Enforce a Policy

Sentinel is an embedded policy-as-code framework integrated with various HashiCorp products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources. Terraform Cloud enables users to enforce policies during runs.

A policy consists of:

  • The policy controls defined as code
  • An enforcement level that changes how a policy affects the run lifecycle

Policy sets are a named grouping of policies and their enforcement levels. Each policy must belong to a policy set before it can be evaluated during a run. Each policy set may be applied to specific workspaces, or all workspaces within an organization. Policy sets are the mapping between policies and workspaces.

In this guide, you will define a policy set in a version control system (VCS), then connect it to Terraform Cloud to verify that the Terraform version is 0.12.0 and above.


This guide assumes that you are familiar with Terraform Cloud and you have an existing Terraform Cloud workspace configured with AWS access credentials.

If you don’t, refer to the Create a Workspace guide and Set Up Workspace guide to learn more about Terraform Cloud and set up a Terraform Cloud workspace configured with AWS access credentials.

You must be in the "owners" team or have "Manage Policies" organization-level permissions to create new policy sets and policies.

»Fork GitHub Repository

To create a policy set, you will need a VCS repository to host the policy configuration. Fork the example Enforce Policy repository.

In the repository, you will find two files — sentinel.hcl and allowed-terraform-version.sentinel.

»Explore a policy set

sentinel.hcl defines the policy set. This configuration declares a policy named allowed-terraform-version and sets a soft-mandatory enforcement level. You can define multiple policy blocks in the sentinel.hcl file to configure more policies.

# Declares the policy and how a failure affects the run
policy "allowed-terraform-version" {
    enforcement_level = "soft-mandatory"
}

Enforcement levels in Terraform Cloud define behavior when policies fail to evaluate successfully. Sentinel provides three enforcement modes.

  • Hard-mandatory requires that the policy passes. If a policy fails, the run is halted and may not be applied until the failure is resolved.

  • Soft-mandatory is similar to hard-mandatory, but allows an administrator to override policy failures on a case-by-case basis.

  • Advisory will never interrupt the run, and instead will only surface policy failures as informational to the user.

»Explore a policy

allowed-terraform-version.sentinel defines the policy declared in the policy set. Sentinel code files must follow the naming convention of <policy name>.sentinel.

This policy passes and returns true when the Terraform version is 0.12.0 and above; as written, the regular expression matches 0.12.x releases. You can experiment with this policy and trigger a failure by changing the regular expression from ^0\\.12\\.\\d+$ to ^0\\.11\\.\\d+$.

import "tfplan"

# Pass only when the plan's Terraform version matches the pattern
main = rule {
  tfplan.terraform_version matches "^0\\.12\\.\\d+$"
}
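
An added example, not part of the original guide or the example repository: a Python check of which version strings the policy's pattern accepts, compared with a numeric 0.12.0 floor. It assumes Python's `re` (in ASCII mode) behaves like Sentinel's `matches` for this pattern; the function names and sample versions are constructed for illustration.

```python
import re

# The pattern from the policy above, as a Python raw string
# (Sentinel string literals double each backslash).
POLICY_PATTERN = r"^0\.12\.\d+$"
MINIMUM = (0, 12, 0)  # the version floor the guide describes


def policy_passes(version: str) -> bool:
    """Mirror `tfplan.terraform_version matches POLICY_PATTERN`."""
    return re.search(POLICY_PATTERN, version, re.ASCII) is not None


def at_least_minimum(version: str) -> bool:
    """Compare MAJOR.MINOR.PATCH numerically against MINIMUM.

    Anything that is not three dot-separated integers is rejected
    rather than guessed at.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version, re.ASCII)
    if m is None:
        return False
    return tuple(int(part) for part in m.groups()) >= MINIMUM


def disagreements(versions):
    """Versions where the regex verdict differs from the numeric floor."""
    return [v for v in versions if policy_passes(v) != at_least_minimum(v)]


# Constructed sample inputs, not taken from a real workspace.
SAMPLES = ["0.11.14", "0.12.0", "0.12.29", "0.13.0", "1.0.0"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:10} regex={policy_passes(v)!s:5} floor={at_least_minimum(v)}")
    print("disagree:", disagreements(SAMPLES))
```

Running the same table against any edited pattern before committing it to the policy repository shows which workspaces' versions a soft-mandatory failure would start blocking.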

»Connect the Policy to Terraform Cloud

You need to connect your policy set to your Terraform Cloud organization before you can use it. First, go to your Terraform Cloud organization's settings by clicking the "Settings" button in the top navigation bar.

Then, click on "Policy Sets" in the left navigation bar.

The Policy Sets page lists all existing policy sets. The list will be empty if this is your first policy set. Click on the "Connect a new policy set" button.

The policy set creation page offers a few options for creating your policy set. You will connect to a VCS to source the policy set.

Select "GitHub", then select your forked repository. In the "Configure settings" section, under "Scope of Policies", select "Policies enforced on select workspaces", specify the workspaces you want this policy to apply to, and click the "Add workspace" button to complete adding the workspace to this policy set. Finally, click the "Connect policy set" button to create the policy set.

This will create a policy set that checks whether the Terraform version is 0.12.0 and above for the workspaces you have specified.

After creating the policy set, you'll be taken back to the policy sets index page. You should notice that the list now contains your new policy set. The VCS information, including the latest commit SHA, should appear within the policy set (if it's empty at first, allow a few moments and refresh).

Now that the policy set is configured and ready, navigate to a workspace and queue a new plan. You should see the policy check phase appear in the run details, and you should see the allowed-terraform-version policy execute and pass in the policy check output.

»Next steps

Congrats — you've completed and applied a policy check! This simple policy verifies the Terraform version before each run.

In the next guide, you will learn how to enable and integrate cost estimation into policies. This provides another tool to manage your infrastructure spending.

To learn more about policies, refer to the Terraform Cloud Sentinel documentation.