Update hashicorp/terraform Docker tag to v1 (!5) · Merge requests · Bookmarkey / infrastructure

Haseeb Majid requested to merge renovate/hashicorp-terraform-1.x into main Apr 30, 2023

This MR contains the following updates:

Package	Type	Update	Change
hashicorp/terraform	image-name	major	`0.13.2` -> `1.4.6`

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

Release Notes

hashicorp/terraform

`v1.4.6`

Compare Source

1.4.6 (April 26, 2023)

BUG FIXES

Fix bug when rendering plans that include null strings. (#33029)
Fix bug when rendering plans that include unknown values in maps. (#33029)
Fix bug where the plan would render twice when using older versions of TFE as a backend. (#33018)
Fix bug where sensitive and unknown metadata was not being propagated to dynamic types while rendering plans. (#33057)
Fix bug where sensitive metadata from the schema was not being included in the terraform show -json output. (#33059)
Fix bug where computed attributes were not being rendered with the # forces replacement suffix. (#33065)

`v1.4.5`

Compare Source

1.4.5 (April 12, 2023)

Revert change from [#32892] due to an upstream crash.
Fix planned destroy value which would cause terraform_data to fail when being replaced with create_before_destroy (#32988)

Due to an incident while migrating build systems for the 1.4.3 release where CGO_ENABLED=0 was not set, we are rebuilding that version as 1.4.4 with the flag set. No other changes have been made between 1.4.3 and 1.4.4.

`v1.4.3`

Compare Source

1.4.3 (March 30, 2023)

BUG FIXES:

Prevent sensitive values in non-root module outputs from marking the entire output as sensitive [GH-32891]
Fix the handling of planned data source objects when storing a failed plan [GH-32876]
Don't fail during plan generation when targeting prevents resources with schema changes from performing a state upgrade [GH-32900]
Skip planned changes in sensitive marks when the changed attribute is discarded by the provider [GH-32892]

`v1.4.2`

Compare Source

1.4.2 (March 16, 2023)

BUG FIXES:

Fix bug in which certain uses of setproduct caused Terraform to crash (#32860)
Fix bug in which some provider plans were not being calculated correctly, leading to an "invalid plan" error (#32860)

`v1.4.1`

Compare Source

1.4.1 (March 15, 2023)

BUG FIXES:

Enables overriding modules that have the depends_on attribute set, while still preventing the depends_on attribute itself from being overridden. (#32796)
terraform providers mirror: when a dependency lock file is present, mirror the resolved providers versions, not the latest available based on configuration. (#32749)
Fixed module downloads from S3 URLs when using AWS IAM roles for service accounts (IRSA). (#32700)
hcl: Fix a crash in Terraform when attempting to apply defaults into an incompatible type. (#32775)
Prevent panic when creating a plan which errors before the planning process has begun. (#32818)
Fix the plan renderer skipping the "no changes" messages when there are no-op outputs within the plan. (#32820)
Prevent panic when rendering null nested primitive values in a state output. (#32840)
Warn when an invalid path is specified in TF_CLI_CONFIG_FILE (#32846)

`v1.4.0`

Compare Source

1.4.0 (March 08, 2023)

UPGRADE NOTES:

config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.
config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.
terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.
terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. If you notice any significant differences, or if Terraform fails to plan successfully due to rendering problems, please open a bug report issue.

BUG FIXES:

The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#31636)
config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#32151)
Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#32209)
Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
Fix inconsistent behaviour in empty vs null collections. (#32178)
terraform workspace now returns a non-zero exit when given an invalid argument (#31318)
Terraform would always plan changes when using a nested set attribute (#32536)
Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#32551)
A new methodology for planning set elements can now better detect optional+computed changes within sets (#32563)
Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#32451)

ENHANCEMENTS:

terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#32395)
terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#31757)
terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
Interactive input for sensitive variables is now masked in the UI (#29520)
A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#31633)
A new command was added for exporting Terraform function signatures in machine-readable format: terraform metadata functions -json (#32487)
The "Failed to install provider" error message now includes the reason a provider could not be installed. (#31898)
backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#24967)
backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#28856)
backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#32065)
backend/gcs: Update storage package to v1.28.0 (#29656)
When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#31949)
backend/oss: More robustly handle endpoint retrieval error (#32295)
local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#32116)
backend/http: Add support for mTLS authentication. (#31699)
cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#32629)
backend/gcs: Added support for GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT env var to allow impersonating a different service account when GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is configured for the GCP provider. (#32557)
backend/cos: Add support for the assume_role authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.
backend/cos: Add support for the security_token authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.

EXPERIMENTS:

Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

`v1.3.9`

Compare Source

1.3.9 (February 15, 2023)

BUG FIXES:

Fix crash when planning to remove already-deposed resource instances. (#32663)

`v1.3.8`

Compare Source

1.3.8 (February 09, 2023)

BUG FIXES:

Fixed a rare bug causing inaccurate before_sensitive / after_sensitive annotations in JSON plan output for deeply nested structures. This was only observed in the wild on the rancher/rancher2 provider, and resulted in glitched display in Terraform Cloud's structured plan log view. (#32543)
A variable only referenced by an output precondition error_message may be missing during evaluation (#32464)
Removing a NestingSingle block from configuration results in an invalid plan (#32463)
Null module outputs could be dropped, causing evaluation errors when referring to those module attributes (#32583)
Fix terraform crash when applying defaults into a collection with dynamic type constraint. (#32454)
Updated to newer github.com/mitchellh/cli version, in turn bringing in updates for several indirect dependencies with known security issues. (#32609)
Fix case where the first plan to use a new remote state could be applied twice, corrupting the state (#32614)

`v1.3.7`

Compare Source

1.3.7 (January 04, 2023)

BUG FIXES:

Fix exact version constraint parsing for modules using prerelease versions (#32377)
Prevent panic when a provider returns a null block value during refresh which is used as configuration via ignore_changes (#32428)

`v1.3.6`

Compare Source

1.3.6 (November 30, 2022)

BUG FIXES:

Terraform could crash if an orphaned resource instance was deleted externally and had condition checks in the configuration (#32246)
Module output changes were being removed and re-added to the stored plan, impacting performance with large numbers of outputs (#32307)

`v1.3.5`

Compare Source

1.3.5 (November 17, 2022)

BUG FIXES:

Prevent crash while serializing the plan for an empty destroy operation (#32207)
Allow a destroy plan to refresh instances while taking into account that some may no longer exist (#32208)
Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
Fix inconsistent behaviour in empty vs null collections. (#32178)
Prevent file uploads from creating unneeded temporary files when the payload size is known (#32206)
Nested attributes marked sensitive by schema no longer reveal sub-attributes in the plan diff (#32004)
Nested attributes now more consistently display when they become unknown or null values in the plan diff (#32004)
Sensitive values are now always displayed as (sensitive value) instead of sometimes as (sensitive) [GH32004]

`v1.3.4`

Compare Source

1.3.4 (November 02, 2022)

BUG FIXES:

Fix invalid refresh-only plan caused by data sources being deferred to apply (#32111)
Optimize the handling of condition checks during apply to prevent performance regressions with large numbers of instances (#32123)
Output preconditions should not be evaluated during destroy (#32051)
Fix crash from console when outputs contain preconditions (#32051)
Destroy with no state would still attempt to evaluate some values (#32051)
Prevent unnecessary evaluation and planning of resources during the pre-destroy refresh (#32051)
AzureRM Backend: support for generic OIDC authentication via the oidc_token and oidc_token_file_path properties (#31966)
Input and Module Variables: Convert variable types before attempting to apply default values. (#32027)
When installing remote module packages delivered in tar format, Terraform now limits the tar header block size to 1MiB to avoid unbounded memory usage for maliciously-crafted module packages. (#32135)
Terraform will now reject excessively-complex regular expression patterns passed to the regex, regexall, and replace functions, to avoid unbounded memory usage for maliciously-crafted patterns. This change should not affect any reasonable patterns intended for practical use. (#32135)
Terraform on Windows now rejects invalid environment variables whose values contain the NUL character when propagating environment variables to a child process such as a provider plugin. Previously Terraform would incorrectly treat that character as a separator between two separate environment variables. (#32135)

`v1.3.3`

Compare Source

1.3.3 (October 19, 2022)

BUG FIXES:

Fix error when removing a resource from configuration which has according to the provider has already been deleted. (#31850)
Fix error when setting empty collections into variables with collections of nested objects with default values. (#32033)

`v1.3.2`

Compare Source

1.3.2 (October 06, 2022)

BUG FIXES:

Fixed a crash caused by Terraform incorrectly re-registering output value preconditions during the apply phase (rather than just reusing the already-planned checks from the plan phase). (#31890)
Prevent errors when the provider reports that a deposed instance no longer exists (#31902)
Using ignore_changes = all could cause persistent diffs with legacy providers (#31914)
Fix cycles when resource dependencies cross over between independent provider configurations (#31917)
Improve handling of missing resource instances during import (#31878)

`v1.3.1`

Compare Source

1.3.1 (September 28, 2022)

NOTE:

On darwin/amd64 and darwin/arm64 architectures, terraform binaries are now built with CGO enabled. This should not have any user-facing impact, except in cases where the pure Go DNS resolver causes problems on recent versions of macOS: using CGO may mitigate these issues. Please see the upstream bug https://github.com/golang/go/issues/52839 for more details.

BUG FIXES:

Fixed a crash when using objects with optional attributes and default values in collections, most visible with nested modules. (#31847)
Prevent cycles in some situations where a provider depends on resources in the configuration which are participating in planned changes. (#31857)
Fixed an error when attempting to destroy a configuration where resources do not exist in the state. (#31858)
Data sources which cannot be read during will no longer prevent the state from being serialized. (#31871)
Fixed a crash which occured when a resource with a precondition and/or a postcondition appeared inside a module with two or more instances. (#31860)

`v1.3.0`

Compare Source

1.3.0 (September 21, 2022)

NEW FEATURES:

Optional attributes for object type constraints: When declaring an input variable whose type constraint includes an object type, you can now declare individual attributes as optional, and specify a default value to use if the caller doesn't set it. For example:
```
variable "with_optional_attribute" {
  type = object({
    a = string                # a required attribute
    b = optional(string)      # an optional attribute
    c = optional(number, 127) # an optional attribute with a default value
  })
}
```
Assigning { a = "foo" } to this variable will result in the value { a = "foo", b = null, c = 127 }.
Added functions: startswith and endswith allow you to check whether a given string has a specified prefix or suffix. (#31220)

UPGRADE NOTES:

terraform show -json: Output changes now include more detail about the unknown-ness of the planned value. Previously, a planned output would be marked as either fully known or partially unknown, with the after_unknown field having value false or true respectively. Now outputs correctly expose the full structure of unknownness for complex values, allowing consumers of the JSON output format to determine which values in a collection are known only after apply.
terraform import: The -allow-missing-config has been removed, and at least an empty configuration block must exist to import a resource.
Consumers of the JSON output format expecting on the after_unknown field to be only false or true should be updated to support the change representation described in the documentation, and as was already used for resource changes. (#31235)
AzureRM Backend: This release concludes the deprecation cycle started in Terraform v1.1 for the azurerm backend's support of "ADAL" authentication. This backend now supports only "MSAL" (Microsoft Graph) authentication.

This follows from Microsoft's own deprecation of Azure AD Graph, and so you must follow the migration instructions presented in that Azure documentation to adopt Microsoft Graph and then change your backend configuration to use MSAL authentication before upgrading to Terraform v1.3.
When making requests to HTTPS servers, Terraform will now reject invalid handshakes that have duplicate extensions, as required by RFC 5246 section 7.4.1.4 and RFC 8446 section 4.2. This may cause new errors when interacting with existing buggy or misconfigured TLS servers, but should not affect correct servers.

This only applies to requests made directly by Terraform CLI, such as provider installation and remote state storage. Terraform providers are separate programs which decide their own policy for handling of TLS handshakes.
The following backends, which were deprecated in v1.2.3, have now been removed: artifactory, etcd, etcdv3, manta, swift. The legacy backend name azure has also been removed, because the current Azure backend is named azurerm. (#31711)

ENHANCEMENTS:

config: Optional attributes for object type constraints, as described under new features above. (#31154)
config: New built-in function timecmp allows determining the ordering relationship between two timestamps while taking potentially-different UTC offsets into account. (#31687)
config: When reporting an error message related to a function call, Terraform will now include contextual information about the signature of the function that was being called, as an aid to understanding why the call might have failed. (#31299)
config: When reporting an error or warning message that isn't caused by values being unknown or marked as sensitive, Terraform will no longer mention any values having those characteristics in the contextual information presented alongside the error. Terraform will still return this information for the small subset of error messages that are specifically about unknown values or sensitive values being invalid in certain contexts. (#31299)
config: moved blocks can now describe resources moving to and from modules in separate module packages. (#31556)
terraform fmt now accepts multiple target paths, allowing formatting of several individual files at once. (#31687)
terraform init: provider installation errors now mention which host Terraform was downloading from (#31524)
CLI: Terraform will report more explicitly when it is proposing to delete an object due to it having moved to a resource instance that is not currently declared in the configuration. (#31695)
CLI: When showing the progress of a remote operation running in Terraform Cloud, Terraform CLI will include information about pre-plan run tasks (#31617)
The AzureRM Backend now only supports MSAL (and Microsoft Graph) and no longer makes use of ADAL (and Azure Active Directory Graph) for authentication (#31070)
The COS backend now supports global acceleration. (#31425)
provider plugin protocol: The Terraform CLI now calls PlanResourceChange for compatible providers when destroying resource instances. (#31179)
As an implementation detail of the Terraform Cloud integration, Terraform CLI will now capture and upload the JSON integration format for state along with any newly-recorded state snapshots, which then in turn allows Terraform Cloud to provide that information to API-based external integrations. (#31698)

BUG FIXES:

config: Terraform was not previously evaluating preconditions and postconditions during the apply phase for resource instances that didn't have any changes pending, which was incorrect because the outcome of a condition can potentially be affected by changes to other objects in the configuration. Terraform will now always check the conditions for every resource instance included in a plan during the apply phase, even for resource instances that have "no-op" changes. This means that some failures that would previously have been detected only by a subsequent run will now be detected during the same run that caused them, thereby giving the feedback at the appropriate time. (#31491)
terraform show -json: Fixed missing markers for unknown values in the encoding of partially unknown tuples and sets. (#31236)
terraform output CLI help documentation is now more consistent with web-based documentation. (#29354)
terraform init: Error messages now handle the situation where the underlying HTTP client library does not indicate a hostname for a failed request. (#31542)
terraform init: Don't panic if a child module contains a resource with a syntactically-invalid resource type name. (#31573)
CLI: The representation of destroying already-null output values in a destroy plan will no longer report them as being deleted, which avoids reporting the deletion of an output value that was already absent. (#31471)
terraform import: Better handling of resources or modules that use for_each, and situations where data resources are needed to complete the operation. (#31283)

EXPERIMENTS:

This release concludes the module_variable_optional_attrs experiment, which started in Terraform v0.14.0. The final design of the optional attributes feature is similar to the experimental form in the previous releases, but with two major differences:
- The optional function-like modifier for declaring an optional attribute now accepts an optional second argument for specifying a default value to use when the attribute isn't set by the caller. If not specified, the default value is a null value of the appropriate type as before.
- The built-in defaults function, previously used to meet the use-case of replacing null values with default values, will not graduate to stable and has been removed. Use the second argument of optional inline in your type constraint to declare default values instead.
If you have any experimental modules that were participating in this experiment, you will need to remove the experiment opt-in and adopt the new syntax for declaring default values in order to migrate your existing module to the stablized version of this feature. If you are writing a shared module for others to use, we recommend declaring that your module requires Terraform v1.3.0 or later to give specific feedback when using the new feature on older Terraform versions, in place of the previous declaration to use the experimental form of this feature:
```
terraform {
  required_version = ">= 1.3.0"
}
```

`v1.2.9`

Compare Source

1.2.9 (September 07, 2022)

ENHANCEMENTS:

terraform init: add link to documentation when a checksum is missing from the lock file. (#31726)

`v1.2.8`

Compare Source

1.2.8 (August 24, 2022)

BUG FIXES:

config: The flatten function will no longer panic if given a null value that has been explicitly converted to or implicitly inferred as having a list, set, or tuple type. Previously Terraform would panic in such a situation because it tried to "flatten" the contents of the null value into the result, which is impossible. (#31675)
config: The tolist, toset, and tomap functions, and various automatic conversions that include similar logic, will no longer panic when asked to infer an element type that is convertable from both a tuple type and a list type whose element type is not yet known. (#31675)

`v1.2.7`

Compare Source

1.2.7 (August 10, 2022)

ENHANCEMENTS:

config: Check for direct references to deprecated computed attributes. (#31576)

BUG FIXES:

config: Fix an crash if a submodule contains a resource whose implied provider local name contains invalid characters, by adding additional validation rules to turn it into a real error. (#31573)
core: Fix some handling of provider schema attributes which use the newer "structural typing" mechanism introduced with protocol version 6, and therefore with the new Terraform Plugin Framework (#31532)
command: Add missing output text for applyable refresh plans. (#31469)

`v1.2.6`

Compare Source

1.2.6 (July 27, 2022)

ENHANCEMENTS:

Add a warning and guidance when terraform init fails to fully populate the .terraform.lock.hcl file. (#31399)
Add a direct link to the relevant documentation when terraform init fails on missing checksums. (#31408)

BUG FIXES:

Fix panic on terraform show when state file is invalid or unavailable. (#31444)
Fix terraform providers lock command failing on missing checksums. (#31389)
Some combinations of move block operations would be executed in the wrong order (#31499)
Don't attribute an error to the provider when a computed attribute is listed in ignore_changes (#31509)

`v1.2.5`

Compare Source

1.2.5 (July 13, 2022)

BUG FIXES:

Report correct error message when a prerelease field is included in the required_version global constraint. (#31331)
Fix case when extra blank lines were inserted into the plan for unchanged blocks. (#31330)

`v1.2.4`

Compare Source

1.2.4 (June 29, 2022)

ENHANCEMENTS:

Improved validation of required_providers to prevent single providers from being required with multiple names. (#31218)
Improved plan performance by optimizing addrs.Module.String for allocations. (#31293)

BUG FIXES:

backend/http: Fixed bug where the HTTP backend would fail to retry acquiring the state lock and ignored the -lock-timeout flag. (#31256)
Fix crash if a precondition or postcondition block omitted the required condition argument. (#31290)

`v1.2.3`

Compare Source

1.2.3 (June 15, 2022)

UPGRADE NOTES:

The following remote state backends are now marked as deprecated, and are planned to be removed in a future Terraform release. These backends have been unmaintained since before Terraform v1.0, and may contain known bugs, outdated packages, or security vulnerabilities.
- artifactory
- etcd
- etcdv3
- manta
- swift

BUG FIXES:

Missing check for error diagnostics in GetProviderSchema could result in panic (#31184)
Module registries returning X-Terraform-Get locations with no URL would error with "no getter available for X-Terraform-Get source protocol" (#31237)
Fix crash from concurrent operation on shared set of resource instance dependencies (#31246)
backend/cos: tencentcloud-terraform-lock tag was not removed in all cases (#31223)

`v1.2.2`

Compare Source

1.2.2 (June 01, 2022)

ENHANCEMENTS:

Invalid -var arguments with spaces between the name and value now have an improved error message (#30985)

BUG FIXES:

Terraform now hides invalid input values for sensitive root module variables when generating error diagnostics (#30552)
Fixed crash on CLI autocomplete (#31160)
The "Configuration contains unknown values" error message now includes attribute paths (#31111)

`v1.2.1`

Compare Source

1.2.1 (May 23, 2022)

BUG FIXES:

SSH provisioner connections fail when using signed ed25519 keys (#31092)
Crash with invalid module source (#31060)
Incorrect "Module is incompatible with count, for_each, and depends_on" error when a provider is nested within a module along with a sub-module using count or for_each (#31091)

`v1.2.0`

Compare Source

1.2.0 (May 18, 2022)

UPGRADE NOTES:

If you use the third-party credentials helper plugin terraform-credentials-env, you should disable it as part of upgrading to Terraform v1.2 because similar functionality is now built in to Terraform itself.

