Enforce a Policy | Terraform

Sentinel is an embedded policy-as-code framework integrated with various HashiCorp products. It enables fine-grained, logic-based policy decisions, and can be extended to use information from external sources. Terraform Cloud enables users to enforce policies during runs.

A policy consists of:

The policy controls defined as code
An enforcement level that changes how a policy affects the run lifecycle

Note: This functionality is available in the Terraform Cloud Team & Governance tier, as well as Enterprise. Organization owners can enable a 30-day free trial in their settings under Plan & Billing.

Policy sets are a named grouping of policies and their enforcement levels. Each policy must belong to a policy set before it can be evaluated during a run. Each policy set may be applied to specific workspaces, or all workspaces within an organization. Policy sets are the mapping between policies and workspaces.

In this tutorial, you will define a policy set in a Version Control System (VCS), then connect it to Terraform Cloud to verify that the Terraform version is 1.1.0 or above.

»Prerequisites

This tutorial assumes that you are familiar with Terraform Cloud and you have an existing Terraform Cloud workspace configured with AWS access credentials.

If you do not, refer to the Use VCS-Driven Workflow and Create a Variable Set tutorials for guidance.

You must be in the "owners" team or have "Manage Policies" organization-level permissions to create new policy sets and policies.

»Fork GitHub Repository

To create a policy set, you will need a VCS repository to host the policy configuration. Fork the example Enforce Policy repository.

In the repository, you will find two files — sentinel.hcl and allowed-terraform-version.sentinel.

»Explore a policy set

sentinel.hcl defines the policy set. This configuration declares a policy named allowed-terraform-version and sets a soft-mandatory enforcement level. You can define multiple policy blocks in the sentinel.hcl file to configure more policies.

policy "allowed-terraform-version" {
    enforcement_level = "soft-mandatory"
}

sentinel.hcl

policy "allowed-terraform-version" {
    enforcement_level = "soft-mandatory"
}

Enforcement levels in Terraform Cloud define behavior when policies fail to evaluate successfully. Sentinel provides three enforcement modes.

Hard-mandatory requires that the policy passes. If a policy fails, the run is halted and may not be applied until the failure is resolved.
Soft-mandatory is similar to hard-mandatory, but allows an administrator to override policy failures on a case-by-case basis.
Advisory will never interrupt the run, and instead will only surface policy failures as informational to the user.

»Explore a policy

allowed-terraform-version.sentinel defines the policy declared in the policy set. Sentinel code files must follow the naming convention of <policy name>.sentinel.

This policy will pass and return a value of true when the Terraform version is 1.1.0 and above. You can experiment with this policy and trigger a failure by changing the expression to version.new(tfplan.terraform_version).less_than("1.1.0") or changing the version in the parentheses.

import "tfplan"
import "version"

# This regular expression checks whether the Terraform version used for the plan is 0.14+, 0.15+, or 1.0+

main = rule {
  version.new(tfplan.terraform_version).greater_than("1.1.0")
}

allowed-terraform-version.sentinel

import "tfplan"
import "version"

# This regular expression checks whether the Terraform version used for the plan is 0.14+, 0.15+, or 1.0+

main = rule {
  version.new(tfplan.terraform_version).greater_than("1.1.0")
}

»Connect the Policy to Terraform Cloud

You need to connect your policy set to your Terraform Cloud organization before you are able to use it. Navigate to your organization's Settings, and then to the Policy Sets page.

Click on the Connect a new policy set button.

The policy set creation page offers a few options for creating your policy set. Connect to a VCS to source the policy set.

Select Github as the VCS provider
Select your forked learn-terraform-enforce-policies repository
On the Configure settings section, under Scope of Policies, select Policies enforced on select workspaces.
Specify the workspaces you want this policy to apply to and click the Add workspace button to complete adding the workspace to this policy set. If you are continuing from the previous tutorial, use your learn-terraform-cloud workspace
Finally, click the Connect policy set button to create the policy set.

Note: Policy set names within a Terraform Cloud organization must be unique. If your organization already has a policy named learn-terraform-enforce-policies, rename the policy so it's unique.

This creates a policy set that checks whether the Terraform version is 1.1.0 or above for the workspaces specified.

After creating the policy set, you will be taken back to the policy sets index page. The list now contains your new policy set. The VCS information, including the latest commit SHA, should appear within the policy set (if it's empty at first, allow a few moments and refresh).

Now that the policy set is configured, navigate to the learn-terraform-cloud workspace and select Start new plan from the Actions menu.

There is now an additional policy check step in the run, showing that the policy passed.

Discard the run to avoid creating the infrastructure. Then, destroy the workspace.

Tip: For detailed guidance on destroying a workspace, review the Destroy Resources and Workspaces tutorial.

»Next steps

In this tutorial, you created and used a policy check to verify the Terraform version before each run.

In the next tutorial, you will learn how to enable and integrate cost estimation into policies. Terraform Cloud's cost estimation feature helps you manage your infrastructure spending.

To learn more about policies, refer to the Terraform Cloud Sentinel documentation.

Infrastructure

Security

Applications

Networking

cloud