Terraform
Policy Checks API
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Policy checks are the default workflow for Sentinel. Policy checks use the latest version of the Sentinel runtime and have access to cost estimation data. This set of APIs provides endpoints to get, list, and override policy checks.
Warning: Policy checks are deprecated and will be permanently removed in August 2025. We recommend that you start using policy evaluations to avoid disruptions.
List Policy Checks
This endpoint lists the policy checks in a run.
Note: The sentinel
hash in the result
attribute structure represents low-level Sentinel details generated by the policy engine. The keys or structure may change over time. Use the data in this hash at your own risk.
GET /runs/:run_id/policy-checks
Parameter | Description |
---|---|
run_id | The ID of the run to list policy checks for. |
Query Parameters
This endpoint supports pagination with standard URL query parameters. Remember to percent-encode [
as %5B
and ]
as %5D
if your tooling doesn't automatically encode URLs. If neither pagination query parameters are provided, the endpoint will not be paginated and will return all results.
Parameter | Description |
---|---|
page[number] | Optional. If omitted, the endpoint will return the first page. |
page[size] | Optional. If omitted, the endpoint will return 20 policy checks per page. |
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
https://app.terraform.io/api/v2/runs/run-CZcmD7eagjhyXavN/policy-checks
Sample Response
{
"data": [
{
"id": "polchk-9VYRc9bpfJEsnwum",
"type": "policy-checks",
"attributes": {
"result": {
"result": false,
"passed": 0,
"total-failed": 1,
"hard-failed": 0,
"soft-failed": 1,
"advisory-failed": 0,
"duration-ms": 0,
"sentinel": {...}
},
"scope": "organization",
"status": "soft_failed",
"status-timestamps": {
"queued-at": "2017-11-29T20:02:17+00:00",
"soft-failed-at": "2017-11-29T20:02:20+00:00"
},
"actions": {
"is-overridable": true
},
"permissions": {
"can-override": false
}
},
"relationships": {
"run": {
"data": {
"id": "run-veDoQbv6xh6TbnJD",
"type": "runs"
}
}
},
"links": {
"output": "/api/v2/policy-checks/polchk-9VYRc9bpfJEsnwum/output"
}
}
]
}
Show Policy Check
This endpoint gets information about a specific policy check ID. Policy check IDs can appear in audit logs.
Note: The sentinel
hash in the result
attribute structure represents low-level Sentinel details generated by the policy engine. The keys or structure may change over time. Use the data in this hash at your own risk.
GET /policy-checks/:id
Parameter | Description |
---|---|
id | The ID of the policy check to show. |
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
https://app.terraform.io/api/v2/policy-checks/polchk-9VYRc9bpfJEsnwum
Sample Response
{
"data": {
"id": "polchk-9VYRc9bpfJEsnwum",
"type": "policy-checks",
"attributes": {
"result": {
"result": false,
"passed": 0,
"total-failed": 1,
"hard-failed": 0,
"soft-failed": 1,
"advisory-failed": 0,
"duration-ms": 0,
"sentinel": {...}
},
"scope": "organization",
"status": "soft_failed",
"status-timestamps": {
"queued-at": "2017-11-29T20:02:17+00:00",
"soft-failed-at": "2017-11-29T20:02:20+00:00"
},
"actions": {
"is-overridable": true
},
"permissions": {
"can-override": false
}
},
"relationships": {
"run": {
"data": {
"id": "run-veDoQbv6xh6TbnJD",
"type": "runs"
}
}
},
"links": {
"output": "/api/v2/policy-checks/polchk-9VYRc9bpfJEsnwum/output"
}
}
}
Override Policy
This endpoint overrides a soft-mandatory or warning policy.
Note: The sentinel
hash in the result
attribute structure represents low-level Sentinel details generated by the policy engine. The keys or structure may change over time. Use the data in this hash at your own risk.
POST /policy-checks/:id/actions/override
Parameter | Description |
---|---|
id | The ID of the policy check to override. |
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
https://app.terraform.io/api/v2/policy-checks/polchk-EasPB4Srx5NAiWAU/actions/override
Sample Response
{
"data": {
"id": "polchk-EasPB4Srx5NAiWAU",
"type": "policy-checks",
"attributes": {
"result": {
"result": false,
"passed": 0,
"total-failed": 1,
"hard-failed": 0,
"soft-failed": 1,
"advisory-failed": 0,
"duration-ms": 0,
"sentinel": {...}
},
"scope": "organization",
"status": "overridden",
"status-timestamps": {
"queued-at": "2017-11-29T20:13:37+00:00",
"soft-failed-at": "2017-11-29T20:13:40+00:00",
"overridden-at": "2017-11-29T20:14:11+00:00"
},
"actions": {
"is-overridable": true
},
"permissions": {
"can-override": false
}
},
"links": {
"output": "/api/v2/policy-checks/polchk-EasPB4Srx5NAiWAU/output"
}
}
}
Available Related Resources
The GET endpoints above can optionally return related resources, if requested with the include
query parameter. The following resource types are available:
Resource Name | Description |
---|---|
run | The run this policy check belongs to. |
run.workspace | The associated workspace of the run. |