env0 deployment failed on a plan policy in CI
env0 evaluates approval and plan policies (OPA) against a deployment. If a policy denies the plan, the deployment is marked failed and does not apply. The policy result in the deployment log names the rule that denied it.
What this error means
An env0 deployment triggered from CI (via the env0 API or CLI) ends in a failed status with a policy denial in the plan step, rather than an apply error.
Deployment failed: plan policy check did not pass
denied: resource "aws_db_instance" must have "deletion_protection" = trueCommon causes
The plan violates an OPA policy
A policy attached to the project or template returns a deny for the proposed change, so env0 fails the deployment before apply.
A required attribute the plan omits
The policy checks a resource attribute (encryption, deletion protection, tags) that the plan does not set, producing a denial.
How to fix it
Read the denial and correct the config
- Open the deployment and read the plan policy output.
- Set the attribute the policy requires in your Terraform.
- Re-deploy so the plan passes.
Fix the policy only if it is wrong
If the OPA policy itself is incorrect, update it in env0 and test before re-enforcing. Do not detach a control just to unblock.
How to prevent it
- Keep OPA policies in version control and review changes.
- Run a plan and check policy results before merging governed config.
- Set required security attributes in modules so plans pass by default.