Example Policies
Note: Terraform policies are a paid feature, available as part of the Team & Governance upgrade package. Learn more about Terraform Cloud pricing here.
Hands-on: Try the Enforce Policy with Sentinel collection on HashiCorp Learn.
This page lists some example policies. These examples are not exhaustive, but they demonstrate some of the most common use cases of policies with Terraform Cloud. For more examples, see the Governance section of the hashicorp/terraform-guides repository.
Important: These examples are a demonstration of the Sentinel policy language and its features. They should not be used verbatim in your Terraform Cloud organization. Make sure you fully understand the intent and behavior of a policy before relying on it in production.
Amazon Web Services
- Restrict owners of the
aws_ami
data source - Enforce mandatory tags on taggable AWS resources
- Restrict availability zones used by EC2 instances
- Disallow 0.0.0.0/0 CIDR block in security groups
- Restrict instance types of EC2 instances
- Require S3 buckets to be private and encrypted by KMS keys
- Require VPCs to have DNS hostnames enabled
Microsoft Azure
- Enforce mandatory tags of VMs
- Restrict publishers of VMs
- Restrict VM images
- Restrict the size of Azure VMs
- Enforce limits on AKS clusters
- Restrict CIDR blocks of security groups
Google Cloud Platform
- Enforce mandatory labels on VMs
- Disallow 0.0.0.0/0 CIDR block in network firewalls
- Enforce limits on GKE clusters
- Restrict machine type of VMs
VMware
- Require Storage DRS on datastore clusters
- Restrict size and type of virtual disks
- Restrict CPU count and memory of VMs
- Restrict size of VM disks
- Require NFS 4.1 and Kerberos on NAS datastores
Cloud-Agnostic
- Allowed providers
- Prohibited providers
- Limit proposed monthly costs
- Prevent providers in non-root modules
- Require all modules have version constraints
- Require all resources be created in modules in a private module registry
- Use most recent versions of modules in a private module registry
Note that the last policy illustrates how to use Sentinel's http import to send an HTTP request to an API endpoint (Terraform Cloud's own API in this case).
Note: We've also developed a number of first-class foundational policies to work out-of-the-box with Amazon Web Services, Microsoft Azure and Google Cloud Platform. These policies are based on several CIS Benchmarks. Check out the library of Terraform Foundational Policies written by HashiCorp to get up and running with your next Policy Set.