HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202309-1. View latest version.

Terraform Enterprise v202302-1 (681)

Last required release: v202207-2 (642)

Known Issues

  1. When you assign a team the manage-workspaces permission through the API the team is also explicitly granted the read-workspaces permission, which provides a subset of the functionality. However, using the API to revoke just the manage-workspace permission does not revoke the read-workspaces permission. This means that existing automation (including the tfe provider) for revoking the manage-workspaces permission will leave the team with the read-workspaces permission, whereas previously the team would be left with no workspace access at the organization level. This will be resolved in upcoming versions of Terraform Enterprise and the tfe provider.
  2. Terraform runs remain queued indefinitely when using the agent run pipeline mode unless the Enable agents functionality checkbox is checked in the admin interface. The logs for tfe-task-worker will show [ERROR] core: Unexpected HTTP response code: method=POST url=https://terraform.example.com/api/agent/register status=404. This is resolved in Terraform Enterprise v202303-1.
  3. [April 6, 2023] The tfe-admin node-drain command does not currently work when the run_pipeline_mode configuration setting is set to agent. See the notes under the Highlights section for more details regarding this setting. This issue is fixed in the v202304-1 release.
  4. Saving boolean false variable values causes 500 errors. This has been fixed in v202303-1.
  5. [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.

Breaking Changes

  1. The sub claim for workload identity tokens now contains project information. You must update the trust relationship on your cloud provider to expect project information in this claim.

Deprecations and End of Support

The following operating systems are no longer supported:

  • Debian 8, 9
  • Ubuntu 14.04, 16.04
  • Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03

The following PostgreSQL server versions are no longer supported:

  • 11

Terraform Build Workers are deprecated and will be removed in Terraform Enterprise v202305-1. The base image responsible for executing Terraform runs is now hashicorp/tfc-agent. If you are using an alternative worker image, you must migrate to a new image using hashicorp/tfc-agent as its base image before Terraform Enterprise v202305-1. If you are not using an alternative worker image then you will automatically migrate to the new base image and no futher action is required. For more information, refer to the Custom Agent Image migration guide.

[Updated: August 2023] The aws CLI utility is no longer included in the base image. If the aws CLI utility is needed in your custom agent image, you may install it by following the AWS CLI installation instructions. For more information, refer to the Custom Agent Image migration guide.

Highlights

  1. Three components of the run pipeline, tfe-build-worker, tfe-build-manager, and tfe-rabbitmq, have been replaced with tfe-task-worker, a local implementation of tfc-agent. If you are using an alternative worker image, you will need to migrate to a new image before enabling the new run pipeline. If you are not using an alternative worker image then you will automatically migrate to the new run pipeline. The new run pipeline can be manually enabled by setting the run_pipeline_mode configuration setting to agent or disabled by setting the run_pipeline_mode configuration setting to legacy. Monitoring integrations may need to be updated if you are monitoring tfe-build-worker, tfe-build-manager, or tfe-rabbitmq.
  2. Workspaces can now be grouped into projects. Projects help users organize and centrally manage their workspaces at scale while providing more granular permissions to a subset of workspaces. Each project has a separate permissions set that you can use to grant teams access to all workspaces in the project. This blog post covers projects in more detail.
  3. The GitHub App Integration is now available for Terraform Enterprise. Connect your Workspaces, Policy Sets, & Registry Modules without creating an Organization OAuth Client. Requires site-admin access to setup.
  4. Red Hat Enterprise Linux 8.7 is now supported.

Features

  1. Sentinel Policy Checks now run Sentinel 0.19.5, introducing support for static imports, allowing supporting data to be imported into a policy.
  2. Organization owners can now assign teams read access to workspaces and projects within a particular organization.
  3. Added Terraform versions 1.3.8 and 1.4.0-beta1.
  4. Structured run output is enabled for CLI-driven workspaces when using Terraform CLI version 1.4.0-beta1 or later.
  5. The VCS Events page is now available for Terraform Enterprise. The page displays VCS-related messages such as when processing fails due to a duplicate webhook.

Improvements

  1. tfe-admin support-bundle will now upload support bundles to object storage for both external services and active/active installations.
  2. The name of the VCS repository is now included in 400 request errors when an error occurs while creating a VCS workspace.
  3. When a webhook is received that contains the same commit SHA of a previously processed webhook that created a non-speculative run, it will no longer be processed and a message will be logged to the VCS Events page.

Bug Fixes

  1. Previously, a bug was introduced which changed the flash message design. The design bug is now fixed.
  2. The sidebar items of the workspace overview page are now displayed with proper height when the workspace has a long README.
  3. The workspace overview page now displays its sidebar component visibly in small screens.
  4. Terraform plans no longer error when generating Sentinel mock files.

Security

  1. The endpoint used for confirming a user's email address now has a tighter rate limit to reduce risk of email spam attacks.
  2. The endpoint used for sending "Forgot Password" emails now has a rate limit to reduce risk of email spam attacks.