Problem
When using Open Policy Agent (OPA) policies in Terraform Enterprise (TFE), external data from custom-named JSON or YAML files (e.g., roles.json, config.yaml) fails to load during policy evaluation. This behavior differs from local testing with the opa eval command, where these files typically load as expected.
Prerequisites
- An active Terraform Enterprise instance or an HCP Terraform account.
- Familiarity with creating and managing OPA policies within TFE/HCP Terraform.
- Policy sets stored in a version control system (VCS) repository connected to your TFE/HCP Terraform organization.
Cause
The discrepancy in behavior is due to the different flags used by local OPA commands versus Terraform Enterprise's policy evaluation engine.
- Local Testing: When running opa eval locally, developers often use the -d or --data flag. This flag recursively loads all .json and .yaml files from a specified directory, regardless of their names.
- Terraform Enterprise: TFE executes opa eval using the -b or --bundle flag. According to the OPA Bundle documentation, this mode only loads data from files with the specific names data.json or data.yaml. Any other JSON or YAML files in the policy set's directory are ignored during evaluation.
Solution
To ensure your JSON or YAML data files are loaded by Terraform Enterprise, you must rename them to data.json or data.yaml and place them in the appropriate directory within your policy set's file structure.
OPA roots the loaded data under the global data variable, following the directory path from the root of the bundle. For example, given the following directory structure in your VCS repository:
policies/
├── vpc-policy/
│   ├── data.json
│   └── main.rego
└── manifest.json
The contents of policies/vpc-policy/data.json will be accessible in your Rego policies at the path data.policies.vpc-policy.
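The naming rule described above, as an added Python check that is not part of this article or of OPA/TFE: it builds the merged data document that bundle mode would produce for a constructed sample policy set (file names and contents are assumptions) and reports the JSON/YAML files bundle mode would skip.

```python
import json
import re
from pathlib import PurePosixPath

# File names that OPA's bundle loader (opa eval -b, what TFE runs) treats as data files.
BUNDLE_DATA_FILES = {"data.json", "data.yaml"}
# A dotted Rego path segment is only valid if it is an identifier.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def rego_ref(rel_dir):
    """Rego reference under which a directory's data.json is rooted.
    Segments that are not identifiers (e.g. 'vpc-policy') need bracket
    syntax: data.policies.vpc-policy would parse as a subtraction."""
    ref = "data"
    for seg in PurePosixPath(rel_dir).parts:
        ref += f".{seg}" if IDENT.match(seg) else f'["{seg}"]'
    return ref

def lint_policy_set(files):
    """files maps relative path -> file text. Returns the merged data document
    bundle mode would build, and the JSON/YAML files it would silently skip."""
    data, skipped = {}, []
    for path, text in files.items():
        p = PurePosixPath(path)
        if p.suffix not in (".json", ".yaml"):
            continue  # .rego and other files are not data
        if p.name not in BUNDLE_DATA_FILES:
            skipped.append(path)
            continue
        node = data
        for seg in p.parent.parts:  # root the contents under the directory path
            node = node.setdefault(seg, {})
        if p.suffix == ".json":  # data.yaml would need PyYAML; omitted here
            node.update(json.loads(text))
    return data, skipped

# Constructed sample policy set: the layout above plus one mis-named data file.
SAMPLE_FILES = {
    "policies/vpc-policy/data.json": '{"allowed_cidrs": ["10.0.0.0/8"]}',
    "policies/vpc-policy/roles.json": '{"admins": ["ops"]}',
    "policies/vpc-policy/main.rego": "package policies.vpc_policy\n",
}

if __name__ == "__main__":
    merged, skipped = lint_policy_set(SAMPLE_FILES)
    print(json.dumps(merged, indent=2))
    for f in skipped:
        print(f"WARNING: {f} is ignored by opa eval -b; rename it to data.json")
    print("reference in Rego:", rego_ref("policies/vpc-policy"))
```

Because vpc-policy contains a hyphen, the Rego reference has to be written as data.policies["vpc-policy"] rather than the dotted form.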
Outcome
After renaming your data files to data.json or data.yaml and committing the changes to your VCS, Terraform Enterprise will correctly load the data during policy checks. Policies that reference this data will now evaluate successfully, which can be verified by observing successful Policy Evaluations on applicable Terraform runs.