Troubleshooting the Styra DAS Terraform System

This page documents common problems encountered when working with the Styra DAS Terraform system type.

General Troubleshooting

Troubleshooting details in this section apply to all Terraform system type implementations, including the run task integration with Terraform Cloud.

Enforce or Monitor Rules Are Not Evaluated

If the enforce or monitor rules defined for your Terraform system are not evaluated against Terraform plan inputs, ensure those rules are defined in policy packages that follow the policy.<provider>.<resource> hierarchy. Enforce and monitor rules defined in packages outside of that hierarchy are not applied to Terraform plans.

Refer to the Terraform Policy Package and Module Structure documentation for additional details.

Sensitive Terraform Variable Values Displayed in Decision Logs

Terraform plans may include the values of variables even if those variables have the sensitive argument defined. Any decision inputs, including the Terraform plan contents, are displayed in the Styra DAS decision log. To redact these sensitive values before they are logged in Styra DAS decisions, refer to the Terraform Decision Masking documentation.

Terraform Cloud Integration Troubleshooting

Troubleshooting details in this section apply only to the Styra DAS integration with Terraform Cloud run tasks.

Error: A Run Task Already Exists

If you receive the error message "Precondition failed: A Terraform Run Task with the name styra-das-policy-check-<DAS_tenant> already exists...", this likely means your Styra DAS workspace had a previous integration with Terraform Cloud removed without deleting the run task in the Terraform Cloud organization.

Styra DAS cannot reuse a removed run task integration, because each run task has a unique, private HMAC key that is used to validate that incoming Terraform Cloud run task requests come from the correct Terraform Cloud organization. Remove the existing run task from Terraform Cloud by following the steps in the Terraform Cloud Deleting a Run Task documentation before attempting to re-integrate Styra DAS with Terraform Cloud.
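The following added example (not Styra DAS code) shows why a run task left over from a removed integration cannot be reused: Terraform Cloud signs each request body with the run task's HMAC key (HMAC-SHA512, carried in the X-TFC-Task-Signature header), and a receiver holding a different key rejects it. The keys, payload and function names are constructed for illustration, and hex encoding of the signature is an assumption.

```python
import hashlib
import hmac

# Header Terraform Cloud uses for the HMAC-SHA512 signature of the request body.
SIGNATURE_HEADER = "x-tfc-task-signature"


def sign_body(hmac_key: bytes, body: bytes) -> str:
    """Hex HMAC-SHA512 of the raw body (hex encoding is an assumption here)."""
    return hmac.new(hmac_key, body, hashlib.sha512).hexdigest()


def verify_run_task_request(hmac_key: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the signature header matches the raw request body."""
    supplied = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), None
    )
    if not supplied:
        return False  # unsigned requests are rejected, never treated as valid
    expected = sign_body(hmac_key, body)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.strip().lower().encode())


def demo() -> dict:
    # Constructed sample values: two keys stand in for a removed integration
    # and its replacement; the body is an abbreviated, made-up payload.
    old_key = b"constructed-key-from-removed-integration"
    new_key = b"constructed-key-from-current-integration"
    body = b'{"stage": "post_plan", "workspace_id": "ws-EXAMPLE"}'
    return {
        "current_key": verify_run_task_request(
            new_key, {"X-TFC-Task-Signature": sign_body(new_key, body)}, body
        ),
        "stale_key": verify_run_task_request(
            new_key, {"X-TFC-Task-Signature": sign_body(old_key, body)}, body
        ),
        "tampered_body": verify_run_task_request(
            new_key, {"X-TFC-Task-Signature": sign_body(new_key, body)}, body + b" "
        ),
        "missing_header": verify_run_task_request(new_key, {}, body),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Verification must run over the raw request bytes as received; re-serializing parsed JSON before hashing changes the bytes and makes valid requests fail.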

Styra DAS Policy Check Run Task Does Not Block Terraform Cloud Run

There are several scenarios which may cause the Styra DAS Policy Check run task to return a passing result for a Terraform Cloud workspace run or to fail and still allow the run to proceed to the apply phase. These can be categorized as:

  • Styra DAS Workspace System Mapping Issue

    • Terraform Cloud workspace is not mapped to a Styra DAS Terraform system. For a Styra DAS Terraform system's policies to be applied to a Terraform Cloud workspace run plan, you must associate the Terraform Cloud workspace with a Styra DAS Terraform system.
    • Terraform Cloud workspace ID is incorrect in the Styra DAS Terraform system mapping. Ensure the Terraform Cloud workspace ID defined in the Styra DAS system mapping is a valid workspace ID.
    • Terraform Cloud workspace is mapped to the incorrect Styra DAS Terraform system. Ensure the Terraform Cloud workspace is associated with the desired Styra DAS Terraform system. Refer to the Associate a Styra DAS System with Terraform Cloud Workspaces documentation for instructions.
  • Advisory Run Task

    • Terraform Cloud run task was added to the Terraform Cloud workspace in "advisory" mode. In the Terraform Cloud workspace Run Task settings, change the run task to "mandatory" mode.
  • Monitor or Ignore Rule

    • Styra DAS Terraform system rules are defined as monitor or ignore rules and will not produce a policy failure. For policy rules to result in a policy failure in Styra DAS, the rules must be defined either as enforce or deny rules. Refer to the Terraform Rule Formats documentation for additional details.
  • Invalid Policy Package Structure