»Enforce and Override Policies
Note: Sentinel policies are a paid feature, available as part of the Team & Governance upgrade package. Learn more about Terraform Cloud pricing here.
Hands-on: Try the Enforce Policy with Sentinel collection on HashiCorp Learn.
You can define individual policies within larger policy sets and apply those policy sets to all or a subset of workspaces in an organization. Terraform Cloud then enforces all of those policies on every workspace run.
Policy checks occur after a plan and any enabled cost estimates are successfully executed in the run. This allows policies to restrict costs based on the data in the cost estimates. If the plan fails, Sentinel does not perform policy checks. The policy checks use data from the plan, state, configuration, workspace, and run to verify and enforce the rules in each policy.
Refer to the Managing Policies documentation for more detail about enforcement.
hard-mandatory must pass in order for the run to continue to the "Confirm & Apply" state. All
soft-mandatory policies must pass or be overridden for the run to continue to the "Confirm & Apply" state.
soft-mandatory policies fail and no
hard-mandatory policies fail, users with permission to override policies will be presented with an Override & Continue button in the run in the Terraform Cloud workspace. This allows them to override the failed
soft-mandatory policy checks and continue the execution of the run. This will not have any impact on future runs.
These users can also override
soft-mandatory policies by running the
terraform apply command and then entering "override" when prompted to override failed
soft-mandatory policies for the run.
advisory policy check fails, it will show the warning state in the run, and the execution of the run will continue to the "Confirm & Apply" state. No user action is required to override or continue the run execution.