The following are the significant changes since 0.12.0-rc1.
The following are the significant changes since 0.12.0-beta2.
NEW FEATURES:
- New function `strrev`, for reversing unicode strings. (#21091)
IMPROVEMENTS:
- backend/s3: Support for the new AWS region `ap-east-1` (#21117)
- backend/remote: Do not unlock a workspace after a failed state upload (#21148)
- command/init: Improve formatting of provider names during discovery (#21094)
- command/0.12upgrade: Upgrade indexing of splat syntax (#21103)
- command/0.12upgrade: Return error for invalid references (e.g. with initial digits) (#21103)
BUG FIXES:
- core: Make sure UIInput keeps working after being canceled (#21139)
- lang/funcs: `flatten` fix handling of sets and tuples; return a tuple (#21171)
- states/statefile: properly upgrade dependency syntax (#21159)
BACKWARDS INCOMPATIBILITIES / NOTES:
- The `terraform state ...` family of commands have all been adjusted to more consistently match how resource addresses are resolved elsewhere in Terraform. In general the matches are now more specific than they were before (matching less, rather than more) but if you are using any of those commands in existing automation please verify that you will still be getting expected behavior using the `-dry-run` options.
- The `project` and `region` arguments for the `gcs` backend have now been removed, after having first been deprecated and then ignored in previous versions. These arguments are no longer needed because the backend expects the specified bucket to already exist. (#19285)
NEW FEATURES:
- New function `reverse`, for reversing lists. (#18887)
IMPROVEMENTS:
- The warning for undeclared variables in `.tfvars` files now consolidates multiple warnings when there are more than three, to avoid an overwhelming wall of warnings in situations where a common `.tfvars` file is used across many configurations. Setting "global" variables in `.tfvars` is deprecated for v0.12 and should be replaced with the `TF_VAR_...` environment variables. (#20581)
- backend/remote: Retry calls when the remote backend responds with a server error (#20588)
- backend/remote: Check for external updates while waiting for user input (#20620)
- config: The `coalesce` function now skips null values (#21002)
- backend/pg: Switch pg backend to session-level advisory locking (#20561)
- plugin/discover: Parse and display provider warnings from the Terraform Registry (#20674)
- plugin/registry: Add friendly error for when registry unresponsive (#20853)
BUG FIXES:
- backend/remote: Ensure variables are loaded correctly when using `terraform console` (#20857)
- backend/remote: Make sure workspaces are correctly uploaded (#20952)
- config: Correct `filebase64sha256` function return value (#20654)
- command/fmt: "Heredoc" sequences no longer cause incorrect indentation for following blocks (#20715)
- command/state ...: The address-matching logic for all of these commands now correctly matches an address like `aws_instance.foo` only in the root module, rather than matching all resources/instances of the given type and name in descendent modules too. (#20719)
- command/state list: Properly load user-supplied statefile. (#21015)
- command/state mv: Some regressions between 0.11 and 0.12 have been addressed. (#20719)
- command/plan: Diff renderer will no longer panic if an object is removed from the end of a list of objects. (#20765)
- command/plan: Diff renderer will now correctly indicate when adding a new attribute is what forces resource instance replacement. (#20827)
- config: The `coalesce` function will now correctly ignore empty strings (#21002)
- helper/schema: Prevent crash when setting a `TypeSet` attribute with a typed `nil` of `*schema.Set` (#20891)
- core: Restore pre-v0.12 behavior of retaining objects in state if a delete operation fails. (#21033)
Please see the announcement post for details on how to use this release.
BACKWARDS INCOMPATIBILITIES / NOTES:
- backend/s3: `workspace_key_prefix` can no longer be defined with leading or trailing slashes. Users should verify the state paths in s3 if they need to change this in case there are extra slashes in the keys (#20432)
- config: `path.module` and `path.root` now return paths with forward slashes on all operating systems, including Windows. This avoids the need to write constructed paths differently for Windows vs. other operating systems, but any existing constructed paths containing backslashes for Windows must now be rewritten to use forward slashes, like `"${path.module}/foo/bar"`. (#19708)
- config: `path.module` and `path.root` are now relative to the current working directory, rather than absolute as before. This avoids including a host-specific absolute path prefix on constructed paths, but may show as a diff after upgrade in situations where a constructed path is included in a resource attribute value. (#19708)
- tools/terraform-bundle: use the `terraform-bundle` of the same tag as the targeted terraform binary version. This avoids adding complexity to resolve protocol versions across different terraform versions. (#20030)
IMPROVEMENTS:
- communicator/ssh: Add SSH certificate authentication (#18896)
- communicator/ssh: Enable ssh keepalive messages for long running commands (#20437)
- config: New set-theory functions `sethaselement`, `setunion`, `setintersection`, and `setproduct` for working with set values.
- config: New type conversion functions `tostring`, `tonumber`, `tobool`, `tolist`, `toset`, and `tomap`. Explicit conversions are rarely required but occasionally useful; use these functions only when necessary.
- plugins: Plugin RPC connection is now authenticated (#19629)
- backend/azurerm: Support for authenticating using the Azure CLI (#19465)
- backend/remote: Return detailed version (in)compatibility information (#19659)
- backend/remote: Log early to indicate remote execution started (#19941)
- backend/remote: Make sure the correct error is shown when having version incompatibilities (#20086)
- backend/remote: Fix "token too long" errors when streaming remote operation logs (#20242)
- backend/remote: Use the `state.v2` service when using remote state only (#20379)
- backend/remote: Use the `can-queue-apply` permission to detect if apply is allowed (#20460)
- backend/s3: Fix missing workspace entries when using `workspace_key_prefix` with trailing slashes (#20432)
- backend/s3: Support DynamoDB, IAM, and STS endpoint configurations (#19571)
- backend/s3: Support for the new AWS region `eu-north-1` (#19651)
- backend/s3: Enhance retry logic and provide `max_retries` configuration to retry attempts (#19951)
- backend/s3: Enhance S3 `NoSuchBucket` error to include additional information (#19951)
- backend/s3: Remove unused EC2 platform and AWS Account ID lookup, and deprecate equivalent `skip_get_ec2_platforms` and `skip_requesting_account_id` arguments (#20374)
- backend/swift: Add support for locking and workspaces (#20211)
- core: Enhance service discovery error handling and messaging (#19589)
- core: Add support to retrieve version constraints to service discovery (#19647)
- core: Validate provisioner connection blocks, and mark host field as required (#19707)
- command/format: Ignore removal of empty strings (#19990)
- command/format: Reduce whitespaces in empty fields (#19995)
- command/format: Render null in dark gray (#19616)
- command/init: Add provider protocol compatibility UI err msg during registry discovery (#19976)
- command/providers schema: Add command to export schemas for all currently-configured providers (#20446)
- command/show: Add support for machine readable output via a `-json` argument to `terraform show` (#19687)
- command/state: Use locking when updating states (#19939)
- provisioner/salt: Default values for `remote_state_tree` and `remote_pillar_roots` (#17151)
BUG FIXES:
- config: Detect and reject self-referencing local values (#19706)
- config: Accept and ignore UTF-8 byte-order mark for configuration files (#19715)
- config: More helpful error message for a situation that may arise on upgrade from Terraform 0.11 or earlier (#19727)
- config: Backends configured with `-backend-config` are correctly applied and stored along with default values (#20480)
- connection/winrm: Set the correct default port when HTTPS is used (#19540)
- plugins: GRPC plugins shutdown correctly when Close is called (#19629)
- backend/local: Avoid rendering data sources on destroy (#19613)
- backend/local: Fix incorrect destroy/update count on apply (#19610)
- backend/local: Render CBD replacement (+/-) correctly (#19642)
- backend/remote: Exit with 1 when a remote run is canceled (#20481)
- command/format: Fix rendering of nested blocks during update (#19611)
- command/format: Fix rendering of force-new updates (#19609)
- command/format: Fix rendering of nested (JSON) object (#20071)
- command/format: Fix rendering of unknown elements in set/map/list (#20067)
- command/graph: Honor user-supplied plugin path (#18083)
- command/init: Fix plugin installer using wrong protocol causing incompatible API version with plugin (#19221)
- command/providers: Support `-no-color` argument to `terraform providers`, which was previously incorrectly returning an error (#19671)
- helper/schema: Fix setting a set in a list (#19552)
- states/statemgr: Avoid HTML escaping when printing LockInfo (#20005)
- core: Correct errors when referencing a resource containing count without an index (#19674)
- core: Fix occasional invalid provider errors when scaling down a counted datasource (#19676)
- core: Fix crash when applying a stored plan containing destroys (#19726)
NEW FEATURES:
- backend/pg: Support for using Postgresql for remote state storage (#19070)
NOTES: No changes to terraform; this release is only necessary to fix an incorrect version of the aws provider bundled in alpha3
BACKWARDS INCOMPATIBILITIES / NOTES:
- command: Remove `-module-depth` flag from plan, apply, and show. This flag was not widely used and the various updates and improvements to cli output should remove the need for this flag. (#19267)
- plugins: The protobuf/grpc package name for the provider protocol was changed from `proto` to `tfplugin5` in preparation for future protocol versioning. This means that plugin binaries built for alpha1 and alpha2 are no longer compatible and will need to be rebuilt. (#19393)
IMPROVEMENTS:
- dependencies: upgrading to v21.3.0 of `github.com/Azure/azure-sdk-for-go` (#19414)
- dependencies: upgrading to v10.15.4 of `github.com/Azure/go-autorest` (#19414)
- backend/azurerm: Fixing a bug where locks couldn't be unlocked (#19441)
- backend/azurerm: Support for authenticating via Managed Service Identity (#19433)
- backend/azurerm: Support for authenticating using a SAS Token (#19440)
- backend/azurerm: Support for custom Resource Manager Endpoints (#19460)
- backend/azurerm: Using the proxy from the environment when set (#19414)
- backend/azurerm: Deprecating the `arm_` prefix for keys used in the backend configuration (#19448)
- command/state: Update and enable the `state show` command (#19200)
- command/state: Lock the state when pushing a new state using `state push` (#19411)
- backend/remote: Implement the remote enhanced backend (#19299)
- backend/remote: Support remote state only usage by dynamically falling back to the local backend (#19378)
- backend/remote: Also show Sentinel policy output when there are no changes (#19403)
- backend/remote: Add support for the `console`, `graph` and `import` commands (#19464)
- backend/remote: Use the new force-unlock API (#19520)
- plugin/discovery: Use signing keys from the Terraform Registry when downloading providers. (#19389)
- plugin/discovery: Use default `-` namespace alias when fetching available providers from Terraform Registry. (#19494)
BUG FIXES:
- command/format: Fix rendering of attribute-agnostic diagnostics (#19453)
- core: Fix inconsistent plans when replacing instances. (#19233)
- core: Correct handling of unknown values in module outputs during planning and final resolution of them during apply. (#19237)
- core: Correct handling of wildcard dependencies when upgrading states (#19374)
- core: Fix missing validation of references to non-existing child modules, which was previously resulting in a panic. (#19487)
- helper/schema: Don't re-apply schema StateFuncs during apply (#19536)
- helper/schema: Allow providers to continue setting an empty string to a default bool value (#19521)
- helper/schema: Prevent the insertion of empty diff values when converting legacy diffs (#19253)
- helper/schema: Fix timeout parsing during Provider.Diff (plan) (#19286)
- helper/schema: Provider arguments set from environment variables now work correctly again, after regressing in the prior 0.12 alphas. (#19478)
- helper/schema: For schema attributes that have `Elem` as a nested `schema.Resource`, setting `Optional: true` now forces `MinItems` to be zero, thus mimicking a previously-undocumented behavior that some providers were relying on. (#19478)
- helper/schema: Always propagate NewComputed for previously zero value primitive type attributes (#19548)
- backend/remote: Fix issues with uploaded configs that contain symlinks (#19520)
IMPROVEMENTS:
- backend/s3: Support `credential_source` if specified in AWS configuration file (#19190)
- command/state: Update and enable the `state mv` command (#19197)
- command/state: Update and enable the `state rm` command (#19178)
BUG FIXES:
- lang: Fix crash in `lookup` function (#19161)
- Hostnames inside module registry source strings may now contain segments that begin with digits, due to an upstream fix in the IDNA parsing library. (#18039)
- helper/schema: Fix panic when null values appear for nested blocks (#19201)
- helper/schema: Restore handling of the special "timeouts" block in certain resource types. (#19222)
- helper/schema: Restore handling of DiffSuppressFunc and StateFunc. (#19226)
The goal of this release is to give users an early preview of the new language features, and to collect feedback primarily about bugs and usability issues related to the language itself, while the Terraform team addresses the remaining problems. There will be at least one beta and at least one release candidate before final, which should give a more complete impression of how the final v0.12.0 release will behave.
INCOMPATIBILITIES AND NOTES:
The following list contains the most important incompatibilities and notes relative to v0.11.8, but may be incomplete. This alpha release is offered for experimentation purposes only and should not be used to manage real infrastructure. A more complete upgrade guide will be prepared in time for the final v0.12.0 release.
- This release includes a revamped implementation of the configuration language that aims to address a wide array of feedback and known issues with the configuration language handling in prior versions. In order to resolve some ambiguities in the language, the new parser is stricter in some ways about following what was previously just idiomatic usage, and so some unusual constructs will need to be adjusted to be accepted by the new parser.
  The v0.12.0 final release will include a more complete language upgrade guide and a tool that can recognize and automatically upgrade common patterns for the new parser and new idiomatic forms.
- This release introduces new wire protocols for provider and provisioner plugins and a new automatic installation method for provider plugins. At the time of release there are no official plugin releases compatible with these new protocols and so automatic provider installation with `terraform init` is not functional. Instead, the v0.12.0-alpha1 distribution archives contain bundled experimental provider builds for use with the alpha.
- This release introduces new file formats for persisted Terraform state (both on local disk and in remote backends) and for saved plan files. Third-party tools that attempt to parse these files will need to be updated to work with the formats generated by v0.12 releases. Prior to v0.12.0 we will add a new command to obtain a JSON representation of a saved plan intended for outside consumption, but this command is not yet present in v0.12.0-alpha1.
- `terraform validate` now has a smaller scope than before, focusing only on configuration syntax and value type checking. This makes it safe to run e.g. on save in a text editor.
