Terraform
Terraform Enterprise v202407-1 (779)
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise
container digest: amd64/linux sha256:5d1bab736bc7fe41f7425df0f2ea5942f97091e8422e788a86a540324acb50cd
Known Issues
- [Updated September 30, 2024] Some deployments are experiencing memory growth issues on v202401-1 or higher, sometimes resulting in out of memory errors that require a restart to resolve. This issue is currently being investigated. It is strongly recommended that you test in a non-production environment before deploying v202401-1 or higher in production, and monitor memory for unexpected growth. This message will be updated when a fix is available in a published release.
Deprecations
Terraform Enterprise now supports new deployment options and will end support for the Replicated Native Scheduler option. The final Replicated release of Terraform Enterprise will be in November 2024. HashiCorp will support this release until April 1, 2026.
To ensure you continue to receive the latest features and fixes, including security updates, please plan to migrate to a new deployment option by November 2024. For more information, check out Flexible Deployment Options or contact your HashiCorp account representative.
The variables API endpoint,
/vars
, is deprecated and will be removed in a future release. All existing integrations with this API should transition to the workspace variables API/workspaces/:workspace_id/vars
.PostgreSQL v12 will reach end of life on November 12 2024 and will no longer be supported in Terraform Enterprise after that date. Please refer to PostgreSQL Requirements for Terraform Enterprise for a complete list of supported versions.
Highlights
- You can now deploy Terraform Enterprise to OpenShift. We have updated the Helm chart with a new
openshift.enabled
value, which simplifies configuring Terraform Enterprise for OpenShift's security context requirements. For more information, refer to Operate Terraform Enterprise on Red Hat OpenShift. - We are migrating three columns on the user table to be encrypted via Vault:
confirmation_token
,two_factor_secret_key
, andtwo_factor_recovery_secret_key
. As part of this change, a synchronous migration will be performed when updating to this release to populate the encrypted columns based on the existing plaintext columns. For customers using Terraform Enterprise's username/password authentication or the two factor authentication feature, this migration could take a little while to execute. We estimate 4ms per user to update, but the time may vary based on a variety of factors, including your hardware. All other Terraform Enterprise customers should not be impacted. After the synchronous migration has been completed, the plaintext columns will be dropped from the users table.
Improvements
- We have improved the responsiveness of your organization's users page.
- Ephemeral workspace auto-destroy runs now run within five minutes of the scheduled time.
- The rounding threshold for run details has been increased to show a more accurate change summary.
- The structured run output (SRO) now lists and sets planned changes according to individual elements when the collection has not changed.
- Added the ability to pass two comma-separated Terraform versions as a constraint on workspaces.
Bug Fixes
- OPA versions are listed correctly when creating a new OPA policy set.
- You can now reconnect a VCS provider to an organization once the connection was revoked.
- Terraform now directs you to the agent pools page and presents a notification when you delete an agent pool that has the Grant access to specific workspaces option selected with no workspaces.
- The VCS 'File Limit Reached' message provides additional context on the VCS provider limit encountered by Terraform.
- Dynamic credentials no longer issue invalid JWTs after the OIDC key is rotated more than nine times.
- Terraform now waits to parse the run logs before rendering the change summary after a
plan
orapply
operation. This prevents change summaries from flickering between no changes and the actual summary for very large changes. - Invalid time display will no longer appear before a health assessment has run.
- Workspaces ending in
-
or_
are now able to successfully executeplan
andapply
operations in a Kubernetes runtime environment. - When creating teams using an organization authentication token, the created team's visibility will now default to secret. A bug had prevented such teams from being secret, by default and by update.
Security
- The version of Ruby used has been upgraded to 3.1.5.
- Email notifications are now sent when your session or your user token are used to create new API tokens. This provides additional security to your account.
- Container and binary updates address reported vulnerabilities (CVEs) in underlying base images, packages, and dependencies. Updated components included
hashicorp/go-getter
(CVE-2024-6257) andhashicorp/go-retryablehttp
(CVE-2024-6104). - Multiple database columns that contain user data, like two factor authentication private keys and email tokens, are now encrypted.