Introduction
This article explains how to configure Terraform Cloud Sentinel policies to skip checks during a workspace destroy operation. While Sentinel policies are crucial for enforcing best practices during resource creation and management, they are not always suitable for every aspect of infrastructure destruction. It explains the use of the `tfrun.is_destroy` field to change policy behavior depending on whether the run is a destroy operation.
Expected Outcome
By following this approach, users can ensure Terraform Cloud Sentinel policies don't interfere with the intended destruction of resources within a workspace.
Prerequisites
- Understanding of Terraform Cloud and Sentinel policies.
- Basic knowledge of Sentinel imports and their usage.
Use Case
In some situations, it may be necessary to destroy a workspace without triggering Sentinel policy checks that are more relevant to resource creation. This article provides a solution for such situations.
Explanation
Terraform Cloud provides a `tfrun` import that can be used in Sentinel policies to gather details about the run. This import exposes the `is_destroy` attribute, which can be referenced within Sentinel policies. The attribute indicates whether the current run is a destroy operation (`true`) or not (`false`).
While this doesn't completely bypass the policy check, it can be used to alter policy behavior based on whether the run is a destroy run. More details can be found in the Terraform Cloud documentation for the `tfrun` import.
For those with many policies who want to avoid modifying each of them, consider creating a shared function or module that implements the destroy check. That function or module can then be imported by every policy, so the destroy check is implemented in one place and reused everywhere.
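The following policy is an added example, not code from the article or from HashiCorp; the resource type (`aws_instance`), the `owner` tag, and the rule and function names are assumptions. It shows a creation-oriented tag check that would otherwise fail on a destroy run (the planned `after` state is `null` for deleted resources) being skipped via `tfrun.is_destroy`, with the destroy check kept in one helper function as suggested above.

```sentinel
# Added example (not from the article): require an "owner" tag on every
# managed aws_instance in the plan, but skip that check on destroy runs.
import "tfrun"
import "tfplan/v2" as tfplan

# Keep the destroy check in one helper so the same function can be moved
# into a shared module and reused by every policy.
is_destroy_run = func() {
    return tfrun.is_destroy
}

# Every managed aws_instance touched by this plan.
instances = filter tfplan.resource_changes as _, rc {
    rc.mode is "managed" and rc.type is "aws_instance"
}

# Instances whose planned "after" state has no "owner" tag. On a destroy run
# change.after is null, so without the guard below every instance would be
# reported as untagged and the policy would block the destroy.
missing_owner = filter instances as _, rc {
    rc.change.after is null or
    not ("owner" in keys(rc.change.after.tags else {}))
}

# Only evaluate the tag rule on non-destroy runs; a rule whose `when`
# predicate is false is skipped and treated as passing.
owner_tag_required = rule when not is_destroy_run() {
    length(missing_owner) is 0
}

main = rule {
    owner_tag_required
}
```

Apply the `when not is_destroy_run()` guard only to rules that are about creation or configuration; rules that exist to protect stateful resources from deletion should keep evaluating on destroy runs.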
Additional Information
- tfrun import - https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/sentinel/import/tfrun
- tfrun.is_destroy - https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/sentinel/import/tfrun#value-is_destroy
The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.