Terraform
Terraform Enterprise v202312-1 (745)
Last required release: v202207-2 (642)
Flexible Deployment Options terraform-enterprise
container digest: amd64/linux sha256:b709ccad0e3d4e4f1a8d33bea4459a70234f50e1784a11cc0cbd4056c055ecb1
Known Issues
- [Updated April 16, 2024] If you set the maximum run time on the site admin page to be longer than 24 hours, Terraform Enterprise will not trigger runs on this release version. Configure your maximum run time to 24 hours or less.
- [Updated: February 26, 2024] Customers using
terraform-bundle
and that have defined a working directory may see an error in their runs that readsOperation failed: failed packing filesystem: illegal slug error: invalid symlink
. You can work around this error using a custom agent image built ontfc-agent
v1.12. This issue is resolved in v202401-1 of Terraform Enterprise. Contact support for help with this issue. - [Updated February 26, 2024] In rare cases, no code modules created before upgrading to this release could contain errors that would cause upgrade failures. This issue is fixed in v202401-2.
- [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
- [Updated November 25, 2024] Terraform Enterprise does not currently support using a username provided via
REDIS_USER
for authenticating with an external Redis instance. To use authentication with Redis, configure Redis to require only a password for the default user by updating your Redis configuration file (redis.conf
) as follows, replacing<your password>
accordingly:
requirepass <your password>
In the Terraform Enterprise environment, set only the REDIS_PASSWORD
variable with the corresponding value.
Highlights
- You can now designate variable sets as a priority, marking all variables within the set as a priority. Priority variables overwrite any variables with the same key set at more specific scopes in the applied workspaces.
Features
- Terraform Enterprise now supports saving plans and applying them later, with the standard
terraform plan -out <FILE>
andterraform apply <FILE>
commands. This feature requires Terraform CLI v1.6.0 or newer. You can also create saved plan runs in the API with thesave-plan
run attribute. - The configuration versions API now includes a new
provisional
attribute. Provisional configurations delay becoming the configuration version for their workspace upon creation. Instead, provisional configurations only become current after you apply a run using that configuration. Use this attribute when creatingsave-plan
runs via the API. - Workload identity tokens now work natively with the Kubernetes and Helm providers.
Improvements
- We have improved screen reader usability for the variable sets page.
- You can now configure auto-destroy runs to remove resources managed by a workspace after a period of workspace inactivity.
- When performing a request to the
/account/details
API with an authentication token, you can now follow theauthenticated-resource
relationship to access the underlying token holder.
Bug Fixes
- Policy evaluations (i.e. native OPA support) will now be able to once again run on remote agents after a regression was introduced in v202309-1.
- When a proxy is configured, it will be properly used during all jobs. Previously, in some situations, the proxy was not properly recognized and could lead to failures when accessing modules.
- Custom S3 endpoints will now work properly in all configurations.
- Project and registry module names could previously contain a newline as the final character due to an incorrect validation.
tfe-task-worker
will now properly recycle connections to the host Docker socket.- Fixed a bug which cached administrative settings incorrectly: leading to the settings changes not applying until instance restart.
- Deleting an organization will no longer fail when that organization has a default agent pool
- Previously specifying multiple configurations for Vault-backed AWS or Vault-backed GCP authentication would return errors related to invalid auth types being specified in certain situations when the auth type specified was actually valid. This has been fixed and these errors should no longer be thrown when a valid auth type is specified.
- An organization could fail to delete if an API token had been generated for that organization's owners team. Users should now be able to delete these organizations successfully.
- The workspace count is properly outputted from the
tfe-admin license-info
now. - We fixed an issue with a small number of assessments triggering "create" operations that would cause assessments to fail unnecessarily.
Security
- The version of Ruby used has been upgraded to 3.1.4
- Container and binary updates address reported vulnerabilities (CVEs) in underlying base images, packages, and dependencies.