Introduction
This article addresses an issue where Open Policy Agent (OPA) policy evaluation output does not appear in the command line during CLI-driven runs connected to an HCP Terraform or Terraform Enterprise workspace.
Problem
When you perform a CLI-driven Terraform run using a remote backend, the policy check output from OPA policies is not displayed on the command line.
Cause
This issue occurs because, prior to Terraform version 1.4, OPA evaluation output was not streamed to the CLI for remote operations.
Solutions
Solution 1: Upgrade the Workspace Terraform Version
The recommended solution is to upgrade the Terraform version used in your HCP Terraform or Terraform Enterprise workspaces to version 1.4.0 or newer.
- Navigate to your workspace settings.
- Under the General settings, find the Terraform Version setting.
- Select a version of 1.4.0 or a more recent version.
- Save the settings and run a new plan from your CLI to see the policy output.
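To find which workspaces in an organization still sit below 1.4.0 before changing them one at a time, the following added example (not HashiCorp's code and not part of the original article) classifies the `terraform-version` attribute of each workspace in a workspace list response. The sample response is constructed, and the names `classify` and `audit` are hypothetical; values that are not exact versions are marked for manual review rather than guessed.

```python
import json
import re

MIN_VERSION = (1, 4, 0)  # per this article: 1.4.0 or newer shows OPA output in the CLI

# Constructed sample shaped like a workspace list response (JSON:API); not real data.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"attributes": {"name": "net-prod", "terraform-version": "1.3.9"}},
    {"attributes": {"name": "app-dev", "terraform-version": "1.5.7"}},
    {"attributes": {"name": "legacy", "terraform-version": "0.15.5"}},
    {"attributes": {"name": "edge", "terraform-version": "1.4.0-rc1"}},
    {"attributes": {"name": "pinned", "terraform-version": "~> 1.3.0"}},
    {"attributes": {"name": "floating", "terraform-version": "latest"}},
]})

# Exact version with an optional pre-release suffix, e.g. 1.4.0 or 1.4.0-rc1.
EXACT = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")

def classify(version):
    """Return 'ok', 'upgrade' or 'review' for one terraform-version value."""
    m = EXACT.match(version.strip())
    if not m:
        # Constraint, alias or empty value: the effective version is not knowable here.
        return "review"
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if core < MIN_VERSION:
        return "upgrade"
    if core == MIN_VERSION and m.group(4):
        # A 1.4.0 pre-release sorts before 1.4.0, so it is not "1.4.0 or newer".
        return "upgrade"
    return "ok"

def audit(response_text):
    """Map each workspace name to its classification."""
    result = {}
    for ws in json.loads(response_text)["data"]:
        attrs = ws["attributes"]
        result[attrs["name"]] = classify(attrs.get("terraform-version") or "")
    return result

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_RESPONSE).items()):
        print(f"{status:8} {name}")
```

Workspaces reported as `upgrade` are the ones where a CLI-driven run will not show the OPA policy result in the terminal; `review` entries need their resolved version checked in the workspace settings.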
Outcome
After you upgrade the workspace's Terraform version, the OPA policy evaluation output will appear in your terminal under the "post plan tasks" section.
    OPA Policy Evaluation

    →→ Overall Result: FAILED
     This result means that one or more OPA policies failed. More than likely, this was due to the discovery of violations by the main rule and other sub rules
    1 policies evaluated

    → Policy set 1: example-policy-set-opa (1)
      ↳ Policy name: example-opa-policy
         | × Failed
         | No description available

    Do you want to override the failed policy check?
      Only 'override' will be accepted to override.

      Enter a value:
Additional Information
For more details on this change, refer to the blog post about Terraform 1.4 improvements for the HCP Terraform CLI experience.