From 726e3a0a4726ea74755fee1d8a9796ada73db5f2 Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Wed, 29 Oct 2025 16:08:17 +1100 Subject: [PATCH 1/7] Clarify Sentinel override behavior for hard-mandatory policies --- .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index 79d1f10271..28b70668cc 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,6 +20,8 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. +-> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level. + If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. These users can also override `soft-mandatory` policies by running the `terraform apply` command and then entering "override" when prompted to override failed `soft-mandatory` policies for the run. From 38a5f98487d741e99c972c2b4d58ebd0f044a218 Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Thu, 30 Oct 2025 16:13:13 +1100 Subject: [PATCH 2/7] Fix formatting of note regarding policy set overrides in enforce.mdx --- .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index 28b70668cc..69cb6024fe 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,7 +20,7 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. --> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level. +-> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. From 9a8e1b05ecee060989d4cc9ba9f715c546f14835 Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Thu, 30 Oct 2025 16:13:44 +1100 Subject: [PATCH 3/7] Fix punctuation in note about policy set overrides in enforce.mdx --- .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index 69cb6024fe..28b70668cc 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,7 +20,7 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. --> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level +-> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level. If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. From a895564cd19ec0db75c94e81166998546efb8c77 Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Thu, 30 Oct 2025 17:33:11 +1100 Subject: [PATCH 4/7] Clarify note on policy set overrides in enforce.mdx --- .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index 28b70668cc..39ed00e648 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,7 +20,7 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. --> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override both soft- and hard-mandatory policy failures. This override setting takes precedence over the individual policy’s enforcement level. +-> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as hard mandatory. This override setting takes precedence over the individual policy’s enforcement level. If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. From 66737e00f7614a086c75c9e52572ca67e400ccec Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Thu, 30 Oct 2025 17:38:28 +1100 Subject: [PATCH 5/7] Fix formatting of note regarding hard-mandatory policies in enforce.mdx --- .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index 39ed00e648..d3af03cbb2 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,7 +20,7 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. --> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as hard mandatory. This override setting takes precedence over the individual policy’s enforcement level. +-> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as `hard-mandatory`. This override setting takes precedence over the individual policy’s enforcement level. If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. From fdf31cf0730109c653611236318927940e3b1faf Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Mon, 10 Nov 2025 15:52:17 +1100 Subject: [PATCH 6/7] Add clarification on policy set overrides in Sentinel documentation --- .../enterprise/policy-enforcement/manage-policy-sets/index.mdx | 3 +++ .../v202301-1/docs/enterprise/sentinel/enforce.mdx | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx b/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx index b5899c295f..a58ca105df 100644 --- a/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx +++ b/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx @@ -65,6 +65,9 @@ Sentinel provides three policy enforcement levels: - **soft mandatory:** Failed policies stop the run, but any user with [Manage Policy Overrides permission](/terraform/enterprise/users-teams-organizations/permissions#manage-policy-overrides) can override these failures and allow the run to complete. - **hard mandatory:** Failed policies stop the run. Terraform does not apply runs with failed **hard mandatory** policies until a user fixes the issue that caused the failure. +~> **Tip:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as `hard-mandatory`. This override setting takes precedence over the individual policy’s enforcement level. + + ### OPA OPA provides two policy enforcement levels: diff --git a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx index d3af03cbb2..79d1f10271 100644 --- a/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx +++ b/content/terraform-enterprise/v202301-1/docs/enterprise/sentinel/enforce.mdx @@ -20,8 +20,6 @@ Refer to the [Managing Policies](/enterprise/sentinel/manage-policies) documenta All `hard-mandatory` must pass in order for the run to continue to the "Confirm & Apply" state. All `soft-mandatory` policies must pass or be overridden for the run to continue to the "Confirm & Apply" state. --> **Note:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as `hard-mandatory`. This override setting takes precedence over the individual policy’s enforcement level. - If any `soft-mandatory` policies fail and no `hard-mandatory` policies fail, users with [permission to override policies](/enterprise/users-teams-organizations/permissions#manage-policy-overrides) will be presented with an **Override & Continue** button in the run in the Terraform Cloud workspace. This allows them to override the failed `soft-mandatory` policy checks and continue the execution of the run. This will not have any impact on future runs. These users can also override `soft-mandatory` policies by running the `terraform apply` command and then entering "override" when prompted to override failed `soft-mandatory` policies for the run. From 2426d61decf878a71fb6886367b2708eae3d244e Mon Sep 17 00:00:00 2001 From: Andrew Assaf Date: Mon, 10 Nov 2025 15:53:54 +1100 Subject: [PATCH 7/7] Remove unnecessary blank line in policy enforcement section of documentation --- .../enterprise/policy-enforcement/manage-policy-sets/index.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx b/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx index a58ca105df..f6fb20717b 100644 --- a/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx +++ b/content/terraform-enterprise/1.0.x/docs/enterprise/policy-enforcement/manage-policy-sets/index.mdx @@ -67,7 +67,6 @@ Sentinel provides three policy enforcement levels: ~> **Tip:** If the policy set option “This policy set can be overridden in the event of mandatory failures” is enabled, users with the appropriate permissions (such as admins or team owners) can override any failed policy checks in that set, including those marked as `hard-mandatory`. This override setting takes precedence over the individual policy’s enforcement level. - ### OPA OPA provides two policy enforcement levels: