A team uses Terraform to manage infrastructure. They want to ensure that all Terraform code passes policy checks before being applied. They use Terraform Cloud. Which built-in feature allows them to define policies that are checked during the plan phase?
Sentinel is Terraform Cloud's native policy framework for plan-time checks.
Why this answer
Sentinel is Terraform Cloud's built-in policy-as-code framework that allows teams to define and enforce policies during the plan phase. It integrates directly with Terraform Cloud's run lifecycle, enabling policy checks to be evaluated against the planned infrastructure changes before they are applied. This ensures compliance and governance without requiring external tools.
Exam trap
The trap here is that candidates may confuse `terraform validate` (a syntax checker) with a policy enforcement tool, or assume that external policy engines like OPA or Conftest are built into Terraform Cloud, when in fact Sentinel is the native policy-as-code solution.
How to eliminate wrong answers
Option A is wrong because `terraform validate` is a CLI command that checks configuration syntax and internal consistency, but it does not support custom policy definitions or integrate with Terraform Cloud's plan-phase checks.
Option C is wrong because Conftest is an open-source policy testing tool that works with OPA and can be used with Terraform, but it is not a built-in feature of Terraform Cloud; it requires external setup and integration.
Option D is wrong because OPA (Open Policy Agent) is a general-purpose policy engine that can be used with Terraform via external tools like Conftest, but it is not a built-in feature of Terraform Cloud and does not natively integrate into the plan phase without additional configuration.