Skip to main content

Introducing tfpolicy: A declarative policy workflow built for Terraform

Terraform policy brings HCL-based policy as code into Terraform, helping teams define and enforce governance policies with more lifecycle context.

As infrastructure estates continue to expand across hybrid cloud environments, platform teams are no longer managing individual resources in isolation. They're managing systems that span public cloud providers, SaaS platforms, on-premises infrastructure, and internal platforms, often with many teams contributing changes through Terraform. As a result, Terraform users can find themselves navigating multiple tools, policy languages, and disconnected workflows to manage infrastructure and enforce governance consistently at scale. 

To address these challenges, we're excited to announce that Terraform policy (tfpolicy) is now available in public beta in HCP Terraform. Terraform policy is a declarative, HCL-based policy as code framework that enables platform teams to define and enforce policies using a familiar language while introducing new governance capabilities designed for modern infrastructure systems. 

»Why infrastructure governance is evolving 

Policy as code has become a foundational component of modern infrastructure operations. Solutions such as Sentinel and Open Policy Agent (OPA) helped organizations codify governance requirements, automate compliance checks, and improve security outcomes across increasingly complex environments. These frameworks are implemented as a dedicated policy layer that evaluates infrastructure against policy rules, enabling organizations to define and enforce standards consistently across infrastructure. 

At the same time, infrastructure itself has evolved. As interconnected hybrid environments grow in scale and complexity, governance requirements increasingly depend on understanding relationships between resources, incorporating external context into policy decisions, and validating infrastructure throughout its full lifecycle. 

These evolving requirements are exposing potential limitations in traditional policy workflows. Organizations are looking for governance solutions that are easier to author, more deeply integrated into infrastructure workflows, and capable of evaluating infrastructure with greater context. 

»Introducing tfpolicy 

Terraform has become the control plane many organizations use to provision, manage, and govern their infrastructure. As governance requirements have evolved, organizations are increasingly looking for policy solutions that integrate more naturally into Terraform workflows. 

Terraform policy (tfpolicy) is a declarative, HCL-based policy as code framework deeply integrated with Terraform. It enables platform teams to define and enforce governance policies using the same language they already use to manage infrastructure, reducing context-switching across separate policy languages, tools, and governance workflows. 

Built directly on Terraform and the Terraform Provider ecosystem, Terraform policy can evaluate policies across infrastructure managed through providers, providing a consistent governance experience across infrastructure environments. This deep integration brings governance closer to the infrastructure lifecycle, with policy evaluation before and after deployment. Teams can enforce requirements based on actual infrastructure state — not just planned changes — all within the familiar workflows and practices Terraform practitioners already use every day. 

»New governance capabilities 

In addition to simplifying policy authoring and providing a more integrated experience, Terraform policy introduces new governance capabilities designed for modern infrastructure systems. 

»Evaluate policies using resource relationships 

Governance decisions often depend on understanding how resources interact with one another rather than evaluating individual resources in isolation. Terraform policy can evaluate relationships between resources during policy execution, enabling organizations to enforce governance requirements that span multiple resources and services. 

Example use case: Require every IAM role to have at least one policy attached. 

»Evaluate policies using data source lookups 

Infrastructure definitions do not always contain all the information required to make governance decisions. Terraform policy can leverage provider data sources during policy evaluation, allowing teams to incorporate organizational standards, approved inventories, and other external context directly into policy enforcement workflows. 

Example use case: Enforce that EC2 instances use only approved AMIs retrieved from an approved data source. 

»Block provider and module downloads 

Infrastructure governance increasingly includes the software components used to build infrastructure. Terraform policy introduces controls that can govern provider and module downloads before they are used within Terraform workflows. This helps organizations reduce supply chain risk, establish approved dependency controls, and prevent accidental use of unapproved providers or modules. 

 Example use case: Require all Terraform modules to come from an organization's approved private registry. 

»Evaluate policies after deployment 

Not every governance decision can be made during planning. Terraform policy can evaluate policies after infrastructure has been deployed, enabling organizations to validate provider-computed values and identify policy violations that may only become visible after resources are provisioned. 

Example use case: Verify that provider-generated ARNs and resource identifiers meet organizational requirements after infrastructure has been provisioned

»Getting started 

With this public beta release, Terraform policy introduces a new approach to policy as code for Terraform — combining a familiar HCL-based authoring experience with governance capabilities integrated into Terraform workflows. 

As infrastructure ecosystems continue to evolve, governance requirements will increasingly depend on context, relationships, and lifecycle awareness. Terraform policy represents a step toward a more integrated governance experience, one that brings policy closer to the infrastructure workflows, tools, and practices organizations already rely on to manage their environments. 

Terraform policy is currently available in public beta in HCP Terraform. To learn more, please refer to the Terraform policy documentation

Looking for help writing and testing Terraform policy files — or converting existing Sentinel policies? Check out the tfpolicy agent skill.

If you're new to Terraform, you can get started with HashiCorp-managed HCP Terraform for free to begin provisioning and managing your infrastructure in any environment. And don’t forget to link your HCP Terraform and HashiCorp Cloud Platform (HCP) accounts for a seamless sign-in experience. 

More posts like this