Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
9.0 KiB
1.6.0 (Unreleased)
IMPORTANT NOTES:
-
Conditional GPG Validation Bypass for Default Registry - (#309): A temporary change has been introduced to skip GPG validation under specific conditions. This behavior is tracked under issue #309 and applies as follows:
- Registry Scope: This change only affects provider packages from the default registry.
- Key Availability: GPG validation will be skipped when and only when the provider's GPG keys are not available in the default registry.
- Temporary Measure: This is a stopgap measure until GPG keys for all providers can be populated in the default registry.
While this offers operational flexibility, it does reduce the level of security assurance for affected packages. Users who prioritize security should set the
OPENTOFU_ENFORCE_GPG_VALIDATION
environment variable totrue
to enforce GPG validation of all providers.Future Removal: We intend to remove this feature once all GPG keys are populated in the default registry, reverting to a strict GPG validation process for all providers.
UPGRADE NOTES:
- The
cloud
andremote
backends will no longer default toapp.terraform.io
hostname and will require the hostname to be explicitly specified (#291); - The
login
andlogout
commands will no longer default toapp.terraform.io
hostname and will require the hostname to be explicitly provided as a command-line argument (#291); - prevent future possible incompatibility with states that include unknown
check
block result kinds. (#355);
NEW FEATURES:
-
tofu test
: The previously experimentaltofu test
command has been moved out of experimental. This comes with a significant change in how OpenTofu tests are written and executed.OpenTofu tests are written within
.tftest.hcl
files, controlled by a series ofrun
blocks. Eachrun
block will execute an OpenTofu plan or apply command against the OpenTofu configuration under test and can execute conditions against the resultant plan and state.
ENHANCEMENTS:
- config: OpenTofu can now track some additional detail about values that won't be known until the apply step, such as the range of possible lengths for a collection or whether an unknown value can possibly be null. When this information is available, OpenTofu can potentially generate known results for some operations on unknown values. This doesn't mean that OpenTofu can immediately track that detail in all cases, but the type system now contains the facility for that and so over time we will improve the level of detail generated by built-in functions, language operators, OpenTofu providers, etc. (#33234)
- jsonplan: Added
errored
field to JSON plan output, indicating whether a plan errored. (#33372) - cloud: Remote plans on cloud backends can now be saved using the
-out
flag, referenced in theshow
command, and applied by specifying the plan file name. (#33492) - config: The
import
blockid
field now accepts an expression referencing other values such as resource attributes, as long as the value is a string known at plan time. (#33618) - telemetry: All checkpoint telemetry was removed (#151)
- state: Provider addresses in the statefile referring to registry.terraform.io will be treated as referring to registry.opentofu.org unless the full provider address is specified in the config or
OPENTOFU_STATEFILE_PROVIDER_ADDRESS_TRANSLATION
is set to0
. (#773)
BUG FIXES:
- The upstream dependency that OpenTofu uses for service discovery of OpenTofu-native services such as cloud backend state storage was previously not concurrency-safe, but OpenTofu was treating it as if it was in situations like when a configuration has multiple
terraform_remote_state
blocks all using the "remote" backend. OpenTofu is now using a newer version of that library which updates its internal caches in a concurrency-safe way. (#33364) - Transitive dependencies were lost during apply when the referenced resource expanded into zero instances (#33403)
- OpenTofu will no longer override SSH settings in local git configuration when installing modules. (#33592)
- Handle file-operation errors in
internal/states/statemgr
. (#278) tofu init
: OpenTofu will no longer allow downloading remote modules to invalid paths. (#356)- tofu_remote_state: Fixed a potential unsafe read panic when reading from multiple tofu_remote_state data sources (#357)
- OpenTofu will now attempt to create the configuration directory
~/.terraform.d
on startup. (#442) - Conditionals with an unknown condition and sensitive branch won't crash anymore. (#717)
- Fixed panic when using sensitive inputs for the ID field of an import configuration block (#665)
- Fixes the ability to use KMS key aliases in the S3 backend (#669)
GIT_SSH_COMMAND
environment variable is no longer ignored when downloading modules ([#717](https://github.com/opento- cloud: fixed a bug that would prevent nested symlinks from being dereferenced into the config sent to Cloud (#686)
- cloud: state snapshots could not be disabled when header x-terraform-snapshot-interval is absent (#687)
- Fixed crash during tofu destroy inside module with variable validation (#817)
- S3 backend endpoints without proto:// now default to https:// instead of failing (#821)
- Most S3 compatible remote state backends should now work without checksum errors / 400s by default (#821)
- Logging has been re-added to S3 remote state calls (#821)
S3 BACKEND:
- The S3 backend was upgraded to use the V2 of the AWS SDK for Go (#691)
- Adds support for
shared_config_files
andshared_credentials_files
arguments and deprecates theshared_credentials_file
argument. (#690) - Arguments associated with assuming an IAM role were moved into a nested block -
assume_role
. This deprecates the argumentsrole_arn
,session_name
,external_id
,assume_role_duration_seconds
,assume_role_policy
,assume_role_policy_arns
,assume_role_tags
, andassume_role_transitive_tag_keys
. (#747) - Adds support for the
assume_role_with_web_identity
block. (#689) - Adds support for account whitelisting using the
forbidden_account_ids
andallowed_account_ids
arguments. (#699) - Adds the
custom_ca_bundle
argument. (#689) - Adds support for the
sts_region
argument. (#695) - Adds support for
ec2_metadata_service_endpoint
andec2_metadata_service_endpoint_mode
arguments to enable overriding the EC2 metadata service (IMDS) endpoint. (#693) - Adds support for the
retry_mode
attribute. (#698) - Adds support for the
http_proxy
,insecure
,use_dualstack_endpoint
, anduse_fips_endpoint
attributes. (#694) - Adds support for the
use_path_style
argument and deprecates theforce_path_style
argument. (#783) - Adds support for customizing the AWS API endpoints. (#775)
- Adds support for the
skip_requesting_account_id
attribute. (#774) - Adds support for the
skip_s3_checksum
argument to allow users to disable checksum on S3 uploads for compatibility with non AWS "S3-compatible" APIs. (#778)
Previous Releases
For information on prior major and minor releases, see their changelogs:
None yet