## Introduction

When Terraform compliance checks fail, the plan is blocked from execution. This happens when infrastructure changes violate organizational policies enforced through Sentinel, OPA, Checkov, or other policy-as-code tools.
## Symptoms

- `terraform plan` blocked by: "Sentinel policy check failed"
- Checkov scan returns: "FAILED for resource: aws_s3_bucket.example"
- OPA/Conftest returns: "deny[msg]" for specific rules
- CI/CD pipeline fails at the compliance check stage
- Specific rules flagged, e.g. "S3 bucket encryption not enabled"
## Common Causes

- Resource configuration violates a security policy
- Missing required tags (cost center, owner, environment)
- Public access enabled on storage resources
- Encryption not configured for databases
- IAM policies overly permissive
- Resource in the wrong region or availability zone
## Step-by-Step Fix

1. **Review the specific policy violations**:

   ```bash
   # For Checkov
   checkov -d . --framework terraform

   # For OPA/Conftest
   conftest test plan.json

   # For Sentinel (violations are shown in the apply output)
   terraform apply
   ```

2. **Fix the violating resource configuration**. For example, if S3 bucket encryption is required:

   ```hcl
   resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
     bucket = aws_s3_bucket.example.id

     rule {
       apply_server_side_encryption_by_default {
         sse_algorithm = "aws:kms"
       }
     }
   }
   ```

3. **Test locally before committing**:

   ```bash
   terraform plan -out=tfplan
   terraform show -json tfplan > plan.json
   checkov -f plan.json --framework terraform_plan
   ```
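To make concrete what a plan-based scan like the one in step 3 actually evaluates, here is an added example (not code from this page, Checkov or OPA): a minimal Python policy evaluator over the `plan.json` produced by `terraform show -json`, implementing the two rules named above, S3 server-side encryption and required tags. It assumes bucket names are known at plan time; an encryption configuration whose `bucket` is still unknown (a reference such as `aws_s3_bucket.example.id` to a bucket created in the same plan) is skipped rather than treated as encrypted, so such cases need the plan's `configuration` section to resolve.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the checks read: resource_changes[].type, .address and .change.after.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "example-logs", "tags": {"owner": "secops"}}}},
    {"address": "aws_s3_bucket.audited", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "audited-logs",
         "tags": {"owner": "secops", "cost_center": "cc-42", "environment": "prod"}}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.audited",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"actions": ["create"], "after": {
         "bucket": "audited-logs",
         "rule": [{"apply_server_side_encryption_by_default":
                   [{"sse_algorithm": "aws:kms"}]}]}}},
]})

REQUIRED_TAGS = ("cost_center", "owner", "environment")
ALLOWED_SSE = {"aws:kms", "AES256"}

def sse_algorithms(enc_cfg):
    """Collect every sse_algorithm declared in an encryption-configuration resource."""
    return {d["sse_algorithm"] for rule in enc_cfg.get("rule", [])
            for d in rule.get("apply_server_side_encryption_by_default", [])}

def evaluate_plan(plan_json):
    """Return one deny message per violation; an empty list means the plan passes."""
    plan = json.loads(plan_json)
    # Only resources that still exist after apply matter; a delete has after == null.
    after = [rc for rc in plan.get("resource_changes", [])
             if rc["change"].get("after") is not None]
    encrypted = {}  # bucket name -> algorithms declared by its encryption configuration
    for rc in after:
        if rc["type"] == "aws_s3_bucket_server_side_encryption_configuration":
            if name := rc["change"]["after"].get("bucket"):  # skip refs unknown at plan time
                encrypted[name] = sse_algorithms(rc["change"]["after"])
    denies = []
    for rc in after:
        if rc["type"] != "aws_s3_bucket":
            continue
        cfg = rc["change"]["after"]
        if not encrypted.get(cfg.get("bucket"), set()) & ALLOWED_SSE:
            denies.append(f"{rc['address']}: S3 bucket encryption not enabled")
        missing = [t for t in REQUIRED_TAGS if t not in (cfg.get("tags") or {})]
        if missing:
            denies.append(f"{rc['address']}: missing required tags {missing}")
    return denies
```

Running `evaluate_plan(SAMPLE_PLAN)` flags only `aws_s3_bucket.example`, once for encryption and once for tags, while the bucket with a matching `aws:kms` configuration and all required tags passes.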