Terraform Enterprise v202308-1 (725)

Last required release: v202207-2 (642)


  1. Terraform Enterprise no longer supports the following PostgreSQL server versions due to a known defect: 14.0, 14.1, 14.2, and 14.3.
  2. In Terraform Enterprise v202309-1 the server services will be consolidated into a single container named terraform-enterprise. This container runs as a non-root user and contains the logs for all server services. Terraform runs will continue to execute in isolated, short-lived containers but will run as a non-root user. A preview of this change is available now using the optional consolidated_services setting. See consolidated services for more information on this change.
  3. When consolidated services mode is enabled in v202309-1 or higher, logs will now appear in json-lines format, and will be prepended with the name of the service that generated the log message. If you are forwarding logs, you may need to update your log forwarding configuration to accommodate the consolidated log file and the json format change. The legacy architecture will remain available until v202312-1, but will be disabled by default. If you need to revert to the legacy architecture in v202309-1 or higher, set consolidated_services = false in your settings.json file. For assistance please contact support.
  4. Docker 19.03 and 20.10 have reached end of life and are no longer supported in Terraform Enterprise.


  1. Added the ability to specify multiple dynamic provider credentials configurations per provider in a workspace. For more information, see specifying multiple configurations.


  1. Improved the load speed of the policy sets page.
  2. Credentials generated in AWS when using Vault-backed dynamic credentials for AWS with the iam_user auth type are eventually consistent, meaning they can take 5-10 seconds (or more) to be valid. This was causing unexpected InvalidClientTokenId errors to be thrown from the AWS provider for some users. You can now specify a number of seconds to wait after requesting Vault-Backed dynamic credentials for AWS before proceeding with your Terraform run, to ensure your new credentials will be ready to use before attempting to authenticate with them.
  3. The time required for Vault to issue Azure credentials is proportional to the number of Azure roles in the account. You can now specify a number of seconds to wait after requesting Vault-Backed dynamic credentials for Azure before proceeding with your Terraform run, to ensure your new credentials will be ready to use.
  4. Increased the timeout on the backup and restore API endpoint, which will prevent most timeout issues when running with large data sets.
  5. Terraform Enterprise has set the rate limit for the workspace runs endpoint (/api/v2/workspaces/…/runs) has been at 30/min.

Bug Fixes

  1. Policy Set and Run Task names no longer update page headings when editing ‘name’ fields.
  2. Fixes a bug that prevented users from updating their organization name when there is only a letter case change.
  3. Users reported seeing duplicate resources in the workspace overview for some workspaces. For those workspaces impacted, the false copies of resources will be removed.
  4. Users had reported seeing errors related to duplicate key value violates unique constraint "index_storage_deletion_requests_on_storage_record" in their log output. This has been resolved and these messages will no longer appear.
  5. Fixed an issue where users could have accidentally made private provider records with os or arch values like ${os[1]}. Then when they attempted to delete those records, the registry request would fail, since the request URL would contain invalid characters.
  6. Limited the number of repositories returned by GitHub App VCS connections to 100, to avoid timeouts that prevented the UI from loading properly when creating a workspace/module. Users with more than 100 repositories will need to use the text field to specify the repository name to connect to, if it is not loaded in the list of repos.
  7. Users can no longer see the option to update a variable in the workspace’s variables page if they don’t have permission to update variables.
  8. Organization list now refreshes after modifying an organization’s name.
  9. Email notifications are no longer sent to suspended users or users outside the organization.


  1. Updated the UI for required permissions for OPA policy set overrides.
  2. Container updates address reported vulnerabilities (CVEs) in underlying packages and dependencies.