The new behavior supports the same environment variable naming scheme but has a difference in priority order from the credentials helper: TF_TOKEN_... environment variables will now take priority over credentials blocks in CLI configuration and credentials stored automatically by terraform login, which is not true for credentials provided by any credentials helper plugin. If you see Terraform using different credentials after upgrading, check to make sure you do not specify credentials for the same host in multiple locations.

If you use the credentials helper in conjunction with the hashicorp/tfe Terraform provider to manage Terraform Cloud or Terraform Enterprise objects with Terraform, you should also upgrade to version 0.31 of that provider, which added the corresponding built-in support for these environment variables.
The official Linux packages for the v1.2 series now require Linux kernel version 2.6.32 or later.
When making outgoing HTTPS or other TLS connections as a client, Terraform now requires the server to support TLS v1.2. TLS v1.0 and v1.1 are no longer supported. Any safely up-to-date server should support TLS 1.2, and mainstream web browsers have required it since 2020.
When making outgoing HTTPS or other TLS connections as a client, Terraform will no longer accept CA certificates signed using the SHA-1 hash function. Publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

(Note: the changes to Terraform's requirements when interacting with TLS servers apply only to requests made by Terraform CLI itself, such as provider/module installation and state storage requests. Terraform provider plugins include their own TLS clients which may have different requirements, and may add new requirements in their own releases, independently of Terraform CLI changes.)

NEW FEATURES:

precondition and postcondition check blocks for resources, data sources, and module output values: module authors can now document assumptions and assertions about configuration and state values. If these conditions are not met, Terraform will report a custom error message to the user and halt further execution.
replace_triggered_by is a new lifecycle argument for managed resources which triggers replacement of an object based on changes to an upstream dependency.
You can now specify credentials for Terraform-native services using an environment variable named as TF_TOKEN_ followed by an encoded version of the hostname. For example, Terraform will use variable TF_TOKEN_app_terraform_io as a bearer token for requests to "app.terraform.io", for the Terraform Cloud integration and private registry requests.

ENHANCEMENTS:

When showing a plan, Terraform CLI will now only show "Changes outside of Terraform" if they relate to resources and resource attributes that contributed to the changes Terraform is proposing to make. (#30486)
Error messages for preconditions, postconditions, and custom variable validations are now evaluated as expressions, allowing interpolation of relevant values into the output. (#30613)
When showing the progress of a remote operation running in Terraform Cloud, Terraform CLI will include information about post-plan run tasks. (#30141)
Terraform will now show a slightly different note in the plan output if a data resource read is deferred to the apply step due to it depending on a managed resource that has changes pending. (#30971)
The "Invalid for_each argument" error message for unknown maps/sets now includes an additional paragraph to try to help the user notice they can move apply-time values into the map values instead of the map keys, and thus avoid the problem without resorting to -target. (#30327)
There are some small improvements to the error and warning messages Terraform will emit in the case of invalid provider configuration passing between modules. There are no changes to which situations will produce errors and warnings, but the messages now include additional information intended to clarify what problem Terraform is describing and how to address it. (#30639)
The environment variables TF_CLOUD_ORGANIZATION and TF_CLOUD_HOSTNAME now serve as fallbacks for the arguments of the same name inside a cloud block configuring integration with Terraform Cloud.
The environment variable TF_WORKSPACE will now additionally serve as an implicit configuration of a single selected workspace on Terraform Cloud if (and only if) the cloud block does not include an explicit workspaces configuration.
The AzureRM Backend now defaults to using MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication. (#30891)
The AzureRM Backend now supports authenticating as a service principal using OpenID Connect. (#30936)
When running on macOS, Terraform will now use platform APIs to validate certificates presented by TLS (HTTPS) servers. This may change exactly which root certificates Terraform will accept as valid. (#30768)
Show remote host in error message for clarity when installation of provider fails (#30810)
Terraform now prints a warning when adding an attribute to ignore_changes that is managed only by the provider. Specifying non-configurable attributes in ignore_changes has no effect because ignore_changes tells Terraform to ignore future changes made in the configuration. (#30517)
terraform show -json now includes exact type information for output values. (#30945)
The ssh provisioner connection now supports SSH over HTTP proxy. (#30274)
- The SSH client for provisioners now supports newer key algorithms, allowing it to connect to servers running more recent versions of OpenSSH. (#30962)

BUG FIXES:

Terraform now handles type constraints, nullability, and custom variable validation properly for root module variables. Previously there was an order of operations problem where the nullability and custom variable validation were checked too early, prior to dealing with the type constraints, and thus that logic could potentially "see" an incorrectly-typed value in spite of the type constraint, leading to incorrect errors. (#29959)
When reporting a type mismatch between the true and false results of a conditional expression when both results are of the same structural type kind (object/tuple, or a collection thereof), Terraform will no longer return a confusing message like "the types are object and object, respectively", and will instead attempt to explain how the two structural types differ. (#30920)
Applying the various type conversion functions like tostring, tonumber, etc to null will now return a null value of the intended type. For example, tostring(null) converts from a null value of an unknown type to a null value of string type. Terraform can often handle such conversions automatically when needed, but explicit annotations like this can help Terraform to understand author intent when inferring type conversions for complex-typed values. (#30879)
Terraform now returns an error when cidrnetmask() is called with an IPv6 address, as it was previously documented to do. IPv6 standards do not preserve the "netmask" syntax sometimes used for IPv4 network configuration; use CIDR prefix syntax instead. (#30703)
When performing advanced state management with the terraform state commands, Terraform now checks the required_version field in the configuration before proceeding. (#30511)
When rendering a diff, Terraform now quotes the name of any object attribute whose string representation is not a valid identifier. (#30766)
Terraform will now prioritize local terraform variables over remote terraform variables in operations such as import, plan, refresh and apply for workspaces in local execution mode. This behavior applies to both remote backend and the cloud integration configuration. (#29972)
terraform show -json: JSON plan output now correctly maps aliased providers to their configurations, and includes the full provider source address alongside the short provider name. (#30138)
The local token configuration in the cloud and remote backend now has higher priority than a token specified in a credentials block in the CLI configuration. (#30664)
The cloud integration now gracefully exits when -input=false and an operation requires some user input.
Terraform will now reliably detect an inteerruptiong (e.g. Ctrl+C) during planning for terraform apply -auto-approve. Previously there was a window of time where interruption would cancel the plan step but not prevent Terraform from proceeding to the apply step. (#30979)
Terraform will no longer crash if a provider fails to return a schema. (#30987)

`v1.1.9`

Compare Source

1.1.9 (April 20, 2022)

BUG FIXES:

cli: Fix crash when using sensitive values in sets. (#30825)
cli: Fix double-quoted map keys when rendering a diff. (#30855)
core: Prevent errors when handling a data source with incompatible schema changes (#30830)

ENHANCEMENTS:

cli: Terraform now supports run tasks, a Terraform Cloud integration for executing remote operations, for the post plan stage of a run.

`v1.1.8`

Compare Source

1.1.8 (April 07, 2022)

BUG FIXES:

cli: Fix missing identifying attributes (e.g. "id", "name") when displaying plan diffs with nested objects. (#30685)
functions: Fix error when sum() function is called with a collection of string-encoded numbers, such as sum(["1", "2", "3"]). (#30684)
When rendering a diff, Terraform now quotes the name of any object attribute whose string representation is not a valid identifier. (#30766)
Terraform will no longer crash in the terraform apply phase if an error occurs during backend configuration. (#30780)

`v1.1.7`

Compare Source

1.1.7 (March 02, 2022)

BUG FIXES:

terraform show -json: Improve performance for deeply-nested object values. The previous implementation was accidentally quadratic, which could result in very long execution time for generating JSON plans, and timeouts on Terraform Cloud and Terraform Enterprise. (#30561)
cloud: Update go-slug for terraform.tfstate exclusion to prevent a user from getting an error after migrating state to TFC.

`v1.1.6`

Compare Source

1.1.6 (February 16, 2022)

BUG FIXES:

cli: Prevent complex uses of the console-only type function. This function may only be used at the top level of console expressions, to display the type of a given value. Attempting to use this function in complex expressions will now display a diagnostic error instead of crashing. (#30476)
terraform state mv: Will now correctly exit with error code 1 when the specified resources cannot be found in state. Previously Terraform would display appropriate diagnostic errors, but exit successfully. (#29365)

`v1.1.5`

Compare Source

1.1.5 (February 02, 2022)

ENHANCEMENTS:

backend/s3: Update AWS SDK to allow the use of the ap-southeast-3 region (#30363)

BUG FIXES:

cli: Fix crash when using autocomplete with long commands, such as terraform workspace select (#30193)

`v1.1.4`

Compare Source

1.1.4 (January 19, 2022)

BUG FIXES:

config: Non-nullable variables with null inputs were not given default values when checking validation statements (#30330)
config: Terraform will no longer incorrectly report "Cross-package move statement" when an external package has changed a resource from no count to using count, or vice-versa. (#30333)

`v1.1.3`

Compare Source

1.1.3 (January 06, 2022)

BUG FIXES:

terraform init: Will now remove from the dependency lock file entries for providers not used in the current configuration. Previously it would leave formerly-used providers behind in the lock file, leading to "missing or corrupted provider plugins" errors when other commands verified the consistency of the installed plugins against the locked plugins. (#30192)
config: Fix panic when encountering an invalid provider block within a module (#30095)
config: Fix cycle error when the index of a module containing move statements is changed (#30232)
config: Fix inconsistent ordering with nested move operations (#30253)
config: Fix moved block refactoring to include nested modules (#30233)
functions: Redact sensitive values from function call error messages (#30067)
terraform show: Disable plan state lineage checks, ensuring that we can show plan files which were generated against non-default state files (#30205)

`v1.1.2`

Compare Source

1.1.2 (December 17, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to this new version as soon as possible.

Terraform CLI v1.1.0 and v1.1.1 both have a bug where a failure to construct the apply-time graph can cause Terraform to incorrectly report success and save an empty state, effectively "forgetting" all existing infrastructure. Although configurations that already worked on previous releases should not encounter this problem, it's possible that incorrect future configuration changes would trigger this behavior during the apply step.

BUG FIXES:

config: Fix panic when using -target in combination with moved blocks within modules (#30189)
core: Fix condition which could lead to an empty state being written when there is a failure building the apply graph (#30199)

`v1.1.1`

Compare Source

1.1.1 (December 15, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to the latest version as soon as possible.

