Register an external run task endpoint in HCP Terraform under Organization Settings > Run Tasks; the endpoint must accept POST requests carrying the task payload and report its result by updating the callback URL included in that payload
Implement a run task server (AWS Lambda, Cloud Run, or any HTTPS endpoint) that receives the Terraform plan JSON payload, parses resource changes, estimates cost using Infracost or the provider's pricing API, and sends a PATCH to the callback URL with status: passed or failed
Configure the run task to run at the Post-Plan stage so it has access to the plan before apply
Attach the run task to the target workspace under Workspace Settings > Run Tasks and set enforcement level to Mandatory to block applies on failure
Test with a plan that intentionally exceeds the cost threshold and confirm the run is blocked with the task's failure message visible in the HCP Terraform UI
For organization-wide enforcement, attach the run task to all workspaces using the tfe Terraform provider: resource "tfe_workspace_run_task" iterating over workspaces
Known gotchas
The run task callback URL is time-limited; if your processing server takes longer than the timeout (typically 10 minutes), HCP Terraform marks the task as timed out and the workspace behavior depends on enforcement level — a mandatory task timeout blocks the apply
Run task payloads include the plan JSON access token which is short-lived; fetch the plan JSON immediately upon receiving the task payload rather than storing the token for later use
Sentinel policies and run tasks are distinct mechanisms in HCP Terraform; both can block applies but are configured separately. Run tasks evaluate external business logic while Sentinel evaluates policy-as-code written in Sentinel language
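The run task server described in the steps above, written out as an added example (not the page's or HashiCorp's own code) in plain Python with only the standard library. It verifies the X-TFC-Task-Signature HMAC-SHA512 header before doing anything, answers the registration test request (the one whose access_token is "test-token") with a bare 200, fetches the plan JSON as soon as the payload arrives because that token is short-lived, sums a cost estimate from resource_changes, and PATCHes the callback URL with a JSON:API task-results body whose status is passed or failed. The header name, the "test-token" value and the callback body shape follow HashiCorp's run task integration docs; the price table, threshold, sample payload and sample plan are constructed for the example, and a real server would replace SAMPLE_PRICES with Infracost or the provider's pricing API. Network calls are injected as functions so the decision logic runs and can be tested offline.

```python
import hashlib
import hmac
import json
import urllib.request

# Constructed price table, USD per month, keyed by (resource type, size attribute).
# A real run task would ask Infracost or the provider's pricing API instead.
SAMPLE_PRICES = {
    ("aws_instance", "t3.micro"): 7.59,
    ("aws_instance", "m5.large"): 70.08,
    ("aws_db_instance", "db.t3.medium"): 49.64,
}
MONTHLY_THRESHOLD_USD = 100.0          # constructed threshold for the example
TEST_TOKEN = "test-token"              # value HCP Terraform sends when verifying a new endpoint

# Constructed task payload, shaped like the POST HCP Terraform sends at the post-plan stage.
SAMPLE_PAYLOAD = {
    "payload_version": 1,
    "stage": "post_plan",
    "access_token": "constructed-short-lived-token",
    "task_result_id": "taskrs-EXAMPLE",
    "task_result_enforcement_level": "mandatory",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/taskrs-EXAMPLE/callback",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/plan-EXAMPLE/json-output",
    "run_id": "run-EXAMPLE",
    "workspace_id": "ws-EXAMPLE",
}

# Constructed plan JSON: one create, one replace (delete+create) and one pure delete.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "before": None, "after": {"instance_type": "m5.large"}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete", "create"], "before": {"instance_class": "db.t3.small"},
                    "after": {"instance_class": "db.t3.medium"}}},
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "before": {"instance_type": "t3.micro"}, "after": None}},
    ],
}


def sign_body(raw_body: bytes, hmac_key: str) -> str:
    """HMAC-SHA512 hex digest of the raw request body, as carried in X-TFC-Task-Signature."""
    return hmac.new(hmac_key.encode(), raw_body, hashlib.sha512).hexdigest()


def verify_signature(raw_body: bytes, signature: str, hmac_key: str) -> bool:
    """Constant-time comparison so an unsigned or forged POST cannot drive a callback."""
    return hmac.compare_digest(sign_body(raw_body, hmac_key), signature or "")


def estimate_monthly_cost(plan_json: dict) -> float:
    """Sum the monthly price of every resource that will exist after apply."""
    total = 0.0
    for rc in plan_json.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:                      # pure delete: nothing to pay for afterwards
            continue
        size = after.get("instance_type") or after.get("instance_class")
        total += SAMPLE_PRICES.get((rc.get("type"), size), 0.0)
    return round(total, 2)


def evaluate(plan_json: dict, threshold: float):
    cost = estimate_monthly_cost(plan_json)
    status = "passed" if cost <= threshold else "failed"
    return status, f"Estimated monthly cost ${cost:.2f} (threshold ${threshold:.2f})"


def build_callback_body(status: str, message: str) -> dict:
    """JSON:API body HCP Terraform expects on the PATCH to task_result_callback_url."""
    return {"data": {"type": "task-results", "attributes": {"status": status, "message": message}}}


def fetch_plan_json(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def patch_callback(url: str, token: str, body: dict) -> int:
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def handle_run_task(raw_body: bytes, signature: str, hmac_key: str,
                    fetch=fetch_plan_json, patch=patch_callback,
                    threshold: float = MONTHLY_THRESHOLD_USD):
    """Returns (HTTP status to answer the POST with, callback body sent or None)."""
    if not verify_signature(raw_body, signature, hmac_key):
        return 401, None
    payload = json.loads(raw_body)
    if payload.get("access_token") == TEST_TOKEN:   # registration test: acknowledge, no callback
        return 200, None
    # Fetch immediately: the access token expires, so never queue it for later.
    plan = fetch(payload["plan_json_api_url"], payload["access_token"])
    status, message = evaluate(plan, threshold)
    body = build_callback_body(status, message)
    patch(payload["task_result_callback_url"], payload["access_token"], body)
    return 200, body


def sample_request(hmac_key: str, token: str = None):
    """Constructed signed request (raw body, signature header) for offline runs."""
    payload = dict(SAMPLE_PAYLOAD, access_token=token or SAMPLE_PAYLOAD["access_token"])
    raw = json.dumps(payload).encode()
    return raw, sign_body(raw, hmac_key)


if __name__ == "__main__":
    raw, sig = sample_request("constructed-hmac-key")
    code, body = handle_run_task(raw, sig, "constructed-hmac-key",
                                 fetch=lambda url, tok: SAMPLE_PLAN,
                                 patch=lambda url, tok, b: 200)
    print(code, json.dumps(body, indent=2))
```

On the sample plan the estimate is 119.72 USD (m5.large plus db.t3.medium; the deleted t3.micro is excluded), which exceeds the 100 USD threshold, so the callback carries status failed and a mandatory run task blocks the apply. Rejecting unsigned requests with 401 matters because the callback URL plus token in a payload is all an attacker needs to mark a run as passed; the HMAC key set on the run task is what ties a POST to HCP Terraform.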