Difficulty: Beginner
Estimated Time: 5 minutes

Sentinel is the Policy-as-Code product from HashiCorp that automatically enforces logic-based policy decisions across all HashiCorp Enterprise products.

It allows users to implement policy-as-code in a similar way to how Terraform implements infrastructure-as-code.

The Sentinel Command Line Interface (CLI) allows you to apply and test Sentinel policies, including those that use mocks generated from Terraform Cloud and Terraform Enterprise plans.

This Sentinel & Terraform Cloud environment provides you a place to create and test infrastructure policies against pre-populated mock data.

Congratulations! You've successfully run an infrastructure governance policy using the Sentinel CLI.

Sign up for free a 30 day trial of Terraform Cloud Team & Governance

For more tutorials like this, visit learn.hashicorp.com/terraform.

Further reading

Sentinel Introduction

Run a Sentinel policy

In this scenario, you will apply Sentinel Policy-as-Code to a Terraform specific deployment. You will create a policy that requires your configuration to have specific tags on S3 buckets and restrict the level of access to bucket objects.

Open the file terraform-sentinel/tf-config/main.tf and review the infrastructure configuration you are testing.

This configuration builds a publicly-readable S3 bucket with a unique name and deploys an example web app as a bucket object.

Review the policy

Open the terraform-sentinel/restrict-s3-buckets.sentinel file and review the policy for this scenario, which requires you to apply at least one tag to any new or updated S3 bucket.

Run an apply with the trace flag in your terminal to apply the policy against data from the infrastructure configuration you just reviewed.

sentinel apply -trace restrict-s3-buckets.sentinel

Review the trace information. You will find that this policy passed because the Terraform plan contained at least one tag and meets the requirements in your bucket_tags rule.

Create a failing policy

To see the failure behavior of your Sentinel policy, change the bucket_tags rule to a null statement.

bucket_tags = rule {
all s3_buckets as _, buckets {
    buckets.change.after.tags is null

Run an apply in the Sentinel CLI again and evaluate the output. You changed the bucket_tags rule to require that NO tags are applied to the S3 bucket. Because your plan information already contains these tags, your policy failed.

sentinel apply -trace restrict-s3-buckets.sentinel

After reviewing the failing output, change the bucket_tags rule to evaluate correctly.

bucket_tags = rule {
all s3_buckets as _, buckets {
    buckets.change.after.tags is not null
This tab will not be visible to users and provides only information to help authors when creating content.

Creating Katacoda Scenarios

Thanks for creating Katacoda scenarios. This tab is designed to help you as an author have quick access the information you need when creating scenarios.

Here are some useful links to get you started.

Running Katacoda Workshops

If you are planning to use Katacoda for workshops, please contact [email protected] to arrange capacity.

Debugging Scenarios

Below is the response from any background scripts run or files uploaded. This stream can aid debugging scenarios.

If you still need assistance, please contact [email protected]