Update dependency hashicorp/terraform to v1.3.0

[renovate]

This PR contains the following updates:

Package	Update	Change
hashicorp/terraform	minor	1.0.0 -> 1.3.0

---

Release Notes

hashicorp/terraform

v1.3.0

Compare Source

1.3.0 (September 21, 2022)

NEW FEATURES:

• Optional attributes for object type constraints: When declaring an input variable whose type constraint includes an object type, you can now declare individual attributes as optional, and specify a default value to use if the caller doesn't set it. For example:

  variable "with_optional_attribute" {
    type = object({
      a = string                # a required attribute
      b = optional(string)      # an optional attribute
      c = optional(number, 127) # an optional attribute with a default value
    })
  }

  Assigning { a = "foo" } to this variable will result in the value { a = "foo", b = null, c = 127 }.

• Added functions: startswith and endswith allow you to check whether a given string has a specified prefix or suffix. (#​31220)

UPGRADE NOTES:

• terraform show -json: Output changes now include more detail about the unknown-ness of the planned value. Previously, a planned output would be marked as either fully known or partially unknown, with the after_unknown field having value false or true respectively. Now outputs correctly expose the full structure of unknownness for complex values, allowing consumers of the JSON output format to determine which values in a collection are known only after apply.

• terraform import: The -allow-missing-config has been removed, and at least an empty configuration block must exist to import a resource.

• Consumers of the JSON output format expecting on the after_unknown field to be only false or true should be updated to support the change representation described in the documentation, and as was already used for resource changes. (#​31235)

• AzureRM Backend: This release concludes the deprecation cycle started in Terraform v1.1 for the azurerm backend's support of "ADAL" authentication. This backend now supports only "MSAL" (Microsoft Graph) authentication.

  This follows from Microsoft's own deprecation of Azure AD Graph, and so you must follow the migration instructions presented in that Azure documentation to adopt Microsoft Graph and then change your backend configuration to use MSAL authentication before upgrading to Terraform v1.3.

• When making requests to HTTPS servers, Terraform will now reject invalid handshakes that have duplicate extensions, as required by RFC 5246 section 7.4.1.4 and RFC 8446 section 4.2. This may cause new errors when interacting with existing buggy or misconfigured TLS servers, but should not affect correct servers.

  This only applies to requests made directly by Terraform CLI, such as provider installation and remote state storage. Terraform providers are separate programs which decide their own policy for handling of TLS handshakes.

• The following backends, which were deprecated in v1.2.3, have now been removed: artifactory, etcd, etcdv3, manta, swift. The legacy backend name azure has also been removed, because the current Azure backend is named azurerm. (#​31711)

ENHANCEMENTS:

• config: Optional attributes for object type constraints, as described under new features above. (#​31154)
• config: New built-in function timecmp allows determining the ordering relationship between two timestamps while taking potentially-different UTC offsets into account. (#​31687)
• config: When reporting an error message related to a function call, Terraform will now include contextual information about the signature of the function that was being called, as an aid to understanding why the call might have failed. (#​31299)
• config: When reporting an error or warning message that isn't caused by values being unknown or marked as sensitive, Terraform will no longer mention any values having those characteristics in the contextual information presented alongside the error. Terraform will still return this information for the small subset of error messages that are specifically about unknown values or sensitive values being invalid in certain contexts. (#​31299)
• config: moved blocks can now describe resources moving to and from modules in separate module packages. (#​31556)
• terraform fmt now accepts multiple target paths, allowing formatting of several individual files at once. (#​31687)
• terraform init: provider installation errors now mention which host Terraform was downloading from (#​31524)
• CLI: Terraform will report more explicitly when it is proposing to delete an object due to it having moved to a resource instance that is not currently declared in the configuration. (#​31695)
• CLI: When showing the progress of a remote operation running in Terraform Cloud, Terraform CLI will include information about pre-plan run tasks (#​31617)
• The AzureRM Backend now only supports MSAL (and Microsoft Graph) and no longer makes use of ADAL (and Azure Active Directory Graph) for authentication (#​31070)
• The COS backend now supports global acceleration. (#​31425)
• provider plugin protocol: The Terraform CLI now calls PlanResourceChange for compatible providers when destroying resource instances. (#​31179)
• As an implementation detail of the Terraform Cloud integration, Terraform CLI will now capture and upload the JSON integration format for state along with any newly-recorded state snapshots, which then in turn allows Terraform Cloud to provide that information to API-based external integrations. (#​31698)

BUG FIXES:

• config: Terraform was not previously evaluating preconditions and postconditions during the apply phase for resource instances that didn't have any changes pending, which was incorrect because the outcome of a condition can potentially be affected by changes to other objects in the configuration. Terraform will now always check the conditions for every resource instance included in a plan during the apply phase, even for resource instances that have "no-op" changes. This means that some failures that would previously have been detected only by a subsequent run will now be detected during the same run that caused them, thereby giving the feedback at the appropriate time. (#​31491)
• terraform show -json: Fixed missing markers for unknown values in the encoding of partially unknown tuples and sets. (#​31236)
• terraform output CLI help documentation is now more consistent with web-based documentation. (#​29354)
• terraform init: Error messages now handle the situation where the underlying HTTP client library does not indicate a hostname for a failed request. (#​31542)
• terraform init: Don't panic if a child module contains a resource with a syntactically-invalid resource type name. (#​31573)
• CLI: The representation of destroying already-null output values in a destroy plan will no longer report them as being deleted, which avoids reporting the deletion of an output value that was already absent. (#​31471)
• terraform import: Better handling of resources or modules that use for_each, and situations where data resources are needed to complete the operation. (#​31283)

EXPERIMENTS:

• This release concludes the module_variable_optional_attrs experiment, which started in Terraform v0.14.0. The final design of the optional attributes feature is similar to the experimental form in the previous releases, but with two major differences:

  • The optional function-like modifier for declaring an optional attribute now accepts an optional second argument for specifying a default value to use when the attribute isn't set by the caller. If not specified, the default value is a null value of the appropriate type as before.
  • The built-in defaults function, previously used to meet the use-case of replacing null values with default values, will not graduate to stable and has been removed. Use the second argument of optional inline in your type constraint to declare default values instead.

  If you have any experimental modules that were participating in this experiment, you will need to remove the experiment opt-in and adopt the new syntax for declaring default values in order to migrate your existing module to the stablized version of this feature. If you are writing a shared module for others to use, we recommend declaring that your module requires Terraform v1.3.0 or later to give specific feedback when using the new feature on older Terraform versions, in place of the previous declaration to use the experimental form of this feature:

  terraform {
    required_version = ">= 1.3.0"
  }

v1.2.9

Compare Source

1.2.9 (September 07, 2022)

ENHANCEMENTS:

• terraform init: add link to documentation when a checksum is missing from the lock file. (#​31726)

v1.2.8

Compare Source

1.2.8 (August 24, 2022)

BUG FIXES:

• config: The flatten function will no longer panic if given a null value that has been explicitly converted to or implicitly inferred as having a list, set, or tuple type. Previously Terraform would panic in such a situation because it tried to "flatten" the contents of the null value into the result, which is impossible. (#​31675)
• config: The tolist, toset, and tomap functions, and various automatic conversions that include similar logic, will no longer panic when asked to infer an element type that is convertable from both a tuple type and a list type whose element type is not yet known. (#​31675)

v1.2.7

Compare Source

1.2.7 (August 10, 2022)

ENHANCEMENTS:

• config: Check for direct references to deprecated computed attributes. (#​31576)

BUG FIXES:

• config: Fix an crash if a submodule contains a resource whose implied provider local name contains invalid characters, by adding additional validation rules to turn it into a real error. (#​31573)
• core: Fix some handling of provider schema attributes which use the newer "structural typing" mechanism introduced with protocol version 6, and therefore with the new Terraform Plugin Framework (#​31532)
• command: Add missing output text for applyable refresh plans. (#​31469)

v1.2.6

Compare Source

1.2.6 (July 27, 2022)

ENHANCEMENTS:

• Add a warning and guidance when terraform init fails to fully populate the .terraform.lock.hcl file. (#​31399)
• Add a direct link to the relevant documentation when terraform init fails on missing checksums. (#​31408)

BUG FIXES:

• Fix panic on terraform show when state file is invalid or unavailable. (#​31444)
• Fix terraform providers lock command failing on missing checksums. (#​31389)
• Some combinations of move block operations would be executed in the wrong order (#​31499)
• Don't attribute an error to the provider when a computed attribute is listed in ignore_changes (#​31509)

v1.2.5

Compare Source

1.2.5 (July 13, 2022)

BUG FIXES:

• Report correct error message when a prerelease field is included in the required_version global constraint. (#​31331)
• Fix case when extra blank lines were inserted into the plan for unchanged blocks. (#​31330)

v1.2.4

Compare Source

1.2.4 (June 29, 2022)

ENHANCEMENTS:

• Improved validation of required_providers to prevent single providers from being required with multiple names. (#​31218)
• Improved plan performance by optimizing addrs.Module.String for allocations. (#​31293)

BUG FIXES:

• backend/http: Fixed bug where the HTTP backend would fail to retry acquiring the state lock and ignored the -lock-timeout flag. (#​31256)
• Fix crash if a precondition or postcondition block omitted the required condition argument. (#​31290)

v1.2.3

Compare Source

1.2.3 (June 15, 2022)

UPGRADE NOTES:

• The following remote state backends are now marked as deprecated, and are
  planned to be removed in a future Terraform release. These backends have
  been unmaintained since before Terraform v1.0, and may contain known bugs,
  outdated packages, or security vulnerabilities.
  • artifactory
  • etcd
  • etcdv3
  • manta
  • swift

BUG FIXES:

• Missing check for error diagnostics in GetProviderSchema could result in panic (#​31184)
• Module registries returning X-Terraform-Get locations with no URL would error with "no getter available for X-Terraform-Get source protocol" (#​31237)
• Fix crash from concurrent operation on shared set of resource instance dependencies (#​31246)
• backend/cos: tencentcloud-terraform-lock tag was not removed in all cases (#​31223)

v1.2.2

Compare Source

1.2.2 (June 01, 2022)

ENHANCEMENTS:

• Invalid -var arguments with spaces between the name and value now have an improved error message (#​30985)

BUG FIXES:

• Terraform now hides invalid input values for sensitive root module variables when generating error diagnostics (#​30552)
• Fixed crash on CLI autocomplete (#​31160)
• The "Configuration contains unknown values" error message now includes attribute paths (#​31111)

v1.2.1

Compare Source

1.2.1 (May 23, 2022)

BUG FIXES:

• SSH provisioner connections fail when using signed ed25519 keys (#​31092)
• Crash with invalid module source (#​31060)
• Incorrect "Module is incompatible with count, for_each, and depends_on" error when a provider is nested within a module along with a sub-module using count or for_each (#​31091)

v1.2.0

Compare Source

1.2.0 (May 18, 2022)

UPGRADE NOTES:

• If you use the third-party credentials helper plugin terraform-credentials-env, you should disable it as part of upgrading to Terraform v1.2 because similar functionality is now built in to Terraform itself.

  The new behavior supports the same environment variable naming scheme but has a difference in priority order from the credentials helper: TF_TOKEN_... environment variables will now take priority over credentials blocks in CLI configuration and credentials stored automatically by terraform login, which is not true for credentials provided by any credentials helper plugin. If you see Terraform using different credentials after upgrading, check to make sure you do not specify credentials for the same host in multiple locations.

  If you use the credentials helper in conjunction with the hashicorp/tfe Terraform provider to manage Terraform Cloud or Terraform Enterprise objects with Terraform, you should also upgrade to version 0.31 of that provider, which added the corresponding built-in support for these environment variables.

• The official Linux packages for the v1.2 series now require Linux kernel version 2.6.32 or later.

• When making outgoing HTTPS or other TLS connections as a client, Terraform now requires the server to support TLS v1.2. TLS v1.0 and v1.1 are no longer supported. Any safely up-to-date server should support TLS 1.2, and mainstream web browsers have required it since 2020.

• When making outgoing HTTPS or other TLS connections as a client, Terraform will no longer accept CA certificates signed using the SHA-1 hash function. Publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

(Note: the changes to Terraform's requirements when interacting with TLS servers apply only to requests made by Terraform CLI itself, such as provider/module installation and state storage requests. Terraform provider plugins include their own TLS clients which may have different requirements, and may add new requirements in their own releases, independently of Terraform CLI changes.)

NEW FEATURES:

• precondition and postcondition check blocks for resources, data sources, and module output values: module authors can now document assumptions and assertions about configuration and state values. If these conditions are not met, Terraform will report a custom error message to the user and halt further execution.
• replace_triggered_by is a new lifecycle argument for managed resources which triggers replacement of an object based on changes to an upstream dependency.
• You can now specify credentials for Terraform-native services using an environment variable named as TF_TOKEN_ followed by an encoded version of the hostname. For example, Terraform will use variable TF_TOKEN_app_terraform_io as a bearer token for requests to "app.terraform.io", for the Terraform Cloud integration and private registry requests.

