---
layout: docs
page_title: Sentinel in Consul
description: >-
  Consul Enterprise uses Sentinel to augment the built-in ACL system to provide
  advanced policy enforcement. Sentinel policies can currently execute on KV
  modify and service registration.
---

# Sentinel Overview

<EnterpriseAlert />

Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.

## Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/agent/acl-rules#sentinel-integration) for Consul KV. The following policy requires that the value written during a KV update end with "dc1".

```text
key "datacenter_name" {
  policy = "write"
  sentinel {
      code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dc1") }
EOF
      enforcementlevel = "soft-mandatory"
  }
}
```

If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".

## Imports

Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http/). All functions in these imports are available to be used in policies.

## Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

#### Variables injected during KV store writes

| Variable Name | Type     | Description            |
| ------------- | -------- | ---------------------- |
| `key`         | `string` | Key being written      |
| `value`       | `string` | Value being written    |
| `flags`       | `uint64` | [Flags](/api/kv#flags) |

## Sentinel Examples

The following are two examples of ACL policies with Sentinel rules.

### Required Key Suffix

Any values stored under the key prefix "dc1" must end with "dev".

```text
key "dc1" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dev") }
EOF
    }
}
```

### Restricted Update Time

The key "haproxy_version" can only be updated during business hours.

```text
key "haproxy_version" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"
main = rule { time.now.hour > 8 and time.now.hour < 17 }
EOF
    }
}
```

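
The injected variables and the time check can be combined as named rules in a single policy. The following is an added example, not taken from the Consul documentation: the version format and the requirement that `flags` be 0 are constructed for illustration, and it assumes the injected `flags` value compares against an integer literal.

```hcl
key "haproxy_version" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"

# Same window as the rule above: hours 9 through 16 pass, so a write
# at 08:59 or at 17:00 is rejected.
business_hours = rule { time.now.hour > 8 and time.now.hour < 17 }

# Constructed format check: three dot-separated numbers such as "2.8.3".
# [.] is used instead of a backslash escape to avoid quoting issues.
version_format = rule { value matches "^[0-9]+[.][0-9]+[.][0-9]+$" }

# Constructed requirement: writers must leave the KV flags at 0.
flags_unset = rule { flags is 0 }

# A write is accepted only when every named rule passes.
main = rule { business_hours and version_format and flags_unset }
EOF
        # Stated explicitly; this is also the default when the property is omitted.
        enforcementlevel = "hard-mandatory"
    }
}
```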