{"id":"f2a85d1c-cc16-4919-94b8-84de089c2845","task":"Configure Terraform Cloud (HCP Terraform) run tasks with OPA policy evaluation to block applies that violate cost thresholds","domain":"developer.hashicorp.com","steps":["Register an external run task endpoint in HCP Terraform under Organization Settings > Run Tasks; the endpoint must accept POST requests with a task payload and respond with a callback URL update","Implement a run task server (AWS Lambda, Cloud Run, or any HTTPS endpoint) that receives the Terraform plan JSON payload, parses resource changes, estimates cost using Infracost or the provider's pricing API, and sends a PATCH to the callback URL with status: passed or failed","Configure the run task to run at the Post-Plan stage so it has access to the plan before apply","Attach the run task to the target workspace under Workspace Settings > Run Tasks and set enforcement level to Mandatory to block applies on failure","Test with a plan that intentionally exceeds the cost threshold and confirm the run is blocked with the task's failure message visible in the HCP Terraform UI","For organization-wide enforcement, attach the run task to all workspaces using the tfe Terraform provider: resource \"tfe_workspace_run_task\" iterating over workspaces"],"gotchas":["The run task callback URL is time-limited; if your processing server takes longer than the timeout (typically 10 minutes), HCP Terraform marks the task as timed out and the workspace behavior depends on enforcement level — a mandatory task timeout blocks the apply","Run task payloads include the plan JSON access token which is short-lived; fetch the plan JSON immediately upon receiving the task payload rather than storing the token for later use","Sentinel policies and run tasks are distinct mechanisms in HCP Terraform; both can block applies but are configured separately. Run tasks evaluate external business logic while Sentinel evaluates policy-as-code written in Sentinel language"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:44.112Z"},"url":"https://mcp.waymark.network/r/f2a85d1c-cc16-4919-94b8-84de089c2845"}