Virtual Event
Join us for the next HashiConf Digital October 12-15, 2020 Register for Free

Enforce Policy with Sentinel [Team & Governance]

team & governance

Download Policy Mock Data


For this tutorial you will need:

»Define your infrastructure requirements

Before you begin writing policies, define your organization's requirements for your infrastructure.

In the following tutorials your Sentinel policy will enforce three infrastructure requirements:

  • The operator performing the Terraform Cloud just must add their name as a tag to the S3 bucket
  • The operator must also tag the S3 bucket with the environment this bucket will service (prod, dev, or qa).
  • Restrict the object access to your S3 bucket to private or public-read only.

If your S3 buckets do not meet all of these criteria, your Terraform operation will fail with no recovery.

If you tried the embedded tutorial in the last guide, you ran a policy against the tfplan/v2 import. This import provides access to Terraform plan data. Sentinel can use several types of imports from the Terraform Cloud API: configuration, plan, state, and run.

The import keyword at the top of your policy specifies the name of the import you want to use, in this case tfplan/v2, which is optimized for the data structure in Terraform 0.12.

To learn more about import, reference the Sentinel Language Specification Documentation.

Terraform Cloud generates this import data during the terraform plan operation CLI or from a VCS backed Terraform Cloud workspace.

»Generate mock import data

In your browser, navigate to your Terraform Cloud organization and create a new workspace. Do not connect it to a VCS provider.

Create a new workspace in Terraform Cloud with no VCS provider

Name the workspace sentinel-example.

Name the workspace in Terraform Cloud

Create two Terraform variables named prefix and region. The prefix in your configuration is environment where your Terraform infrastructure will be deployed. Use training for this prefix. Choose an AWS region geographically close to you like us-east-1.

Create two environment variables for your AWS Access Key IDs and Secret Keys named AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. For information on obtaining your AWS access keys, see the AWS documentation.

Set environment and Terraform variables in Terraform Cloud

»Clone and plan the example Terraform configuration

In your local terminal, clone the example code repository here.

$ git clone

Navigate to the directory.

$ cd learn-sentinel-tfc

This Terraform configuration will create an S3 bucket and deploy a web application. Open the file and add the remote backend block to the beginning of this configuration. Change the organization name to the name of your Terraform Cloud organization.

terraform {
  backend "remote" {
    hostname = ""
    organization = "<YOUR_TERRAFORM_ORG>"
    workspaces {
      name = "sentinel-example"

Login to your Terraform Cloud organization by using the terraform login command. This command generates an API token from your Terraform Cloud account in the Terraform Cloud UI, which you copy and paste into your local terminal when prompted. Follow the prompts to log in.

$ terraform login

Initialize the directory and run a plan.

$ terraform init && terraform plan

Terraform will confirm that the plan is running and provide you with a link to the plan in Terraform Cloud.

Running plan in the remote backend. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

To view this run in a browser, visit:

When you run a remote terraform plan operation, Terraform Cloud generates a group of files named mocks.

Visit the link in your browser and your Terraform Cloud UI and follow the plan log. When the plan is finished, the Terraform Cloud UI will have a new option to "Download Sentinel Mocks".

Download the mock data in the Terraform Cloud UI from the run tab

Click "Download the Sentinel Mocks". Navigate to your downloads directory in your terminal.

»Create a local Sentinel development directory

On your local machine, create a new directory named learn-sentinel-policies for your Sentinel development environment.

$ mkdir ~/learn-sentinel-policies

Unzip the mock data file you downloaded from Terraform and copy it to the development directory. Change your run-xxx filename to match the on you downloaded

$ tar xzf ~/Downloads/run-ymMPBGiphnEELoKy-sentinel-mocks -C ~/learn-sentinel-policies

The files in this directory are now in your policy development environment for you to test. Change into that directory.

$ cd ~/learn-sentinel-policies

Review the mock data files available.

$ tree
├── mock-tfconfig-v2.sentinel
├── mock-tfconfig.sentinel
├── mock-tfplan-v2.sentinel
├── mock-tfplan.sentinel
├── mock-tfrun.sentinel
├── mock-tfstate-v2.sentinel
├── mock-tfstate.sentinel
└── sentinel.json

Open the sentinel.json file for review. Your file contents will be similar to those below.

  "mock": {
    "tfconfig": "mock-tfconfig.sentinel",
    "tfconfig/v1": "mock-tfconfig.sentinel",
    "tfconfig/v2": "mock-tfconfig-v2.sentinel",
    "tfplan": "mock-tfplan.sentinel",
    "tfplan/v1": "mock-tfplan.sentinel",
    "tfplan/v2": "mock-tfplan-v2.sentinel",
    "tfrun": "mock-tfrun.sentinel",
    "tfstate": "mock-tfstate.sentinel",
    "tfstate/v1": "mock-tfstate.sentinel",
    "tfstate/v2": "mock-tfstate-v2.sentinel"

»Review the mock data files

Each of the mock data file contains information Terraform captures during the plan operation. Sentinel parses these files when you import them in your policies. Which mock data file you import depends on the type of restrictions or requirements you implement in your policies.

Sentinel uses the four Terraform Cloud imports to define policy rules: plan, configuration, state, run as well as a library of standard imports. The types of data contained in each of these imports are:

  • tfplan - This provides access to a Terraform plan, the file Terraform creates as a result of a plan. The plan data represent the changes that Terraform needs to make to infrastructure to reach the desired state represented by the configuration.
  • tfconfig - This provides access to data describing a Terraform configuration, the set of ".tf" files that you write to describe the desired infrastructure state.
  • tfstate - This provides access to data describing the Terraform state, the file Terraform uses to map real world resources to your configuration.
  • tfrun - This provides access to data associated with a run in Terraform Cloud, such as the run's workspace.

In the Terraform workflow, your terraform plan command creates an ephemeral execution plan to determine what operations run against your infrastructure. The output of terraform plan in the CLI is the representation of what your configuration creates when you approve the plan. For a policy like the one in your requirements above, you would choose the tfplan import in your Sentinel policy files to determine if the planned resources meet your criteria.

»Next steps

In the next tutorial, you will use this import data in a Sentinel policy.