NEW FEATURES:
The overall theme for the v0.12 release is configuration language fixes and improvements. The fixes and improvements are too numerous to list out exhaustively, but the list below covers some highlights:
- First-class expressions: Prior to v0.12, expressions could be used only via string interpolation, like `"${var.foo}"`. Expressions are now fully integrated into the language, allowing them to be used directly as argument values, like `ami = var.ami`.
- `for` expressions: This new expression construct allows the construction of a list or map by transforming and filtering elements from another list or map. For more information, refer to the `for` expressions documentation.
- Dynamic configuration blocks: For nested configuration blocks accepted as part of a resource configuration, it is now possible to dynamically generate zero or more blocks corresponding to items in a list or map using the special new `dynamic` block construct. This is the official replacement for the common (but buggy) unofficial workaround of treating a block type name as if it were an attribute expecting a list of maps value, which worked occasionally before as a result of some unintended coincidences in the implementation.
- Generalised "splat" operator: The `aws_instance.foo.*.id` syntax was previously a special case only for resources with `count` set. It is now an operator within the expression language that can be applied to any list value. There is also an optional new splat variant that allows both index and attribute access operations on each item in the list. For more information, refer to the Splat Expressions documentation.
- Nullable argument values: It is now possible to use a conditional expression like `var.foo != "" ? var.foo : null` to conditionally leave an argument value unset, whereas before Terraform required the configuration author to provide a specific default value in this case. Assigning `null` to an argument is equivalent to omitting that argument entirely.
- Rich types in module inputs variables and output values: Terraform v0.7 added support for returning flat lists and maps of strings, but this is now generalized to allow returning arbitrary nested data structures with mixed types. Module authors can specify a precise expected type for each input variable to allow early validation of caller values.
- Resource and module object values: An entire resource or module can now be treated as an object value within expressions, including passing them through input variables and output values to other modules, using an attribute-less reference syntax, like `aws_instance.foo`.
- Extended template syntax: The simple interpolation syntax from prior versions is extended to become a simple template language, with support for conditional interpolations and repeated interpolations through iteration. For more information, see the String Templates documentation.
- `jsondecode` and `csvdecode` interpolation functions: Due to the richer type system in the new configuration language implementation, we can now offer functions for decoding serialization formats. `jsondecode` is the opposite of `jsonencode`, while `csvdecode` provides a way to load in lists of maps from a compact tabular representation.
- New Function: `fileexists` (#19086)
IMPROVEMENTS:
- `terraform validate` now accepts an argument `-json` which produces machine-readable output. Please refer to the documentation for this command for details on the format and some caveats that consumers must consider when using this interface. (#17539)
- The JSON-based variant of the Terraform language now has a more tightly-specified and reliable mapping to the native syntax variant. In prior versions, certain Terraform configuration features did not function as expected or were not usable via the JSON-based forms. For more information, see the JSON Configuration Syntax documentation.
BUG FIXES:
- The conditional operator `... ? ... : ...` now works with result values of any type and only returns evaluation errors for the chosen result expression, as those familiar with this operator in other languages might expect.
KNOWN ISSUES:
Since v0.12.0-alpha1 is an experimental build, this list is certainly incomplete. Please let us know via GitHub issues if you run into a problem not covered here!
- As noted above, the alpha1 release is bundled with its own special builds of a subset of providers because there are not yet any official upstream releases of providers that are compatible with the new v0.12 provider plugin protocol. Automatic installation of providers with `terraform init` is therefore not functional at the time of release of alpha1.
  Provider developers may wish to try building their plugins against the v0.12-alpha1 tag of Terraform Core to use them with this build. We cannot yet promise that all providers will be buildable in this way and that they will work flawlessly after building. Official releases of all HashiCorp-hosted providers compatible with v0.12 will follow at some point before v0.12.0 final.
- For providers that have required configuration arguments that can be set using environment variables, such as `AWS_REGION` in the `aws` provider, the detection of these environment variables is currently happening too "late" and so Terraform will prompt for these to be entered interactively or generate incorrect error messages saying that they are not set. To work around this, set these arguments inline within the configuration block. In most cases this does not apply to arguments related to API credentials, since most providers declare these ones as optional and then handle the environment variables directly in their own code. The environment variable defaults will be restored before final release.
- There are several error messages in Terraform Core that claim that a problem is caused by a bug in the provider and ask for an issue to be filed against that provider's repository. For this alpha release, we ask that users disregard this advice and report such problems instead within the Terraform Core repository, since they are more likely to be problems with the new protocol version bridge code that is included in the plugin SDK.
- Some secondary Terraform CLI subcommands are not yet updated for this release and will return errors or produce partial results. Please focus most testing and experimentation with this release on the core workflow commands `terraform init`, `terraform validate`, `terraform plan`, `terraform apply`, and `terraform destroy`.
In addition to the high-level known issues above, please refer also to the GitHub issues for this alpha release. This list will be updated with new reports throughout the alpha1 period, including workarounds where possible to allow for continued testing. (Issues shown in that list as closed indicate that the problem has been fixed for a future release; it is probably still present in the alpha1 release.)
NOTE: Subsequent releases in the v0.11.x line occurred after this branch pivoted to v0.12.0 development. For more information on these, see the v0.11 maintenance changelog.
IMPROVEMENTS:
- backend/remote: Return detailed version (in)compatibility information (#19660)
- core: Enhance service discovery error handling and messaging (#19660)
- core: Add support to retrieve version constraints to service discovery (#19660)
BUG FIXES:
- backend/remote: Fix symlink issues and Windows support when uploading configurations (#19573)
BUG FIXES:
- backend/local: Do not use backend operation variables (#19175)
IMPROVEMENTS:
- backend/remote: Also show policy check output when running a plan (#19088)
IMPROVEMENTS:
- provisioner/chef: Use user:group chown syntax (#18533)
- helper/resource: Add `ParallelTest()` to allow opt-in acceptance testing concurrency with `t.Parallel()` (#18688)
- backend/manta: Deprecate the `objectName` attribute in favor of the new `object_name` attribute (#18759)
- backend/migrations: Migrate existing non-empty default states when the backend only supports named states (#18760)
- provider/terraform: `terraform_remote_state` now accepts complex backend configurations (#18759)
- backend/remote: Implement the state.Locker interface to support state locking (#18826)
- backend/remote: Add initial support for the apply command (#18950)
- backend/remote: Ask to cancel pending remote operations when Ctrl-C is pressed (#18979)
- backend/remote: Add support for the `-no-color` command line flag (#19002)
- backend/remote: Prevent running plan or apply without permissions (#19012)
- backend/remote: Add checks for all flags we currently don’t support (#19013)
- backend/remote: Allow enhanced backends to pass custom exit codes (#19014)
- backend/remote: Properly handle workspaces that auto apply changes (#19022)
- backend/remote: Don’t ask questions when `-auto-approve` is set (#19035)
- backend/remote: Print status updates while waiting for the run to start (#19047)
BUG FIXES:
- backend/azurerm: Update endpoint for Azure Government (SDK Update) (#18877)
- backend/migrations: Check all workspaces for existing non-empty states (#18757)
- provider/terraform: Always call the backend validation method to prevent a possible panic (#18759)
- backend/remote: Take working directories (optional on workspaces) into account (#18773)
- backend/remote: Use pagination when retrieving states (workspaces) (#18817)
- backend/remote: Add the run ID to associate state when being used in TFE (#18818)
- core: Make sure the state is locked before it is used when `(un)tainting` (#18894)
NEW FEATURES:
- New `remote` backend: Initial release of the `remote` backend for use with Terraform Enterprise and Private Terraform Enterprise (#18596)
IMPROVEMENTS:
- cli: display workspace name in apply and destroy commands if not default (#18253)
- cli: Remove error on empty outputs when `-json` is set (#11721)
- helper/schema: Resources have a new `DeprecationMessage` property that can be set to a string, allowing full resources to be deprecated (#18286)
- backend/s3: Allow fallback to session-derived credentials (e.g. session via `AWS_PROFILE` environment variable and shared configuration) (#17901)
- backend/s3: Allow usage of `AWS_EC2_METADATA_DISABLED` environment variable (#17901)
BUG FIXES:
- config: The `rsadecrypt` interpolation function will no longer include the private key in an error message if it cannot be processed. (#18333)
- provisioner/habitat: add missing space for service url (#18400)
- backend/s3: Skip extraneous EC2 metadata redirect (#18570)
BUG FIXES:
- core: Fix handling of interpolated counts when applying a destroy plan (#17824)
PROVIDER SDK CHANGES (not user-facing):
- helper/schema: Invoking `ForceNew` on a key being removed from config during diff customization now correctly exposes that key as being removed in the updated diff. This prevents diff mismatches under certain circumstances. (#17811)
- helper/schema: Invoking `ForceNew` during diff customization on its own no longer writes any new data to the diff. This prevents writing of new nil to zero value diffs for sub-fields of complex lists and sets where a diff did not exist before. (#17811)
BUG FIXES:
- cli: Don't allow -target without arguments (#16360)
- cli: Fix strange formatting of list and map values in the `terraform console` command (#17714)
- core: Don't evaluate unused outputs during a full destroy operation (#17768)
- core: Fix local and output evaluation when they reference a resource being scaled down to 0 (#17765)
- connection/ssh: Retry on authentication failures when the remote service is available before it is completely configured (#17744)
- connection/winrm: Get execution errors from winrm commands (#17788)
- connection/winrm: Support NTLM authentication (#17748)
- provisioner/chef: Fix regression causing connection to be prematurely closed (#17609)
- provisioner/habitat: Set channel and builder URL during install, and enable service before start (#17403) (#17781)
PROVIDER SDK CHANGES (not user-facing):
- helper/schema: Attribute value is no longer included in error message when `ConflictsWith` keys are used together. (#17738)
IMPROVEMENTS:
- provisioner/chef: Allow specifying a channel (#17355)
BUG FIXES:
- core: Fix the timeout handling for provisioners (#17646)
- core: Ensure that state is unlocked after running console, import, graph or push commands (#17645)
- core: Don't open multiple file descriptors for local state files, which would cause reading the state to fail on Windows (#17636)
IMPROVEMENTS:
- cli: `terraform state list` now accepts a new argument `-id=...` for filtering resources for display by their remote ids (#17221)
- cli: `terraform destroy` now uses the option `-auto-approve` instead of `-force`, for consistency with `terraform apply`. The old flag is preserved for backward-compatibility, but is now deprecated; it will be retained for at least one major release. (#17218)
- connection/ssh: Add support for host key verification (#17354)
- backend/s3: add support for the cn-northwest-1 region (#17216)
- provisioner/local-exec: Allow setting custom environment variables when running commands (#13880)
- provisioner/habitat: Detect if hab user exists and only create if necessary (#17195)
- provisioner/habitat: Allow custom service name (#17196)
- general: https URLs are now supported in the HTTP_PROXY environment variable for URLs interpreted by Terraform Core. (This will not immediately be true for all Terraform provider plugins, since each must upgrade its own HTTP client.) go1.10:net/http
BUG FIXES:
- core: Make sure state is locked during initial refresh (#17422)
- core: Halt on fatal provisioner errors, rather than retrying until a timeout (#17359)
- core: When handling a forced exit due to multiple interrupts, prevent the process from exiting while the state is being written (#17323)
- core: Fix handling of locals and outputs at destroy time (#17241)
- core: Fix regression in handling of `count` arguments that refer to `count` attributes from other resources (#17548)
- provider/terraform: restore support for the deprecated `environment` argument to the `terraform_remote_state` data source (#17545)
- backend/gcs: Report the correct lock ID for GCS state locks (#17397)
PROVIDER SDK CHANGES (not user-facing):
- helper/schema: Prevent crash on removal of computed field in CustomizeDiff (#17261)
- helper/schema: Allow ResourceDiff.ForceNew on nested fields (avoid crash) (#17463)
- helper/schema: Allow `TypeMap` to have a `*schema.Schema` as its `Elem`, for consistency with `TypeSet` and `TypeList` (#17097)
- helper/validation: Add ValidateRFC3339TimeString function (#17484)
IMPROVEMENTS:
- backend/s3: add support for the eu-west-3 region (#17193)
BUG FIXES:
- core: fix crash when an error is encountered during refresh (#17076)
- config: fixed crash when module source is invalid (#17134)
- config: allow the count pseudo-attribute of a resource to be interpolated into `provisioner` and `connection` blocks without errors (#17133)
- backend/s3: allow the workspace name to be a prefix of workspace_key_prefix (#17086)
- provisioner/chef: fix crash when validating `use_policyfile` (#17147)
BACKWARDS INCOMPATIBILITIES / NOTES:
- backend/gcs: The gcs remote state backend was erroneously creating the state bucket if it didn't exist. This is not the intended behavior of backends, as Terraform cannot track or manage that resource. The target bucket must now be created separately, before using it with Terraform. (#16865)
NEW FEATURES:
IMPROVEMENTS:
- core: removed duplicate prompts and clarified wording when migrating backend configurations (#16939)
- config: new `rsadecrypt` interpolation function allows decrypting a base64-encoded ciphertext using a given private key. This is particularly useful for decrypting the password for a Windows instance on AWS EC2, but is generic and may find other uses too. (#16647)
- config: new `timeadd` interpolation function allows calculating a new timestamp relative to an existing known timestamp. (#16644)
- cli: Passing an empty string to `-plugin-dir` during init will remove previously saved paths (#16969)
- cli: Module and provider installation (and some other Terraform features) now implement RFC6555 when making outgoing HTTP requests, which should improve installation reliability for dual-stack (both IPv4 and IPv6) hosts running on networks that have non-performant or broken IPv6 Internet connectivity by trying both IPv4 and IPv6 connections. (#16805)
- backend/s3: it is now possible to disable the region check, for improved compatibility with third-party services that attempt to mimic the S3 API. (#16757)
- backend/s3: it is now possible to force the path-based S3 API form, for improved compatibility with third-party services that attempt to mimic the S3 API. (#17001)
- backend/s3: it is now possible to use named credentials from the `~/.aws/credentials` file, similarly to the AWS plugin (#16661)
- backend/manta: support for Triton RBAC (#17003)
- backend/gcs: support for customer-supplied encryption keys for remote state buckets (#16936)
- provider/terraform: in `terraform_remote_state`, the argument `environment` is now deprecated in favor of `workspace`. The `environment` argument will be removed in a later Terraform release. (#16558)
BUG FIXES:
- config: fixed crash in `substr` interpolation function with invalid offset (#17043)
- config: Referencing a count attribute in an output no longer generates a warning (#16866)
- cli: Terraform will no longer crash when `terraform plan`, `terraform apply`, and some other commands encounter an invalid provider version constraint in configuration, generating a proper error message instead. (#16867)
- backend/gcs: The usage of the GOOGLE_CREDENTIALS environment variable now matches that of the google provider (#16865)
- backend/gcs: fixed the locking methodology to avoid "double-locking" issues when used with the `terraform_remote_state` data source (#16852)
- backend/s3: the `workspace_key_prefix` can now be an empty string or contain slashes (#16932)
- provisioner/salt-masterless: now waits for all of the remote operations to complete before returning (#16704)
IMPROVEMENTS:
- modules: Modules can now receive a specific provider configuration in the `providers` map, even if it's only implicitly used (#16619)
- config: Terraform will now detect and warn about outputs containing potentially-problematic references to resources with `count` set where the reference does not use the "splat" syntax. This identifies situations where an output may reference a resource with `count = 0` even if the `count` expression does not currently evaluate to `0`, allowing the bug to be detected and fixed before the value is later changed to `0` and would thus become an error. This usage will become a fatal error in Terraform 0.12. (#16735)
- core: A new environment variable `TF_WARN_OUTPUT_ERRORS=1` is supported to opt out of the behavior introduced in 0.11.0 where errors in output expressions halt execution. This restores the previous behavior where such errors are ignored, allowing users to apply problematic configurations without fixing all of the errors. This opt-out will be removed in Terraform 0.12, so it is strongly recommended to use the new warning described in the previous item to detect and fix these problematic expressions. (#16782)
BUG FIXES:
- cli: fix crash when subcommands with sub-subcommands are accidentally provided as a single argument, such as `terraform "workspace list"` (#16789)
The following list combines the changes from 0.11.0-beta1 and 0.11.0-rc1 to give the full set of changes since 0.10.8. For details on each of the individual pre-releases, please see the 0.11.0-rc1 CHANGELOG.