ENHANCEMENTS:

• When showing a plan, Terraform CLI will now only show "Changes outside of Terraform" if they relate to resources and resource attributes that contributed to the changes Terraform is proposing to make. (#​30486)
• Error messages for preconditions, postconditions, and custom variable validations are now evaluated as expressions, allowing interpolation of relevant values into the output. (#​30613)
• When showing the progress of a remote operation running in Terraform Cloud, Terraform CLI will include information about post-plan run tasks. (#​30141)
• Terraform will now show a slightly different note in the plan output if a data resource read is deferred to the apply step due to it depending on a managed resource that has changes pending. (#​30971)
• The "Invalid for_each argument" error message for unknown maps/sets now includes an additional paragraph to try to help the user notice they can move apply-time values into the map values instead of the map keys, and thus avoid the problem without resorting to -target. (#​30327)
• There are some small improvements to the error and warning messages Terraform will emit in the case of invalid provider configuration passing between modules. There are no changes to which situations will produce errors and warnings, but the messages now include additional information intended to clarify what problem Terraform is describing and how to address it. (#​30639)
• The environment variables TF_CLOUD_ORGANIZATION and TF_CLOUD_HOSTNAME now serve as fallbacks for the arguments of the same name inside a cloud block configuring integration with Terraform Cloud.
• The environment variable TF_WORKSPACE will now additionally serve as an implicit configuration of a single selected workspace on Terraform Cloud if (and only if) the cloud block does not include an explicit workspaces configuration.
• The AzureRM Backend now defaults to using MSAL (and Microsoft Graph) rather than ADAL (and Azure Active Directory Graph) for authentication. (#​30891)
• The AzureRM Backend now supports authenticating as a service principal using OpenID Connect. (#​30936)
• When running on macOS, Terraform will now use platform APIs to validate certificates presented by TLS (HTTPS) servers. This may change exactly which root certificates Terraform will accept as valid. (#​30768)
• Show remote host in error message for clarity when installation of provider fails (#​30810)
• Terraform now prints a warning when adding an attribute to ignore_changes that is managed only by the provider. Specifying non-configurable attributes in ignore_changes has no effect because ignore_changes tells Terraform to ignore future changes made in the configuration. (#​30517)
• terraform show -json now includes exact type information for output values. (#​30945)
• The ssh provisioner connection now supports SSH over HTTP proxy. (#​30274)
• • The SSH client for provisioners now supports newer key algorithms, allowing it to connect to servers running more recent versions of OpenSSH. (#​30962)

BUG FIXES:

• Terraform now handles type constraints, nullability, and custom variable validation properly for root module variables. Previously there was an order of operations problem where the nullability and custom variable validation were checked too early, prior to dealing with the type constraints, and thus that logic could potentially "see" an incorrectly-typed value in spite of the type constraint, leading to incorrect errors. (#​29959)
• When reporting a type mismatch between the true and false results of a conditional expression when both results are of the same structural type kind (object/tuple, or a collection thereof), Terraform will no longer return a confusing message like "the types are object and object, respectively", and will instead attempt to explain how the two structural types differ. (#​30920)
• Applying the various type conversion functions like tostring, tonumber, etc to null will now return a null value of the intended type. For example, tostring(null) converts from a null value of an unknown type to a null value of string type. Terraform can often handle such conversions automatically when needed, but explicit annotations like this can help Terraform to understand author intent when inferring type conversions for complex-typed values. (#​30879)
• Terraform now returns an error when cidrnetmask() is called with an IPv6 address, as it was previously documented to do. IPv6 standards do not preserve the "netmask" syntax sometimes used for IPv4 network configuration; use CIDR prefix syntax instead. (#​30703)
• When performing advanced state management with the terraform state commands, Terraform now checks the required_version field in the configuration before proceeding. (#​30511)
• When rendering a diff, Terraform now quotes the name of any object attribute whose string representation is not a valid identifier. (#​30766)
• Terraform will now prioritize local terraform variables over remote terraform variables in operations such as import, plan, refresh and apply for workspaces in local execution mode. This behavior applies to both remote backend and the cloud integration configuration. (#​29972)
• terraform show -json: JSON plan output now correctly maps aliased providers to their configurations, and includes the full provider source address alongside the short provider name. (#​30138)
• The local token configuration in the cloud and remote backend now has higher priority than a token specified in a credentials block in the CLI configuration. (#​30664)
• The cloud integration now gracefully exits when -input=false and an operation requires some user input.
• Terraform will now reliably detect an inteerruptiong (e.g. Ctrl+C) during planning for terraform apply -auto-approve. Previously there was a window of time where interruption would cancel the plan step but not prevent Terraform from proceeding to the apply step. (#​30979)
• Terraform will no longer crash if a provider fails to return a schema. (#​30987)

v1.1.9

Compare Source

1.1.9 (April 20, 2022)

BUG FIXES:

• cli: Fix crash when using sensitive values in sets. (#​30825)
• cli: Fix double-quoted map keys when rendering a diff. (#​30855)
• core: Prevent errors when handling a data source with incompatible schema changes (#​30830)

ENHANCEMENTS:

• cli: Terraform now supports run tasks, a Terraform Cloud integration for executing remote operations, for the post plan stage of a run.

v1.1.8

Compare Source

1.1.8 (April 07, 2022)

BUG FIXES:

• cli: Fix missing identifying attributes (e.g. "id", "name") when displaying plan diffs with nested objects. (#​30685)
• functions: Fix error when sum() function is called with a collection of string-encoded numbers, such as sum(["1", "2", "3"]). (#​30684)
• When rendering a diff, Terraform now quotes the name of any object attribute whose string representation is not a valid identifier. (#​30766)
• Terraform will no longer crash in the terraform apply phase if an error occurs during backend configuration. (#​30780)

v1.1.7

Compare Source

1.1.7 (March 02, 2022)

BUG FIXES:

• terraform show -json: Improve performance for deeply-nested object values. The previous implementation was accidentally quadratic, which could result in very long execution time for generating JSON plans, and timeouts on Terraform Cloud and Terraform Enterprise. (#​30561)
• cloud: Update go-slug for terraform.tfstate exclusion to prevent a user from getting an error
  after migrating state to TFC.

v1.1.6

Compare Source

1.1.6 (February 16, 2022)

BUG FIXES:

• cli: Prevent complex uses of the console-only type function. This function may only be used at the top level of console expressions, to display the type of a given value. Attempting to use this function in complex expressions will now display a diagnostic error instead of crashing. (#​30476)
• terraform state mv: Will now correctly exit with error code 1 when the specified resources cannot be found in state. Previously Terraform would display appropriate diagnostic errors, but exit successfully. (#​29365)

v1.1.5

Compare Source

1.1.5 (February 02, 2022)

ENHANCEMENTS:

• backend/s3: Update AWS SDK to allow the use of the ap-southeast-3 region (#​30363)

BUG FIXES:

• cli: Fix crash when using autocomplete with long commands, such as terraform workspace select (#​30193)

v1.1.4

Compare Source

1.1.4 (January 19, 2022)

BUG FIXES:

• config: Non-nullable variables with null inputs were not given default values when checking validation statements (#​30330)
• config: Terraform will no longer incorrectly report "Cross-package move statement" when an external package has changed a resource from no count to using count, or vice-versa. (#​30333)

v1.1.3

Compare Source

1.1.3 (January 06, 2022)

BUG FIXES:

• terraform init: Will now remove from the dependency lock file entries for providers not used in the current configuration. Previously it would leave formerly-used providers behind in the lock file, leading to "missing or corrupted provider plugins" errors when other commands verified the consistency of the installed plugins against the locked plugins. (#​30192)
• config: Fix panic when encountering an invalid provider block within a module (#​30095)
• config: Fix cycle error when the index of a module containing move statements is changed (#​30232)
• config: Fix inconsistent ordering with nested move operations (#​30253)
• config: Fix moved block refactoring to include nested modules (#​30233)
• functions: Redact sensitive values from function call error messages (#​30067)
• terraform show: Disable plan state lineage checks, ensuring that we can show plan files which were generated against non-default state files (#​30205)

v1.1.2

Compare Source

1.1.2 (December 17, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to this new version as soon as possible.

Terraform CLI v1.1.0 and v1.1.1 both have a bug where a failure to construct the apply-time graph can cause Terraform to incorrectly report success and save an empty state, effectively "forgetting" all existing infrastructure. Although configurations that already worked on previous releases should not encounter this problem, it's possible that incorrect future configuration changes would trigger this behavior during the apply step.

