Terraform Enterprise v202302-1 (681)

Last required release: v202207-2 (642)

Known Issues

  1. When you assign a team the manage-workspaces permission through the API the team is also explicitly granted the read-workspaces permission, which provides a subset of the functionality. However, using the API to revoke just the manage-workspace permission does not revoke the read-workspaces permission. This means that existing automation (including the tfe provider) for revoking the manage-workspaces permission will leave the team with the read-workspaces permission, whereas previously the team would be left with no workspace access at the organization level. This will be resolved in upcoming versions of Terraform Enterprise and the tfe provider.

Breaking Changes

  1. The sub claim for workload identity tokens now contains project information. You must update the trust relationship on your cloud provider to expect project information in this claim.

Deprecations and End of Support

The following operating systems are no longer supported:

  • Debian 8, 9
  • Ubuntu 14.04, 16.04
  • Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03

The following PostgreSQL server versions are no longer supported:

  • 11

Terraform Build Workers are deprecated and will be removed in Terraform Enterprise v202305-1. The base image responsible for executing Terraform runs is now hashicorp/tfc-agent. If you are using an alternative worker image, you must migrate to a new image using hashicorp/tfc-agent as its base image before Terraform Enterprise v202305-1. If you are not using an alternative worker image then you will automatically migrate to the new base image and no futher action is required. For more information, refer to the Custom Agent Image migration guide.


  1. Three components of the run pipeline, tfe-build-worker, tfe-build-manager, and tfe-rabbitmq, have been replaced with tfe-task-worker, a local implementation of tfc-agent. If you are using an alternative worker image, you will need to migrate to a new image before enabling the new run pipeline. If you are not using an alternative worker image then you will automatically migrate to the new run pipeline. The new run pipeline can be manually enabled by setting the run_pipeline_mode configuration setting to agent or disabled by setting the run_pipeline_mode configuration setting to legacy. Monitoring integrations may need to be updated if you are monitoring tfe-build-worker, tfe-build-manager, or tfe-rabbitmq.
  2. Workspaces can now be grouped into projects. Projects help users organize and centrally manage their workspaces at scale while providing more granular permissions to a subset of workspaces. Each project has a separate permissions set that you can use to grant teams access to all workspaces in the project. This blog post covers projects in more detail.
  3. The GitHub App Integration is now available for Terraform Enterprise. Connect your Workspaces, Policy Sets, & Registry Modules without creating an Organization OAuth Client. Requires site-admin access to setup.
  4. Red Hat Enterprise Linux 8.7 is now supported.
  5. Docker Engine 23.0 is now supported.


  1. Sentinel Policy Checks now run Sentinel 0.19.5, introducing support for static imports, allowing supporting data to be imported into a policy.
  2. Organization owners can now assign teams read access to workspaces and projects within a particular organization.
  3. Added Terraform versions 1.3.8 and 1.4.0-beta1.
  4. Structured run output is enabled for CLI-driven workspaces when using Terraform CLI version 1.4.0-beta1 or later.
  5. The VCS Events page is now available for Terraform Enterprise. The page displays VCS-related messages such as when processing fails due to a duplicate webhook.


  1. tfe-admin support-bundle will now upload support bundles to object storage for both external services and active/active installations.
  2. The name of the VCS repository is now included in 400 request errors when an error occurs while creating a VCS workspace.
  3. When a webhook is received that contains the same commit SHA of a previously processed webhook that created a non-speculative run, it will no longer be processed and a message will be logged to the VCS Events page.

Bug Fixes

  1. Previously, a bug was introduced which changed the flash message design. The design bug is now fixed.
  2. The sidebar items of the workspace overview page are now displayed with proper height when the workspace has a long README.
  3. The workspace overview page now displays its sidebar component visibly in small screens.
  4. Terraform plans no longer error when generating Sentinel mock files.


  1. The endpoint used for confirming a user’s email address now has a tighter rate limit to reduce risk of email spam attacks.
  2. The endpoint used for sending “Forgot Password” emails now has a rate limit to reduce risk of email spam attacks.