Overview
Some organizations enforce tagging requirements through Sentinel policies in HCP Terraform. A common policy requires all AWS resources to include specific tags such as CostCenter and Environment. If these tags are missing, the Terraform run will fail during the policy check stage. This document explains how to identify and resolve Sentinel policy failures related to missing AWS tags.
Symptoms
When running a Terraform plan or apply in HCP Terraform, you may encounter an error similar to:
Sentinel policy "require_tags.sentinel" failed
Resource: aws_s3_bucket.example
Missing required tags: CostCenter, Environment
The policy check runs after the plan and before the apply. If the policy is enforced as Hard Mandatory the run stops and cannot be overridden; a Soft Mandatory policy can be overridden by a user with the required permissions, and an Advisory policy only logs a warning.
Common Causes
- Tags not defined in the resource block at all
- Incorrect tag keys: Sentinel policies usually compare exact key names, so costcenter or Cost_Center does not satisfy a CostCenter requirement (matching is case-sensitive)
- Tags defined in the root module (for example as a variable) but not passed down to child modules, so the resources created inside the module carry no tags
- Changes to resources that already exist without the required tags; the policy typically evaluates every resource in the plan, so any change to such a resource surfaces the failure
Resolution
Step 1: Review the Policy Failure Message
- Navigate to the failed run in HCP Terraform.
- Expand the Sentinel policy failure details to see which resources are missing tags.
Step 2: Add or Correct Tags in Configuration
- Add a tags argument to each flagged resource with every required key spelled exactly as the policy expects (keys are case-sensitive), keeping any tags the resource already has.
Step 3: Re-run the Plan
- Commit and push the changes to your version control system.
- Trigger a new run in HCP Terraform to validate compliance.
Step 4: For Existing Resources
- If the resources already exist without the required tags, add the tags in the Terraform configuration and apply the change (through a new HCP Terraform run, or terraform apply in the CLI-driven workflow). For most AWS resources a tag change is an in-place update, so confirm in the plan output that the resource is updated rather than replaced.
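The corrected configuration for the steps above, as an added example that is not part of the original article. It assumes a root module with a required_tags variable, an aws_s3_bucket.example resource matching the error message, and a hypothetical child module at ./modules/bucket; the bucket names and tag values are illustrative.

```hcl
# main.tf (root module)
# Added example, not from the original article. Names and values are illustrative.

# One source of truth for the keys the policy requires. Keys must match the
# policy's spelling exactly; Sentinel string comparison is case-sensitive.
variable "required_tags" {
  description = "Tags every AWS resource must carry"
  type        = map(string)
  default = {
    CostCenter  = "CC-1234"
    Environment = "prod"
  }
}

# Before: no tags, so require_tags.sentinel reports
# "Missing required tags: CostCenter, Environment" for aws_s3_bucket.example.
#
# resource "aws_s3_bucket" "example" {
#   bucket = "my-example-bucket"
# }

# After: the required keys are present on the resource itself. merge() keeps
# any resource-specific tags alongside the mandatory ones.
resource "aws_s3_bucket" "example" {
  bucket = "my-example-bucket"

  tags = merge(var.required_tags, {
    Name = "my-example-bucket"
  })
}

# Tags do not flow into a child module on their own; pass them explicitly.
module "app_bucket" {
  source = "./modules/bucket"
  name   = "app-bucket"
  tags   = var.required_tags
}

# modules/bucket/variables.tf (hypothetical child module)
variable "name" {
  type = string
}

variable "tags" {
  type = map(string)
}

# modules/bucket/main.tf
# The module applies whatever tags it receives; if the caller omits the tags
# argument, the resource is created untagged and the policy fails for it.
resource "aws_s3_bucket" "this" {
  bucket = var.name
  tags   = var.tags
}
```

The resource-level tags argument is what a policy that reads the tags attribute sees. If the provider block sets default_tags instead, the AWS provider exposes those in tags_all rather than tags, so a policy that inspects only tags can still fail; check which attribute the policy reads before relying on default_tags alone.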