» Terraform

Terraform Enterprise uses Sentinel to enforce policy on Terraform configurations, states, and plans.

The Sentinel integration with Terraform runs within Terraform Enterprise after a terraform plan and before a terraform apply. The policies have access to the created plan, the state at the time of the plan, and the configuration at the time of the plan.

The Terraform integration with Sentinel is documented in depth in the Terraform Enterprise documentation. Please read that page for full documentation. This page only shows basic examples.

» Examples

Example: All AWS instances must have a tag

import "tfplan"

main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as _, r {
      (length(r.applied.tags) else 0) > 0
    }
  }
}

Example: Only allow GCP instance sizes smaller than n1-standard-16

import "tfplan"

# Allowlist of permitted machine types; everything larger is rejected.
allowed_machine_types = [
  "n1-standard-1",
  "n1-standard-2",
  "n1-standard-4",
  "n1-standard-8",
]

# tfplan.resources is keyed by type, then resource name, then index, so the
# check must descend through google_compute_instance -> name -> index -> resource.
main = rule {
  all tfplan.resources.google_compute_instance as _, instances {
    all instances as _, r {
      r.applied.machine_type in allowed_machine_types
    }
  }
}
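Extending the AWS tag example above, the following policy is an added example and not part of the Sentinel documentation: it requires a specific set of tag keys rather than just a non-empty tag map, and skips resources the plan is about to destroy, since those have no applied attributes to inspect. The required key list is an assumption chosen for illustration.

```sentinel
import "tfplan"

# Tag keys every instance must carry (constructed example set, not a
# Terraform Enterprise default).
required_tags = ["Name", "Owner", "Environment"]

# Returns true when every required key is present in the resource's tag map.
# A missing tags attribute is treated as an empty map so the check fails
# cleanly instead of evaluating to undefined.
has_required_tags = func(r) {
  tags = r.applied.tags else {}
  return all required_tags as t {
    t in keys(tags)
  }
}

# Workspaces with no aws_instance resources must still pass, so an absent
# resource type is treated as an empty map.
instances_by_name = tfplan.resources.aws_instance else {}

# Resources being destroyed are not checked: only what will exist after
# apply needs the tags.
main = rule {
  all instances_by_name as _, instances {
    all instances as _, r {
      r.destroy or has_required_tags(r)
    }
  }
}
```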