Terraform
Terraform Enterprise v202301-1 (675)
Last required release: v202207-2 (642)
Known Issues
- The logging for some services (tfe-atlas and tfe-sidekiq) are set to
debug
causing an increase in logging output. This is corrected in v202301-2. - [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
Deprecations
- The following operating systems are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
- Debian 8, 9
- Ubuntu 14.04, 16.04
- Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
- The following PostgreSQL server versions are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
- PostgreSQL 11
- Terraform Build Workers are deprecated and will be removed in v202305-1; the base image responsible for executing Terraform runs is changing to tfc-agent. If you are using an alternative worker image, you must migrate to a new image using the tfc-agent base image before v202305-1. If you are not using an alternative worker image no action is required, you will automatically migrate to the new base image in v202302-1 or higher. For more information, refer to the Custom Agent Image migration guide.
Breaking Changes
The "Manage Policies" Organization Permission has been modified to remove excessive access to resources. This is a breaking change as Policy Managers may now require additional permission to perform tasks. As per the API Stability Policy, backwards incompatible changes may be necessary to protect your security. The following permissions changes have been made:
- Policy Managers will no longer be able to read State Versions.
- Policy Managers will no longer be able to read State Version Outputs.
- Policy Managers will no longer be able to read Assessments and Assessment Results.
- Policy Managers will no longer be able to read variables and variable sets which are not Policy Set parameters.
- Policy Managers will no longer be able to create Workspace Comments.
- Policy Managers will no longer be able to read Workspace Resources.
- Policy Managers will no longer be able to read Run Triggers.
- Policy Managers will no longer be able to list Configuration Versions.
- Policy Managers will no longer be able to read Workspace Notification Configurations.
- Policy Managers will be able to read OAuth Client and OAuth Tokens. Without this change, policy managers cannot add VCS backed Policy Sets.
- Policy Managers be able to list runs in a workspace.
Highlights
- We've streamlined and updated the Graphical User Interface's navigation menus to match Terraform Cloud. You can now navigate the app from the side menu instead of using a mix of the top menu, side menu, and tabs.
Features
- You can now share providers in your private registries across many organizations, just like you can for modules. Choose if you want to share all modules and providers, only modules, or only providers. No more publishing and republishing providers in separate organizations.
- New workspace state feature allows rollback to an older version of state. This can be used to fall back to a known good version of state following an event such as an unfinished upgrade or unwanted state manipulation. The operation does not remove prior states and does not change underlying infrastructure.
Improvements
- Terraform Enterprise will show a summary of the resources to be created, modified, and destroyed near the prompt to apply or discard a run. It highlights failed policy checks, destroyed resources, or failed run tasks more prominently, so users have better visibility into whether they are applying a potentially dangerous plan.
- The organization access permissions are now more consistently formatted and have clearer permission subheadings.
- Rare instances of workspaces failing to delete now have more informative logging.
- The private registry will now validate providers are supported by the Terraform SDK.
- Workspace API responses now include a
self-html
link, which is a browsable URL for the workspace. - The private registry will no longer accept identifiers for prerelease versions of modules or providers that do not conform to the SemVer standard. Attempts to publish a version with an invalid prerelease version identifier (e.g.
1.2.3.4
or1.2.3-beta!
) will now fail. - Diagnostics results view for Structured Run Output can now be collapsed.
- When a workspace set to Structured Run Output mode has a successful apply, the Outputs view will be expanded by default.
Bug Fixes
- Database schemas are now created every time the application is started, fixing an issue where the
task_worker
schema was missing upon upgrade. - Sentinel policy runs no longer fail with the error
exec: "getent": executable file not found in $PATH
. - The
tfe-admin support-bundle
command no longer fails uploading support bundles to Google Cloud Storage. - Attempts to update a user's email to an invalid value will now be rejected when the update it attempted, not during confirmation of the new email.
- Old workspaces which have undergone a destroy run before Oct 3, 2023 may now be safe-deleted.
- Provider binary's name is now validated at the time of publishing, fixing an issue where a provider could be made unusable if the filename contained invalid characters.
- Sentinel will no longer assume that unknown values are boolean, fixing an issue for some Terraform plan variations.
- The teams/organization-memberships endpoint no longer gives a 500 response error when you try to delete a member whose user record could not be found.
- For modules or providers with prerelease versions (e.g.
v1.2.3-preview-2
), the registry's internal sorting was sometimes incorrect. This could result in the wrong version being presented as the "latest" version in some API responses. As new versions of a module or provider are added to the database, they will now be resorted correctly. - State version output type validations no longer cause exceptions due to optional attribute bugs in Terraform.
- State version parser service omits detailed type information in callback responses for V1-V3 statefiles since detailed types are V4 statefile specific. This prevents validation exceptions in TFC when state version outputs are processed and stored.
- When creating multiple workspaces simultaneously with the same tags, each workspace will be created successfully with respective tags attached to it, instead of sometimes returning a
404 Not Found
error. - VCS runs will no longer trigger on discarded workspaces.
Security
- Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.