Skip to content
Latchkey

env0 deployment failed on a plan policy in CI

env0 evaluates approval and plan policies (OPA) against a deployment. If a policy denies the plan, the deployment is marked failed and does not apply. The policy result in the deployment log names the rule that denied it.

What this error means

An env0 deployment triggered from CI (via the env0 API or CLI) ends in a failed status with a policy denial in the plan step, rather than an apply error.

env0
Deployment failed: plan policy check did not pass

denied: resource "aws_db_instance" must have "deletion_protection" = true

Common causes

The plan violates an OPA policy

A policy attached to the project or template returns a deny for the proposed change, so env0 fails the deployment before apply.

A required attribute the plan omits

The policy checks a resource attribute (encryption, deletion protection, tags) that the plan does not set, producing a denial.

How to fix it

Read the denial and correct the config

  1. Open the deployment and read the plan policy output.
  2. Set the attribute the policy requires in your Terraform.
  3. Re-deploy so the plan passes.

Fix the policy only if it is wrong

If the OPA policy itself is incorrect, update it in env0 and test before re-enforcing. Do not detach a control just to unblock.

How to prevent it

  • Keep OPA policies in version control and review changes.
  • Run a plan and check policy results before merging governed config.
  • Set required security attributes in modules so plans pass by default.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →