Introduction
Problem
After switching a Sentinel policy set from Legacy to Agent execution mode, the output is no longer shown on the CLI.
Example CLI output not showing the Sentinel output:
Waiting for the plan to start...
Terraform v1.9.6
on linux_amd64
Initializing plugins and modules...
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.name will be created
+ resource "null_resource" "name" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Prerequisites
- Terraform Enterprise
- A CLI workspace with a Sentinel Policy Set attached
- The Execution Mode of the Policy Set is set to Agent.
Cause
- A remote backend is used in the Terraform code like so:
terraform {
  backend "remote" {
    hostname     = "<your_tfe_host>"
    organization = "<your_organization>"
    workspaces {
      name = "<your_workspace>"
    }
  }
}
The remote backend only supports the Legacy Execution Mode on a Policy Set.
Solution
- Change the backend to cloud like so:
terraform {
  cloud {
    hostname     = "<your_tfe_host>"
    organization = "<your_organization>"
    workspaces {
      name = "<your_workspace>"
    }
  }
}
Please note that this cloud backend is available from Terraform CLI version 1.1.0 and Terraform Enterprise v202201-1.
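A check that can be run over a repository before switching policy sets to Agent mode, as an added example that is not part of the original article: it finds backend "remote" blocks and rewrites the header to cloud when the arguments carry over unchanged. The sample configuration and the function names are constructed for illustration; the prefix handling assumes that the cloud block's workspaces accepts name but not prefix, so those blocks are flagged for manual migration instead of rewritten.

```python
import re

# Constructed sample input (not from the article): a root module on the remote backend.
SAMPLE_TF = '''terraform {
  backend "remote" {
    hostname     = "tfe.example.internal"
    organization = "example-org"
    workspaces {
      name = "example-workspace"
    }
  }
}
'''

HEADER = re.compile(r'^(\s*)backend\s+"remote"\s*\{\s*$')

def find_remote_backends(tf_text):
    """Return one finding per backend "remote" block: line span and prefix usage."""
    lines = tf_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not HEADER.match(line):
            continue
        depth, body = 0, []
        for j in range(i, len(lines)):
            # Brace counting; assumes no braces inside strings or comments.
            depth += lines[j].count("{") - lines[j].count("}")
            body.append(lines[j])
            if depth == 0:
                break
        findings.append({
            "line": i + 1,
            "end_line": j + 1,
            # Assumption: workspaces { prefix = ... } does not carry over to cloud.
            "uses_prefix": re.search(r'^\s*prefix\s*=', "\n".join(body), re.M) is not None,
        })
    return findings

def migrate_to_cloud(tf_text):
    """Rewrite 'backend "remote" {' to 'cloud {' where arguments carry over unchanged."""
    lines = tf_text.splitlines()
    for finding in find_remote_backends(tf_text):
        if not finding["uses_prefix"]:
            idx = finding["line"] - 1
            lines[idx] = HEADER.sub(r'\g<1>cloud {', lines[idx])
    return "\n".join(lines) + "\n"
```

After rewriting, terraform init has to be run again so the CLI picks up the changed configuration.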
Outcome
Sentinel output will be shown on the CLI.
Example CLI output showing the Sentinel output:
Terraform v1.9.6
on linux_amd64
Initializing plugins and modules...
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.name will be created
+ resource "null_resource" "name" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Post-plan Tasks:
------------------------------------------------------------------------
Policy Evaluations
--------------------------------
Sentinel Policy Evaluation
→→ Overall Result: FAILED
This result means that one or more Sentinel policies failed. More than likely, this was due to the discovery of violations by the main rule and other sub rules
1 policies evaluated
→ Policy set 1: st (1)
↳ Policy name: always_true.sentinel
| × Failed
| No description available
╷
│ Error: Task Stage failed.
│