Merge branch 'main' into aws-auto-join-fixed-versions-update

Author: ram-parameswaran

content/terraform-docs-common/docs/cloud-docs/users-teams-organizations/users.mdx

@@ -127,8 +127,16 @@ To leave an organization, click the ellipses (**...**) next to the organization
 
 Click **Password** in the sidebar to change your password. You cannot manage your HCP Terraform password directly if you linked your account to GitHub or HashiCorp Cloud Platform (HCP). Instead, manage your password through the linked service.
 
--> **Note:** Password management is not available if your Terraform Enterprise instance uses [SAML single sign on](/terraform/enterprise/saml/configuration).
--> **Note:** Passwords must be at least 10 characters in length, and you can use any type of character. Password management is not available if your Terraform Enterprise instance uses [SAML single sign on](/terraform/enterprise/saml/configuration).
+<Note>
+Passwords must be at least eight characters long, and contain at least three of the following:  
+
+* Lowercase letters (a-z)
+* Uppercase letters (A-Z)
+* Numbers (0-9)
+* Special characters (!@#$%^&*)
+
+Password management is not available if your Terraform Enterprise instance uses [SAML single sign on](/terraform/enterprise/saml/configuration).
+</Note>
 
 ### Two-factor authentication
 

content/terraform-enterprise/1.0.x/docs/partials/deprecation/policy-checks.mdx

@@ -1,5 +1,5 @@
-<Note>
+<Warning>
 
-Policy checks are deprecated and will be permanently removed in August 2025. We recommend that you start using policy evaluations to avoid disruptions.
+Policy checks support Sentinel versions up to 0.40.x, and do not support newer Sentinel versions. We recommend using [policy evaluations](/terraform/enterprise/policy-enforcement/manage-policy-sets#policy-evaluations) to avoid disruptions.
 
-</Note>
+</Warning>

content/terraform-enterprise/v202507-1/docs/partials/deprecation/policy-checks.mdx

@@ -1,5 +1,5 @@
-<Note>
+<Warning>
 
-Policy checks are deprecated and will be permanently removed in August 2025. We recommend that you start using policy evaluations to avoid disruptions.
+Policy checks support Sentinel versions up to 0.40.x, and do not support newer Sentinel versions. We recommend using [policy evaluations](/terraform/enterprise/policy-enforcement/manage-policy-sets#policy-evaluations) to avoid disruptions.
 
-</Note>
+</Warning>

content/vault/global/partials/important-changes/summary-tables/1_16.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.16.0     | **Yes**         | All        | [Secrets Sync cannot be activated from chroot namespace](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-cannot-be-activated-from-chroot-namespace)
 1.16.0     | No              | Enterprise | [Secrets Sync now requires setting a one-time flag before use](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-now-requires-setting-a-one-time-flag-before-use)
 1.16.18    | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.16.x/updates/important-changes#strict-azure)
+1.16.25    | No              | All        | [JSON Payload Limits](/vault/docs/v1.16.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_18.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.18.0     | **Yes**         | All        | [Docker image no longer contains curl](/vault/docs/v1.18.x/updates/important-changes#docker-image-no-longer-contains-curl)
 1.18.2     | **Yes**         | All        | [Anonymous product usage metrics collection](/vault/docs/v1.18.x/updates/important-changes#product-usage-reporting)
 1.18.7     | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.18.x/updates/important-changes#azure-auth-plugin-requires-resource_group_name-vm_name-and-vmss_name-to-match-the-jwt-claims-on-login)
+1.18.14    | No              | All        | [JSON Payload Limits](/vault/docs/v1.18.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_19.mdx

@@ -22,6 +22,7 @@ Introduced | Recommendations | Edition    | Change
 1.19.0     | No              | All        | [RADIUS authentication is no longer case sensitive](/vault/docs/v1.19.x/updates/important-changes#case-sensitive)
 1.19.0     | No              | All        | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519)
 1.19.1     | **Yes**         | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure)
+1.19.9     | No              | All        | [JSON Payload Limits](/vault/docs/v1.19.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_20.mdx

@@ -14,6 +14,8 @@ Introduced | Recommendations | Edition    | Change
 ---------- | --------------- | ---------- | ------
 1.20.0     | **Yes**         | All        | [Key pair authentication for Snowflake DB secrets engine](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-auth)
 1.20.0     | **Yes**         | All        | [Audience warning for Kubernetes authentication roles](#k8-audience-warning)
+1.20.3     | No              | All        | [JSON Payload Limits](/vault/docs/v1.20.x/updates/important-changes#json-limits)
+
 
 
 ### Known issues

content/vault/v1.16.x/content/api-docs/index.mdx

@@ -316,4 +316,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/api-docs/index.mdx

@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx

@@ -2,8 +2,8 @@
 layout: docs
 page_title: Upgrade to Vault 1.16.x - Guides
 description: |-
-  Deprecations, important or breaking changes, and remediation recommendations
-  for anyone upgrading to 1.16.x from Vault 1.15.x.
+    Deprecations, important or breaking changes, and remediation recommendations
+    for anyone upgrading to 1.16.x from Vault 1.15.x.
 ---
 
 # Overview
@@ -18,6 +18,31 @@ Vault 1.15. **Please read carefully**.
 
 ## Important changes
 
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
+
 ### Strict validation for Azure auth login requests ((#strict-azure))
 
 | Change       | Affected version
@@ -54,9 +79,9 @@ more details on plugin environment variables.
 
 <Highlight title="Avoid conflicts with containerized plugins">
 
-  Containerized plugins do not inherit system-defined environment variables. As
-  a result, containerized plugins cannot have conflicts with Vault environment
-  variables.
+    Containerized plugins do not inherit system-defined environment variables. As
+    a result, containerized plugins cannot have conflicts with Vault environment
+    variables.
 
 </Highlight>
 
@@ -73,10 +98,10 @@ $ export VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING=true
 Setting `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true` tells Vault to:
 
 1. prioritize environment variables from the Vault server environment whenever
-   the system detects a variable conflict.
+the system detects a variable conflict.
 1. report on plugin variable conflicts during the unseal process by printing
-   warnings for plugins with conflicting environment variables or logging an
-   informational entry when there are no conflicts.
+warnings for plugins with conflicting environment variables or logging an
+informational entry when there are no conflicts.
 
 For example, assume you set `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true`
 and have an environment variable `SOURCE=parent`.
@@ -136,14 +161,14 @@ endpoint, will result in the following warning from Vault:
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * default_report_months is deprecated: defaulting to billing start time
+    * default_report_months is deprecated: defaulting to billing start time
 
 
-  ```
+    ```
 
 </CodeBlockConfig>
 
@@ -155,14 +180,15 @@ Attempts to set `current_billing_period` will result in the following warning fr
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period
+    * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing
+    period
 
 
-  ```
+    ```
 
 </CodeBlockConfig>