Language: Parameters
Sentinel allows a policy author to supply parameters to help facilitate policy reuse and ensure sensitive values do not need to be hard-coded in a policy.
Parameters are supplied by using the param
keyword, followed by an identifier.
A default value can also be supplied by using the default
keyword.
param foo // assigned to foo, requiredparam bar default 42 // assigned to bar, optional, default 42
Once declared, parameters can be used like any other variable, including being re-assigned.
param foo default 1 // 1 (default) foo = foo + 1 // 2
Variable Descriptions
You can supply a description to a parameter by adding a comment at the top of it. This value can be communicated to a specific implementation of Sentinel to provide information about what the parameter is for during configuration.
// An example parameter. Must be supplied or the policy will fail.param foo
Supplying Parameter Values Using the Sentinel CLI
In a production implementation, supplying parameters to a policy is an implementation-specific detail - see the documentation for your particular implementation for details.
Using the Sentinel CLI, you can supply parameters one of four ways.
Supplying Parameter Values Using the Configuration File
You can supply parameters using the
param
section of the
configuration file.
param "foo" { value = "bar"}
This method works for both sentinel apply
and sentinel test
.
In addition to the above, you can supply targeted parameters to each policy block in the configuration file.
policy "foo" { source = "foo.sentinel" enforcement_level = "hard-mandatory" params = { "name" = "Sample" }}
Supplying Parameter Values Using the Environment
NOTE: This method of supplying parameters is only supported by sentinel apply
.
You can supply a value using environment variables - prefix the parameter with
SENTINEL_PARAM_
, using the name of the parameter to supply.
SENTINEL_PARAM_foo=bar sentinel apply policy.sentinel
Supplying Parameter Values Using CLI Arguments
NOTE: This method of supplying parameters is only supported by sentinel apply
.
You can also use the -param
CLI argument to supply parameter in a key=value
pair.
sentinel apply -param foo=bar policy.sentinel
Interactive CLI Prompting
NOTE: This method of supplying parameters is only supported by sentinel apply
.
If a required value has not been supplied when a policy is run with sentinel apply
, it will be prompted for, along with its description:
$ sentinel apply policy.sentinel
policy.sentinel:2:7: requires value for parameter foo
An example parameter. Must be supplied or the policy will fail.
Values can be strings, floats, or JSON array or object values. To force
strings, use quotes.
Enter a value: bar
Pass
CLI Value Format
NOTE: This section contains details for the parameter features supported by sentinel apply
.
The CLI takes either strings, or JSON numbers, arrays, or maps. If you need a literal string value, quote the value.
foo // string42 // number (float)"42" // string ("42", without quotes)[1, 2] // array (list){"a": "b"} // object (map)
NOTE: Boolean values are not supported by this method.