Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Terraform
Terraform Home

View policy enforcement results

When you add policy sets to a workspace, HCP Terraform enforces those policy sets on every Terraform run. HCP Terraform displays the policy enforcement results in the UI for each run. Depending on each policy’s enforcement level, policy failures can also stop the run and prevent Terraform from provisioning infrastructure.

Note: HCP Terraform Free edition includes one policy set of up to five policies. In HCP Terraform Plus and Premium editions, you can connect a policy set to a version control repository or create policy set versions with the API. Refer to HCP Terraform pricing for details.

Policy Evaluation Run Stages

HCP Terraform only evaluates policies for successful plans. HCP Terraform evaluates Sentinel and OPA policy sets separately and at different points in the run.

  • Sentinel policy checks occur after Terraform completes the plan and after both run tasks and cost estimation. This order lets you write Sentinel policies to restrict costs based on the data in the cost estimates.
  • Sentinel policy evaluations occur after Terraform completes the plan and after any run tasks. HCP Terraform evaluates Sentinel policy evaluations immediately before cost estimation.
  • OPA policy evaluations occur after Terraform completes the plan and after any run tasks. HCP Terraform evaluates OPA policies immediately before cost estimation.

Refer to Run States and Stages for more details.

View Policy Results

To view the policy results for both Sentinel and OPA policies:

  1. Go to your workspace and navigate to the Runs page.
  2. Click a run to view its details.

HCP Terraform displays a timeline of the run’s events. For workspaces with both Sentinel and OPA policy sets, the run details page displays two separate run events: OPA policies for OPA policy sets and Policy check for Sentinel policy sets.

Click a policy evaluation event to view policy results and details about any failed policies.

Note: For Sentinel, the Terraform CLI also prints policy results for CLI-driven runs. CLI support for policy results is not available for OPA.

Override Policies

You need manage policy overrides permissions to override failed Sentinel and OPA policies.

Sentinel and OPA have different policy enforcement levels that determine when you need to override failed policies to allow a run to continue. To override failed policies, go to the run details page and click Override and Continue at the bottom.

For Sentinel only, you can also override soft-mandatory policies with the Terraform CLI. Run the terraform apply command and then enter override when prompted.

Note: HCP Terraform does not allow policy overrides for no-operation plans containing no infrastructure changes, unless you choose the Allow empty apply option when starting the run.

Sentinel

Policy checks

Policies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.

You can override soft-mandatory policies to allow the run to continue. Overriding failed policies on a run does not affect policy evaluations on future runs in that workspace.

You cannot override hard-mandatory policies, and all of these policies must pass for the run to continue.

Policy evaluations

Policies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.

When running Sentinel policies as policy evaluations, soft-mandatory and hard-mandatory enforcement levels are internally converted to mandatory enforcement level. You can override mandatory policies to allow the run to continue.

OPA

Policies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.

You can override mandatory policies to allow the run to continue.

Edit this page on GitHub