When does Sentinel enforce policy logic in a Terraform Enterprise run?

Sentinel enforces policy logic during the apply phase in a Terraform Enterprise run. This is a crucial checkpoint where the actual infrastructure changes are about to be made based on the plan generated earlier. By implementing governance and compliance checks at this stage, organizations can ensure that any infrastructure modifications conform to defined policies before they take effect. This helps prevent undesired changes and maintains adherence to security and operational policies.

While the plan phase allows for the assessment of what resources will change, Sentinel enforcement is specifically designed to occur before these changes are executed. It does not take place after the apply phase, as that would mean changes have been made before any compliance checks, which undermines the purpose of enforcing policy. Similarly, refreshing the state of the resources does not involve policy enforcement; it is more about updating Terraform's knowledge of the current infrastructure state. By aligning policy checks with the apply phase, organizations can effectively manage risk and maintain control over their infrastructure as code environments.