Terraform Cloud "Policy check failed" (Sentinel / OPA) in CI
The plan succeeded, but a governance gate failed. A Sentinel or OPA policy set attached to the workspace evaluated the plan and a hard-mandatory rule failed, so HCP Terraform blocks the run from applying.
What this error means
A remote run passes plan, then fails at the policy stage with "Policy check failed" and a list of the Sentinel/OPA rules that did not pass.
Policy check failed. 1 policy evaluated, 1 failed.
restrict-instance-type (hard-mandatory) FAILED
- instance type "m5.24xlarge" is not in the allowed listCommon causes
The plan violates a hard-mandatory policy
A hard-mandatory rule cannot be overridden. If the plan breaks it (an oversized instance, a public bucket), the run is blocked.
A soft-mandatory policy needs an override
A soft-mandatory failure can be overridden by an authorized user, but an unattended CI run has no one to approve it, so it stops.
How to fix it
Bring the plan into policy
- Read which policy failed and why in the run log.
- Change the configuration so the plan complies (allowed instance type, tags, encryption).
- Re-run so the policy passes.
Override a soft-mandatory policy deliberately
For soft-mandatory failures, have an authorized user override the run in HCP Terraform, or adjust the policy set if the rule is wrong.
How to prevent it
- Run policy checks on plan output early so violations surface in review.
- Keep policy sets and configuration allowlists in sync.
- Reserve hard-mandatory for rules that must never be bypassed.