Introduction
In Terraform Enterprise (TFE), the policy enforcement phase executes after a plan and before an apply. Understanding how this phase operates can help you optimize run performance, scale your environment, and troubleshoot issues.
TFE supports two execution modes for policy enforcement: Legacy and Agent. These modes determine where and how policies are evaluated during a run. You can configure the execution mode at the organization level in the TFE web UI under Settings > Policy Sets > [Your Policy Set] > Execution Mode.
Policy Execution Modes
Legacy Mode
Legacy mode is available only for Sentinel policy sets. In this mode, the policy check job is executed internally by the main TFE application containers.
Pros:
- Quick startup with minimal overhead, as no new agent containers are created.
- Supports the use of cost estimation data in policies.
Cons:
- Shares CPU and memory with the TFE application, which can lead to slower performance during high volumes of policy runs.
- Lacks runtime pinning (e.g., fixed Sentinel versions) and workload isolation, making it less scalable for large environments.
- Not available for OPA policy sets.
- Only supports Sentinel versions up to 0.40.x.
Agent Mode
Agent mode is available for both Sentinel and OPA policy sets. When a policy run begins, TFE creates an agent job and dispatches it to a tfc-agent container. This offloads policy execution from the main TFE application containers to dedicated agents.
Note: OPA policy sets do not have an Execution Mode option in the UI and are fixed to Agent mode.
Pros:
- Offloads resource consumption from the TFE application containers.
- Allows you to run agents in separate namespaces, Kubernetes pods, or dedicated agent pools.
- Supports runtime pinning for consistent execution environments.
- Provides better isolation for improved security and scalability.
Cons:
- Slightly slower startup due to agent dispatch and potential container creation time.
- Does not support the use of cost estimation data in policies.
Recommendation
We recommend migrating all policy sets to Agent mode. This mode is required for OPA policies and is better suited for large-scale deployments or environments where you need to distribute the load of policy evaluations. Configure agent pools strategically to minimize potential delays.
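As an added example that is not part of this article, the Legacy-to-Agent migration recommended above expressed with the tfe Terraform provider; the tfe_policy_set attribute names agent_enabled and policy_tool_version, the organization and repository names, and the variables are assumptions to verify against the provider version you use.

```hcl
# Added example (not from this article): the Legacy-to-Agent migration
# recommended above, expressed with the tfe Terraform provider. The attribute
# names agent_enabled and policy_tool_version, the org/repo names and the
# variables are assumptions; check them against your provider version.

variable "oauth_token_id" { type = string }   # VCS connection for the policy repo
variable "sentinel_version" { type = string } # Sentinel release to pin in Agent mode

# Before: a Sentinel policy set still in Legacy mode. It shares CPU/memory with
# the TFE application containers, cannot pin a runtime, and is capped at 0.40.x.
resource "tfe_policy_set" "sentinel_legacy" {
  name          = "sentinel-checks-legacy"
  organization  = "example-org"
  kind          = "sentinel"
  agent_enabled = false
  policies_path = "policies/sentinel"

  vcs_repo {
    identifier     = "example-org/policy-repo"
    branch         = "main"
    oauth_token_id = var.oauth_token_id
  }
}

# After: the same policy set in Agent mode with a pinned Sentinel version.
# Any policy that reads cost estimation data must be reworked before this
# switch, because Agent mode does not expose that data. For kind = "opa",
# agent_enabled = true is the only option, since OPA sets are agent-only.
resource "tfe_policy_set" "sentinel_agent" {
  name                = "sentinel-checks"
  organization        = "example-org"
  kind                = "sentinel"
  agent_enabled       = true
  policy_tool_version = var.sentinel_version
  policies_path       = "policies/sentinel"

  vcs_repo {
    identifier     = "example-org/policy-repo"
    branch         = "main"
    oauth_token_id = var.oauth_token_id
  }
}
```

Applying the second resource and removing the first moves the evaluation out of the TFE application containers, so size the agent pool that will receive these jobs before cutting over.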