Problem
After upgrading to Terraform Enterprise v202403-1 or later, Sentinel policy checks may fail with the following error message, particularly when a run has no targeted resources.
length can only be called with strings, lists, or maps, got "null"
This occurs in policies that call the length() function on tfrun.target_addrs, a value of the tfrun import that is null when no target addresses are specified.
Prerequisites
- Terraform Enterprise version v202403-1 or later.
- Sentinel policies that use the tfrun import.
Cause
Terraform Enterprise version v202403-1 includes a correction for how the Sentinel worker deserializes null values in the tfrun import. Previously, the worker incorrectly converted null values from the configuration into undefined values. This behavior allowed policies that mishandle null values to pass validation incorrectly.
With the fix, null values are now correctly passed to the policy. As a result, functions like length(), which do not accept null arguments, now fail as expected, revealing the latent issue in the policy code.
For example, a policy that governs resource targeting might contain the following code.
block-resource-targeting.sentinel
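import "tfrun"

len_targeted_resources = length(tfrun.target_addrs) else 0

When tested with mock data where target_addrs is null, this policy now correctly raises an error. The else 0 fallback applies only when the expression is undefined, so it no longer masks the null value.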
mock-tfrun.sentinel
target_addrs = null
To confirm this is the cause of your policy failure, you can test the policy locally using mock data from a failed run.
Solutions
Solution 1: Refactor the Policy to Handle Null Values
You must refactor policies that previously relied on the incorrect behavior to explicitly handle null values. Modify the policy to check if tfrun.target_addrs is null or empty before attempting to evaluate its length.
The following example demonstrates the corrected policy logic.
import "tfrun"

main = tfrun.target_addrs is null or tfrun.target_addrs is empty
This change ensures the policy is robust and correctly handles cases where no resources are targeted.
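The following is an added example, not HashiCorp's code or part of the original article. It shows one way to keep the len_targeted_resources count from the failing policy while handling both undefined and null. The targets variable is a hypothetical name, and the rule assumes the policy's intent is to block any resource targeting, as the file name block-resource-targeting.sentinel suggests.

```sentinel
import "tfrun"

# Normalize tfrun.target_addrs to a list before any call to length().
# `else` only substitutes a default for undefined, so null needs its
# own explicit check. "targets" is a hypothetical variable name.
targets = tfrun.target_addrs else []
if targets is null {
	targets = []
}

# Safe: targets is always a list at this point.
len_targeted_resources = length(targets)

# Surface what was targeted so the policy output explains a failure.
if len_targeted_resources > 0 {
	print("Resource targeting is not allowed; targeted addresses:", targets)
}

# Pass only when the run targets no resources.
main = rule {
	len_targeted_resources is 0
}
```

Testing this against mock-tfrun.sentinel with target_addrs = null, and again with a non-empty list, exercises both the passing and the failing path.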