Terraform
View policy enforcement results
When you add policy sets to a workspace, HCP Terraform enforces those policy sets on every Terraform run. HCP Terraform displays the policy enforcement results in the UI for each run. Depending on each policy’s enforcement level, policy failures can also stop the run and prevent Terraform from provisioning infrastructure.
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Policy Evaluation Run Stages
HCP Terraform only evaluates policies for successful plans. HCP Terraform evaluates Sentinel and OPA policy sets separately and at different points in the run.
- Sentinel policy checks occur after Terraform completes the plan and after both run tasks and cost estimation. This order lets you write Sentinel policies to restrict costs based on the data in the cost estimates.
- Sentinel policy evaluations occur after Terraform completes the plan and after any run tasks. HCP Terraform evaluates Sentinel policy evaluations immediately before cost estimation.
- OPA policy evaluations occur after Terraform completes the plan and after any run tasks. HCP Terraform evaluates OPA policies immediately before cost estimation.
Refer to Run States and Stages for more details.
View Policy Results
To view the policy results for both Sentinel and OPA policies:
- Go to your workspace and navigate to the Runs page.
- Click a run to view its details.
HCP Terraform displays a timeline of the run’s events. For workspaces with both Sentinel and OPA policy sets, the run details page displays two separate run events: OPA policies for OPA policy sets and Policy check for Sentinel policy sets.
Click a policy evaluation event to view policy results and details about any failed policies.
Note: For Sentinel, the Terraform CLI also prints policy results for CLI-driven runs. CLI support for policy results is not available for OPA.
Override Policies
You need manage policy overrides permissions to override failed Sentinel and OPA policies.
Sentinel and OPA have different policy enforcement levels that determine when you need to override failed policies to allow a run to continue. To override failed policies, go to the run details page and click Override and Continue at the bottom.
For Sentinel only, you can also override soft-mandatory
policies with the Terraform CLI. Run the terraform apply
command and then enter override
when prompted.
Note: HCP Terraform does not allow policy overrides for no-operation plans containing no infrastructure changes, unless you choose the Allow empty apply option when starting the run.
Sentinel
Policy checks
Policies with an advisory
enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
You can override soft-mandatory
policies to allow the run to continue. Overriding failed policies on a run does not affect policy evaluations on future runs in that workspace.
You cannot override hard-mandatory
policies, and all of these policies must pass for the run to continue.
Policy evaluations
Policies with an advisory
enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
When running Sentinel policies as policy evaluations, soft-mandatory
and hard-mandatory
enforcement levels are internally converted to mandatory
enforcement level.
You can override mandatory
policies to allow the run to continue.
OPA
Policies with an advisory
enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
You can override mandatory
policies to allow the run to continue.