Skip to content
Latchkey

HCP Terraform run errored on Sentinel policy check failed in CI

HCP Terraform ran the plan, then evaluated your Sentinel policy set. A hard-mandatory policy returned false, so the run is errored and the apply is blocked until the plan complies. The failing policy and rule are named in the policy check output.

What this error means

The run shows "Policy check failed" or "policy check hard failed" and the run status becomes errored. CI that polls the run (or a terraform apply in agent mode) exits non-zero.

terraform
Sentinel Result: false

This result means that Sentinel policies returned false and the protected
behavior is not allowed. ...
  Policy "restrict-instance-type.sentinel" (hard-mandatory): FAILED

Common causes

The plan violates a hard-mandatory policy

A hard-mandatory Sentinel policy cannot be overridden. If the plan proposes something it forbids (a disallowed instance type, a missing tag), the run fails.

A policy input the plan does not satisfy

The policy inspects tfplan/tfconfig data; a resource attribute that does not meet the rule makes the policy evaluate to false.

How to fix it

Read the failing rule and change the plan

  1. Open the policy check output and find the named policy and the rule that returned false.
  2. Adjust the Terraform config so the plan satisfies the rule (correct the attribute, add the required tag).
  3. Re-run so the plan passes the policy set.

Lower enforcement only where appropriate

If the policy should be advisory, an org owner can set that policy to advisory or soft-mandatory in the policy set. Do not weaken a control just to unblock a run.

How to prevent it

  • Run terraform plan and review policy output before merging config that touches governed resources.
  • Keep policy sets versioned so the rules a plan must satisfy are visible in review.
  • Fix the plan rather than downgrading hard-mandatory policies.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →