Problem
In some situations, Sentinel policy checks fail with an error message like the one below even though the Terraform configuration is correct and every real instance of the resource carries the required tag:
Check Failure: Tag Key: somekey,
Error: module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39 has tags.somekey with value $undefined that does not match the regex ...
Cause
The resource address in the error message is not a normal address: it ends in a deposed key, in the format resource_address:deposed_key, which identifies the old instance of a resource that is in the middle of being replaced:
module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39
Because that deposed instance is only scheduled for destruction, its planned "after" state carries no attributes. A policy that reads tags.somekey from every entry in resource_changes therefore sees an undefined value for the deposed entry and reports a failure, even though the replacement instance that will actually exist after the apply is tagged correctly.
What is a "deposed" resource in Terraform?
- "Deposed" is the state an old resource instance enters during a replacement that uses the create_before_destroy lifecycle setting.
- Terraform creates the replacement first and only then destroys the old instance, so the old instance is kept in state (as "deposed") to make sure it is not lost before the new one has been created successfully.
- A deposed instance is therefore an old version of a resource that is still tracked in the Terraform state file and in the plan, but is no longer the active instance; the only change planned for it is its destruction.
Solution
To resolve this issue, make your Sentinel policies skip deposed instances when iterating over the resource_changes collection of the tfplan/v2 import. Each entry in that collection exposes the deposed key (see the "deposed" attribute in the tfplan/v2 reference below); filter out entries where it is set before applying attribute checks such as tag validation. Deposed entries are always planned for deletion, so a policy that already excludes resources whose only action is "delete" skips them as a side effect, but an explicit check on the deposed key makes the intent clear.
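The following policy is an added example written for this article; it is not code from the original page or from HashiCorp's policy library. The tag key, the regular expression and the resource type are assumed values chosen for illustration. It first filters deposed instances (and plain deletes) out of resource_changes and only then validates the tag, so the replacement instance is checked while the deposed one is ignored:

```sentinel
import "tfplan/v2" as tfplan

# Assumed policy parameters (illustrative, not from the original article).
tag_key = "somekey"
tag_regex = "^[a-z][a-z0-9-]*$"
resource_type = "aws_eks_cluster"

# Returns true when the resource_changes entry is a deposed instance.
# The "deposed" attribute holds the deposed key; "else" guards against
# it being undefined on entries that have no such key.
is_deposed = func(rc) {
	return (rc.deposed else "") is not ""
}

# Deposed instances are old copies awaiting destruction after a
# create_before_destroy replacement. Their planned "after" state is empty,
# so any attribute check on them reads the value as undefined. We drop
# them, together with ordinary deletes, before validating anything.
live_changes = filter tfplan.resource_changes as _, rc {
	rc.mode is "managed" and
	rc.type is resource_type and
	not is_deposed(rc) and
	rc.change.actions is not ["delete"]
}

# Safely reads a tag value from the planned "after" state. Missing tag
# maps and missing keys both yield "" so the regex check below fails
# closed instead of erroring on undefined.
tag_value = func(rc, key) {
	tags = rc.change.after.tags else {}
	if tags is null {
		tags = {}
	}
	return tags[key] else ""
}

violations = filter live_changes as _, rc {
	tag_value(rc, tag_key) not matches tag_regex
}

for violations as address, rc {
	print("Check Failure: Tag Key:", tag_key, "- resource", address,
		"has value", tag_value(rc, tag_key), "that does not match", tag_regex)
}

main = rule { length(violations) is 0 }
```

With this filter in place, module.eks_cluster.module.eks.aws_eks_cluster.this[0]:4fd6we39 is excluded by is_deposed and the policy evaluates only module.eks_cluster.module.eks.aws_eks_cluster.this[0], the instance that will exist after the apply. One caveat: a tag whose value is computed at apply time is listed under change.after_unknown rather than change.after, so a policy that must accept such tags needs an additional check there; this example treats an unknown tag as missing.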
Additional Information
- https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/import-reference/tfplan-v2#the-resource_changes-and-resource_drift-collections
- https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement/import-reference/tfplan-v2#deposed
- https://github.com/hashicorp/terraform/blob/main/docs/destroying.md#create-before-destroy
- https://github.com/hashicorp/terraform/blob/main/docs/planning-behaviors.md#default-planning-behavior