Terraform

Sentinel is used by Terraform Enterprise to enforce policy on Terraform configurations, states, and plans.

The Sentinel integration with Terraform runs within Terraform Enterprise after a terraform plan and before a terraform apply. The policies have access to the created plan, the state at the time of the plan, and the configuration at the time of the plan. If a policy fails, Terraform Enterprise doesn't allow the plan to be applied.

Example policies for Sentinel and Terraform are shown below. The Terraform-specific imports that these policies use (such as tfplan) are documented separately.

Examples

Example: All AWS instances must have a tag

import "tfplan"

main = rule {
  # Iterate over every aws_instance resource block in the plan, then over
  # every instance that block creates (one per count index).
  all tfplan.resources.aws_instance as _, instances {
    all instances as _, r {
      # `else 0` treats a missing (undefined) tags attribute as zero tags,
      # so an untagged instance fails the rule instead of raising an error.
      (length(r.applied.tags) else 0) > 0
    }
  }
}

Example: Only allow GCP instance sizes smaller than n1-standard-16

import "tfplan"

# Machine types allowed for google_compute_instance resources; anything
# not listed here (including n1-standard-16 and larger) is rejected.
allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

main = rule {
  # Only Google Compute instances carry a machine_type attribute, so the rule
  # iterates that resource type rather than every resource type in the plan.
  all tfplan.resources.google_compute_instance as _, instances {
    all instances as _, r {
      r.applied.machine_type in allowed_machine_types
    }
  }
}
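The two checks above can be combined into one policy made of named rules, which makes a failed plan report which requirement was missed. The following is an added example, not a policy from the original page; the required tag keys and the `else {}` guards for plans that contain no resources of a given type are assumptions.

```sentinel
# Added example: enforce required tag keys on AWS instances and a machine
# type allow-list on GCP instances from a single policy.
import "tfplan"

# Tag keys every aws_instance must carry (assumed values).
required_tags = ["owner", "environment"]

# Machine types permitted for google_compute_instance resources.
allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

# True when the instance's applied tags contain every required key.
# `else {}` turns an absent tags attribute into an empty map, so an
# untagged instance fails cleanly rather than erroring on undefined.
has_required_tags = func(r) {
  present = keys(r.applied.tags else {})
  return all required_tags as t {
    t in present
  }
}

# Every AWS instance must carry the required tag keys. `else {}` lets the
# rule pass when the plan creates no aws_instance resources at all.
aws_instances_tagged = rule {
  all (tfplan.resources.aws_instance else {}) as _, instances {
    all instances as _, r {
      has_required_tags(r)
    }
  }
}

# Every GCP instance must use an allowed machine type.
gcp_machine_types_allowed = rule {
  all (tfplan.resources.google_compute_instance else {}) as _, instances {
    all instances as _, r {
      r.applied.machine_type in allowed_machine_types
    }
  }
}

# The plan may only be applied when both named rules hold.
main = rule {
  aws_instances_tagged and gcp_machine_types_allowed
}
```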