Terraform
TFE Release v202103-3 (523)
Bug Fixes Since v202103-2:
- Fixed an issue where certain ephemeral Docker volumes were inadvertently included in Replicated snapshots, leading to snapshot timeouts.
Bug Fixes Since v202103-1:
- Fixed an issue where runs would fail to plan when using Terraform 0.13.x versions created with
terraform-bundle
.
Application Level Breaking Changes:
- The internally-managed PostgreSQL server has been upgraded from PostgreSQL 9.5 to PostgreSQL 12. Operators should back up their Terraform Enterprise data before upgrading to v202103-1. This change only affects mounted disk and proof of concept installations. Please refer to the "PostgreSQL Upgrade" section for more information.
- Changed organization name requirements to not be ambiguous with organization ID format. Although very unlikely, if an existing organization name matches a pattern
org-<16 base58 chars>
, it must be renamed.
Upcoming Deprecation Notifications:
- The Admin API endpoint to list an organization's module consumers has been deprecated, and will be removed in Terraform Enterprise v202106-1. Clients should transition to the new JSON:API compliant endpoint: List Module Consumers for an Organization.
- The Admin API endpoint to update an organization's module consumers has been deprecated, and will be removed in Terraform Enterprise v202106-1. Clients should transition to the new JSON:API compliant endpoint: Update an Organization's Module Consumers
Application Level Features:
- Added support for PostgreSQL SCRAM-SHA-256 password authentication.
- Added
db-backup-poc
,db-restore-poc
, anddb-reindex-poc
admin commands to allow proof of concept installations to backup, restore, and reindex the PostgreSQL database. - Changes how TBW handles initialization during the apply phase, removing the
-backend=false
reinitialization in favor of persisting the entire filesystem between plan and apply. - Adds Sensitive Variable Override File, which will mark TFE sensitive variables as sensitive in Terraform during runs.
- Support IMDSv2 when configuring object storage with S3 and Use Instance Profile for Access.
- Update the base OS image to Ubuntu Bionic (18.04) for the default Terraform worker image.
- Add support for forcing TLS via HSTS response headers and
Secure
cookie flags. - Added a link to an example Terraform config repo when creating a VCS workspace.
- Added the
hostname
argument to example commands in the UI where applicable - Added Terraform CLI versions up through 0.15.0-beta1 to Terraform Enterprise.
- Added run relationship to policy-checks API responses.
- Added ability to rename organizations in organization settings.
- Added the ability to filter JSON results in select places where JSON data is available (such as the state viewer). The filter language is a jq subset; see the documentation for more details.
- Added the ability to see the JSON response for policy checks within the run viewer, along with a shortcut to quickly see the results for all "main" rules within a policy check.
- Added the workspace name to the page title
- Fixed streamed log undefined waiting text
- Fixed log viewer printing "undefined" for empty logs
- Added Additional VCS Info to Workspace API Response
- Added ability to view module submodules in the private registry
- Added ability to view module examples in the private registry.
- Added JSON:API compliant endpoint to fetch an organization's module consumers.
- Added JSON:API compliant endpoint to update an organization's module consumers.
- Added ability to filter module producing organizations to the admin/organizations API endpoint.
- Added the ability to include the related run and workspace to the policy checks API endpoint.
- Changed team access API to only use pagination when requested.
Application Level Bug Fixes:
- Upgrades go-isolation to pick up bug fix for directories with spaces in the name.
- Adjust container permissions to support running
tfe-admin
commands in environments where SELinux operates inenforcing
mode. - Fix a race condition in Active/Active deployments that would potentially result in transient Vault authentication failures when using an internal Vault deployment.
- Fixed an issue where the footer did not display for logged-in users.
- Fixed a bug where a workspace would think it had a working configuration version after someone ran
terraform plan
, but it wouldn't be able to queue new runs. - Fixed keyboard accessibility for modules in the private registry
- Changed admin organizations api returns 422 if global_module_sharing: null passed in
- Fixed an issue with the reliability of copying text from log output in the Google Chrome browser
- Fixed an inconsistency of icon colors within certain button types.
- Fixed alignment and icon issues on Notifications page
- Added ability to keyboard-navigate into streamed logs on a run and provisioning instructions on a module
- Fixed pagination params for page size and number for audit trail endpoint
- Fixed sourceable run trigger dropdown when there are more than 50 workspaces available
- Changed instructions to add a new GitHub.com (custom) provider to align with a change to the GitHub UI/UX
- Fixed email logos not rendering if
ASSET_HOST
is not set in a TFE instance - Fixed GitHub icon rendering in Firefox
- Added keyboard-only navigation to workspace heading links
- Added keyboard-only navigation for accordion elements such as run phase expanding boxes.
- Fixed accessibility of heading order for screen readers
- Fixed price error for certain AWS Elasticache node types during Cost Estimation.
- Fixed a potential issue where some cost estimates might be off by 1-2%
- Fixed the user invitation modal list of teams, ensuring teams are correctly paginated to include all of them.
- Fixed an issue where working directories were having their leading and trailing slashes stripped during updating.
- Fixed Modules ingress for Bitbucket Webhook events containing multiple changes.
- Fixed an issue where custom CA certificates were not being passed to the
telegraf
container. - Fixed API issue where includable resource parameters were required to be underscored, even as the API is generally hyphenated.
- Fixed workspace variables API to require the correct workspace in URL
- Fixed issue not showing all teams when adding team access to a workspace.
Application Level Security Fixes:
- Enforce organization-level setting that requires users within an organization to have two-factor authentication enabled (CVE-2021-3153).
- Reduce exposure by proactively revoking per-run tokens on run completion.
- Update go-slug to v0.5.0 to pick up security fixes for maliciously crafted tarballs.
- Update Rails to 6.0.3.5, addressing security vulnerabilities.
- Ongoing container updates to address reported vulnerabilities in underlying packages / dependencies.
PostgreSQL Upgrade:
The PostgreSQL versioning policy states that PostgreSQL 9.5 had its final release on February 11, 2021. As such, the internally-managed PostgreSQL server has been upgraded from PostgreSQL 9.5 to PostgreSQL 12. This change only affects mounted disk and proof of concept installations. It does not affect external services installations.
The first time a Terraform Enterprise installation is upgraded to v202103-1, a program will be executed that will upgrade the PostgreSQL 9.5 data to PostgreSQL 12. This program takes a backup of the PostgreSQL data before upgrading. Regardless, operators should back up their Terraform Enterprise data before upgrading to Terraform Enterprise v202103-1.
Additionally, operators should familiarize themselves with the following knowledge base articles.