TFE Release v202104-1 (528)
Application Level Breaking Changes:
- Added a new organization permission, "Manage Policy Overrides", to isolate the permission for allowing overrides of
soft-mandatory
policy checks. The existing "Manage Policies" permission will no longer allow forsoft-mandatory
overrides. - Increased minimim required Replicated version to 2.50.0.
Application Level Features:
- Added policy check events to the audit log and audit trail APIs.
- Added ability to define working directory while changing a workspace's VCS source
- Changed the Sentinel runtime to version 0.18.0. For the latest changes, see the release notes.
- Changed Modules page to be Registry and updated urls
- Added Terraform CLI versions up through 0.15.0 to Terraform Enterprise.
- Added the ability to restrict state access (usually performed via the
terraform_remote_state
data source) to specific workspaces within an organization, along with an admin setting to configure the default setting for new workspaces and a command line migration assistant. - Added UI for disabling automatic speculative plans in VCS-connected workspaces. (This already existed in the API, and is now also available in each workspace's VCS settings page.)
- Added Firefox ESR and older Chrome/Firefox/Safari/Edge versions (latest 2) to browser support list
- Added Replicated configuration to restrict Terraform run environments from being able to reach cloud provider metadata endpoints, e.g.,
http://169.254.169.254
. - Active/Active configurations now require fewer tokens during install, only needing
enc_password
across all nodes (previously required tokens such ascookie_hash
,install_id
etc) See documentation for more details.
Application Level Bug Fixes:
- Fixed an issue where
tfe-admin support-bundle
would fail to upload support bundles to S3 due to permissions issues. - Fixed an issue where the Backup and Restore API would restore files to the root of the Azure storage account instead of inside the configured Azure blob container.
- Changed GitHub token validation to accept new formats
- Changed maximum displayable teams to 500 from 250 on team access selection wizard
- Fixed an issue in JSON filtering where unknown keys were not being handled as expected by jq (missing keys should render null values).
Application Level Security Fixes:
- Removed the logic to upgrade the internally-managed PostgreSQL server from PostgreSQL 9.5 to PostgreSQL 12. Installations running a release of Terraform Enterprise prior to v202103-1 must upgrade to required release v202103-1 in order to upgrade the internally-managed PostgreSQL server. This change only affects mounted disk and proof of concept installations.
- Rotated the secret used to generate password reset tokens and account unlock tokens. Existing password reset tokens and account unlock tokens generated before this change is deployed will be rendered invalid.
- Removed the ability for run tokens used in build workers to list all workspaces in the organization, a permission that is not required for the run token's intended purpose of reading workspaces to share state across workspaces using the terraform_remote_state data source.
- Removed the ability for Terraform code in a run environment to initiate network communication with internal TFE services.
- Ongoing container updates to address reported vulnerabilities in underlying packages / dependencies.
- Introduced additional security controls to prevent SSRF attacks in various TFE components.