Introduction
Problem
A Sentinel policy set has been added from a GitHub repository (VCS-connected), and Terraform Enterprise (TFE) is not updating the policy set to the latest commit available in GitHub.
Prerequisites
- TFE application
- A VCS connected Sentinel policy set
Cause
Broken or unresponsive GitHub webhook preventing commit notifications from reaching Terraform Enterprise.
Prerequisites
- TFE API Token (with access to read policy sets)
- Access to your GitHub repository settings
- Admin/SSH access to the TFE host (for log inspection)
Resolution Steps
🔍 Step 1: Retrieve Webhook URL from TFE
Use the Terraform API to get the policy set’s webhook:
- Replace <your-tfe-hostname> with your TFE hostname.
- Replace polset-<ID> with the policy set ID found in the TFE UI.
- Use a valid API token for $TOKEN.
In the output, find the line:
Copy the UUID at the end of the webhook URL.
🔗 Step 2: Verify Webhook in GitHub
- Go to your GitHub repository.
- Navigate to: Settings > Webhooks
- Confirm a webhook exists that ends in the UUID you copied above.
- If not present or incorrect, re-add the webhook manually or trigger a VCS re-sync in TFE.
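The comparison from Steps 1 and 2, as an added example (not HashiCorp's own code) that runs offline on constructed sample data. It assumes the webhook URL sits at data.attributes.vcs-repo.webhook-url in the policy set API response and that the hook list has the shape returned by GitHub's "list repository webhooks" API; all hostnames, IDs and the UUID are constructed.

```python
import json
import re
from urllib.parse import urlparse

UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample data (not real output): one policy set, two GitHub hooks.
SAMPLE_URL = "https://tfe.example.com/webhooks/vcs/11111111-2222-3333-4444-555555555555"
POLICY_SET = json.dumps({"data": {"id": "polset-EXAMPLE", "attributes": {
    "vcs-repo": {"identifier": "example-org/sentinel-policies",
                 "webhook-url": SAMPLE_URL}}}})
HOOKS = json.dumps([
    {"id": 1, "active": True, "config": {"url": "https://ci.example.com/github"},
     "last_response": {"code": 200}},
    {"id": 2, "active": True, "config": {"url": SAMPLE_URL},
     "last_response": {"code": 502}},
])


def webhook_uuid(policy_set_json):
    """Return the trailing UUID of the policy set's webhook URL, or None."""
    doc = json.loads(policy_set_json)
    # Assumed field location; adjust if your API response differs.
    vcs = doc.get("data", {}).get("attributes", {}).get("vcs-repo") or {}
    path = urlparse(vcs.get("webhook-url") or "").path.rstrip("/")
    match = UUID_RE.search(path)
    return match.group(0).lower() if match else None


def check_hooks(uuid, hooks_json):
    """Classify the GitHub side of the webhook for the given UUID."""
    if uuid is None:
        return "no-webhook-url"
    for hook in json.loads(hooks_json):
        url = (hook.get("config") or {}).get("url", "")
        if not urlparse(url).path.rstrip("/").lower().endswith(uuid):
            continue
        if not hook.get("active", False):
            return "inactive"
        code = (hook.get("last_response") or {}).get("code")
        if code is None:
            return "never-delivered"
        return "ok" if code == 200 else f"delivery-failed:{code}"
    return "missing"  # no hook ends in the UUID: re-add it or re-sync in TFE


if __name__ == "__main__":
    print(check_hooks(webhook_uuid(POLICY_SET), HOOKS))
```

A "missing" or "inactive" result points at the GitHub webhook configuration, while "delivery-failed" or "never-delivered" points at the connectivity and log checks in Steps 3 and 4.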
🧾 Step 3: Check Logs for Webhook Requests
For Replicated Deployments:
For FDO Deployments:
Expected Output:
If you get no results or a non-200 status:
🔧 Step 4: Troubleshoot Connectivity
- Firewall/WAF/Proxy: Ensure nothing is blocking GitHub’s webhook POST requests.
- Certificate Trust: Confirm GitHub trusts the TLS cert on TFE:
- A successful response means the cert is trusted and the app is reachable.
✅ Solution
- If the webhook is missing or incorrect, re-add it in GitHub or trigger a manual sync from the TFE policy set UI.
- If the webhook is present but not received, check your network and TLS certificate.
🧾 Still Having Issues?
Open a support ticket and include the following:
- Commit hashes visible in GitHub but not in TFE
- Webhook URL (from the API response)
- Output from:
- A TFE support bundle (Replicated or FDO)