ENHANCEMENTS:

• config: New built-in functions try and can are intended to ease working with data structures whose shape isn't known statically. (#23794)
• config: New, optional syntax for required_providers setting in terraform blocks. This is not intended for general use yet but will support upcoming enhancements. [#23843]

BUG FIXES:

• command/show: Fix an issue with show and aliased providers (#23848)
• core: Always clean up empty resources before empty modules (#23822)
• internal/modsdir/manifest: Fix CLI issue with Windows machines (#23865)

EXPERIMENTS:

• This release includes an opt-in experiment for custom validation rules on module variables.

  The feature is not yet finalized and is subject to breaking changes even in minor releases, but we're introducing it here in order to solicit feedback from module developers about which use-cases it is meeting, any use-cases it isn't meeting, and any situations where things feel harder to express than they might be.

  Due to the experimental nature of this feature, we do not recommend using it in "production" modules yet and we require an explicit experimental feature opt-in of variable_validation. Depending on what feedback we receive, the design of this experimental feature may change significantly in future versions without an automatic upgrade path.

ENHANCEMENTS:

• command/init: Cache Terraform Registry metadata responses when handling multiple references to the same module. (#23727)
• command/state-mv: Detect and remove references elsewhere in the state to the source address in a terraform state mv operation. This does not affect any current operations but will cause the resulting state snapshot to be different than before, and a future version of Terraform may make use of this additional precision. (#23791)

BUG FIXES:

• command/init: Fix an issue with via an update to go-getter where modules would fail to download from the registry (#23792)
• command/init: use backend config from state when -backend=false is used during init. (#23802)
• core: Do not evaluate unused config values, which may not be valid during destroy (#23717)
• core: Better error handling for an odd "should never happen" situation regarding the restoration of a deposed instance during a create_before_destroy replace action. While this does not yet fix the situation (it can still happen), it now has a specialized error message to hopefully help gather some more information about the root cause in future reports. (#23718)
• core: Prevent insertion of default providers when resources are removed from the config. (#23696)
• core: Detect and handle dependencies implied by references in a connection block directly within a resource block. (#23663)
• communicator/ssh: Fix deadlock when SSH agent forwarding fails. (#23661)

NOTES:

• cli: Our darwin releases for this version and up will be signed and notarized according to Apple's requirements.

  Prior to this release, MacOS 10.15+ users attempting to run our software reported seeing the error: "'terraform' cannot be opened because the developer cannot be verified." This error affected all MacOS 10.15+ users who downloaded our software directly via web browsers, and was caused by changes to Apple's third-party software requirements.

  Our recommended approach to install and interact with the Terraform CLI can be found here.

  MacOS 10.15+ users should plan to upgrade to 0.12.18+.

UPGRADE NOTES:

• Inside provisioner blocks that have when = destroy set, and inside any connection blocks that are used by such provisioner blocks, it is now deprecated to refer to any objects other than self, count, and each.

  Terraform has historically allowed this but doing so tends to cause downstream problems with dependency cycles or incorrect destroy ordering because it causes the destroy phase of one resource to depend on the existing state of another. Although this is currently only a warning, we strongly suggest seeking alternative approaches for existing configurations that are hitting this warning in order to avoid the risk of later problems should you need to replace or destroy the related resources.

  This deprecation warning will be promoted to an error in a future release.

ENHANCEMENTS:

• provisioners: Warn about the deprecation of non-self references in destroy-time provisioners, both to allow preparation for this later becoming an error and also as an extra hint for the "Cycle" errors that commonly arise when such references are used. (#23559)
• cli: The terraform plan and terraform apply commands (and some others) now accept the additional option -compact-warnings. If set, and if Terraform produces warnings that are not also accompanied by errors, then the warnings will be presented in the output in a compact form that includes only the summary information, thus providing a compromise to avoid warnings overwhelming the output if you are not yet ready to resolve them. (#23632)

BUG FIXES:

• backend/s3: Fix for users with >1000 workspaces (#22963)
• cli: Allow moving indexed resource instances to new addresses that that don't yet exist in state (#23582)
• cli: Improved heuristics for log level filtering with the TF_LOG environment variable, although it is still not 100% reliable for levels other than TRACE due to limitations of Terraform's internal logging infrastructure. Because of that, levels other than TRACE will now cause the logs to begin with a warning about potential filtering inaccuracy. (#23577)
• command/show: Fix panic on show plan (#23581)
• config: Fixed referencing errors generally involving for_each (#23475)
• provisioners: The built-in provisioners (local-exec, remote-exec, file, etc) will no longer fail when the TF_CLI_ARGS environment variable is set. (#17400)

SECURITY NOTES:

• If you are using the Azure remote state backend and you are using a SAS Token for authentication, please refer to the Azure remote state backend security advisory.