BUG FIXES:

• config: Fix panic when using -target in combination with moved blocks within modules (#​30189)
• core: Fix condition which could lead to an empty state being written when there is a failure building the apply graph (#​30199)

v1.1.1

Compare Source

1.1.1 (December 15, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to the latest version as soon as possible.

Terraform CLI v1.1.0 and v1.1.1 both have a bug where a failure to construct the apply-time graph can cause Terraform to incorrectly report success and save an empty state, effectively "forgetting" all existing infrastructure. Although configurations that already worked on previous releases should not encounter this problem, it's possible that incorrect future configuration changes would trigger this behavior during the apply step.

---

BUG FIXES:

• core: Fix crash with orphaned module instance due to changed count or for_each value (#​30151)
• core: Fix regression where some expressions failed during validation when referencing resources expanded with count or for_each (#​30171)

v1.1.0

Compare Source

1.1.0 (December 08, 2021)

If you are using Terraform CLI v1.1.0 or v1.1.1, please upgrade to the latest version as soon as possible.

Terraform CLI v1.1.0 and v1.1.1 both have a bug where a failure to construct the apply-time graph can cause Terraform to incorrectly report success and save an empty state, effectively "forgetting" all existing infrastructure. Although configurations that already worked on previous releases should not encounter this problem, it's possible that incorrect future configuration changes would trigger this behavior during the apply step.

---

Terraform v1.1.0 is a new minor release, containing some new features and some bug fixes whose scope was too large for inclusion in a patch release.

NEW FEATURES:

• moved blocks for refactoring within modules: Module authors can now record in module source code whenever they've changed the address of a resource or resource instance, and then during planning Terraform will automatically migrate existing objects in the state to new addresses.

  This therefore avoids the need for users of a shared module to manually run terraform state mv after upgrading to a version of the module, as long as the change is expressible as static configuration. However, terraform state mv will remain available for use in more complex migration situations that are not well-suited to declarative configuration.

• A new cloud block in the terraform settings block introduces a native Terraform Cloud integration for the CLI-driven run workflow.

  The Cloud integration includes several enhancements, including per-run variable support using the -var flag, the ability to map Terraform Cloud workspaces to the current configuration via Workspace Tags, and an improved user experience for Terraform Cloud and Enterprise users with actionable error messages and prompts.

• terraform plan and terraform apply both now include additional annotations for resource instances planned for deletion to explain why Terraform has proposed that action.

  For example, if you change the count argument for a resource to a lower number then Terraform will now mention that as part of proposing to destroy any existing objects that exceed the new count.

UPGRADE NOTES:

This release is covered by the Terraform v1.0 Compatibility Promises, but does include some changes permitted within those promises as described below.

• Terraform on macOS now requires macOS 10.13 High Sierra or later; Older macOS versions are no longer supported.

• The terraform graph command no longer supports -type=validate and -type=eval options. The validate graph is always the same as the plan graph anyway, and the "eval" graph was just an implementation detail of the terraform console command. The default behavior of creating a plan graph should be a reasonable replacement for both of the removed graph modes. (Please note that terraform graph is not covered by the Terraform v1.0 compatibility promises, because its behavior inherently exposes Terraform Core implementation details, so we recommend it only for interactive debugging tasks and not for use in automation.)

• terraform apply with a previously-saved plan file will now verify that the provider plugin packages used to create the plan fully match the ones used during apply, using the same checksum scheme that Terraform normally uses for the dependency lock file. Previously Terraform was checking consistency of plugins from a plan file using a legacy mechanism which covered only the main plugin executable, not any other files that might be distributed alongside in the plugin package.

  This additional check should not affect typical plugins that conform to the expectation that a plugin package's contents are immutable once released, but may affect a hypothetical in-house plugin that intentionally modifies extra files in its package directory somehow between plan and apply. If you have such a plugin, you'll need to change its approach to store those files in some other location separate from the package directory. This is a minor compatibility break motivated by increasing the assurance that plugins have not been inadvertently or maliciously modified between plan and apply.

• terraform state mv will now error when legacy -backup or -backup-out options are used without the -state option on non-local backends. These options operate on a local state file only. Previously, these options were accepted but ignored silently when used with non-local backends.

