Native Open Policy Agent (OPA) support allows customers who have standardized on OPA to bring their policies into Terraform Cloud.
We are excited to announce native Open Policy Agent (OPA) support for Terraform Cloud is now generally available. First launched as a public beta during HashiConf Global 2022, this feature extends the policy as code capabilities of Terraform Cloud to support OPA. OPA is based on the Rego policy language and works alongside Sentinel to increase the number of supported ways customers can adopt a policy as code framework for secure multi-cloud provisioning. Native OPA support helps simplify adopting and maintaining policy enforcement workflows in Terraform Cloud.
Open Policy Agent is an open source general-purpose policy engine. OPA uses a high-level declarative language called Rego that, much like Sentinel, is used to enforce controls using policy as code. HashiCorp Sentinel is a powerful policy as code framework that has been part of Terraform Cloud and Enterprise since their inception. However, organizations that have already invested in OPA may want to leverage those existing skills and policies. Previously, this required Terraform users to create their own tooling to incorporate OPA into their Terraform Cloud workflows. Maintaining these solutions required significant time and effort, potentially reducing focus on security and resource compliance. The native OPA support in Terraform Cloud removes the need for that custom tooling.
The native OPA integration allows customers to migrate their existing Rego-based policies into Terraform Cloud with minimal engineering effort. As with Terraform and infrastructure as code, OPA allows users to rely on a single language for policy as code for different configurations and resources. This makes it easy to create and share reusable policies with the rest of the organization.
Teams can now choose their desired policy framework and collaborate seamlessly across their organization. Native OPA support also allows Terraform Cloud users to take advantage of the platform’s mature policy workflows. These workflows help simplify policy enforcement and free users from the burden of using custom or third-party tools to connect OPA and Terraform Cloud.
Adding native OPA support to Terraform Cloud allows teams to have an additional framework choice when adopting a policy as code approach. In some organizations, multiple teams are responsible for different policies, such as compliance or operational best practices. Limiting these teams to a single policy framework can cause less than optimal policy enforcement processes. OPA and Sentinel can operate side-by-side so each team can choose its preferred framework and work together seamlessly.
The native OPA support in Terraform Cloud includes:
Native OPA support gives users more flexibility to adopt a policy as code framework in Terraform Cloud. This integration helps simplify and accelerate policy enforcement workflows across multi-cloud environments.
To learn more about OPA support for Terraform Cloud, check out the documentation on Defining OPA Policies and our tutorial on how to Detect Infrastructure Drift and Enforce OPA Policies.
Get started with Terraform Cloud for free to begin provisioning and managing your infrastructure in any environment.
Introducing a more efficient, streamlined way of managing policy as code workflows in Terraform Cloud.
Terraform’s dynamic provider credentials enable secure, short-lived authentication for HashiCorp Vault and cloud providers.
Terraform 1.4 is now generally available, featuring enhanced run output in Terraform Cloud, support for OPA policy results in the CLI, and a native replacement for the null resource.