Using Sentinel outside TFE

choonchernlim · December 16, 2020, 8:59pm

I know Sentinel comes integrated in TFE, but is it possible to run Sentinel outside TFE?

While my institution does have TFE, we have some use cases where we run Terraform provisioning directly through CI/CD pipelines. Ideally, we would like to leverage Sentinel to enforce the policies too.

There’s a blog illustrating the use of Sentinel CLI to pull this off:

But, I’m not exactly sure how Sentinel CLI would know the existence of the generated plan to do the policy check since there’s no such thing as mock data outside of TFE.

Is this doable? Thank you.

hcrhall · December 16, 2020, 9:14pm

@choonchernlim, unfortunately this is not possible as the Sentinel CLI is built to mimic policy behavior in TFE via mock data.

Have you tried Remote Operations in Terraform? I use this quite a bit when I don’t want to go down the VCS backed workspace route.

choonchernlim · December 16, 2020, 10:12pm

Hmm… I assume if I use remote operations, then the state must be managed in TFE workspace too? Currently, with our non-TFE work, the states are stored remotely in Google storage buckets.

hcrhall · December 16, 2020, 10:18pm

Correct, state will be managed via TFE.

Topic		Replies	Views
Using Sentinel without Terraform Cloud plus or enterprise Sentinel	2	715	October 26, 2023
Does anybody have a good development workflow for Sentinel Policies? Sentinel	1	429	May 4, 2022
Local Execution Mode Enforcement Sentinel	3	1006	December 13, 2021
Using `sentinel apply` cli to develop new policies by testing against real tf configs Sentinel	1	463	September 14, 2021
Run sentinel checks on modules HCP Terraform	3	71	January 18, 2025

Using Sentinel outside TFE

Related topics