Terraform Enterprise v202312-1 (745)

This is a required release: v202312-1 (745)

Flexible Deployment Options terraform-enterprise container manifest: amd64/linux sha256:dc2331d574af4bd40facdb8b35f735354292164b


  1. You can now designate variable sets as a priority, marking all variables within the set as a priority. Priority variables overwrite any variables with the same key set at more specific scopes in the applied workspaces.


  1. Terraform Enterprise now supports saving plans and applying them later, with the standard terraform plan -out <FILE> and terraform apply <FILE> commands. This feature requires Terraform CLI v1.6.0 or newer. You can also create saved plan runs in the API with the save-plan run attribute.
  2. The configuration versions API now includes a new provisional attribute. Provisional configurations delay becoming the configuration version for their workspace upon creation. Instead, provisional configurations only become current after you apply a run using that configuration. Use this attribute when creating save-plan runs via the API.
  3. Workload identity tokens now work natively with the Kubernetes and Helm providers.


  1. We have improved screen reader usability for the variable sets page.
  2. You can now configure auto-destroy runs to remove resources managed by a workspace after a period of workspace inactivity.
  3. When performing a request to the /account/details API with an authentication token, you can now follow the authenticated-resource relationship to access the underlying token holder.

Bug Fixes

  1. Policy evaluations (i.e. native OPA support) will now be able to once again run on remote agents after a regression was introduced in v202309-1.
  2. When a proxy is configured, it will be properly used during all jobs. Previously, in some situations, the proxy was not properly recognized and could lead to failures when accessing modules.
  3. Custom S3 endpoints will now work properly in all configurations.
  4. Project and registry module names could previously contain a newline as the final character due to an incorrect validation.
  5. tfe-task-worker will now properly recycle connections to the host Docker socket.
  6. Fixed a bug which cached administrative settings incorrectly: leading to the settings changes not applying until instance restart.
  7. Deleting an organization will no longer fail when that organization has a default agent pool
  8. Previously specifying multiple configurations for Vault-backed AWS or Vault-backed GCP authentication would return errors related to invalid auth types being specified in certain situations when the auth type specified was actually valid. This has been fixed and these errors should no longer be thrown when a valid auth type is specified.
  9. An organization could fail to delete if an API token had been generated for that organization’s owners team. Users should now be able to delete these organizations successfully.
  10. The workspace count is properly outputted from the tfe-admin license-info now.
  11. We fixed an issue with a small number of assessments triggering “create” operations that would cause assessments to fail unnecessarily.


  1. The version of Ruby used has been upgraded to 3.1.4
  2. Container and binary updates address reported vulnerabilities (CVEs) in underlying base images, packages, and dependencies.