---
layout: docs
page_title: Sentinel in Consul
description: >-
  Consul Enterprise uses Sentinel to augment the built-in ACL system to provide
  advanced policy enforcement. Sentinel policies can currently execute on KV
  modify and service registration.
---

# Sentinel Overview

<EnterpriseAlert />

Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.

## Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".

<CodeBlockConfig heading="Ensure values written during KV updates end in 'dc1'">

```go
key "datacenter_name" {
  policy = "write"
  sentinel {
      code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dc1") }
EOF
      enforcementlevel = "soft-mandatory"
  }
}
```

</CodeBlockConfig>

If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".

## Imports

Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http/). All functions in these imports are available to be used in policies.

## Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

#### Variables injected during KV store writes

| Variable Name | Type     | Description            |
| ------------- | -------- | ---------------------- |
| `key`         | `string` | Key being written      |
| `value`       | `string` | Value being written    |
| `flags`       | `uint64` | [Flags](/api-docs/kv#flags) |

## Sentinel Examples

The following are two examples of ACL policies with Sentinel rules.

### Required Key Suffix

<CodeBlockConfig heading="Any values stored under the key 'dc1' end with 'dev'">

```go
key "dc1" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dev") }
EOF
    }
}
```

</CodeBlockConfig>

### Restricted Update Time

<CodeBlockConfig heading="The key 'haproxy_version' can only be updated during business hours">

```go
key "haproxy_version" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"
main = rule { time.now.hour > 8 and time.now.hour < 17 }
EOF
    }
}
```

</CodeBlockConfig>