BACKWARDS INCOMPATIBILITIES / NOTES:
The following items give an overview of the incompatibilities and other noteworthy changes in this release. For more details on some of these changes, along with information on how to upgrade existing configurations where needed, see the v0.11 upgrade guide.
- Output interpolation errors are now fatal. Module configs with unused outputs which contained errors will no longer be valid.
- Module configuration blocks have 2 new reserved attribute names, "providers" and "version". Modules using these as input variables will need to be updated.
- The module provider inheritance rules have changed. Inherited provider configurations will no longer be merged with local configurations, and additional (aliased) provider configurations must be explicitly passed between modules when shared. See the upgrade guide for more details.
- The command `terraform apply` with no explicit plan argument is now interactive by default. Specifically, it will show the generated plan and wait for confirmation before applying it, similar to the existing behavior of `terraform destroy`. The behavior is unchanged when a plan file argument is provided, and the previous behavior can be obtained without a plan file by using the `-auto-approve` option.
- The `terraform` provider (that is, the provider that contains the `terraform_remote_state` data source) has been re-incorporated as a built-in provider in the Terraform Core executable. In 0.10 it was split into a separate plugin along with all of the other providers, but this provider uses several internal Terraform Core APIs and so in practice it's been confusing to version that separately from Terraform Core. As a consequence, this provider no longer supports version constraints, and so `version` attributes for this provider in configuration must be removed.
- When remote state is enabled, Terraform will no longer generate a local `terraform.tfstate.backup` file before updating remote state. Previously this file could potentially be used to recover a previous state to help recover after a mistake, but it also caused a potentially-sensitive state file to be generated in an unexpected location that may be inadvertently copied or checked in to version control. With this local backup now removed, we recommend instead relying on versioning or backup mechanisms provided by the backend, such as Amazon S3 versioning or Terraform Enterprise's built-in state history mechanism. (Terraform will still create the local file `errored.tfstate` in the unlikely event that there is an error when writing to the remote backend.)
NEW FEATURES:
- modules: Module configuration blocks now have a "version" attribute, to set a version constraint for modules sourced from a registry. (#16466)
- modules: Module configuration blocks now have a "providers" attribute, to map a provider configuration from the current module into a submodule (#16379)
- backend/gcs: The gcs remote state backend now supports workspaces and locking.
- backend/manta: The Manta backend now supports workspaces and locking (#16296)
IMPROVEMENTS:
- cli: The `terraform apply` command now waits for interactive approval of the generated plan before applying it, unless an explicit plan file is provided. (#16502)
- cli: The `terraform version` command now prints out the version numbers of initialized plugins as well as the version of Terraform core, so that they can be more easily shared when opening GitHub Issues, etc. (#16439)
- cli: A new `TF_DATA_DIR` environment variable can be used to override the location where Terraform stores the files normally placed in the `.terraform` directory. (#16207)
- provider/terraform: now built in to Terraform Core so that it will always have the same backend functionality as the Terraform release it corresponds to. (#16543)
BUG FIXES:
- config: Provider config in submodules will no longer be overridden by parent providers with the same name. (#16379)
- cli: When remote state is enabled, Terraform will no longer generate a local `terraform.tfstate.backup` file before updating remote state. (#16464)
- core: state now includes a reference to the provider configuration most recently used to create or update a resource, so that the same configuration can be used to destroy that resource if its configuration (including the explicit pointer to a provider configuration) is removed (#16586)
- core: Module outputs can now produce errors, preventing them from silently propagating through the config. (#16204)
- backend/gcs: will now automatically add a slash to the given prefix if not present, since without it the workspace enumeration does not function correctly (#16585)
PROVIDER FRAMEWORK CHANGES (not user-facing):
- helper/schema: Loosen validation for 'id' field (#16456)
NEW FEATURES:
- New `etcdv3` backend, for use with the newer etcd api (#15680)
- New interpolation function `chunklist`, for splitting a list into a list of lists with specified sublist chunk sizes. (#15112)
IMPROVEMENTS:
- backend/s3: Add options to skip AWS validation which allows non-AWS S3 backends (#15553)
BUG FIXES:
- command/validate: Respect `-plugin-dir` overridden plugin paths in the `terraform validate` command. (#15985)
- provisioner/chef: Clean clients from `chef-vault` when `recreate_client` enabled (#16357)
- communicator/winrm: Support the `cacert` option for custom certificate authorities when provisioning over WinRM (#14783)
NEW FEATURES:
- Provider plugins can now optionally be cached in a shared directory to avoid re-downloading them for each configuration working directory. For more information, see the documentation. (#16000)
IMPROVEMENTS:
- config: New `abs` interpolation function, returning the absolute value of a number (#16168)
- config: New `transpose` interpolation function, which swaps the keys and values in a map of lists of strings. (#16192)
- cli: The Terraform CLI now supports tab-completion for commands and certain arguments for `bash` and `zsh` users. See the tab-completion docs for information on how to enable it. (#16176)
- cli: `terraform state rm` now includes in its output the count of resources that were removed from the state. (#16137)
BUG FIXES:
- modules: Update go-getter to fix crash when fetching invalid source subdir (#16161)
- modules: Fix regression in the handling of modules sourcing other modules with relative paths (#16160)
- core: Skip local value interpolation during destroy (#16213)
UPGRADE NOTES:
- The internal storage of modules has changed in this release, so after upgrading `terraform init` must be run to re-install modules in the new on-disk format. The existing installed versions of modules will be ignored, so the latest version of each module will be installed.
IMPROVEMENTS:
- Modules can now be installed from the Terraform Registry
- cli: `terraform import` now accepts an option `-allow-missing-config` that overrides the default requirement that a configuration block must already be present for the resource being imported. (#15876)
NEW FEATURES:
- config: `indent` interpolation function appends spaces to all but the first line of a multi-line string (#15311)
IMPROVEMENTS:
- cli: `terraform fmt` has a new option `-check` which makes it return a non-zero exit status if any formatting changes are required (#15387)
- cli: When running Terraform in automation, a new environment variable `TF_IN_AUTOMATION` can be used to disable or adjust certain prompts that would normally include specific CLI commands to run. This assumes that the wrapping automation tool is providing its own UI for guiding the user through the workflow, and thus the standard advice would be redundant and/or confusing. (#16059)
BUG FIXES:
- cli: restore the "(forces new resource)" annotations on attributes that were inadvertently disabled in 0.10.4. (#16067)
- cli: fix regression with installing modules from git when the `GIT_SSH_COMMAND` environment variable is set (#16099)
IMPROVEMENTS:
- `terraform apply` now uses the standard resource address syntax to refer to resources in its log (#15884)
- `terraform plan` output has some minor adjustments to improve readability and accessibility for those who can't see its colors (#15884)
BUG FIXES:
- backend/consul: fix crash during consul backend initialization (#15976)
- backend/azurerm: ensure that blob storage metadata is preserved when updating state blobs, to avoid losing track of lock metadata (#16015)
- config: local values now work properly in resource `count` and in modules with more than one `.tf` file (#15995) (#15982)
- cli: removed some inconsistencies in how data sources are counted and tallied in plan vs. apply and apply vs. destroy. In particular, data sources are no longer incorrectly counted as destroyed in `terraform destroy` (#15884)
BACKWARDS INCOMPATIBILITIES / NOTES:
- LGPL Dependencies Removed (#15862)
NEW FEATURES:
- Local Values: this new configuration language feature allows assigning a symbolic local name to an expression so it can be used multiple times in configuration without repetition. See the documentation for how to define and use local values. (#15449)
- `base64gzip` interpolation function: compresses a string with gzip and then base64-encodes the result (#3858)
- `flatten` interpolation function: turns a list of lists, or list of lists of lists, etc into a flat list of primitive values (#15278)
- `urlencode` interpolation function: applies standard URL encoding to a string so that it can be embedded in a URL without making it invalid and without any of the characters being interpreted as part of the URL structure (#15871)
- `salt-masterless` provisioner: runs Salt in masterless mode on a target server (#14720)
IMPROVEMENTS:
- config: The `jsonencode` interpolation function now accepts nested list and map structures, where before it would accept only strings, lists of strings, and maps of strings. (#14884)
- cli: The "creation complete" (and similar) messages from `terraform apply` now include a total elapsed time for each operation. (#15548)
- cli: Module installation (with either `terraform init` or `terraform get`) now detects and recursively initializes submodules when the source is a git repository. (#15891)
- cli: Modules can now be installed from `.tar.xz` archives, in addition to the existing `.tar.gz`, `.tar.bz2` and `.zip`. (#15891)
- provisioner/local-exec: now possible to specify a custom "interpreter", overriding the default of either `bash -c` (on Unix) or `cmd.exe /C` (on Windows) (#15166)
- backend/consul: can now set the path to a specific CA certificate file, client certificate file, and client key file that will be used when configuring the underlying Consul client. (#15405)
- backend/http: now has optional support for locking, with special support from the target server. Additionally, the update operation can now optionally be implemented via `PUT` rather than `POST`. (#15793)
- helper/resource: Add `TestStep.SkipFunc` (#15957)
BUG FIXES:
- cli: `terraform init` now verifies the required Terraform version from the root module config. Previously this was verified only on subsequent commands, after initialization. (#15935)
- cli: `terraform validate` now consults `terraform.tfvars`, if present, to set variable values. This is now consistent with the behavior of other commands. (#15938)
BUG FIXES:
- tools/terraform-bundle: Add missing Ui to ProviderInstaller (fix crash) (#15826)
- go-plugin: don't crash when server emits non-key-value JSON (go-plugin#43)
BUG FIXES:
- Fix `terraform state rm` and `mv` commands to work correctly with remote state backends (#15652)
- Fix errors when interpolations fail during input (#15780)
- Backoff retries in remote-execution provisioner (#15772)
- Load plugins from `~/.terraform.d/plugins/OS_ARCH/` and `.terraformrc` (#15769)
- The `import` command was ignoring the remote state configuration (#15768)
- Don't allow leading slashes in s3 bucket names for remote state (#15738)
IMPROVEMENTS:
- helper/schema: Add `GetOkExists` schema function (#15723)
- helper/schema: Make 'id' a reserved field name (#15695)
- command/init: Display version + source when initializing plugins (#15804)
INTERNAL CHANGES:
- DiffFieldReader.ReadField caches results to optimize deeply nested schemas (#15663)
This is the complete 0.9.11 to 0.10.0 CHANGELOG
BACKWARDS INCOMPATIBILITIES / NOTES:
- A new flag `-auto-approve` has been added to `terraform apply`. This flag controls whether an interactive approval is applied before making the changes in the plan. For now this flag defaults to `true` to preserve previous behavior, but this will become the new default in a future version. We suggest that anyone running `terraform apply` in wrapper scripts or automation refer to the upgrade guide to learn how to prepare such wrapper scripts for the later breaking change.
- The `validate` command now checks that all variables are specified by default. The validation will fail by default if that's not the case. (#13872)
- `terraform state rm` now requires at least one argument. Previously, calling it with no arguments would remove all resources from state, which is consistent with the other `terraform state` commands but unlikely enough that we considered it better to be inconsistent here to reduce the risk of accidentally destroying the state.
- Terraform providers are no longer distributed as part of the main Terraform distribution. Instead, they are installed automatically as part of running `terraform init`. It is therefore now mandatory to run `terraform init` before any other operations that use provider plugins, to ensure that the required plugins are installed and properly initialized.
- The `terraform env` family of commands have been renamed to `terraform workspace`, in response to feedback that the previous naming was confusing due to collisions with other concepts of the same name. The commands still work the same as they did before, and the `env` subcommand is still supported as an alias for backward compatibility. The `env` subcommand will be removed altogether in a future release, so it's recommended to update any automation or wrapper scripts that use these commands.
- The `terraform init` subcommand no longer takes a SOURCE argument to copy to the current directory. The behavior has been changed to match that of `plan` and `apply`, so that a configuration can be provided as an argument on the commandline while initializing the current directory. If a module needs to be copied into the current directory before initialization, it will have to be done manually.
