Terraform Cloud Sentinel Policy and Remote Backends

In this article we are going to cover Terraform Cloud Sentinel Policy and Remote Backends.

Terraform is an open-source infrastructure as code (IaC) tool that allows users to define and provision infrastructure using a declarative configuration language. Terraform Cloud is a hosted service by HashiCorp that provides collaboration, infrastructure automation, and other features to enhance Terraform workflows.

Terraform Cloud is a collaboration platform for Terraform, an open-source infrastructure as code (IaC) tool by HashiCorp. It provides a web-based interface, version control integration, and a registry for modules. It allows teams to collaborate on infrastructure configurations.

Terraform Cloud Sentinel Policy:

Sentinel is a policy-as-code framework developed by HashiCorp. It allows users to define and enforce policies in the Terraform workflow. Sentinel enables fine-grained, logic-based policy decisions for your infrastructure. Sentinel policies can be used to ensure compliance, security, and other governance requirements. It’s often used in conjunction with Terraform Enterprise and Terraform Cloud to manage and enforce policies across infrastructure provisioning.

Step #1: Terraform Spell

Create a file named main.tf:

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  tags = {
    Name = "Demo"
  }
}

This spell creates a tiny server on Amazon Web Services with a “Name” tag set to “Demo.”

Step #2: Create GitHub Repository

  1. Create a new GitHub repository.
  2. Upload your spell (main.tf) directly to the repository (here named sentinel.tf).

Step #3: Terraform Cloud

  1. Sign up for a Terraform Cloud account if you don’t have one.
  2. Create a new workspace in Terraform Cloud and set variables.
  3. Connect your GitHub repository to the workspace.

Step #4: Sentinel Rules for Tags

Create a file named sentinel.tf:

import "tfplan"

// Every planned aws_instance must carry a non-empty "Name" tag.
// The planned attributes of a resource live under r.applied (there is no
// r.aws_instance field); "else" supplies a default when the resource has no
// tags block at all, so the rule evaluates to false instead of undefined.
main = rule {
  all tfplan.resources.aws_instance as _, instances {
    all instances as _, r {
      (r.applied.tags else {}) contains "Name" and
        (r.applied.tags.Name else "") != ""
    }
  }
}

This Sentinel rule checks if every AWS instance has a “Name” tag and it’s not empty.

Step #5: Connect Sentinel to Terraform Cloud

In your Terraform Cloud workspace:

  1. Go to Settings > General Settings.
  2. In the “Sentinel Policies” section, enable Sentinel and set the sentinel.hcl file.
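The article refers to a sentinel.hcl file but does not show one. As an added example (not from the original article), this is the policy-set manifest that tells Terraform Cloud which policy files to load and how strictly to enforce each one; the policy file names are assumed.

```hcl
# sentinel.hcl: policy-set manifest read by Terraform Cloud.
# File paths below are assumed for this example.

policy "require-name-tag" {
  source            = "./require-name-tag.sentinel"
  # hard-mandatory: a failing policy blocks the run and cannot be overridden
  enforcement_level = "hard-mandatory"
}

policy "instance-type-advisory" {
  source            = "./instance-type-advisory.sentinel"
  # advisory: failures are reported in the run output, but the apply proceeds
  # (the third level, soft-mandatory, lets authorized users override a failure)
  enforcement_level = "advisory"
}
```

Use hard-mandatory for controls that must never be bypassed, such as the tagging rule above, and reserve advisory for checks that are still being tuned.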

Step #6: Run the Spell

  1. Queue a plan in your Terraform Cloud workspace.
  2. Sentinel will check if your spell follows the tag rules. If the spell doesn’t have the required tags, Sentinel stops it and provides feedback.

Reference Link:

Terraform Cloud Sentinel Policy official page

Terraform Remote Backends:

Remote backends in Terraform refer to storing the Terraform state file in a remote location rather than locally. This is crucial for collaboration and avoiding conflicts in a team environment. Examples of remote backends include Amazon S3, Azure Blob Storage, HashiCorp Consul, and Terraform Cloud.

Implementing Remote Backend Operations in Terraform

Implementing remote backend operations in Terraform involves using an external service or storage to store your Terraform state. This can enhance collaboration and provide better state management. There are several ways to implement remote backends, such as AWS S3 and HashiCorp Terraform Cloud. In this article we will learn it using Terraform Cloud.

Step #1: Set Up Terraform Cloud Workspace

  1. Sign In to Terraform Cloud:
  2. Create a New Organization:
    • After signing in, create a new organization. Organizations help you group and manage your Terraform workspaces.
  3. Create a New Workspace:
    • Inside your organization, create a new workspace by clicking on “New Workspace.”
    • Choose “CLI-driven workflow” as the workflow type.
  4. Configure Workspace:
    • Provide a name for your workspace (e.g., “my-terraform-workspace”).
    • Choose the version control system (e.g., GitHub) and connect it to your version control repository.
  5. Configure Variables (Optional):
    • If your Terraform configuration uses variables, you can set them in the “Variables” tab.
  6. Create Workspace:
    • Click on the “Create Workspace” button to create the workspace.

Step #2: Configure Local Terraform CLI

1. Install Terraform CLI:

Make sure you have the Terraform CLI installed on your local machine. You can download it from the official website.

2. Configure Remote Backend:

provider "aws" {
  region = "us-east-1"
}

terraform {
  backend "remote" {
    organization = "your-terraform-cloud-organization"
    workspaces {
      name = "my-terraform-workspace"
    }
  }
}

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}
  • Replace "your-terraform-cloud-organization" with your Terraform Cloud organization name.
  • Replace "my-terraform-workspace" with your Terraform Cloud workspace name.

3. Initialize Terraform:

Run the following command:

terraform init

4. Authenticate with Terraform Cloud:

During initialization, Terraform will prompt you to log in to Terraform Cloud. Follow the instructions to authenticate.

5. Apply Changes:

After initialization, apply the changes:

terraform apply

Confirm the changes, and Terraform will create the infrastructure, storing the state remotely on Terraform Cloud.

Step #3: Observe Changes on Terraform Cloud Web Interface

  1. View State in Terraform Cloud:
    • Go back to the Terraform Cloud web interface.
    • In your workspace, you can now see the state, latest run, and other details.
  2. Trigger Runs from Web Interface (Optional):
    • You can trigger runs directly from the web interface, and Terraform Cloud will automatically pull the latest configuration from your version control system.
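The article names Amazon S3 as the other common remote backend. As an added example (not from the original article), this is the equivalent backend block for S3 with the two settings that matter for state security: encryption of the state object, which may contain secrets, and a DynamoDB table for state locking so concurrent applies cannot corrupt the state. Bucket and table names are assumed.

```hcl
terraform {
  backend "s3" {
    # Assumed names: replace with your own bucket and lock table.
    bucket = "example-tfstate-bucket"
    key    = "demo/terraform.tfstate"
    region = "us-east-1"

    # Server-side encryption of the state object at rest.
    # State files can contain secrets (passwords, keys, tokens), so
    # never store them unencrypted.
    encrypt = true

    # State locking: the table needs a string partition key named "LockID".
    # Prevents two engineers (or pipelines) from applying at the same time.
    dynamodb_table = "example-tfstate-locks"
  }
}
```

Pair this with a bucket policy that restricts read access to the state object, since anyone who can read the state can read whatever secrets the providers wrote into it.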

Air Gapped Environments in Terraform

An air-gapped environment is one that is isolated from external networks, including the internet. In such environments, traditional methods of fetching dependencies and updates may not be possible. For Terraform, this means you need to plan and manage your infrastructure in a way that doesn’t rely on external resources. You might need to manually provide dependencies and manage state files securely. This could involve creating a local mirror of necessary modules and providers.
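One way to build the local provider mirror mentioned above, as an added example that is not from the original article: on a connected machine run terraform providers mirror to download the providers into a directory, copy that directory into the isolated network by the approved transfer process, and point the Terraform CLI at it with this CLI configuration file. The mirror path is assumed.

```hcl
# ~/.terraformrc (terraform.rc on Windows): CLI configuration, not part of main.tf.
# Populate the mirror on a connected machine first, then transfer the directory:
#   terraform providers mirror /opt/terraform/providers
provider_installation {
  # Install providers only from the local directory copied into the air gap.
  filesystem_mirror {
    path    = "/opt/terraform/providers"   # assumed mirror location
    include = ["registry.terraform.io/*/*"]
  }

  # Never fall back to the public registry for these providers, so a missing
  # or mis-copied provider fails loudly instead of silently reaching out.
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
```

Keep the .terraform.lock.hcl file under version control as well, so the checksums of the mirrored providers are verified when terraform init runs inside the isolated network.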

An air-gapped environment refers to a secure network or system that is physically isolated from external networks, especially the internet. This isolation is designed to enhance security by preventing unauthorized access, data exfiltration, or potential cyber threats. In such environments, there is no direct or indirect connection to external networks, making it difficult for information to leak in or out.

Key Concepts in Air-Gapped Environments in Terraform:

1. Isolation:

  • Physical Separation: Air-gapped systems are physically disconnected from external networks, preventing data transmission through traditional network connections.
  • Logical Separation: In addition to physical isolation, there is often a logical separation to ensure that even if physical security is breached, the systems remain protected.

2. Security Measures:

  • Strict Access Controls: Access to air-gapped systems is highly restricted, and only authorized personnel are allowed to interact with the isolated environment.
  • Controlled Data Movement: Data transfer into or out of the air-gapped environment is carefully controlled using secure methods such as manual transfers, removable media, or dedicated communication channels.

3. No Internet Connectivity:

  • No External Network Access: Air-gapped systems have no direct connection to the internet, preventing potential cyber threats and unauthorized access.

4. Challenges:

  • Data Transfer: Transferring data between air-gapped systems and external networks requires careful planning. It often involves physically transporting storage media (like USB drives) or using specialized communication channels.
  • Software Updates: Applying software updates or patches can be challenging in air-gapped environments. Updates may need to be manually transferred and installed.

Concepts Clarification:

1. Purpose:

  • Security Assurance: Air-gapped environments are used in scenarios where the highest level of security assurance is required. This includes government systems, critical infrastructure, and sensitive corporate networks.

2. Use Cases:

  • Military Systems: Air-gapped networks are common in military environments where the security of sensitive information is of utmost importance.
  • Critical Infrastructure: Power plants, nuclear facilities, and other critical infrastructure may use air-gapped systems to protect against cyber threats.

3. Data Exfiltration Concerns:

  • Reduced Risk: Air-gapped environments significantly reduce the risk of data exfiltration since there is no direct network connection for attackers to exploit.

4. Communication Challenges:

  • Manual Processes: Communication and data transfer often rely on manual processes, such as physically carrying storage media or using controlled communication channels.

5. Balancing Security and Functionality:

  • Trade-Offs: While air-gapped environments offer high security, they may face trade-offs in terms of convenience, ease of maintenance, and the ability to quickly adapt to technological changes.

Understanding air-gapped environments is crucial for those responsible for managing sensitive data or critical systems. It involves careful planning, stringent security measures, and a deep understanding of the potential risks and challenges associated with maintaining such isolated networks.


About Monica Mahire

Working as DevOps Intern, Likes to explore new tools and share knowledge.
