Terraform Enterprise v202410-1 (798)
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise
container digest: amd64/linux sha256:b27c789bf92e1ee835a5fba9eba26705d71783df0eb73fbd08275ad761fbcbaa
Terraform Enterprise v202410-1
Deprecations
[Updated January 21, 2025] Terraform Enterprise now supports new deployment options and will end support for the Replicated Native Scheduler option. The final Replicated release of Terraform Enterprise will be in March 2025 (extended from November 2024). Effective December 2024, only pre-existing workflows and capabilities will be tested for continued quality on Replicated releases. New features and product improvements will not be validated on Replicated releases. HashiCorp Support will support this release until April 1, 2026, but bug and security fixes backports will not be available after March.
The
terraform-build-worker-plan-timeout
andterraform-build-worker-apply-timeout
attributes in the admin organization and general settings API have been deprecated and will be removed in a future release of Terraform Enterprise. Use the newplan-timeout
andapply-timeout
attributes instead.Terraform Enterprise now supports new deployment options and will end support for the Replicated Native Scheduler option. The final Replicated release of Terraform Enterprise will be in November 2024. HashiCorp will support this release until April 1, 2026.
To ensure you continue to receive the latest features and fixes, including security updates, please plan to migrate to a new deployment option by November 2024. For more information, refer to Terraform Enterprise deployment overview or contact your HashiCorp account representative.
The variables API endpoint,
/vars
, is deprecated and will be removed in a future release. All existing integrations with this API should transition to the workspace variables API/workspaces/:workspace_id/vars
.PostgreSQL v12 will reach end of life on November 12 2024 and will no longer be supported in Terraform Enterprise after that date. Refer to the requirements for connecting a PostgreSQL ddatabase for a complete list of supported versions.
Known Issues
- [Updated October 28, 2024] A minor issue with Azure Kubernetes Service (AKS) workload identity authentication may prevent Terraform Enterprise from using the service consistently. To work around this issue, you must set
TFE_OBJECT_STORAGE_AZURE_ACCOUNT_KEY
in youroverrides.yaml
file to a non empty string. You must also set theTFE_OBJECT_STORAGE_AZURE_USE_MSI
setting tofalse
:
TFE_OBJECT_STORAGE_AZURE_ACCOUNT_KEY: a25vd25faXNzdWUK # Set to any non empty string.
TFE_OBJECT_STORAGE_AZURE_USE_MSI: false
- [Updated November 25, 2024] Terraform Enterprise does not currently support using a username provided via REDIS_USER for authenticating with an external Redis instance. To use authentication with Redis, configure Redis to require only a password for the default user by updating your Redis configuration file (redis.conf) as follows:
requirepass securepassword123
In the Terraform Enterprise environment, set only the REDIS_PASSWORD variable with the corresponding value.
Features
- Extends Azure's object storage configuration with workload identity fields by providing workload identity credentials authentication for the Azure backend.
- TFE now supports AKS workload identity authentication and authorization.
Improvements
- You can now use a SHA3 certificate for SAML signing validation.
- Teams with admin access on the default project no longer need to specify a project ID when creating a new workspace via the API. If a
project
relationship is not specified in the request, the workspace will be created in the default project as long as the caller has appropriate permission. - A small but constant memory leak has been discovered in the API serialization layer and fixed, which should reduce the overall memory consumption of Puma processes over time.
Bug Fixes
- Fixed a bug where some variable sets weren't visible in the
projects/:project_id/varsets
API endpoint for projects that contain no workspaces. - Fixed a bug where attempted eager loading of a user's teams negatively affected performance.
- When using
tfectl app config --format docker
to generate Docker compose configurations, the output has been enhanced to heighten clarity around generated values and formatting has been corrected of some environment variables. - Fixed unhandled exceptions when malformed filter parameters are used in /api/v2 endpoints.
- Workspaces API unlock action will now return a 400 status instead of 503 when the latest state version is still pending, but only for Terraform CLI 1.10+ clients.
- Users had reported the workspace-variables page returning 404/429 responses and/or rate limiting errors when the workspace is scoped to many projects/variables. This bug has been resolved and the performance of that page has improved.
- Services no longer fail to read the CA bundle when PostgreSQL settings are configured to either
verify-ca
orverify-full
- Fixes a known issue with the execution of tfectl node drain, where the task worker would not receive a signal from the command, and the node drain would not work.
Security
- We have resolved a vulnerability in which users were able to copy their session cookie from the browser and continue to use it with the API, even after logging out, when API rate limiting was disabled in their admin settings. Terraform Enterprise always requires the cookie session to be active when making an API request authenticated with a cookie.
- Container and binary updates address reported vulnerabilities (CVEs) in underlying base images, packages, and dependencies.