How to write Sentinel policies

Hi @bruun963,

You’ll find many examples of Sentinel policies for Terraform here: https://github.com/hashicorp/terraform-guides/tree/master/governance.

If you’re using Terraform 0.12, then I recommend looking at the third-generation policies which use the new Terraform Sentinel v2 imports such as tfplan/v2: https://www.terraform.io/docs/cloud/sentinel/import/tfplan-v2.html. These policies use a number of useful Sentinel functions that are in Sentinel modules and minimize the need for complex Sentinel language elements such as if/else conditionals and for loops in the actual policies.

If you’re using Terraform 0.11, then I recommend you look at the second-generation policies which use the older Terraform Sentinel imports and do not use Sentinel modules.

As far as restricting the region of VMs, it is possible to do it with the tfconfig import, which has information about the providers. But if you’re using AWS, it is actually easier to restrict the availability zones instead of the regions using the tfplan import. The following third-generation policy restricts AWS availability zones: https://github.com/hashicorp/terraform-guides/blob/master/governance/third-generation/aws/restrict-availability-zones.sentinel

Roger Berlind

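As an added illustration of the availability-zone approach described in the reply above, here is a self-contained policy written against the tfplan/v2 import. It is example code added here, not the policy from the terraform-guides repository or Roger's own code, and it deliberately avoids the tfplan-functions module so every step is visible. It assumes Terraform 0.12 or later with the tfplan/v2 import available (Terraform Cloud/Enterprise), and the allow-list `allowed_zones` is an assumed value to replace with your own.

```sentinel
# Added example policy (not from the original post or the terraform-guides
# repository). Restricts the availability zones of aws_instance resources
# using the tfplan/v2 import without the tfplan-functions module.
import "tfplan/v2" as tfplan

# Assumed allow-list; replace with the zones your organization permits.
allowed_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]

# Managed aws_instance resources the plan will create or update.
# Deleted resources are skipped: there is no "after" state to check.
instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Instances whose availability_zone is known at plan time and not allowed.
# A present-but-null value also fails the "not in" check, which is the
# fail-closed behaviour we want.
violators = filter instances as _, rc {
	"availability_zone" in keys(rc.change.after) and
	rc.change.after.availability_zone not in allowed_zones
}

# Instances whose availability_zone is only known after apply (for example,
# inferred from subnet_id). Such values are omitted from change.after and
# flagged in change.after_unknown, so the policy cannot validate them.
unknown_zone = filter instances as _, rc {
	"availability_zone" not in keys(rc.change.after)
}

# Report each problem so the run log explains why the policy failed.
for violators as address, rc {
	print("Resource", address, "has availability_zone",
	      rc.change.after.availability_zone, "which is not in", allowed_zones)
}
for unknown_zone as address, _ {
	print("Resource", address, "has an availability_zone that is not known",
	      "until apply; set it explicitly so the policy can check it")
}

# Fail closed: a zone the policy cannot see is treated as a violation.
main = rule {
	length(violators) is 0 and length(unknown_zone) is 0
}
```

The second filter is the caveat worth keeping in mind: anything Terraform only computes during apply (here, an availability zone derived from a subnet) never appears in `change.after`, so a policy that only inspects `after` would silently pass it. Treating unknown values as violations forces the author to declare the zone explicitly, which is what makes the restriction enforceable at plan time.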