How do I apply policy to CLI runs?

All Terraform runs, including CLI runs, through Scalr can have automatic policy checks applied to them. However for the CLI it isn’t always obvious how that works given that CLI runs are triggered outside of Scalr.

  • Policy automation is implemented for all types of runs by linking OPA based policy groups to the required environments. There is a quick example of that below and full details of setting up OPA policies can be found here Policy as Code.

  • CLI runs through Scalr are different to other types of runs (VCS, Template Registry) because the Terraform configuration must be explicitly configured to use Scalr as a remote backend.

Configure the Terraform configuration with a Remote Backend

  1. Create an API token and add it to ~/.terraformrc or %APPDATA%\terrafrom.rc. Example below is for hosted Scalr so change the hostname if required.

credentials "" {
  token = "<user-token>"
  1. Get the organization ID for the environment (same one the policy group is linked to) and add a terraform { } block to the Terraform configuration with the org id and a workspace name.

terraform {
  backend "remote" {
    hostname = ""
    organization = "<organization-id of environment>"
    workspaces {
      name = "<workspace-name>"
  1. Run terraform init to create and initialize the workspace.

Now all the CLI runs (terraform plan, terraform apply) will run through Scalr a policies will be applied.


See CLI Driven Workspace for more details.

Linking Policies to Environments

OPA Policies are held as code in a VCS repository. Example Scalr sample OPA policies NEWWIN

  • in the account got to “Policy Engine” –> “Policy Groups” and create and new policy group of type “Open Policy Agent” linked to the policy repo.

  • The policies will be listed with their corresponding enforcement levels:

  • Now link the policy group to the Environment where the CLI workspaces will be created.


See Policy as Code for full details on creating and linking policies.