BUG FIXES:

core: Fix crash with orphaned module instance due to changed count or for_each value (#30151)
core: Fix regression where some expressions failed during validation when referencing resources expanded with count or for_each (#30171)

`v1.1.0`

Compare Source

1.1.0 (December 08, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to the latest version as soon as possible.

Terraform v1.1.0 is a new minor release, containing some new features and some bug fixes whose scope was too large for inclusion in a patch release.

NEW FEATURES:

moved blocks for refactoring within modules: Module authors can now record in module source code whenever they've changed the address of a resource or resource instance, and then during planning Terraform will automatically migrate existing objects in the state to new addresses.

This therefore avoids the need for users of a shared module to manually run terraform state mv after upgrading to a version of the module, as long as the change is expressible as static configuration. However, terraform state mv will remain available for use in more complex migration situations that are not well-suited to declarative configuration.
A new cloud block in the terraform settings block introduces a native Terraform Cloud integration for the CLI-driven run workflow.

The Cloud integration includes several enhancements, including per-run variable support using the -var flag, the ability to map Terraform Cloud workspaces to the current configuration via Workspace Tags, and an improved user experience for Terraform Cloud and Enterprise users with actionable error messages and prompts.
terraform plan and terraform apply both now include additional annotations for resource instances planned for deletion to explain why Terraform has proposed that action.

For example, if you change the count argument for a resource to a lower number then Terraform will now mention that as part of proposing to destroy any existing objects that exceed the new count.

UPGRADE NOTES:

This release is covered by the Terraform v1.0 Compatibility Promises, but does include some changes permitted within those promises as described below.

Terraform on macOS now requires macOS 10.13 High Sierra or later; Older macOS versions are no longer supported.
The terraform graph command no longer supports -type=validate and -type=eval options. The validate graph is always the same as the plan graph anyway, and the "eval" graph was just an implementation detail of the terraform console command. The default behavior of creating a plan graph should be a reasonable replacement for both of the removed graph modes. (Please note that terraform graph is not covered by the Terraform v1.0 compatibility promises, because its behavior inherently exposes Terraform Core implementation details, so we recommend it only for interactive debugging tasks and not for use in automation.)
terraform apply with a previously-saved plan file will now verify that the provider plugin packages used to create the plan fully match the ones used during apply, using the same checksum scheme that Terraform normally uses for the dependency lock file. Previously Terraform was checking consistency of plugins from a plan file using a legacy mechanism which covered only the main plugin executable, not any other files that might be distributed alongside in the plugin package.

This additional check should not affect typical plugins that conform to the expectation that a plugin package's contents are immutable once released, but may affect a hypothetical in-house plugin that intentionally modifies extra files in its package directory somehow between plan and apply. If you have such a plugin, you'll need to change its approach to store those files in some other location separate from the package directory. This is a minor compatibility break motivated by increasing the assurance that plugins have not been inadvertently or maliciously modified between plan and apply.
terraform state mv will now error when legacy -backup or -backup-out options are used without the -state option on non-local backends. These options operate on a local state file only. Previously, these options were accepted but ignored silently when used with non-local backends.
In the AzureRM backend, the new opt-in option use_microsoft_graph switches to using MSAL authentication tokens and Microsoft Graph rather than using ADAL tokens and Azure Active Directory Graph, which is now deprecated by Microsoft. The new mode will become the default in Terraform v1.2, so please plan to migrate to using this setting and test with your own Azure AD tenant prior to the Terraform v1.2 release.

ENHANCEMENTS:

config: Terraform now checks the syntax of and normalizes module source addresses (the source argument in module blocks) during configuration decoding rather than only at module installation time. This is largely just an internal refactoring, but a visible benefit of this change is that the terraform init messages about module downloading will now show the canonical module package address Terraform is downloading from, after interpreting the special shorthands for common cases like GitHub URLs. (#28854)
config: Variables can now be declared as "nullable", which defines whether a variable can be null within a module. Setting nullable = false ensures that a variable value will never be null, and may instead take on the variable's default value if the caller sets it explicitly to null. (#29832)
terraform plan and terraform apply: When Terraform plans to destroy a resource instance due to it no longer being declared in the configuration, the proposed plan output will now include a note hinting at what situation prompted that proposal, so you can more easily see what configuration change might avoid the object being destroyed. (#29637)
terraform plan and terraform apply: Terraform will now report explicitly in the UI if it automatically moves a resource instance to a new address as a result of adding or removing the count argument from an existing resource. For example, if you previously had resource "aws_subnet" "example" without count, you might have aws_subnet.example already bound to a remote object in your state. If you add count = 1 to that resource then Terraform would previously silently rebind the object to aws_subnet.example[0] as part of planning, whereas now Terraform will mention that it did so explicitly in the plan description. (#29605)
terraform workspace delete: will now allow deleting a workspace whose state contains only data resource instances and output values, without running terraform destroy first. Previously the presence of data resources would require using -force to override the safety check guarding against accidentally forgetting about remote objects, but a data resource is not responsible for the management of its associated remote object(s) and so there's no reason to require explicit deletion. (#29754)
terraform validate: Terraform now uses precise type information for resources during config validation, allowing more problems to be caught that that step rather than only during the planning step. (#29862)
provisioner/remote-exec and provisioner/file: When using SSH agent authentication mode on Windows, Terraform can now detect and use the Windows 10 built-in OpenSSH Client's SSH Agent, when available, in addition to the existing support for the third-party solution Pageant that was already supported. (#29747)
cli: terraform state mv will now return an error for -backup or -backup-out options used without the -state option, unless the working directory is initialized to use the local backend. Previously Terraform would silently ignore those options, since they are applicable only to the local backend. (#27908)
terraform console: now has a new type() function, available only in the interactive console, for inspecting the exact type of a particular value as an aid to debugging. (#28501)

BUG FIXES:

config: ignore_changes = all now works in override files. (#29849)
config: Upgrading an unknown single value to a list using a splat expression now correctly returns an unknown value and type. Previously it would sometimes "overpromise" a particular return type, leading to an inconsistency error during the apply step. (#30062)
config: Terraform is now more precise in its detection of data resources that must be deferred to the apply step due to their depends_on arguments referring to not-yet-converged managed resources. (#29682)
config: ignore_changes can no longer cause a null map to be converted to an empty map, which would otherwise potentially cause surprising side-effects in provider logic. (#29928)
core: Provider configuration obtained from interactive prompts will now be merged properly with settings given in the configuration. Previously this merging was incorrect in some cases. (#29000)
terraform plan: Improved rendering of changes inside attributes that accept lists, sets, or maps of nested object types. (#29827, #29983, #29986)
terraform apply: Will no longer try to apply a stale plan that was generated against an originally-empty state. Previously this was an unintended exception to the rule that a plan can only be applied to the state snapshot it was generated against. (#29755)
terraform show -json: Attributes that are declared as using the legacy Attributes as Blocks behavior are now represented more faithfully in the JSON plan output. (#29522)
terraform init: Will now update the backend configuration hash value at a more approprimate time, to ensure properly restarting a backend migration process that failed on the first attempt. (#29860)
backend/oss: Flatten assume_role block arguments, so that they are more compatible with the terraform_remote_state data source. (#29307)

`v1.0.11`

Compare Source

1.0.11 (November 10, 2021)

ENHANCEMENTS:

backend/oss: Added support for sts_endpoint (#29841)

BUG FIXES:

config: Fixed a bug in which ignore_changes = all would not work in override files (#29849)
config: Numbers are now compared for equality based on their protocol representation, eliminating unexpected changes due to small precision errors (#29864)

`v1.0.10`

Compare Source

1.0.10 (October 28, 2021)

BUG FIXES:

backend/oss: Fix panic when there's an error looking up OSS endpoints (#29784)
backend/remote: Fix version check when migrating state (#29793)
cli: Restore -lock and -lock-timeout flags for the init command, which were removed in 0.15.0 (#29773)
cli: Fix bug where terraform init -input=false would hang waiting for user input to choose a workspace (#29805)

`v1.0.9`

Compare Source

1.0.9 (October 13, 2021)

BUG FIXES:

core: Fix panic when planning new resources with nested object attributes (#29701)
core: Do not refresh deposed instances when the provider is not configured during destroy (#29720)
core: Prevent panic when encountering a missing change when destroying a resource (#29734)

`v1.0.8`

Compare Source

1.0.8 (September 29, 2021)

BUG FIXES:

cli: Check required_version as early as possibly during init so that version incompatibility can be reported before errors about new syntax (#29665)
core: Don't plan to remove orphaned resource instances in refresh-only plans (#29640)

`v1.0.7`

Compare Source

1.0.7 (September 15, 2021)

BUG FIXES:

core: Remove check for computed attributes which is no longer valid with optional structural attributes (#29563)
core: Prevent object types with optional attributes from being instantiated as concrete values, which can lead to failures in type comparison (#29559)
core: Empty containers in the configuration were not planned correctly when used with optional structural attributes (#29580)

`v1.0.6`

Compare Source

1.0.6 (September 03, 2021)

ENHANCEMENTS:

backend/s3: Improve SSO handling and add new endpoints in the AWS SDK (#29017)

BUG FIXES:

cli: Suppress confirmation prompt when initializing with the -force-copy flag and migrating state between multiple workspaces. (#29438)
cli: Update tencentcount dependency versions to fix errors when building from source (#29445)
core: Fix panic while handling computed attributes within nested objects, and improve plan validation for unknown values (#29482)

`v1.0.5`

Compare Source

1.0.5 (August 18, 2021)

BUG FIXES:

json-output: Add an output change summary message as part of the terraform plan -json structured logs, bringing this format into parity with the human-readable UI. (#29312)
core: Handle null nested single attribute values (#29411)
cli: Fix crash when planning a diff between null and empty sets in nested attributes (#29398)
cli: Fix crash when planning a new resource containing a set of nested object attributes (#29398)
cli: Fix crash when displaying a resource diff where a possibly identifying attribute is sensitive (#29397)
cli: Fix crash when a diff with unknown nested map attributes (#29410)
config: Fix handling of dynamically types arguments in formatlist, ensuring the correct resulting type. (#29408)
config: Floating point operations like floor and ceil can no longer mutate their arguments. (#29408)

`v1.0.4`

Compare Source

1.0.4 (August 04, 2021)

