Terraform Enterprise 1.2.0 is available

The Terraform Enterprise team would like to announce the release 1.2.0 is now available.

Some key highlights and important bits from the release notes:

Known Issues

1. (Updated 12 Feb 2026) Explorer is GA as of 1.2.0. Explorer is incorrectly identified as a beta feature in the navigation sidebar and page header.

Deprecations

1. The following Terraform Enterprise admin CLI subcommands are deprecated. HashiCorp plans to remove these commands in the next major release:

• tfectl db last-applied-migration

• tfectl db backup

• tfectl db reindex

• tfectl db restore

• tfectl app status

1. The /_health_check endpoint has been replaced with a readiness endpoint /api/v1/health/readiness and a diagnostics endpoint /api/v1/diagnostics. IBM plans to remove the health check endpoint in the next major release.

2. Removing the ‘opa-latest-deprecation’ feature flag. This will deprecate the ‘latest’ tag for the OPA version policy set.

Highlights

1. Explorer is now generally available for Terraform Enterprise. Run the backfill process to populate the Explorer database. For Terraform Enterprise installations that use external agents, the agents must be based on tfc-agent:1.26 or greater. Otherwise, the Explorer backfill process will fail. For more information about the Explorer and the backfill process, refer to Enable Explorer on Terraform Enterprise. For information about Explorer API endpoints, refer to the API documentation. For information about using Explorer, refer to the workspaces documentation.

2. Terraform Enterprise now includes the following health check endpoints:

   • /api/v1/health/readiness is a lightweight endpoint for load balancer integration.

   • /api/v1/diagnostics provides detailed component status for faster root cause analysis during troubleshooting. This endpoint requires authentication. You can trigger both endpoints by either calling the API or by running the tfectl app health readiness and tfectl app diagnostics CLI commands.

3. Terraform actions is now generally available for Terraform Enterprise. Actions introduce a way to codify and automate Day 2 infrastructure operations by triggering third-party tools outside of Terraform. Built directly into Terraform providers, actions provide preset operations that extend Terraform’s automation capabilities for common Day 2 tasks. These actions can be invoked before or after a resource’s lifecycle events, such as create or update, or ad hoc via the CLI terraform apply -invoke command. By codifying more Day 2 operations, organizations can reduce operational costs and accelerate delivery by automating previously manual, error-prone tasks. Actions provide two major benefits for Terraform users:

   • Unified Day 2 management: Module authors can define Day 2 infrastructure operations in code alongside the rest of their infrastructure — offering a clear association between Day 2 actions and managed resources — and optionally invoke the operations with lifecycle triggers.

   • Native workflow: By bringing more Day 2 infrastructure operations within Terraform, users can extend its utility by unifying more operations in one control plane. This ensures consistency and brings teams closer to having a single source of truth for all infrastructure.

   With general availability, Terraform Enterprise users can now see actions in run output, either directly invoked or triggered by resource operations. This gives users visibility into all the actions that were triggered by creating or updating resources. Also, if anyone runs terraform apply -invoke directly, it will show up as its own entry in the run output.

4. You can now discover resources faster using the new Search & Import experience in Terraform Enterprise. With a new query construct and visual results directly in your workspace, it’s easier to explore infrastructure, understand what’s managed, and confidently decide what to import.

Features

1. Users can now configure Microsoft Exchange SMTP using OAuth 2.0.

2. Module test runs now support OIDC-based dynamic credentials, eliminating the need for static cloud provider credentials. You can configure OpenID Connect trust relationships with AWS, Azure, GCP, and Vault to generate short-lived, automatically rotating tokens for each test run. Refer to Use dynamic credentials with module testing for configuration details, and the Test Configuration API for programmatic management.

Improvements

1. User tokens can no longer be used to disable user tokens on an organization, to prevent clients from locking themselves out

2. Adds a warning message to the email notifications that are sent when a run fails or is cancelled, telling the user that this will prevent health assessments from being made until the problem is fixed.

3. The organization users page now loads more efficiently when navigating between pages or searching for users. Previously, when viewing users who belonged to many teams, the page could generate excessive API requests that resulted in performance degradation in Terraform Enterprise. This issue was particularly noticeable in organizations with large numbers of teams and users.

