• Policy-as-code framework
  • Guardrails that prevent Terraform from performing dangerous of disallowed actions
  • Integrated with HashiCorp Enterprise products
  • Enforced between plan and apply phases


  • Written in Sentinel language
  • Single rule/policy/guardrail

Policy Sets

  • Groups of policies that can be enforced on workspaces
  • Managed at the organisation level
  • Scope to workspaces, or global

Policy Enforcement Levels

  • hard-mandatory—requires that the policy passes
  • soft-mandatory—as hard-mandatory, but ca be overridden by users with Manage Policy Overrides permission on a case-by-case basis
  • advisory—informational only


  • sentinel.hcl—contains:
    • Each policy in the set
    • Enforcement level of each poli
    • Modules required
    • e.g.
policy "tf_maintenance_window" {
  source            = "tf_maintenance_window.sentinel" # Local file or http/s
  enforcement_level = "hard-mandatory"


  • Allows testing of policies—best practice
  • Terraform Cloud can generate mock data from existing configurations—via the console or API
    • Terraform Cloud attempts to redact sensitive data, but not 100% guaranteed

Graph View