Terraform Learning Resources: Getting Started with Sentinel in Terraform Cloud

Aug 28, 2019 | Rachel Sharp

The Sentinel governance feature in Terraform Cloud allows you to enable logic-based policy decisions and enforce best practices in your organization. We are excited to announce a new Sentinel Getting Started track on HashiCorp Learn to help you use Sentinel in your Terraform Cloud workflow.

» An introduction to Sentinel with Terraform Cloud

Sentinel is a tool for preventing mistakes and placing guardrails around operations in your organization. Without it, you may find that accidental charges for large EC2 Instances, improperly configured Security Groups, or under-utilized resources are harder to track and prevent.

An example of a standard TFC workflow without Sentinel

Without Sentinel, it is the job of the operator to ensure their resource configuration adheres to the organization's standards.

A workflow with Sentinel

With Sentinel in Terraform Cloud, the operator will not be allowed to create resources that deviate from the defined parameters of your organization's Sentinel policy. If you would like to learn how to get started with Sentinel in Terraform Cloud, the HashiCorp Learn platform now has a Sentinel Getting Started track with hands-on guides for implementing Policy-As-Code in your organization.

» What You'll Learn

The Sentinel Getting Started track on the Learn platform will teach new users:

  • Policy vocabulary
  • How to build policies
  • How to create policy sets
  • Mocking and testing policies with the Sentinel Simulator
  • How to use the Terraform Sentinel Provider

The Sentinel Simulator is featured heavily to run tests and mock data, so be sure to download it here.

For an example of how the Sentinel Simulator works, let's start by looking at a real Sentinel policy:

# Declare a variable named hour with the value 4
hour = 4
# The main rule passes when hour is between 0 (inclusive) and 12 (exclusive)
main = rule { hour >= 0 and hour < 12 }

The first line of this example declares a variable named hour with the value 4. The second line declares a rule that returns true if hour is between 0 and 12.

This policy can be applied using Sentinel Simulator to determine whether this policy passed or failed. Save this file as policy.sentinel and run the Sentinel Simulator against it.

$ sentinel apply policy.sentinel

You should receive an output of PASS from this command. Check out the guide to find out why!
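As an added example (not from the original post or from HashiCorp's Learn guides), here is a policy in the same form that encodes the two standards mentioned earlier, instance size and Security Group configuration, against constructed sample data. The resource maps and field names are assumptions standing in for what the tfplan import would supply in Terraform Cloud.

```sentinel
# Added example, not code from the original post. The data below is
# constructed inline so the Sentinel Simulator can evaluate it with no
# Terraform plan; in Terraform Cloud the same values would come from the
# tfplan import (assumed field names).

# Constructed sample of resources an operator is about to create.
instances = {
  "web":   {"instance_type": "t2.micro"},
  "batch": {"instance_type": "m5.24xlarge"},
}

security_groups = {
  "web-sg": {"ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]},
  "ops-sg": {"ingress": [{"from_port": 22,  "cidr_blocks": ["0.0.0.0/0"]}]},
}

# Organization standards: small instance sizes only, and no SSH open to everyone.
allowed_types = ["t2.micro", "t2.small", "t3.micro"]

# Every instance must use an allowed type.
instance_types_allowed = rule {
  all instances as name, inst {
    inst.instance_type in allowed_types
  }
}

# No ingress rule may open port 22 to the whole internet.
no_public_ssh = rule {
  all security_groups as name, sg {
    all sg.ingress as ingress_rule {
      not (ingress_rule.from_port is 22 and "0.0.0.0/0" in ingress_rule.cidr_blocks)
    }
  }
}

# main passes only when every standard is met. With the sample data above both
# rules are violated, so the policy evaluates to FAIL.
main = rule {
  instance_types_allowed and no_public_ssh
}
```

Saving this as policy.sentinel and running `sentinel apply -trace policy.sentinel` reports FAIL and prints which of the two rules rejected the data.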

» New Sentinel Features

For those familiar with Sentinel, the Governance team is excited to announce that managing policies is even easier in Sentinel with VCS-integrated Policy Sets.

Instead of managing single policies one by one, Sentinel now allows organizations to manage policies in VCS repositories and instantly enforce them across as many Terraform Cloud workspaces as necessary. To learn more about this new feature, visit the HashiCorp Learn platform to see it in action.
