HashiCorp Sentinel is a policy-as-code engine used to enforce governance, compliance, and security across Terraform, Vault, Nomad, Consul, and other HashiCorp products. Sentinel allows organizations to define rules that must be followed before infrastructure changes are applied. These rules are written in Sentinel’s policy language and applied automatically during plan or apply phases of IaC workflows.
Understanding Sentinel in DevSecOps
Sentinel enforces compliance at the infrastructure layer. It prevents insecure or non-compliant Terraform configurations from being deployed. It provides fine-grained, logic-based controls over:
• Terraform resources
• cloud infrastructure
• IAM and identity configurations
• networking policies
• Vault access rules
• Consul service meshes
• Nomad workloads
Sentinel ensures every IaC change follows organizational policy.
How Sentinel Works
Sentinel evaluates policies using three components:
Policy
Defines rules using Sentinel language.
Imports
Provide structured data from Terraform/Terraform Cloud, Vault, Consul, or Nomad.
Example: tfplan/v2, tfconfig/v2.
Enforcement Levels
Define how strictly a failing policy is enforced:
• advisory – warn only; the run continues
• soft mandatory – the failure blocks the run, but an authorized user can override it
• hard mandatory – the failure blocks the run and cannot be overridden
Sentinel evaluates policies before applying infrastructure changes.
Sentinel Lifecycle in Terraform
When using Terraform Enterprise or Terraform Cloud, the Sentinel workflow is:
1. Run Terraform plan
2. Terraform exports structured plan data
3. Sentinel loads policies
4. Policies evaluate the plan against compliance rules
5. Based on enforcement level:
   • allow
   • warn
   • block
6. Only compliant infrastructure is deployed
This creates a preventive control mechanism.
Why Sentinel Matters in Compliance as Code
Sentinel provides compliance for:
• cloud governance
• cost controls
• resource restrictions
• network segmentation
• PCI/GDPR/ISO policies
• data protection rules
• IAM security
• secret management policies
Sentinel lets organizations embed all compliance logic directly into code pipelines.
Sentinel Policy Structure
A Sentinel policy includes:
• rules
• conditions
• boolean logic
• failure messages
Example basic rule:
main = rule { false }
This policy fails every run. A deny-by-default policy starts from false and only returns true when the conditions you add are met.
More realistic example (tfplan/v2 exposes the plan as resource_changes keyed by address, so the policy first filters the resources it cares about):
import "tfplan/v2" as tfplan

# aws_instance resources that will exist after the plan is applied
instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all instances as _, inst {
		inst.change.after.tags is not null and "owner" in keys(inst.change.after.tags)
	}
}
This enforces the owner tag on all EC2 instances being created or updated.
Key Sentinel Imports
tfconfig/v2
Reads Terraform configurations (HCL).
tfplan/v2
Reads Terraform plan data:
• resources
• changes
• variable values
• outputs
tfstate/v2
Reads existing infrastructure state.
These imports enable deep compliance checks.
Common Sentinel Compliance Rules
• require specific tags
• block public S3 buckets
• limit instance sizes
• enforce encryption
• restrict open security groups
• enforce private networking only
• restrict allowed AWS regions
• enforce version pinning
• block unapproved Terraform modules
• require logging to CloudTrail
• enforce Vault secret TTL rules
Sentinel allows highly customized logic.
Full-Length Practical Section
Hands-on Sentinel tasks for Terraform and DevSecOps compliance.
Practical 1: Install Sentinel Locally
Download the release archive and its checksum file (SENTINEL_VERSION is a placeholder for the release you want, e.g. one listed at https://releases.hashicorp.com/sentinel/):
export SENTINEL_VERSION=<version>
curl -sSLO "https://releases.hashicorp.com/sentinel/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_linux_amd64.zip"
curl -sSLO "https://releases.hashicorp.com/sentinel/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS"
sha256sum --check --ignore-missing "sentinel_${SENTINEL_VERSION}_SHA256SUMS"
unzip "sentinel_${SENTINEL_VERSION}_linux_amd64.zip"
Place the binary on the PATH:
chmod +x sentinel
sudo mv sentinel /usr/local/bin/
Verify:
sentinel version
Practical 2: Create a Basic Sentinel Policy
Create policy.sentinel:
main = rule { true }
Test:
sentinel apply policy.sentinel
The output reports that the policy passed.
Practical 3: Test Policy Failure
Change the rule in policy.sentinel:
main = rule { false }
Run:
sentinel apply policy.sentinel
The policy now fails and the command exits non-zero, which is what a CI job keys on.
Practical 4: Use Terraform Mock Data for Sentinel Testing
Create a mock of the tfplan/v2 import. A mock is a Sentinel file that assigns the import's top-level keys (resource_changes, variables, terraform_version, ...) to sample data; Terraform Cloud can generate one from a real run, or you can write it by hand:
test/policy/mock-tfplan-v2.sentinel
Create a test case next to it that loads the mock and states the expected result of each rule:
test/policy/pass.hcl
mock "tfplan/v2" {
  module {
    source = "mock-tfplan-v2.sentinel"
  }
}

test {
  rules = {
    main = true
  }
}
Run the test suite (sentinel test looks for test/<policy name>/*.hcl next to the policy):
sentinel test policy.sentinel
Allows offline testing without a Terraform run; a fail.hcl case with main = false documents what the policy must reject.
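A constructed mock of the tfplan/v2 import, added here as an example rather than taken from the original page or from a Terraform run. Mocks are Sentinel data files, so this one is written in Sentinel and follows the resource_changes layout of Terraform's JSON plan format. It contains one compliant instance, one instance that deliberately lacks an owner tag and is oversized, and a security group that opens ports 443 and 22 to the world, so the policies in the later practicals have something to pass and to fail on. Every ID, name and tag value is made up.

```sentinel
# Constructed mock of the tfplan/v2 import (added example, not generated from a real run).
# Save as test/policy/mock-tfplan-v2.sentinel and load it from a test .hcl file.
terraform_version = "1.5.7"

variables = {
	"environment": {"name": "environment", "value": "dev"},
}

resource_changes = {
	# Compliant: tagged with owner, small instance type, private subnet
	"aws_instance.web": {
		"address":        "aws_instance.web",
		"module_address": "",
		"mode":           "managed",
		"type":           "aws_instance",
		"name":           "web",
		"provider_name":  "registry.terraform.io/hashicorp/aws",
		"index":          null,
		"deposed":        "",
		"change": {
			"actions": ["create"],
			"before":  null,
			"after": {
				"instance_type": "t3.micro",
				"subnet_id":     "subnet-private-0a1b2c3d",
				"tags":          {"Name": "web", "owner": "platform-team"},
			},
			"after_unknown": {"id": true, "arn": true, "private_ip": true},
		},
	},
	# Deliberately non-compliant: no owner tag, m5 instance type, public subnet
	"aws_instance.batch": {
		"address":        "aws_instance.batch",
		"module_address": "",
		"mode":           "managed",
		"type":           "aws_instance",
		"name":           "batch",
		"provider_name":  "registry.terraform.io/hashicorp/aws",
		"index":          null,
		"deposed":        "",
		"change": {
			"actions": ["create"],
			"before":  null,
			"after": {
				"instance_type": "m5.large",
				"subnet_id":     "subnet-public-9f8e7d6c",
				"tags":          {"Name": "batch"},
			},
			"after_unknown": {"id": true, "arn": true, "private_ip": true},
		},
	},
	# Security group: 443 open to the world (often acceptable), 22 open to the world (not)
	"aws_security_group.web": {
		"address":        "aws_security_group.web",
		"module_address": "",
		"mode":           "managed",
		"type":           "aws_security_group",
		"name":           "web",
		"provider_name":  "registry.terraform.io/hashicorp/aws",
		"index":          null,
		"deposed":        "",
		"change": {
			"actions": ["create"],
			"before":  null,
			"after": {
				"name":   "web",
				"vpc_id": "vpc-0123456789abcdef0",
				"ingress": [
					{"from_port": 443, "to_port": 443, "protocol": "tcp",
						"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]},
					{"from_port": 22, "to_port": 22, "protocol": "tcp",
						"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
				],
				"egress": [],
			},
			"after_unknown": {"id": true, "arn": true},
		},
	},
}
```

Reference it from test/policy/pass.hcl with mock "tfplan/v2" { module { source = "mock-tfplan-v2.sentinel" } }; because the second instance and the port-22 rule are non-compliant on purpose, the tag, size, subnet and security-group policies from the practicals should each be expected to return main = false against this mock, which is the useful assertion for a fail case.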
Practical 5: Enforce Owner Tags for All Resources
Policy:
import "tfplan/v2" as tfplan

# Managed resources being created or updated; a resource with no tags attribute fails closed
changed = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all changed as _, rc {
		rc.change.after.tags is not null and "owner" in keys(rc.change.after.tags)
	}
}
Test against the mock plan with sentinel test.
Practical 6: Enforce Encryption on S3 Buckets
import "tfplan/v2" as tfplan

buckets = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_s3_bucket" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Nested blocks appear as lists in plan data, so test for an empty list rather than null
main = rule {
	all buckets as _, bucket {
		length(bucket.change.after.server_side_encryption_configuration else []) > 0
	}
}
Prevents unencrypted buckets. With AWS provider 4.x and later the encryption settings live in the separate aws_s3_bucket_server_side_encryption_configuration resource, so the rule there should require one such resource per bucket instead.
Practical 7: Block Open Security Groups
import "tfplan/v2" as tfplan

security_groups = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_security_group" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# "rule" is a Sentinel keyword, so the loop variable is named ingress
main = rule {
	all security_groups as _, sg {
		all sg.change.after.ingress as ingress {
			ingress.cidr_blocks not contains "0.0.0.0/0"
		}
	}
}
Rejects ingress rules open to 0.0.0.0/0 (IPv6 ::/0 and standalone aws_security_group_rule resources need their own checks).
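The Policy Structure section lists failure messages among a policy's parts, and Practical 7 checks only IPv4 0.0.0.0/0 on inline ingress blocks. The following added example (not from the original page) generalizes that check: it also covers IPv6 ::/0 and standalone aws_security_group_rule resources, allows a single documented exception (public HTTPS on port 443, an assumption made for this example), and collects one message per violating resource and prints it so a failing run explains itself. It assumes the tfplan/v2 import and the hashicorp/aws provider's attribute names; find_resources, as_list, cidrs_of, is_open_to_world and is_allowed_public are helper names chosen here.

```sentinel
# Added example policy (not from the original page). Assumes the tfplan/v2 import
# and the attribute names of the hashicorp/aws security group resources.
import "tfplan/v2" as tfplan

# Assumption for this example: public HTTPS is the only documented exception
allowed_public_ports = [443]
anywhere = ["0.0.0.0/0", "::/0"]

# Managed resources of one type that will exist after this plan is applied
find_resources = func(type) {
	resources = filter tfplan.resource_changes as _, rc {
		rc.type is type and
		rc.mode is "managed" and
		(rc.change.actions contains "create" or rc.change.actions contains "update")
	}
	return resources
}

# Treat a null list attribute as empty (callers handle undefined with "else")
as_list = func(v) {
	if v is null {
		return []
	}
	return v
}

# All CIDR ranges, IPv4 and IPv6, that an ingress rule accepts traffic from
cidrs_of = func(r) {
	return as_list(r.cidr_blocks else []) + as_list(r.ipv6_cidr_blocks else [])
}

is_open_to_world = func(r) {
	return any cidrs_of(r) as c { c in anywhere }
}

# A single-port rule on an allow-listed port; port ranges and protocol "-1" never qualify
is_allowed_public = func(r) {
	return r.from_port == r.to_port and r.from_port in allowed_public_ports
}

violations = []

# Inline ingress blocks on aws_security_group
for find_resources("aws_security_group") as address, sg {
	for as_list(sg.change.after.ingress else []) as r {
		if is_open_to_world(r) and (not is_allowed_public(r)) {
			append(violations, address + ": ingress " + string(r.from_port) + "-" +
				string(r.to_port) + "/" + r.protocol + " is open to the world")
		}
	}
}

# Standalone aws_security_group_rule resources of type "ingress"
for find_resources("aws_security_group_rule") as address, rc {
	r = rc.change.after
	if r.type is "ingress" and is_open_to_world(r) and (not is_allowed_public(r)) {
		append(violations, address + ": rule " + string(r.from_port) + "-" +
			string(r.to_port) + "/" + r.protocol + " is open to the world")
	}
}

# One line per violation in the run output explains why the policy failed
for violations as v {
	print("VIOLATION: " + v)
}

main = rule {
	length(violations) is 0
}
```

Against a mock in which a security group opens port 443 and port 22 to 0.0.0.0/0, the run prints a single VIOLATION line for the port-22 rule and main evaluates to false; the 443 rule is accepted because it is a single port on the allow-list. Keeping the allow-list as data at the top of the policy makes the exception reviewable in the same pull request as the rule.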
Practical 8: Restrict EC2 Instance Types
import "tfplan/v2" as tfplan

allowed = ["t3.micro", "t3.small"]

instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all instances as _, inst { inst.change.after.instance_type in allowed }
}
Prevents oversized instances.
Practical 9: Require Private Subnets Only
import "tfplan/v2" as tfplan

instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all instances as _, inst { inst.change.after.subnet_id matches "private-" }
}
This only works when the subnet ID is a known literal; a subnet created in the same plan has an unknown ID (listed under after_unknown), so the match is undefined and the rule fails.
Practical 10: Enforce Allowed Regions
import "tfconfig/v2" as tfconfig

allowed_regions = ["us-east-1", "us-west-2"]
aws_providers = filter tfconfig.providers as _, p { p.name is "aws" }

# region must be a literal; a variable reference has no constant_value and fails closed
main = rule {
	all aws_providers as _, p { p.config.region.constant_value in allowed_regions }
}
Practical 11: Block Unapproved Terraform Modules
import "tfconfig/v2" as tfconfig
import "strings"

main = rule {
	all tfconfig.module_calls as _, call {
		strings.has_prefix(call.source, "git::ssh://git.mycompany.com/")
	}
}
Rejects modules from unknown sources.
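Practical 11 checks only the source prefix, while the Common Sentinel Compliance Rules list also names version pinning. The following added example (not from the original page) does both with tfconfig/v2: module sources must start with an approved prefix, Git sources must carry a ?ref= pin, and registry sources must use an exact version_constraint. The approved-prefix list, the registry namespace mycompany, the exact_pin regex and the helper name is_approved are assumptions made for this example.

```sentinel
# Added example policy (not from the original page). Assumes the tfconfig/v2 import.
import "tfconfig/v2" as tfconfig
import "strings"

# Assumed approved sources: the page's internal Git host plus a private registry namespace
approved_sources = [
	"git::ssh://git.mycompany.com/",
	"app.terraform.io/mycompany/",
]

# Exact version pin such as "1.4.2" or "= 1.4.2"; ranges like ">= 1.0" do not match
exact_pin = "^=? ?[0-9]+[.][0-9]+[.][0-9]+$"

is_approved = func(source) {
	return any approved_sources as prefix { strings.has_prefix(source, prefix) }
}

violations = []

for tfconfig.module_calls as address, mc {
	if not is_approved(mc.source) {
		append(violations, address + ": source " + mc.source + " is not approved")
	}

	if strings.has_prefix(mc.source, "git::") {
		# Git sources pin through ?ref=<tag or commit> in the URL
		if mc.source not matches "[?]ref=" {
			append(violations, address + ": git source " + mc.source + " has no ?ref= pin")
		}
	} else {
		# Registry sources pin through version_constraint, which may be absent or null
		constraint = mc.version_constraint else ""
		if constraint is null {
			constraint = ""
		}
		if constraint not matches exact_pin {
			append(violations, address + ": version constraint \"" + constraint +
				"\" is not an exact pin")
		}
	}
}

for violations as v {
	print("VIOLATION: " + v)
}

main = rule {
	length(violations) is 0
}
```

Local modules (sources starting with ./ or ../) are reported as unapproved by this list; add those prefixes if local modules are acceptable in your organization. Pinning by exact version or commit is what makes the module content reproducible, which is why a range constraint is treated as a violation rather than a warning.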
Practical 12: Enforce Vault Secret TTL
import "vault"
main = rule {
vault.secret.ttl <= 3600
}
Ensures ephemeral secrets.
Practical 13: Integrate Sentinel Into Terraform Cloud
In Sentinel policy set:
• attach policy to workspace
• define enforcement mode
• test Terraform run
Terraform Cloud denies non-compliant plans.
Practical 14: Apply Advisory vs Mandatory Policies
Set modes:
• advisory – warns but allows
• soft mandatory – override allowed
• hard mandatory – strict block
Policies gain flexibility across teams.
Practical 15: Build a Cost Control Policy
Block large instance types like r5, m5:
import "tfplan/v2" as tfplan

instances = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_instance" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all instances as _, inst { inst.change.after.instance_type not matches "^(r|m)" }
}
Practical 16: Validate IAM Role Restrictions
import "tfplan/v2" as tfplan

roles = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_iam_role" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all roles as _, role { role.change.after.max_session_duration <= 3600 }
}
Practical 17: Prevent KMS Key Deletion
import "tfplan/v2" as tfplan

keys_in_plan = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_kms_key" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all keys_in_plan as _, key { key.change.after.deletion_window_in_days >= 7 }
}
Practical 18: Enforce Logging Configuration
import "tfplan/v2" as tfplan

trails = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_cloudtrail" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
	all trails as _, ct { ct.change.after.enable_logging is true }
}
Practical 19: Validate Terraform Variable Policies
import "tfconfig/v2" as tfconfig
main = rule {
tfconfig.variables["environment"].default in ["dev", "staging", "prod"]
}
Practical 20: Build Full Sentinel Compliance Architecture
Architecture includes:
• Sentinel policies stored in Git
• CI pipeline running sentinel mock tests
• Terraform Cloud evaluating policies pre-apply
• policy sets assigned per environment
• cost, security, IAM, networking, logging policies
• cloud audit integration
• SIEM alerts for policy failures
• periodic drift audits with Sentinel + Terraform plan
This creates full compliance-as-code, with insecure IaC deployments blocked before apply rather than detected afterwards.
Intel Dump
• HashiCorp Sentinel enforces policy-as-code for Terraform, Vault, Nomad, and Consul
• uses a declarative policy language (Sentinel, comparable to OPA's Rego) to evaluate infrastructure plans
• integrates with Terraform Cloud/Terraform Enterprise for full governance
• practicals included writing policies, testing with mocks, enforcing tags, blocking insecure resources, governing IAM, S3, EC2, networking, Vault TTLs, and building a complete compliance architecture