Terraform
Configure an OPA policy set with a VCS repository
To enable policy enforcement, you must group OPA policies into policy sets and apply those policy sets globally or to specific projects and workspaces.
Hands-on: Try the Detect Infrastructure Drift and Enforce OPA Policies tutorial.
One way to create policy sets is by connecting HCP Terraform to a version control repository. When you push changes to the repository, HCP Terraform automatically uses the updated policy set. Refer to Managing Policy Sets for more details.
An OPA policy set repository contains a HashiCorp Configuration Language (HCL) configuration file and policy files.
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Configuration File
The root directory of your policy set repository must contain a configuration file named either policies.hcl or policies.json. Policy enforcement supports both HCL and the JSON variant of HCL syntax.
The configuration file contains one or more policy blocks that define each policy in the policy set. Unlike Sentinel, OPA policies do not need to be in separate files. You use an OPA query to identify each policy rule.
The following example uses a query to define a policy named policy1. The rule that the query names may be defined in a single Rego file or across several files.
policy "policy1" {
  query = "data.terraform.policy1.deny"
}
Optionally, you can also provide a description and an enforcement_level property. If you do not specify an enforcement level, HCP Terraform uses advisory, meaning policy failures produce warnings but do not block Terraform runs. Refer to Policy Enforcement Levels for more details.
policy "policy1" {
  query             = "data.terraform.policy1.deny"
  enforcement_level = "mandatory"
  description       = "policy1 description"
}
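The following is an added example, not part of the HashiCorp documentation or HCP Terraform's own tooling. It shows the same policy blocks written in the JSON variant of HCL syntax and a small pre-push check that a policies.json file is well formed: every block carries a query in the data.* form, enforcement_level is either advisory or mandatory (with advisory applied as the default when it is omitted), and no unknown attributes slipped in. The sample configuration is constructed here, and the "broken" block is included deliberately to show the checks firing.

```python
"""Sanity-check an OPA policy set configuration written in HCL's JSON variant.

Added example, not HashiCorp tooling: a pre-push check for policies.json so a
malformed policy block is caught before HCP Terraform picks up the commit.
"""
import json
import re

# Enforcement levels accepted in a policy block; "advisory" is what HCP Terraform
# applies when a block omits enforcement_level (warnings only, runs not blocked).
ENFORCEMENT_LEVELS = {"advisory", "mandatory"}
DEFAULT_ENFORCEMENT = "advisory"

# Attributes a policy block may carry according to the documentation above.
ALLOWED_ATTRIBUTES = {"query", "enforcement_level", "description"}

# An OPA query addresses a rule inside the data document, e.g.
# data.terraform.policy1.deny; anything else cannot be resolved by OPA.
QUERY_RE = re.compile(r"^data(\.[A-Za-z_][A-Za-z0-9_]*)+$")

# Constructed sample: the JSON-syntax equivalent of the HCL policy blocks shown
# on this page, plus a deliberately broken block (no query, bad enforcement level).
SAMPLE_POLICIES_JSON = """
{
  "policy": {
    "policy1": {
      "query": "data.terraform.policy1.deny"
    },
    "policy2": {
      "query": "data.terraform.policy2.deny",
      "enforcement_level": "mandatory",
      "description": "policy2 description"
    },
    "broken": {
      "enforcement_level": "blocking"
    }
  }
}
"""


def load_policy_set(text):
    """Parse policies.json text and return (policies, errors).

    policies maps each policy name to a dict with query, enforcement_level and
    description, with the advisory default already applied; errors is a list of
    human-readable problems (empty when the file is well formed).
    """
    doc = json.loads(text)
    blocks = doc.get("policy")
    policies = {}
    errors = []
    if not isinstance(blocks, dict) or not blocks:
        return policies, ["configuration must contain at least one policy block"]
    for name, body in blocks.items():
        if not isinstance(body, dict):
            errors.append(f"{name}: policy body must be an object")
            continue
        query = body.get("query")
        if not isinstance(query, str) or not QUERY_RE.match(query):
            errors.append(f"{name}: missing or malformed query")
        level = body.get("enforcement_level", DEFAULT_ENFORCEMENT)
        if level not in ENFORCEMENT_LEVELS:
            errors.append(f"{name}: unknown enforcement_level {level!r}")
        for key in sorted(set(body) - ALLOWED_ATTRIBUTES):
            errors.append(f"{name}: unexpected attribute {key!r}")
        policies[name] = {
            "query": query,
            "enforcement_level": level,
            "description": body.get("description", ""),
        }
    return policies, errors


def mandatory_policies(policies):
    """Names of the policies whose failure would block a Terraform run."""
    return sorted(n for n, p in policies.items() if p["enforcement_level"] == "mandatory")


if __name__ == "__main__":
    found, problems = load_policy_set(SAMPLE_POLICIES_JSON)
    for problem in problems:
        print("error:", problem)
    print("blocking policies:", mandatory_policies(found))
```

Run against the sample, the check reports the missing query and the unknown enforcement level on the "broken" block and lists policy2 as the only blocking policy; policy1 is reported as advisory because the default was applied. Point load_policy_set at the real policies.json in the repository root to use it as a pre-commit hook.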
Policy Code Files
All Rego policy files must end with .rego and exist in the local GitHub repository for the policy set. You can store them in separate directories from the configuration file.