What is Policy as Code with Sentinel in Terraform?
Answer
Sentinel is HashiCorp's policy-as-code framework embedded in Terraform Cloud/Enterprise. Policies are Go-like rules evaluated between plan and apply; if a policy fails, the apply is blocked. Example policy (a policy must expose a rule named main, which is the rule Terraform Cloud evaluates; resources being destroyed are excluded because their change.after is null):

    import "tfplan/v2" as tfplan

    # Every aws_instance that will still exist after the apply
    all_ec2 = filter tfplan.resource_changes as _, rc {
        rc.type == "aws_instance" and
        rc.change.after is not null
    }

    # Each instance must carry both mandatory tag keys
    require_tags = rule {
        all all_ec2 as _, instance {
            instance.change.after.tags contains "Environment" and
            instance.change.after.tags contains "Owner"
        }
    }

    main = rule { require_tags }

Enforcement levels: advisory (warn only), soft-mandatory (overridable by approved users), hard-mandatory (never overridable). Common policies: require specific tags, deny resources in unapproved regions, enforce encryption on storage, require minimum security group rules. OPA (Open Policy Agent) with Conftest is the open-source alternative for Sentinel-like checks in any CI system without Terraform Cloud.
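As an added example (not from the original answer or from HashiCorp), the following policy implements the "enforce encryption on storage" case from the list above, and shows two details a production policy needs: skipping destroyed resources (whose change.after is null) and handling attributes that are absent from the plan because they are computed. It assumes the tfplan/v2 import and the aws_ebs_volume resource type with its encrypted attribute; the resource selection and messages are constructed for illustration.

```sentinel
import "tfplan/v2" as tfplan

# Only managed aws_ebs_volume resources that will exist after the apply
# (create or update); deleted resources have change.after == null and
# would make attribute access fail.
ebs_volumes = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_ebs_volume" and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or
     rc.change.actions contains "update")
}

# `encrypted` is Optional+Computed on aws_ebs_volume, so when it is not set
# in config the key is missing from change.after and evaluates to undefined.
# The `else` operator turns undefined into false so the check fails closed.
violations = filter ebs_volumes as _, v {
    (v.change.after.encrypted else false) is not true
}

# Print each offending address so the run log explains the failure.
# print() returns true, so this helper can be used inside the rule.
report_violations = func() {
    for violations as address, _ {
        print("Policy violation:", address, "must set encrypted = true")
    }
    return true
}

main = rule {
    report_violations() and length(violations) is 0
}
```

Save this as, for example, require-ebs-encryption.sentinel in a policy set; the enforcement level is chosen per policy in the policy set's sentinel.hcl (policy block with enforcement_level set to "advisory", "soft-mandatory" or "hard-mandatory"), not in the policy file itself.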