Terraform Enterprise v202303-1 (688)

Last required release: v202207-2 (642)

Breaking Changes

  1. Terraform Enterprise’s cookie format has been updated to increase security, and will no longer accept any cookies generated by releases prior to v202011-1. When upgrading from Terraform Enterprise v202010-1 or earlier without logging in to an interim release, any users currently logged in to the application may see a failure to load after upgrade. This failure to load can be solved by clearing the cookies for Terraform Enterprise. This potential issue will not affect users upgrading from versions newer than v202011-1 releases as long as they have been on an intermediate version for more than a month.

Deprecations and End of Support

  1. The following operating systems are no longer supported:
  • Debian 8, 9
  • Ubuntu 14.04, 16.04
  • Amazon Linux 2014.03, 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03
  1. The following PostgreSQL server versions are no longer supported:
  • 11
  1. Terraform Build Workers are deprecated and will be removed in Terraform Enterprise v202305-1. The base image responsible for executing Terraform runs is now hashicorp/tfc-agent. If you are using an alternative worker image you must migrate to a new image, using hashicorp/tfc-agent as the base image before Terraform Enterprise v202305-1. If you are not using an alternative worker image, then you will automatically migrate to the new base image and no futher action is required. For more information, refer to the Custom Agent Image migration guide.


  1. Introducing native Open Policy Agent (OPA) support, which extends the policy as code features of Terraform Enterprise to support the Rego policy language.
  2. You can now use Dynamic Provider Credentials in place of static credentials for the Vault, AzureRM, AzureAD, Google Cloud Platform, and AWS providers. The Dynamic Provider Credentials documentation has more information and prerequisites for usage.
  3. This release contains a data migration for an upcoming variable sets feature. This migration will lengthen the upgrade process. The migration time will vary based on the number of variable sets attached to workspaces. It will add approximately 1 minute per 50,000 workspaces.
  4. Terraform Enterprise now supports Health assessments.
  • Drift detection determines whether your real-world infrastructure matches your Terraform state file. You can enable Drift detection at a workspace level or at an organization level.
  • Terraform Enterprise sends notifications about health assessment results according to your workspace’s settings.


  1. A manage membership permission allows a team to invite users to the organization, and add or remove them from non-owner teams.
  2. Terraform Enterprise users can now manage their GitHub App token within user settings.
  3. You can use the rotate key and trim key admin endpoints to control the OIDC key used to sign Workload Identity and Dynamic Provider Credential tokens.
  4. Terraform Enterprise now uses Sentinel 0.20 for policy checks, bringing improvements to the JSON response and introducing named functions.


  1. The plan diff UI now makes paginated requests to fetch plan log output. This prevents unconstrained memory usage in the object store service for very large plans.
  2. UI workspace variables are now listed alphabetically.
  3. You can now use the Terraform Enterprise API to access authorized GitHub App Installations for the current user. Requires the User API actor to generate a GitHub App user-to-server token in Terraform Enterprise UI prior to use.
  4. UI application icons have been rejuvenated, migrating from a mixture of Font Awesome and Structure to the Flight Icon library, which is part of the Helios Design System.
  5. Resources can now be filtered by action types including, Create, Update, Replace, Delete, Read, and Move using the actions filter on the run page.
  6. The manage-workspaces and manage-projects roles no longer require read-workspaces and read-projects permissions (respectively). Introducing a new UI that makes selecting organization-level project and workspace permissions for teams clearer, by separating Project and Workspace permissions out into their own set of interactive selectors.

Bug Fixes

  1. Terraform runs using the agent run pipeline mode will no longer fail with the error dial unix /var/run/docker.sock: connect: permission denied when SELinux is enforcing.
  2. The agent job dequeuing logic will no longer result in a blocked agent pool and HTTP 500 errors in the tfc-agent logs.
  3. Saving boolean false variable values no longer causes 500 errors. Null and missing values now default to empty string (“”), which was the documented default.
  4. Terraform plan and apply operations that are executed on internal Terraform Cloud Agents in Terraform Enterprise will now function even when the “enable agents” toggle in the site admin panel is disabled.
  5. Terraform runs using the agent run pipeline mode now support the hairpin_addressing setting. When enabled, direct traffic destined for the installation’s FQDN will route toward the instance’s internal IP address.
  6. Changing a Variable Set’s scope from workspace to global will no longer result in an incorrect Variable Sets count on a workspace’s “Variables” page. This was only a visual bug and has been fixed.
  7. The log entry for rotating an OIDC key is now shown at the DEBUG level. Previously, it was set to INFO level.
  8. The Getting Started with state guide now has the correct command terraform apply to copy (it had a - in it previously).
  9. The manage-workspaces permission no longer grants read-projects.


  1. Terraform Enterprise no longer listens on public port 23001.
  2. Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.