HCP Terraform policy enforcement overview
This topic provides overview information about policies in HCP Terraform. Policies are rules for Terraform runs that let you validate that Terraform plans comply with security rules and best practices.
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Hands-on: Try the Enforce Policy with Sentinel and Detect Infrastructure Drift and Enforce OPA Policies tutorials.
Introduction
You can implement policies that check for any number of conditions, such as whether infrastructure configuration adheres to security standards or best practices. For example, you may want to write a policy to check whether Terraform plans to deploy production infrastructure to the correct region.
You can also use policies to enforce standards for your organization’s workflows. For example, you could write a policy to prevent new infrastructure deployments on Fridays, reducing the risk of production incidents outside of your team’s working hours.
Workflow
The following workflow describes how to create and manage policies manually.
Define policy
You can use either the Sentinel or OPA framework to create custom policies. You can also copy pre-written Sentinel policies created and maintained by HashiCorp.
Create and apply policy sets
Policy sets are collections of policies you can apply globally or to specific projects and workspaces in your organization. For each run in the selected workspaces, HCP Terraform checks the Terraform plan against the policy set.
You can also exclude specific workspaces from global or project-scoped policy sets. HCP Terraform won't enforce a policy set's policies on any runs in an excluded workspace. For example, if you attach a policy set to a project and then exclude one of the project's workspaces from that policy set, HCP Terraform will not enforce the policy set on the excluded workspace.
You can create policy sets from the user interface, the API, or by connecting HCP Terraform to your version control system. A policy set can only contain policies written in a single policy framework, but you can add Sentinel or OPA policy sets to the same workspace.
Refer to Managing Policy Sets for details.
Review policy results
The HCP Terraform UI displays policy results for each policy set you apply to the workspace. Depending on their enforcement level, failed policies can stop the run. You can override failed policies with the right permissions.
Refer to Policy Results for details.