Sentinel is an enterprise feature. For a demo of Terraform Cloud, sign up here.
Sentinel is a paid feature of Terraform Cloud. The integrated Sentinel language and policy framework is embedded into Terraform Cloud to enable fine-grained, logic-based policy decisions. A Sentinel Policy is a guard-rail for Terraform deployments and defines the circumstances which certain behaviors are allowed.
Why use Sentinel?
Terraform Cloud uses Sentinel as part of the Governance & Policy Feature Set to enable granular application of infrastructure. Broadly, Sentinel functions as a safeguard with regulations your organization defines.
Most systems today have some degree of access control. You are able to define identities and what they have access to. These ACL systems solve an immediate and necessary problem of locking down a system in very broad strokes. Sentinel is a reusable system for more advanced software policy decisions. Sentinel enables:
Fine-Grained Policy: Most ACL systems only enable coarse-grained behaviors: "read", "write", etc. Sentinel enables fine-grained behavior such as disallowing a certain API call when specific parameters are present.
Logic-Based Policy: You can write policy using full conditional logic. For example, you may only allow a certain application behavior on Monday to Thursday unless there is a manager override.
Accessing External Information: Sentinel can source external information to be used in policy decisions. For example, a policy can read data from Consul and then use that data to enforce certain actions.
Enforcement levels: Sentinel allows policies to be defined along with an "enforcement level" that dictates the pass/fail behavior of a policy. Advisory policies warn if they fail, soft mandatory policies can have their failures overridden, and hard mandatory policies must pass under all circumstances. Having this as a built-in concept enables you to model policy more accurately and completely for your organization.
The Sentinel Simulator is a command-line interface which will let us apply instant rule validation locally without kicking off a Terraform plan.
Installing Sentinel Simulator
For the getting started guide, we'll use Sentinel Simulator to learn how to write policies for Terraform Cloud. Download it here.
After downloading Sentinel, unzip the package. Sentinel Simulator runs as a single binary named
sentinel. Any other files in the package can be safely removed and Sentinel will still function.
The final step is to make sure that the sentinel binary is available on the PATH. See this page for instructions on setting the PATH on Linux and Mac. This page contains instructions for setting the PATH on Windows.
Verifying the Installation
After installing Sentinel Simulator, verify the installation was successful by opening a new terminal session and checking that the
sentinel binary is available. By executing
sentinel, you should see help output similar to the following:
sentinel Usage: sentinel [--version] [--help] <command> [<args>] Available commands are: apply Execute a policy and output the result doc Show documentation for an import from a doc file fmt Format Sentinel policy to a canonical format test Test policies version Prints the Sentinel version
If you get an error that the binary could not be found, then your
PATH environment variable was not setup properly. Please go back and ensure that your
PATH variable contains the directory where Sentinel was installed.