Using Sentinel outside TFE

I know Sentinel comes integrated in TFE, but is it possible to run Sentinel outside TFE?

While my institution does have TFE, we have some use cases where we run Terraform provisioning directly through CI/CD pipelines. Ideally, we would like to leverage Sentinel to enforce the policies too.

There’s a blog illustrating the use of Sentinel CLI to pull this off:

But I’m not exactly sure how Sentinel CLI would know about the existence of the generated plan to do the policy check, since there’s no such thing as mock data outside of TFE.

Is this doable? Thank you.

@choonchernlim, unfortunately this is not possible, as the Sentinel CLI is built to mimic policy behavior in TFE via mock data.

Have you tried Remote Operations in Terraform? I use this quite a bit when I don’t want to go down the VCS-backed workspace route.


Hmm… I assume if I use remote operations, then the state must be managed in a TFE workspace too? Currently, with our non-TFE work, the states are stored remotely in Google storage buckets.

Correct, state will be managed via TFE.
