Policy Results
When you add policy sets to a workspace, Terraform Cloud enforces those policy sets on every Terraform run. Terraform Cloud displays the results of policy checks in the UI for each run. Depending on each policy’s enforcement level, policy failures can also stop the run and prevent Terraform from provisioning infrastructure.
Policy Evaluation Run Stages
Terraform Cloud only evaluates policies for successful plans. Terraform Cloud evaluates Sentinel and OPA policy sets separately and at different points in the run.
- Sentinel policy evaluations occur after Terraform completes the plan and after both run tasks and cost estimation. This order lets you write Sentinel policies to restrict costs based on the data in the cost estimates.
- OPA policy evaluations occur after Terraform completes the plan and after any run tasks. Unlike Sentinel policies, Terraform Cloud evaluates OPA policies immediately before cost estimation.
Refer to Run States and Stages for more details.
View Policy Results
To view the policy results for both Sentinel and OPA policies:
- Go to your workspace and navigate to the Runs page.
- Click a run to view its details.
Terraform Cloud displays a timeline of the run’s events. For workspaces with both Sentinel and OPA policy sets, the run details page displays two separate run events: OPA policies for OPA policy sets and Policy check for Sentinel policy sets.
Click a policy evaluation event to view policy results and details about any failed policies.
Note: For Sentinel, the Terraform CLI also prints policy results for CLI-driven runs. CLI support for policy results is not available for OPA.
Override Policies
You need manage policy overrides permissions to override failed Sentinel and OPA policies.
Sentinel and OPA have different policy enforcement levels that determine when you need to override failed policies to allow a run to continue. To override failed policies, go to the run details page and click Override and Continue at the bottom.
For Sentinel only, you can also override soft-mandatory
policies with the Terraform CLI. Run the terraform apply
command and then enter override
when prompted.
Note: Terraform Cloud does not allow policy overrides for no-operation plans containing no infrastructure changes, unless you choose the Allow empty apply option when starting the run.
Sentinel
Policies with an advisory
enforcement level never stop runs. If they fail, Terraform Cloud displays a warning in the policy results and the run continues.
You can override soft-mandatory
policies to allow the run to continue. Overriding failed policies on a run does not affect policy evaluations on future runs in that workspace.
You cannot override hard-mandatory
policies, and all of these policies must pass for the run to continue.
OPA
Policies with an advisory
enforcement level never stop runs. If they fail, Terraform Cloud displays a warning in the policy results and the run continues.
You can override mandatory
policies to allow the run to continue.