hashicorp · nithishravindra · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
@@ -1,6 +1,8 @@
 # Unreleased
 
 ## Enhancements
+
+* Policy Sets: Add `PolicyUpdatePattern []string` to `PolicySet`, `PolicySetCreateOptions`, and `PolicySetUpdateOptions` to support `policy-update-patterns`.
 * Adds `UserTokensEnabled` field to `Organization` to support enabling/disabling user tokens for an organization by @JarrettSpiker [#1225](https://github.com/hashicorp/go-tfe/pull/1225)
 
 # v1.97.0

@@ -93,14 +93,15 @@ type PolicySet struct {
 	Global       bool       `jsonapi:"attr,global"`
 	PoliciesPath string     `jsonapi:"attr,policies-path"`
 	// **Note: This field is still in BETA and subject to change.**
-	PolicyCount       int       `jsonapi:"attr,policy-count"`
-	VCSRepo           *VCSRepo  `jsonapi:"attr,vcs-repo"`
-	WorkspaceCount    int       `jsonapi:"attr,workspace-count"`
-	ProjectCount      int       `jsonapi:"attr,project-count"`
-	CreatedAt         time.Time `jsonapi:"attr,created-at,iso8601"`
-	UpdatedAt         time.Time `jsonapi:"attr,updated-at,iso8601"`
-	AgentEnabled      bool      `jsonapi:"attr,agent-enabled"`
-	PolicyToolVersion string    `jsonapi:"attr,policy-tool-version"`
+	PolicyCount          int       `jsonapi:"attr,policy-count"`
+	VCSRepo              *VCSRepo  `jsonapi:"attr,vcs-repo"`
+	WorkspaceCount       int       `jsonapi:"attr,workspace-count"`
+	ProjectCount         int       `jsonapi:"attr,project-count"`
+	CreatedAt            time.Time `jsonapi:"attr,created-at,iso8601"`
+	UpdatedAt            time.Time `jsonapi:"attr,updated-at,iso8601"`
+	AgentEnabled         bool      `jsonapi:"attr,agent-enabled"`
+	PolicyToolVersion    string    `jsonapi:"attr,policy-tool-version"`
+	PolicyUpdatePatterns []string  `jsonapi:"attr,policy-update-patterns"`
 
 	// Relations
 	// The organization to which the policy set belongs to.
@@ -188,6 +189,9 @@ type PolicySetCreateOptions struct {
 	// Optional: The policy tool version to run the evaluation against.
 	PolicyToolVersion *string `jsonapi:"attr,policy-tool-version,omitempty"`
 
+	// Optional: List of policy update patterns.
+	PolicyUpdatePatterns []*string `jsonapi:"attr,policy-update-patterns,omitempty"`
+
 	// Optional: The sub-path within the attached VCS repository to ingress. All
 	// files and directories outside of this sub-path will be ignored.
 	// This option may only be specified when a VCS repo is present.
@@ -240,6 +244,9 @@ type PolicySetUpdateOptions struct {
 	// Optional: The policy tool version to run the evaluation against.
 	PolicyToolVersion *string `jsonapi:"attr,policy-tool-version,omitempty"`
 
+	// Optional: List of policy update patterns.
+	PolicyUpdatePatterns []*string `jsonapi:"attr,policy-update-patterns,omitempty"`
+
 	// Optional: The sub-path within the attached VCS repository to ingress. All
 	// files and directories outside of this sub-path will be ignored.
 	// This option may only be specified when a VCS repo is present.

@@ -157,6 +157,7 @@ func TestPolicySetsCreate(t *testing.T) {
 		Beta:       Bool(false),
 	}
 	sv, err := client.Admin.SentinelVersions.Create(ctx, opts)
+
 	defer func() {
 		err := client.Admin.SentinelVersions.Delete(ctx, sv.ID)
 		require.NoError(t, err)
@@ -412,6 +413,7 @@ func TestPolicySetsCreate(t *testing.T) {
 				OAuthTokenID:      String(oc.ID),
 				IngressSubmodules: Bool(true),
 			},
+			PolicyUpdatePatterns: []*string{String("**"), String("*.sentinel")},
 		}
 
 		ps, err := client.PolicySets.Create(ctx, orgTest.Name, options)
@@ -433,6 +435,9 @@ func TestPolicySetsCreate(t *testing.T) {
 		assert.Equal(t, ps.VCSRepo.RepositoryHTTPURL, fmt.Sprintf("https://github.com/%s", githubIdentifier))
 		assert.Equal(t, ps.VCSRepo.ServiceProvider, string(ServiceProviderGithub))
 		assert.Regexp(t, fmt.Sprintf("^%s/webhooks/vcs/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$", regexp.QuoteMeta(DefaultConfig().Address)), ps.VCSRepo.WebhookURL)
+
+		assert.Equal(t, len(ps.PolicyUpdatePatterns), 2)
+		assert.Contains(t, ps.PolicyUpdatePatterns, "*.sentinel")
 	})
 
 	t.Run("with vcs policy updated", func(t *testing.T) {
@@ -458,6 +463,7 @@ func TestPolicySetsCreate(t *testing.T) {
 				OAuthTokenID:      String(oc.ID),
 				IngressSubmodules: Bool(false),
 			},
+			PolicyUpdatePatterns: []*string{String("**"), String("*.sentinel")},
 		}
 
 		ps, err := client.PolicySets.Update(ctx, vcsPolicyID, options)
@@ -475,6 +481,9 @@ func TestPolicySetsCreate(t *testing.T) {
 		assert.Equal(t, ps.VCSRepo.RepositoryHTTPURL, fmt.Sprintf("https://github.com/%s", githubIdentifier))
 		assert.Equal(t, ps.VCSRepo.ServiceProvider, string(ServiceProviderGithub))
 		assert.Regexp(t, fmt.Sprintf("^%s/webhooks/vcs/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$", regexp.QuoteMeta(DefaultConfig().Address)), ps.VCSRepo.WebhookURL)
+
+		assert.Equal(t, len(ps.PolicyUpdatePatterns), 1)
+		assert.Contains(t, ps.PolicyUpdatePatterns, "*.sentinel")
 	})
 
 	t.Run("without a name provided", func(t *testing.T) {