• In the AzureRM backend, the new opt-in option use_microsoft_graph switches to using MSAL authentication tokens and Microsoft Graph rather than using ADAL tokens and Azure Active Directory Graph, which is now deprecated by Microsoft. The new mode will become the default in Terraform v1.2, so please plan to migrate to using this setting and test with your own Azure AD tenant prior to the Terraform v1.2 release.

ENHANCEMENTS:

• config: Terraform now checks the syntax of and normalizes module source addresses (the source argument in module blocks) during configuration decoding rather than only at module installation time. This is largely just an internal refactoring, but a visible benefit of this change is that the terraform init messages about module downloading will now show the canonical module package address Terraform is downloading from, after interpreting the special shorthands for common cases like GitHub URLs. (#​28854)
• config: Variables can now be declared as "nullable", which defines whether a variable can be null within a module. Setting nullable = false ensures that a variable value will never be null, and may instead take on the variable's default value if the caller sets it explicitly to null. (#​29832)
• terraform plan and terraform apply: When Terraform plans to destroy a resource instance due to it no longer being declared in the configuration, the proposed plan output will now include a note hinting at what situation prompted that proposal, so you can more easily see what configuration change might avoid the object being destroyed. (#​29637)
• terraform plan and terraform apply: Terraform will now report explicitly in the UI if it automatically moves a resource instance to a new address as a result of adding or removing the count argument from an existing resource. For example, if you previously had resource "aws_subnet" "example" without count, you might have aws_subnet.example already bound to a remote object in your state. If you add count = 1 to that resource then Terraform would previously silently rebind the object to aws_subnet.example[0] as part of planning, whereas now Terraform will mention that it did so explicitly in the plan description. (#​29605)
• terraform workspace delete: will now allow deleting a workspace whose state contains only data resource instances and output values, without running terraform destroy first. Previously the presence of data resources would require using -force to override the safety check guarding against accidentally forgetting about remote objects, but a data resource is not responsible for the management of its associated remote object(s) and so there's no reason to require explicit deletion. (#​29754)
• terraform validate: Terraform now uses precise type information for resources during config validation, allowing more problems to be caught that that step rather than only during the planning step. (#​29862)
• provisioner/remote-exec and provisioner/file: When using SSH agent authentication mode on Windows, Terraform can now detect and use the Windows 10 built-in OpenSSH Client's SSH Agent, when available, in addition to the existing support for the third-party solution Pageant that was already supported. (#​29747)
• cli: terraform state mv will now return an error for -backup or -backup-out options used without the -state option, unless the working directory is initialized to use the local backend. Previously Terraform would silently ignore those options, since they are applicable only to the local backend. (#​27908)
• terraform console: now has a new type() function, available only in the interactive console, for inspecting the exact type of a particular value as an aid to debugging. (#​28501)

BUG FIXES:

• config: ignore_changes = all now works in override files. (#​29849)
• config: Upgrading an unknown single value to a list using a splat expression now correctly returns an unknown value and type. Previously it would sometimes "overpromise" a particular return type, leading to an inconsistency error during the apply step. (#​30062)
• config: Terraform is now more precise in its detection of data resources that must be deferred to the apply step due to their depends_on arguments referring to not-yet-converged managed resources. (#​29682)
• config: ignore_changes can no longer cause a null map to be converted to an empty map, which would otherwise potentially cause surprising side-effects in provider logic. (#​29928)
• core: Provider configuration obtained from interactive prompts will now be merged properly with settings given in the configuration. Previously this merging was incorrect in some cases. (#​29000)
• terraform plan: Improved rendering of changes inside attributes that accept lists, sets, or maps of nested object types. (#​29827, #​29983, #​29986)
• terraform apply: Will no longer try to apply a stale plan that was generated against an originally-empty state. Previously this was an unintended exception to the rule that a plan can only be applied to the state snapshot it was generated against. (#​29755)
• terraform show -json: Attributes that are declared as using the legacy Attributes as Blocks behavior are now represented more faithfully in the JSON plan output. (#​29522)
• terraform init: Will now update the backend configuration hash value at a more approprimate time, to ensure properly restarting a backend migration process that failed on the first attempt. (#​29860)
• backend/oss: Flatten assume_role block arguments, so that they are more compatible with the terraform_remote_state data source. (#​29307)

v1.0.11

Compare Source

1.0.11 (November 10, 2021)

ENHANCEMENTS:

• backend/oss: Added support for sts_endpoint (#​29841)

