github hashicorp/terraform v0.14.0
on GitHub

latest releases: v1.8.2, v1.8.1, v1.8.0...
3 years ago

0.14.0 (December 02, 2020)

NEW FEATURES:

  • Terraform now supports marking input variables as sensitive, and will propagate that sensitivity through expressions that derive from sensitive input variables.

  • terraform init will now generate a lock file in the configuration directory which you can check in to your version control so that Terraform can make the same version selections in future. (#26524)

    If you wish to retain the previous behavior of always taking the newest version allowed by the version constraints on each install, you can run terraform init -upgrade to see that behavior.

  • Terraform will now support reading and writing all compatible state files, even from future versions of Terraform. This means that users of Terraform 0.14.0 will be able to share state files with future Terraform versions until a new state file format version is needed. We have no plans to change the state file format at this time. (#26752)

UPGRADE NOTES:

  • Outputs that reference sensitive values (which includes variables marked as sensitive, other module outputs marked as sensitive, or attributes a provider defines as sensitive if the provider_sensitive_attrs experiment is activated) must also be defined as sensitive, or Terraform will error at plan.
  • The version argument inside provider configuration blocks has been documented as deprecated since Terraform 0.12. As of 0.14 it will now also generate an explicit deprecation warning. To avoid the warning, use provider requirements declarations instead. (#26135)
  • The official MacOS builds of Terraform now require MacOS 10.12 Sierra or later. (#26357)
  • TLS certificate verification for outbound HTTPS requests from Terraform CLI no longer treats the certificate's "common name" as a valid hostname when the certificate lacks any "subject alternative name" entries for the hostname. TLS server certificates must list their hostnames as a "DNS name" in the subject alternative names field. (#26357)
  • Outbound HTTPS requests from Terraform CLI now enforce RFC 8446's client-side downgrade protection checks. This should not significantly affect normal operation, but may result in connection errors in environments where outgoing requests are forced through proxy servers and other "middleboxes", if they have behavior that resembles a downgrade attack. (#26357)
  • Terraform's HTTP client code is now slightly stricter than before in HTTP header parsing, but in ways that should not affect typical server implementations: Terraform now trims only ASCII whitespace characters, and does not allow Transfer-Encoding: identity. (#26357)
  • The terraform 0.13upgrade subcommand and the associated upgrade mechanisms are no longer available. Complete the v0.13 upgrade process before upgrading to Terraform v0.14.
  • The debug command, which did not offer additional functionality, has been removed.

ENHANCEMENTS:

  • config: Added sensitive argument for variable blocks, which supresses output where that variable is used (#26183)
  • config: Added alltrue and anytrue functions, which serve as a sort of dynamic version of the && and || or operators, respectively. These are intended to allow evaluating boolean conditions, such as in variable validation blocks, across all of the items in a collection using for expressions. (#25656], [#26498)
  • config: New functions textencodebase64 and textdecodebase64 for encoding text in various character encodings other than UTF-8. (#25470)
  • terraform plan and terraform apply: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)
  • config: ignore_changes can now apply to map keys that are not listed in the configuration (#26421)
  • terraform console: Now has distinct rendering of lists, sets, and tuples, and correctly renders objects with null attribute values. Multi-line strings are rendered using the "heredoc" syntax. (#26189, #27054)
  • terraform login: Added support for OAuth2 application scopes. (#26239)
  • terraform fmt: Will now do some slightly more opinionated normalization behaviors, using the documented idiomatic syntax. (#26390)
  • terraform init's provider installation step will now abort promptly if Terraform receives an interrupt signal. (#26405)
  • cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
  • cli: help text is been reorganized to emphasize the main commands and improve consistency (#26695)
  • cli: Ensure that provider requirements are met by the locked dependencies for every command. This will help catch errors if the configuration has changed since the last run of terraform init. (#26761)
  • core: When sensitive values are used as part of provisioner configuration, logging is disabled to ensure the values are not displayed to the UI (#26611)
  • core: terraform plan no longer uses a separate refresh phase. Instead, all resources are updated on-demand during planning (#26270)
  • modules: Adds support for loading modules with S3 virtual hosted-style access (#26914)
  • backend/consul: Split state into chunks when outgrowing the limit of the Consul KV store. This allows storing state larger than the Consul 512KB limit. (#25856)
  • backend/consul: Add force-unlock support to the Consul backend (#25837)
  • backend/gcs: Add service account impersonation to GCS backend (#26837)
  • On Unix-based operating systems other than MacOS, the SSL_CERT_DIR environment variable can now be a colon-separated list of multiple certificate search paths. (#26357)
  • On MacOS, Terraform will now use the Security.framework API to access the system trust roots, for improved consistency with other MacOS software. (#26357)

