CoursesAtlantisIntermediate

Policy checks in the flow

Conftest/OPA gating applies.

Advanced12 min · lesson 8 of 12

Atlantis has native policy checking that gates applies on OPA/Conftest policies. With policy checks enabled, after the plan step Atlantis evaluates your Rego policies against the plan and, if a mandatory policy fails, blocks apply until either the code is fixed or an authorized owner approves the policy failure. This puts the guardrails from the OPA and Checkov courses directly in the Terraform PR flow, enforced by the same server that runs the apply.

POLICY AS A GATE ON APPLY
1Plan
Atlantis posts the plan
2Policy check
Rego/Conftest run against the plan
3Mandatory fail
deny rule matches
4Apply blocked
until fixed or owner-approved
5Apply
runs once gate passes
Mandatory policies block apply; only a designated owner can approve the exception, recorded in the PR.
server config + policy
policies:
owners:
users: [security-lead] # who may approve a policy failure
policy_sets:
- name: iac-guardrails
path: /policies # Rego policies (deny rules) run against the plan
source: local
# a failing mandatory policy blocks `atlantis apply` until fixed or owner-approved

Policy as a first-class gate

The difference from just running a scanner in CI is that Atlantis makes the policy result a gate on the apply it controls, with an approval path owned by the right people. A public bucket or an open security group in the plan fails the policy, the apply is blocked, and only a designated policy owner can approve the exception — recorded in the PR. This is defense in depth: policy at the exact moment of change, enforced by the tool that holds the credentials.

PR comment
Policy Check Failed: iac-guardrails
deny: aws_s3_bucket.assets is public without approval
apply is blocked. Fix the plan, or have a policy owner approve.
Advisory policies do not block — mark mandatory ones
As with Conftest’s warn vs deny, an Atlantis policy configured as advisory reports but does not block the apply. If a rule must prevent a change, make it mandatory and ensure the owner-approval path is restricted to the right people — otherwise a policy “failure” that anyone can wave through is not a gate. Confirm your critical policies actually block apply, not just annotate the PR.