Create a Sentinel policy file (e.g., `enforce-tags.sentinel`) that imports `tfplan/v2` and checks `tfplan.resource_changes` for required tag keys.
Create a `sentinel.hcl` manifest file listing each policy file and its enforcement level (`soft-mandatory`, `hard-mandatory`, or `advisory`).
In HCP Terraform, navigate to Settings > Policy Sets > Connect a new policy set and point it at the VCS repository containing your Sentinel files, or upload a tarball via the API using `PUT /api/v2/policies/{policy-id}/upload`.
Attach the policy set to one or more workspaces or to the entire organization from the policy set configuration page.
Trigger a plan run in an attached workspace; after the plan phase the policy check phase runs automatically and posts pass/fail results on the run page.
For `soft-mandatory` failures, a workspace admin can override the failure; `hard-mandatory` failures block the run entirely and cannot be overridden.
Known gotchas
Sentinel policies in HCP Terraform run in a sandbox and can only import `tfplan/v2`, `tfconfig/v2`, `tfstate/v2`, and `tfrun`; they cannot make external HTTP calls.
The `tfplan/v2` import exposes proposed resource changes; always check the `change.actions` array rather than assuming all resources are being created.
Policy sets connected to a VCS repo require the VCS provider OAuth token to already be configured in HCP Terraform; uploading via API bypasses VCS entirely.
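A tag policy of the kind the first step describes, with the `change.actions` check from the gotchas applied. This is an added example, not code from the original page; the required tag keys, the `tags` attribute name and the `soft-mandatory` level in the manifest comment are assumptions.

```sentinel
# enforce-tags.sentinel (added example)
#
# Matching sentinel.hcl entry (enforcement level is an assumption):
#   policy "enforce-tags" {
#     source            = "./enforce-tags.sentinel"
#     enforcement_level = "soft-mandatory"
#   }
import "tfplan/v2" as tfplan

# Assumption: the tag keys your organization requires.
required_tags = ["Owner", "Environment"]

# Select managed resources that are being created or updated and whose
# planned attributes include a `tags` field. Checking change.actions skips
# deletes, where change.after is null, and no-ops, where nothing changes.
taggable = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
		(rc.change.actions contains "create" or
			rc.change.actions contains "update") and
		keys(rc.change.after) contains "tags"
}

# Return the required keys missing from one resource's planned tags.
missing_tags = func(rc) {
	tags = rc.change.after.tags
	if tags is null {
		return required_tags
	}
	missing = []
	for required_tags as key {
		if tags not contains key {
			append(missing, key)
		}
	}
	return missing
}

# Print every violation so the policy check output shows what to fix.
violations = 0
for taggable as address, rc {
	missing = missing_tags(rc)
	if length(missing) > 0 {
		print(address, "is missing required tags:", missing)
		violations += 1
	}
}

main = rule { violations is 0 }
```

A replacement plan has the actions `["delete", "create"]`, so it is still checked; a pure delete is not.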