Note: This functionality is available in the Terraform Cloud Team & Governance plan, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under “Plan & Billing”.
The Sentinel language and policy framework is embedded in Terraform Cloud to enable fine-grained, logic-based policy decisions. A Sentinel policy is a guard-rail for Terraform deployments: it defines the circumstances under which certain behaviors are allowed.
Policies are verified with the Sentinel CLI, a command-line tool that lets you validate rules locally and immediately, without starting a Terraform plan in Terraform Cloud. Sentinel can also use external information in policy decisions through imports from other sources.
In this guide, you will learn how Sentinel can be used to enhance your current workflows and install the Sentinel CLI.
Over the course of this track you will learn how to use the Sentinel CLI to write policies for Terraform Cloud, how to test Sentinel policies with mock data, and how to import policy sets to your Terraform Cloud organization.
For this guide you will need:
- Owners group access in your Terraform Cloud account
- A GitHub account
- An AWS account, used to create example resources and to write policies for Terraform Cloud
»Why use Sentinel?
Terraform Cloud uses Sentinel as part of the Governance & Policy feature set to apply fine-grained policy to infrastructure changes. Broadly, Sentinel functions as a safeguard, preventing Terraform from performing specific actions as defined by Sentinel policies.
Sentinel also allows cost-centric policies to be created and then automatically enforced in the Terraform workflow. Administrators then have the ability to approve significant changes or to completely prevent specific workspaces from exceeding predetermined thresholds. For more information, review the Cost Estimation announcement.
Most systems today have some degree of access control. You are able to define identities and what they have access to. These ACL systems solve an immediate and necessary problem of locking down a system in very broad strokes. Sentinel is a reusable system for more advanced software policy decisions. Sentinel enables:
Fine-Grained Policy: Most ACL systems only enable coarse-grained behaviors: "read", "write", etc. Sentinel enables fine-grained behavior such as disallowing a certain API call when specific parameters are present.
Logic-Based Policy: You can write policy using full conditional logic. For example, you may only allow a certain application behavior on Monday to Thursday unless there is a manager override.
Enforcement levels: Sentinel allows policies to be defined along with an "enforcement level" that dictates the pass/fail behavior of a policy. Advisory policies warn if they fail, soft mandatory policies can have their failures overridden, and hard mandatory policies must pass for the action to continue. Having this as a built-in concept enables you to model policy more accurately and completely for your organization.
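The following policy is an added example, not code from the original page or from HashiCorp, that puts the three ideas above into practice. It uses the `tfplan/v2` import to inspect planned changes (the fine-grained check: an `aws_instance` may only be created or updated with one of a short list of instance types) and the `time` import for the logic-based check (changes are only allowed Monday through Thursday). The allowed instance types and the weekday window are assumptions chosen for illustration.

```sentinel
# Added example policy (not part of the original page). The allowed
# instance types and the Monday-to-Thursday window are assumptions.
import "tfplan/v2" as tfplan
import "time"

# Only these EC2 instance types may be created or updated.
allowed_types = ["t3.micro", "t3.small"]

# Fine-grained: look only at managed aws_instance resources that the plan
# will create or update. Deletes and no-op changes are not checked.
ec2_changes = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_instance" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A computed instance_type has no value in `after` (it is reported under
# `after_unknown` instead). Accessing the missing key yields undefined, so
# `else` turns it into a value that is not in the allowed list, and the rule
# fails closed instead of silently passing.
instance_types_allowed = rule {
    all ec2_changes as _, rc {
        (rc.change.after.instance_type else "unknown") in allowed_types
    }
}

# Logic-based: changes are only allowed Monday (1) through Thursday (4).
# time.now.weekday is 0 for Sunday through 6 for Saturday.
within_change_window = rule {
    time.now.weekday >= 1 and time.now.weekday <= 4
}

# The policy passes only when both rules pass.
main = rule {
    instance_types_allowed and
    within_change_window
}
```

The "manager override" from the logic-based example is modelled with the enforcement level rather than in the policy itself: declaring this policy in the policy set's `sentinel.hcl` with `enforcement_level = "soft-mandatory"` lets an organization owner override a failure on a Friday, while `"hard-mandatory"` would block the run outright and `"advisory"` would only warn. When you run such a policy locally with `sentinel apply`, the `tfplan/v2` import has to be satisfied by mock data configured in the same `sentinel.hcl`, which is covered later in this track.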
»Install Sentinel CLI
To install the Sentinel CLI, find the appropriate package for your system and download it. The CLI is packaged as a zip archive.
After downloading Sentinel, unzip the package. The CLI runs as a single binary, sentinel. Any other files in the package can be safely removed and Sentinel will still function.
The final step is to make sure that the sentinel binary is available on the PATH.
If you are on Linux or macOS, see this page for instructions on how to set the PATH.
If you are on Windows, see this page for instructions on how to set the PATH.
»Verify Sentinel Installation
After installing the Sentinel CLI, verify that the installation was successful by opening a new terminal session and checking that the sentinel binary is available. When you run sentinel with no arguments, you should see help output similar to the following:
```shell-session
$ sentinel
Usage: sentinel [--version] [--help] <command> [<args>]

Available commands are:
    apply      Execute a policy and output the result
    fmt        Format Sentinel policy to a canonical format
    test       Test policies
    version    Prints the Sentinel runtime version
```
If you get an error that the binary could not be found, your PATH environment variable was not set up properly. Go back and ensure that the PATH variable contains the directory where Sentinel was installed.