While the run phases Plan and Apply are dispatched and executed on tfc-agent
containers, you might wonder how the policy enforcement phase (Policy Checks and Policy Evaluations) operates. The policy phase is conceptually similar to plan and apply but it differs in execution environment and resource usage. Gaining insight into this area can help optimise run performance, scaling of your setup, and troubleshoot issues like delays or failures.
In Terraform Enterprise (TFE), policy enforcement supports two execution modes: Legacy and Agent. These modes determine where and how policies are evaluated during the Terraform workflow (after the Plan phase but before Apply). The execution mode is configured per policy set, in the organisation settings of the TFE web UI under Settings > Policy Sets > [Your Policy Set] > Execution Mode.
Legacy Mode (Policy Checks)
Legacy mode is only available for Sentinel policy sets (not OPA). In this mode, when a policy run starts, the job is executed internally by the TFE container.
Pros:
- Quick startup with minimal overhead, as no new agent containers are created
- Supports cost estimation data use in policies
Cons:
- Shares CPU and memory allocations with the TFE container, potentially leading to slower overall application performance during high policy run volumes
- Lacks runtime pinning (e.g., fixed Sentinel versions) and isolation, making it less scalable for large environments
- Not available for OPA
Agent Mode (Policy Evaluations)
Agent mode is available for both Sentinel and OPA policy sets. Once a policy run begins, an Agent Job is created and dispatched to a tfc-agent container, offloading policy execution from the TFE container to tfc-agents for improved efficiency.
📝 Note: OPA policy sets have no Execution Mode option in the UI. They are fixed to Agent mode.
Pros:
- Offloads resource consumption from the TFE container
- Lets you run agents in separate namespaces, Kubernetes pods, or dedicated agent pools away from the TFE node
- Supports runtime pinning (e.g., a fixed Sentinel or OPA version per policy set)
- Better isolation for security and scalability: policy code runs outside the TFE container, so a runaway or misbehaving policy cannot starve the platform's own processes
Cons:
- Slightly slower startup due to agent dispatch and potential container spin-up
- Does not support cost estimation in policies
In summary, Legacy mode is suitable for smaller setups or when cost estimation data is needed, but it only supports Sentinel versions up to 0.40.x and does not support newer Sentinel versions. We recommend migrating to Agent mode for all policy sets, especially for large-scale deployments, OPA policies, or to distribute load. Configure agent pools strategically to minimise delays.
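To check which policy sets are still on Legacy mode before migrating them, the following script is an added example (not code from this article or from HashiCorp). It walks a JSON:API policy-set listing, flags Sentinel sets with agent mode disabled, and builds the PATCH body that switches a set to Agent mode with a pinned runtime. It assumes the response shape of GET /api/v2/organizations/:org/policy-sets and the attribute names `kind`, `agent-enabled` and `policy-tool-version`; verify those against the API documentation for your TFE release before running it against a live instance. The sample response embedded below is constructed.

```python
"""Audit TFE policy sets for their execution mode and prepare the migration
PATCH to Agent mode. Constructed example, not part of the original article.

Assumed API shape (check your TFE version's docs):
  GET   /api/v2/organizations/:org/policy-sets  -> {"data": [policy-set, ...]}
  PATCH /api/v2/policy-sets/:id                  <- {"data": {"attributes": {...}}}
with attributes "kind" ("sentinel" | "opa"), "agent-enabled" (bool) and
"policy-tool-version" (string, the pinned runtime version).
"""
import json
import os
import urllib.request

# Constructed sample: one Legacy Sentinel set, one Agent Sentinel set, one OPA set.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "polset-aaa", "type": "policy-sets",
         "attributes": {"name": "cost-guardrails", "kind": "sentinel",
                        "agent-enabled": False, "policy-tool-version": None}},
        {"id": "polset-bbb", "type": "policy-sets",
         "attributes": {"name": "tagging", "kind": "sentinel",
                        "agent-enabled": True, "policy-tool-version": "0.26.0"}},
        {"id": "polset-ccc", "type": "policy-sets",
         "attributes": {"name": "opa-baseline", "kind": "opa",
                        "agent-enabled": True, "policy-tool-version": "0.60.0"}},
    ]
}


def execution_mode(policy_set: dict) -> str:
    """Return "legacy" or "agent" for one policy-set object."""
    attrs = policy_set["attributes"]
    if attrs.get("kind") == "opa":
        return "agent"  # OPA sets have no Execution Mode option; always Agent
    return "agent" if attrs.get("agent-enabled") else "legacy"


def find_legacy_sets(response: dict) -> list:
    """Policy sets that still execute inside the TFE container."""
    return [ps for ps in response["data"] if execution_mode(ps) == "legacy"]


def agent_mode_patch(policy_set: dict, sentinel_version: str) -> dict:
    """Build the JSON:API PATCH body that moves a Sentinel set to Agent mode
    and pins the Sentinel runtime (runtime pinning is only available in Agent mode)."""
    if policy_set["attributes"].get("kind") == "opa":
        raise ValueError("OPA policy sets are already fixed to Agent mode")
    return {"data": {"id": policy_set["id"], "type": "policy-sets",
                     "attributes": {"agent-enabled": True,
                                    "policy-tool-version": sentinel_version}}}


def fetch_policy_sets(base_url: str, org: str, token: str) -> dict:
    """Live fetch; only used when TFE_ADDR/TFE_ORG/TFE_TOKEN are set.
    Pagination is not handled here (assumption: fewer than one page of sets)."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/organizations/{org}/policy-sets",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> None:
    if all(k in os.environ for k in ("TFE_ADDR", "TFE_ORG", "TFE_TOKEN")):
        response = fetch_policy_sets(os.environ["TFE_ADDR"], os.environ["TFE_ORG"],
                                     os.environ["TFE_TOKEN"])
    else:
        response = SAMPLE_RESPONSE  # offline demo on the constructed sample
    for ps in find_legacy_sets(response):
        print(f"{ps['id']} ({ps['attributes']['name']}) is in Legacy mode; proposed PATCH:")
        print(json.dumps(agent_mode_patch(ps, "0.26.0"), indent=2))


if __name__ == "__main__":
    main()
```

The script only prints the proposed PATCH bodies; sending them is deliberately left to the operator, because a set whose policies use cost estimation data will break in Agent mode, and that cannot be detected from the policy-set metadata alone. Review the policies in each flagged set for cost estimation usage before applying the change.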