- The `-target` option available on several Terraform subcommands has changed behavior and now matches potentially more resources. In particular, given an option `-target=module.foo`, resources in any descendent modules of `foo` will also be targeted, where before this was not true. After upgrading, be sure to look carefully at the set of changes proposed by `terraform plan` when using `-target` to ensure that the target is being interpreted as expected. Note that the `-target` argument is offered for exceptional circumstances only and is not intended for routine use.
- The `import` command requires that imported resources be specified in the configuration file. Previously, users were encouraged to import a resource and then write the configuration block for it. This creates the risk that users could import a resource and subsequently create no configuration for it, which results in Terraform deleting the resource. If the imported resource is not present in the configuration file, the `import` command will fail.
FEATURES:
- Separate Provider Releases: Providers are now released independently from Terraform.
- Automatic Provider Installation: The required providers will be automatically installed during `terraform init`.
- Provider Constraints: Providers are now versioned, and version constraints may be declared in the configuration.
PROVIDERS:
- Providers now maintain their own CHANGELOGs in their respective repositories: terraform-providers
IMPROVEMENTS:
- cli: Add a `-from-module` flag to `terraform init` to re-introduce the legacy `terraform init` behavior of fetching a module. (#15666)
- backend/s3: Add `workspace_key_prefix` to allow a user-configurable prefix for workspaces in the S3 Backend. (#15370)
- cli: `terraform apply` now has an option `-auto-approve=false` that produces an interactive prompt to approve the generated plan. This will become the default workflow in a future Terraform version. (#7251)
- cli: `terraform workspace show` command prints the current workspace name in a way that's more convenient for processing in wrapper scripts. (#15157)
- cli: `terraform state rm` will now generate an error if no arguments are passed, whereas before it treated it as an open resource address selecting all resources (#15283)
- cli: Files in the config directory ending in `.auto.tfvars` are now loaded automatically (in lexicographical order) in addition to the single `terraform.tfvars` file that auto-loaded previously. (#13306)
- Providers no longer in the main Terraform distribution; installed automatically by init instead (#15208)
- cli: `terraform env` command renamed to `terraform workspace` (#14952)
- cli: `terraform init` command now has `-upgrade` option to download the latest versions (within specified constraints) of modules and provider plugins.
- cli: The `-target` option to various Terraform operations can now target resources in descendent modules. (#15314)
- cli: Minor updates to `terraform plan` output: use standard resource address syntax, more visually-distinct `-/+` actions, and more (#15362)
- config: New interpolation function `contains`, to find if a given string exists in a list of strings. (#15322)
BUG FIXES:
- provisioner/chef: fix panic (#15617)
- Don't show a message about the path to the state file if the state is remote (#15435)
- Fix crash when `terraform graph` is run with no configuration (#15588)
- Handle correctly the `.exe` suffix on locally-compiled provider plugins on Windows systems. (#15587)
- config: Fixed a parsing issue in the interpolation language HIL that was causing misinterpretation of literal strings ending with escaped backslashes (#15415)
- core: the S3 Backend was failing to remove the state file checksums from DynamoDB when deleting a workspace (#15383)
- core: Improved resilience against crashes for a certain kind of inconsistency in the representation of list values in state. (#15390)
- core: Display correct to and from backends in copy message when migrating to new remote state (#15318)
- core: Fix a regression from 0.9.6 that was causing the tally of resources to create to be double-counted sometimes in the plan output (#15344)
- cli: the state `rm` and `mv` commands were always loading a state from a Backend, and ignoring the `-state` flag (#15388)
- cli: certain prompts in `terraform init` were respecting `-input=false` but not the `TF_INPUT` environment variable (#15391)
- state: Further work, building on #15423, to improve the internal design of the state managers to make this code more maintainable and reduce the risk of regressions; this may lead to slight changes to the number of times Terraform writes to remote state and how the serial is implemented with respect to those writes, which does not affect outward functionality but is worth noting if you log or inspect state updates for debugging purposes.
- config: Interpolation function `cidrhost` was not correctly calculating host addresses under IPv6 CIDR prefixes (#15321)
- provisioner/chef: Prevent a panic while trying to read the connection info (#15271)
- provisioner/file: Refactor the provisioner validation function to prevent false positives (#15273)
INTERNAL CHANGES:
- helper/schema: Actively disallow reserved field names in schema (#15522)
- helper/schema: Force field names to be alphanum lowercase + underscores (#15562)
BUG FIXES:
- provisioner/chef: fix panic (#15617)
IMPROVEMENTS:
- cli: Add a `-from-module` flag to `terraform init` to re-introduce the legacy `terraform init` behavior of fetching a module. (#15666)
BUG FIXES:
- Don't show a message about the path to the state file if the state is remote (#15435)
- Fix crash when `terraform graph` is run with no configuration (#15588)
- Handle correctly the `.exe` suffix on locally-compiled provider plugins on Windows systems. (#15587)
INTERNAL CHANGES:
- helper/schema: Actively disallow reserved field names in schema (#15522)
- helper/schema: Force field names to be alphanum lowercase + underscores (#15562)
BACKWARDS INCOMPATIBILITIES / NOTES:
- A new flag `-auto-approve` has been added to `terraform apply`. This flag controls whether an interactive approval is applied before making the changes in the plan. For now this flag defaults to `true` to preserve previous behavior, but this will become the new default in a future version. We suggest that anyone running `terraform apply` in wrapper scripts or automation refer to the upgrade guide to learn how to prepare such wrapper scripts for the later breaking change.
- The `validate` command now checks that all variables are specified by default. The validation will fail by default if that's not the case. (#13872)
- `terraform state rm` now requires at least one argument. Previously, calling it with no arguments would remove all resources from state, which is consistent with the other `terraform state` commands but unlikely enough that we considered it better to be inconsistent here to reduce the risk of accidentally destroying the state.
IMPROVEMENTS:
- backend/s3: Add `workspace_key_prefix` to allow a user-configurable prefix for workspaces in the S3 Backend. (#15370)
- cli: `terraform apply` now has an option `-auto-approve=false` that produces an interactive prompt to approve the generated plan. This will become the default workflow in a future Terraform version. (#7251)
- cli: `terraform workspace show` command prints the current workspace name in a way that's more convenient for processing in wrapper scripts. (#15157)
- cli: `terraform state rm` will now generate an error if no arguments are passed, whereas before it treated it as an open resource address selecting all resources (#15283)
- cli: Files in the config directory ending in `.auto.tfvars` are now loaded automatically (in lexicographical order) in addition to the single `terraform.tfvars` file that auto-loaded previously. (#13306)
BUG FIXES:
- config: Fixed a parsing issue in the interpolation language HIL that was causing misinterpretation of literal strings ending with escaped backslashes (#15415)
- core: the S3 Backend was failing to remove the state file checksums from DynamoDB when deleting a workspace (#15383)
- core: Improved resilience against crashes for a certain kind of inconsistency in the representation of list values in state. (#15390)
- core: Display correct to and from backends in copy message when migrating to new remote state (#15318)
- core: Fix a regression from 0.9.6 that was causing the tally of resources to create to be double-counted sometimes in the plan output (#15344)
- cli: the state `rm` and `mv` commands were always loading a state from a Backend, and ignoring the `-state` flag (#15388)
- cli: certain prompts in `terraform init` were respecting `-input=false` but not the `TF_INPUT` environment variable (#15391)
- state: Further work, building on #15423, to improve the internal design of the state managers to make this code more maintainable and reduce the risk of regressions; this may lead to slight changes to the number of times Terraform writes to remote state and how the serial is implemented with respect to those writes, which does not affect outward functionality but is worth noting if you log or inspect state updates for debugging purposes.
BACKWARDS INCOMPATIBILITIES / NOTES:
- Terraform providers are no longer distributed as part of the main Terraform distribution. Instead, they are installed automatically as part of running `terraform init`. It is therefore now mandatory to run `terraform init` before any other operations that use provider plugins, to ensure that the required plugins are installed and properly initialized.
- The `terraform env` family of commands have been renamed to `terraform workspace`, in response to feedback that the previous naming was confusing due to collisions with other concepts of the same name. The commands still work the same as they did before, and the `env` subcommand is still supported as an alias for backward compatibility. The `env` subcommand will be removed altogether in a future release, so it's recommended to update any automation or wrapper scripts that use these commands.
- The `terraform init` subcommand no longer takes a SOURCE argument to copy to the current directory. The behavior has been changed to match that of `plan` and `apply`, so that a configuration can be provided as an argument on the commandline while initializing the current directory. If a module needs to be copied into the current directory before initialization, it will have to be done manually.
- The `-target` option available on several Terraform subcommands has changed behavior and now matches potentially more resources. In particular, given an option `-target=module.foo`, resources in any descendent modules of `foo` will also be targeted, where before this was not true. After upgrading, be sure to look carefully at the set of changes proposed by `terraform plan` when using `-target` to ensure that the target is being interpreted as expected. Note that the `-target` argument is offered for exceptional circumstances only and is not intended for routine use.
- The `import` command requires that imported resources be specified in the configuration file. Previously, users were encouraged to import a resource and then write the configuration block for it. This creates the risk that users could import a resource and subsequently create no configuration for it, which results in Terraform deleting the resource. If the imported resource is not present in the configuration file, the `import` command will fail.
IMPROVEMENTS:
- Providers no longer in the main Terraform distribution; installed automatically by init instead (#15208)
- cli: `terraform env` command renamed to `terraform workspace` (#14952)
- cli: `terraform init` command now has `-upgrade` option to download the latest versions (within specified constraints) of modules and provider plugins.
- cli: The `-target` option to various Terraform operations can now target resources in descendent modules. (#15314)
- cli: Minor updates to `terraform plan` output: use standard resource address syntax, more visually-distinct `-/+` actions, and more (#15362)
- config: New interpolation function `contains`, to find if a given string exists in a list of strings. (#15322)
BUG FIXES:
- config: Interpolation function `cidrhost` was not correctly calculating host addresses under IPv6 CIDR prefixes (#15321)
- provisioner/chef: Prevent a panic while trying to read the connection info (#15271)
- provisioner/file: Refactor the provisioner validation function to prevent false positives (#15273)
BUG FIXES:
- core: Hotfix for issue where a state from a plan was reported as not equal to the same state stored to a backend. This arose from the fix for the previous issue where the incorrect copy of the state was being used when applying with a plan. (#15460)
BUG FIXES:
- core: Hotfix for issue where state index wasn't getting properly incremented when applying a change containing only data source updates and/or resource drift. (That is, state changes made during refresh.) This issue is significant only for the "atlas" backend, since that backend verifies on the server that state serial numbers are being used consistently. (#15423)
BUG FIXES:
- provisioner/file: Refactor the provisioner validation function to prevent false positives (#15273)
- provisioner/chef: Prevent a panic while trying to read the connection info (#15271)
NOTE:
- The 0.9.7 release had a bug with its new feature of periodically persisting state to the backend during an apply, as part of [#14834]. This change has been reverted in this release and will be re-introduced at a later time once it has been made to work properly.
