TFE Release v202207-1 (641 Required)

Data Migration

  1. This release includes a data migration that will strengthen the association between a workspace and its current configuration version. This will improve query performance in many Terraform Enterprise workflows and reduce unnecessary git clone operations by keeping Terraform Enterprise from archiving the latest configuration version. This migration will lengthen the upgrade process. You can expect it to take roughly 1 to 1.5 minutes per 10,000 workspaces.

Highlights

  1. Using the new azure_use_msi and azure_client_id settings, it is now possible to authenticate to Azure Blob Storage with a system-assigned or user-assigned Azure managed identity.
  2. The gcs_credentials setting is now optional. Terraform Enterprise will attempt to authenticate to Google Blob Storage with the attached service account when the gcs_credentials variable is unset.
  3. The PostgreSQL server has been upgraded from PostgreSQL 12 to PostgreSQL 14. This change only affects mounted disk mode. It does not affect external services installations.

Features

  1. When you create a new workspace in the UI from a version control repository, Terraform Enterprise scans its configuration files for Terraform variables and displays any that do not have a default value and are not defined in an existing global variable set. This lets you set values for these variables in preparation for your first Terraform run. If you skip this step, you can still create these variables manually later from within the workspace.
  2. You can now scope agent pools to specific workspaces from the Agent Pool settings page. This will allow you to protect sensitive workspaces by restricting which workspaces can target each agent pool.
  3. The Prometheus metrics endpoint now ships an additional metric tfe_run_current_count, which represents the current count of TFE runs in a given workspace, organization, and status.
  4. Administrators can use Admin Settings to set the maximum number of workspaces for any single organization.
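
The tfe_run_current_count metric from item 3 can drive a simple check for workspaces that are accumulating pending runs. The Python below is an added example, not part of the release notes or of HashiCorp's code; the label names (organization, workspace, status), the threshold and the sample scrape are assumptions constructed for illustration, so compare them with your own metrics output.

```python
import re
from collections import defaultdict

# Constructed sample scrape in Prometheus text format. Label names are
# assumptions; check them against what your installation actually exposes.
SAMPLE = r'''# HELP tfe_run_current_count Current count of TFE runs (constructed)
# TYPE tfe_run_current_count gauge
tfe_run_current_count{organization="acme",workspace="net-prod",status="pending"} 7
tfe_run_current_count{organization="acme",workspace="net-prod",status="applying"} 1
tfe_run_current_count{organization="acme",workspace="app, \"blue\"",status="pending"} 2
tfe_run_current_count{organization="labs",workspace="sandbox",status="planning"} 3
tfe_other_metric{organization="acme"} 99
'''

METRIC = "tfe_run_current_count"
# name{labels} value [timestamp]
LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)(?:\s+-?\d+)?$')
# key="value", where value may contain escaped quotes, backslashes, commas
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def _unescape(value):
    # Prometheus escapes \\, \" and \n inside label values.
    return re.sub(r'\\(.)', lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_runs(text):
    """Return [(labels, value)] for every tfe_run_current_count sample."""
    samples = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != METRIC:
            continue  # comments, blank lines and other metrics
        labels = {k: _unescape(v) for k, v in LABEL.findall(m.group(2))}
        samples.append((labels, float(m.group(3))))
    return samples

def stuck_pending(samples, threshold):
    """Workspaces whose pending-run count is at or above threshold, worst first."""
    hits = [(l.get("organization"), l.get("workspace"), v)
            for l, v in samples
            if l.get("status") == "pending" and v >= threshold]
    return sorted(hits, key=lambda h: -h[2])

def totals_by_status(samples):
    """Sum run counts per (organization, status) across workspaces."""
    out = defaultdict(float)
    for l, v in samples:
        out[(l.get("organization"), l.get("status"))] += v
    return dict(out)

if __name__ == "__main__":
    for org, ws, n in stuck_pending(parse_runs(SAMPLE), threshold=5):
        print(f"ALERT {org}/{ws}: {n:.0f} pending runs")
```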

Improvements

  1. When listing workspaces, you can now use the exclude-tags parameter to exclude workspaces with specific tags.
  2. Any trailing / character will now be trimmed from the External Vault address (extern_vault_addr) to prevent making API requests to incorrect API paths.
  3. API responses to the provider registry may now be shown in a different order than the previous release.

Bug Fixes

  1. Archivist will now return 500 status codes when Vault calls fail and the failure is not a result of user error. Previously, all Vault failures caused Archivist to return 400 status codes.
  2. The edit button for workspace notification configurations now displays correctly instead of appearing as an unstyled link.
  3. Logs no longer contain unhelpful ruby_analytics log messages.
  4. The workspace variables settings page can now display all variable sets applied to a workspace, rather than just the first twenty.
  5. Users may now authenticate via SAML in multiple concurrent sessions. Previously a bug would log out any existing sessions when authenticating via SAML.
  6. Workspaces will no longer occasionally get stuck in a pending state when multiple runs are triggered at the same time.
  7. Long variable keys on a workspace’s variable page used to hide the corresponding sensitive and/or HCL tags. These tags now appear in the UI as expected.
  8. VCS workspaces that end with a trailing / character will correctly render the README.md file if present.
  9. Structured run output will no longer attempt to display a diff for data sources in the plan UI. This prevents a spurious error when data sources are used in a Terraform plan.
  10. Changed ingress logic to avoid displaying unsupported GitHub repositories.
  11. API rate limiting logic was modified to differentiate between the types of token being used for access, reducing reliance on the IP-based fallback rule which was causing problems in some shared environment use cases.

Security

  1. The External Vault policy has been updated to use specific API paths instead of wildcard matching.
  2. The version of the internally-managed Nomad server has been updated to 1.3.1.
  3. Container updates have been adopted, addressing reported vulnerabilities (CVEs) in underlying packages / dependencies.

PostgreSQL Upgrade

The internally-managed PostgreSQL server has been upgraded from PostgreSQL 12 to PostgreSQL 14. This change only affects mounted disk mode. It does not affect external services installations.

The first time a Terraform Enterprise installation is upgraded to v202207-1, a program will be executed that will upgrade the PostgreSQL 12 data to PostgreSQL 14. This program takes a backup of the PostgreSQL data before upgrading. Regardless, operators should back up their Terraform Enterprise data before upgrading to Terraform Enterprise v202207-1.