0.13.4 (September 30, 2020)

UPGRADE NOTES:

• The built-in vendor (third-party) provisioners, which include habitat, puppet, chef, and salt-masterless are now deprecated and will be removed in a future version of Terraform. More information on Discuss.
• Deprecated interpolation-only expressions are detected in more contexts in addition to resources and provider configurations. Module calls, data sources, outputs, and locals are now also covered. Terraform also detects interpolation-only expressions in complex values such as lists and objects. An expression like "${foo}" should be rewritten as just foo. (#27272] [#26334)

BUG FIXES:

• command: Include schemas from required but unused providers in the output of terraform providers schema. This allows development tools such as the Terraform language server to offer autocompletion for the first resource for a given provider. (#26318)
• core: create_before_destroy status is now updated in the state during refresh (#26343)
• core: data sources using depends_on, either directly or through their modules, are no longer are forced to wait until apply by other planned data source reads (#26375)

0.14.0 (Unreleased)

UPGRADE NOTES:

• configs: The version argument inside provider configuration blocks has been documented as deprecated since Terraform 0.12. As of 0.14 it will now also generate an explicit deprecation warning. To avoid the warning, use provider requirements declarations instead. (#26135)

ENHANCEMENTS:

• terraform plan and terraform apply: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)
• cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
• config: Added alltrue function, which returns true if all elements in the given collection are true. This is primarily intended to make it easier to write variable validation conditions which operate on collections. (#25656)
• core: terraform plan no longer uses a separate refresh phase, all resources are updated on-demand during planning (#26270)
• terraform console: Now has distinct rendering of lists, sets, and tuples, and correctly renders objects with null attribute values. (#26189)
• terraform login: Added support for OAuth2 application scopes. (#26239)
• backend/consul: Split state into chunks when outgrowing the limit of the Consul KV store. This allows storing state larger than the Consul 512KB limit. (#25856)

BUG FIXES:

• backend/consul: Fix bug which prevented state locking when path has trailing / (#25842)
• build: fix crash with terraform binary on openBSD [#26249]
• command/clistate: return an error on a state unlock failure [#25729]
• configs: Report an error when provider configuration attributes are incorrectly added to a required_providers object. (#26184)
• core: Errors with data sources reading old data during refresh, failing to refresh, and not appearing to wait on resource dependencies are fixed by updates to the data source lifecycle and the merging of refresh and plan (#26270)
• lang/funcs: fix panic when element() is called with a negative offset (#26079)
• states/remote: fix state push -force to work for all backends (#26190)

0.13.3 (September 16, 2020)

BUG FIXES:

• build: fix crash with terraform binary on openBSD (#26250)
• core: prevent create_before_destroy cycles by not connecting module close nodes to resource instance destroy nodes (#26186)
• core: fix error where plan action changes from CreateThenDelete to DeleteThenCreate (#26192)
• core: fix Cycle when create_before_destroy status wasn't checked from state (#26263)
• core: fix "inconsistent final plan" error when changing the number of referenced resources to 0 (#26264)
• states/remote: fix state push -force to work for all backends (#26190)

0.14.0 (Unreleased)

ENHANCEMENTS:

• cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
• command: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)

BREAKING CHANGES:

• configs: The version argument inside provider configuration blocks is deprecated. Instead, use the required_providers setting. (#26135)

BUG FIXES:

• command/clistate: return an error on a state unlock failure [#25729]
• lang/funcs: fix panic when element() is called with a negative offset (#26079)
• states/remote: fix state push -force to work for all backends (#26190)

0.13.2 (September 02, 2020)

NEW FEATURES:

• Network-based Mirrors for Provider Installation: As an addition to the existing capability of "mirroring" providers into the local filesystem, a network mirror allows publishing copies of providers on an HTTP server and using that as an alternative source for provider packages, for situations where directly accessing the origin registries is impossible or undesirable. (#25999)

ENHANCEMENTS:

