Terraform
Policy Set Parameters API
Sentinel parameters are a list of key/value pairs that HCP Terraform sends to the Sentinel runtime when performing policy checks on workspaces. They can help you avoid hardcoding sensitive parameters into a policy.
Note: HCP Terraform Free Edition includes one policy set of up to five policies. In HCP Terraform Plus Edition, you can connect a policy set to a version control repository or create policy set versions via the API. Refer to HCP Terraform pricing for details.
Parameters are only available for Sentinel policies. This set of APIs provides endpoints to create, update, list and delete parameters.
Create a Parameter
POST /policy-sets/:policy_set_id/parameters
Parameter | Description |
---|---|
:policy_set_id | The ID of the policy set to create the parameter in. |
Request Body
This POST endpoint requires a JSON object with the following properties as a request payload.
Properties without a default value are required.
Key path | Type | Default | Description |
---|---|---|---|
data.type | string | | Must be "vars". |
data.attributes.key | string | | The name of the parameter. |
data.attributes.value | string | "" | The value of the parameter. |
data.attributes.category | string | | The category of the parameters. Must be "policy-set". |
data.attributes.sensitive | bool | false | Whether the value is sensitive. If true then the parameter is written once and not visible thereafter. |
Sample Payload
{
  "data": {
    "type": "vars",
    "attributes": {
      "key": "some_key",
      "value": "some_value",
      "category": "policy-set",
      "sensitive": false
    }
  }
}
Sample Request
curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request POST \
--data @payload.json \
https://app.terraform.io/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters
Sample Response
{
  "data": {
    "id": "var-EavQ1LztoRTQHSNT",
    "type": "vars",
    "attributes": {
      "key": "some_key",
      "value": "some_value",
      "sensitive": false,
      "category": "policy-set"
    },
    "relationships": {
      "configurable": {
        "data": {
          "id": "pol-u3S5p2Uwk21keu1s",
          "type": "policy-sets"
        },
        "links": {
          "related": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s"
        }
      }
    },
    "links": {
      "self": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters/var-EavQ1LztoRTQHSNT"
    }
  }
}
List Parameters
GET /policy-sets/:policy_set_id/parameters
Parameter | Description |
---|---|
:policy_set_id | The ID of the policy set to list parameters for. |
Query Parameters
This endpoint supports pagination with standard URL query parameters. Remember to percent-encode [ as %5B and ] as %5D if your tooling doesn't automatically encode URLs. If neither pagination query parameter is provided, the endpoint will not be paginated and will return all results.
Parameter | Description |
---|---|
page[number] | Optional. If omitted, the endpoint will return the first page. |
page[size] | Optional. If omitted, the endpoint will return 20 parameters per page. |
Sample Request
$ curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
"https://app.terraform.io/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters"
Sample Response
{
  "data": [
    {
      "id": "var-AD4pibb9nxo1468E",
      "type": "vars",
      "attributes": {
        "key": "name",
        "value": "hello",
        "sensitive": false,
        "category": "policy-set"
      },
      "relationships": {
        "configurable": {
          "data": {
            "id": "pol-u3S5p2Uwk21keu1s",
            "type": "policy-sets"
          },
          "links": {
            "related": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s"
          }
        }
      },
      "links": {
        "self": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters/var-AD4pibb9nxo1468E"
      }
    }
  ]
}
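An added example (not part of the HCP Terraform documentation): it audits a List Parameters response for parameters whose key name suggests a secret while the sensitive attribute is false, and builds the list URL with the pagination brackets percent-encoded. The key-name pattern, the function names and the sample IDs and values are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode

API = "https://app.terraform.io/api/v2"
# Assumed naming heuristic for secret-like keys; tune it for your organization.
SECRET_KEY_RE = re.compile(r"token|secret|passw(or)?d|api_?key|private_?key|credential", re.I)


def list_url(policy_set_id, number=None, size=None):
    """Build the list URL; urlencode turns [ and ] into %5B and %5D."""
    query = {}
    if number is not None:
        query["page[number]"] = number
    if size is not None:
        query["page[size]"] = size
    url = f"{API}/policy-sets/{policy_set_id}/parameters"
    return f"{url}?{urlencode(query)}" if query else url


def exposed_parameters(response_body):
    """Return (id, key) for parameters that look secret but are not sensitive."""
    findings = []
    for item in json.loads(response_body)["data"]:
        attrs = item.get("attributes", {})
        if item.get("type") != "vars" or attrs.get("category") != "policy-set":
            continue  # not a policy set parameter as documented above
        if attrs.get("sensitive") is not True and SECRET_KEY_RE.search(attrs.get("key", "")):
            findings.append((item["id"], attrs["key"]))
    return findings


# Constructed sample in the shape of the List Parameters response (IDs are made up).
SAMPLE = json.dumps({"data": [
    {"id": "var-EXAMPLE000000001", "type": "vars", "attributes": {
        "key": "name", "value": "hello", "sensitive": False, "category": "policy-set"}},
    {"id": "var-EXAMPLE000000002", "type": "vars", "attributes": {
        "key": "slack_api_token", "value": "constructed", "sensitive": False, "category": "policy-set"}},
    {"id": "var-EXAMPLE000000003", "type": "vars", "attributes": {
        "key": "db_password", "sensitive": True, "category": "policy-set"}},
]})

if __name__ == "__main__":
    print(list_url("polset-u3S5p2Uwk21keu1s", number=2, size=50))
    for param_id, key in exposed_parameters(SAMPLE):
        print(f"{param_id}: '{key}' is not marked sensitive")
```

A value that was readable through the API before being marked sensitive should be treated as disclosed and rotated.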
Update Parameters
PATCH /policy-sets/:policy_set_id/parameters/:parameter_id
Parameter | Description |
---|---|
:policy_set_id | The ID of the policy set that owns the parameter. |
:parameter_id | The ID of the parameter to be updated. |
Request Body
This PATCH endpoint requires a JSON object with the following properties as a request payload.
Properties without a default value are required.
Key path | Type | Default | Description |
---|---|---|---|
data.type | string | | Must be "vars". |
data.id | string | | The ID of the parameter to update. |
data.attributes | object | | New attributes for the parameter. This object can include key, value, category and sensitive properties, which are described above under Create a Parameter. All of these properties are optional; if omitted, a property will be left unchanged. |
Sample Payload
{
  "data": {
    "id": "var-yRmifb4PJj7cLkMG",
    "attributes": {
      "key": "name",
      "value": "mars",
      "category": "policy-set",
      "sensitive": false
    },
    "type": "vars"
  }
}
Sample Request
$ curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request PATCH \
--data @payload.json \
https://app.terraform.io/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters/var-yRmifb4PJj7cLkMG
Sample Response
{
  "data": {
    "id": "var-yRmifb4PJj7cLkMG",
    "type": "vars",
    "attributes": {
      "key": "name",
      "value": "mars",
      "sensitive": false,
      "category": "policy-set"
    },
    "relationships": {
      "configurable": {
        "data": {
          "id": "pol-u3S5p2Uwk21keu1s",
          "type": "policy-sets"
        },
        "links": {
          "related": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s"
        }
      }
    },
    "links": {
      "self": "/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters/var-yRmifb4PJj7cLkMG"
    }
  }
}
Delete Parameters
DELETE /policy-sets/:policy_set_id/parameters/:parameter_id
Parameter | Description |
---|---|
:policy_set_id | The ID of the policy set that owns the parameter. |
:parameter_id | The ID of the parameter to be deleted. |
Sample Request
$ curl \
--header "Authorization: Bearer $TOKEN" \
--header "Content-Type: application/vnd.api+json" \
--request DELETE \
https://app.terraform.io/api/v2/policy-sets/polset-u3S5p2Uwk21keu1s/parameters/var-yRmifb4PJj7cLkMG