Problem
When you use Open Policy Agent (OPA) policies in HCP Terraform or Terraform Enterprise, external data from custom-named JSON or YAML files (e.g., roles.json, config.yaml) fails to load during policy evaluation. This behavior differs from local testing with the opa eval command, where these files typically load as expected.
Prerequisites
- An active HCP Terraform account or a Terraform Enterprise instance.
- Familiarity with creating and managing OPA policies within HCP Terraform or Terraform Enterprise.
- Policy sets stored in a version control system (VCS) repository connected to your organization.
Cause
The different behavior occurs because local OPA commands and the Terraform policy evaluation engine use different flags to load data.
- Local Testing: When running opa eval locally, you often use the -d or --data flag. This flag recursively loads all .json and .yaml files from a specified directory, regardless of their names.
- HCP Terraform & Terraform Enterprise: These products execute opa eval using the -b or --bundle flag. According to the OPA Bundle documentation, this mode only loads data from files with the specific names data.json or data.yaml. Any other JSON or YAML files in the policy set's directory are ignored during evaluation.
Solution
To ensure HCP Terraform or Terraform Enterprise loads your JSON or YAML data files, you must rename them to data.json or data.yaml and place them in the appropriate directory within your policy set's file structure.
OPA roots the loaded data under the global data variable, following the directory path from the root of the bundle. For example, given the following directory structure in your VCS repository:
policies/
├── vpc-policy/
│   ├── data.json
│   └── main.rego
└── manifest.json
The contents of policies/vpc-policy/data.json will be accessible in your Rego policies at the path data.policies.vpc-policy.
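The following main.rego is an added example written for this article, not code from HashiCorp's documentation or from any policy set; it shows a policy reading the bundle-rooted data at data.policies.vpc-policy. It assumes a constructed data.json containing an allowed_cidrs list, the HCP Terraform OPA input shape where the plan is at input.plan, and a policy set query of data.terraform.vpc.deny; it uses pre-v1 Rego syntax. Because vpc-policy contains a hyphen, it is not a valid Rego identifier, so the data must be reached with bracket notation.

```rego
# policies/vpc-policy/main.rego (added example, not from the original article)
package terraform.vpc

# HCP Terraform exposes the JSON plan under input.plan (assumed input shape)
import input.plan as tfplan

# policies/vpc-policy/data.json is rooted by the bundle loader at
# data.policies["vpc-policy"]; bracket notation is required because of the hyphen.
# Constructed data.json for this example:
#   {"allowed_cidrs": ["10.0.0.0/16", "10.1.0.0/16"]}
allowed_cidrs := data.policies["vpc-policy"].allowed_cidrs

# True when the CIDR appears in the list loaded from data.json
cidr_allowed(cidr) {
    allowed_cidrs[_] == cidr
}

# Deny any aws_vpc being created with a CIDR block outside the allowed list.
# If data.json failed to load (for example because it was still named
# roles.json), allowed_cidrs is undefined and every VPC creation is denied,
# which is a visible signal rather than a silent pass.
deny[msg] {
    rc := tfplan.resource_changes[_]
    rc.type == "aws_vpc"
    rc.change.actions[_] == "create"
    cidr := rc.change.after.cidr_block
    not cidr_allowed(cidr)
    msg := sprintf("VPC %q uses CIDR %q, which is not in data.json allowed_cidrs", [rc.address, cidr])
}
```

To reproduce the HCP Terraform loading behaviour on a workstation, test with opa eval -b policies/ rather than -d, so that files not named data.json or data.yaml are ignored locally as well.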
Outcome
After you rename your data files to data.json or data.yaml and commit the changes to your VCS, HCP Terraform or Terraform Enterprise will correctly load the data during policy checks. Policies that reference this data will then evaluate successfully. You can verify this by observing successful policy evaluations on applicable Terraform runs.