• backend/http: add support for configuration by environment variable. (#25439)
• command: Add support for provider redirects to 0.13upgrade. If a provider in the Terraform Registry has moved to a new namespace, the 0.13upgrade subcommand now detects this and follows the redirect where possible. (#26061)
• command: Improve init error diagnostics when encountering what appears to be an in-house provider required by a pre-0.13 state file. Terraform will now display suggested terraform state replace-provider commands which will fix this specific problem. (#26066)

BUG FIXES:

• command: Warn instead of error when the output subcommand with no arguments results in no outputs. This aligns the UI to match the 0 exit code in this situation, which is notable but not necessarily an error. (#26036)
• terraform: Fix crashing bug when reading data sources during plan with blocks backed by objects, not collections (#26028)
• terraform: Fix bug where variables values were asked for twice on the command line and provider input values were asked for but not saved (#26063)

0.13.1 (August 26, 2020)

ENHANCEMENTS:

• config: cidrsubnet and cidrhost now support address extensions of more than 32 bits (#25517)
• cli: The directories that Terraform searches by default for provider plugins can now be symlinks to directories elsewhere. (This applies only to the top-level directory, not to nested directories inside it.) (#25692)
• backend/s3: simplified mock handling and assume role testing (#25903)
• backend/s3: support for appending data to the User-Agent request header with the TF_APPEND_USER_AGENT environment variable (#25903)

BUG FIXES:

• config: Override files containing module blocks can now override the special providers argument. (#25496)
• cli: The state lock will now be unlocked consistently across both the local and remote backends in the terraform console and terraform import commands. [#25454]
• cli: The -target option to terraform plan and terraform apply now correctly handles addresses containing module instance indexes. (#25760)
• cli: terraform state mv can now move the last resource from a module without panicking. (#25523)
• cli: If the output of terraform version contains an outdated version notice, this is now printed after the version number and not before. (#25811)
• command: Prevent creation of workspaces with invalid names via the TF_WORKSPACE environment variable, and allow any existing invalid workspaces to be deleted. (#25262)
• command: Fix error when multiple -no-color flags are set on the command line. (#25847)
• command: Fix backend config override validation, allowing the use of -backend-config override files with the enhanced remote backend. (#25960)
• core: State snapshots now use a consistent ordering for resources that have the same name across different modules. Previously the ordering was undefined. (#25498)
• core: A dynamic block producing an unknown number of blocks will no longer incorrectly produce the error "Provider produced inconsistent final plan" when the block type is backed by a set of objects. (#25662)
• core: Terraform will now silently drop attributes that appear in the state but are not present in the corresponding resource type schema, on the assumption that those attributes existed in a previous version of the provider and have now been removed. (#25779)
• core: The state upgrade logic for handling unqualified provider addresses from Terraform v0.11 and earlier will no longer panic when it encounters references to the built-in terraform provider. (#25861)
• internal: Clean up provider package download temporary files after installing. (#25990)
• terraform: Evaluate module call arguments for terraform import even if defaults are given for input variables (#25890)
• terraform: Fix misleading Terraform required_version constraint diagnostics when multiple required_version settings exist in a single module (#25898)

0.13.0 (August 10, 2020)

This is a list of changes relative to Terraform v0.12.29. To see the
incremental changelogs for the v0.13.0 prereleases, see
the v0.13.0-rc1 changelog.

This section contains details about various changes in the v0.13 major release. If you are upgrading from Terraform v0.12, we recommend first referring to the v0.13 upgrade guide for information on some common concerns during upgrade and guidance on ways to address them. (The final upgrade guide and the documentation for the new features will be published only when v0.13.0 final is released; until then, some links in this section will be non-functional.)

NEW FEATURES:

• count and for_each for modules: Similar to the arguments of the same name in resource and data blocks, these create multiple instances of a module from a single module block. (#24461)

• depends_on for modules: Modules can now use the depends_on argument to ensure that all module resource changes will be applied after any changes to the depends_on targets have been applied. (#25005)

• Automatic installation of third-party providers: Terraform now supports a decentralized namespace for providers, allowing for automatic installation of community providers from third-party namespaces in the public registry and from private registries. (More details will be added about this prior to release.)

