Book a 90-minute product workshop led by HashiCorp engineers and product experts during HashiConf Digital Reserve your spot

Enforce Policy with Sentinel [Team & Governance]

team & governance

The Terraform Cloud & Sentinel Workflow

Now that we have a basic policy understanding, let's look at how Sentinel fits in to the Terraform Cloud workflow.

»Creating Policies

In your Terraform Cloud UI, create a new workspace called "Sentinel" and configure it with your AWS credentials. Once created and configured with your environment variables, fork to your VCS account of choice. Once forked and downloaded, link the repository in your Terraform Cloud sentinel workspace. We'll create some resources with this demo and see Sentinel working in reality.

Back in our terminal, we'll make some changes to the Terraform config in this repo:

terraform {
  backend "remote" {
    organization = "<YOUR-ORG>"
    workspaces {
      name = "<YOUR-WORKSPACE>"

provider "aws" {
  region = "us-west-2"

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]

  filter {
    name   = "virtualization-type"
    values = ["hvm"]

  owners = ["099720109477"] # Canonical

resource "aws_instance" "web" {
  ami           =
  instance_type = "t2.micro"

»Creating Policy Sets

By committing and pushing this to your git repo, a Terraform Cloud plan should be triggered. However, we want to ensure that members of your Terraform Cloud organization are abiding by your company or organization standards. Next, we will look at one way to apply a Sentinel policy to your workspace.

Create a new VCS repo called "Sentinel-Training" and create two files called sentinel.hcl and tags_enforced.sentinel there.

New Policy Repo

In the body of tags_enforced.sentinel we will implement the actual policy:

import "tfplan"

main = rule {
    all tfplan.resources.aws_instance as _, instances {
        all instances as _, r {
            r.applied.tags else null is not null

In sentinel.hcl we define the policy enforcement level:

policy "tags_enforced" {
    enforcement_level = "hard-mandatory"

There are three levels of enforcement associated with policies in Terraform Cloud: hard-mandatory, soft-mandatory, and advisory. We will choose hard-mandatory here and see what happens when we fail that policy on purpose.

Once the policy repo is created, we can create policy sets to apply one or more policies. In the Terraform Cloud UI, navigate to Settings > Policy Sets > Create a new policy set.

Policy Sets

We will now select the Policy Set Source as the repo we used previously. For more information or for other VCS connection settings, visit our documentation on VCS Integrations.

Policy Sets Continued

We can also choose to have this policy set apply to a selected workspaces or all workspaces. Choose all workspaces for now and select Create Policy Set. A successful policy set is visible from the Policy Sets Settings page now:


»Triggering Sentinel Checks

In your terminal, trigger another terraform plan and follow the url to see what happens under this policy now.

Plan Failure

This speculative plan fails (as expected!) and the resources are not created. If we make a push to the repo to add a tag:

# ...
resource "aws_instance" "web" {
  ami           =
  instance_type = "t2.micro"
  tags = {
    Name = "Wolverine"

Plan Success

When we commit and push these changes, Terraform Cloud will trigger an apply operation, but we still have to verify the policy check. Once we see the policy has passed in the UI, we can confirm and apply the changes.