Terraform Enterprise v202311-1 (742)
Last required release: v202304-1 (692)
Flexible Deployment Options terraform-enterprise
container digest: amd64/linux sha256:93fad2721b712ab78723b31c8cc98d317d48d43a3acd8c0ace2425b7e372360d
Known Issues
- [Updated April 16, 2024] If you set the maximum run time on the site admin page to be longer than 24 hours, Terraform Enterprise will not trigger runs on this release version (v202311-1). Configure your maximum run time to 24 hours or less.
- [Updated February 26, 2024] In rare cases, no code modules created before upgrading to this release could contain errors that would cause upgrade failures. This issue is fixed in v202401-2.
- [Updated: February 26, 2024] Customers using
terraform-bundle
and that have defined a working directory may see an error in their runs that readsOperation failed: failed packing filesystem: illegal slug error: invalid symlink
. You can work around this error using a custom agent image built ontfc-agent
v1.12. This issue is resolved in v202401-1 of Terraform Enterprise. Contact support for help with this issue. - [Updated August 14, 2024] Runs that rely on dynamic provider credentials and workload identity will fail after a certain number of signing key rotations. This problem is fixed in v202407-1, and you can avoid it by upgrading v202407-1 or above. For details on additional workarounds, including manually trimming keys, refer to our support article.
- [Updated November 25, 2024] Terraform Enterprise does not currently support using a username provided via
REDIS_USER
for authenticating with an external Redis instance. To use authentication with Redis, configure Redis to require only a password for the default user by updating your Redis configuration file (redis.conf
) as follows, replacing<your password>
accordingly:
In the Terraform Enterprise environment, set only the REDIS_PASSWORD
variable with the corresponding value.
Highlights
The v202311-1 release contains two significant changes that improve storage utilization:
- You can now configure data retention policies that allow Terraform Enterprise to automatically delete old configuration versions and state versions. This prevents unbounded storage growth.
- The overall executable plan storage footprint has been dramatically reduced by removing the provider version cache from the executable plan storage for every plan.
Features
- You can now delete configuration versions and state versions to reclaim storage space.
- State versions may be created and uploaded separately, allowing large state transmissions in terraform v1.6+ to complete without exceeding the API timeout. Previously, create and upload was a single process that could lead to timeouts when dealing with large state files.
- Prior to Terraform v.1.6.x, the state version API returned archivist URLs. The API now returns TFE API URLs, which redirect to archivist URLs. To download state versions, you must follow redirects and include authentication as described in the API overview.
Improvements
- We have improved screen reader usability for the policy sets page.
- Users that do not have access to a project receive a warning when attempting to view the project's policy set(s).
- When creating or modifying workspaces, the version control provider section now has seperate sections for public providers and private providers.
- We have adjusted the way we detect and report drift. These changes are targeted toward reducing noise within drift reports.
Bug Fixes
- Errors parsing state (HandleParseStateJob) were incorrectly marked as successful. This has been fixed and failures will now properly return
Success == false
. - Workspace deletion will no longer be potentially blocked by an attached Run Task.
- OPA policies evaluations now have more robust handling for unexpected response formats.
- TFE installations with
consolidated_services_enabled
set to enabled now support using a service account when authenticating to GCP object storage. Previously an error would be reported on start -{"component":"terraform-enterprise","log":"2023-10-06T04:13:52.167Z [ERROR] terraform-enterprise: check failed: name=config duration=\"34.838µs\" err=\"google storage bucket, credentials, and project must be set\""}
.
Security
- Addressed HTTP/2 "Rapid Reset" (CVE-2023-44487, CVE-2023-39325) with adoption of new Go releases and associated dependencies.
- Container and binary updates address reported vulnerabilities (CVEs) in underlying base images, packages, and dependencies.