• Custom validation rules for input variables: A new validation block type inside variable blocks allows module authors to define validation rules at the public interface into a module, so that errors in the calling configuration can be reported in the caller's context rather than inside the implementation details of the module. (#25054)

• New Kubernetes remote state storage backend: This backend stores state snapshots as Kubernetes secrets. (#19525)

BREAKING CHANGES:

• As part of introducing a new heirarchical namespace for providers, Terraform now requires an explicit source specification for any provider that is not in the "hashicorp" namespace in the main public registry. (#24477)

  For more information, including information on the automatic upgrade process, refer to the v0.13 upgrade guide.

• terraform import: the previously-deprecated -provider option is now removed. (#24090)

  To specify a non-default provider configuration for import, add the provider meta-argument to the target resource block.

• config: Inside provisioner blocks that have when = destroy set, and inside any connection blocks that are used by such provisioner blocks, it is no longer valid to refer to any objects other than self, count, or each. (This was previously deprecated in a v0.12 minor release.) (#24083)

  If you are using null_resource to define provisioners not attached to a real resource, include any values your provisioners need in the triggers map and change the provisioner configuration to refer to those values via self.triggers.

• configs: At most one terraform required_providers block is permitted per module (#24763)

  If you previously had multiple required_providers blocks in the same module, consolidate their requirements together into a single block.

• The official MacOS builds of Terraform CLI are no longer compatible with Mac OS 10.10 Yosemite; Terraform now requires at least Mac OS 10.11 El Capitan.

  Terraform 0.13 is the last major release that will support 10.11 El Capitan, so if you are upgrading your OS we recommend upgrading to Mac OS 10.12 Sierra or later.

• The official FreeBSD builds of Terraform CLI are no longer compatible with FreeBSD 10.x, which has reached end-of-life. Terraform now requires FreeBSD 11.2 or later.

• backend/oss: The TableStore schema now requires a primary key named LockID of type String. (#24149)

• backend/s3: The previously-deprecated lock_table, skip_get_ec2_platforms, and skip_requesting_account_id arguments are now removed. (#25134)

• backend/s3: The credential source preference order now considers EC2 instance profile credentials as lower priority than shared configuration, web identity, and ECS role credentials. (#25134)

• backend/s3: The AWS_METADATA_TIMEOUT environment variable is no longer used. The timeout is now fixed at one second with two retries. (#25134)

NOTES:

• The terraform plan and terraform apply commands will now detect and report changes to root module outputs as needing to be applied even if there are no resource changes in the plan.

  This is an improvement in behavior for most users, since it will now be possible to change output blocks and use terraform apply to apply those changes.

  If you have a configuration where a root module output value is changing for every plan (for example, by referring to an unstable data source), you will need to remove or change that output value in order to allow convergence on an empty plan. Otherwise, each new plan will propose more changes.

• Terraform CLI now supports TLS 1.3 and supports Ed25519 certificates when making outgoing connections to remote TLS servers.

  While both of these changes are backwards compatible in principle, certain legacy TLS server implementations can reportedly encounter problems when attempting to negotiate TLS 1.3. (These changes affects only requests made by Terraform CLI itself, such as to module registries or backends. Provider plugins have separate TLS implementations that will gain these features on a separate release schedule.)

• On Unix systems where use-vc is set in resolv.conf, Terraform will now use TCP for DNS resolution.

  We don't expect this to cause any problem for most users, but if you find you are seeing DNS resolution failures after upgrading please verify that you can either reach your configured nameservers using TCP or that your resolver configuration does not include the use-vc directive.

• The terraform 0.12upgrade command is no longer available. (#24403)

  To upgrade from Terraform v0.11, first upgrade to the latest v0.12 release and then upgrade to v0.13 from there.

