Sentinel policy using tf-run to not let a plan run when AWS_SECRET_ACCESS_KEY is non-sensitive

I am trying to use tf-run in Sentinel to stop any workspace from running a plan when the AWS_SECRET_ACCESS_KEY environment variable is not marked as sensitive.

terraform-guides/sensitive.sentinel at master · tpiercy6/terraform-guides · GitHub

I am trying something along these lines. Anyone have any feedback?

Hi @tpiercy,

Thanks for reaching out. Unfortunately the outcome you are looking for is not achievable in the current implementation of Terraform Policies. Policy checks are triggered between the plan and apply stage. Since the plan stage has already taken place, Sentinel cannot block the run. You can block the run from progressing to the apply stage, but you cannot block the plan. This is definitely something that we would like to address in the future.

Hope this helps.

Ryan Hall

How specifically would you block it in the apply stage? Do you have any examples?

Tyler Piercy
Senior Solutions Engineer
321-298-9834

Not in a repo, but the following example should help:

https://play.sentinelproject.io/p/hU8hPkIs5Jt
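The shape such a policy takes, as an added example that is not the playground policy linked above nor anything from the thread's authors: it assumes the `tfrun` import exposes `tfrun.variables` as a map of variable name to an object with `category` and `sensitive` fields, and fails the policy check (so the run never reaches apply) when a listed credential variable is not marked sensitive.

```sentinel
import "tfrun"

# Environment variables whose values must never be stored in plaintext.
# Extend this list with other credential variables as needed.
required_sensitive = ["AWS_SECRET_ACCESS_KEY", "AWS_ACCESS_KEY_ID"]

# Assumption: tfrun.variables is a map keyed by variable name, and each
# entry carries "category" ("terraform" or "env") and "sensitive" (bool).
offenders = filter tfrun.variables as name, v {
	v.category is "env" and
	name in required_sensitive and
	not v.sensitive
}

# Surface the offending names in the policy check output so the
# workspace owner knows exactly what to fix.
if length(offenders) > 0 {
	print("Environment variables that must be marked sensitive:", keys(offenders))
}

# A hard-mandatory enforcement level on this policy blocks the apply stage;
# the plan itself has already run by the time the check executes.
main = rule {
	length(offenders) is 0
}
```

Attach the policy with a hard-mandatory enforcement level so the failure cannot be overridden by the run's author.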

Thank you!
