Sentinel on TF Enterprise Assign Param multiple values

I am trying to understand how to assign a parameter multiple values.

we have multiple TFE orgs, however only 2 of the orgs are sharing modules with the rest of the TFE.

Would my mock file be like this?

param “organization” {
value = “TFE-Org1-shared, TFE-Org2-shared”

currently my mock test will fail if I have both TFE-Org1-shared, TFE-Org2-shared. If I have just TFE-Org2-shared in my pass/fail case it works.

How do I sent multiple values for this, I am not sure what the correct syntax is.


Can you share a policy example with some mocks in the Sentinel playground that we can review? It’s hard to provide a response without more context about the policy logic.

Hey Frank-

If you set the value like is provided, it will treat the entire value as a single string.
If you want multiple valid values for a single param name, consider using a List or Map. You can then check against each of the values to determine whether a given run is valid.

# ["TFE-Org1-shared","TFE-Org2-shared"]
param allowed_organizations

run_org_in_allowlist = allowed_organizations contains
print("Run in allowed org list:", run_org_in_allowlist)

Here is the full example that checks that a given run’s org is in a specific list of approved orgs(provided as a param):

I’m guessing at the context here- if this doesn’t answer your question, please provide your mock and policy using


I am not exactly sure what you mean @sean.meininger

In my mock pass and fail I have
param “organization” {
value = “TFE-Org1-shared”, “TFE-Org1-shared”

below is the policy I created, hope this helped.

# This policy uses the tfconfig/v2 import to require that all non-root modules come from the approved registries.

# Import the tfconfig/v2 import, but use the alias "tfconfig"
import "tfconfig/v2" as tfconfig
import "tfconfig-functions" as config
import "tfrun-functions" as tfrun

# Standard strings import
import "strings"

### Parameters ###
# The address of the TFC or TFE server
param tfe_host
# The organization on the TFC or TFE server
param organization

# Find modules called from root module that are not from approved registries
violatingMCs = filter tfconfig.module_calls as index, mc {
  mc.module_address is "" and
  not strings.has_prefix(mc.source, "" + organization) and
  not strings.has_prefix(mc.source, tfe_host + "/" + organization) and
  not strings.has_prefix(, "selfservice") and
  not strings.has_prefix(mc.source, "./modules/") and
  not (mc.source is "Azure/caf-enterprise-scale/azurerm") and
  not (strings.has_prefix(mc.source, "terraform-google-modules") and strings.has.suffix(mc.source, "google")) and
  not strings.has_prefix(mc.module_address, "module.")

# Print violation messages for invalid modules
if length(violatingMCs) > 0 {
  print("All modules called from the root module must come from approved registries")
  for violatingMCs as tfe_host, mc {
    print("The module",, "called from the root module has source",

# Find resources and data sources in root module
rootModuleResources = filter tfconfig.resources as address, r {
  #r.module_address is "" and 
  strings.has_prefix(r.module_address, "module.nonprod_wf_") and
  strings.has_prefix(r.module_address, "module.sandbox_wf_") and 
  strings.has_prefix(r.module_address, "module.prod_wf_") 

# Print violation messages for root module resources and data sources
if length(rootModuleResources) > 0 and not tfrun.is_destroy {
  print("Resources and data sources are not allowed in the root module.")
  print("Your root module has", length(rootModuleResources), "resources and", "data sources.")

# Main rule
validated = (length(violatingMCs) is 0 and length(rootModuleResources) is 0)

main = rule {
 validated is true

My sentinel CLI won’t even let me configure my param values like this.

Can you provide an example mock on the playground to test against?

You can still accomplish this by using a list param and iterating over it. Without seeing what you’re testing this policy against, I can’t really help provide specifics on how to get what you’re after.