Unable to get valid policy results on TFE server (on prem)

Facing a weird issue:

On terraform cloud (team and governance subscription) :

when i try to run the terrafrom plan the sentinle policies are working as expected (i.e pass and fail scenarios working as expected)

When I try to run the same terraform plan for terraform enterprise on prem server , the sentinel policy passes eevrything , even the fail scenario it passess, which is incorrect.

on prem terraform enterprise server is v202209-2

I checked the mock data of the plan on both of these servers and they are identical.

Not sure, why on the terraform enterprise server the sentinel policy is failing to fail the terraform plan

Has anyone encountered an issue like this ?

Are you using newer capabilities in the Sentinel configuration file that may not be available in the on-premises instance?

Hi @hcrhall , thanks for responding…

my sentinel.hcl configuration file looks like below:

module "tfplan-functions" {
    source = "../common-functions/tfplan-functions/tfplan-functions.sentinel"

module "tfstate-functions" {
    source = "../common-functions/tfstate-functions/tfstate-functions.sentinel"

module "tfconfig-functions" {
    source = "../common-functions/tfconfig-functions/tfconfig-functions.sentinel"

module "azure-functions" {
    source = "./azure-functions/azure-functions.sentinel"

policy "storage-acccount-policy" {
    source = "./storage-account-policy.sentinel"
    enforcement_level = "soft-mandatory"

policy "vm-policy" {
    source = "./vm-policy.sentinel"
    enforcement_level = "soft-mandatory"

My policy files makes use of functions which are called from the main rule. I am using version 2 policy constructs.

Do you think this kind of sentinel.hcl configuration not supported for terraform enterprise server (on prem) ?

No that looks fine.

I think the best path forward is to raise a support request so we can try and work out what is happening at a platform level and compare the policy against all mock data. etc.

I got the issue, the policy filter condition for provider name on tfe cloud was for public registry where as in the on prem setup it should have been a private registry so the policies were not working there.

I fixed it and its working as expected.

Thanks @hcrhall for looking into the issue.