Problem
Policy evaluations fail with a null error after switching from a Standard to an Enhanced policy set type for non-managed policy sets with Sentinel parameters.
The following error is present in the terraform-enterprise container logs from the task-worker during the failed policy evaluation job.
operation failed: failed to read sentinel params type: no cty.Type for interface {}
Prerequisites
- Terraform Enterprise versions v202312-1 through v202401-2.
- Enhanced Policy Sets.
- Non-managed policy sets with Sentinel parameters defined directly on the policy set in Terraform Enterprise.
Cause
This error can indicate a bug in versions 1.14.0 through 1.14.4 of the HCP Terraform Agent, which is used in the affected Terraform Enterprise releases. In these versions, the agent cannot deserialize Sentinel parameters that are managed by Terraform Enterprise and are a list or nested data type.
The following parameter examples would cause this issue.
["foo", "bar", "baz"]
[{"foo": {"bar": ["baz"]}}]
Solutions
Solution 1: Upgrade Terraform Enterprise (Permanent)
As a permanent solution, upgrade to a Terraform Enterprise release v202401-2 or newer.
Workaround 1: Change the Policy Set Type
If an upgrade is not immediately possible, you can change the policy set type to Standard.
Workaround 2: Relocate Sentinel Parameters
Alternatively, move the Sentinel parameters defined on the policy set to the policy set's sentinel.hcl configuration file.
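A sketch of Workaround 2, added here as an illustration and not taken from the original article: the two parameter values shown under Cause, declared as param blocks in sentinel.hcl. The parameter names, policy name, and source path are hypothetical.

```hcl
# sentinel.hcl (added example; every name below is hypothetical)

# List-typed parameter, previously defined on the policy set in Terraform Enterprise.
param "allowed_values" {
  value = ["foo", "bar", "baz"]
}

# Nested parameter, previously defined on the policy set in Terraform Enterprise.
param "nested_settings" {
  value = [
    {
      foo = {
        bar = ["baz"]
      }
    }
  ]
}

# Hypothetical policy that declares these parameters with
# `param allowed_values` and `param nested_settings`.
policy "example-policy" {
  source            = "./example-policy.sentinel"
  enforcement_level = "hard-mandatory"
}
```

Once the values are in sentinel.hcl, delete the matching parameters from the policy set in Terraform Enterprise so the agent no longer has to deserialize them.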