Terraform
Terraform Enterprise v202302-1 (681)
Last required release: v202207-2 (642)
Known Issues
- When you assign a team the manage-workspaces permission through the API, the team is also explicitly granted the read-workspaces permission, which provides a subset of the functionality. However, using the API to revoke just the manage-workspaces permission does not revoke the read-workspaces permission. This means that existing automation (including the tfe provider) for revoking the manage-workspaces permission will leave the team with the read-workspaces permission, whereas previously the team would be left with no workspace access at the organization level. This will be resolved in upcoming versions of Terraform Enterprise and the tfe provider.
- Terraform runs remain queued indefinitely when using the agent run pipeline mode unless the Enable agents functionality checkbox is checked in the admin interface. The logs for tfe-task-worker will show [ERROR] core: Unexpected HTTP response code: method=POST url=https://terraform.example.com/api/agent/register status=404. This is resolved in Terraform Enterprise v202303-1.
- [April 6, 2023] The tfe-admin node-drain command does not currently work when the run_pipeline_mode configuration setting is set to agent. See the notes under the Highlights section for more details regarding this setting. This issue is fixed in the v202305-1 release.
- Saving boolean false variable values causes 500 errors. This has been fixed in v202303-1.
- [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading to v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
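For the first known issue above (revoking manage-workspaces leaves read-workspaces in place), the following added example, which is not HashiCorp's code, audits a teams listing for that leftover state and builds an update body that clears both permissions. The JSON shape (an organization-access object keyed by permission name), the team ids and names, and the intended_readers allow-list are assumptions constructed for illustration.

```python
import json

# Constructed sample of a teams listing; ids and names are made up.
SAMPLE_TEAMS = json.loads("""
{"data": [
  {"id": "team-EXAMPLE1", "attributes": {"name": "platform",
    "organization-access": {"manage-workspaces": true, "read-workspaces": true}}},
  {"id": "team-EXAMPLE2", "attributes": {"name": "contractors",
    "organization-access": {"manage-workspaces": false, "read-workspaces": true}}},
  {"id": "team-EXAMPLE3", "attributes": {"name": "auditors",
    "organization-access": {"manage-workspaces": false, "read-workspaces": false}}}
]}
""")


def residual_read_teams(listing, intended_readers=()):
    """Return (id, name) for teams that hold read-workspaces without
    manage-workspaces and are not on the allow-list of teams that are
    meant to have organization-wide read access."""
    flagged = []
    for team in listing.get("data", []):
        attrs = team.get("attributes", {})
        access = attrs.get("organization-access") or {}
        leftover = access.get("read-workspaces") and not access.get("manage-workspaces")
        if leftover and attrs.get("name") not in intended_readers:
            flagged.append((team["id"], attrs.get("name")))
    return flagged


def full_revoke_payload():
    """Update body that revokes both permissions explicitly instead of
    relying on manage-workspaces alone (assumed JSON:API style shape)."""
    return {"data": {"type": "teams", "attributes": {
        "organization-access": {"manage-workspaces": False,
                                "read-workspaces": False}}}}


if __name__ == "__main__":
    for team_id, name in residual_read_teams(SAMPLE_TEAMS):
        print(team_id, name, json.dumps(full_revoke_payload()))
```

Teams that are supposed to keep organization-wide read access go in intended_readers so they are not flagged.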
Breaking Changes
- The sub claim for workload identity tokens now contains project information. You must update the trust relationship on your cloud provider to expect project information in this claim.
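The check below is an added example, not code from HashiCorp, that classifies existing trust-policy patterns on the sub claim by whether they still match once project information is present. The two claim layouts, the wildcard semantics (* and ? as in common cloud IAM string conditions), and the sample organization, project, workspace and patterns are assumptions constructed for illustration.

```python
import re

# Assumed sub claim layouts before and after this release; not shown on this page.
OLD_SUB = "organization:{org}:workspace:{ws}:run_phase:{phase}"
NEW_SUB = "organization:{org}:project:{proj}:workspace:{ws}:run_phase:{phase}"

# Constructed trust-policy patterns to audit.
PATTERNS = [
    "organization:acme:workspace:prod-net:run_phase:*",
    "organization:acme:project:networking:workspace:prod-net:run_phase:*",
    "organization:acme:*",
    "organization:other:*",
]


def wildcard_match(pattern, value):
    """Case-sensitive match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None


def classify(pattern, org, proj, ws, phase="apply"):
    """breaks: matched only the old claim, so runs will be rejected.
    ready: matches only the new claim.
    broad: matches both, so the wildcard spans the project segment.
    no-match: matches neither."""
    old_ok = wildcard_match(pattern, OLD_SUB.format(org=org, ws=ws, phase=phase))
    new_ok = wildcard_match(
        pattern, NEW_SUB.format(org=org, proj=proj, ws=ws, phase=phase))
    if old_ok and new_ok:
        return "broad"
    if old_ok:
        return "breaks"
    return "ready" if new_ok else "no-match"


def audit(patterns=PATTERNS, org="acme", proj="networking", ws="prod-net"):
    return {p: classify(p, org, proj, ws) for p in patterns}


if __name__ == "__main__":
    for pattern, status in audit().items():
        print(f"{status:9} {pattern}")
```

A "broad" result keeps working after the upgrade but is worth reviewing, since the wildcard admits every project and workspace in the organization.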
Deprecations and End of Support
The following operating systems are no longer supported:
- Debian 8, 9
- Ubuntu 14.04, 16.04
- Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
The following PostgreSQL server versions are no longer supported:
- 11
Terraform Build Workers are deprecated and will be removed in Terraform Enterprise v202305-1. The base image responsible for executing Terraform runs is now hashicorp/tfc-agent. If you are using an alternative worker image, you must migrate to a new image using hashicorp/tfc-agent as its base image before Terraform Enterprise v202305-1. If you are not using an alternative worker image then you will automatically migrate to the new base image and no further action is required. For more information, refer to the Custom Agent Image migration guide.
[Updated: August 2023] The aws CLI utility is no longer included in the base image. If the aws CLI utility is needed in your custom agent image, you may install it by following the AWS CLI installation instructions. For more information, refer to the Custom Agent Image migration guide.
Highlights
- Three components of the run pipeline, tfe-build-worker, tfe-build-manager, and tfe-rabbitmq, have been replaced with tfe-task-worker, a local implementation of tfc-agent. If you are using an alternative worker image, you will need to migrate to a new image before enabling the new run pipeline. If you are not using an alternative worker image then you will automatically migrate to the new run pipeline. The new run pipeline can be manually enabled by setting the run_pipeline_mode configuration setting to agent or disabled by setting the run_pipeline_mode configuration setting to legacy. Monitoring integrations may need to be updated if you are monitoring tfe-build-worker, tfe-build-manager, or tfe-rabbitmq.
- Workspaces can now be grouped into projects. Projects help users organize and centrally manage their workspaces at scale while providing more granular permissions to a subset of workspaces. Each project has a separate permissions set that you can use to grant teams access to all workspaces in the project. This blog post covers projects in more detail.
- The GitHub App Integration is now available for Terraform Enterprise. Connect your Workspaces, Policy Sets, & Registry Modules without creating an Organization OAuth Client. Requires site-admin access to set up.
- Red Hat Enterprise Linux 8.7 is now supported.
Features
- Sentinel Policy Checks now run Sentinel 0.19.5, introducing support for static imports, allowing supporting data to be imported into a policy.
- Organization owners can now assign teams read access to workspaces and projects within a particular organization.
- Added Terraform versions 1.3.8 and 1.4.0-beta1.
- Structured run output is enabled for CLI-driven workspaces when using Terraform CLI version 1.4.0-beta1 or later.
- The VCS Events page is now available for Terraform Enterprise. The page displays VCS-related messages such as when processing fails due to a duplicate webhook.
Improvements
- tfe-admin support-bundle will now upload support bundles to object storage for both external services and active/active installations.
- The name of the VCS repository is now included in 400 request errors when an error occurs while creating a VCS workspace.
- When a webhook is received that contains the same commit SHA of a previously processed webhook that created a non-speculative run, it will no longer be processed and a message will be logged to the VCS Events page.
Bug Fixes
- Previously, a bug was introduced which changed the flash message design. The design bug is now fixed.
- The sidebar items of the workspace overview page are now displayed with proper height when the workspace has a long README.
- The workspace overview page now displays its sidebar component visibly in small screens.
- Terraform plans no longer error when generating Sentinel mock files.
Security
- The endpoint used for confirming a user's email address now has a tighter rate limit to reduce risk of email spam attacks.
- The endpoint used for sending "Forgot Password" emails now has a rate limit to reduce risk of email spam attacks.