  Prior versions of the backend may have transmitted your state to the storage service using cleartext HTTP unless you specifically requested HTTPS when generating your SAS Token. This does not affect any other backends, and does not affect the Azure backend when using other authentication mechanisms.

NEW FEATURES:

• lang/funcs: Add trim* functions

ENHANCEMENTS:

• cli: Terraform will now consolidate many warnings with the same summary text into fewer warning items, in order to avoid excessive amounts of warnings making it hard to read other output from Terraform commands. (#23425)
• core: The upgrade logic for moving from the Terraform 0.11 to the Terraform 0.12 state snapshot format (internally, format version 3 to version 4) will now tolerate and ignore dependencies with invalid addresses, which tend to be left behind when following the terraform 0.11checklist directive to rename resources whose names start with digits prior to upgrading to Terraform 0.12. This should allow upgrading the state for a configuration that in the past had digit-prefixed resource names, once those names have been fixed in the configuration and state using the instructions given by terraform 0.11checklist in Terraform 0.11.14. (#23443)

0.12.16 (November 18, 2019)

BUG FIXES:

• command/0.12upgrade: fix panic when int value is out of range (#23394)
• core: fix cycle between dependencies with create_before_destroy (#23399)
• backend/remote: default .terraformignore paths will now work on Windows (#23311)

BUG FIXES:

• various commands: Fixed errant error "Initialization required. Please see the error message above." (#23383)

  The error was produced on some of Terraform's subcommands (in particular terraform show and terraform output, but possibly others) if a warning was emitted during configuration loading and if a backend block was present. This issue has been present since v0.12.0 for any configuration that produces configuration-related deprecation warnings, but it became more visible in v0.12.14 due to the addition of several more situations that could produce warnings.

UPGRADE NOTES:

• Terraform v0.12.0 included several changes to the Terraform language involving making expressions, type constraints, keywords, and references first-class in the language syntax, removing the need for placing thee items either in quoted strings or in interpolation syntax. Terraform v0.11 required these items to be quoted because the underlying language could not represent them any other way, while Terraform v0.12 expects them to be unquoted in order to improve readability.

  We have been accepting both forms for backward-compatibility with existing configurations and examples since the inititial v0.12.0 release. Having maintained compatibility for both forms for several versions we are now beginning the deprecation cycle for the old usage by having Terraform emit deprecation warnings.

  Terraform will still accept the older forms in spite of these warnings, so no immediate action is required. If your modules are targeting Terraform v0.12.0 and later exclusively, you can silence the warnings by removing the quotes, as directed in the warning message. In a future major version of Terraform, some of these warnings will be elevated to be errors.

  The summary of the warning for these situations will be one of the following:

  • Interpolation-only expressions are deprecated: an expression like "${foo}" should be rewritten as just foo.
  • Quoted type constraints are deprecated: In a variable block, a type constraint "map" should be written as map(string), "list" as list(string), and "string" as just string.
  • Quoted keywords are deprecated: In certain contexts that expect special keywords, such as when in provisioner blocks, the keyword should be unquoted.
  • Quoted references are deprecated: In the depends_on and ignore_changes meta-arguments, quoted references like "aws_instance.foo" should be rewritten without the quotes, e.g. as aws_instance.foo.

  The above changes are made automatically by the upgrade tool for users who are upgrading from Terraform 0.11. These warnings are intended to help those who are using Terraform for the first time at Terraform 0.12 but who may have found examples online that are written for older versions of Terraform, in order to guide towards the modern Terraform style.

• The terraform output command would formerly treat no outputs at all as an error, exiting with a non-zero status. Since it's expected for some root modules to have no outputs, the command now returns with success status zero in this situation, but still returns the error on stderr as a compromise to provide an explanation for why nothing is being shown.

