Problem
You may encounter an issue where a failed Sentinel policy check cannot be overridden, even when its enforcement level is set to soft-mandatory. In the HCP Terraform or Terraform Enterprise UI, the policy check shows a "hard failed" message and the policy set status is Errored.
Cause
After a policy check, each Sentinel policy returns one of three statuses: Passed, Failed, or Errored.
- Passed: The policy conditions were met.
- Failed: The policy conditions were not met. This status respects the soft-mandatory enforcement level, allowing an override.
- Errored: The policy itself could not be evaluated due to a syntax error, an unimported library, or another configuration problem. An Errored status does not have an enforcement level and cannot be overridden.
The "override & continue" option is only available for policies that have a status of Failed and an enforcement level of soft-mandatory.
Solution
To resolve this issue, you must identify and fix any errors in the Sentinel policy configuration.
- Navigate to the run that has the errored policy check.
- Examine the Description window for the policy check to find the specific error message.
- Common causes for an Errored status include syntax errors in the policy code or references to unimported libraries or functions.
- Correct the identified errors in your Sentinel policy configuration file and push the changes to your version control system.
After you update the policy, HCP Terraform or Terraform Enterprise will use the corrected version in subsequent runs, which should resolve the Errored state.
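To illustrate the difference between Failed and Errored, here is an added example policy (not HashiCorp's own code; the resource type, attribute and rule names are assumptions chosen for illustration). As written it evaluates cleanly, so a violation produces Failed and the soft-mandatory override applies; removing the import line leaves the tfplan references unresolved and produces Errored instead.

```sentinel
# Added example, not part of the original article. The resource type,
# attribute and rule names are assumptions for illustration.

# Without this import, every "tfplan" reference below is unresolved and the
# policy check ends as Errored, which has no enforcement level to override.
import "tfplan/v2" as tfplan

# Managed S3 buckets that this run creates or updates.
buckets = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
		rc.type is "aws_s3_bucket" and
		(rc.change.actions contains "create" or
			rc.change.actions contains "update")
}

# "else" supplies a default when the attribute is absent from the plan data.
not_public = rule {
	all buckets as _, b {
		(b.change.after.acl else "") is not "public-read"
	}
}

# A false result here is an ordinary Failed status: with the soft-mandatory
# enforcement level, the "override & continue" option is available.
main = rule {
	not_public
}
```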