Terraform
Terraform Enterprise v202305-1 (703)
Last required release: v202304-1 (692)
Known Issues
- Some installations may experience longer page loads on pages that load a list of organizations. This issue is resolved in v202305-2.
- [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
Deprecations
Note: The deadline for the deprecation of Terraform Build Workers has been extended to v202306-1 to ensure we support writing to environment variables.
- [New date] Terraform Build Workers are deprecated and will be removed in Terraform Enterprise v202306-1. The base image responsible for executing Terraform runs is now
hashicorp/tfc-agent
. If you are using an alternative worker image you must migrate to a new image, usinghashicorp/tfc-agent
as the base image before Terraform Enterprise v202306-1. If you are not using an alternative worker image, then you will automatically migrate to the new base image and no futher action is required. For more information, refer to the Custom Agent Image migration guide. - [Updated: August 2023] The
aws
CLI utility is no longer included in the base image. If theaws
CLI utility is needed in your custom agent image, you may install it by following the AWS CLI installation instructions. For more information, refer to the Custom Agent Image migration guide.
Features
- Users can now apply variable sets to specified projects. Applying a variable set to a project(s) means that the variable set is accessible to all existing and future workspaces within that project(s). Users can apply variable sets to projects through:
- You can now specify a base64 encoded PEM format CA certificate for usage when connecting with Vault for dynamic or Vault-backed credentials via the
TFC_VAULT_ENCODED_CACERT
environment variable. - When creating authentication tokens for users, teams, and organizations, you can now set an expiration date and time for that token. You can no longer authenticate with tokens past their expiration date and time.
- Dynamic Provider Credentials now support generating credentials with Vault Dynamic Secrets Engines for AWS, Azure, and Google Cloud.
- A TTL can now be set on a user token through the user settings of the user interface.
- Added automated license utilization reporting, which sends minimal product-license metering data to HashiCorp without requiring you to manually collect and report them.
Improvements
- Optimize workspace variable overwrite creation to speed up varset creation. Requests to create variable sets should not time out now.
- Fixed date/timestamp on workspace resource table in Terraform Cloud's user interface.
- Octokit now logs an error when there is a problem editing the settings of a workspace.
- Updated the variable sets user interface to use the new Helios design system components.
- Updated the project user interface to use the new Helios design system PowerSelect style override.
- Improve the user interface for organization, team, and user API tokens, by updating the tokens' icon and last used text.
- OPA tool versions are now added automatically, no longer requiring manual effort.
- Team management at the workspace level is paginated.
- Team management at the workspace level is searchable.
- Workspace settings now use a fluid page layout, matching Organization settings.
- All headings and subheadings now use the new Helios design system typography, font weight, and color to create consistency in page styling and information hierarchy for users.
Bug Fixes
- Granting a team the
manage-workspaces
ormanage-projects
organization permissions would prevent a team from accessing some resources granted by their read-only equivalents,read-workspaces
andread-projects
. For example, the manage permissions were not providing access to non-global variable sets, even though read permissions grant this access at the same level. - TFE now supports the
node-drain
command when running inagent
run pipeline mode. - The
gcs_credentials
setting can now be set to{}
to configure Terraform Enterprise to authenticate to Google Cloud Storage using the attached service account.
Security
- Updated the Nokogiri Gem, which can now resolve multiple CVEs with libxml
- Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.