Problem
When writing and testing Sentinel policies for HCP Terraform or Terraform Enterprise, supplying parameters via a sentinel.hcl configuration file does not work, even though this method is supported by the Sentinel CLI.
Attempting to use a param block in a configuration file within HCP Terraform or Terraform Enterprise results in the following error:
Unsupported block type; Blocks of type “param” are not expected here
Cause
HCP Terraform and Terraform Enterprise do not parse sentinel.hcl files for parameter definitions during a run. The parameter values must be supplied directly to the platform through its own mechanisms, such as the UI or API.
Solutions
There are three primary methods to supply parameters to Sentinel policies in HCP Terraform and Terraform Enterprise.
Solution 1: Use the User Interface (UI)
You can directly create and manage Sentinel parameters within a policy set's settings in the UI. This method is useful for manually setting values that do not change frequently.
For detailed steps, refer to the documentation on editing a policy set to manage Sentinel parameters.
Solution 2: Use the API
For programmatic management, you can create and update parameters using the policy set params API. This approach is ideal for automation and integrating with CI/CD pipelines.
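As an added example (not code from the original article or from HashiCorp), the following Python builds the request that creates one parameter on a policy set, so a pipeline can set the value that a sentinel.hcl param block cannot. The endpoint path and payload shape follow the policy set params API; the function name build_param_request, the environment variables TFE_TOKEN and TFE_POLICY_SET_ID, the host app.terraform.io and all sample values are assumptions for illustration.

```python
import json
import os
import urllib.request

API_MEDIA_TYPE = "application/vnd.api+json"


def build_param_request(base_url, policy_set_id, token, key, value, sensitive=False):
    """Build (without sending) the POST that creates one policy set parameter."""
    payload = {
        "data": {
            "type": "vars",
            "attributes": {
                "key": key,
                "value": value,
                "category": "policy-set",
                # Mark secrets sensitive so the value is not readable afterwards.
                "sensitive": sensitive,
            },
        }
    }
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/api/v2/policy-sets/{policy_set_id}/parameters",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": API_MEDIA_TYPE},
    )


if __name__ == "__main__":
    # Token and policy set ID come from the environment, never from the repo.
    token = os.environ.get("TFE_TOKEN")
    policy_set_id = os.environ.get("TFE_POLICY_SET_ID")
    # Constructed sample parameters: (key, value, sensitive).
    params = [("foo", "default_value", False), ("webhook_secret", "example-only", True)]
    for key, value, sensitive in params:
        req = build_param_request(
            "https://app.terraform.io", policy_set_id or "polset-PLACEHOLDER",
            token or "unset", key, value, sensitive,
        )
        if token and policy_set_id:
            with urllib.request.urlopen(req) as resp:
                print(key, resp.status)
        else:
            print("dry run:", req.get_method(), req.full_url, key)
```

Run without the two environment variables set, the script only prints the requests it would send.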
Solution 3: Use Default Values in Policy Code
You can declare default values for parameters directly within the Sentinel policy code. This ensures that a parameter always has a value if one is not explicitly provided through the UI or API.
param foo default "default_value"
Note that this approach may be less flexible, as changing the default value requires modifying and recommitting the policy code.
Additional Information
For further questions and community discussions about Sentinel, visit the HashiCorp Sentinel Discussion board.