» Import: tfrun

The tfrun import provides access to data associated with a Terraform run.

This import currently consists of run attributes, as well as namespaces for the organization, workspace and cost-estimate. Each namespace provides static data regarding the Terraform Cloud application that can then be consumed by Sentinel during a policy evaluation.

tfrun
├── id (string)
├── created_at (string)
├── message (string)
├── commit_sha (string)
├── speculative (boolean)
├── is_destroy (boolean)
├── variables (map of keys)
├── target_addrs (array of strings)
├── organization
│   └── name (string)
├── workspace
│   ├── id (string)
│   ├── name (string)
│   ├── description (string)
│   ├── auto_apply (bool)
│   ├── working_directory (string)
│   └── vcs_repo (map of keys)
└── cost_estimate
    ├── prior_monthly_cost (string)
    ├── proposed_monthly_cost (string)
    └── delta_monthly_cost (string)

» Namespace: root

The root namespace contains data associated with the current run.

» Value: id

  • Value Type: String.

Specifies the ID that is associated with the current Terraform run.

» Value: created_at

  • Value Type: String.

The created_at value within the root namespace specifies the time that the run was created. The timestamp returned follows the format outlined in RFC3339.

Users can use the time import to load a run timestamp and create a new timespace from the specified value. See the time import documentation for available actions that can be performed on timespaces.
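As an added example (not part of the tfrun documentation), the following policy loads created_at with the time import and only allows destroy runs inside a change window. It assumes the time import's load function and the hour and weekday attributes of a timespace (weekday numbered from Sunday = 0) as described in that import's documentation; the window itself is this example's own choice.

```sentinel
import "tfrun"
import "time"

# Parse the RFC3339 run timestamp into a timespace.
# created_at is reported in UTC, so the window below is expressed in UTC.
run_time = time.load(tfrun.created_at)

# Change window (constructed for this example): Monday (1) through
# Friday (5), 09:00 to 16:59 UTC.
within_change_window = rule {
    run_time.weekday >= 1 and run_time.weekday <= 5 and
    run_time.hour >= 9 and run_time.hour < 17
}

# Only real (non-speculative) destroy plans are restricted; every other
# run passes this policy unchanged.
main = rule when tfrun.is_destroy and not tfrun.speculative {
    within_change_window
}
```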

» Value: message

  • Value Type: String.

Specifies the message that is associated with the Terraform run.

The default value is "Queued manually via the Terraform Enterprise API".

» Value: commit_sha

  • Value Type: String.

Specifies the checksum hash (SHA) that identifies the commit.

» Value: speculative

  • Value Type: Boolean.

Specifies whether the plan associated with the run is a speculative plan only.

» Value: is_destroy

  • Value Type: Boolean.

Specifies whether the plan is a destroy plan, which will destroy all provisioned resources.

» Value: variables

  • Value Type: A string-keyed map of values.

Provides the names of the variables that are configured within the run and the sensitivity state of the value.

variables (map of keys)
└── name (string)
    ├── category (string)
    └── sensitive (boolean)
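As an added example (not part of the tfrun documentation), the following policy walks the variables map shown above and fails the run when a variable whose name looks like a credential is not marked sensitive. The map shape (name to category and sensitive) is taken from this page; the name pattern is this example's own choice.

```sentinel
import "tfrun"

# Names that commonly hold credentials (case-insensitive RE2 pattern;
# constructed for this example and meant to be tuned per organization).
secret_pattern = "(?i)(password|passwd|secret|token|api_?key|private_key)"

# Variables configured on the run; an empty map if none are defined.
variables = tfrun.variables else {}

# Keep only the variables that match the pattern but are not sensitive.
unprotected = filter variables as name, attrs {
    name matches secret_pattern and not attrs.sensitive
}

# Report the offending names in the policy output so the operator
# knows which variables to fix.
if length(unprotected) > 0 {
    print("Secret-like variables not marked sensitive:", keys(unprotected))
}

main = rule { length(unprotected) is 0 }
```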

» Value: target_addrs

  • Value Type: Array of strings.

Provides the targets specified using the -target flag in the CLI or the target-addrs attribute in the API. Will be undefined if no resource targets are specified.

To prohibit targeted runs altogether, make sure the target_addrs value is undefined or empty:

import "tfrun"

main = (length(tfrun.target_addrs) else 0) == 0

» Namespace: organization

The organization namespace contains data associated with the current run's Terraform Cloud organization.

» Value: name

  • Value Type: String.

Specifies the name assigned to the Terraform Cloud organization.

» Namespace: workspace

The workspace namespace contains data associated with the current run's workspace.

» Value: id

  • Value Type: String.

Specifies the ID that is associated with the Terraform workspace.

» Value: name

  • Value Type: String.

The name of the workspace, which can only include letters, numbers, -, and _.

As an example, in a workspace named app-us-east-dev the following policy would evaluate to true:

# Enforces production rules on all non-development workspaces

import "tfrun"
import "strings"

# (Actual policy logic omitted)
evaluate_production_policy = rule { ... }

main = rule when strings.has_suffix(tfrun.workspace.name, "-dev") is false {
    evaluate_production_policy
}

» Value: description

  • Value Type: String.

Contains the description for the workspace.

This value can be null.

» Value: auto_apply

  • Value Type: Boolean.

Contains the workspace's auto-apply setting.

» Value: working_directory

  • Value Type: String.

Contains the configured Terraform working directory of the workspace.

This value can be null.

» Value: vcs_repo

  • Value Type: A string-keyed map of values.

Contains data associated with a VCS repository connected to the workspace.

Details regarding each attribute can be found in the documentation for the Terraform Cloud Workspaces API.

This value can be null.

vcs_repo (map of keys)
├── identifier (string)
├── display_identifier (string)
├── branch (string)
└── ingress_submodules (bool)

» Namespace: cost_estimate

The cost_estimate namespace contains data associated with the current run's cost estimate.

This namespace is only present if a cost estimate is available.

» Value: prior_monthly_cost

  • Value Type: String.

Contains the monthly cost estimate at the beginning of a plan.

This value contains a positive decimal and can be "0.0".

» Value: proposed_monthly_cost

  • Value Type: String.

Contains the monthly cost estimate if the plan were to be applied.

This value contains a positive decimal and can be "0.0".

» Value: delta_monthly_cost

  • Value Type: String.

Contains the difference between the prior and proposed monthly cost estimates.

This value may contain a positive or negative decimal and can be "0.0".
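As an added example (not part of the tfrun documentation), the following policy caps the increase in estimated monthly cost using delta_monthly_cost, and handles the case where the cost_estimate namespace is absent. It assumes the decimal import's new function and greater_than method as described in that import's documentation; the budget figure is constructed for this example.

```sentinel
import "tfrun"
import "decimal"

# Largest allowed increase in estimated monthly cost (constructed value).
max_increase_str = "500.00"
max_increase = decimal.new(max_increase_str)

# Returns true when the run's monthly cost delta is at or below the cap.
# A run without a cost estimate is allowed here; return false instead
# to fail closed when an estimate is required.
delta_within_budget = func(estimate) {
    if estimate is null {
        print("No cost estimate on this run; skipping cost check")
        return true
    }
    # delta_monthly_cost is a decimal string, possibly negative or "0.0".
    delta = decimal.new(estimate.delta_monthly_cost)
    if delta.greater_than(max_increase) {
        print("Monthly cost delta", estimate.delta_monthly_cost,
              "exceeds the allowed increase of", max_increase_str)
        return false
    }
    return true
}

# The namespace is undefined when no estimate exists; map that to null
# before calling the function so undefined does not propagate.
main = rule { delta_within_budget(tfrun.cost_estimate else null) }
```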