HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202303-1. View latest version.

Policies API

Note: Sentinel and OPA policies are available in the Terraform Cloud Team & Governance tier.

Policies are rules that Terraform Cloud enforces on Terraform runs. You can use policies to validate that the Terraform plan complies with security rules and best practices. Terraform Cloud policy enforcement lets you use the policy-as-code frameworks Sentinel and Open Policy Agent (OPA) to apply policy checks to Terraform Cloud workspaces. Refer to [Policy Enforcement]((/cloud-docs/policy-enforcement) for more details.

You group policies into policy sets and apply those policy sets to one or more workspaces in your organization. For each run in those workspaces, Terraform Cloud checks the Terraform plan against the policy set and displays the results in the UI.

This page documents the API endpoints to create, read, update, and delete policies in an organization. To manage policy sets, use the Policy Sets API. To manage the policy results, use the Runs API.

Note: We no longer recommend using these endpoints to manage Sentinel policies in Terraform Cloud. For Sentinel, we recommend creating policy sets with the Policy Sets API. This approach lets you integrate with version control systems and upload policy set data and configuration together.

Create a Policy

POST /organizations/:organization_name/policies

ParameterDescription
:organization_nameThe organization to create the policy in. The organization must already exist in the system, and the token authenticating the API request must have permission to manage policies. ((More about permissions.)

[permissions-citation]: #intentionally-unused---keep-for-maintainers)

This creates a new policy object for the organization, but does not upload the actual policy code. After creation, you must use the Upload a Policy endpoint (below) with the new policy's upload path. (This endpoint's response body includes the upload path in its links.upload property.)

StatusResponseReason
200JSON API document (type: "policies")Successfully created a policy
404JSON API error objectOrganization not found, or user unauthorized to perform action
422JSON API error objectMalformed request body (missing attributes, wrong types, etc.)

Request Body

This POST endpoint requires a JSON object with the following properties as a request payload.

Properties without a default value are required.

Key pathTypeDefaultDescription
data.typestringMust be "policies".
data.attributes.namestringThe name of the policy, which can include letters, numbers, -, and _. You cannot modify this name after creation.
data.attributes.descriptionstringnullText describing the policy's purpose. This field supports Markdown and appears in the Terraform Cloud UI.
data.attributes.kindstringsentinelThe policy-as-code framework for the policy. Valid values are "sentinel" and "opa".
data.attributes.querystringThe OPA query to run. Only valid for OPA policies.
data.attributes.enforcearray[object]An array of enforcement configurations that map policy file paths to their enforcement modes. Policies support a single file, so this array should consist of a single element. For Sentinel, if the path in the enforcement map does not match the Sentinel policy (<NAME>.sentinel), then Terraform Cloud uses the default hard-mandatory enforcement level. For OPA, the default enforcement level is advisory.
data.attributes.enforce[].pathstringFor Sentinel, must be <NAME>.sentinel, where <NAME> has the same value as data.attributes.name. For OPA, must be <NAME>.rego.
data.attributes.enforce[].modestringThe enforcement level of the policy. For Sentinel, valid values are "hard-mandatory", "soft-mandatory", and "advisory". For OPA, Valid values are "mandatory"and "advisory". Refer to Managing Policies for details.
data.relationships.policy-sets.data[]array[object][]A list of resource identifier objects to define which policy sets include the new policy. These objects must contain id and type properties, and the type property must be policy-sets. For example,{ "id": "polset-3yVQZvHzf5j3WRJ1","type": "policy-sets" }.

Sample Payload (Sentinel)

{
  "data": {
    "attributes": {
      "enforce": [
        {
          "path": "my-example-policy.sentinel",
          "mode": "hard-mandatory"
        }
      ],
      "name": "my-example-policy",
      "description": "An example policy.",
      "kind": "sentinel"
    },
    "relationships": {
      "policy-sets": {
        "data": [
          { "id": "polset-3yVQZvHzf5j3WRJ1", "type": "policy-sets" }
        ]
      }
    },
    "type": "policies"
  }
}

Sample Payload (OPA)

{
  "data": {
    "attributes": {
      "enforce": [
        {
          "path": "my-example-policy.rego",
          "mode": "advisory"
        }
      ],
      "name": "my-example-policy",
      "description": "An example policy.",
      "kind": "opa",
      "query": "terraform.main"
    },
    "relationships": {
      "policy-sets": {
        "data": [
          { "id": "polset-3yVQZvHzf5j3WRJ1", "type": "policy-sets" }
        ]
      }
    },
    "type": "policies"
  }
}

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request POST \
  --data @payload.json \
  https://app.terraform.io/api/v2/organizations/my-organization/policies

Sample Response (Sentinel)

{
  "data": {
    "id":"pol-u3S5p2Uwk21keu1s",
    "type":"policies",
    "attributes": {
      "name":"my-example-policy",
      "description":"An example policy.",
      "enforce": [
        {
          "path":"my-example-policy.sentinel",
          "mode":"advisory"
        }
      ],
      "policy-set-count": 1,
      "updated-at": null
    },
    "relationships": {
      "organization": {
        "data": { "id": "my-organization", "type": "organizations" }
      },
      "policy-sets": {
        "data": [
          { "id": "polset-3yVQZvHzf5j3WRJ1", "type": "policy-sets" }
        ]
      }
    },
    "links": {
      "self":"/api/v2/policies/pol-u3S5p2Uwk21keu1s",
      "upload":"/api/v2/policies/pol-u3S5p2Uwk21keu1s/upload"
    }
  }
}

