Problem
After switching a Sentinel policy set's execution mode from Legacy to Agent in Terraform Enterprise, the policy evaluation output is no longer displayed in the CLI during a run.
Example CLI output missing the Sentinel evaluation:
Waiting for the plan to start...
Terraform v1.9.6
on linux_amd64
Initializing plugins and modules...
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.name will be created
+ resource "null_resource" "name" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Prerequisites
- Terraform Enterprise v202201-1 or newer.
- Terraform CLI v1.1.0 or newer.
- A CLI-driven workspace with an attached Sentinel Policy Set configured with the Agent execution mode.
Cause
This issue occurs when the Terraform configuration uses the remote backend. The remote backend is only compatible with the Legacy execution mode for Sentinel policy sets.
Example of the problematic remote backend configuration:
terraform {
  backend "remote" {
    hostname     = "<your_tfe_host>"
    organization = "<your_organization>"
    workspaces {
      name = "<your_workspace>"
    }
  }
}
Solution
To resolve this issue, you must update the Terraform configuration to use the cloud block for HCP Terraform integration instead of the remote backend. The cloud block is designed to work with modern Terraform Enterprise features, including the Agent execution mode for policy sets.
Update your configuration as shown in the following example:
terraform {
  cloud {
    hostname     = "<your_tfe_host>"
    organization = "<your_organization>"
    workspaces {
      name = "<your_workspace>"
    }
  }
}
Outcome
After updating the configuration to use the cloud block, the Sentinel policy evaluation output will be correctly displayed in the CLI during a run.
Example CLI output showing the Sentinel evaluation:
Terraform v1.9.6
on linux_amd64
Initializing plugins and modules...
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.name will be created
+ resource "null_resource" "name" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Post-plan Tasks:
------------------------------------------------------------------------
Policy Evaluations
--------------------------------
Sentinel Policy Evaluation
→→ Overall Result: FAILED
This result means that one or more Sentinel policies failed. More than likely,
this was due to the discovery of violations by the main rule and other sub rules
1 policies evaluated
→ Policy set 1: st (1)
↳ Policy name: always_true.sentinel
| × Failed
| No description available
╷
│ Error: Task Stage failed.
│
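As an added migration helper (not from this article or from HashiCorp), the following Python rewrites a backend "remote" block into the cloud block prescribed in the Solution section, keeping the nested workspaces braces intact and refusing a workspaces prefix, which the cloud block does not accept (it takes name or tags). The sample configuration and its host, organization and workspace values are constructed placeholders.

```python
import re
# Constructed sample input: the remote backend configuration this article says
# breaks Agent-mode policy output (placeholder host/org/workspace values).
REMOTE_BACKEND_CONFIG = '''terraform {
  backend "remote" {
    hostname     = "tfe.example.com"
    organization = "example-org"
    workspaces {
      name = "example-workspace"
    }
  }
}
'''

def _block_span(text: str, start: int):
    """Return (open_idx, close_idx) of the brace block opening at or after start."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):  # count braces so nested blocks are kept
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return open_idx, i
    raise ValueError("unbalanced braces in configuration")

def find_remote_backend(config: str):
    """Locate a backend "remote" block; return (start, end, body) or None."""
    m = re.search(r'backend\s+"remote"', config)
    if m is None:
        return None
    open_idx, close_idx = _block_span(config, m.end())
    return m.start(), close_idx + 1, config[open_idx + 1:close_idx]

def convert_remote_backend_to_cloud(config: str) -> str:
    """Rewrite the remote backend as a cloud block (unchanged if none; KeyError if incomplete)."""
    found = find_remote_backend(config)
    if found is None:
        return config
    start, end, body = found
    attrs = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body))
    if "prefix" in attrs:  # cloud block workspaces take name or tags, not prefix
        raise ValueError("workspaces.prefix must be migrated to tags by hand")
    indent = config[config.rfind("\n", 0, start) + 1:start]  # keep original indent
    cloud = (f'cloud {{\n{indent}  hostname     = "{attrs["hostname"]}"\n'
             f'{indent}  organization = "{attrs["organization"]}"\n'
             f'{indent}  workspaces {{\n{indent}    name = "{attrs["name"]}"\n'
             f'{indent}  }}\n{indent}}}')
    return config[:start] + cloud + config[end:]
```

Run it over each .tf file that declares the backend before switching the policy set to Agent mode; a file it leaves unchanged has no remote backend to migrate.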