IMPROVEMENTS:
- provider/google: `network` argument in `google_compute_instance_group` is now optional (#13493)
- provider/google: Add support for `draining_timeout_sec` to `google_compute_backend_service`. (#14559)
BUG FIXES:
- provider/aws: fixed reading network configurations for `spot_fleet_request` (#13748)
BACKWARDS INCOMPATIBILITIES / NOTES:
- The `lock_table` attribute in the S3 backend configuration has been deprecated in favor of `dynamodb_table`, which better reflects that the table is no longer only used for locks. (#14949)
FEATURES:
- New Data Source: `aws_elastic_beanstalk_solution_stack` (#14944)
- New Data Source: `aws_elasticache_cluster` (#14895)
- New Data Source: `aws_ssm_parameter` (#15035)
- New Data Source: `azurerm_public_ip` (#15110)
- New Resource: `aws_ssm_parameter` (#15035)
- New Resource: `aws_ssm_patch_baseline` (#14954)
- New Resource: `aws_ssm_patch_group` (#14954)
- New Resource: `librato_metric` (#14562)
- New Resource: `digitalocean_certificate` (#14578)
- New Resource: `vcd_edgegateway_vpn` (#13123)
- New Resource: `vault_mount` (#14456)
- New Interpolation Function: `bcrypt` (#14725)
IMPROVEMENTS:
- backend/consul: Storing state to Consul now uses Check-And-Set (CAS) by default to avoid inconsistent state, and will automatically attempt to re-acquire a lock if it is lost during Terraform execution. (#14930)
- core: Remote state is now persisted more frequently to minimize data loss in the event of a crash. (#14834)
- provider/alicloud: Add the function of replacing ecs instance's system disk (#15048)
- provider/aws: Expose RDS instance and cluster resource id (#14882)
- provider/aws: Export internal tunnel addresses + document (#14835)
- provider/aws: Fix misleading error in aws_route validation (#14972)
- provider/aws: Support import of aws_lambda_event_source_mapping (#14898)
- provider/aws: Add support for a configurable timeout in db_option_group (#15023)
- provider/aws: Add task_parameters parameter to aws_ssm_maintenance_window_task resource (#15104)
- provider/aws: Expose reason of EMR cluster termination (#15117)
- provider/aws: `data.aws_acm_certificate` can now filter by `type` (#15063)
- provider/azurerm: Ignore case sensitivity in Azurerm resource enums (#14861)
- provider/digitalocean: Add support for changing TTL on DigitalOcean domain records. (#14805)
- provider/google: Add ability to import Google Compute persistent disks (#14573)
- provider/google: `google_container_cluster.master_auth` should be optional (#14630)
- provider/google: Add CORS support for `google_storage_bucket` (#14695)
- provider/google: Allow resizing of Google Cloud persistent disks (#15077)
- provider/google: Add private_ip_google_access update support to google_compute_subnetwork (#15125)
- provider/heroku: can now import Heroku Spaces (#14973)
- provider/kubernetes: Upgrade K8S from 1.5.3 to 1.6.1 (#14923)
- provider/kubernetes: Provide more details about why PVC failed to bind (#15019)
- provider/kubernetes: Allow sourcing config_path from `KUBECONFIG` env var (#14889)
- provider/openstack: Add support provider networks (#10265)
- provider/openstack: Allow numerical protocols in security group rules (#14917)
- provider/openstack: Sort request/response headers in debug output (#14956)
- provider/openstack: Add support for FWaaS routerinsertion extension (#12589)
- provider/openstack: Add Terraform version to UserAgent string (#14955)
- provider/openstack: Optimize the printing of debug output (#15086)
- provisioner/chef: Use `helpers.shema.Provisoner` in Chef provisioner V2 (#14681)
BUG FIXES:
- provider/alicloud: set `alicloud_nat_gateway` zone to be Computed to avoid perpetual diffs (#15050)
- provider/alicloud: set provider to read env vars for access key and secret key if empty strings (#15050)
- provider/alicloud: Fix vpc and vswitch bugs while creating vpc and vswitch (#15082)
- provider/alicloud: Fix allocating public ip bug (#15049)
- provider/alicloud: Fix security group rules nic_type bug (#15114)
- provider/aws: ForceNew aws_launch_config on ebs_block_device change (#14899)
- provider/aws: Avoid crash when EgressOnly IGW disappears (#14929)
- provider/aws: Allow IPv6/IPv4 addresses to coexist (#13702)
- provider/aws: Expect exception on deletion of APIG Usage Plan Key (#14958)
- provider/aws: Fix panic on nil dead_letter_config (#14964)
- provider/aws: Work around IAM eventual consistency in CW Log Subs (#14959)
- provider/aws: Fix ModifyInstanceAttribute on new instances (#14992)
- provider/aws: Fix issue with removing tags in aws_cloudwatch_log_group (#14886)
- provider/aws: Raise timeout for VPC DHCP options creation to 5 mins (#15084)
- provider/aws: Retry Redshift cluster deletion on InvalidClusterState (#15068)
- provider/aws: Retry Lambda func creation on IAM error (#15067)
- provider/aws: Retry ECS service creation on ClusterNotFoundException (#15066)
- provider/aws: Retry ECS service update on ServiceNotFoundException (#15073)
- provider/aws: Retry DB parameter group delete on InvalidDBParameterGroupState (#15071)
- provider/aws: Guard against panic when no aws_default_vpc found (#15070)
- provider/aws: Guard against panic if no NodeGroupMembers returned in `elasticache_replication_group` (#13488)
- provider/aws: Revoke default ipv6 egress rule for aws_security_group (#15075)
- provider/aws: Lambda ENI deletion fails on destroy (#11849)
- provider/aws: Add gov and cn hosted zone Ids to aws_elb_hosted_zone data source (#15149)
- provider/azurerm: VM - making `os_profile` optional (#14176)
- provider/azurerm: Preserve the Subnet properties on Update (#13877)
- provider/datadog: make datadog_user verified a computed attribute (#15034)
- provider/datadog: use correct evaluation_delay parameter (#14878)
- provider/digitalocean: Refresh DO loadbalancer from state if 404 (#14897)
- provider/github: Do not set incorrect values in github_team data source (#14859)
- provider/google: use a mutex to prevent concurrent sql instance operations (#14424)
- provider/google: Set instances to computed in compute_instance_group (#15025)
- provider/google: Make google_compute_autoscaler use Update instead of Patch. (#15101)
- provider/kubernetes: Ignore internal k8s labels in `kubernetes_persistent_volume` (#13716)
- provider/librato: Add retry to librato_alert (#15118)
- provider/postgresql: Fix for leaking credentials in the provider (#14817)
- provider/postgresql: Drop the optional WITH token from CREATE ROLE. (#14864)
- provider/rancher: refresh rancher_host from state on nil or removed host (#15015)
BACKWARDS INCOMPATIBILITIES / NOTES:
- When assigning a "splat variable" to a resource attribute, like `foo = "${some_resource.foo.*.baz}"`, it is no longer required (nor recommended) to wrap the string in list brackets. The extra brackets continue to be allowed for resource attributes for compatibility, but this will cease to be allowed in a future version. (#14737)
- provider/aws: Allow lightsail resources to work in other regions. Previously Terraform would automatically configure lightsail resources to run solely in `us-east-1`. This means that if a provider was initialized with a different region than `us-east-1`, users will need to create a provider alias to maintain their lightsail resources in us-east-1 [#14685].
- provider/aws: Users of `aws_cloudfront_distribution` `default_cache_behavior` will notice that cookies is now a required value - even if that value is none (#12628)
- provider/google: Users of `google_compute_health_check` who were not setting a value for the `host` property of `http_health_check` or `https_health_check` previously had a faulty default value. This has been fixed and will show as a change in terraform plan/apply. (#14441)
FEATURES:
- New Provider: `ovh` (#12669)
- New Resource: `aws_default_subnet` (#14476)
- New Resource: `aws_default_vpc` (#11710)
- New Resource: `aws_default_vpc_dhcp_options` (#14475)
- New Resource: `aws_devicefarm_project` (#14288)
- New Resource: `aws_wafregional_ipset` (#13705)
- New Resource: `aws_wafregional_byte_match_set` (#13705)
- New Resource: `azurerm_express_route_circuit` (#14265)
- New Resource: `gitlab_deploy_key` (#14734)
- New Resource: `gitlab_group` (#14490)
- New Resource: `google_compute_router` (#12411)
- New Resource: `google_compute_router_interface` (#12411)
- New Resource: `google_compute_router_peer` (#12411)
- New Resource: `kubernetes_horizontal_pod_autoscaler` (#14763)
- New Resource: `kubernetes_service` (#14554)
- New Resource: `openstack_dns_zone_v2` (#14721)
- New Resource: `openstack_dns_recordset_v2` (#14813)
- New Data Source: `aws_db_snapshot` (#10291)
- New Data Source: `aws_kms_ciphertext` (#14691)
- New Data Source: `github_user` (#14570)
- New Data Source: `github_team` (#14614)
- New Data Source: `google_storage_object_signed_url` (#14643)
- New Interpolation Function: `pow` (#14598)
IMPROVEMENTS:
- core: After `apply`, if the state cannot be persisted to remote for some reason then write out a local state file for recovery (#14423)
- core: It's no longer required to surround an attribute value that is just a "splat" variable with a redundant set of array brackets. (#14737)
- core/provider-split: Split out the Oracle OPC provider to new structure (#14362)
- provider/aws: Show state reason when EC2 instance fails to launch (#14479)
- provider/aws: Show last scaling activity when ASG creation/update fails (#14480)
- provider/aws: Add `tags` (list of maps) for `aws_autoscaling_group` (#13574)
- provider/aws: Support filtering in ASG data source (#14501)
- provider/aws: Add ability to 'terraform import' aws_kms_alias resources (#14679)
- provider/aws: Allow lightsail resources to work in other regions (#14685)
- provider/aws: Configurable timeouts for EC2 instance + spot instance (#14711)
- provider/aws: Add ability to define timeouts for DMS replication instance (#14729)
- provider/aws: Add support for X-Ray tracing to aws_lambda_function (#14728)
- provider/azurerm: Virtual Machine Scale Sets with managed disk support (#13717)
- provider/azurerm: Virtual Machine Scale Sets with single placement option support (#14510)
- provider/azurerm: Adding support for VMSS Data Disks using Managed Disk feature (#14608)
- provider/azurerm: Adding support for 4TB disks (#14688)
- provider/cloudstack: Load the provider configuration from a CloudMonkey config file (#13926)
- provider/datadog: Add last aggregator to datadog_timeboard resource (#14391)
- provider/datadog: Added new evaluation_delay parameter (#14433)
- provider/docker: Allow Windows Docker containers to map volumes (#13584)
- provider/docker: Add `network_alias` to `docker_container` resource (#14710)
- provider/fastly: Mark the `s3_access_key`, `s3_secret_key`, & `secret_key` fields as sensitive (#14634)
- provider/gitlab: Add namespace ID attribute to `gitlab_project` (#14483)
- provider/google: Add a `url` attribute to `google_storage_bucket` (#14393)
- provider/google: Make google resource storage bucket importable (#14455)
- provider/google: Add support for privateIpGoogleAccess on subnetworks (#14234)
- provider/google: Add import support to `google_sql_user` (#14457)
- provider/google: add failover parameter to `google_sql_database_instance` (#14336)
- provider/google: resource_compute_disks can now reference snapshots using the snapshot URL (#14774)
- provider/heroku: Add import support for `heroku_pipeline` resource (#14486)
- provider/heroku: Add import support for `heroku_pipeline_coupling` resource (#14495)
- provider/heroku: Add import support for `heroku_addon` resource (#14508)
- provider/openstack: Add support for all protocols in Security Group Rules (#14307)
- provider/openstack: Add support for updating Subnet Allocation Pools (#14782)
- provider/openstack: Enable Security Group Updates (#14815)
- provider/rancher: Add member support to `rancher_environment` (#14563)
- provider/rundeck: adds `description` to `command` schema in `rundeck_job` resource (#14352)
- provider/scaleway: allow public_ip to be set on server resource (#14515)
- provider/vsphere: Exposing moid value from vm resource (#14793)
BUG FIXES:
- core: Store and verify checksums for S3 remote state to prevent fetching a stale state (#14746)
- core: Allow -force-unlock of an S3 named state (#14680)
- core: Fix incorrect errors when validating nested objects (#14784, #14801)
- core: When using `-target`, any outputs that include attributes of the targeted resources are now updated (#14186)
- core: Fixed 0.9.5 regression with the conditional operator `.. ? .. : ..` failing to type check with unknown/computed values (#14454)
- core: Fixed 0.9 regression causing issues during refresh when adding new data resource instances using `count` (#14098)
- core: Fixed crasher when populating a "splat variable" from an empty (nil) module state. (#14526)
- core: fix bad Sprintf in backend migration message (#14601)
- core: Addressed 0.9.5 issue with passing partially-unknown splat results through module variables, by removing the requirement to pass a redundant list level. (#14737)
- provider/aws: Allow updating constraints in WAF SizeConstraintSet + no constraints (#14661)
- provider/aws: Allow updating tuples in WAF ByteMatchSet + no tuples (#14071)
- provider/aws: Allow updating tuples in WAF SQLInjectionMatchSet + no tuples (#14667)
- provider/aws: Allow updating tuples in WAF XssMatchSet + no tuples (#14671)
- provider/aws: Increase EIP update timeout (#14381)
- provider/aws: Increase timeout for creating security group (#14380, #14724)
- provider/aws: Increase timeout for (dis)associating IPv6 addr to/from subnet (#14401)
- provider/aws: Increase timeout for retrying creation of IAM server cert (#14609)
- provider/aws: Increase timeout for deleting IGW (#14705)
- provider/aws: Increase timeout for retrying creation of CW log subs (#14722)
- provider/aws: Using the new time schema helper for RDS Instance lifecycle mgmt (#14369)
- provider/aws: Using the timeout schema helper to make alb timeout configurable (#14375)
- provider/aws: Refresh from state when CodePipeline Not Found (#14431)
- provider/aws: Override spot_instance_requests volume_tags schema (#14481)
- provider/aws: Allow Internet Gateway IPv6 routes (#14484)
- provider/aws: ForceNew aws_launch_config when root_block_device changes (#14507)
- provider/aws: Pass IAM Roles to codepipeline actions (#14263)
- provider/aws: Create rule(s) for prefix-list-only AWS security group permissions on 'terraform import' (#14528)
- provider/aws: Set aws_subnet ipv6_cidr_block to computed (#14542)
- provider/aws: Change of aws_subnet ipv6 causing update failure (#14545)
- provider/aws: Nothing to update in cloudformation should not result in errors (#14463)
- provider/aws: Handling data migration in RDS snapshot restoring (#14622)
- provider/aws: Mark cookies in `default_cache_behaviour` of cloudfront_distribution as required (#12628)
- provider/aws: Fall back to old tagging mechanism for AWS gov and aws China (#14627)
- provider/aws: Change AWS ssm_maintenance_window Read func (#14665)
- provider/aws: Increase timeout for creation of route_table (#14701)
- provider/aws: Retry ElastiCache cluster deletion when it's snapshotting (#14700)
- provider/aws: Retry ECS service update on InvalidParameterException (#14708)
- provider/aws: Retry IAM Role deletion on DeleteConflict (#14707)
- provider/aws: Do not dereference source_Dest_check in aws_instance (#14723)
- provider/aws: Add validation function for IAM Policies (#14669)
- provider/aws: Fix panic on instance shutdown (#14727)
