Policy Enforcement
Policies are rules that HCP Terraform enforces on Terraform runs. You can use policies to validate that the Terraform plan complies with security rules and best practices.
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Hands-on: Try the Enforce Policy with Sentinel and Detect Infrastructure Drift and Enforce OPA Policies tutorials.
Define Policies
You can use two policy-as-code frameworks to define fine-grained, logic-based policies: Sentinel and Open Policy Agent (OPA). Depending on the enforcement level you assign, a policy can act as an advisory warning or as a firm requirement that prevents Terraform from provisioning infrastructure.
- Sentinel: You define policies with the Sentinel policy language and use imports to parse the Terraform plan, state, and configuration. Refer to Defining Sentinel Policies for details.
- OPA: You define policies with the Rego policy language. Refer to Defining OPA Policies for details.
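The following OPA policy is an added example to show what a plan check in one of these frameworks looks like; it is not taken from the HCP Terraform documentation or from any HashiCorp policy library. It assumes the HCP Terraform OPA input layout, in which `input.plan` holds the JSON representation of the run's plan (the same structure `terraform show -json` produces), and it uses the `deny[msg]` rule form that HCP Terraform queries for a set of violation messages. The resource types, attribute names and the 0.0.0.0/0 check are the example's own choices; an equivalent Sentinel policy would read the same data through the `tfplan/v2` import.

```rego
package terraform.policies.no_public_ingress

# Added example, not from the HCP Terraform docs. Assumption: input.plan is the
# JSON plan that HCP Terraform passes to OPA policies for this run.
import input.plan as tfplan

# Managed resources this run will create. Resources being destroyed are not
# collected, so a plan that removes an offending security group still passes.
changed_resources[rc] {
    rc := tfplan.resource_changes[_]
    rc.mode == "managed"
    rc.change.actions[_] == "create"
}

# Managed resources this run will update (in-place or replace).
changed_resources[rc] {
    rc := tfplan.resource_changes[_]
    rc.mode == "managed"
    rc.change.actions[_] == "update"
}

# Inline ingress blocks on aws_security_group that admit the whole internet.
# One message per offending rule; an empty deny set means the policy passes.
deny[msg] {
    rc := changed_resources[_]
    rc.type == "aws_security_group"
    rule := rc.change.after.ingress[_]
    rule.cidr_blocks[_] == "0.0.0.0/0"
    msg := sprintf("%v allows ingress from 0.0.0.0/0 on ports %v-%v",
                   [rc.address, rule.from_port, rule.to_port])
}

# The same check for standalone aws_security_group_rule resources, which are
# not visible through the parent security group's inline ingress blocks.
deny[msg] {
    rc := changed_resources[_]
    rc.type == "aws_security_group_rule"
    rc.change.after.type == "ingress"
    rc.change.after.cidr_blocks[_] == "0.0.0.0/0"
    msg := sprintf("%v allows ingress from 0.0.0.0/0 on ports %v-%v",
                   [rc.address, rc.change.after.from_port, rc.change.after.to_port])
}
```

Two caveats a practitioner should keep in mind. First, `change.after` only contains values known at plan time; attributes that are computed during apply appear under `after_unknown` instead, so a CIDR passed in from another resource's output cannot be evaluated and the rule above will silently not match it. Second, whether a non-empty `deny` set merely warns or blocks the run is not decided in the policy: it is decided by the enforcement level set in the policy set configuration, so the same policy can be rolled out as advisory first and switched to mandatory once existing workspaces comply.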
Apply Policy Sets to Workspaces and Projects
Policy sets are collections of policies you can apply globally or to specific projects and workspaces in your organization. For each run in the selected workspaces, HCP Terraform checks the Terraform plan against the policy set.
You can also exclude specific workspaces from global or project-scoped policy sets. HCP Terraform won't enforce a policy set's policies on any runs in an excluded workspace. For example, if you attach a policy set to a project and then exclude one of the project's workspaces from that policy set, HCP Terraform will not enforce the policy set on the excluded workspace.
You can create policy sets using the HCP Terraform user interface, the HCP Terraform API, or by connecting HCP Terraform to your version control system. A policy set can only contain policies written in a single policy framework (Sentinel or OPA). However, you can attach both Sentinel and OPA policy sets to the same workspace.
Refer to Managing Policy Sets for details.
Review Policy Results
The HCP Terraform UI displays policy results for each policy set you apply to the workspace. Depending on the enforcement level, a failed policy either warns or blocks the run. Users with the required permission can override a failed policy whose enforcement level permits overrides.
Refer to Policy Results for details.