override failures. Useful for exceptions that need human approval
• Hard Mandatory: Requires the policy to pass with no override option. Used for critical compliance requirements
Policy Sets
Policies are organized into policy sets which can be:
• Applied to specific workspaces
• Applied to all workspaces in an organization
• Scoped to workspaces with specific tags
• Version controlled in a VCS repository
Sentinel Imports for Terraform
Sentinel provides several imports to access Terraform data:
• tfplan: Access the Terraform plan data (most commonly used)
• tfconfig: Access the Terraform configuration files
• tfstate: Access the current state file
• tfrun: Access run metadata like workspace name
Example Sentinel Policy
A simple policy to require tags on AWS instances:
import "tfplan/v2" as tfplan

# Every planned aws_instance must carry an "Environment" tag key.
# Simplified: it does not exclude resources that are being destroyed,
# for which change.after is null.
main = rule {
	all tfplan.resource_changes as _, rc {
		rc.type is "aws_instance" implies
			rc.change.after.tags contains "Environment"
	}
}
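As an added example that is not part of the original guide, a fuller version of the tagging policy using the same tfplan/v2 import: it skips resources being destroyed, checks a list of required tag keys, restricts instance types to an allow list, and prints each violation so the policy check output names the offending resource. The required tag names and the allowed instance types are placeholder assumptions for your organization.

```sentinel
# Added example policy (not from the original page). Placeholder values:
# required_tags and allowed_types should be replaced with your own.
import "tfplan/v2" as tfplan

required_tags = ["Environment", "Owner"]
allowed_types = ["t3.micro", "t3.small", "t3.medium"]

# Only managed aws_instance resources that will still exist after the run;
# a destroyed resource has change.after == null, so deletes are skipped.
instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	rc.change.actions is not ["delete"]
}

# Compliant when every required tag key is present on the planned resource.
has_required_tags = func(rc) {
	tags = rc.change.after.tags else {}
	if tags is null { tags = {} }
	missing = filter required_tags as t { tags not contains t }
	if length(missing) > 0 {
		print(rc.address, "is missing required tags:", missing)
		return false
	}
	return true
}

# Compliant when the planned instance_type is on the allow list.
has_allowed_type = func(rc) {
	t = rc.change.after.instance_type
	if t not in allowed_types {
		print(rc.address, "uses non-approved instance_type:", t)
		return false
	}
	return true
}

tags_ok = rule {
	all instances as _, rc { has_required_tags(rc) }
}

types_ok = rule {
	all instances as _, rc { has_allowed_type(rc) }
}

# The run passes this policy only when both rules hold.
main = rule {
	tags_ok and types_ok
}
```

With the Sentinel CLI the policy can be evaluated locally against mock tfplan/v2 data exported from a real HCP Terraform run, using sentinel apply or sentinel test, before it is added to a policy set.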
Key Features to Remember
• Sentinel is a paid feature available in HCP Terraform Team & Governance tier and Terraform Enterprise
• Policies run after plan but before apply
• Policy sets can be sourced from VCS repositories for version control
• The Sentinel CLI can be used for local policy development and testing
• Mocking allows testing policies against sample plan data
Exam Tips: Answering Questions on Policy as Code with Sentinel
1. Remember the timing: Sentinel runs between plan and apply - this is frequently tested
2. Know the enforcement levels: Distinguish between advisory (warning only), soft mandatory (overridable), and hard mandatory (no exceptions)
3. Understand availability: Sentinel requires HCP Terraform paid tiers or Terraform Enterprise - it's not available in the free tier or open-source Terraform
4. Policy Sets vs Policies: Policies are grouped into policy sets, and policy sets are applied to workspaces
5. Common use cases: Questions often reference cost control, compliance, security requirements, and tagging enforcement
6. Override permissions: Only users with appropriate permissions can override soft mandatory policy failures
7. VCS integration: Policy sets can be managed through version control for better governance and audit trails
8. Sentinel vs OPA: Know that Sentinel is HashiCorp's native solution, while Open Policy Agent (OPA) is an alternative that can be used with run tasks
9. Key terminology: Be familiar with terms like policy check, policy evaluation, and policy set scope
10. Failed policy behavior: When a hard mandatory policy fails, the entire run is stopped and cannot proceed to apply