Overview
Terraform Enterprise 202403-1 includes a bug fix which corrects the Sentinel worker's deserialization of null values in the tfrun import. Previously, null values in the provided configuration were converted to undefined, allowing Sentinel code which mishandles null values to erroneously execute in the Terraform Enterprise run environment. A policy such as the following, which governs resource targeting, would previously be evaluated without error in Terraform Enterprise when no target addresses were specified (making target_addrs null).
block-resource-targeting.sentinel
import "tfrun"
len_targeted_resources = length(tfrun.target_addrs) else 0
mock-tfrun.sentinel
target_addrs = null
In v202403-1, this will fail with the following error, as the length function does not accept null as an argument.
length can only be called with strings, lists, or maps, got "null"
Affected policies will suddenly begin causing failed policy checks with syntax errors related to null values. To confirm that this change is the cause, test the policy locally using mock data from an example run with a failed policy check and verify that it fails with the same error.
Prerequisites
- Terraform Enterprise releases > v202402-1
- Sentinel policies using the tfrun import
Solution
Policies which previously relied on this behavior will need to be refactored to account for this correction. For example, the policy above can be modified to check whether target_addrs is null or an empty list.
import "tfrun"
main = tfrun.target_addrs is null or tfrun.target_addrs is empty
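For policies that still need the count of targeted resources rather than only a pass/fail result, the following added example (not part of the original article) keeps len_targeted_resources from the earlier policy and makes it null-safe. The names targeted_count and no_targeting are hypothetical, chosen for this illustration.

```sentinel
import "tfrun"

# tfrun.target_addrs is null when the run has no target addresses.
# The "else" operator only supplies a default for undefined values, so
# "length(tfrun.target_addrs) else 0" no longer hides a null: it has to be
# checked explicitly before length() is called.
# targeted_count is a hypothetical helper name used for this example.
targeted_count = func(addrs) {
	if addrs is null {
		return 0
	}
	return length(addrs)
}

len_targeted_resources = targeted_count(tfrun.target_addrs)

# Pass only when the run does not use resource targeting.
# This covers both a null value and an empty list.
no_targeting = rule { len_targeted_resources is 0 }

main = rule { no_targeting }
```

Evaluated against the mock-tfrun.sentinel data shown above (target_addrs = null), this policy passes instead of failing with the length error.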
Additional Information