Terraform
Terraform Enterprise v202309-1 (733)
Last required release: v202207-2 (642)
Flexible deployment options terraform-enterprise
container digest: amd64/linux sha256:20bab21966b1ff5743d3490404e6dfbd39e63b6f5ecc6848ba6b3557b540b139
Known Issue
- [Updated October 3, 2023] Azure DevOps VCS-backed workspaces may be unable to connect to the VCS, execute plans or runs, or import modules. The error in the logs shows
no matching host key type found. Their offer: ssh-rsa","component":"atlas"
. There are several workarounds available depending on the deployment option of TFE. Refer to this knowledge base article for more information. - [Updated September 29, 2023] Users reported a bug where after logging in to Terraform Enterprise, the application presents users with another "step-up" authentication login prompt when attempting to access the users settings page. A fix for this bug will be included in the
v202310-1
release. - [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
- [Updated November 25, 2024] Terraform Enterprise does not currently support using a username provided via
REDIS_USER
for authenticating with an external Redis instance. To use authentication with Redis, configure Redis to require only a password for the default user by updating your Redis configuration file (redis.conf
) as follows, replacing<your password>
accordingly:
requirepass <your password>
In the Terraform Enterprise environment, set only the REDIS_PASSWORD
variable with the corresponding value.
Breaking Changes
- This release enables the consolidated services architecture announced in v202306-1.
Application services are now consolidated into the terraform-enterprise
container. This container runs as a non-root user and contains the logs for all application services. The terraform-enterprise
container logs are in JSON-lines format. The 'service' key preceding the log message indicates the service that reported the log message. If using the fluentbit
log forwarding integration, the ‘component’ metadata attribute indicates which service reported the corresponding log message.
If you are monitoring containers or forwarding log messages to an external destination, you may need to update queries in your monitoring and log aggregation tools to reflect these changes. Terraform runs will continue to execute in isolated, short-lived containers, but will now run as a non-root user. This change can be disabled using the consolidated_services_enabled
setting until v202401-1, when we will remove it. You can only disable this change if you are deploying with Replicated. For more details, refer to Consolidated Services documentation.
Highlights
- Terraform Enterprise now supports more flexible deployment options. You can deploy Terraform Enterprise with cloud-managed Kubernetes services (Amazon EKS, Azure AKS, and Google Cloud GKE) using helm, or with Docker Engine using Docker Compose.
- To get started with one of the new deployment options, check out the shared requirements, the requirements for your desired deployment option (docker or cloud-managed Kubernetes, and the migration guides for migrating from Replicated.
- The new lightweight, single-container architecture provides significantly faster startup times, and includes new startup checks that can help quickly diagnose configuration issues and prevent the application from starting up in a risky state.
- Flexible Deployment Options requires a new license file to download and install Terraform Enterprise for Docker or cloud-managed Kubernetes. All existing customers will receive the new license file by Thursday, September 21. If you do not receive your license file, please contact your HashiCorp account representative.
- You can now apply policy sets to projects in your organization. For each run in a project's workspace, Terraform Enterprise checks the Terraform plan against the policy set. Refer to the Policy Enforcement documentation for details.
Improvements
- The no-code header no longer shows up in the sidebar when an organization cannot access the no-code feature.
- All TFE installations now automatically include a copy of HashiCorp's public GPG keys. This simplifies the process of hosting an official HashiCorp Terraform provider for use in an air-gapped TFE installation.
- Temporary run data will now be retained for 1 day instead of 1 week. This will reduce disk usage when using the mounted disk operation mode, and object storage usage when using external services or active/active mode. This change does not impact user-visible behavior.
Bug Fixes
- Removed a duplicate checkbox for overriding policy sets.
- Fixed the dropdown with search components on the Policy Set and Variable Set pages to return the correct options after a search.
- Allow users to search for workspaces from page 2 and above.
- Notification delivery results for emails would always display in the frontend as an error regardless of delivery outcome. The frontend status should now be updated on successful email delivery.
- Fixes a bug where certain types of corrupt files in a module upload could cause publishing to fail without notifying the user of the failure.
- Users should now be able to see an error message if their modules cannot be uploaded into Registry, even in some rare cases. Previously in those cases users would just keep seeing "publishing in progress" messages.
Security
- Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.