Overview
Terraform Enterprise 202403-1 includes a bug fix which corrects the Sentinel worker's deserialization of null values in the tfrun import. Previously, null values in the provided configuration were converted to undefined, allowing Sentinel code which mishandles null values to erroneously execute in the Terraform Enterprise run environment. A policy such as the following, which governs resource targeting, would previously be evaluated without error in Terraform Enterprise when no target addresses were specified (making target_addrs null).
block-resource-targeting.sentinel
import "tfrun"
len_targeted_resources = length(tfrun.target_addrs) else 0
mock-tfrun.sentinel
target_addrs = null
In v202403-1, this will fail with the following error, as the length function does not accept null as an argument.
length can only be called with strings, lists, or maps, got "null"
Affected policies will suddenly begin causing failed policy checks with syntax errors related to null values. To confirm this change as the cause, test the policy locally using mock data from an example run with a failed policy check and verify that it fails with the same error.
Prerequisites
- Terraform Enterprise releases > v202402-1
- Sentinel policies using the tfrun import
Solution
Policies which previously relied on this behavior will need to be refactored to account for this correction. For example, the policy above can be rewritten to check whether target_addrs is null or an empty list.
import "tfrun"
main = tfrun.target_addrs is null or tfrun.target_addrs is empty
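To check the refactored policy locally against the null case, a Sentinel CLI test case can load the mock-tfrun.sentinel file shown earlier. This is an added example, not part of the original article; the test directory layout and the file name null-targets.hcl are assumptions.

```hcl
# test/block-resource-targeting/null-targets.hcl  (assumed path and name)
#
# Constructed test case for the refactored block-resource-targeting.sentinel.
# Run `sentinel test` from the directory that contains the policy file.

# Replace the real tfrun import with the mock from this article.
# mock-tfrun.sentinel is assumed to sit next to this test file and
# contains the single line:  target_addrs = null
mock "tfrun" {
  module {
    source = "mock-tfrun.sentinel"
  }
}

# The refactored policy treats "no targets specified" (null or empty)
# as passing, so main is expected to evaluate to true for this mock.
test {
  rules = {
    main = true
  }
}
```

Running the same test case against the original policy should reproduce the length error quoted above, which confirms the null handling as the cause before the refactor is applied.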
Additional Information