IMPORTANT NOTES:
-
Conditional GPG Validation Bypass for Default Registry - (#309): A temporary change has been introduced to skip GPG validation under specific conditions. This behavior is tracked under issue #309 and applies as follows:
- Registry Scope: This change only affects provider packages from the default registry.
- Key Availability: GPG validation will be skipped when and only when the provider's GPG keys are not available in the default registry.
- Temporary Measure: This is a stopgap measure until GPG keys for all providers can be populated in the default registry.
While this offers operational flexibility, it does reduce the level of security assurance for affected packages. Users who prioritize security should set the
OPENTOFU_ENFORCE_GPG_VALIDATION
environment variable totrue
to enforce GPG validation of all providers.Future Removal: We intend to remove this feature once all GPG keys are populated in the default registry, reverting to a strict GPG validation process for all providers.
UPGRADE NOTES:
- The
cloud
andremote
backends will no longer default toapp.terraform.io
hostname and will require the hostname to be explicitly specified (#291); - The
login
andlogout
commands will no longer default toapp.terraform.io
hostname and will require the hostname to be explicitly provided as a command-line argument (#291); - prevent future possible incompatibility with states that include unknown
check
block result kinds. (#355);
NEW FEATURES:
-
tofu test
: The previously experimentaltofu test
command has been moved out of experimental. This comes with a significant change in how OpenTofu tests are written and executed.OpenTofu tests are written within
.tftest.hcl
files, controlled by a series ofrun
blocks. Eachrun
block will execute an OpenTofu plan or apply command against the OpenTofu configuration under test and can execute conditions against the resultant plan and state.
ENHANCEMENTS:
- config: OpenTofu can now track some additional detail about values that won't be known until the apply step, such as the range of possible lengths for a collection or whether an unknown value can possibly be null. When this information is available, Terraform can potentially generate known results for some operations on unknown values. This doesn't mean that Terraform can immediately track that detail in all cases, but the type system now contains the facility for that and so over time we will improve the level of detail generated by built-in functions, language operators, Terraform providers, etc. (#33234)
- jsonplan: Added
errored
field to JSON plan output, indicating whether a plan errored. (#33372) - cloud: Remote plans on cloud backends can now be saved using the
-out
flag, referenced in theshow
command, and applied by specifying the plan file name. (#33492) - config: The
import
blockid
field now accepts an expression referencing other values such as resource attributes, as long as the value is a string known at plan time. (#33618) - telemetry: All checkpoint telemetry was removed (#151)
BUG FIXES:
- The upstream dependency that OpenTofu uses for service discovery of OpenTofu-native services such as cloud backend state storage was previously not concurrency-safe, but OpenTofu was treating it as if it was in situations like when a configuration has multiple
terraform_remote_state
blocks all using the "remote" backend. OpenTofu is now using a newer version of that library which updates its internal caches in a concurrency-safe way. (#33364) - Transitive dependencies were lost during apply when the referenced resource expanded into zero instances (#33403)
- OpenTofu will no longer override SSH settings in local git configuration when installing modules. (#33592)
- Handle file-operation errors in
internal/states/statemgr
. (#278) tofu init
: OpenTofu will no longer allow downloading remote modules to invalid paths. (#356)- tofu_remote_state: Fixed a potential unsafe read panic when reading from multiple tofu_remote_state data sources (#357)
- OpenTofu will now attempt to create the configuration directory
~/.terraform.d
on startup. (#442) - Conditionals with an unknown condition and sensitive branch won't crash anymore. (#659)
- Fixed panic when using sensitive inputs for the ID field of an import configuration block (#665)
- Fixes the ability to use KMS key aliases in the S3 backend (#669)
For information on prior major and minor releases, see their changelogs:
None yet