TF Attributes or Plan Attributes?

I’m writing some Sentinel policies and have been using the TF docs to get the attributes for searching, etc. I ran into an issue and now think I may be doing this wrong. Should I instead be using the attributes in the plan? If so, which block do I use to get the attributes (planned_values, resource_changes, or configuration)?

Hi @wblanchard-concurren.

I recommend using the resource_changes collection in the tfplan/v2 import so you can prevent your policy from being applied when a resources is being permanently deleted. This is what I do in the find_resources() function in the hashicorp/terraform-guides repository that has a lot of good sample Sentinel policies and functions for use with Terraform Cloud and Terraform Enterprise under governance/third-generation. You can probably write 90% or more of the Sentinel policies you’ll want to write for TFC/E by calling the functions I’ve written in the tfplan-functions Sentinel module without having to use more complex Sentinel language elements like for loops and if/else conditionals.

I think you might also find the following documents useful:

And if you would like to do some hands-on exercises to learn how to write and test Sentinel policies for Terraform using the common-functions mentioned above, see the Sentinel for Terraform v3 workshop slides in which you’ll find links to 2 Instruqt tracks that contain that workshop’s labs.

I hope that helps,
Roger Berlind
Global Technology Specialist

1 Like

Hey @rberlind Thanks for the links. I’ve reviewed all of those and was hoping for something a little more in-depth like The Java® Language Specification (

Hi @wblanchard-concurren,

The most detailed document on the Sentinel language is

I might be able to provide better guidance if you describe the actual issue you are having.


Hey @rberlind ,

Just trying to get up to speed as quickly as possible as well as understand the limitations of Sentinel so I don’t overpromise.