BUG FIXES:

backend/consul: Fix a bug where the state value may be too large for consul to accept (#28838)
cli: Fixed a crashing bug with some edge-cases when reporting syntax errors that happen to be reported at the position of a newline. (#29048)

`v1.0.3`

Compare Source

1.0.3 (July 21, 2021)

ENHANCEMENTS

terraform plan: The JSON logs (-json option) will now include resource_drift, showing changes detected outside of Terraform during the refresh step. (#29072)
core: The automatic provider installer will now accept providers that are recorded in their registry as using provider protocol version 6. (#29153)
backend/etcdv3: New argument max_request_bytes allows larger requests and for the client, to match the server request limit. (#28078)

BUG FIXES:

terraform plan: Will no longer panic when trying to render null maps. (#29207)
backend/pg: Prevent the creation of multiple workspaces with the same name. (#29157)
backend/oss: STS auth is now supported. (#29167)
config: Dynamic blocks with unknown for_each values were not being validated. Ensure block attributes are valid even when the block is unknown (#29208)
config: Unknown values in string templates could lose sensitivity, causing the planned change to be inaccurate (#29208)

`v1.0.2`

Compare Source

1.0.2 (July 07, 2021)

BUG FIXES:

terraform show: Fix crash when rendering JSON plan with sensitive values in state (#29049)
config: The floor and ceil functions no longer lower the precision of arguments to what would fit inside a 64-bit float, instead preserving precision in a similar way as most other arithmetic functions. (#29110)
config: The flatten function was incorrectly treating null values of an unknown type as if they were unknown values. Now it will treat them the same as any other non-list/non-tuple value, flattening them down into the result as-is. (#29110)

`v1.0.1`

Compare Source

1.0.1 (June 24, 2021)

ENHANCEMENTS:

json-output: The JSON plan output now indicates which state values are sensitive. (#28889)
cli: The darwin builds can now make use of the host DNS resolver, which will fix many network related issues on MacOS.

BUG FIXES:

backend/remote: Fix faulty Terraform Cloud version check when migrating state to the remote backend with multiple local workspaces (#28864)
cli: Fix crash with deposed instances in json plan output (#28922)
core: Fix crash when provider modifies and unknown block during plan (#28941)
core: Diagnostic context was missing for some errors when validating blocks (#28979)
core: Fix crash when calling setproduct with unknown values (#28984)
json-output: Fix an issue where the JSON configuration representation was missing fully-unwrapped references. (#28884)
json-output: Fix JSON plan resource drift to remove unchanged resources. (#28975)

`v1.0.0`

Compare Source

1.0.0 (June 08, 2021)

Terraform v1.0 is an unusual release in that its primary focus is on stability, and it represents the culmination of several years of work in previous major releases to make sure that the Terraform language and internal architecture will be a suitable foundation for forthcoming additions that will remain backward compatible.

Terraform v1.0.0 intentionally has no significant changes compared to Terraform v0.15.5. You can consider the v1.0 series as a direct continuation of the v0.15 series; we do not intend to issue any further releases in the v0.15 series, because all of the v1.0 releases will be only minor updates to address bugs.

For all future minor releases with major version 1, we intend to preserve backward compatibility as described in detail in the Terraform v1.0 Compatibility Promises. The later Terraform v1.1.0 will, therefore, be the first minor release with new features that we will implement with consideration of those promises.

`v0.15.5`

Compare Source

0.15.5 (June 02, 2021)

BUG FIXES:

terraform plan and terraform apply: Don't show "Objects have changed" notification when the detected changes are only internal details related to legacy SDK quirks. (#28796)
core: Prevent crash during planning when encountering a deposed instance that has been removed from the configuration. (#28766)
core: Fix crash when rendering changes to deposed instances outside of Terraform. (#28796)
core: Restore a missing error when attempting to import a non-existent remote object. (#28808)
core: Fix bug where Terraform failed to release the state lock when applying a stale saved plan failed. (#28819)

`v0.15.4`

Compare Source

0.15.4 (May 19, 2021)

NEW FEATURES:

Noting changes made outside of Terraform: Terraform has always, by default, made a point during the planning operation of reading the current state of remote objects in order to detect any changes made outside of Terraform, to make sure the plan will take those into account.

Terraform will now report those detected changes as part of the plan result, in order to give additional context about the planned changes. We've often heard that people find it confusing when a plan includes a change that doesn't seem to be prompted by any recent change in the configuration, and so this feature is aiming to provide the previously-missing explanation for situations where Terraform is planning to undo a change.

It can also be useful just as general information when the change won't be undone by Terraform: if you've intentionally made a change outside of Terraform and mirrored that change in your configuration then Terraform will now confirm that it noticed the change you made and took it into account when planning.

By default this new output is for information only and doesn't change any behavior. If Terraform detects a change you were expecting then you don't need to take any additional action to respond to it. However, we've also added a new planning mode -refresh-only which allows you to explicitly plan and apply the action of writing those detected changes to the Terraform state, which serves as a plannable replacement for terraform refresh. We don't have any plans to remove the long-standing terraform refresh command, but we do recommend using terraform apply -refresh-only instead in most cases, because it will provide an opportunity to review what Terraform detected before updating the Terraform state.

UPGRADE NOTES:

This release adds some new reserved reference prefixes to make them available for later work. These are resource., template., arg., and lazy.. We don't expect these additions to cause problems for most existing configurations, but could cause a conflict if you are using a custom provider which has a resource type named exactly "resource", "template", "arg", or "lazy". In that unlikely event, you can escape references to resources of those types by adding a resource. prefix; for example, if you have a resource "template" "foo" then you can change references to it from template.foo to resource.template.foo in order to escape the new meaning.

ENHANCEMENTS:

config: The various functions that compute hashs of files on disk, like filesha256, will now stream the contents of the given file into the hash function in smaller chunks. Previously they would always read the entire file into memory before hashing it, due to following a similar implementation strategy as the file function. (#28681)
config: Some new escaping syntax which is not yet useful but will be part of the backward-compatibility story for certain future language editions. (#28709)
core: Rsource diagnostics are no longer lost on remote state storage fails (#28724)
core: Diagnostics from provisioner failures are now shown in CLI output (#28753)
terraform init: add a new -migrate-state flag instead of automatic state migration, to prevent failing when old backend config is not usable (#28718)
terraform plan and terraform apply: will now report any changes Terraform detects during the "refresh" phase for each managed object, providing confirmation that Terraform has seen those changes and, where appropriate, extra context to help understand the planned change actions that follow. (#28634)
terraform plan and terraform apply: now have a new option -refresh-only to activate the "refresh only" planning mode, which causes Terraform to ignore any changes suggested by the configuration but still detect any changes made outside of Terraform since the latest terraform apply. (#28634)
backend/gcs: Terraform Core now supports Workload Identity Federation. The federated JSON credentials must be loaded through the GOOGLE_APPLICATION_CREDENTIALS environment variable. This is also available in the Google Provider in versions newer than v3.61. (#28296)
backend/remote: supports several new CLI options when running plans and applies with Terraform Cloud: -refresh=false, -replace, and -refresh-only. (#28746)

BUG FIXES:

core: Fix sensitivity handling with plan values, which could cause the sensitive marks to be lost during apply leading to a perpetual diff (#28687)
core: Fix crash when specifying SSH bastion_port in a resource connection block (#28665)
core: Terraform will now upgrade and refresh (unless disabled) deposed objects during planning, in a similar manner as for objects that have been removed from the configuration. "Deposed" is how Terraform represents the situation where a create_before_destroy replacement failed to destroy the old object, in which case Terraform needs to track both the new and old objects until the old object is successfully deleted. Refreshing these during planning means that you can, if you wish, delete a "deposed" object manually outside of Terraform and then have Terraform detect that you've done so. (#28634)
config: Improve the sensitivity support for lookup and length functions, which were accidentally omitted from the larger update in 0.15.1 (#28509)
backend/gcs: Fixed a bug where service account impersonation didn't work if the original identity was another service account (#28139)

`v0.15.3`

Compare Source

0.15.3 (May 06, 2021)

ENHANCEMENTS:

terraform show: Add data to the JSON plan output describing which changes caused a resource to be replaced (#28608)

BUG FIXES:

terraform show: Fix crash for JSON plan output of new resources with sensitive attributes in nested blocks (#28624)

`v0.15.2`

Compare Source

0.15.2 (May 05, 2021)

ENHANCEMENTS:

terraform plan and terraform apply: Both now support a new planning option -replace=... which takes the address of a resource instance already tracked in the state and forces Terraform to upgrade either an update or no-op plan for that instance into a "replace" (either destroy-then-create or create-then-destroy depending on configuration), to allow replacing a degraded object with a new object of the same configuration in a single action and preview the effect of that before applying it.
terraform apply: Now has a -destroy option for symmetry with terraform plan -destroy, which makes terraform destroy effectively an alias for terraform apply -destroy. This change is only for consistency between terraform plan and terraform apply; there are no current plans to deprecate terraform destroy. (#28489)
core: Update HCL to allow better planning of dynamic blocks (#28424)
core: Unmark values when planning data sources (#28539)

BUG FIXES:

command/format: Fix various issues with nested-type attribute formatting (#28600)
core: Fix JSON plan output to add sensitivity data for provider-specified sensitive attribute values (#28523)
cli: Fix missing "forces replacement" UI for attribute changes which are marked as sensitive by the provider (#28583)
cli: Fix crash when rendering diagnostic caused by missing trailing quote (#28598)
functions: Fix crash when calling setproduct with one or more empty collections (#28607)

`v0.15.1`

Compare Source

0.15.1 (April 26, 2021)

ENHANCEMENTS:

config: Various Terraform language functions now have more precise inference rules for propagating the "sensitive" characteristic values.

The affected functions are chunklist, concat, flatten, keys, length, lookup, merge, setproduct, tolist, tomap, values, and zipmap. The details are a little different for each of these but the general idea is to, as far as possible, preserve the sensitive characteristic on individual element or attribute values in result structures rather than always conservatively applying sensitivity to the whole result.

