Local Execution Mode Enforcement

I’m new to using Sentinel, and I’m currently on the trial of the Team and Governance plan. During this trial phase I’m evaluating how Sentinel could be used for my team. I’m using Terraform Cloud as a backend for my state file, but using local execution mode for my workspace.

Are Sentinel policies defined in Terraform Cloud policy sets applied to Terraform plans that are being executed from the local CLI? Or do they only apply to remotely-executed plans?

I have tested out a simple policy for enforcing a naming convention for VMs, and have verified that it is working using mock data for my Sentinel policy test. However, what prompted me to post in this forum is that when running terraform plan from my CLI, the plan is carried out without any issues, which made me wonder if Sentinel policies are enforced locally.

Hi @paladin-devops

Sentinel policy checks will not execute if the workspace execution mode has been set to local. If you want to take advantage of policy checks, you will need to set the execution mode to remote so that all plan and apply operations take place in Terraform Cloud.

Hope this helps 🙂

1 Like

Thanks for clarifying @hcrhall ! I would prefer to use remote execution, but my environment is within a private cloud and remote execution isn’t possible at the moment.

Although I’m on the Team and Governance trial right now, if I had an enterprise license with on-prem Terraform Cloud Agents, could Sentinel policies be applied during those terraform plans?

Yes, they can. The plan that is generated by the agent is sent back to the Terraform platform to perform policy checks before an apply operation can occur.

1 Like
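An added example, not part of the thread: a small audit that lists which workspaces fall outside Sentinel policy checks because of their execution mode, as the answers above describe. It assumes a workspace list response in the Terraform Cloud API's JSON:API shape with the `execution-mode` attribute; the sample response and workspace names are constructed.

```python
import json

# Per the thread: plans run in remote mode or by an agent are sent to the
# platform for policy checks; plans run in local mode are not.
POLICY_CHECKED_MODES = {"remote", "agent"}

# Constructed sample, shaped like a workspace list API response.
SAMPLE_RESPONSE = json.dumps({
    "data": [
        {"id": "ws-example1", "type": "workspaces",
         "attributes": {"name": "prod-network", "execution-mode": "remote"}},
        {"id": "ws-example2", "type": "workspaces",
         "attributes": {"name": "private-cloud-vms", "execution-mode": "local"}},
        {"id": "ws-example3", "type": "workspaces",
         "attributes": {"name": "onprem-agent-pool", "execution-mode": "agent"}},
        {"id": "ws-example4", "type": "workspaces",
         "attributes": {"name": "legacy-imports"}},  # attribute missing
    ]
})


def audit_workspaces(response_text):
    """Group workspaces by whether Sentinel policy checks apply to their runs."""
    doc = json.loads(response_text)
    report = {"checked": [], "unchecked": [], "unknown": []}
    for item in doc.get("data", []):
        attrs = item.get("attributes") or {}
        name = attrs.get("name") or item.get("id", "<unnamed>")
        mode = attrs.get("execution-mode")
        if mode in POLICY_CHECKED_MODES:
            report["checked"].append(name)
        elif mode == "local":
            # State is stored remotely, but plan/apply never reach policy checks.
            report["unchecked"].append(name)
        else:
            # Missing or unrecognised mode: report it rather than assume coverage.
            report["unknown"].append((name, mode))
    return report


if __name__ == "__main__":
    result = audit_workspaces(SAMPLE_RESPONSE)
    for name in result["unchecked"]:
        print(f"NOT policy-checked (local execution): {name}")
    for name, mode in result["unknown"]:
        print(f"execution mode not determined ({mode!r}): {name}")
```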