Terraform Cloud adds on-demand policy evaluation
On-demand policy evaluation improves visibility and control by letting users evaluate the effects of policy changes in Terraform Cloud before they are enforced.
We are excited to announce the release of on-demand policy evaluation, now available in beta for use in HashiCorp Terraform Cloud. This feature lets customers evaluate the effects of policy changes in Terraform Cloud before they are enforced, giving users better visibility and control over their infrastructure policy changes.
Policy evaluation challenges
Introducing policy as code changes can be challenging for compliance teams because thorough testing is required to ensure policies function correctly. Policies that have syntax or logic errors can halt workspace runs and create significant issues for organizations. To combat this, many organizations use the testing capabilities built into policy as code frameworks like HashiCorp Sentinel and Open Policy Agent (OPA) to unit test their organization policies and catch syntax issues early in the development lifecycle.
Many HashiCorp customers have asked about best practices for safely rolling out policy changes in Terraform Cloud. Traditionally, we have recommended adding the changed policies to a policy set with the Advisory enforcement mode, then using the Terraform Cloud audit system to track policy status and determine the impact of the policy on their infrastructure. A notable challenge with this approach is that, to gain a complete picture of how the policies affect the entire organization, every workspace needs to initiate a run.
With no way to trigger runs across all workspaces at once, customers either had to wait for a run to occur naturally before uncovering the policy's impact, or develop custom workflows wrapping the Terraform Cloud API to perform this task. These shortcomings highlighted the need for a more controlled and efficient approach to managing policy changes.
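As an added example of the unit-test-before-enforce approach described above (not part of the original post or any HashiCorp policy library), here is an OPA policy for Terraform Cloud that flags security groups open to 0.0.0.0/0 in a plan, with tests against constructed plan fragments. The package name, resource addresses and plan fragments are assumptions.

```rego
package terraform.policies.public_ingress

import rego.v1

# Terraform Cloud exposes the plan JSON to OPA policies as input.plan.
import input.plan as tfplan

# One message per aws_security_group whose planned (after) state accepts
# ingress from anywhere. An empty deny set means the policy passes.
deny contains msg if {
	some r in tfplan.resource_changes
	r.type == "aws_security_group"
	some ingress_rule in r.change.after.ingress
	"0.0.0.0/0" in ingress_rule.cidr_blocks
	msg := sprintf("%s allows ingress from 0.0.0.0/0", [r.address])
}

# ---- Unit tests on constructed plan fragments; run with `opa test public_ingress.rego` ----

open_sg_plan := {"plan": {"resource_changes": [{
	"address": "aws_security_group.web",
	"type": "aws_security_group",
	"change": {"after": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}
}]}}

restricted_sg_plan := {"plan": {"resource_changes": [{
	"address": "aws_security_group.db",
	"type": "aws_security_group",
	"change": {"after": {"ingress": [{"from_port": 5432, "to_port": 5432, "cidr_blocks": ["10.0.0.0/8"]}]}}
}]}}

# A destroy has no "after" state; the rule must stay undefined rather than error.
destroyed_sg_plan := {"plan": {"resource_changes": [{
	"address": "aws_security_group.old",
	"type": "aws_security_group",
	"change": {"after": null}
}]}}

test_open_ingress_is_denied if {
	deny == {"aws_security_group.web allows ingress from 0.0.0.0/0"} with input as open_sg_plan
}

test_restricted_ingress_passes if {
	count(deny) == 0 with input as restricted_sg_plan
}

test_destroyed_sg_is_ignored if {
	count(deny) == 0 with input as destroyed_sg_plan
}
```

In the policy set's `policies.hcl`, a `policy` block whose `query` is `data.terraform.policies.public_ingress.deny` with `enforcement_level = "advisory"` surfaces the deny messages in run and audit output without blocking applies. In a real repository the `test_*` rules belong in a sibling `public_ingress_test.rego` in the same package so they are not uploaded with the policy set.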
Introducing on-demand policy evaluation
To overcome these challenges, HashiCorp has introduced on-demand policy evaluation for Terraform Cloud. This feature provides a way to manually evaluate policies against a particular workspace without requiring a full plan or apply run, including workspaces not currently in scope of the policy set. This allows policy maintainers to measure the impact of new policies and policy runtime versions, as well as the compliance of resources that don't frequently change, such as identity and access management (IAM) policies, network access control lists (ACLs), security groups, and subnet configurations. Additionally, because all policy evaluations feed into the audit system, users can now easily monitor compliance across the entirety of their Terraform Cloud organization.
The new functionality is available on the Policy Sets page in Terraform Cloud. The page is now broken up into Configure and Evaluate tabs. The Configure tab contains the existing policy set settings. The Evaluate tab contains a new form specifically for on-demand policy evaluation.
Summary and resources
With this new feature, HashiCorp continues to set the standard for cloud infrastructure automation, providing users with the tools they need to enforce policies across their infrastructure at scale.
To learn more, check out the on-demand policy evaluation documentation. Start defining policies for your infrastructure today with the HashiCorp Sentinel or Open Policy Agent (OPA) policy as code frameworks.
You can get started with Terraform Cloud for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your Terraform Cloud and HashiCorp Cloud Platform (HCP) accounts together for a seamless sign-in experience.