- provider/aws: Handle migration when restoring db cluster from snapshot (#14766)
- provider/aws: Provider ability to enable snapshotting on ElastiCache RG (#14757)
- provider/cloudstack: `cloudstack_firewall` panicked when used with older (< v4.6) CloudStack versions (#14044)
- provider/datadog: Allowed method on aggregator is `avg` ! `average` (#14414)
- provider/digitalocean: Fix parsing of digitalocean dns records (#14215)
- provider/github: Log HTTP requests and responses in DEBUG mode (#14363)
- provider/github: Check for potentially nil response from GitHub API client (#14683)
- provider/google: Fix health check http/https defaults (#14441)
- provider/google: Fix issue with GCP Cloud SQL Instance `disk_autoresize` (#14582)
- provider/google: Fix crash creating Google Cloud SQL 2nd Generation replication instance (#14373)
- provider/google: Disks now detach before getting deleted (#14651)
- provider/google: Update `google_compute_target_pool`'s session_affinity default (#14807)
- provider/heroku: Fix issue with setting correct CName in heroku_domain (#14443)
- provider/opc: Correctly export `ip_address` in IP Addr Reservation (#14543)
- provider/openstack: Handle Deleted Resources in Floating IP Association (#14533)
- provider/openstack: Catch error during instance network parsing (#14704)
- provider/vault: Prevent panic when no secret found (#14435)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/aws: Users of aws_cloudfront_distributions with custom_origins have been broken due to changes in the AWS API requiring `OriginReadTimeout` being set for updates. This has been fixed and will show as a change in terraform plan / apply. (#13367)
- provider/aws: Users of China and Gov clouds, cannot use the new tagging of volumes created as part of aws_instances (#14055)
- provider/aws: Skip tag operations on cloudwatch logs in govcloud partition. Currently not supported by Amazon. (#12414)
- provider/aws: More consistent (un)quoting of long TXT/SPF `aws_route53_record`s. Previously we were trimming first 2 quotes and now we're (correctly) trimming first and last one. Depending on the use of quotes in your TXT/SPF records this may result in extra diff in plan/apply (#14170)
FEATURES:
- New Provider: `gitlab` (#13898)
- New Resource: `aws_emr_security_configuration` (#14080)
- New Resource: `aws_ssm_maintenance_window` (#14087)
- New Resource: `aws_ssm_maintenance_window_target` (#14087)
- New Resource: `aws_ssm_maintenance_window_task` (#14087)
- New Resource: `azurerm_sql_elasticpool` (#14099)
- New Resource: `google_bigquery_table` (#13743)
- New Resource: `google_compute_backend_bucket` (#14015)
- New Resource: `google_compute_snapshot` (#12482)
- New Resource: `heroku_app_feature` (#14035)
- New Resource: `heroku_pipeline` (#14078)
- New Resource: `heroku_pipeline_coupling` (#14078)
- New Resource: `kubernetes_limit_range` (#14285)
- New Resource: `kubernetes_resource_quota` (#13914)
- New Resource: `vault_auth_backend` (#10988)
- New Data Source: `aws_efs_file_system` (#14041)
- New Data Source: `http`, for retrieving text data from generic HTTP servers (#14270)
- New Data Source: `google_container_engine_versions`, for retrieving valid versions for clusters (#14280)
- New Interpolation Function: `log`, for computing logarithms (#12872)
IMPROVEMENTS:
- core: `sha512` and `base64sha512` interpolation functions, similar to their `sha256` equivalents. (#14100)
- core: It's now possible to use the index operator `[ ]` to select a known value out of a partially-known list, such as using "splat syntax" and increasing the `count`. (#14135)
- provider/aws: Add support for CustomOrigin timeouts to aws_cloudfront_distribution (#13367)
- provider/aws: Add support for IAMDatabaseAuthenticationEnabled (#14092)
- provider/aws: aws_dynamodb_table Add support for TimeToLive (#14104)
- provider/aws: Add `security_configuration` support to `aws_emr_cluster` (#14133)
- provider/aws: Add support for the tenancy placement option in `aws_spot_fleet_request` (#14163)
- provider/aws: `aws_db_option_group` normalizes name to lowercase (#14192, #14366)
- provider/aws: Add support description to aws_iam_role (#14208)
- provider/aws: Add support for SSM Documents to aws_cloudwatch_event_target (#14067)
- provider/aws: add additional custom service endpoint options for CloudFormation, KMS, RDS, SNS & SQS (#14097)
- provider/aws: Add ARN to security group data source (#14245)
- provider/aws: Improve the wording of DynamoDB Validation error message (#14256)
- provider/aws: Add support for importing Kinesis Streams (#14278)
- provider/aws: Add `arn` attribute to `aws_ses_domain_identity` resource (#14306)
- provider/aws: Add support for targets to aws_ssm_association (#14246)
- provider/aws: native redis clustering support for elasticache (#14317)
- provider/aws: Support updating `aws_waf_rule` predicates (#14089)
- provider/azurerm: `azurerm_template_deployment` now supports String/Int/Boolean outputs (#13670)
- provider/azurerm: Expose the Private IP Address for a Load Balancer, if available (#13965)
- provider/dns: Fix data dns txt record set (#14271)
- provider/dnsimple: Add support for import for dnsimple_records (#9130)
- provider/dyn: Add verbose Dyn provider logs (#14076)
- provider/google: Add support for networkIP in compute instance templates (#13515)
- provider/google: google_dns_managed_zone is now importable (#13824)
- provider/google: Add support for `compute_route` (#14065)
- provider/google: Add `path` to `google_pubsub_subscription` (#14238)
- provider/google: Improve Service Account by offering to recreate if missing (#14282)
- provider/google: Log HTTP requests and responses in DEBUG mode (#14281)
- provider/google: Add additional properties for google resource storage bucket object (#14259)
- provider/google: Handle all 404 checks in read functions via the new function (#14335)
- provider/heroku: import heroku_app resource (#14248)
- provider/nomad: Add TLS options (#13956)
- provider/triton: Add support for reading provider configuration from `TRITON_*` environment variables in addition to `SDC_*` (#14000)
- provider/triton: Add `cloud_config` argument to `triton_machine` resources for Linux containers (#12840)
- provider/triton: Add `insecure_skip_tls_verify` (#14077)
BUG FIXES:
- core: `module` blocks without names are now caught in validation, along with various other block types (#14162)
- core: no longer will errors and normal log output get garbled together on Windows (#14194)
- core: Avoid crash on empty TypeSet blocks (#14305)
- provider/aws: Update aws_ebs_volume when attached (#14005)
- provider/aws: Set aws_instance volume_tags to be Computed (#14007)
- provider/aws: Fix issue getting partition for federated users (#13992)
- provider/aws: aws_spot_instance_request not forcenew on volume_tags (#14046)
- provider/aws: Exclude aws_instance volume tagging for China and Gov Clouds (#14055)
- provider/aws: Fix source_dest_check with network_interface (#14079)
- provider/aws: Fixes the bug where SNS delivery policy get always recreated (#14064)
- provider/aws: Increase timeouts for Route Table retries (#14345)
- provider/aws: Prevent Crash when importing aws_route53_record (#14218)
- provider/aws: More consistent (un)quoting of long TXT/SPF `aws_route53_record`s (#14170)
- provider/aws: Retry deletion of AWSConfig Rule on ResourceInUseException (#14269)
- provider/aws: Refresh ssm document from state on 404 (#14279)
- provider/aws: Allow zero-value ELB and ALB names (#14304)
- provider/aws: Update the ignoring of AWS specific tags (#14321)
- provider/aws: Adding IPv6 address to instance causes perpetual diff (#14355)
- provider/aws: Fix SG update on instance with multiple network interfaces (#14299)
- provider/azurerm: Fixing a bug in `azurerm_network_interface` (#14365)
- provider/digitalocean: Prevent diffs when using IDs of images instead of slugs (#13879)
- provider/fastly: Changes setting conditionals to optional (#14103)
- provider/google: Ignore certain project services that can't be enabled directly via the api (#13730)
- provider/google: Ability to add more than 25 project services (#13758)
- provider/google: Fix compute instance panic with bad disk config (#14169)
- provider/google: Handle `google_storage_bucket_object` not being found (#14203)
- provider/google: Handle `google_compute_instance_group_manager` not being found (#14190)
- provider/google: better visibility for compute_region_backend_service (#14301)
- provider/heroku: Configure buildpacks correctly for both Org Apps and non-org Apps (#13990)
- provider/heroku: Fix `heroku_cert` update of ssl cert (#14240)
- provider/openstack: Handle disassociating deleted FloatingIP's from a server (#14210)
- provider/postgres: grant role when creating database (#11452)
- provider/triton: Make triton machine deletes synchronous. (#14368)
- provisioner/remote-exec: Fix panic from remote_exec provisioner (#14134)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/template: Fix invalid MIME formatting in `template_cloudinit_config`. While the change itself is not breaking the data source it may be referenced e.g. in `aws_launch_configuration` and similar resources which are immutable and the formatting change will therefore trigger recreation (#13752)
FEATURES:
- New Provider: `opc` - Oracle Public Cloud (#13468)
- New Provider: `oneandone` (#13633)
- New Data Source: `aws_ami_ids` (#13844, #13866)
- New Data Source: `aws_ebs_snapshot_ids` (#13844, #13866)
- New Data Source: `aws_kms_alias` (#13669)
- New Data Source: `aws_kinesis_stream` (#13562)
- New Data Source: `digitalocean_image` (#13787)
- New Data Source: `google_compute_network` (#12442)
- New Data Source: `google_compute_subnetwork` (#12442)
- New Resource: `local_file` for creating local files (please see the docs for caveats) (#12757)
- New Resource: `alicloud_ess_scalinggroup` (#13731)
- New Resource: `alicloud_ess_scalingconfiguration` (#13731)
- New Resource: `alicloud_ess_scalingrule` (#13731)
- New Resource: `alicloud_ess_schedule` (#13731)
- New Resource: `alicloud_snat_entry` (#13731)
- New Resource: `alicloud_forward_entry` (#13731)
- New Resource: `aws_cognito_identity_pool` (#13783)
- New Resource: `aws_network_interface_attachment` (#13861)
- New Resource: `github_branch_protection` (#10476)
- New Resource: `google_bigquery_dataset` (#13436)
- New Resource: `heroku_space` (#13921)
- New Resource: `template_dir` for producing a directory from templates (#13652)
- New Interpolation Function: `coalescelist()` (#12537)
IMPROVEMENTS:
- core: Add a `-reconfigure` flag to the `init` command, to configure a backend while ignoring any saved configuration (#13825)
- helper/schema: Disallow validation+diff suppression on computed fields (#13878)
- config: The interpolation function `cidrhost` now accepts a negative host number to count backwards from the end of the range (#13765)
- config: New interpolation function `matchkeys` for using values from one list to filter corresponding values from another list using a matching set. (#13847)
- state/remote/swift: Support Openstack request logging (#13583)
- provider/aws: Add an option to skip getting the supported EC2 platforms (#13672)
- provider/aws: Add `name_prefix` support to `aws_cloudwatch_log_group` (#13273)
- provider/aws: Add `bucket_prefix` to `aws_s3_bucket` (#13274)
- provider/aws: Add replica_source_db to the aws_db_instance datasource (#13842)
- provider/aws: Add IPv6 outputs to aws_subnet datasource (#13841)
- provider/aws: Exercise SecondaryPrivateIpAddressCount for network interface (#10590)
- provider/aws: Expose execution ARN + invoke URL for APIG deployment (#13889)
- provider/aws: Expose invoke ARN from Lambda function (for API Gateway) (#13890)
- provider/aws: Add tagging support to the 'aws_lambda_function' resource (#13873)
- provider/aws: Validate WAF metric names (#13885)
- provider/aws: Allow AWS Subnet to change IPv6 CIDR Block without ForceNew (#13909)
- provider/aws: Allow filtering of aws_subnet_ids by tags (#13937)
- provider/aws: Support aws_instance and volume tagging on creation (#13945)
- provider/aws: Add network_interface to aws_instance (#12933)
- provider/azurerm: VM Scale Sets - import support (#13464)
- provider/azurerm: Allow Azure China region support (#13767)
- provider/digitalocean: Export droplet prices (#13720)
- provider/fastly: Add support for GCS logging (#13553)
- provider/google: `google_compute_address` and `google_compute_global_address` are now importable (#13270)
- provider/google: `google_compute_network` is now importable (#13834)
- provider/google: add attached_disk field to google_compute_instance (#13443)
- provider/heroku: Set App buildpacks from config (#13910)
- provider/heroku: Create Heroku app in a private space (#13862)
- provider/vault: `vault_generic_secret` resource can now optionally detect drift if it has appropriate access (#11776)
BUG FIXES:
- core: Prevent resource.Retry from adding untracked resources after the timeout: (#13778)
- core: Allow a schema.TypeList to be ForceNew and computed (#13863)
- core: Fix crash when refresh or apply build an invalid graph (#13665)
- core: Add the close provider/provisioner transformers back (#13102)
- core: Fix a crash condition by improving the flatmap.Expand() logic (#13541)
- provider/alicloud: Fix create PrePaid instance (#13662)
- provider/alicloud: Fix allocate public ip error (#13268)
- provider/alicloud: alicloud_security_group_rule: check ptr before use it (#13731)
- provider/alicloud: alicloud_instance: fix ecs internet_max_bandwidth_out cannot set zero bug (#13731)
- provider/aws: Allow force-destroying `aws_route53_zone` which has trailing dot (#12421)
- provider/aws: Allow GovCloud KMS ARNs to pass validation in `kms_key_id` attributes (#13699)
- provider/aws: Changing aws_opsworks_instance should ForceNew (#13839)
- provider/aws: Fix DB Parameter Group Name (#13279)
- provider/aws: Fix issue importing some Security Groups and Rules based on rule structure (#13630)
- provider/aws: Fix issue for cross account IAM role with `aws_lambda_permission` (#13865)
- provider/aws: Fix WAF IPSet descriptors removal on update (#13766)
- provider/aws: Increase default number of retries from 11 to 25 (#13673)
- provider/aws: Remove aws_vpc_dhcp_options if not found (#13610)
- provider/aws: Remove aws_network_acl_rule if not found (#13608)
- provider/aws: Use mutex & retry for WAF change operations (#13656)
- provider/aws: Adding support for ipv6 to aws_subnets needs migration (#13876)
- provider/aws: Fix validation of the `name_prefix` parameter of the `aws_alb` resource (#13441)
- provider/azurerm: azurerm_redis_cache resource missing hostname (#13650)
- provider/azurerm: Locking around Network Security Group / Subnets (#13637)
- provider/azurerm: Locking route table on subnet create/delete (#13791)
- provider/azurerm: VM's - fixes a bug where ssh_keys could contain a null entry (#13755)
- provider/azurerm: VM's - ignoring the case on the `create_option` field during Diff's (#13933)
- provider/azurerm: fixing a bug refreshing the `azurerm_redis_cache` (#13899)
- provider/fastly: Fix issue with using 0 for `default_ttl` (#13648)
- provider/google: Fix panic in GKE provisioning with addons (#13954)
- provider/fastly: Add ability to associate a healthcheck to a backend (#13539)
- provider/google: Stop setting the id when project creation fails (#13644)
- provider/google: Make ports in resource_compute_forwarding_rule ForceNew (#13833)
- provider/google: Validation fixes for forwarding rules (#13952)
- provider/ignition: Internal cache moved to global, instead per provider instance (#13919)