The primary benefit of these improvements is that you can now use these functions as part of constructing maps for for_each in situations where the input collection is never sensitive but some of the elements/attributes inside might be. (#28446] [#28460)
cli: Update the HashiCorp public key (#28505)
cli: Diagnostic messages can now be annotated with resource and provider addresses. (#28275)
cli: terraform login now has a new user experience for successful log-ins to Terraform Cloud and Terraform Enterprise. (#28487)
core: Minor graph performance optimizations. (#28329)

BUG FIXES:

config: Fix validation error when passing providers from a non-default namespace into modules. (#28414)
cli: Fix missing colors and extraneous resource summary for plan/apply with the remote backend. (#28409)
cli: Diagnostics messages will only indicate that a referenced value is sensitive if that value is directly sensitive, as opposed to being a complex-typed value that contains a sensitive value. (#28442)
core: Don't trigger data source reads from changes in sibling module instances. (#28267)
core: Restore saved dependencies when a resource destroy operation fails. (#28317)
core: Fix crash when setting sensitive attributes to a sensitive value. (#28383)
core: Loosen output value sensitivity requirement for non-root modules. This means that modules which may receive sensitive values as input variables no longer need to mark all related outputs as sensitive. The requirement for root modules to specify the sensitive attribute for sensitive values remains, with an extended diagnostic message to explain why. (#28472)
provisioner: Fix panic with unexpected null values in provisioner configuration (#28457)

`v0.15.0`

Compare Source

0.15.0 (April 14, 2021)

UPGRADE NOTES AND BREAKING CHANGES:

The following is a summary of each of the changes in this release that might require special consideration when upgrading. Refer to the Terraform v0.15 upgrade guide for more details and recommended upgrade steps.

"Proxy configuration blocks" (provider blocks with only alias set) in shared modules are now replaced with a more explicit configuration_aliases argument within the required_providers block. Some support for the old syntax is retained for backward compatibility, but we've added explicit error messages for situations where Terraform would previously silently misinterpret the purpose of an empty provider block. (#27739)
The list and map functions, both of which were deprecated since Terraform v0.12, are now removed. You can replace uses of these functions with tolist([...]) and tomap({...}) respectively. (#26818)
Terraform now requires UTF-8 character encoding and virtual terminal support when running on Windows. This unifies Terraform's terminal handling on Windows with that of other platforms, as per Microsoft recommendations. Terraform previously required these terminal features on all other platforms, and now requires them on Windows too.

UTF-8 and virtual terminal support were introduced across various Windows 10 updates, and so Terraform is no longer officially supported on the original release of Windows 10 or on Windows 8 and earlier. However, there are currently no technical measures to artificially prevent Terraform from running on these obsolete Windows releases, and so you may still be able to use Terraform v0.15 on older Windows versions if you either disable formatting (using the -no-color) option, or if you use a third-party terminal emulator package such as ConEmu, Cmder, or mintty.

We strongly encourage planning to migrate to a newer version of Windows rather than relying on these workarounds for the long term, because the Terraform team will test future releases only on up-to-date Windows 10 and can therefore not guarantee ongoing support for older versions.
Built-in vendor provisioners (chef, habitat, puppet, and salt-masterless) have been removed. (#26938)
Interrupting execution will now cause terraform to exit with a non-zero exit status. (#26738)
The trailing [DIR] argument to specify the working directory for various commands is no longer supported. Use the global -chdir option instead. (#27664)

For example, instead of terraform init infra, write terraform -chdir=infra init.
The -lock and -lock-timeout options are no longer available on terraform init (#27464)
The -verify-plugins=false option is no longer available on terraform init. (Terraform now always verifies plugins.) (#27461)
The -get-plugins=false option is no longer available on terraform init. (Terraform now always installs plugins.) (#27463)
The -force option is no longer available on terraform destroy. Use -auto-approve instead (#27681)
The -var and -var-file options are no longer available on terraform validate. These were deprecated and have had no effect since Terraform v0.12. (#27906)
terraform version -json output no longer includes the (previously-unpopulated) "revision" property (#27484)
In the gcs backend the path config argument, which was deprecated since Terraform v0.11, is now removed. Use the prefix argument instead. (#26841)
The deprecated ignore_changes = ["*"] wildcard syntax is no longer supported. Use ignore_changes = all instead. (#27834)
Previously deprecated quoted variable type constraints are no longer supported. Follow the instructions in the error message to update your type signatures to be more explicit. For example, use map(string) instead of "map". (#27852)
Terraform will no longer make use of the HTTP_MROXY environment variable to determine proxy settings for connecting to HTTPS servers. You must always set HTTPS_MROXY if you intend to use a proxy to connect to an HTTPS server. (Note: This affects only connections made directly from Terraform CLI. Terraform providers are separate programs that make their own requests and may thus have different proxy configuration behaviors.)
Provider-defined sensitive attributes will now be redacted throughout the plan output. You may now see values redacted as (sensitive) that were previously visible, because sensitivity did not follow provider-defined sensitive attributes.

If you are transforming a value and wish to force it not to be sensitive, such as if you are transforming a value in such a way that removes the sensitive data, we recommend using the new nonsensitive function to hint Terraform that the result is not sensitive.
The atlas backend, which was deprecated since Terraform v0.12, is now removed. (#26651)
We've upgraded the underlying TLS and certificate-related libraries that Terraform uses when making HTTPS requests to remote systems. This includes the usual tweaks to preferences for different cryptographic algorithms during handshakes and also some slightly-stricter checking of certificate syntax. These changes should not cause problems for correctly-implemented HTTPS servers, but can sometimes cause unexpected behavior changes with servers or middleboxes that don't comply fully with the relevant specifications.

ENHANCEMENTS:

config: A required_providers entry can now contain configuration_aliases to declare additional configuration aliases names without requirring a configuration block (#27739)
config: Improved type inference for conditional expressions. (#28116)
config: Provider-defined sensitive attributes will now be redacted throughout the plan output. (#28036)
config: New function one for concisely converting a zero-or-one element list/set into a single value that might be null. (#27454)
config: New functions sensitive and nonsensitive allow module authors to explicitly override Terraform's default infererence of value sensitivity for situations where it's too conservative or not conservative enough. (#27341)
config: Terraform will now emit a warning if you declare a backend block in a non-root module. Terraform has always ignored such declarations, but previously did so silently. This is a warning rather than an error only because it is sometimes convenient to temporarily use a root module as if it were a child module in order to test or debug its behavior separately from its main backend. (#26954)
config: Removed warning about interpolation-only expressions being deprecated, because terraform fmt now automatically fixes most cases that the warning would previously highlight. We still recommend using simpler expressions where possible, but the deprecation warning had caused a common confusion in the community that the interpolation syntax is always deprecated, rather than only in the interpolation-only case. (#27835)
config: The family of error messages with the summary "Invalid for_each argument" will now include some additional context about which external values contributed to the result, making it easier to find the root cause of the error. (#26747)
config: Terraform now does text processing using the rules and tables defined for Unicode 13. Previous versions were using Unicode 12 rules.
terraform init: Will now make suggestions for possible providers on some registry failures, and generally remind of required_providers on all registry failures. (#28014)
terraform init: Provider installation will now only attempt to rewrite .terraform.lock.hcl if it would contain new information. (#28230)
terraform init: New -lockfile=readonly option, which suppresses writing changes to the dependency lock file. Any installed provider packages must already be recorded in the lock file, or initialization will fail. Use this if you are managing the lock file via a separate process and want to avoid adding new checksums for existing dependencies. (#27630)
terraform show: Improved performance when rendering large plans as JSON. (#27998)
terraform validate: The JSON output now includes a code snippet object for each diagnostic. If present, this object contains an excerpt of the source code which triggered the diagnostic, similar to what Terraform would include in human-oriented diagnostic messages. (#28057)
cli: Terraform now uses UTF-8 and full VT mode even when running on Windows. Previously Terraform was using the "classic" Windows console API, which was far more limited in what formatting sequences it supported and which characters it could render. (#27487)
cli: Improved support for Windows console UI on Windows 10, including bold colors and underline for HCL diagnostics. (#26588)
cli: Diagnostic messages now have a vertical line along their left margin, which we hope will achieve a better visual hierarchy for sighted users and thus make it easier to see where the errors and warnings start and end in relation to other content that might be printed alongside. (#27343)
cli: Typing an invalid top-level command, like terraform destory instead of destroy, will now print out a specific error message about the command being invalid, rather than just printing out the usual help directory. (#26967)
cli: Plugin crashes will now be reported with more detail, pointing out the plugin name and the method call along with the stack trace (#26694)
cli: Core and Provider logs can now be enabled separately for debugging, using TF_LOG_CORE and TF_LOG_MROVIDER (#26685)
backend/azurerm: Support for authenticating as AzureAD users/roles. (#28181)
backend/pg: Now allows locking of each workspace separately, whereas before the locks were global across all workspaces. (#26924)

BUG FIXES:

config: Fix multiple upstream crashes with optional attributes and sensitive values. (#28116)
config: Fix various panics in the experimental defaults function. (#27979, #28067)
config: Fix crash with resources which have sensitive iterable attributes. (#28245)
config: Fix crash when referencing resources with sensitive fields that may be unknown. (#28180)
terraform validate: Validation now ignores providers that lack configuration, which is useful for validating modules intended to be called from other modules which therefore don't include their own provider configurations. (#24896)
terraform fmt: Fix fmt output when unwrapping redundant multi-line string interpolations (#28202)
terraform console: expressions using path (path.root, path.module) now return the same result as they would in a configuration (#27263)
terraform show: Fix crash when rendering JSON plans containing iterable unknown values. (#28253)
terraform show: fix issue with child_modules not properly displaying in certain circumstances. (#27352)
terraform state list: fix bug where nested modules' resources were missing (#27268)
terraform state mv: fix display names in errors and improve error when failing to target a whole resource (#27482)
terraform taint: show resource name in -allow-missing warning (#27501)
terraform untaint: show resource name in -allow-missing warning (#27502)
cli: All commands will now exit with an error if unable to read input at an interactive prompt. For example, this may happen when running in a non-interactive environment but without -input=false. Previously Terraform would behave as if the user entered an empty string, which often led to confusing results. (#26509)
cli: TF_LOG levels other than trace will now work reliably. (#26632)
core: Fix crash when trying to create a destroy plan with -refresh=false. (#28272)
core: Extend the Terraform plan file format to include information about sensitivity and required-replace. This ensures that the output of terraform show saved.tfplan matches terraform plan, and sensitive values are elided. (#28201)
core: Ensure that stored dependencies are retained when a resource is removed entirely from the configuration, and create_before_destroy ordering is preserved. (#28228)
core: Resources removed from the configuration will now be destroyed before their dependencies are updated. (#28165)
core: Refresh data sources while creating a destroy plan, in case their results are important for destroy operations. (#27408)
core: Fix missing deposed object IDs in apply logs (#27796)
backend/azurerm: Fix nil pointer crashes with some state operations. (#28181, #26721)
backend/azure: Fix interactions between state reading, state creating, and locking. (#26561)

EXPERIMENTS:

provider_sensitive_attrs: This experiment has now concluded, and its functionality is now on by default. If you were previously participating in this experiment then you can remove the experiment opt-in with no other necessary configuration changes.
There is now a terraform test command, which is currently an experimental feature serving as part of the Module Testing Experiment.

