» tfe_policy_set

Sentinel Policy as Code is an embedded policy as code framework integrated with Terraform Enterprise.

Policy sets are groups of policies that are applied together to related workspaces. By using policy sets, you can group your policies by attributes such as environment or region. Individual policies that are members of policy sets will only be checked for workspaces that the policy set is attached to.

» Example Usage

Basic usage (VCS-based policy set):

resource "tfe_policy_set" "test" {
  name                   = "my-policy-set"
  description            = "A brand new policy set"
  organization           = "my-org-name"
  policies_path          = "policies/my-policy-set"
  workspace_external_ids = ["${tfe_workspace.test.external_id}"]

  vcs_repo {
    identifier         = "my-org-name/my-policy-set-repository"
    branch             = "master"
    ingress_submodules = false
    oauth_token_id     = "${tfe_oauth_client.test.oauth_token_id}"
  }
}

Using manually-specified policies:

resource "tfe_policy_set" "test" {
  name                   = "my-policy-set"
  description            = "A brand new policy set"
  organization           = "my-org-name"
  policy_ids             = ["${tfe_sentinel_policy.test.id}"]
  workspace_external_ids = ["${tfe_workspace.test.external_id}"]
}

» Argument Reference

The following arguments are supported:

  • name - (Required) Name of the policy set.
  • description - (Optional) A description of the policy set's purpose.
  • global - (Optional) Whether or not policies in this set will apply to all workspaces. Defaults to false. This value must not be provided if workspace_external_ids are provided.
  • organization - (Required) Name of the organization.
  • policies_path - (Optional) The sub-path within the attached VCS repository to ingress when using vcs_repo. All files and directories outside of this sub-path will be ignored. This option can only be supplied when vcs_repo is present. Forces a new resource if changed.
  • policy_ids - (Optional) A list of Sentinel policy IDs. This value must not be provided if vcs_repo is provided.
  • vcs_repo - (Optional) Settings for the policy sets VCS repository. Forces a new resource if changed. This value must not be provided if policy_ids are provided.
  • workspace_external_ids - (Optional) A list of workspace external IDs. This value must not be provided if global is provided.

The vcs_repo block supports:

  • identifier - (Required) A reference to your VCS repository in the format :org/:repo where :org and :repo refer to the organization and repository in your VCS provider.
  • branch - (Optional) The repository branch that Terraform will execute from. Default to master.
  • ingress_submodules - (Optional) Whether submodules should be fetched when cloning the VCS repository. Defaults to false.
  • oauth_token_id - (Required) Token ID of the VCS Connection (OAuth Conection Token) to use.

» Attributes Reference

  • id - The ID of the policy set.

» Import

Policy sets can be imported; use <POLICY SET ID> as the import ID. For example:

terraform import tfe_policy_set.test polset-wAs3zYmWAhYK7peR