Policy Enforcement

Note: Policies are available in the Terraform Cloud Team and Governance tier. OPA policies are not available in Terraform Enterprise.

Policies are rules that Terraform Cloud enforces on Terraform runs. You can use policies to validate that the Terraform plan complies with security rules and best practices.

Hands-on: Try the "Enforce Policy with Sentinel" and "Detect Infrastructure Drift and Enforce OPA Policies" tutorials.

Define Policies

You can use two policy-as-code frameworks to define fine-grained, logic-based policies: Sentinel and Open Policy Agent (OPA). Depending on the settings, policies can act as advisory warnings or firm requirements that prevent Terraform from provisioning infrastructure.

  • Sentinel: You define policies with the Sentinel policy language and use imports to parse the Terraform plan, state, and configuration. Refer to Defining Sentinel Policies for details.
  • OPA: You define policies with the Rego policy language. Refer to Defining OPA Policies for details.
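
To illustrate the kind of security rule an OPA policy can enforce on a plan, here is an added example (not from the original page or HashiCorp's documentation). The package name is hypothetical, and the policy assumes that the Terraform plan JSON is available as `input.plan` and that the policy set queries the `deny` rule.

```rego
# Added example: flag security groups that expose SSH or RDP to the internet.
# Hypothetical package name; choose one that matches your policy set.
package terraform.policies.no_public_admin_ingress

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Ports treated as administrative access in this example.
admin_ports := {22, 3389}

# A rule is world-open when any IPv4 or IPv6 CIDR block covers every address.
world_open(rule) if {
    some cidr in rule.cidr_blocks
    cidr == "0.0.0.0/0"
}

world_open(rule) if {
    some cidr in rule.ipv6_cidr_blocks
    cidr == "::/0"
}

# The rule's port range includes the given port.
covers(rule, port) if {
    rule.from_port <= port
    rule.to_port >= port
}

# Protocol "-1" means all protocols and all ports.
covers(rule, _) if rule.protocol == "-1"

# Assumption: input.plan holds the plan JSON with its resource_changes list.
deny contains msg if {
    some rc in input.plan.resource_changes
    rc.type == "aws_security_group"

    # Check creates and updates only; a deleted resource has a null "after".
    some action in rc.change.actions
    action in {"create", "update"}

    some rule in rc.change.after.ingress
    world_open(rule)
    some port in admin_ports
    covers(rule, port)

    msg := sprintf("%s opens port %d to the internet", [rc.address, port])
}
```

Whether a non-empty `deny` set is only reported as a warning or stops the run depends on the enforcement setting applied to the policy, not on the Rego code.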

Apply Policy Sets to Workspaces

You group policies into policy sets and apply those policy sets to one or more workspaces in your organization. For each run in those workspaces, Terraform Cloud checks the Terraform plan against the policy set. You can create policy sets directly in the Terraform Cloud UI, by connecting Terraform Cloud to your version control system, or through the Terraform Cloud API. A policy set must only contain policies written in a single policy framework (Sentinel or OPA), but you can add both Sentinel and OPA policy sets to each workspace.

Refer to Managing Policy Sets for details.

Review Policy Results

The Terraform Cloud UI displays policy results for each policy set you apply to the workspace. Depending on their enforcement level, failed policies can stop the run. You can override failed policies with the right permissions.

Refer to Policy Results for details.
