Skip to content
Latchkey

Terraform Cloud "Policy check failed" (Sentinel / OPA) in CI

The plan succeeded, but a governance gate failed. A Sentinel or OPA policy set attached to the workspace evaluated the plan and a hard-mandatory rule failed, so HCP Terraform blocks the run from applying.

What this error means

A remote run passes plan, then fails at the policy stage with "Policy check failed" and a list of the Sentinel/OPA rules that did not pass.

terraform
Policy check failed. 1 policy evaluated, 1 failed.

  restrict-instance-type (hard-mandatory) FAILED
    - instance type "m5.24xlarge" is not in the allowed list

Common causes

The plan violates a hard-mandatory policy

A hard-mandatory rule cannot be overridden. If the plan breaks it (an oversized instance, a public bucket), the run is blocked.

A soft-mandatory policy needs an override

A soft-mandatory failure can be overridden by an authorized user, but an unattended CI run has no one to approve it, so it stops.

How to fix it

Bring the plan into policy

  1. Read which policy failed and why in the run log.
  2. Change the configuration so the plan complies (allowed instance type, tags, encryption).
  3. Re-run so the policy passes.

Override a soft-mandatory policy deliberately

For soft-mandatory failures, have an authorized user override the run in HCP Terraform, or adjust the policy set if the rule is wrong.

How to prevent it

  • Run policy checks on plan output early so violations surface in review.
  • Keep policy sets and configuration allowlists in sync.
  • Reserve hard-mandatory for rules that must never be bypassed.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →