Policy Results

When you add policy sets to a workspace, Terraform Cloud enforces those policy sets on every Terraform run. Terraform Cloud displays the policy enforcement results in the UI for each run. Depending on each policy’s enforcement level, policy failures can also stop the run and prevent Terraform from provisioning infrastructure.

Note: Terraform Cloud Free Edition includes one policy set of up to five policies. In Terraform Cloud Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to Terraform Cloud pricing for details.

Policy Evaluation Run Stages

Terraform Cloud only evaluates policies for successful plans. Terraform Cloud evaluates Sentinel and OPA policy sets separately and at different points in the run.

Sentinel policy checks occur after Terraform completes the plan and after both run tasks and cost estimation. This order lets you write Sentinel policies to restrict costs based on the data in the cost estimates. Note: Sentinel policy evaluations are currently in beta
Sentinel policy evaluations occur after Terraform completes the plan and after any run tasks. Terraform Cloud evaluates Sentinel policy evaluations immediately before cost estimation.
OPA policy evaluations occur after Terraform completes the plan and after any run tasks. Terraform Cloud evaluates OPA policies immediately before cost estimation.

Refer to Run States and Stages for more details.

View Policy Results

To view the policy results for both Sentinel and OPA policies:

Go to your workspace and navigate to the Runs page.
Click a run to view its details.

Terraform Cloud displays a timeline of the run’s events. For workspaces with both Sentinel and OPA policy sets, the run details page displays two separate run events: OPA policies for OPA policy sets and Policy check for Sentinel policy sets.

Click a policy evaluation event to view policy results and details about any failed policies.

Note: For Sentinel, the Terraform CLI also prints policy results for CLI-driven runs. CLI support for policy results is not available for OPA.

Override Policies

You need manage policy overrides permissions to override failed Sentinel and OPA policies.

Sentinel and OPA have different policy enforcement levels that determine when you need to override failed policies to allow a run to continue. To override failed policies, go to the run details page and click Override and Continue at the bottom.

For Sentinel only, you can also override soft-mandatory policies with the Terraform CLI. Run the terraform apply command and then enter override when prompted. Note: Terraform Cloud does not allow policy overrides for no-operation plans containing no infrastructure changes, unless you choose the Allow empty apply option when starting the run.

Sentinel

Policy checks

Policies with an advisory enforcement level never stop runs. If they fail, Terraform Cloud displays a warning in the policy results and the run continues.

You can override soft-mandatory policies to allow the run to continue. Overriding failed policies on a run does not affect policy evaluations on future runs in that workspace.

You cannot override hard-mandatory policies, and all of these policies must pass for the run to continue.

Policy evaluations

Note: Sentinel policy evaluations are currently in beta

Policies with an advisory enforcement level never stop runs. If they fail, Terraform Cloud displays a warning in the policy results and the run continues.

When running Sentinel policies as policy evaluations, soft-mandatory and hard-mandatory enforcement levels are internally converted to mandatory enforcement level. You can override mandatory policies to allow the run to continue.

OPA

Policies with an advisory enforcement level never stop runs. If they fail, Terraform Cloud displays a warning in the policy results and the run continues.

You can override mandatory policies to allow the run to continue.