Sentinel Policies
Imagine your Lego city is thriving, but now the mayor (your company) sets rules:
- “Every building must have fire exits.”
- “No skyscraper taller than 50 floors in the residential zone.”
- “Parks must always include green space.”
Terraform Cloud enforces such rules using Sentinel policies. Sentinel is a policy‑as‑code framework that checks your Terraform plans against compliance rules before applying them. This ensures infrastructure changes are not only functional but also secure, compliant, and aligned with organizational standards.
Key Concepts
1. What is Sentinel?
- Sentinel = Policy‑as‑Code framework by HashiCorp.
- Runs after Terraform produces a plan and before apply, so it evaluates the planned changes, not the live infrastructure.
- Blocks non‑compliant changes before they reach production.
2. Sentinel Policy Workflow
- Developer pushes Terraform code.
- Terraform Cloud runs plan.
- Sentinel evaluates the plan against policies.
- If compliant → proceed to apply.
- If non‑compliant → run is blocked.
3. Example Policies
Region Restriction Policy:
import "tfplan"

// The legacy tfplan import nests resources as type -> name -> index, and the
// planned attribute values live under .applied, so iterate both levels.
main = rule {
    all tfplan.resources.aws_instance as _, instances {
        all instances as _, instance {
            instance.applied.region is "us-east-1"
        }
    }
}
→ Ensures resources are deployed only in approved regions.
Instance Size Policy:
import "tfplan"

// Same nesting as above: name map, then index map, then .applied values.
main = rule {
    all tfplan.resources.aws_instance as _, instances {
        all instances as _, instance {
            instance.applied.instance_type in ["t2.micro", "t3.medium"]
        }
    }
}
→ Blocks oversized instances in dev environments.
S3 Bucket Encryption Policy:
import "tfplan"

// Iterate every planned aws_s3_bucket and require encryption on each one.
main = rule {
    all tfplan.resources.aws_s3_bucket as _, buckets {
        all buckets as _, bucket {
            bucket.applied.encryption.enabled is true
        }
    }
}
→ Ensures all S3 buckets have encryption enabled.
Hands‑On Lab / Demo
Lab: Writing a Sentinel Policy
- Create a new policy file enforce-encryption.sentinel.
- Upload policy to Terraform Cloud workspace.
- Push Terraform code with a non‑encrypted bucket.
- Sentinel blocks the run → compliance enforced.
Contents of enforce-encryption.sentinel:
import "tfplan"

// Fail the run if any planned S3 bucket does not have encryption enabled.
main = rule {
    all tfplan.resources.aws_s3_bucket as _, buckets {
        all buckets as _, bucket {
            bucket.applied.encryption.enabled is true
        }
    }
}
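The check that Sentinel performs between plan and apply, recreated locally as an added Python example (not part of the original page, and not Sentinel itself): it reads the JSON that `terraform show -json` emits for a saved plan and applies the three example policies and the lab's encryption rule to a constructed sample plan. The attribute names (`region`, `encryption.enabled`) follow the page's examples and are assumed to appear in the plan output.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the checks read: one compliant instance, one unencrypted bucket, and
# one instance being destroyed (its "after" is null and must be ignored).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance", "change": {
        "actions": ["create"],
        "after": {"instance_type": "t3.medium", "region": "us-east-1"}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
        "actions": ["create"], "after": {"encryption": {"enabled": False}}}},
    {"address": "aws_instance.old", "type": "aws_instance", "change": {
        "actions": ["delete"], "before": {"instance_type": "m5.24xlarge"},
        "after": None}},
]})

ALLOWED_REGIONS = {"us-east-1"}
ALLOWED_TYPES = {"t2.micro", "t3.medium"}

def planned_resources(plan, rtype):
    """Yield (address, after-state) for each resource of `rtype` that will
    exist after apply. Deletions carry `after: null` and are skipped."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") == rtype and after is not None:
            yield rc["address"], after

def check_plan(plan_json):
    """Apply the page's rules to a plan; return one message per violation.
    An empty list means the run may proceed to apply. A missing attribute
    counts as a violation, so the check fails closed."""
    plan = json.loads(plan_json)
    violations = []
    for addr, inst in planned_resources(plan, "aws_instance"):
        if inst.get("region") not in ALLOWED_REGIONS:
            violations.append(f"{addr}: region {inst.get('region')!r} "
                              f"not in {sorted(ALLOWED_REGIONS)}")
        if inst.get("instance_type") not in ALLOWED_TYPES:
            violations.append(f"{addr}: instance_type "
                              f"{inst.get('instance_type')!r} not in {sorted(ALLOWED_TYPES)}")
    for addr, bucket in planned_resources(plan, "aws_s3_bucket"):
        if not (bucket.get("encryption") or {}).get("enabled", False):
            violations.append(f"{addr}: encryption not enabled")
    return violations

if __name__ == "__main__":
    problems = check_plan(SAMPLE_PLAN)
    for p in problems:
        print("BLOCKED:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit blocks the pipeline
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `check_plan`; the non-zero exit is what a CI step would use to stop before apply.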
Pro Tips & Best Practices
- Write policies for critical compliance areas (security, cost, governance).
- Keep policies simple and focused.
- Test policies in staging before enforcing in production.
- Document policies for your team.
- Combine Sentinel with RBAC for stronger governance.
Summary & Cheatsheet
- Sentinel = Policy‑as‑Code for Terraform Cloud.
- Workflow: Push → Plan → Policy check → Apply/Block.
- Examples: Encryption, instance size, region restrictions.
- Best practice: Keep policies simple, test before production, document clearly.
Quick mnemonic: Sentinel = Guardrails for Infrastructure
The Hackers Notebook
Sentinel policies are Terraform Cloud’s compliance enforcers. They ensure infrastructure changes meet organizational standards before they’re applied, protecting against misconfigurations and security risks. With Sentinel, your infrastructure is not only automated but also governed by rules you define.