ENHANCEMENTS:

• config: templatefile function will now return a helpful error message if a given variable has an invalid name, rather than relying on a syntax error in the template parsing itself. (#24184)
• config: The configuration language now uses Unicode 12.0 character tables for certain Unicode-version-sensitive operations on strings, such as the upper and lower functions. Those working with strings containing new characters introduced since Unicode 9.0 may see small differences in behavior as a result of these table updates.
• config: The new sum function takes a list or set of numbers and returns the sum of all elements. (#24666)
• config: Modules authored by the same vendor as the main provider they use can now pass metadata to the provider to allow for instrumentation and analytics. (#22583)
• cli: The terraform plan and terraform apply commands now recognize changes to root module outputs as side-effects to be approved and applied. This means you can apply root module output changes using the normal plan and apply workflow. (#25047)
• cli: When installing providers from the Terraform Registry, Terraform will verify the trust signature for partner providers, and allow for self-signed community providers. (#24617)
• cli: terraform init will display detailed trust signature information when installing providers from the Terraform Registry and other provider registries. (#24932)
• cli: It is now possible to optionally specify explicitly which installation methods can be used for different providers in the CLI configuration, such as forcing a particular provider to be loaded from a particular directory on local disk instead of consulting its origin provider registry. (#24728)
• cli: The new terraform state replace-provider subcommand allows changing the selected provider for existing resource instances in the Terraform state. (#24523)
• cli: The new terraform providers mirror subcommand can automatically construct or update a local filesystem mirror directory containing the providers required for the current configuration. ([#25084](https://github.com/h...

0.13.0-rc1 (July 22, 2020)

BUG FIXES:

• command/init: Fix confusing error message for locally-installed providers with invalid package structure (#25504)
• core: Prevent outputs from being evaluated during destroy (#25500)
• core: Fix the pruning of temporary values from the root module which will fail to evaluate during destroy (#25543)
• core: Don't create redundant dependency edges between objects in different instances of the same module. (#25599)
• core: Prevent quadratic memory usage with large numbers of instances by not storing the complete resource state in each instance (#25544)
• core: Fix errors and remove cycles when a provider configuration references resources during a full destroy, and fix empty evaluation results when using self references in a destroy provisioner. (#25681)

0.12.29 (July 22, 2020)

BUG FIXES:

• core: core: Prevent quadratic memory usage with large numbers of instances by not storing the complete resource state in each instance (#25633)

0.13.0-beta3 (July 01, 2020)

BUG FIXES:

• backend/azurerm: support for snapshotting the blob used for remote state storage prior to change (#24069)
• backend/remote: Prevent panic when there's a connection error (#25341)
• command: Fix bug with global -v/-version/--version flags introduced in 0.13.0beta2 (#25277)
• command: Fix command test fixture modify-in-place bugs, which could cause state leak between tests (#25299)
• command: Preserve more comments when rerunning 0.13upgrade (#25381)
• command/console: enable use of impure functions in console (for example, bcrypt()) (#25442)
• command/import: Fix -allow-missing-config option (#25352)
• command/init: return an error with invalid -backend-config files (#25411)
• communicator/winrm: Inlcude any user-configured timeout for winrm connection (#25350)
• config: Add missing validation to prevent provider configuration within modules using depends_on (#25345)
• configs: Fix nested provider requirements bug introduced in 0.13.0beta2 (#25334)
• configs: Fix panic when required_providers blocks have non-string attribute values (#25369)
• configs: Fix panic for invalid resource provider (#25408)
• core: Hide empty plans for misbehaving data sources (#25302)
• provider/terraform: Don't change non-computed attribute, which result in a perpetual diff (#25297)
• terraform: Relax import-specific provider configuration constraints, to permit any values that can be evaluated statically (#25420)
• vendor: The merge function will no longer panic if all given maps are empty (#25303)
• vendor: The various set-manipulation functions, like setunion, will no longer panic if given an unknown set value (#25318)

BREAKING CHANGES:

• command/state: exit code 1 if state rm is called on a resource that does not exist (#22300)
• command/login: Require "yes" to confirm, no longer accepting "y" (#25379)