Difficulty: Beginner
Estimated Time: 30 minutes

Sentinel is the Policy-as-Code product from HashiCorp that automatically enforces logic-based policy decisions across all HashiCorp Enterprise products.

It allows users to implement policy-as-code in a similar way to how Terraform implements infrastructure-as-code.

The Sentinel Command Line Interface (CLI) allows you to apply and test Sentinel policies, including those that use mocks generated from Terraform Cloud and Terraform Enterprise plans.

This Sentinel & Terraform Cloud environment provides you a place to create and test infrastructure policies against pre-populated mock data.

Congratulations! You've successfully written and tested infrastructure policies using the Sentinel CLI.

Sign up for free a 30 day trial of Terraform Cloud Team & Governance

Further reading

Sentinel Tutorial

Step 1 of 4

Write your first Sentinel policy

In this scenario, you will apply the Sentinel Policy-as-Code principles to a Terraform specific deployment. You will create a policy that requires your configuration to have specific tags on your S3 buckets and restrict the level of access to your bucket objects.

Open the file terraform-sentinel/tf-config/main.tf and review the configuration you are testing.

This configuration builds a publicly-readable S3 bucket with a unique name and deploys an example web app as a bucket object. The acl attribute of the "aws_s3_bucket" "bucket" resource ensures this web app object is public but the viewer cannot write or edit it.

For your first policy, create a resource filter for your S3 buckets and a rule that requires that resource to have at least one tag.

Create a filter

Open the stub of this policy in terraform-sentinel/restrict-s3-buckets.sentinel.

Create a filter for the s3_bucket resources in the Terraform Cloud plan. Copy and paste the filter block below the commented line # Filter S3 buckets.

s3_buckets = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_s3_bucket" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])

Create the bucket rule

Add a rule to evaluate mock data. Copy and paste the bucket_tags rule below the commented line # Rule to require at least one tag.

bucket_tags = rule {
    all s3_buckets as _, buckets {
    buckets.change.after.tags is not null

Create main rule

Your filter and bucket rule will be evaluated in the main rule. Copy and paste the main rule below the commented line # Main rule

main = rule {
    bucket_tags else false

Apply the policy

To see Sentinel policy logic in action, run an apply with the trace flag in your terminal.

sentinel apply -trace restrict-s3-buckets.sentinel

Review the trace information. You will find that this policy passed because the Terraform plan contained at least one tag and meets the requirements in your bucket_tags rule.

Create a failing policy

To see the failure behavior of your Sentinel policy, change the bucket_tags rule to a null statement.

bucket_tags = rule {
all s3_buckets as _, buckets {
    buckets.change.after.tags is null

Run an apply in the Sentinel CLI again and evaluate the output. You changed the bucket_tags rule to require that NO tags are applied to the S3 bucket. Because your plan information already contains these tags, your policy failed.

sentinel apply -trace restrict-s3-buckets.sentinel

After reviewing the failing output, change the bucket_tags rule to evaluate correctly.

bucket_tags = rule {
all s3_buckets as _, buckets {
    buckets.change.after.tags is not null

In the next step, you will build on this policy with more specific and restrictive policy information.

This tab will not be visible to users and provides only information to help authors when creating content.

Creating Katacoda Scenarios

Thanks for creating Katacoda scenarios. This tab is designed to help you as an author have quick access the information you need when creating scenarios.

Here are some useful links to get you started.

Running Katacoda Workshops

If you are planning to use Katacoda for workshops, please contact [email protected] to arrange capacity.

Debugging Scenarios

Below is the response from any background scripts run or files uploaded. This stream can aid debugging scenarios.

If you still need assistance, please contact [email protected]