Sentinel Policy set connected to VCS is not automatically updated

Avatar
Daniela Lavric
  • Updated

Problem

A Sentinel Policy Set connected to a GitHub version control system (VCS) repository does not automatically update in Terraform Enterprise (TFE) to reflect the latest commit available in the repository.

Prerequisites

  • A Terraform Enterprise instance.
  • A Sentinel policy set connected to a VCS provider (GitHub).
  • A TFE API Token with permissions to read policy sets.
  • Administrative access to the GitHub repository settings.
  • Administrative or SSH access to the TFE host for log inspection.

Cause

This issue typically occurs when the GitHub webhook is broken, misconfigured, or unresponsive. This prevents commit notifications from successfully reaching the Terraform Enterprise instance, so TFE is not aware of new versions of the policy set.

Solutions

Follow these solutions to diagnose and resolve the webhook communication issue.

Solution 1: Verify the Webhook Configuration

First, retrieve the unique webhook URL from TFE and confirm it is correctly configured in your GitHub repository.

  1. Retrieve the policy set's webhook URL using the TFE API. Replace the placeholder values for your TFE hostname, policy set ID, and API token.

    $ curl --request GET \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/vnd.api+json" \
  https://<TFE_HOSTNAME>/api/v2/policy-sets/polset-<ID>?include=current_version

  2. In the JSON response, locate the webhook-url attribute and copy the full URL.

    {
  // ...
  "attributes": {
    // ...
    "webhook-url": "https://<TFE_HOSTNAME>/webhooks/vcs/2641bdca-09ad-4252-bd9b-fbba8a091dc2"
  }
  // ...
}
  3. Navigate to your repository in GitHub and go to Settings > Webhooks.
  4. Verify that a webhook exists with a Payload URL that matches the URL you retrieved from the TFE API. If the webhook is missing or incorrect, you can re-add it manually or trigger a VCS re-sync from the policy set's settings page in the TFE UI.

Solution 2: Inspect TFE Logs for Webhook Activity

Check the TFE NGINX logs to see if webhook POST requests from GitHub are being received. Use the unique UUID from your webhook URL to filter the logs.

  • For Replicated deployments:

    $ docker logs tfe-nginx 2>&1 | grep 2641bdca-09ad-4252-bd9b-fbba8a091dc2

  • For Flexible Deployment Options (FDO) deployments:

    $ docker exec terraform-enterprise-tfe-1 grep 2641bdca-09ad-4252-bd9b-fbba8a091dc2 /var/log/terraform-enterprise/nginx.log

A successful log entry should show an HTTP 200 status code.

## Expected Output
140.82.115.148 - - [06/Sep/2023:12:33:58 +0000] "POST /webhooks/vcs/... HTTP/1.1" 200 12 "-" "GitHub-Hookshot/..."

If you see no log entries or the status code is not 200, proceed to the next solution.

Solution 3: Troubleshoot Network Connectivity

If logs show that TFE is not receiving webhook requests, investigate potential network and TLS issues.

  • Firewall, WAF, or Proxy: Ensure that your network infrastructure is not blocking incoming POST requests from GitHub's IP addresses to your TFE instance's webhook URL.

  • TLS Certificate Trust: Confirm that GitHub can trust the TLS certificate presented by your TFE instance. You can run a health check from an external machine to verify reachability and certificate validity.

    $ curl https://<TFE_HOSTNAME>/_health_check

A successful response indicates that the certificate is likely trusted and the application is reachable.

Additional Information

  • Terraform Enterprise Policy Sets API
  • Managing Policy Sets
  • GitHub Webhooks Troubleshooting

Articles in this section

See more

Related articles