Problem
Policy Evaluations fail with "null" after switching from Standard to Enhanced policy set type for non-managed policy sets with Sentinel parameters.
The following error is present in the terraform-enterprise container logs from the task-worker surrounding the failed policy evaluation job.
operation failed: failed to read sentinel params type: no cty.Type for interface {}
Prerequisites
- Terraform Enterprise v202312-1 through v202401-2
- Enhanced Policy Sets
- Non-managed policy sets with Sentinel parameters defined directly on policy set in Terraform Enterprise
Cause
While this error output broadly indicates that an unrecoverable error occurred while executing the policy check, a known cause is a bug in versions 1.14.0 through 1.14.4 of the Terraform Cloud Agent (the agent used in the affected Terraform Enterprise releases). In those versions, Sentinel parameters managed by Terraform Enterprise (defined directly on a policy set) whose values are a list or a nested data type cannot be deserialized by the agent during policy evaluation. The following parameter values are examples that would trigger this issue.
["foo", "bar", "baz"]
[{"foo": {"bar": ["baz"]}}]
Solutions
As a permanent solution, upgrade to a Terraform Enterprise release >=v202401-2. If an upgrade is not immediately possible, use one of the following workarounds.
- Change the policy set type to Standard
- Move the Sentinel parameters defined on the policy set to the policy set's sentinel.hcl configuration file instead.
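As an added illustration of the second workaround (not part of the original article), the following sentinel.hcl declares the list and nested parameters shown in the Cause section in the policy set's configuration file rather than on the policy set object; the policy name and source path are placeholders.

```hcl
# sentinel.hcl at the root of the policy set.
# "example-policy" and its source path are placeholders, not values from the article.
policy "example-policy" {
  source            = "./example-policy.sentinel"
  enforcement_level = "advisory"
}

# Parameters declared here ship with the policy set content instead of being
# stored on the policy set in Terraform Enterprise, which is what the
# workaround relies on for the affected agent versions.
param "simple_list" {
  value = ["foo", "bar", "baz"]
}

param "nested_structure" {
  value = [{ "foo" = { "bar" = ["baz"] } }]
}
```

Remove the equivalent parameters from the policy set in Terraform Enterprise after committing the file, so the same name is not supplied from both places.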
Additional Information
If you continue to experience issues, please contact HashiCorp Support.