The current guide doesn't really explain what all can or cannot be done with OPA policies and Terraform plans.
There are notably a few areas that are not easily covered by policies due to the information available at the time the JSON plan is generated:
- Expressions: Built-in functions in the plan may not have been evaluated yet; especially tricky are unknown values, dynamic blocks, and function calls:
https://www.terraform.io/docs/configuration/expressions.html#values-not-yet-known
https://www.terraform.io/docs/configuration/expressions.html#dynamic-blocks
https://www.terraform.io/docs/configuration/expressions.html#function-calls
It is probably worth noting in the docs update how Sentinel handles (or not) these sorts of things: https://www.terraform.io/docs/cloud/sentinel/import/tfconfig.html#references-with-terraform-0-12 to ensure users have a good idea of what limitations there are with the different solutions and enforcing policies on Terraform plans in general.
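To make the "values not yet known" limitation concrete, here is an added example (not code from the issue, from OPA, or from Terraform) that inspects a Terraform JSON plan the way a policy would. The plan format marks attributes Terraform could not evaluate at plan time in `resource_changes[].change.after_unknown` rather than in `after`; the example uses that real field to give each resource one of three verdicts (allow, deny, unknown) instead of silently treating a missing attribute as compliant. The sample plan is constructed for the example, the S3 ACL rule is an illustrative policy, and only top-level attributes are checked (nested `after_unknown` structures are out of scope here).

```python
import json

# Constructed sample of a Terraform JSON plan (not a real plan). The third
# bucket's "acl" comes from an expression Terraform could not evaluate at plan
# time, so the key is absent from "after" and flagged in "after_unknown".
SAMPLE_PLAN = json.loads("""
{
  "format_version": "0.1",
  "resource_changes": [
    {
      "address": "aws_s3_bucket.logs",
      "type": "aws_s3_bucket",
      "change": {
        "actions": ["create"],
        "after": {"bucket": "logs", "acl": "private"},
        "after_unknown": {"id": true, "arn": true}
      }
    },
    {
      "address": "aws_s3_bucket.public",
      "type": "aws_s3_bucket",
      "change": {
        "actions": ["create"],
        "after": {"bucket": "public", "acl": "public-read"},
        "after_unknown": {"id": true}
      }
    },
    {
      "address": "aws_s3_bucket.dynamic",
      "type": "aws_s3_bucket",
      "change": {
        "actions": ["create"],
        "after": {"bucket": "dyn"},
        "after_unknown": {"id": true, "acl": true}
      }
    },
    {
      "address": "aws_s3_bucket.gone",
      "type": "aws_s3_bucket",
      "change": {"actions": ["delete"], "after": null, "after_unknown": {}}
    }
  ]
}
""")

ALLOW, DENY, UNKNOWN = "allow", "deny", "unknown"


def attribute_state(change, attr):
    """Classify a top-level attribute of a resource change.

    Returns (status, value): status is "unknown" when Terraform has marked the
    attribute in after_unknown, "known" when a concrete value is in "after",
    and "absent" when the attribute is not set at all.
    """
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    if unknown.get(attr) is True:
        return "unknown", None
    if attr in after:
        return "known", after[attr]
    return "absent", None


def evaluate_acl_policy(plan, forbidden=("public-read", "public-read-write")):
    """Illustrative policy: S3 buckets must not be created with a public ACL.

    Unlike a naive check on change.after, an attribute that is not yet known
    yields the separate verdict "unknown" so the caller can decide how to
    treat it rather than mistaking it for compliant.
    """
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket":
            continue
        change = rc["change"]
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # nothing to enforce on a pure deletion
        status, value = attribute_state(change, "acl")
        if status == "unknown":
            verdicts[rc["address"]] = UNKNOWN
        elif status == "known" and value in forbidden:
            verdicts[rc["address"]] = DENY
        else:
            verdicts[rc["address"]] = ALLOW
    return verdicts


def plan_is_acceptable(verdicts, fail_closed=True):
    """Aggregate verdicts. With fail_closed, an unknown value blocks the plan;
    otherwise unknowns are tolerated and should be re-checked after apply."""
    if any(v == DENY for v in verdicts.values()):
        return False
    if fail_closed and any(v == UNKNOWN for v in verdicts.values()):
        return False
    return True


if __name__ == "__main__":
    results = evaluate_acl_policy(SAMPLE_PLAN)
    for address, verdict in results.items():
        print(f"{address}: {verdict}")
    print("plan acceptable (fail-closed):", plan_is_acceptable(results))
```

The point the example makes is that a plan-time policy has three outcomes, not two: the `aws_s3_bucket.dynamic` resource can neither pass nor fail the ACL rule until apply time. Whether an unknown blocks the run (fail closed) or is deferred to a post-apply check against state is a risk decision the policy author has to make explicitly; a policy that only looks at `after` makes it implicitly, and in the permissive direction.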