Enforce Policy with Sentinel [Team & Governance]

Install the Sentinel CLI

Terraform Cloud uses Sentinel as part of Teams & Governance to enable granular policy control for your infrastructure. Sentinel is a language and policy framework that restricts Terraform actions to defined, allowed behaviors. Policy authors manage Sentinel policies in Terraform Cloud with policy sets, which are groups of policies. Organization owners control the scope of policy sets by applying certain policy sets to the entire organization or to select workspaces.

The Policy-as-Code framework enables you to treat your governance requirements as you would your applications: written by operators, controlled in VCS, reviewed, and automated during your deployment process.


The Sentinel CLI (command-line interface) validates and tests rules so you can develop Sentinel policies.

After you install the Sentinel CLI, the following tutorials will walk you through writing, testing, and importing policies for Terraform Cloud.

»Install Sentinel CLI

To install the Sentinel CLI, find the appropriate package for your system and download it. The CLI is packaged as a zip archive.

After downloading Sentinel, unzip the package. The CLI runs as a single binary named sentinel. Any other files in the package can be safely removed and Sentinel will still function.

Finally, make sure that the sentinel binary is available on your PATH. This process will differ depending on your operating system.

Have your terminal print a colon-separated list of locations in your PATH.

$ echo $PATH

Move the sentinel binary to one of the listed locations. The below command assumes that the binary is currently in your downloads folder and that your PATH includes /usr/local/bin, but you can customize it if your locations are different.

$ mv ~/Downloads/sentinel /usr/local/bin/sentinel

For more detail about adding binaries to your PATH, see this Stack Overflow article.
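
The install steps above unzip the download and move the binary onto your PATH. As an added example (not part of the original tutorial), the shell functions below check the zip against a SHA-256 checksum list before unpacking it. The checksum file, its `<digest>  <file name>` line format, the placeholder paths and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a downloaded Sentinel zip against a SHA-256 checksum
# list, then unpack only the sentinel binary into a directory on PATH.
# Assumed: checksum lines look like "<hex digest>  <file name>".
# Function names are this example's own, not part of the Sentinel CLI.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # e.g. macOS
    fi
}

# verify_archive ARCHIVE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if ARCHIVE is not listed.
verify_archive() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# install_sentinel ARCHIVE SUMS_FILE DEST_DIR
# Unpacks and installs only after verify_archive succeeds.
install_sentinel() {
    verify_archive "$1" "$2" || return $?
    tmp=$(mktemp -d) || return 3
    unzip -q -o "$1" sentinel -d "$tmp" &&
        install -m 0755 "$tmp/sentinel" "$3/sentinel"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Usage (placeholder paths):
#   install_sentinel ~/Downloads/<archive>.zip ~/Downloads/<sums file> /usr/local/bin
```

A non-zero return from `install_sentinel` means nothing was copied into the destination directory.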

»Verify Sentinel Installation

After installing the Sentinel CLI, verify that the installation was successful by opening a new terminal session and checking that the sentinel binary is available. When you execute sentinel, you should see help output similar to the following:

$ sentinel
Usage: sentinel [--version] [--help] <command> [<args>]

Available commands are:
    apply      Execute a policy and output the result
    fmt        Format Sentinel policy to a canonical format
    test       Test policies
    version    Prints the Sentinel runtime version

If you get an error that the binary could not be found, then your PATH environment variable was not set up properly. Go back and ensure you set your PATH correctly.

»Run a policy

Before you begin running the Sentinel CLI locally, launch this scenario to run a policy with Terraform plan data already generated for you.

In order for Sentinel to run a policy, it needs data to test the policy against. Open the embedded terminal session to test a policy against pre-populated Terraform Cloud plan data. The policy makes sure S3 buckets have tags attached. If so, the policy passes. If any S3 bucket found does not have a tag, the policy fails.

This is the policy you will test.

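import "tfplan/v2" as tfplan

# Select S3 buckets that the plan creates or updates.
s3_buckets = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_s3_bucket" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

# Every selected bucket must have a non-null tags attribute.
bucket_tags = rule {
    all s3_buckets as _, instances {
        instances.change.after.tags is not null
    }
}

# The policy passes only when bucket_tags holds.
main = rule {
    bucket_tags
}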

»Next Steps

In the next guide, you will generate Terraform data for Sentinel policy development.