Terraform
Terraform Enterprise v202212-1 (665)
Last required release: v202207-2 (642)
Known Issues
The Certificate Authority (CA) bundle is not injected into the
tfe-task-worker
container, resulting in x509 errors in Sentinel policies when connecting to HTTPS endpoints. This is fixed in Terraform Enterprise v202212-2.The logging for some services (tfe-atlas and tfe-sidekiq) are set to
debug
causing an increase in logging output. This is corrected in v202301-2.[Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
Deprecations
The following operating systems are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
- Debian 8, 9
- Ubuntu 14.04, 16.04
- Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
The following PostgreSQL server versions are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
- PostgreSQL 11
Highlights
- The
tfe-nomad
container has been removed and replaced with a newtfe-task-worker
container. Thetfe-task-worker
container is now responsible for runningsentinel
,cost-estimation
, andplan-exporter
tasks. Logs for these tasks can now be found in thetfe-task-worker
container logs. This change is part of a larger effort to refresh the architecture of Terraform Enterprise, improve performance and reliability of runs, and support future application-level features. - A new
tfe-atlas-ui
container has been added to serve the Terraform Enterprise frontend and static assets. - Terraform Enterprise no longer starts when connected to an unsupported PostgreSQL server version to prevent potential database incompatibility issues when upgrading. The entry
PostgreSQL version X does not meet PostgreSQL version requirements
will appear in the logs. - Terraform Enterprise now supports Run tasks in the Pre-plan and Pre-apply stages of a run. Run tasks are custom integrations that can send run data to external services. They can either produce warnings or stop runs, depending on your workspace settings.
Features
- For Terraform versions 1.2+, Terraform Enterprise hides data sources reads in the plan UI by default. Use the filter checkbox to show them when necessary.
- The List Workspaces API endpoint now supports wildcard matching. For example, searching with
search[wildcard-name]=*-prod
returns all workspaces ending in-prod
.
Improvements
- Improved the performance of a data migration added in Terraform Enterprise v202207-1 for installations with large amounts of configuration versions.
- You no longer need to confirm plans with no infrastructure changes that Terraform created with the
allow-empty-apply
option. You may want to use this option when you upgrade your workspace's state to a new Terraform version. - The users administration page now displays a warning next to accounts with an unconfirmed email address.
Bug Fixes
- Terraform Enterprise no longer occasionally fails to save outputs associated with a new state.
- The
tfe-registry-worker
now consistently cleans up the temp disk space that it used during module ingress. - Using the the API to create a module version beginning with
v
no longer prevents the registry from displaying other module versions. Versions likev1.0.3
previously caused failures. - You can now download Sentinel mocks for older Terraform runs.
- When you cancel a Terraform run during the apply process, Terraform Enterprise now displays the resource state as
Unknown
. Previously, the UI showed a message incorrectly implying that Terraform was still attempting to complete the apply. - The VCS provider settings no longer displays a blank page for organizations with large numbers of VCS providers.
- Failed attempts to reauthorize VCS providers no longer prevent new reauthorization workflows.
- OAuth clients that the
tfe-provider
is managing can no longer start VCS provider reauthorization. - Public GitHub avatars will no longer be used for private provider logos when the namespace for the private provider matches a GitHub username.
Security
- Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.