HCP Terraform policy enforcement overview
This topic provides overview information about policies in HCP Terraform. Policies are rules for Terraform runs that let you validate that Terraform plans comply with security rules and best practices.
Note: HCP Terraform Free edition includes one policy set of up to five policies. In HCP Terraform Standard and Premium editions, you can connect a policy set to a version control repository or create policy set versions with the API. Refer to HCP Terraform pricing for details.
Hands-on: Try the Enforce Policy with Sentinel and Detect Infrastructure Drift and Enforce OPA Policies tutorials.
Introduction
You can implement policies that check for any number of conditions, such as whether infrastructure configuration adheres to security standards or best practices. For example, you may want to write a policy to check whether Terraform plans to deploy production infrastructure to the correct region.
You can also use policies to enforce standards for your organization’s workflows. For example, you could write a policy to prevent new infrastructure deployments on Fridays, reducing the risk of production incidents outside of your team’s working hours.
Workflow
The following workflow describes how to create and manage policies manually.
Create a policy set
Add a policy configuration file to a repository in your version control system (VCS), add policies, then connect them to your organization. The policy configuration file format depends on your policy framework. Refer to the following topics for more information:
- Configure a Sentinel policy set with a VCS repository
- Configure an OPA policy set with a VCS repository
You can manually write custom policies in Sentinel or OPA framework format, or implement pre-written Sentinel policies created and maintained by HashiCorp. Pre-written Sentinel policies enforce common standards, such as PCI DSS. Refer to Pre-written policy library for information about publicly available pre-written policies. For information about writing custom Sentinel policies, refer to the Sentinel documentation.
You can apply policies globally or apply them to specific projects and workspaces. For each run in the selected workspaces, HCP Terraform checks the Terraform plan against the policy set. A policy set can only contain policies written in a single policy framework, but you can add Sentinel or OPA policy sets to the same workspace.
Although the UI allows you to author and store policies in the application, we recommend storing policies in a VCS to implement a policy-as-code workflow, which ensures standardization, security, and auditability. You can also create policy sets programmatically using the API. Refer to Managing Policy Sets for details.
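The region check described in the introduction, written as a Sentinel policy against the tfplan/v2 import. This is an added example rather than a policy from HashiCorp's library or this documentation; the resource type (azurerm_resource_group) and the approved region list are assumptions, and the enforcement level for this policy is set in the policy set's sentinel.hcl file rather than in the policy itself.

```sentinel
# Added example policy: restrict Azure resource groups planned in this
# workspace to approved regions. Not part of the HCP Terraform docs.
import "tfplan/v2" as tfplan
import "strings"

# Assumed organization-approved regions.
allowed_locations = ["eastus", "westus2"]

# Normalize the planned location; a missing value becomes "" so that
# the comparison below fails closed instead of erroring.
planned_location = func(rc) {
  return strings.to_lower(rc.change.after.location else "")
}

# Only inspect resource groups the plan will create or update. Resources
# being destroyed or left unchanged do not need a region check.
resource_groups = filter tfplan.resource_changes as _, rc {
  rc.type is "azurerm_resource_group" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Collect violations first so the run output names each offending address.
violations = filter resource_groups as _, rc {
  planned_location(rc) not in allowed_locations
}

for violations as address, rc {
  print("Violation:", address, "uses location",
        rc.change.after.location else "<unknown>",
        "; allowed locations are", allowed_locations)
}

# The policy passes only when every in-scope resource group is compliant.
location_allowed = rule {
  all resource_groups as _, rc {
    planned_location(rc) in allowed_locations
  }
}

main = rule {
  location_allowed
}
```

With enforcement_level set to "hard-mandatory" in sentinel.hcl, a failing evaluation stops the run and cannot be overridden; "soft-mandatory" lets a user with the right permissions override it, and "advisory" only logs the result.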
Review policy results
The HCP Terraform UI displays policy results for each policy set you apply to the workspace. Depending on their enforcement level, failed policies can stop the run. You can override failed policies with the right permissions.
Refer to Policy Results for details.