Skip to content

Latest commit

 

History

History
78 lines (60 loc) · 9.05 KB

CHANGELOG.md

File metadata and controls

78 lines (60 loc) · 9.05 KB
Raw

1.6.0 (Unreleased)

IMPORTANT NOTES:

  • Conditional GPG Validation Bypass for Default Registry - (#309): A temporary change has been introduced to skip GPG validation under specific conditions. This behavior is tracked under issue #309 and applies as follows:

    • Registry Scope: This change only affects provider packages from the default registry.
    • Key Availability: GPG validation will be skipped when and only when the provider's GPG keys are not available in the default registry.
    • Temporary Measure: This is a stopgap measure until GPG keys for all providers can be populated in the default registry.

    While this offers operational flexibility, it does reduce the level of security assurance for affected packages. Users who prioritize security should set the OPENTOFU_ENFORCE_GPG_VALIDATION environment variable to true to enforce GPG validation of all providers.

    Future Removal: We intend to remove this feature once all GPG keys are populated in the default registry, reverting to a strict GPG validation process for all providers.

UPGRADE NOTES:

  • The cloud and remote backends will no longer default to app.terraform.io hostname and will require the hostname to be explicitly specified (#291);
  • The login and logout commands will no longer default to app.terraform.io hostname and will require the hostname to be explicitly provided as a command-line argument (#291);
  • prevent future possible incompatibility with states that include unknown check block result kinds. (#355);

NEW FEATURES:

  • tofu test: The previously experimental tofu test command has been moved out of experimental. This comes with a significant change in how OpenTofu tests are written and executed.

    OpenTofu tests are written within .tftest.hcl files, controlled by a series of run blocks. Each run block will execute an OpenTofu plan or apply command against the OpenTofu configuration under test and can execute conditions against the resultant plan and state.

ENHANCEMENTS:

  • config: OpenTofu can now track some additional detail about values that won't be known until the apply step, such as the range of possible lengths for a collection or whether an unknown value can possibly be null. When this information is available, OpenTofu can potentially generate known results for some operations on unknown values. This doesn't mean that OpenTofu can immediately track that detail in all cases, but the type system now contains the facility for that and so over time we will improve the level of detail generated by built-in functions, language operators, OpenTofu providers, etc. (#33234)
  • jsonplan: Added errored field to JSON plan output, indicating whether a plan errored. (#33372)
  • cloud: Remote plans on cloud backends can now be saved using the -out flag, referenced in the show command, and applied by specifying the plan file name. (#33492)
  • config: The import block id field now accepts an expression referencing other values such as resource attributes, as long as the value is a string known at plan time. (#33618)
  • telemetry: All checkpoint telemetry was removed (#151)
  • state: Provider addresses in the statefile referring to registry.terraform.io will be treated as referring to registry.opentofu.org unless the full provider address is specified in the config or OPENTOFU_STATEFILE_PROVIDER_ADDRESS_TRANSLATION is set to 0. (#773)

BUG FIXES:

  • The upstream dependency that OpenTofu uses for service discovery of OpenTofu-native services such as cloud backend state storage was previously not concurrency-safe, but OpenTofu was treating it as if it was in situations like when a configuration has multiple terraform_remote_state blocks all using the "remote" backend. OpenTofu is now using a newer version of that library which updates its internal caches in a concurrency-safe way. (#33364)
  • Transitive dependencies were lost during apply when the referenced resource expanded into zero instances (#33403)
  • OpenTofu will no longer override SSH settings in local git configuration when installing modules. (#33592)
  • Handle file-operation errors in internal/states/statemgr. (#278)
  • tofu init: OpenTofu will no longer allow downloading remote modules to invalid paths. (#356)
  • tofu_remote_state: Fixed a potential unsafe read panic when reading from multiple tofu_remote_state data sources (#357)
  • OpenTofu will now attempt to create the configuration directory ~/.terraform.d on startup. (#442)
  • Conditionals with an unknown condition and sensitive branch won't crash anymore. (#717)
  • Fixed panic when using sensitive inputs for the ID field of an import configuration block (#665)
  • Fixes the ability to use KMS key aliases in the S3 backend (#669)
  • GIT_SSH_COMMAND environment variable is no longer ignored when downloading modules ([#717](https://github.com/opento
  • cloud: fixed a bug that would prevent nested symlinks from being dereferenced into the config sent to Cloud (#686)
  • cloud: state snapshots could not be disabled when header x-terraform-snapshot-interval is absent (#687)
  • Fixed crash during tofu destroy inside module with variable validation (#817)

S3 BACKEND:

  • The S3 backend was upgraded to use the V2 of the AWS SDK for Go (#691)
  • Adds support for shared_config_files and shared_credentials_files arguments and deprecates the shared_credentials_file argument. (#690)
  • Arguments associated with assuming an IAM role were moved into a nested block - assume_role. This deprecates the arguments role_arn, session_name, external_id, assume_role_duration_seconds, assume_role_policy, assume_role_policy_arns, assume_role_tags, and assume_role_transitive_tag_keys. (#747)
  • Adds support for the assume_role_with_web_identity block. (#689)
  • Adds support for account whitelisting using the forbidden_account_ids and allowed_account_ids arguments. (#699)
  • Adds the custom_ca_bundle argument. (#689)
  • Adds support for the sts_region argument. (#695)
  • Adds support for ec2_metadata_service_endpoint and ec2_metadata_service_endpoint_mode arguments to enable overriding the EC2 metadata service (IMDS) endpoint. (#693)
  • Adds support for the retry_mode attribute. (#698)
  • Adds support for the http_proxy, insecure, use_dualstack_endpoint, and use_fips_endpoint attributes. (#694)
  • Adds support for the use_path_style argument and deprecates the force_path_style argument. (#783)
  • Adds support for customizing the AWS API endpoints. (#775)
  • Adds support for the skip_requesting_account_id attribute. (#774)
  • Adds support for the skip_s3_checksum argument to allow users to disable checksum on S3 uploads for compatibility with non AWS "S3-compatible" APIs. (#778)
  • tofu init: Fixed subsequent runs for s3 backend (#820).
  • S3 backend endpoints without proto:// default to https:// instead of failing (#821)
  • Most S3 compatible remote state backends should now work without checksum errors / 400s (#821)
  • Logging has been re-added to S3 remote state calls (#821)

Previous Releases

For information on prior major and minor releases, see their changelogs:

None yet