OPA Policy Set VCS Repositories

To enable policy enforcement, you must group OPA policies into policy sets and apply those policy sets globally or to specific projects and workspaces.

Hands-on: Try the Detect Infrastructure Drift and Enforce OPA Policies tutorial.

One way to create policy sets is by connecting Terraform Cloud to a version control repository. When you push changes to the repository, Terraform Cloud automatically uses the updated policy set. Refer to Managing Policy Sets for more details.

An OPA policy set repository contains a HashiCorp Configuration Language (HCL) configuration file and policy files.

Configuration File

The root directory of your policy set repository must contain a configuration file named either policies.hcl or policies.json. Policy enforcement supports both HCL and the JSON variant of HCL syntax. The configuration file contains one or more policy blocks that define each policy in the policy set. Unlike Sentinel, OPA policies do not need to be in separate files. You use an OPA query to identify each policy rule.

The following example uses a query to define a policy named policy1. This query may evaluate across multiple files, or a single file.

policy "policy1" {
   query = "data.terraform.policy1.deny"
}

Optionally, you can also provide a description and an enforcement_level property. If you do not specify an enforcement level, Terraform Cloud uses advisory, meaning policy failures produce warnings but do not block Terraform runs. Refer to Policy Enforcement Levels for more details.

policy "policy1" {
   query = "data.terraform.policy1.deny"
   enforcement_level = "mandatory"
   description = "policy1 description"
}

Policy Code Files

All Rego policy files must end with .rego and exist in the local GitHub repository for the policy set. You can store them in separate directories from the configuration file.