- provider/logentries: Refresh from state when resources not found (#13810)
- provider/newrelic: newrelic_alert_condition - `condition_scope` must be `application` or `instance` (#12972)
- provider/opc: fixed issue with unqualifying nats (#13826)
- provider/opc: Fix instance label if unset (#13846)
- provider/openstack: Fix updating Ports (#13604)
- provider/rabbitmq: Allow users without tags (#13798)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/aws: Fix a critical bug in `aws_emr_cluster` in order to preserve the ordering of any arguments in `bootstrap_action`. Terraform will now enforce the ordering from the configuration. As a result, `aws_emr_cluster` resources may need to be recreated, as there is no API to update them in-place (#13580)
FEATURES:
- New Resource: `aws_api_gateway_method_settings` (#13542)
- New Resource: `aws_api_gateway_stage` (#13540)
- New Resource: `aws_iam_openid_connect_provider` (#13456)
- New Resource: `aws_lightsail_static_ip` (#13175)
- New Resource: `aws_lightsail_static_ip_attachment` (#13207)
- New Resource: `aws_ses_domain_identity` (#13098)
- New Resource: `azurerm_managed_disk` (#12455)
- New Resource: `kubernetes_persistent_volume` (#13277)
- New Resource: `kubernetes_persistent_volume_claim` (#13527)
- New Resource: `kubernetes_secret` (#12960)
- New Data Source: `aws_iam_role` (#13213)
IMPROVEMENTS:
- core: add `-lock-timeout` option, which will block and retry locks for the given duration (#13262)
- core: new `chomp` interpolation function which returns the given string with any trailing newline characters removed (#13419)
- backend/remote-state: Add support for assume role extensions to s3 backend (#13236)
- backend/remote-state: Filter extra entries from s3 environment listings (#13596)
- config: New interpolation functions basename and dirname, for file path manipulation (#13080)
- helper/resource: Allow unknown "pending" states (#13099)
- command/hook_ui: Increase max length of state IDs from 20 to 80 (#13317)
- provider/aws: Add support to set iam_role_arn on cloudformation Stack (#12547)
- provider/aws: Support priority and listener_arn update of alb_listener_rule (#13125)
- provider/aws: Deprecate roles in favour of role in iam_instance_profile (#13130)
- provider/aws: Make alb_target_group_attachment port optional (#13139)
- provider/aws: aws_api_gateway_domain_name certificate_private_key field marked as sensitive (#13147)
- provider/aws: aws_directory_service_directory password field marked as sensitive (#13147)
- provider/aws: aws_kinesis_firehose_delivery_stream password field marked as sensitive (#13147)
- provider/aws: aws_opsworks_application app_source.0.password & ssl_configuration.0.private_key fields marked as sensitive (#13147)
- provider/aws: aws_opsworks_stack custom_cookbooks_source.0.password field marked as sensitive (#13147)
- provider/aws: Support the ability to enable / disable ipv6 support in VPC (#12527)
- provider/aws: Added API Gateway integration update (#13249)
- provider/aws: Add identifier | name_prefix to RDS resources (#13232)
- provider/aws: Validate aws_ecs_task_definition.container_definitions (#12161)
- provider/aws: Update caller_identity data source (#13092)
- provider/aws: aws_subnet_ids data source for getting a list of subnet ids matching certain criteria (#13188)
- provider/aws: Support ip_address_type for aws_alb (#13227)
- provider/aws: Migrate aws_dms_* resources away from AWS waiters (#13291)
- provider/aws: Add support for treat_missing_data to cloudwatch_metric_alarm (#13358)
- provider/aws: Add support for evaluate_low_sample_count_percentiles to cloudwatch_metric_alarm (#13371)
- provider/aws: Add name_prefix to aws_alb_target_group (#13442)
- provider/aws: Add support for EMR clusters to aws_appautoscaling_target (#13368)
- provider/aws: Add import capabilities to codecommit_repository (#13577)
- provider/bitbucket: Improved error handling (#13390)
- provider/cloudstack: Do not force a new resource when updating cloudstack_loadbalancer_rule members (#11786)
- provider/fastly: Add support for Sumologic logging (#12541)
- provider/github: Handle the case when issue labels already exist (#13182)
- provider/google: Mark google_container_cluster's client_key & password inside master_auth as sensitive (#13148)
- provider/google: Add node_pool field in resource_container_cluster (#13402)
- provider/kubernetes: Allow defining custom config context (#12958)
- provider/openstack: Add support for 'value_specs' options to openstack_compute_servergroup_v2 (#13380)
- provider/statuscake: Add support for StatusCake TriggerRate field (#13340)
- provider/triton: Move to joyent/triton-go (#13225)
- provisioner/chef: Make sure we add new Chef-Vault clients as clients (#13525)
BUG FIXES:
- core: Escaped interpolation-like sequences (like $${foo}) now permitted in variable defaults (#13137)
- core: Fix strange issues with computed values in provider configuration that were worked around with -input=false (#11264, #13264)
- core: Fix crash when providing nested maps as variable values in a module block (#13343)
- core: connection block attributes are now subject to basic validation of attribute names during validate walk (#13400)
- provider/aws: Add Support for maintenance_window and back_window to rds_cluster_instance (#13134)
- provider/aws: Increase timeout for AMI registration (#13159)
- provider/aws: Increase timeouts for ELB (#13161)
- provider/aws: volume_type of aws_elasticsearch_domain.0.ebs_options marked as Computed which prevents spurious diffs (#13160)
- provider/aws: Don't set DBName on aws_db_instance from snapshot (#13140)
- provider/aws: Add DiffSuppression to aws_ecs_service placement_strategies (#13220)
- provider/aws: Refresh aws_alb_target_group stickiness on manual updates (#13199)
- provider/aws: Preserve default retain_on_delete in cloudfront import (#13209)
- provider/aws: Refresh aws_alb_target_group tags (#13200)
- provider/aws: Set aws_vpn_connection to recreate when in deleted state (#13204)
- provider/aws: Wait for aws_opsworks_instance to be running when it's specified (#13218)
- provider/aws: Handle aws_lambda_function missing s3 key error (#10960)
- provider/aws: Set stickiness to computed in alb_target_group (#13278)
- provider/aws: Increase timeout for deploying cloudfront_distribution from 40 to 70 mins (#13319)
- provider/aws: Increase AMI retry timeouts (#13324)
- provider/aws: Increase subnet deletion timeout (#13356)
- provider/aws: Increase launch_configuration creation timeout (#13357)
- provider/aws: Increase Beanstalk env 'ready' timeout (#13359)
- provider/aws: Raise timeout for deleting APIG REST API (#13414)
- provider/aws: Raise timeout for attaching/detaching VPN Gateway (#13457)
- provider/aws: Recreate opsworks_stack on change of service_role_arn (#13325)
- provider/aws: Fix KMS Key reading with Exists method (#13348)
- provider/aws: Fix DynamoDB issues about GSIs indexes (#13256)
- provider/aws: Fix aws_s3_bucket drift detection of logging options (#13281)
- provider/aws: Update ElasticTranscoderPreset to have default for MaxFrameRate (#13422)
- provider/aws: Fix aws_ami_launch_permission refresh when AMI disappears (#13469)
- provider/aws: Add support for updating SSM documents (#13491)
- provider/aws: Fix panic on nil route configs (#13548)
- provider/azurerm: Network Security Group - ignoring protocol casing at Import time (#13153)
- provider/azurerm: Fix crash when importing Local Network Gateways (#13261)
- provider/azurerm: Defaulting the value of duplicate_detection_history_time_window for azurerm_servicebus_topic (#13223)
- provider/azurerm: Event Hubs making the Location field idempotent (#13570)
- provider/bitbucket: Fixed issue where provider would fail with an "EOF" error on some operations (#13390)
- provider/dnsimple: Handle 404 on DNSimple records (#13131)
- provider/kubernetes: Use PATCH to update namespace (#13114)
- provider/ns1: No splitting answer on SPF records. (#13260)
- provider/openstack: Refresh volume_attachment from state if NotFound (#13342)
- provider/openstack: Add SOFT_DELETED to delete status (#13444)
- provider/profitbricks: Changed output type of ips variable of ip_block ProfitBricks resource (#13290)
- provider/template: Fix panic in cloudinit config (#13581)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/openstack: Port Fixed IPs are able to be read again using the original numerical notation. However, Fixed IP configurations which are obtaining addresses via DHCP must now use the all_fixed_ips attribute to reference the returned IP address.
- Environment names must be safe to use as a URL path segment without escaping, and this is enforced by the CLI.
FEATURES:
- New Resource: alicloud_db_instance (#12913)
- New Resource: aws_api_gateway_usage_plan (#12542)
- New Resource: aws_api_gateway_usage_plan_key (#12851)
- New Resource: github_repository_webhook (#12924)
- New Resource: random_pet (#12903)
- New Interpolation: substr (#12870)
- S3 Environments: The S3 remote state backend now supports named environments
IMPROVEMENTS:
- core: fix interpolation error when referencing computed values from an aws_instance cidr_block (#13046)
- core: fix ignore_changes causing fields to be removed during apply (#12897)
- core: add -force-copy option to terraform init to suppress prompts for copying state (#12939)
- helper/acctest: Add NewSSHKeyPair function (#12894)
- provider/alicloud: simplify validators (#12982)
- provider/aws: Added support for EMR AutoScalingRole (#12823)
- provider/aws: Add name_prefix to aws_autoscaling_group and aws_elb resources (#12629)
- provider/aws: Updated default configuration manager version in aws_opsworks_stack (#12979)
- provider/aws: Added aws_api_gateway_api_key value attribute (#9462)
- provider/aws: Allow aws_alb subnets to change (#12850)
- provider/aws: Support Attachment of ALB Target Groups to Autoscaling Groups (#12855)
- provider/aws: Support Import of iam_server_certificate (#13065)
- provider/azurerm: Add support for setting the primary network interface (#11290)
- provider/cloudstack: Add zone_id to cloudstack_ipaddress resource (#11306)
- provider/consul: Add support for basic auth to the provider (#12679)
- provider/digitalocean: Support disk only resize (#13059)
- provider/dnsimple: Allow dnsimple_record.priority attribute to be set (#12843)
- provider/google: Add support for service_account, metadata, and image_type fields in GKE cluster config (#12743)
- provider/google: Add local ssd count support for container clusters (#12281)
- provider/ignition: ignition_filesystem, explicit option to create the filesystem (#12980)
- provider/kubernetes: Internal K8S annotations are ignored in config_map (#12945)
- provider/ns1: Ensure provider checks for credentials (#12920)
- provider/openstack: Adding Timeouts to Blockstorage Resources (#12862)
- provider/openstack: Adding Timeouts to FWaaS v1 Resources (#12863)
- provider/openstack: Adding Timeouts to Image v2 and LBaaS v2 Resources (#12865)
- provider/openstack: Adding Timeouts to Network Resources (#12866)
- provider/openstack: Adding Timeouts to LBaaS v1 Resources (#12867)
- provider/openstack: Deprecating Instance Volume attribute (#13062)
- provider/openstack: Deprecating Instance Floating IP attribute (#13063)
- provider/openstack: Don't log the catalog (#13075)
- provider/openstack: Handle 409/500 Response on Pool Create (#13074)
- provider/pagerduty: Validate credentials (#12854)
- provider/openstack: Adding all_metadata attribute (#13061)
- provider/profitbricks: Handling missing resources (#13053)
BUG FIXES:
- core: Remove legacy remote state configuration on state migration. This fixes errors when saving plans. (#12888)
- provider/arukas: Default timeout for launching container increased to 15mins (was 10mins) (#12849)
- provider/aws: Fix flattened cloudfront lambda function associations to be a set not a slice (#11984)
- provider/aws: Consider ACTIVE as pending state during ECS svc deletion (#12986)
- provider/aws: Deprecate the usage of Api Gateway Key Stages in favor of Usage Plans (#12883)
- provider/aws: prevent panic in resourceAwsSsmDocumentRead (#12891)
- provider/aws: Prevent panic when setting AWS CodeBuild Source to state (#12915)
- provider/aws: Only call replace Iam Instance Profile on existing machines (#12922)
- provider/aws: Increase AWS AMI Destroy timeout (#12943)
- provider/aws: Set aws_vpc ipv6 for associated only (#12899)
- provider/aws: Fix AWS ECS placement strategy spread fields (#12998)
- provider/aws: Specify that aws_network_acl_rule requires a cidr block (#13013)
- provider/aws: aws_network_acl_rule treat all and -1 for protocol the same (#13049)
- provider/aws: Only allow 1 value in alb_listener_rule condition (#13051)
- provider/aws: Correct handling of network ACL default IPv6 ingress/egress rules (#12835)
- provider/aws: aws_ses_receipt_rule: fix off-by-one errors (#12961)
- provider/aws: Fix issue upgrading to Terraform v0.9+ with AWS OpsWorks Stacks (#13024)
- provider/fastly: Fix issue importing Fastly Services with Backends (#12538)
- provider/google: turn compute_instance_group.instances into a set (#12790)
- provider/mysql: recreate user/grant if user/grant got deleted manually (#12791)
- provider/openstack: Fix monitor_id typo in LBaaS v1 Pool (#13069)
- provider/openstack: Resolve issues with Port Fixed IPs (#13056)
- provider/rancher: error when no api_url is provided (#13086)
- provider/scaleway: work around parallel request limitation (#13045)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/pagerduty: the deprecated name_regex field has been removed from vendor data source (#12396)
FEATURES:
- New Provider: kubernetes (#12372)
- New Resource: kubernetes_namespace (#12372)
- New Resource: kubernetes_config_map (#12753)
- New Data Source: dns_a_record_set (#12744)
- New Data Source: dns_cname_record_set (#12744)
- New Data Source: dns_txt_record_set (#12744)
IMPROVEMENTS:
- command/init: -backend-config accepts key=value pairs
- provider/aws: Improved error when failing to get S3 tags (#12759)
- provider/aws: Validate CIDR Blocks in SG and SG rule resources (#12765)
- provider/aws: Add KMS key tag support (#12243)
- provider/aws: Allow name_prefix to be used with various IAM resources (#12658)
- provider/openstack: Add timeout support for Compute resources (#12794)
- provider/scaleway: expose public IPv6 information on scaleway_server (#12748)
BUG FIXES:
- core: Fix panic when an undefined module is referenced (#12793)
- core: Fix regression from 0.8.x when using a data source in a module (#12837)
- command/apply: Applies from plans with backends set will reuse the backend rather than local (#12785)
- command/init: Changing only -backend-config detects changes and reconfigures (#12776)
- command/init: Fix legacy backend init error that could occur when upgrading (#12818)
- command/push: Detect local state and error properly (#12773)
- command/refresh: Allow empty and non-existent state (#12777)
- provider/aws: Get the aws_lambda_function attributes when there are greater than 50 versions of a function (#11745)
- provider/aws: Correctly check for nil cidr_block in aws_network_acl (#12735)
- provider/aws: Stop setting weight property on route53_record read (#12756)
- provider/google: Fix the Google provider asking for account_file input on every run (#12729)
- provider/profitbricks: Prevent panic on profitbricks volume (#12819)
This is the complete 0.8.8 to 0.9 CHANGELOG. Below this section we also have a 0.9.0-beta2 to 0.9.0 final CHANGELOG.
