Terraform
Terraform Enterprise v202310-1 (741)
Last required release: v202304-1 (692)
Flexible Deployment Options terraform-enterprise
container digest: amd64/linux sha256:b29fddcf650f384066995e7da1ddc11432851bb07c942840359e91eadf3381c2
Known Issues
- Azure DevOps VCS-backed workspaces may be unable to connect to the VCS, execute plans or runs, or import modules. The error in the logs shows
no matching host key type found. Their offer: ssh-rsa","component":"atlas"
. There are several workarounds available depending on the deployment option of TFE. Refer to this knowledge base article for more information. - [Updated October 26, 2023] For installations with
consolidated_services_enabled
set to enabled, startup checks may fail when authenticating to GCP object storage with a service account. This has been fixed in thev202311-1
release. - [Updated February 26, 2024] In rare cases, no code modules created before upgrading to this release could contain errors that would cause upgrade failures. This issue is fixed in v202401-2.
- [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
Breaking Changes
- Consolidated services mode is enabled by default as of v202309-1, but you can disable it using the
consolidated_services_enabled
setting until v202401-1, when we permanently remove it. This setting only applies to Replicated deployments.
Highlights
- You can now exclude specific workspaces from global or project-scoped policy sets. Terraform Enterprise will not enforce a policy set's policies on any runs in an excluded workspace.
- Workspace admins can now schedule automatic destroy runs to trigger the deletion of all ephemeral infrastructure managed by a workspace at some point in the future.
- You can schedule an automatic destroy in Destruction and Deletion under Workspace Settings.
- Workspace Event notification triggers now include auto destroy notifications. For more details, refer to the Notification Configuration documentation.
Features
- Organizations now specify a default execution mode, which their workspaces may inherit. By default, new workspaces will inherit the organization default execution mode (and default agent pool, if applicable), but can override this default with a different execution mode.
- Terraform Enterprise now includes an upgrade startup check that ensures that upgrades occur in a sequential manner and do not forego required Terraform Enterprise releases.
Improvements
- Terraform Enterprise can now connect to an external Vault server using TLS v1.3.
- Added fallback mechanism for persisting Terraform state when backend errors occur during runs.
Bug Fixes
- Terraform Enterprise can now connect to Redis servers using a password containing certain special characters (e.g.,
+
,<
, etc.). - Terraform Enterprise can now connect to database servers using a password containing certain special characters (e.g.,
+
,<
, etc.). - Terraform Enterprise now respects the
redis_port
configuration setting when consolidated services is enabled. - A user without read access to a project can no longer assign it to a policy set or see if it's already assigned.
- Fixed premature expiration of Terraform artifacts during runs.
- Fixed bug preventing repository publishing by ID when using ADO VCS provider.
- Fixed validation issue for creating GitLab.com providers in regards to new key format.
- Policy Checks will now error when attempting to queue if associated Policies or Policy Sets have been deleted, as the Policy Check is no longer valid.
- Instruct terraform CLI to save snapshot state versions on a 1 hour interval to compensate for a terraform CLI bug in 1.5.0 ~ 1.5.7 that is saving state versions every 20 seconds in the absence of the header.
- Users reported a bug where after logging in to Terraform Enterprise, the application presents users with another "step-up" authentication login prompt when attempting to access the user settings page. This bug has been resolved and SSO users can now access their user settings.
- Triggering a high number of remote runs in a short time now reliably works. Previously, some jobs might be stuck in the
plan_queued
stage.
Security
- Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.