`v0.14.11`

Compare Source

0.14.11 (April 26, 2021)

ENHANCEMENTS:

cli: Update the HashiCorp public key (#28503)

`v0.14.10`

Compare Source

0.14.10 (April 07, 2021)

BUG FIXES:

cli: Only rewrite provider locks file if its contents has changed. (#28230)

`v0.14.9`

Compare Source

0.14.9 (March 24, 2021)

BUG FIXES:

backend/remote: Fix error when migrating existing state to a new workspace on Terraform Cloud/Enterprise. (#28093)

`v0.14.8`

Compare Source

BUG FIXES:

config: Update HCL package to fix panics when indexing using sensitive values (#28034)
core: Fix error when using sensitive values in provisioner configuration (#27819)
core: Fix empty diags not getting associated with source (#28029)
backend/remote: Fix non-functional -lock-timeout argument when using the remote backend with local operations (#27845)

ENHANCEMENTS:

config: Terraform now does text processing using the rules and tables defined for Unicode 13. Previous versions were using Unicode 12 rules (#28034)

`v0.14.7`

Compare Source

0.14.7 (February 17, 2021)

ENHANCEMENTS:

cli: Emit an "already installed" event when a provider is found already installed (#27722)
provisioner/remote-exec: Can now run in a mode that expects the remote system to be running Windows and excuting commands using the Windows command interpreter, rather than a Unix-style shell. Specify the target_platform as "windows" in the connection block. (#26865)

BUG FIXES:

cli: Fix show -json not outputting the full module tree when some child modules have no resources (#27352)
cli: Fix excessively slow rendering of very large multi-line string outputs (#27746)
cli: Fix missing provider requirements in JSON plan when specified using required_providers instead of provider config (#27697)

`v0.14.6`

Compare Source

0.14.6 (February 04, 2021)

ENHANCEMENTS:

backend/s3: Add support for AWS Single-Sign On (SSO) cached credentials (#27620)

BUG FIXES:

cli: Rerunning init will reuse installed providers rather than fetching the provider again (#27582)
config: Fix panic when applying a config using sensitive values in some block sets (#27635)
core: Fix "Invalid planned change" error when planning tainted resource which no longer exists (#27563)
core: Fix panic when refreshing data source which contains sensitive values (#27567)
core: Fix init with broken link in plugin_cache_dir (#27447)
core: Prevent evaluation of removed data source instances during plan (#27621)
core: Don't plan changes for outputs that remain null (#27512)

`v0.14.5`

Compare Source

0.14.5 (January 20, 2021)

ENHANCEMENTS:

backend/pg: The Postgres backend now supports the "scram-sha-256" authentication method. (#26886)

BUG FIXES:

cli: Fix formatting of long integers in outputs and console (#27479)
cli: Fix redundant check of remote workspace version for local operations (#27498)
cli: Fix missing check of remote workspace version for state migration (#27556)
cli: Fix world-writable permissions on dependency lock file (#27205)

`v0.14.4`

Compare Source

0.14.4 (January 06, 2021)

UPGRADE NOTES:

This release disables the remote Terraform version check feature for plan and apply operations. This fixes an issue with using custom Terraform version bundles in Terraform Enterprise. (#27319)

BUG FIXES:

backend/remote: Disable remote Terraform workspace version check when the remote workspace is in local operations mode ([#27407])
core: Fix panic when using sensitive values as arguments to data sources ([#27335])
core: Fix panic when using sensitive values as count arguments on validate ([#27410])
core: Fix panic when passing sensitive values to module input variables which have custom variable validation ([#27412])
dependencies: Upgrade HCL to v2.8.2, fixing several bugs with sensitive values ([#27420])

`v0.14.3`

Compare Source

0.14.3 (December 17, 2020)

ENHANCEMENTS:

terraform output: Now supports a new "raw" mode, activated by the -raw option, for printing out the raw string representation of a particular output value. (#27212)

Only primitive-typed values have a string representation, so this formatting mode is not compatible with complex types. The -json mode is still available as a general way to get a machine-readable representation of an output value of any type.
config: for_each now allows maps whose element values are sensitive, as long as the element keys and the map itself are not sensitive. (#27247)

BUG FIXES:

config: Fix anytrue and alltrue functions when called with values which are not known until apply. (#27240)
config: Fix sum function when called with values which are not known until apply. Also allows sum to cope with numbers too large to represent in float64, along with correctly handling errors around infinite values. (#27249)
config: Fixed panic when referencing sensitive values in resource count expressions (#27238)
config: Fix incorrect attributes in diagnostics when validating objects (#27010)
core: Prevent unexpected updates during plan when multiple sensitive values are involved (#27318)
dependencies: Fix several small bugs related to the use of sensitive values with expressions and functions.
lang: Fix panic when calling coalescelist with a null argument (#26988)
terraform apply: -refresh=false was skipped when running apply directly (#27233)
terraform init: setting -get-plugins to false will now cause a warning, as this flag has been a no-op since 0.13.0 and usage is better served through using provider_installation blocks (#27092)
terraform init and other commands which interact with the dependency lock file: These will now generate a normal error message if the lock file is incorrectly a directory, rather than crashing as before. (#27250)

`v0.14.2`

Compare Source

0.14.2 (December 08, 2020)

BUG FIXES:

backend/remote: Disable the remote backend version compatibility check for workspaces set to use the "latest" pseudo-version. (#27199)
providers/terraform: Disable the remote backend version compatibility check for the terraform_remote_state data source. This check is unnecessary, because the data source is read-only by definition. (#27197)

`v0.14.1`

Compare Source

0.14.1 (December 08, 2020)

ENHANCEMENTS:

backend/remote: When using the enhanced remote backend with commands which locally modify state, verify that the local Terraform version and the configured remote workspace Terraform version are compatible. This prevents accidentally upgrading the remote state to an incompatible version. The check is skipped for commands which do not write state, and can also be disabled by the use of a new command-line flag, -ignore-remote-version. (#26947)

BUG FIXES:

configs: Fix for errors when using multiple layers of sensitive input variables (#27095)
configs: Fix error when using sensitive input variables in conditionals (#27107)
core: Fix permanent diff when a resource changes only in sensitivity, for example due to changing the sensitivity of a variable or output used as an attribute value. (#27128)
core: Fix issues where ignore_changes appears to not work, or causes validation errors with some resources. (#27141)
terraform fmt: Fix incorrect formatting with attribute expressions enclosed in parentheses. (#27040)

`v0.14.0`

Compare Source

0.14.0 (December 02, 2020)

NEW FEATURES:

Terraform now supports marking input variables as sensitive, and will propagate that sensitivity through expressions that derive from sensitive input variables.
terraform init will now generate a lock file in the configuration directory which you can check in to your version control so that Terraform can make the same version selections in future. (#26524)

If you wish to retain the previous behavior of always taking the newest version allowed by the version constraints on each install, you can run terraform init -upgrade to see that behavior.
Terraform will now support reading and writing all compatible state files, even from future versions of Terraform. This means that users of Terraform 0.14.0 will be able to share state files with future Terraform versions until a new state file format version is needed. We have no plans to change the state file format at this time. (#26752)

UPGRADE NOTES:

Outputs that reference sensitive values (which includes variables marked as sensitive, other module outputs marked as sensitive, or attributes a provider defines as sensitive if the provider_sensitive_attrs experiment is activated) must also be defined as sensitive, or Terraform will error at plan.
The version argument inside provider configuration blocks has been documented as deprecated since Terraform 0.12. As of 0.14 it will now also generate an explicit deprecation warning. To avoid the warning, use provider requirements declarations instead. (#26135)
The official MacOS builds of Terraform now require MacOS 10.12 Sierra or later. (#26357)
TLS certificate verification for outbound HTTPS requests from Terraform CLI no longer treats the certificate's "common name" as a valid hostname when the certificate lacks any "subject alternative name" entries for the hostname. TLS server certificates must list their hostnames as a "DNS name" in the subject alternative names field. (#26357)
Outbound HTTPS requests from Terraform CLI now enforce RFC 8446's client-side downgrade protection checks. This should not significantly affect normal operation, but may result in connection errors in environments where outgoing requests are forced through proxy servers and other "middleboxes", if they have behavior that resembles a downgrade attack. (#26357)
Terraform's HTTP client code is now slightly stricter than before in HTTP header parsing, but in ways that should not affect typical server implementations: Terraform now trims only ASCII whitespace characters, and does not allow Transfer-Encoding: identity. (#26357)
The terraform 0.13upgrade subcommand and the associated upgrade mechanisms are no longer available. Complete the v0.13 upgrade process before upgrading to Terraform v0.14.
The debug command, which did not offer additional functionality, has been removed.

