Problem
Sentinel policy checks may fail during a Terraform run with an error indicating an undefined tag value, even when the configuration appears correct.
The error message resembles the following output:
Check Failure: Tag Key: somekey ,Error: module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39 has tags.somekey with value $undefined that does not match the regex ...
Cause
This issue occurs when the Terraform plan contains a "deposed" resource instance. In the tfplan/v2 import, such an instance appears in the resource_changes collection under an address with a deposed-key suffix, such as :4fd6we39 in the example module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39. The suffix identifies the old instance of a resource that Terraform is replacing.
What is a "deposed" resource in Terraform? A "deposed" state is used for resources managed with the create_before_destroy lifecycle argument. It represents the old instance of a resource that Terraform will destroy only after its replacement has been created successfully. Terraform tracks this deposed instance in the state file so that the replacement is active before the old resource is removed.
A deposed instance is scheduled only for deletion, so its planned change has no "after" value and attributes such as tags resolve to undefined. A Sentinel policy that evaluates every entry in resource_changes without excluding deposed instances will therefore compare a required tag against an undefined value and fail, even though the replacement instance is correctly tagged.
Solution
To resolve this issue, update your Sentinel policies to explicitly skip resource instances that are deposed. You can identify them through the deposed attribute on each entry in the resource_changes collection of the tfplan/v2 import: it holds the deposed key (a string such as 4fd6we39) for a deposed instance and is empty otherwise. Address keys for these entries also carry the :deposed-key suffix shown in the error message.
Your policy logic should filter resource_changes so that any entry whose deposed attribute is a non-empty string is excluded before attributes such as tags are evaluated.
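The following Sentinel policy is an added example that is not part of the original article and is not HashiCorp's code. It assumes the tfplan/v2 import, a hypothetical required_tags list and tag_regex, and (per the tfplan/v2 schema) that rc.deposed is an empty string for instances that are not deposed; the "else" guards cover the case where the attribute is absent. It also skips entries whose change.after is null, which covers plain destroys as well as deposed instances, so the check only runs against instances that will exist after the apply.

```sentinel
import "tfplan/v2" as tfplan
import "types"

# Assumed policy parameters (not from the original article).
required_tags = ["somekey"]
tag_regex = "^[a-zA-Z0-9_-]+$"

# Keep only instances that will exist after the apply: managed resources
# that are not deposed and that have a planned "after" value. A deposed
# instance carries a non-empty deposed key in rc.deposed, is keyed in
# resource_changes as "<address>:<deposed key>", and has change.after of
# null, which is what makes tag lookups on it come back undefined.
live_resources = filter tfplan.resource_changes as address, rc {
	rc.mode is "managed" and
	(rc.deposed else "") is "" and
	rc.change.after is not null
}

violations = []
for live_resources as address, rc {
	# Missing tags map (for example on resources without tag support) is
	# treated as an empty map so that the required-tag loop reports it.
	tags = rc.change.after.tags else {}
	for required_tags as key {
		value = tags[key]
		if value is undefined {
			append(violations, address + " is missing required tag " + key)
		} else if types.type_of(value) is not "string" or value not matches tag_regex {
			append(violations, address + " has tags." + key + " with value " +
				string(value) + " that does not match the regex " + tag_regex)
		}
	}
}

if length(violations) > 0 {
	print("Check Failure:", violations)
}

main = rule {
	length(violations) is 0
}
```

With this filter in place, an address such as module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39 is never evaluated, while its replacement, module.eks_cluster.module.eks.aws_eks_cluster.this[0], still is. If you prefer to keep the check strictly about deposed state, drop the change.after condition and the policy will still exclude the deposed instance but will then also evaluate resources planned for deletion.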
Additional Information
For more details on the concepts discussed in this article, refer to the following documentation: