HCP Terraform and Terraform Enterprise use Sentinel to enforce policy on Terraform configurations, states, and plans.
The Sentinel integration with Terraform runs within HCP Terraform and Terraform Enterprise after a terraform plan and before a terraform apply. The policies have access to the created plan, the state at the time of the plan, and the configuration at the time of the plan.
The Terraform integration with Sentinel is documented in depth in the HCP Terraform and Terraform Enterprise documentation. Please read that page for full documentation. This page will only show basic examples.
Examples
Example: All AWS instances must have a tag
    import "tfplan"

    main = rule {
        all tfplan.resources.aws_instance as _, instances {
            all instances as _, r {
                (length(r.applied.tags) else 0) > 0
            }
        }
    }
Example: Only allow GCP instance sizes smaller than n1-standard-16
    import "tfplan"

    allowed_machine_types = [
        "n1-standard-1",
        "n1-standard-2",
        "n1-standard-4",
        "n1-standard-8",
    ]

    main = rule {
        all tfplan.resources.google_compute_instance as _, instances {
            all instances as _, r {
                r.applied.machine_type in allowed_machine_types
            }
        }
    }
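The tag example above only requires that some tag exists. The following policy is an added example, not taken from the HashiCorp documentation: it requires specific tag keys on every aws_instance and skips resources the plan will destroy, using the same legacy tfplan import as the examples above. The required_tags list and the helper function names are assumptions constructed for this example.

```sentinel
import "tfplan"

# Tag keys every aws_instance must carry (constructed for this example).
required_tags = ["Owner", "Environment"]

# Return the required tag keys that are absent from one planned resource.
# "else {}" covers resources with no tags attribute, as "else 0" does above.
missing_tags = func(r) {
    tags = r.applied.tags else {}
    return filter required_tags as t { t not in keys(tags) }
}

# Collect every aws_instance resource across all resource names and indexes.
# "else {}" keeps the policy passing when the plan contains no aws_instance.
all_instances = func() {
    by_name = tfplan.resources.aws_instance else {}
    result = []
    for by_name as _, instances {
        for instances as _, r {
            append(result, r)
        }
    }
    return result
}

# Pass only if each instance that will still exist after apply has every
# required tag key; resources being destroyed are not checked.
main = rule {
    all all_instances() as r {
        r.destroy or length(missing_tags(r)) is 0
    }
}
```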