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/aws: aws_codebuild_project renamed timeout to build_timeout (#12503)
- provider/azurerm: azurerm_virtual_machine and azurerm_virtual_machine_scale_set now store hash of custom_data not all custom_data (#12214)
- provider/azurerm: scale_sets os_profile_master_password now marked as sensitive
- provider/azurerm: sql_server administrator_login_password now marked as sensitive
- provider/dnsimple: Provider has been upgraded to APIv2 therefore, you will need to use the APIv2 auth token
- provider/google: storage buckets have been updated with the new storage classes. The old classes will continue working as before, but should be migrated as soon as possible, as there's no guarantee they'll continue working forever. (#12044)
- provider/google: compute_instance, compute_instance_template, and compute_disk all have a subtly changed logic when specifying an image family as the image; in 0.8.x they would pin to the latest image in the family when the resource is created; in 0.9.x they pass the family to the API and use its behaviour. New input formats are also supported. (#12223)
- provider/google: removed the unused and deprecated region field from google_compute_backend_service (#12663)
- provider/google: removed the deprecated account_file field for the Google Cloud provider (#12668)
- provider/google: removed the deprecated fields from google_project (#12659)
FEATURES:
- Remote Backends: This is a successor to "remote state" and includes file-based configuration, an improved setup process (just run terraform init), no more local caching of remote state, and more. (#11286)
- Destroy Provisioners: Provisioners can now be configured to run on resource destruction. (#11329)
- State Locking: State will be automatically locked when supported by the backend. Backends supporting locking in this release are Local, S3 (via DynamoDB), and Consul. (#11187)
- State Environments: You can now create named "environments" for states. This allows you to manage distinct infrastructure resources from the same configuration.
- New Provider: Circonus (#12578)
- New Data Source: openstack_networking_network_v2 (#12304)
- New Resource: aws_iam_account_alias (#12648)
- New Resource: datadog_downtime (#10994)
- New Resource: ns1_notifylist (#12373)
- New Resource: google_container_node_pool (#11802)
- New Resource: rancher_certificate (#12717)
- New Resource: rancher_host (#11545)
- helper/schema: Added Timeouts to allow Provider/Resource developers to expose configurable timeouts for actions (#12311)
IMPROVEMENTS:
- core: Data source values can now be used as part of a count calculation. (#11482)
- core: "terraformrc" can contain env var references with $FOO (#11929)
- core: report all errors encountered during config validation (#12383)
- command: CLI args can be specified via env vars. Specify TF_CLI_ARGS or TF_CLI_ARGS_name (where name is the name of a command) to specify additional CLI args (#11922)
- command/init: previous behavior is retained, but init now also configures the new remote backends as well as downloads modules. It is the single command to initialize a new or existing Terraform configuration.
- command: Display resource state ID in refresh/plan/destroy output (#12261)
- provider/aws: AWS Lambda DeadLetterConfig support (#12188)
- provider/aws: Return errors from Elastic Beanstalk (#12425)
- provider/aws: Set aws_db_cluster to snapshot by default (#11668)
- provider/aws: Enable final snapshots for aws_rds_cluster by default (#11694)
- provider/aws: Enable snapshotting by default on aws_redshift_cluster (#11695)
- provider/aws: Add support for ACM certificates to api_gateway_domain_name (#12592)
- provider/aws: Add support for IPv6 to aws_security_group_rule (#12645)
- provider/aws: Add IPv6 Support to aws_route_table (#12640)
- provider/aws: Add support for IPv6 to aws_network_acl_rule (#12644)
- provider/aws: Add support for IPv6 to aws_default_route_table (#12642)
- provider/aws: Add support for IPv6 to aws_network_acl (#12641)
- provider/aws: Add support for IPv6 in aws_route (#12639)
- provider/aws: Add support for IPv6 to aws_security_group (#12655)
- provider/aws: Add replace_unhealthy_instances to spot_fleet_request (#12681)
- provider/aws: Remove restriction on running aws_opsworks_* on us-east-1 (#12688)
- provider/aws: Improve error message on S3 Bucket Object deletion (#12712)
- provider/aws: Add log message about if changes are being applied now or later (#12691)
- provider/azurerm: Mark the azurerm_scale_set machine password as sensitive (#11982)
- provider/azurerm: Mark the azurerm_sql_server admin password as sensitive (#12004)
- provider/azurerm: Add support for managed availability sets. (#12532)
- provider/azurerm: Add support for extensions on virtual machine scale sets (#12124)
- provider/dnsimple: Upgrade DNSimple provider to API v2 (#10760)
- provider/docker: added support for linux capabilities (#12045)
- provider/fastly: Add Fastly SSL validation fields (#12578)
- provider/ignition: Migrate all of the ignition resources to data sources (#11851)
- provider/openstack: Set Availability Zone in Instances (#12610)
- provider/openstack: Force Deletion of Instances (#12689)
- provider/rancher: Better comparison of compose files (#12561)
- provider/azurerm: store only hash of azurerm_virtual_machine and azurerm_virtual_machine_scale_set custom_data - reduces size of state (#12214)
- provider/vault: read vault token from ~/.vault-token as a fallback for the VAULT_TOKEN environment variable. (#11529)
- provisioners: All provisioners now respond very quickly to interrupts for fast cancellation. (#10934)
BUG FIXES:
- core: targeting will remove untargeted providers (#12050)
- core: doing a map lookup in a resource config with a computed set no longer crashes (#12210)
- provider/aws: Fixes issue for aws_lb_ssl_negotiation_policy of already deleted ELB (#12360)
- provider/aws: Populate the iam_instance_profile uniqueId (#12449)
- provider/aws: Only send iops when creating io1 devices (#12392)
- provider/aws: Fix spurious aws_spot_fleet_request diffs (#12437)
- provider/aws: Changing volumes in ECS task definition should force new revision (#11403)
- provider/aws: Ignore whitespace in json diff for aws_dms_replication_task options (#12380)
- provider/aws: Check spot instance is running before trying to attach volumes (#12459)
- provider/aws: Add the IPV6 cidr block to the vpc datasource (#12529)
- provider/aws: Error on trying to recreate an existing customer gateway (#12501)
- provider/aws: Prevent aws_dms_replication_task panic (#12539)
- provider/aws: output the task definition name when errors occur during refresh (#12609)
- provider/aws: Refresh iam saml provider from state on 404 (#12602)
- provider/aws: Add address, port, hosted_zone_id and endpoint for aws_db_instance datasource (#12623)
- provider/aws: Allow recreation of aws_opsworks_user_profile when the user_arn is changed (#12595)
- provider/aws: Guard clause to prevent panic on ELB connectionSettings (#12685)
- provider/azurerm: bug fix to prevent crashes during azurerm_container_service provisioning (#12516)
- provider/cobbler: Fix Profile Repos (#12452)
- provider/datadog: Update to datadog_monitor to use default values (#12497)
- provider/datadog: Default notify_no_data on datadog_monitor to false (#11903)
- provider/google: Correct the incorrect instance group manager URL returned from GKE (#4336)
- provider/google: Fix a plan/apply cycle in IAM policies (#12387)
- provider/google: Fix a plan/apply cycle in forwarding rules when only a single port is specified (#12662)
- provider/google: Minor correction : "Deleting disk" message in Delete method (#12521)
- provider/mysql: Avoid crash on un-interpolated provider cfg (#12391)
- provider/ns1: Fix incorrect schema (causing crash) for 'ns1_user.notify' (#12721)
- provider/openstack: Handle cases where volumes are disabled (#12374)
- provider/openstack: Toggle Creation of Default Security Group Rules (#12119)
- provider/openstack: Change Port fixed_ip to a Set (#12613)
- provider/openstack: Add network_id to Network data source (#12615)
- provider/openstack: Check for ErrDefault500 when creating/deleting pool member (#12664)
- provider/rancher: Apply the set value for finish_upgrade to set to prevent recurring plans (#12545)
- provider/scaleway: work around API concurrency issue (#12707)
- provider/statuscake: use default status code list when updating test (#12375)
This only includes changes from 0.9.0-beta2 to 0.9.0 final. The section above has the complete 0.8.x to 0.9.0 CHANGELOG.
FEATURES:
- New Provider: Circonus (#12578)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/aws: aws_codebuild_project renamed timeout to build_timeout (#12503)
- provider/azurerm: azurerm_virtual_machine and azurerm_virtual_machine_scale_set now store hash of custom_data not all custom_data (#12214)
- provider/google: compute_instance, compute_instance_template, and compute_disk all have a subtly changed logic when specifying an image family as the image; in 0.8.x they would pin to the latest image in the family when the resource is created; in 0.9.x they pass the family to the API and use its behaviour. New input formats are also supported. (#12223)
- provider/google: removed the unused and deprecated region field from google_compute_backend_service (#12663)
- provider/google: removed the deprecated account_file field for the Google Cloud provider (#12668)
- provider/google: removed the deprecated fields from google_project (#12659)
IMPROVEMENTS:
- provider/azurerm: store only hash of azurerm_virtual_machine and azurerm_virtual_machine_scale_set custom_data - reduces size of state (#12214)
- report all errors encountered during config validation (#12383)
BUG FIXES:
- provider/google: Correct the incorrect instance group manager URL returned from GKE (#4336)
- provider/google: Fix a plan/apply cycle in IAM policies (#12387)
- provider/google: Fix a plan/apply cycle in forwarding rules when only a single port is specified (#12662)
BACKWARDS INCOMPATIBILITIES / NOTES:
- provider/azurerm: scale_sets os_profile_master_password now marked as sensitive
- provider/azurerm: sql_server administrator_login_password now marked as sensitive
- provider/google: storage buckets have been updated with the new storage classes. The old classes will continue working as before, but should be migrated as soon as possible, as there's no guarantee they'll continue working forever. (#12044)
- provider/dnsimple: Provider has been upgraded to APIv2 therefore, you will need to use the APIv2 auth token
FEATURES:
- State Environments: You can now create named "environments" for states. This allows you to manage distinct infrastructure resources from the same configuration.
- helper/schema: Added Timeouts to allow Provider/Resource developers to expose configurable timeouts for actions (#12311)
IMPROVEMENTS:
- core: "terraformrc" can contain env var references with $FOO (#11929)
- command: Display resource state ID in refresh/plan/destroy output (#12261)
- provider/aws: AWS Lambda DeadLetterConfig support (#12188)
- provider/azurerm: Mark the azurerm_scale_set machine password as sensitive (#11982)
- provider/azurerm: Mark the azurerm_sql_server admin password as sensitive (#12004)
- provider/dnsimple: Upgrade DNSimple provider to API v2 (#10760)
BUG FIXES:
- core: targeting will remove untargeted providers (#12050)
- core: doing a map lookup in a resource config with a computed set no longer crashes (#12210)
0.9.0-beta1 FIXES:
- core: backends are validated to not contain interpolations (#12067)
- core: fix local state locking on Windows (#12059)
- core: destroy provisioners dependent on module variables work (#12063)
- core: resource destruction happens after dependent resources' destroy provisioners (#12063)
- core: invalid resource attribute interpolation in a destroy provisioner errors (#12063)
- core: legacy backend loading of Consul now works properly (#12320)
- command/init: allow unsetting a backend properly (#11988)
- command/apply: fix crash that could happen with an empty directory (#11989)
- command/refresh: fix crash when no configs were in the pwd (#12178)
- command/{state,taint}: work properly with backend state (#12155)
- providers/terraform: remote state data source works with new backends (#12173)
BACKWARDS INCOMPATIBILITIES / NOTES:
- Once an environment is updated to use the new "remote backend" feature (from a prior remote state), it cannot be used with prior Terraform versions. Remote backends themselves are fully backwards compatible with prior Terraform versions.
- provider/aws: aws_db_instance now defaults to making a final snapshot on delete
- provider/aws: aws_rds_cluster now defaults to making a final snapshot on delete
- provider/aws: aws_redshift_cluster now defaults to making a final snapshot on delete
- provider/aws: Deprecated fields kinesis_endpoint & dynamodb_endpoint were removed. Use kinesis & dynamodb inside the endpoints block instead. (#11778)
- provider/datadog: datadog_monitor now defaults notify_no_data to false as per the datadog API
FEATURES:
- Remote Backends: This is a successor to "remote state" and includes file-based configuration, an improved setup process (just run terraform init), no more local caching of remote state, and more. (#11286)
- Destroy Provisioners: Provisioners can now be configured to run on resource destruction. (#11329)
- State Locking: State will be automatically locked when supported by the backend. Backends supporting locking in this release are Local, S3 (via DynamoDB), and Consul. (#11187)
IMPROVEMENTS:
- core: Data source values can now be used as part of a count calculation. (#11482)
- command: CLI args can be specified via env vars. Specify TF_CLI_ARGS or TF_CLI_ARGS_name (where name is the name of a command) to specify additional CLI args (#11922)
- command/init: previous behavior is retained, but init now also configures the new remote backends as well as downloads modules. It is the single command to initialize a new or existing Terraform configuration.
- provisioners: All provisioners now respond very quickly to interrupts for fast cancellation. (#10934)
- provider/aws: Set aws_db_cluster to snapshot by default (#11668)
- provider/aws: Enable final snapshots for aws_rds_cluster by default (#11694)
- provider/aws: Enable snapshotting by default on aws_redshift_cluster (#11695)
- provider/vault: read vault token from ~/.vault-token as a fallback for the VAULT_TOKEN environment variable. (#11529)
BUG FIXES:
- provider/datadog: Default notify_no_data on datadog_monitor to false (#11903)
For earlier versions, see the changelog as of v0.8.8.