Language: Parameters

Sentinel allows a policy author to supply parameters to help facilitate policy reuse and ensure sensitive values do not need to be hard-coded in a policy.

Parameters are supplied by using the param keyword, followed by an identifier. A default value can also be supplied by using the default keyword.

param foo             // assigned to foo, required
param bar default 42  // assigned to bar, optional, default 42

Once declared, parameters can be used like any other variable, including being re-assigned.

param foo default 1  // 1 (default)

foo = foo + 1        // 2

Variable Descriptions

You can supply a description for a parameter by adding a comment directly above it. This value can be communicated to a specific implementation of Sentinel to provide information about what the parameter is for during configuration.

// An example parameter. Must be supplied or the policy will fail.
param foo

Supplying Parameter Values Using the Sentinel CLI

In a production implementation, supplying parameters to a policy is an implementation-specific detail - see the documentation for your particular implementation for details.

Using the Sentinel CLI, you can supply parameters in one of four ways.

Supplying Parameter Values Using the Configuration File

You can supply parameters using the param section of the configuration file.

  "param": {
    "foo": "bar"
  }

This method works for both sentinel apply and sentinel test.

Supplying Parameter Values Using the Environment

You can supply a value using an environment variable: set a variable whose name is SENTINEL_PARAM_ followed by the name of the parameter.

SENTINEL_PARAM_foo=bar sentinel apply policy.sentinel

Supplying Parameter Values Using the CLI

You can also use the -param CLI argument to supply a parameter as a key=value pair.

sentinel apply -param foo=bar policy.sentinel

Interactive CLI Prompting

If a required value has not been supplied when a policy is run with sentinel apply, it will be prompted for, along with its description:

$ sentinel apply policy.sentinel
policy.sentinel:2:7: requires value for parameter foo
  An example parameter. Must be supplied or the policy will fail.

  Values can be strings, floats, or JSON array or object values. To force
  strings, use quotes.

  Enter a value: bar


CLI Value Format

The CLI takes either strings, or JSON numbers, arrays, or maps. If you need a literal string value, quote the value.

foo         // string
42          // number (float)
"42"        // string ("42", without quotes)
[1, 2]      // array (list)
{"a": "b"}  // object (map)
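
The following is an added example, not code from Sentinel or its documentation: a small Python model of the value format above that a CI job could use to check which type each -param value will take before a policy runs. The function names, the sample arguments and the handling of true, false, null and NaN (kept as strings, since the list above does not mention them) are assumptions.

```python
import json

def _reject(token):
    # NaN / Infinity are not JSON numbers; treat the raw text as a string.
    raise ValueError(token)

def parse_cli_value(raw):
    """Classify one value as the 'CLI Value Format' section describes."""
    try:
        decoded = json.loads(raw, parse_constant=_reject)
    except ValueError:
        return ("string", raw)             # bare word, e.g. foo
    if isinstance(decoded, bool) or decoded is None:
        return ("string", raw)             # assumption: not in the page's list
    if isinstance(decoded, (int, float)):
        return ("number", float(decoded))  # 42 -> number (float)
    if isinstance(decoded, str):
        return ("string", decoded)         # "42" -> string 42, quotes dropped
    if isinstance(decoded, list):
        return ("array", decoded)
    return ("map", decoded)

def parse_param_args(argv):
    """Collect every '-param key=value' pair from an argument list."""
    params, args = {}, iter(argv)
    for arg in args:
        if arg != "-param":
            continue
        pair = next(args, "")
        key, sep, raw = pair.partition("=")  # split on the first '=' only
        if not key or not sep:
            raise ValueError("-param expects key=value, got %r" % pair)
        params[key] = parse_cli_value(raw)
    return params

def type_mismatches(params, expected):
    """Names that are missing or whose parsed kind differs from the expected one."""
    return sorted(name for name, kind in expected.items()
                  if name not in params or params[name][0] != kind)

# Constructed sample: argv as the CLI receives it, after the shell removed its own quoting.
SAMPLE_ARGV = ["apply", "-param", "limit=42", "-param", 'owner="42"',
               "-param", "ids=[1, 2]", "-param", 'tags={"a": "b"}',
               "-param", "env=prod", "policy.sentinel"]

if __name__ == "__main__":
    for name, (kind, value) in parse_param_args(SAMPLE_ARGV).items():
        print(name, kind, value)
```

When the command is typed in a POSIX shell, -param owner="42" reaches the CLI as owner=42, which is a number; write -param 'owner="42"' so the inner quotes survive and the value stays a string.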