BUG FIXES:

  • config: Report an error when provider configuration attributes are incorrectly added to a required_providers object. (#26184)
  • config: Better errors for invalid terraform version constraints (#26543)
  • config: fix panic when element() is called with a negative offset (#26079)
  • config: lookup() will now only treat map as unknown if it is wholly unknown (#26427)
  • config: Fix provider detection for resources when local name does not match provider type (#26871)
  • terraform fmt: Fix incorrect heredoc syntax in plan diff output (#25725)
  • terraform show: Hide sensitive outputs from display (#26740)
  • terraform taint: If the configuration's required_version constraint is not met, the taint subcommand will now correctly exit early. (#26345)
  • terraform taint and terraform untaint: Fix issue when using taint (and untaint) with workspaces where statefile was not found. (#22467)
  • terraform init: Fix locksfile constraint output for versions like "1.2". (#26637)
  • terraform init: Omit duplicate version constraints when installing packages or writing locksfile. (#26678)
  • cli: return an error on a state unlock failure [#25729]
  • core: Prevent "Inconsistent Plan" errors when using dynamic with a block of TypeSet (#26638)
  • core: Errors with data sources reading old data during refresh, failing to refresh, and not appearing to wait on resource dependencies are fixed by updates to the data source lifecycle and the merging of refresh and plan (#26270)
  • core: Prevent evaluation of deposed instances, which in turn prevents errors when referencing create_before_destroy resources that have changes to their count or for_each values (#25631)
  • core: fix state push -force to work for all backends (#26190)
  • backend/consul: Fix bug which prevented state locking when path has trailing / (#25842)
  • backend/pg: Always have the default workspace in the pg backend (#26420)
  • backend/pg: Properly quote schema_name in the pg backend configuration (#26476)
  • build: Fix crash with terraform binary on OpenBSD. (#26249)
  • internal: Use default AWS credential handling when fetching modules (#26762)

EXPERIMENTS:

Experiments are Terraform language features that are not yet finalized but that we've included in a release so you can potentially try them out and share feedback. These features are only available if you explicitly enable the relevant experiment for your module. To share feedback on active experiments, please open an enhancement request issue in the main Terraform repository.

  • module_variable_optional_attrs: When declaring an input variable for a module whose type constraint (type argument) contains an object type constraint, the type expressions for the attributes can be annotated with the experimental optional(...) modifier.

    Marking an attribute as "optional" changes the type conversion behavior for that type constraint so that if the given value is a map or object that has no attribute of that name then Terraform will silently give that attribute the value null, rather than returning an error saying that it is required. The resulting value still conforms to the type constraint in that the attribute is considered to be present, but references to it in the recieving module will find a null value and can act on that accordingly.

    This experiment also includes a function named defaults which you can use in a local value to replace the null values representing optional attributes with non-null default values. The function also requires that you enable the module_variable_optional_attrs experiment for any module which calls it.

  • provider_sensitive_attrs: This is an unusual experiment in that it doesn't directly allow you to use a new feature in your module configuration but instead it changes the automatic behavior of Terraform in modules where it's enabled.

    For modules where this experiment is active, Terraform will consider the attribute sensitivity flags set in provider resource type schemas when propagating the "sensitive" flag through expressions in the configuration. This is experimental because it has the potential to make far more items in the output be marked as sensitive than before, and so we want to get some experience and feedback about it before hopefully making this the default behavior.

    One important consequence of enabling this experiment is that you may need to mark more of your module's output values as sensitive = true, in any case where a particular output value is derived from a value a provider has indicated as being sensitive. Without that explicit annotation, Terraform will return an error to avoid implicitly exposing a sensitive value via an output value.

If you try either of these features during their experimental periods and have feedback about them, please open a feature request issue. We are aiming to stabilize both features in the forthcoming v0.15 release, but their design may change in the meantime based on feedback. If we make further changes to the features during the v0.15 period then they will be reflected in v0.15 alpha releases.

Check out latest releases or
releases around hashicorp/terraform v0.14.0

Don't miss a new terraform release

NewReleases is sending notifications on new releases.

Get notifications