ENHANCEMENTS:

• config: Redundant interpolation syntax for attribute values and legacy (0.11-style) variable type constrants will now emit deprecation warnings. (#23348)
• config: Keywords and references in depends_on, ignore_changes, and in provisioner when and on_failure will now emit deprecation warnings. (#23329)
• command/output: Now treats no defined outputs as a success case rather than an error case, returning exit status zero instead of non-zero. (#23008] [#21136)
• backend/artifactory: Will now honor the HTTP_PROXY and HTTPS_PROXY environment variables when appropriate, to allow sending requests to the Artifactory endpoints via a proxy. (#18629)

BUG FIXES:

• backend/remote: Filter environment variables when loading context for remote backend (#23283)
• command/plan: Previously certain changes to lists would cause the list diff in the plan output to miss items. Now terraform plan will show those items as expected. (#22695)
• command/show: When showing a saved plan file not in JSON mode, use the same presentation as terraform plan itself would've used. (#23292)
• command/force-unlock: Return an explicit error when the local-filesystem lock implementation receives the wrong lock id. Previously it was possible to see either an incorrect error or no error at all in that case. (#23336)
• core: Store absolute instance dependencies in state to allow for proper destroy ordering (#23252)
• core: Ensure tainted status is maintained when a destroy operation fails (#23304)
• config: transpose function will no longer panic when it should produce an empty map as its result. (#23321)
• cli: When running Terraform as a sub-process of itself, we will no longer produce errant prefixes on the console output. While we don't generally recommend using Terraform recursively like this, it was behaving in this strange way due to an implementation detail of how Terraform captures "panic" crashes from the Go runtime, and that subsystem is now updated to avoid that strange behavior. (#23281)
• provisioners: Sanitize output to filter invalid utf8 sequences (#23302)

UPGRADE NOTES:

• Remote backend local-only operations: Previously the remote backend was not correctly handling variables marked as "HCL" in the remote workspace when running local-only operations like terraform import, instead interpreting them as literal strings as described in #23228.

  That behavior is now corrected in this release, but in the unlikely event that an existing remote workspace contains a variable marked as "HCL" whose value is not valid HCL syntax these local-only commands will now fail with a syntax error where previously the value would not have been parsed at all and so an operation not relying on that value may have succeeded in spite of the problem. If you see an error like "Invalid expression for var.example" on local-only commands after upgrading, ensure that the remotely-stored value for the given variable uses correct HCL value syntax.

  This does not affect true remote operations like terraform plan and terraform apply, because the processing of variables for those always happens in the remote system.

BUG FIXES:

• config: Fix regression where self wasn't properly evaluated when using for_each (#23215)
• config: dotfiles are no longer excluded when copying existing modules; previously, any dotfile/dir was excluded in this copy, but this change makes the local copy behavior match go-getter behavior (#22946)
• core: Ensure create_before_destroy ordering is enforced with dependencies between modules (#22937)
• core: Fix some destroy-time cycles due to unnecessary edges in the graph, and remove unused resource nodes (#22976)
• backend/remote: Correctly handle remotely-stored variables that are marked as "HCL" when running local-only operations like terraform import. Previously they would produce a type mismatch error, due to misinterpreting them as literal strings. (#23229)

BUG FIXES:

• backend/remote: Don't do local validation of whether variables are set prior to submitting, because only the remote system knows the full set of configured stored variables and environment variables that might contribute. This avoids erroneous error messages about unset required variables for remote runs when those variables will be set by stored variables in the remote workspace. (#23122)

ENHANCEMENTS:

• backend/s3: Support role_arn in AWS configuration files (#22994)
• backend/remote: Remote backend will now ignore all .terraform/ (exclusive of .terraform/modules) and .git/ directories for uploads during remote plans/applies. You can exclude files from upload to TFC by adding a .terraformignore file to your configuration directory, more details at https://www.terraform.io/docs/backends/types/remote.html (#23105)

BUG FIXES:

• config: Clean up orphan modules in the presence of -target (#21313)
• config: Always evaluate whole resources rather than instances in expressions, so that invalid instance indexes can return a useful error rather than unknown (#22846)
• command/jsonplan: fix bug with missing nested modules planned_values output (#23092)
• command/show: Fix panic when the only resource instance is deposed (#23027)
• commands: When required root module variables are not provided and interactive input is disabled (-input=false), produce a proper "variable not defined" error rather than falling through to an internal assertion failure. (#23040)
• provisioner/puppet: fix bug when connection type was not set in config (#23057)