4. Refreshing Explorer for an organization is now faster and has a greatly reduced burden on Sidekiq. Previously, refreshing Explorer had the potential to create a high volume of Sidekiq jobs, which could put pressure on infrastructure and take time to sync.

5. Fixed tooltip info icons in Add variable modal to meet WCAG 2.1 Level AAA accessibility standards (24x24px minimum interactive area).

6. Introducing support for more optimised Opa-Wrapper binary(Hashicorp vended).

7. Workspace overview now shows when the current state version is being processed for the latest resources. It now includes a processing or timeout state instead of always “Current as of most recent state version”

8. Workspace resources overview now supports very large state files or very large numbers of resources. Users who observed “resources-processed” remaining false on a state version after uploading it due to database timeouts or memory exhaustion should now see this status eventually resolve and workspace resources updated.

9. Workspace Overview UI now loads faster when a great many outputs are present

10. Site admins can now filter VCS Events based on event type and even view the list of workspaces affected, which helps customers troubleshoot VCS problems independently

Bug Fixes

1. Variable sets now maintain proper inheritance during no-code module upgrades. Previously, variables from variable sets were duplicated as workspace variables during upgrades, overriding the inherited values.

2. Fix bug where API for explorer CSV download returned an error after atlas startup.

3. Fix bug in explorer filters, the “is empty” and “is not empty” conditions now work properly when the column value is an empty string.

4. Fixed problem with azure cost-estimation when two or more items have the same SKU prefix, as commonly happens when a new version is available.

5. Fixed problem with AWS cost-estimation when two or more items are in the same product family; separately fixed logic for macOS instances

6. No-code workspace version updates now include additional validation steps to prevent stale no-code version upgrade runs from changing the workspace’s no-code module version to one that no longer applies. Previously, if a workspace was upgraded by another run or a newer module version was published after the upgrade run was created, applying the stale run could cause the workspace to be updated to an outdated version. Stale no-code version upgrade runs now return a 409 Conflict error with a message explaining why the upgrade cannot be applied.

7. No-code workspace upgrades now don’t bypass a failed plan before completing the upgrade. Previously, a bug allowed upgrades to proceed even when the plan had failed or was canceled. This has been resolved, and upgrades now return an error if the plan has not completed successfully, preventing the no-code workspace version update.

8. No-code module versions can no longer be deleted while no-code provisioned workspaces are still using them. Previously, deleting a registry module version could cause linked no-code workspaces to lose their connection to the no-code module, leaving them in a broken state. Attempting to delete a no-code module version with linked workspaces now returns an error, and users must first upgrade or unlink those workspaces.

9. Customers using S3‑compatible storage that does not support SHA‑256 validation can configure the system to use MD5 validation instead. Support for this fallback depends on the storage provider and may not function in all environments.

10. the button to Create a team token is now always shown unless the user is impersonating

11. Update project header icon to use file-text instead of dashboard

12. Add Terraform brand color to project header IconTile

13. Organizations in TFE can now correctly set assessments_enforced field during creation, ensuring the values are applied as expected.

14. Improved the search experience in the Projects list view so the search bar remains fully visible while results load. Previously, the search input could appear clipped as results refreshed. Users can now review and edit their search terms without the input field being cut off.

15. Users can now clear selections in the Variable Set Scope selector without errors for Global Varsets. Previously, clicking ‘Clear selected’ triggered an undefined error in the console. The selector now resets reliably for a smoother filtering experience.

16. Fixed inconsistent VCS commit status types by basing passing statuses on workspace policy execution mode, ensuring consistent ‘sentinel’ and ‘policy’ status reporting for both triggered and untriggered runs in version‑managed Terraform execution workspaces.

17. Remove twice encoding of tags

18. Fixed pending runs not showing inherited agent pools, ensuring accurate pool resolution across all levels

Security

1. Security vulnerabilities have been addressed and resolved in this update to enhance overall system protection.

To review the full release note, please visit here. As always, please contact support with any issues, and your account team with any feedback or feature requests.