When you add policy sets to a workspace, HCP Terraform enforces those policy sets on every Terraform run. HCP Terraform displays the policy enforcement results in the UI for each run. Depending on each policy’s enforcement level, policy failures can also stop the run and prevent Terraform from provisioning infrastructure.
Note: HCP Terraform Free edition includes one policy set of up to five policies. In HCP Terraform Plus and Premium editions, you can connect a policy set to a version control repository or create policy set versions with the API. Refer to HCP Terraform pricing for details.
HCP Terraform only evaluates policies for successful plans. HCP Terraform evaluates Sentinel and OPA policy sets separately and at different points in the run.
Refer to Run States and Stages for more details.
To view the policy results for both Sentinel and OPA policies:
HCP Terraform displays a timeline of the run’s events. For workspaces with both Sentinel and OPA policy sets, the run details page displays two separate run events: OPA policies for OPA policy sets and Policy check for Sentinel policy sets.
Click a policy evaluation event to view policy results and details about any failed policies.
Note: For Sentinel, the Terraform CLI also prints policy results for CLI-driven runs. CLI support for policy results is not available for OPA.
You need manage policy overrides permissions to override failed Sentinel and OPA policies.
Sentinel and OPA have different policy enforcement levels that determine when you need to override failed policies to allow a run to continue. To override failed policies, go to the run details page and click Override and Continue at the bottom.
For Sentinel only, you can also override soft-mandatory policies with the Terraform CLI. Run the terraform apply command and then enter override when prompted.
Note: HCP Terraform does not allow policy overrides for no-operation plans containing no infrastructure changes, unless you choose the Allow empty apply option when starting the run.
Sentinel Policy checksPolicies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
You can override soft-mandatory policies to allow the run to continue. Overriding failed policies on a run does not affect policy evaluations on future runs in that workspace.
You cannot override hard-mandatory policies, and all of these policies must pass for the run to continue.
Policies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
When running Sentinel policies as policy evaluations, soft-mandatory and hard-mandatory enforcement levels are internally converted to mandatory enforcement level. You can override mandatory policies to allow the run to continue.
Policies with an advisory enforcement level never stop runs. If they fail, HCP Terraform displays a warning in the policy results and the run continues.
You can override mandatory policies to allow the run to continue.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4