Skip or ignore a sentinel policy during speculative plan run

Hi -

Is there any way to skip a Sentinel policy during a speculative plan run? Alternatively, is there a way to make a sentinel policy execute and always pass during a speculative plan run? I basically have a requirement where I want to execute the sentinel policy in between the standard plan and apply mode.

I was thinking that if the run mode information appeared in the tfplan output, I could check that first using the sentinel policy, and if it was a speculative plan I would force the policy to pass. However, it does not appear that this information is stored in the tfplan output.

Any ideas on work arounds to skip/ignore the policy or force the policy to pass during a speculative plan run?

Hello Mark!

You can check the speculative attribute in the tfrun import and use a predicate rule to allow it to pass:

Here’s a simple example:

import "tfrun"

is_speculative_run = rule when tfrun.speculative is not true {
1 Like

Hi @mark.harrison.mcdona

Are you at all concerned about how this may effect the developer experience for terraform engineers that are authoring their configuration locally, and using the CLI as a client for Terraform Cloud to execute the plan?

This may not be a workflow that you wish to support, but if you do, I think you may find that engineers may have a poor experience. Policies are enabled on speculative plans so you can ensure that your configuration passes before you merge to your main branch. If you ignore speculative runs, you run the risk of an increase in blocked runs which require a lot of rework from a configuration perspective.

I’m conscious that I don’t completely understand your use-case, and it may be a single policy that you wish to ignore, but thought I would ask the question anyway.

Thanks for raising that concern @hcrhall. I do in fact have a very specific use case for this that is probably pretty unconventional. I’m using the Terraform Cloud Operator for Kubernetes to deploy tf. By itself, this operator does not allow for a pause between the plan and the apply. In order for a human to be in the loop and review the plan, I’m using a very broad sentinel policy that will soft fail if any resources are being changed or destroyed. This is definitely a hacky workaround, but it’s the best I can come up with given the rigidity of the Terraform Cloud Operator. For the speculative plan run during the PR, I don’t want the plan to fail because of the sentinel policy hack.

Let me know if you have any other ideas or work arounds to consider.