ENHANCEMENTS:

config: Added sensitive argument for variable blocks, which supresses output where that variable is used (#26183)
config: Added alltrue and anytrue functions, which serve as a sort of dynamic version of the && and || or operators, respectively. These are intended to allow evaluating boolean conditions, such as in variable validation blocks, across all of the items in a collection using for expressions. (#25656], [#26498)
config: New functions textencodebase64 and textdecodebase64 for encoding text in various character encodings other than UTF-8. (#25470)
terraform plan and terraform apply: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)
config: ignore_changes can now apply to map keys that are not listed in the configuration (#26421)
terraform console: Now has distinct rendering of lists, sets, and tuples, and correctly renders objects with null attribute values. Multi-line strings are rendered using the "heredoc" syntax. (#26189, #27054)
terraform login: Added support for OAuth2 application scopes. (#26239)
terraform fmt: Will now do some slightly more opinionated normalization behaviors, using the documented idiomatic syntax. (#26390)
terraform init's provider installation step will now abort promptly if Terraform receives an interrupt signal. (#26405)
cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
cli: help text is been reorganized to emphasize the main commands and improve consistency (#26695)
cli: Ensure that provider requirements are met by the locked dependencies for every command. This will help catch errors if the configuration has changed since the last run of terraform init. (#26761)
core: When sensitive values are used as part of provisioner configuration, logging is disabled to ensure the values are not displayed to the UI (#26611)
core: terraform plan no longer uses a separate refresh phase. Instead, all resources are updated on-demand during planning (#26270)
modules: Adds support for loading modules with S3 virtual hosted-style access (#26914)
backend/consul: Split state into chunks when outgrowing the limit of the Consul KV store. This allows storing state larger than the Consul 512KB limit. (#25856)
backend/consul: Add force-unlock support to the Consul backend (#25837)
backend/gcs: Add service account impersonation to GCS backend (#26837)
On Unix-based operating systems other than MacOS, the SSL_CERT_DIR environment variable can now be a colon-separated list of multiple certificate search paths. (#26357)
On MacOS, Terraform will now use the Security.framework API to access the system trust roots, for improved consistency with other MacOS software. (#26357)

BUG FIXES:

config: Report an error when provider configuration attributes are incorrectly added to a required_providers object. (#26184)
config: Better errors for invalid terraform version constraints (#26543)
config: fix panic when element() is called with a negative offset (#26079)
config: lookup() will now only treat map as unknown if it is wholly unknown (#26427)
config: Fix provider detection for resources when local name does not match provider type (#26871)
terraform fmt: Fix incorrect heredoc syntax in plan diff output (#25725)
terraform show: Hide sensitive outputs from display (#26740)
terraform taint: If the configuration's required_version constraint is not met, the taint subcommand will now correctly exit early. (#26345)
terraform taint and terraform untaint: Fix issue when using taint (and untaint) with workspaces where statefile was not found. (#22467)
terraform init: Fix locksfile constraint output for versions like "1.2". (#26637)
terraform init: Omit duplicate version constraints when installing packages or writing locksfile. (#26678)
cli: return an error on a state unlock failure [#25729]
core: Prevent "Inconsistent Plan" errors when using dynamic with a block of TypeSet (#26638)
core: Errors with data sources reading old data during refresh, failing to refresh, and not appearing to wait on resource dependencies are fixed by updates to the data source lifecycle and the merging of refresh and plan (#26270)
core: Prevent evaluation of deposed instances, which in turn prevents errors when referencing create_before_destroy resources that have changes to their count or for_each values (#25631)
core: fix state push -force to work for all backends (#26190)
backend/consul: Fix bug which prevented state locking when path has trailing / (#25842)
backend/pg: Always have the default workspace in the pg backend (#26420)
backend/pg: Properly quote schema_name in the pg backend configuration (#26476)
build: Fix crash with terraform binary on OpenBSD. (#26249)
internal: Use default AWS credential handling when fetching modules (#26762)

EXPERIMENTS:

Experiments are Terraform language features that are not yet finalized but that we've included in a release so you can potentially try them out and share feedback. These features are only available if you explicitly enable the relevant experiment for your module. To share feedback on active experiments, please open an enhancement request issue in the main Terraform repository.

module_variable_optional_attrs: When declaring an input variable for a module whose type constraint (type argument) contains an object type constraint, the type expressions for the attributes can be annotated with the experimental optional(...) modifier.

Marking an attribute as "optional" changes the type conversion behavior for that type constraint so that if the given value is a map or object that has no attribute of that name then Terraform will silently give that attribute the value null, rather than returning an error saying that it is required. The resulting value still conforms to the type constraint in that the attribute is considered to be present, but references to it in the recieving module will find a null value and can act on that accordingly.

This experiment also includes a function named defaults which you can use in a local value to replace the null values representing optional attributes with non-null default values. The function also requires that you enable the module_variable_optional_attrs experiment for any module which calls it.
provider_sensitive_attrs: This is an unusual experiment in that it doesn't directly allow you to use a new feature in your module configuration but instead it changes the automatic behavior of Terraform in modules where it's enabled.

For modules where this experiment is active, Terraform will consider the attribute sensitivity flags set in provider resource type schemas when propagating the "sensitive" flag through expressions in the configuration. This is experimental because it has the potential to make far more items in the output be marked as sensitive than before, and so we want to get some experience and feedback about it before hopefully making this the default behavior.

One important consequence of enabling this experiment is that you may need to mark more of your module's output values as sensitive = true, in any case where a particular output value is derived from a value a provider has indicated as being sensitive. Without that explicit annotation, Terraform will return an error to avoid implicitly exposing a sensitive value via an output value.

If you try either of these features during their experimental periods and have feedback about them, please open a feature request issue. We are aiming to stabilize both features in the forthcoming v0.15 release, but their design may change in the meantime based on feedback. If we make further changes to the features during the v0.15 period then they will be reflected in v0.15 alpha releases.

`v0.13.7`

Compare Source

0.13.7 (April 26, 2021)

ENHANCEMENTS:

cli: Update the HashiCorp public key (#28500)

`v0.13.6`

Compare Source

0.13.6 (January 06, 2021)

UPGRADE NOTES:

The builtin provider's terraform_remote_state data source no longer enforces Terraform version checks on the remote state file. This allows Terraform 0.13.6 to access remote state from future Terraform versions, up until a future incompatible state file version upgrade is required. (#26692)

BUG FIXES:

init: setting -get-plugins to false will now cause a warning, as this flag has been a no-op since 0.13.0 and usage is better served through using provider_installation blocks (#27092)

`v0.13.5`

Compare Source

0.13.5 (October 21, 2020)

BUG FIXES:

terraform: fix issue where the provider configuration was not properly attached to the configured provider source address by localname (#26567)
core: fix a performance issue when a resource contains a very large and deeply nested schema (#26577)
backend/azurerm: fix an issue when using the metadata host to lookup environments (#26463)

`v0.13.4`

Compare Source

0.13.4 (September 30, 2020)

UPGRADE NOTES:

The built-in vendor (third-party) provisioners, which include habitat, puppet, chef, and salt-masterless are now deprecated and will be removed in a future version of Terraform. More information on Discuss.
Deprecated interpolation-only expressions are detected in more contexts in addition to resources and provider configurations. Module calls, data sources, outputs, and locals are now also covered. Terraform also detects interpolation-only expressions in complex values such as lists and objects. An expression like "${foo}" should be rewritten as just foo. (#27272] [#26334)

BUG FIXES:

command: Include schemas from required but unused providers in the output of terraform providers schema. This allows development tools such as the Terraform language server to offer autocompletion for the first resource for a given provider. (#26318)
core: create_before_destroy status is now updated in the state during refresh (#26343)
core: data sources using depends_on, either directly or through their modules, are no longer are forced to wait until apply by other planned data source reads (#26375)

`v0.13.3`

Compare Source

0.13.3 (September 16, 2020)

BUG FIXES:

build: fix crash with terraform binary on openBSD (#26250)
core: prevent create_before_destroy cycles by not connecting module close nodes to resource instance destroy nodes (#26186)
core: fix error where plan action changes from CreateThenDelete to DeleteThenCreate (#26192)
core: fix Cycle when create_before_destroy status wasn't checked from state (#26263)
core: fix "inconsistent final plan" error when changing the number of referenced resources to 0 (#26264)
states/remote: fix state push -force to work for all backends (#26190)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Update hashicorp/terraform Docker tag to v1

⚠ Dependency Lookup Warnings ⚠

Release Notes

1.4.6 (April 26, 2023)

1.4.5 (April 12, 2023)

1.4.4 (March 30, 2023)

1.4.3 (March 30, 2023)

1.4.2 (March 16, 2023)

1.4.1 (March 15, 2023)

1.4.0 (March 08, 2023)

1.3.9 (February 15, 2023)

1.3.8 (February 09, 2023)

1.3.7 (January 04, 2023)

1.3.6 (November 30, 2022)

1.3.5 (November 17, 2022)

1.3.4 (November 02, 2022)

1.3.3 (October 19, 2022)

1.3.2 (October 06, 2022)

1.3.1 (September 28, 2022)

1.3.0 (September 21, 2022)

1.2.9 (September 07, 2022)

1.2.8 (August 24, 2022)

1.2.7 (August 10, 2022)

1.2.6 (July 27, 2022)

1.2.5 (July 13, 2022)

1.2.4 (June 29, 2022)

1.2.3 (June 15, 2022)

1.2.2 (June 01, 2022)

1.2.1 (May 23, 2022)

1.2.0 (May 18, 2022)

1.1.9 (April 20, 2022)

1.1.8 (April 07, 2022)

1.1.7 (March 02, 2022)

1.1.6 (February 16, 2022)

1.1.5 (February 02, 2022)

1.1.4 (January 19, 2022)

1.1.3 (January 06, 2022)

1.1.2 (December 17, 2021)

1.1.1 (December 15, 2021)

1.1.0 (December 08, 2021)

1.0.11 (November 10, 2021)

1.0.10 (October 28, 2021)

1.0.9 (October 13, 2021)

1.0.8 (September 29, 2021)

1.0.7 (September 15, 2021)

1.0.6 (September 03, 2021)

1.0.5 (August 18, 2021)

1.0.4 (August 04, 2021)

1.0.3 (July 21, 2021)

1.0.2 (July 07, 2021)

1.0.1 (June 24, 2021)

1.0.0 (June 08, 2021)

0.15.5 (June 02, 2021)

0.15.4 (May 19, 2021)

0.15.3 (May 06, 2021)

0.15.2 (May 05, 2021)

0.15.1 (April 26, 2021)

0.15.0 (April 14, 2021)

0.14.11 (April 26, 2021)

0.14.10 (April 07, 2021)

0.14.9 (March 24, 2021)

0.14.7 (February 17, 2021)

0.14.6 (February 04, 2021)

0.14.5 (January 20, 2021)

0.14.4 (January 06, 2021)

0.14.3 (December 17, 2020)

0.14.2 (December 08, 2020)

0.14.1 (December 08, 2020)

0.14.0 (December 02, 2020)

0.13.7 (April 26, 2021)

0.13.6 (January 06, 2021)

0.13.5 (October 21, 2020)

0.13.4 (September 30, 2020)

0.13.3 (September 16, 2020)

Configuration

Merge request reports