Problem
Sometimes, when Sentinel policies are used in HCP Terraform workspaces, runs can enter the Policy Override status, as shown in screenshot-1 below. However, when we filter the workspace page on that same status, no workspaces are listed, as shown in screenshot-2.
screenshot-1
screenshot-2
Cause
This behaviour depends on the nature of the policy sets, which determines the external_status of the run when a policy check fails.
While provisioning the policy sets, users can choose the Execution Mode of each policy set:
- If the user selects Agent as the Execution Mode and the run fails due to a policy check, the run's external status becomes post_plan_awaiting_decision.
- If the user selects Legacy as the Execution Mode and the run fails due to a policy check, the run's external status becomes policy_override.
This is because in Agent mode the run goes through Policy Evaluations, whereas in Legacy mode it goes through Policy Checks; this distinction applies to Sentinel policies.
For OPA policies, only Agent mode is supported, so the run always goes through policy evaluation. As a result, if an OPA policy fails, you won’t see a policy_override status — instead, the status will be post_plan_awaiting_decision.
Runs for which an OPA policy fails can therefore currently be filtered in the run list using the "Tasks - post-plan (awaiting decision)" filter, as shown
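Because the UI "Policy Override" filter only catches Legacy-mode runs, a practitioner who wants every run that is blocked on a policy decision has to look at both statuses. The script below is an added example, not part of this article or of HashiCorp's tooling: it collects runs in either status from a workspace runs-list payload. The endpoint path and the filter[status] query parameter are assumed from the HCP Terraform runs API and should be checked against the API documentation; the sample payload is constructed, not real API output.

```python
import json
import os
import urllib.request
from urllib.parse import urlencode

# Run statuses from the article: Legacy-mode Sentinel failures land in
# policy_override, while Agent-mode Sentinel and all OPA failures land in
# post_plan_awaiting_decision. The UI "Policy Override" filter sees only the first.
AWAITING_DECISION_STATUSES = {"policy_override", "post_plan_awaiting_decision"}


def runs_awaiting_decision(payload):
    """Return (run_id, status) pairs for runs in a runs-list API payload that are
    blocked on a policy decision, whichever execution mode produced them."""
    hits = []
    for run in payload.get("data", []):
        status = run.get("attributes", {}).get("status")
        if status in AWAITING_DECISION_STATUSES:
            hits.append((run["id"], status))
    return hits


def fetch_workspace_runs(workspace_id, token, status, host="app.terraform.io"):
    """Fetch one page of runs for a workspace filtered on a single status.
    Endpoint and filter[status] are assumed from the HCP Terraform runs API."""
    query = urlencode({"filter[status]": status, "page[size]": 100})
    req = urllib.request.Request(
        f"https://{host}/api/v2/workspaces/{workspace_id}/runs?{query}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample payload (not real API output) covering all three cases.
SAMPLE_PAYLOAD = {
    "data": [
        {"id": "run-legacy01", "attributes": {"status": "policy_override"}},
        {"id": "run-agent01", "attributes": {"status": "post_plan_awaiting_decision"}},
        {"id": "run-applied01", "attributes": {"status": "applied"}},
    ]
}

if __name__ == "__main__":
    ws, token = os.environ.get("TFC_WORKSPACE_ID"), os.environ.get("TFC_TOKEN")
    if ws and token:  # live query: one request per status, both statuses merged
        for status in sorted(AWAITING_DECISION_STATUSES):
            for run_id, st in runs_awaiting_decision(fetch_workspace_runs(ws, token, status)):
                print(run_id, st)
    else:  # offline: show the classification on the constructed payload
        print(runs_awaiting_decision(SAMPLE_PAYLOAD))
```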
Outcome
For policy sets where the user selects Agent as the Execution Mode and the run fails due to a policy check, the run's external status becomes post_plan_awaiting_decision. Since OPA policies support only Agent mode, a run that fails an OPA policy check likewise gets the external status post_plan_awaiting_decision.
Additional Information