BUG FIXES:

• config: Fixed a bug in which ignore_changes = all would not work in override files (#​29849)
• config: Numbers are now compared for equality based on their protocol representation, eliminating unexpected changes due to small precision errors (#​29864)

v1.0.10

Compare Source

1.0.10 (October 28, 2021)

BUG FIXES:

• backend/oss: Fix panic when there's an error looking up OSS endpoints (#​29784)
• backend/remote: Fix version check when migrating state (#​29793)
• cli: Restore -lock and -lock-timeout flags for the init command, which were removed in 0.15.0 (#​29773)
• cli: Fix bug where terraform init -input=false would hang waiting for user input to choose a workspace (#​29805)

v1.0.9

Compare Source

1.0.9 (October 13, 2021)

BUG FIXES:

• core: Fix panic when planning new resources with nested object attributes (#​29701)
• core: Do not refresh deposed instances when the provider is not configured during destroy (#​29720)
• core: Prevent panic when encountering a missing change when destroying a resource (#​29734)

v1.0.8

Compare Source

1.0.8 (September 29, 2021)

BUG FIXES:

• cli: Check required_version as early as possibly during init so that version incompatibility can be reported before errors about new syntax (#​29665)
• core: Don't plan to remove orphaned resource instances in refresh-only plans (#​29640)

v1.0.7

Compare Source

1.0.7 (September 15, 2021)

BUG FIXES:

• core: Remove check for computed attributes which is no longer valid with optional structural attributes (#​29563)
• core: Prevent object types with optional attributes from being instantiated as concrete values, which can lead to failures in type comparison (#​29559)
• core: Empty containers in the configuration were not planned correctly when used with optional structural attributes (#​29580)

v1.0.6

Compare Source

1.0.6 (September 03, 2021)

ENHANCEMENTS:

• backend/s3: Improve SSO handling and add new endpoints in the AWS SDK (#​29017)

BUG FIXES:

• cli: Suppress confirmation prompt when initializing with the -force-copy flag and migrating state between multiple workspaces. (#​29438)
• cli: Update tencentcount dependency versions to fix errors when building from source (#​29445)
• core: Fix panic while handling computed attributes within nested objects, and improve plan validation for unknown values (#​29482)

v1.0.5

Compare Source

1.0.5 (August 18, 2021)

BUG FIXES:

• json-output: Add an output change summary message as part of the terraform plan -json structured logs, bringing this format into parity with the human-readable UI. (#​29312)
• core: Handle null nested single attribute values (#​29411)
• cli: Fix crash when planning a diff between null and empty sets in nested attributes (#​29398)
• cli: Fix crash when planning a new resource containing a set of nested object attributes (#​29398)
• cli: Fix crash when displaying a resource diff where a possibly identifying attribute is sensitive (#​29397)
• cli: Fix crash when a diff with unknown nested map attributes (#​29410)
• config: Fix handling of dynamically types arguments in formatlist, ensuring the correct resulting type. (#​29408)
• config: Floating point operations like floor and ceil can no longer mutate their arguments. (#​29408)

v1.0.4

Compare Source

1.0.4 (August 04, 2021)

BUG FIXES:

• backend/consul: Fix a bug where the state value may be too large for consul to accept (#​28838)
• cli: Fixed a crashing bug with some edge-cases when reporting syntax errors that happen to be reported at the position of a newline. (#​29048)

v1.0.3

Compare Source

1.0.3 (July 21, 2021)

ENHANCEMENTS

• terraform plan: The JSON logs (-json option) will now include resource_drift, showing changes detected outside of Terraform during the refresh step. (#​29072)
• core: The automatic provider installer will now accept providers that are recorded in their registry as using provider protocol version 6. (#​29153)
• backend/etcdv3: New argument max_request_bytes allows larger requests and for the client, to match the server request limit. (#​28078)

BUG FIXES:

• terraform plan: Will no longer panic when trying to render null maps. (#​29207)
• backend/pg: Prevent the creation of multiple workspaces with the same name. (#​29157)
• backend/oss: STS auth is now supported. (#​29167)
• config: Dynamic blocks with unknown for_each values were not being validated. Ensure block attributes are valid even when the block is unknown (#​29208)
• config: Unknown values in string templates could lose sensitivity, causing the planned change to be inaccurate (#​29208)

v1.0.2

[Compare Source](https://togithub.com/

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.