Terraform
Terraform Enterprise v202207-1 (641)
Known Issues
- Only applicable when using External Vault. You must update your External Vault policy to use specific API paths instead of wildcard matching. Skipping this step prevents Terraform Enterprise from starting.
Highlights
- This release includes a data migration that will strengthen the association between a workspace and its current configuration version. This will improve query performance in many Terraform Enterprise workflows and reduce unnecessary
git clone
operations by keeping Terraform Enterprise from archiving the latest configuration version. This migration will lengthen the upgrade process. You can expect it to take roughly 1 to 1.5 minutes per 10,000 workspaces. - Using the new
azure_use_msi
andazure_client_id
settings, it is now possible to authenticate to Azure Blob Storage with a system-assigned or user-assigned Azure managed identity. - The
gcs_credentials
setting is now optional. Terraform Enterprise will attempt to authenticate to Google Blob Storage with the attached service account when thegcs_credentials
variable is unset. - The internally-managed PostgreSQL server has been upgraded from PostgreSQL 12 to PostgreSQL 14. This change only affects mounted disk mode. It does not affect external services installations. The first time a Terraform Enterprise installation is upgraded to v202207-1, a program will be executed that will upgrade the PostgreSQL 12 data to PostgreSQL 14. This program takes a backup of the PostgreSQL data before upgrading. Regardless, operators should back up their Terraform Enterprise data before upgrading to Terraform Enterprise v202207-1.
- External Services mode now officially supports PostgreSQL v13.x and v14.x. Follow the instructions to upgrade your PostgreSQL server: Amazon RDS, Azure PostgreSQL, Google Cloud PostgreSQL, or a self-hosted PostgreSQL database.
- The
azure_endpoint
setting is now optional. The default Azure Blob Storage endpoint will be used when this setting is unset. If you have previously set a value for this setting and wish to use the default Azure Blob Storage endpoint, usetfe-admin app-config -k azure_endpoint -v ''
to unset it to prevent adial tcp: lookup example_account.core.windows.net on 127.0.0.11:53: no such host"
error on application startup.
Note: As of November 2, 2022, Terraform Enterprise fixed an issue that prevented the previously mentioned data migration from completing when workspaces had large amounts of configuration versions. This fix also improves performance. The digest of the new tfe-atlas
container is: sha256:0814d28867f5fa1b42a192237be94c8699f5af5102afcd8c10731636fc42e5b8
Features
- When you create a new workspace in the UI from a version control repository, Terraform Enterprise scans its configuration files for Terraform variables and displays any that do not have a default value and are not defined in an existing global variable set. This lets you set values for these variables in preparation for your first Terraform run. If you skip this step, you can still create these variables manually later from within the workspace.
- You can now scope agent pools to specific workspaces from the Agent Pool settings page. This will allow you to protect sensitive workspaces by restricting which workspaces can target each agent pool.
- The Prometheus metrics endpoint now ships an additional metric
tfe_run_current_count
, which represents the current count of TFE runs in a given workspace, organization, and status. - Administrators can use Admin Settings to set the maximum number of workspaces for any single organization.
Improvements
- When listing workspaces, you can now use the
exclude-tags
parameter to exclude workspaces with specific tags. - Any trailing
/
character will now be trimmed from the External Vault address (extern_vault_addr
) to prevent making API requests to incorrect API paths. - API responses to the provider registry may now be shown in a different order than the previous release.
Bug Fixes
- Archivist will now return 500 status codes when Vault calls fail, and it is not a result of user error. Previously all Vault failures caused Archivist to return 400 status codes.
- The edit button for workspace notification configurations now displays correctly instead of appearing as an unstyled link.
- Logs no longer contain unhelpful
ruby_analytics
log messages. - The workspace variables settings page can now display all variable sets applied to a workspace, rather than just the first twenty.
- Users may now authenticate via SAML in multiple concurrent sessions. Previously a bug would log out any existing sessions when authenticating via SAML.
- Workspaces will no longer occasionally get stuck in a pending state when multiple runs are triggered at the same time.
- Long variable keys on a workspace's variable page used to hide the corresponding sensitive and/or HCL tags. These tags now appear in the UI as expected.
- VCS workspaces that end with a trailing
/
character will correctly render theREADME.md
file if present. - Structured run output will no longer attempt to display a diff for data sources in the plan UI. This prevents a spurious error when data sources are used in a Terraform plan.
- Changed ingress logic to avoid displaying unsupported GitHub repositories.
- API rate limiting logic was modified to differentiate between the types of token being used for access, reducing reliance on the IP-based fallback rule which was causing problems in some shared environment use cases.
Security
- The External Vault policy has been updated to use specific API paths instead of wildcard matching.
- The version of the internally-managed Nomad server has been updated to 1.3.1.
- Container updates have been adopted, addressing reported vulnerabilities (CVEs) in underlying packages / dependencies. This change bumps the version of Fluent Bit in
tfe-fluent-bit
to 1.9.5.