Sample Response (OPA)

{
  "data": {
    "id":"pol-u3S5p2Uwk21keu1s",
    "type":"policies",
    "attributes": {
      "name":"my-example-policy",
      "description":"An example policy.",
      "kind": "opa",
      "query": "terraform.main",
      "enforce": [
        {
          "path":"my-example-policy.rego",
          "mode":"advisory"
        }
      ],
      "policy-set-count": 1,
      "updated-at": null
    },
    "relationships": {
      "organization": {
        "data": { "id": "my-organization", "type": "organizations" }
      },
      "policy-sets": {
        "data": [
          { "id": "polset-3yVQZvHzf5j3WRJ1", "type": "policy-sets" }
        ]
      }
    },
    "links": {
      "self":"/api/v2/policies/pol-u3S5p2Uwk21keu1s",
      "upload":"/api/v2/policies/pol-u3S5p2Uwk21keu1s/upload"
    }
  }
}

Show a Policy

GET /policies/:policy_id

ParameterDescription
:policy_idThe ID of the policy to show. Use the "List Policies" endpoint to find IDs.
StatusResponseReason
200JSON API document (type: "policies")The request was successful
404JSON API error objectPolicy not found or user unauthorized to perform action

Sample Request

curl --request GET \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/vnd.api+json" \
  https://app.terraform.io/api/v2/policies/pol-oXUppaX2ximkqp8w

Sample Response

{
  "data": {
    "id": "pol-oXUppaX2ximkqp8w",
    "type": "policies",
    "attributes": {
      "name": "my-example-policy",
      "description":"An example policy.",
      "kind": "sentinel",
      "enforce": [
        {
          "path": "my-example-policy.sentinel",
          "mode": "soft-mandatory"
        }
      ],
      "policy-set-count": 1,
      "updated-at": "2018-09-11T18:21:21.784Z"
    },
    "relationships": {
      "organization": {
        "data": { "id": "my-organization", "type": "organizations" }
      },
      "policy-sets": {
        "data": [
          { "id": "polset-3yVQZvHzf5j3WRJ1", "type": "policy-sets" }
        ]
      }
    },
    "links": {
      "self": "/api/v2/policies/pol-oXUppaX2ximkqp8w",
      "upload": "/api/v2/policies/pol-oXUppaX2ximkqp8w/upload",
      "download": "/api/v2/policies/pol-oXUppaX2ximkqp8w/download"
    }
  }
}

Upload a Policy

PUT /policies/:policy_id/upload

ParameterDescription
:policy_idThe ID of the policy to upload code to. Use the "List Policies" endpoint (or the response to a "Create Policy" request) to find IDs.

This endpoint uploads code to an existing Sentinel or OPA policy.

Note: This endpoint does not use JSON-API's conventions for HTTP headers and body serialization.

Note: This endpoint limits the size of uploaded policies to 10MB. If a larger payload is uploaded, an HTTP 413 error will be returned, and the policy will not be saved. Consider refactoring policies into multiple smaller, more concise documents if you reach this limit.

Request Body

This PUT endpoint requires the text of a valid Sentinel or OPA policy with a Content-Type of application/octet-stream.

Sample Payload

main = rule { true }

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/octet-stream" \
  --request PUT \
  --data-binary @payload.file \
  https://app.terraform.io/api/v2/policies/pol-u3S5p2Uwk21keu1s/upload

Update a Policy

PATCH /policies/:policy_id

ParameterDescription
:policy_idThe ID of the policy to update. Use the "List Policies" endpoint to find IDs.

This endpoint can update the enforcement mode of an existing policy. To update the policy code itself, use the upload endpoint.

StatusResponseReason
200JSON API document (type: "policies")Successfully updated the policy
404JSON API error objectPolicy not found, or user unauthorized to perform action
422JSON API error objectMalformed request body (missing attributes, wrong types, etc.)

Request Body

This PATCH endpoint requires a JSON object with the following properties as a request payload.

Properties without a default value are required.

Key pathTypeDefaultDescription
data.typestringMust be "policies".
data.attributes.descriptionstringnullText describing the policy's purpose. This field supports Markdown and appears in the Terraform Cloud UI.
data.attributes.querystringThe OPA query to run. This is only valid for OPA policies.
data.attributes.enforcearray[object]An array of enforcement configurations that map policy file paths to their enforcement modes. Policies support a single file, so this array should consist of a single element. For Sentinel, if the path in the enforcement map does not match the Sentinel policy (<NAME>.sentinel), then Terraform Cloud uses the default hard-mandatory enforcement level. For OPA, the default enforcement level is advisory.
data.attributes.enforce[].pathstringFor Sentinel, must be <NAME>.sentinel, where <NAME> has the same value as data.attributes.name. For OPA, must be <NAME>.rego.
data.attributes.enforce[].modestringhard-mandatory(Sentinel) , advisory (OPA)The enforcement level of the policy. For Sentinel, valid values are "hard-mandatory", "soft-mandatory", and "advisory". For OPA, valid values are "mandatory"and "advisory". Refer to Managing Policies for details.

