Terraform Cloud adds on-demand policy evaluation
On-demand policy evaluation improves visibility and control by letting users evaluate the effects of policy changes in Terraform Cloud before they are enforced.
We are excited to announce the release of on-demand policy evaluation, now available in beta for use in HashiCorp Terraform Cloud. This feature lets customers evaluate the effects of policy changes in Terraform Cloud before they are enforced, giving users better visibility and control over their infrastructure policy changes.
» Policy evaluation challenges
Introducing policy as code changes can be challenging for compliance teams because thorough testing is required to ensure policies function correctly. Policies that have syntax or logic errors can halt workspace runs and create significant issues for organizations. To combat this, many organizations use the testing capabilities built into policy as code frameworks like HashiCorp Sentinel and Open Policy Agent (OPA) to unit test their organization policies and catch syntax issues early in the development lifecycle.
Many HashiCorp customers have inquired about the best practices for safely implementing policy changes in Terraform Cloud. Traditionally, we have recommended integrating policy changes into a policy set assigning the Advisory enforcement mode, and then using the Terraform Cloud audit system to track policy status and determine the impact of the policy against their infrastructure. However, a notable challenge with this approach is that to gain a complete understanding of how the policies are affecting the entire organization, every workspace needs to initiate a run.
With no way to trigger runs across all workspaces at once, customers could wait for a run to occur naturally before uncovering the policy impact or develop custom workflows that wrap the Terraform Cloud API to perform this task. These shortcomings highlighted the need for a more controlled and efficient approach to managing policy changes.
» Introducing on-demand policy evaluation
To overcome these challenges, HashiCorp has introduced on-demand policy evaluation for Terraform Cloud. This feature provides a way to manually evaluate policies against a particular workspace without requiring a full plan or apply run, including workspaces not currently in scope of the policy set. This allows policy maintainers to measure the impact of new policies and policy runtime versions, as well as the compliance of resources that don't frequently change, such as identity and access management (IAM) policies, network access control lists (ACLs), security groups, and subnet configurations. Additionally, because all policy evaluations feed into the audit system, users can now easily monitor compliance across the entirety of their Terraform Cloud organization.
The new functionality is available on the Policy Sets page in Terraform Cloud. The page is now broken up into Configure and Evaluate tabs. The Configure tab contains the existing policy set settings. The Evaluate tab contains a new form specifically for on-demand policy evaluation:
» Summary and resources
With this new feature, HashiCorp continues to set the standard for cloud infrastructure automation, providing users with the tools they need to enforce policies across their infrastructure at scale.
To learn more, check out the on-demand policy evaluation documentation. Start defining policies for your infrastructure today with the HashiCorp Sentinel or Open Policy Agent (OPA) policy as code frameworks.
You can get started with Terraform Cloud for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your Terraform Cloud and HashiCorp Cloud Platform (HCP) accounts together for a seamless sign-in experience.
Sign up for the latest HashiCorp news
More blog posts like this one
New Terraform integrations with Crowdstrike, Datadog, JFrog, Red Hat, and more
12 new Terraform integrations from 9 partners provide more options to automate and secure cloud infrastructure management.
Terraform delivers launch-day support for Amazon S3 Tables, EKS Hybrid Nodes, and more at re:Invent
The Terraform provider for AWS now enables users to manage a variety of new services just announced at re:Invent.
HashiCorp at re:Invent 2024: Infrastructure Lifecycle Management with AWS
A recap of HashiCorp infrastructure news and developments on AWS from the past year, from a new provider launch to simplifying infrastructure provisioning and more.