Terraform Enterprise v202301-1 (675)

Last required release: v202207-2 (642)


  • The following operating systems are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
    • Debian 8, 9
    • Ubuntu 14.04, 16.04
    • Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
  • The following PostgreSQL server versions are deprecated, and Terraform Enterprise will stop supporting them following the February 2023 release (v202302-1).
    • PostgreSQL 11
  • Terraform Build Workers are deprecated and will be removed in v202305-1; the base image responsible for executing Terraform runs is changing to tfc-agent. If you are using an alternative worker image, you must migrate to a new image using the tfc-agent base image before v20. If you are not using an alternative worker image no action is required, you will automatically migrate to the new base image in v202302-1 or higher. For more information, refer to the Custom Agent Image migration guide for more information.

Breaking Changes

  1. The “Manage Policies” Organization Permission has been modified to remove excessive access to resources. This is a breaking change as Policy Managers may now require additional permission to perform tasks. As per the API Stability Policy, backwards incompatible changes may be necessary to protect your security. The following permissions changes have been made:
  • Policy Managers will no longer be able to read State Versions.
  • Policy Managers will no longer be able to read State Version Outputs.
  • Policy Managers will no longer be able to read Assessments and Assessment Results.
  • Policy Managers will no longer be able to read variables and variable sets which are not Policy Set parameters.
  • Policy Managers will no longer be able to create Workspace Comments.
  • Policy Managers will no longer be able to read Workspace Resources.
  • Policy Managers will no longer be able to read Run Triggers.
  • Policy Managers will no longer be able to list Configuration Versions.
  • Policy Managers will no longer be able to read Workspace Notification Configurations.
  • Policy Managers will be able to read OAuth Client and OAuth Tokens. Without this change, policy managers cannot add VCS backed Policy Sets.
  • Policy Managers be able to list runs in a workspace.


  1. You can now share providers in your private registries across many organizations, just like you can for modules. Choose if you want to share all modules and providers, only modules, or only providers. No more publishing and republishing providers in separate organizations.
  2. New workspace state feature allows rollback to an older version of state. This can be used to fall back to a known good version of state following an event such as an unfinished upgrade or unwanted state manipulation. The operation does not remove prior states and does not change underlying infrastructure.


  1. Terraform Enterprise will show a summary of the resources to be created, modified, and destroyed near the prompt to apply or discard a run. It highlights failed policy checks, destroyed resources, or failed run tasks more prominently, so users have better visibility into whether they are applying a potentially dangerous plan.
  2. The organization access permissions are now more consistently formatted and have clearer permission subheadings.
  3. Rare instances of workspaces failing to delete now have more informative logging.
  4. The private registery will now validate providers are supported by the Terraform SDK. supported by Golang.
  5. Workspace API responses now include a self-html link, which is a browsable URL for the workspace.
  6. The private registry will no longer accept identifiers for prerelease versions of modules or providers that do not conform to the SemVer standard. Attempts to publish a version with an invalid prerelease version identifier (e.g. or 1.2.3-beta!) will now fail.
  7. Diagnostics results view for Structured Run Output can now be collapsed.
  8. Outputs view, available upon a successful apply in the workspaces, set to Structured Run Output mode, is shown expanded by default, instead of being in a collapsed state.

Bug Fixes

  1. Database schemas are now created every time the application is started, fixing an issue where the task_worker schema was missing upon upgrade.
  2. Sentinel policy runs no longer fail with the error exec: "getent": executable file not found in $PATH.
  3. The tfe-admin support-bundle command no longer fails uploading support bundles to Google Cloud Storage.
  4. Attempts to update a user’s email to an invalid value will now be rejected when the update it attempted, not during confirmation of the new email
  5. Old workspaces which have undergone a destroy run before Oct 3, 2023 may now be safe-deleted
  6. Provider binary’s name is now validated at the time of publishing, fixing an issue where a provider could be made unusable if the filename contained invalid characters.
  7. Sentinel will no longer assume that unknown values are boolean, fixing an issue for some Terraform plan variations.
  8. Fixed an 500 response error on the teams/organization-memberships endpoint when trying to delete a member whose user record could not be found.
  9. For modules or providers with prerelease versions (e.g. v1.2.3-preview-2), the registry’s internal sorting was sometimes incorrect. This could result in the wrong version being presented as the “latest” version in some API responses. As new versions of a module or provider are added to the database, they will now be resorted correctly.
  10. State version output type validations no longer cause exceptions due to optional attribute bugs in Terraform.
  11. State version parser service omits detailed type information in callback responses for V1-V3 statefiles since detailed types are V4 statefile specific. This prevents validation exceptions in TFC when state version outputs are processed and stored.
  12. When creating multiple workspaces simultaneously with the same tags, each workspace will be created successfully with respective tags attached to it, instead of sometimes returning a 404 Not Found error.
  13. Prevent VCS runs from being triggered on discarded workspaces.


  1. Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.