Sample Payload

{
  "data": {
    "attributes": {
      "enforce": [
        {
          "path": "my-example-policy.sentinel",
          "mode": "soft-mandatory"
        }
      ],
    },
    "type":"policies"
  }
}

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request PATCH \
  --data @payload.json \
  https://app.terraform.io/api/v2/policies/pol-u3S5p2Uwk21keu1s

Sample Response

{
  "data": {
    "id":"pol-u3S5p2Uwk21keu1s",
    "type":"policies",
    "attributes": {
      "name":"my-example-policy",
      "description":"An example policy.",
      "kind": "sentinel",
      "enforce": [
        {
          "path":"my-example-policy.sentinel",
          "mode":"soft-mandatory"
        }
      ],
      "policy-set-count": 0,
      "updated-at":"2017-10-10T20:58:04.621Z"
    },
    "relationships": {
      "organization": {
        "data": { "id": "my-organization", "type": "organizations" }
      },
    },
    "links": {
      "self":"/api/v2/policies/pol-u3S5p2Uwk21keu1s",
      "upload":"/api/v2/policies/pol-u3S5p2Uwk21keu1s/upload",
      "download":"/api/v2/policies/pol-u3S5p2Uwk21keu1s/download"
    }
  }
}

List Policies

GET /organizations/:organization_name/policies

ParameterDescription
:organization_nameThe organization to list policies for.
StatusResponseReason
200Array of JSON API documents (type: "policies")Success
404JSON API error objectOrganization not found, or user unauthorized to perform action

Query Parameters

This endpoint supports pagination with standard URL query parameters; remember to percent-encode [ as %5B and ] as %5D if your tooling doesn't automatically encode URLs.

ParameterDescription
page[number]Optional. If omitted, the endpoint will return the first page.
page[size]Optional. If omitted, the endpoint will return 20 policies per page.
search[name]Optional. Allows searching the organization's policies by name.
filter[kind]Optional. If specified, restricts results to those with the matching policy kind value. Valid values are sentinel and opa

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  https://app.terraform.io/api/v2/organizations/my-organization/policies

Sample Response

{
  "data": [
    {
      "attributes": {
        "enforce": [
          {
            "mode": "advisory",
            "path": "my-example-policy.sentinel"
          }
        ],
        "name": "my-example-policy",
        "description": "An example policy.",
        "policy-set-count": 0,
        "updated-at": "2017-10-10T20:52:13.898Z",
        "kind": "sentinel"
      },
      "id": "pol-u3S5p2Uwk21keu1s",
      "relationships": {
        "organization": {
          "data": { "id": "my-organization", "type": "organizations" }
        },
      },
      "links": {
        "download": "/api/v2/policies/pol-u3S5p2Uwk21keu1s/download",
        "self": "/api/v2/policies/pol-u3S5p2Uwk21keu1s",
        "upload": "/api/v2/policies/pol-u3S5p2Uwk21keu1s/upload"
      },
      "type": "policies"
    },
    {
       "id":"pol-vM2rBfj7V2Faq8By",
       "type":"policies",
       "attributes":{
       "name":"policy1",
       "description":null,
       "enforce":[
         {
            "path":"policy1.rego",
            "mode":"advisory"
         }
       ],
       "policy-set-count":1,
       "updated-at":"2022-09-13T04:57:43.516Z",
       "kind":"opa",
       "query":"data.terraform.rules.policy1.rule"
       },
       "relationships":{
          "organization":{
            "data":{
              "id":"hashicorp",
              "type":"organizations"
            }
          },
          "policy-sets":{
            "data":[
              {
                "id":"polset-FYu3k5WY5eecwwdt",
                "type":"policy-sets"
              }
            ]
          }
       },
       "links":{
         "self":"/api/v2/policies/pol-vM2rBfj7V2Faq8By",
         "upload":"/api/v2/policies/pol-vM2rBfj7V2Faq8By/upload",
         "download":"/api/v2/policies/pol-vM2rBfj7V2Faq8By/download"
       }
    }
  ]
}

Delete a Policy

DELETE /policies/:policy_id

ParameterDescription
:policy_idThe ID of the policy to delete. Use the "List Policies" endpoint to find IDs.
StatusResponseReason
204NothingSuccessfully deleted the policy
404JSON API error objectPolicy not found, or user unauthorized to perform action

Sample Request

curl \
  --header "Authorization: Bearer $TOKEN" \
  --header "Content-Type: application/vnd.api+json" \
  --request DELETE \
  https://app.terraform.io/api/v2/policies/pl-u3S5p2Uwk21keu1s

Available Related Resources

The GET endpoints above can optionally return related resources, if requested with the include query parameter. The following resource types are available:

Resource NameDescription
policy_setsPolicy sets that any returned policies are members of.