Releases: opentofu/opentofu

v1.12.2

12 Jun 15:26

1.12.2

SECURITY ADVISORIES:

  • Previous releases in the v1.12 series could be affected by several vulnerabilities:

    • If the OpenBao key provider is used for state encryption with wrapping algorithms, a specifically crafted JWE returned by a compromised system could cause panics or hangs.

    This is now fixed. (#4177)

  • Previous releases in the v1.12 series could be affected by several vulnerabilities:

    • When using SSH connections through OpenTofu, the errors returned from a connection attempt could include unescaped input bytes.
    • Running tofu against an attacker-controlled server could result in high CPU consumption.

    These are now fixed. (#4247)

BUG FIXES:

  • Properly handle EDEADLK during provider installation. On Unix systems, the kernel may erroneously detect a deadlock between tofu processes using the global plugin cache. (#4166)
  • Fix race condition while handling closing signals during tofu login, both when the signal is sent by the user and when the browser fails to successfully connect. (#4016)
  • Prevent panic when using ephemeral resources during tofu test. (#4254)

Full Changelog: v1.12.1...v1.12.2

v1.11.9

12 Jun 16:11

1.11.9

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • SSH usage through OpenTofu could generate hangs or panics.
    • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

    These are now fixed. (#4145)

  • If the OpenBao key provider is used for state encryption with wrapping algorithms, a specifically crafted JWE returned by a compromised system could cause panics or hangs. This is now fixed. (#4177)

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • When using SSH connections through OpenTofu, the errors returned from a connection attempt could include unescaped input bytes.
    • Running tofu against an attacker-controlled server could result in high CPU consumption.

    These are now fixed. (#4248)

BUG FIXES:

  • Fix race condition while handling closing signals during tofu login, both when the signal is sent by the user and when the browser fails to successfully connect. (#4016)
  • Prevent panic when using ephemeral resources during tofu test. (#4254)

Full Changelog: v1.11.8...v1.11.9

v1.12.1

27 May 10:44
v1.12.1
dc29882

SECURITY ADVISORIES:

  • Previous releases in the v1.12 series could be affected by several vulnerabilities:

    • SSH usage through OpenTofu could generate hangs or panics.
    • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

    These are now fixed. (#4145)

BUG FIXES:

  • Address a bug introduced in v1.12.0 causing excessive memory usage by providers. (#4126)
  • Address a bug introduced in v1.12.0 where replace_triggered_by was validated incorrectly. (#4133)
  • The Azure key provider will now accept the tenant_id, subscription_id, environment, and metadata_host variables; a bug previously only allowed these to be set through environment variables. (#4091)

Full Changelog: https://github.com/opentofu/opentofu/blob/v1.12/CHANGELOG.md

v1.12.0

14 May 11:57
v1.12.0
bdcbf09

OpenTofu 1.12.0

We're proud to announce that OpenTofu 1.12.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Dynamic prevent_destroy

OpenTofu v1.12.0 now allows prevent_destroy to be defined dynamically in terms of other values available elsewhere in the same module. For example:

variable "prevent_destroy_database" {
  type    = bool
  default = true
}

resource "example_database" "example" {
  # ...

  lifecycle {
    prevent_destroy = var.prevent_destroy_database
  }
}

Provider Checksum Improvements

The default provider installation behavior in OpenTofu is designed to mostly "just work" by getting the needed providers installed and making the necessary changes to the dependency lock file, but in previous versions friction appeared for any teams using many of the non-default installation settings such as the shared provider plugin cache, or local mirrors of upstream providers.

For OpenTofu v1.12, OpenTofu Registry now provides a full set of official checksums in all of the checksum formats needed by other installation methods. This means that after running tofu init the dependency lock file will immediately have all of the information required to successfully use a global plugin cache directory and to verify matching packages served from a local mirror, without needing to run tofu providers lock separately.
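As an added illustration (not OpenTofu's own code) of what the dependency lock file carries after this change, and of the h1:/zh: hash note in the rc1 and beta1 upgrade notes below, the following Python reads a constructed .terraform.lock.hcl and reports, per provider, how many h1: and zh: hashes it records and which providers lack the h1: hashes that global-cache and local-mirror verification rely on. The lock file contents, provider addresses and hash values are constructed placeholders, and the reader assumes the fixed layout that tofu init writes rather than arbitrary HCL.

```python
"""Report which checksum kinds each provider in a .terraform.lock.hcl carries.

Added example, not OpenTofu code: a minimal regex-based reader for the fixed
layout that `tofu init` writes (not a general HCL parser).
"""
import re

# Constructed sample lock file (placeholder hashes, not real checksums): one
# provider with both h1: and zh: hashes, one with only the registry's zh: hashes
# (the shape lock files had before the registry served h1: hashes).
SAMPLE_LOCK = '''\
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.

provider "registry.opentofu.org/hashicorp/random" {
  version     = "3.6.3"
  constraints = "~> 3.6"
  hashes = [
    "h1:EXAMPLEh1hashForPlatformOne=",
    "h1:EXAMPLEh1hashForPlatformTwo=",
    "zh:0000000000000000000000000000000000000000000000000000000000000001",
    "zh:0000000000000000000000000000000000000000000000000000000000000002",
  ]
}

provider "registry.opentofu.org/hashicorp/null" {
  version     = "3.2.3"
  constraints = ">= 3.0.0"
  hashes = [
    "zh:0000000000000000000000000000000000000000000000000000000000000003",
  ]
}
'''

# One provider block: address in quotes, body up to the closing brace on its own line.
PROVIDER_RE = re.compile(r'provider\s+"(?P<addr>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.DOTALL)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.MULTILINE)
# Hash strings are "<scheme>:<value>"; h1: is the unpacked-package hash used by
# cache and mirror verification, zh: is the registry's zip-archive hash.
HASH_RE = re.compile(r'"((?:h1|zh):[^"]+)"')


def parse_lock(text):
    """Return {provider_address: {"version": str | None, "hashes": [str, ...]}}."""
    result = {}
    for m in PROVIDER_RE.finditer(text):
        body = m.group("body")
        vm = VERSION_RE.search(body)
        result[m.group("addr")] = {
            "version": vm.group(1) if vm else None,
            "hashes": HASH_RE.findall(body),
        }
    return result


def hash_kinds(entry):
    """Count hashes per scheme prefix, e.g. {"h1": 2, "zh": 2}."""
    counts = {}
    for h in entry["hashes"]:
        scheme = h.split(":", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def providers_missing_h1(lock):
    """Providers whose lock entry records no h1: hash.

    Packages taken from a global plugin cache directory or a local mirror are
    verified against h1: hashes, so these are the entries that previously needed
    a separate `tofu providers lock` run to become usable with those methods.
    """
    return sorted(addr for addr, e in lock.items() if "h1" not in hash_kinds(e))


if __name__ == "__main__":
    lock = parse_lock(SAMPLE_LOCK)
    for addr, entry in lock.items():
        print(f"{addr} {entry['version']}: {hash_kinds(entry)}")
    print("providers without h1: hashes:", providers_missing_h1(lock))
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; an empty "without h1:" list means every locked provider can be verified from a cache or mirror.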

Simultaneous Human-readable and Machine-readable Output

Many OpenTofu commands support both human-oriented UI output and machine-readable JSON output, but previously those commands could be run with only one or the other. This was bothersome for those implementing alternative UIs in terms of the machine-readable output because it meant they would need to implement all possible features of the UI before their tool could actually be used.

OpenTofu v1.12.0 introduces a new option -json-into=FILENAME, which produces the same output format that -json would have produced but sends that output to the given filename instead of to the standard output stream. The OpenTofu UI output then appears on the standard output stream as normal, so that software interpreting the JSON output can behave as just a supplement to the normal UI rather than a complete replacement.

New destroy lifecycle meta-argument

The new destroy = false lifecycle option for managed resources allows removing an object from the state without first destroying the remote object.

Deprecation Notices

WinRM for Provisioners is Now Deprecated

Some of the Go libraries that OpenTofu uses for WinRM connection support in provisioners have become unmaintained over time, and so unfortunately we are phasing out support for WinRM in OpenTofu starting with deprecation warnings in this release.

If your configuration includes a connection block with type = "winrm" then OpenTofu v1.12 will warn that this connection type is deprecated, but provisioning should otherwise still work as it did before.

We intend to remove WinRM support completely in the forthcoming OpenTofu v1.13 series, and so if you are currently relying on WinRM support we recommend that you begin planning to migrate to using OpenSSH for Windows instead.

Phasing Out Support for 32-bit CPU Architectures

We are also planning to stop producing official releases for 32-bit CPU architectures (386 and arm) in a future version of OpenTofu. Support for 64-bit architectures (amd64 and arm64) is unaffected.

OpenTofu v1.12 does not include any changes to CPU support yet, but we expect that the official builds in the forthcoming v1.13 series will begin producing warnings when running on 32-bit CPU architectures, before we stop producing those packages altogether in a future release series.

Compatibility Notes

  • macOS: Requires macOS 12 Monterey or later
  • The OPENTOFU_USER_AGENT environment variable, which allowed fully overriding the default User-Agent header on all HTTP requests, has been removed.
  • On Unix systems OpenTofu now considers the BROWSER environment variable as a possible override for the default behavior for launching a web browser. If you run OpenTofu in a context where an environment variable of that name is already set, it may cause OpenTofu to now open a web browser in a different way than previous versions would have. Unsetting that environment variable will restore the previous platform-specific behavior.

Thank you for your continued support and testing of the OpenTofu project!

v1.11.8

14 May 09:47
v1.11.8
4bd8c80

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could potentially take an excessive amount of time and send extraneous data to an HTTP2 server that specifies a maximum frame size of zero. This is now fixed. (#4094)

    An attacker that can coerce an operator to install a dependency from an attacker-controlled server could use this to cause unexpected resource consumption during tofu init.

Full Changelog: v1.11.7...v1.11.8

v1.11.7

11 May 12:16
v1.11.7
398c818

BUG FIXES:

  • When installing provider packages into a local cache directory, the installer will now return an error if a conflicting entry is already present in the cache that doesn't match the expected checksum. Previously OpenTofu would just silently write over the existing entry in that case. (#4082)

Full Changelog: v1.11.6...v1.11.7

v1.10.10

11 May 11:29
v1.10.10
51257d7

BUG FIXES:

  • When installing provider packages into a local cache directory, the installer will now return an error if a conflicting entry is already present in the cache that doesn't match the expected checksum. Previously OpenTofu would just silently write over the existing entry in that case. (#4082)
  • Fixed provider-defined functions in import block id expressions causing "BUG: Uninitialized function provider" error. (#3803)

Full Changelog: v1.10.9...v1.10.10

v1.12.0-rc1

29 Apr 19:56

v1.12.0-rc1 Pre-release

UPGRADE NOTES:

  • The "winrm" connection type for the remote-exec and file provisioners is now deprecated. (#3899)

    The library ecosystem around the WinRM protocol is no longer in a healthy state, with some libraries unmaintained. Therefore we cannot continue to offer this functionality, and will phase it out over the next few release series. In OpenTofu v1.12 this connection type is still supported, but will generate a warning each time it is used. We expect that use of this connection type will begin returning an error in OpenTofu v1.13.

    Modern Windows versions now support OpenSSH, and so we suggest that anyone currently relying on WinRM should begin planning to migrate to using SSH instead.

  • The OPENTOFU_USER_AGENT environment variable, which allowed fully overriding the default User-Agent header on all HTTP requests, has been removed.

  • This is the last OpenTofu release series that will support macOS 12 Monterey. We expect that OpenTofu v1.13 will require macOS 13 Ventura or later.

  • On Unix systems OpenTofu now considers the BROWSER environment variable as a possible override for the default behavior for launching a web browser.

    If you run OpenTofu in a context where an environment variable of that name is already set, it may cause OpenTofu to now open a web browser in a different way than previous versions would have. Unsetting that environment variable will restore the previous platform-specific behavior.

  • If you are installing providers from the registry (most users), you should expect to see additional h1:value provider hashes in your .terraform.lock.hcl file.

    We have improved the OpenTofu registry to serve both zh:value and h1:value hashes, as well as instructing OpenTofu in how to integrate this data into its existing provider trust chain. Including these additional hashes will reduce friction in cross-platform environments. These and other related changes below should subsume the need to use tofu providers lock in most scenarios, simplifying many existing cross-platform workflows. For more information, see the corresponding RFC and discussion

  • The OpenTofu project is planning to stop providing official release packages for 32-bit CPU architectures (*_386 and *_arm platforms) in a future release series.

    We intend to continue producing packages for these platforms at least throughout the v1.12.x and v1.13.x series and so no immediate action is required, but if you are currently relying on our official packages for these platforms then we suggest that you begin planning to migrate to running OpenTofu on a 64-bit CPU architecture (*_amd64 or *_arm64 platforms).

ENHANCEMENTS:

  • A prevent_destroy argument in the lifecycle block for managed resources can now refer to other symbols in the same module, such as to the module's input variables. (#3474, #3507)
  • New lifecycle meta-argument destroy: when set to false OpenTofu will plan to just remove the affected object from state without asking the provider to destroy it first, similar to destroy = false in removed blocks. (#3409)
  • Comparing an object or other complex-typed value to null using the == operator now returns a sensitive boolean result only if the object as a whole is sensitive, and not when the object merely contains a sensitive value nested inside one of its attributes. This means that comparisons to null can now be used in parts of the configuration where sensitive values are not allowed, such as in the enabled meta-argument on resources and modules. (#3793)
  • Resources using replace_triggered_by in their lifecycle block are now replaced when a resource they refer to is itself being replaced, whereas before this triggered only when it was being updated. (#3714)
  • OpenTofu now produces warnings for any references to attributes or blocks of a resource type that are marked as deprecated in the provider schema, unless disabled by the -deprecation= option. (#3973)
  • The yamldecode function now supports the "merge" tag, most commonly written as << where a map key would be expected, with sequences of mappings rather than just individual mappings. (#3607)
  • A new configuration block type language offers a more general way to define version constraints that separates OpenTofu constraints from other software. Note that module authors should delay adopting this new syntax until they are ready to require OpenTofu v1.12.0 or later, but there is an interim solution available that is backward-compatible with earlier OpenTofu versions. (#3300)
  • Input variables can now be declared as const = true to require that the assigned value is compatible with static evaluation. (#3946)
  • New CLI argument -json-into=<outfile> allows emitting both human-readable and machine-readable logs. (#3606)
  • Provider installation now makes concurrent requests to download provider packages, which may allow tofu init to complete faster. (#2729)
  • Provider checksum verification and schema loading are now better optimized, including no longer verifying checksums for providers that are present in the local cache but will not be used by a particular command. (#2730)
  • tofu init now includes a full set of checksums for all supported platforms when updating a dependency lock file, using additional information now reported by the provider registry. This should remove the need to run tofu providers lock in many situations where it was previously required. (#3868)
  • The network_mirror configuration now includes an option to trust all hashes reported by the mirror. This also simplifies managing lockfiles in cross-platform environments. (#3885)
  • Module registries can now specify that package downloads should use the same credentials as the registry's API calls, without needing to configure credentials separately in a .netrc file. This approach is helpful when the module packages are served by the registry itself, rather than when the registry just links to an external location such as a GitHub repository. (#3313)
  • tofu destroy now supports -suppress-forget-errors to suppress errors and exit with a zero status code when resources are forgotten during destroy operations. (#3588)
  • tofu console now supports -lock=false and -lock-timeout=DURATION to control whether and how this command uses state locks. (#3800)
  • tofu login now uses the BROWSER environment variable when launching a web browser on Unix platforms, as long as it's set to a single command that can accept a URL to open as its first and only argument. (#3456)
  • Most commands now print the usage text when argument parsing fails, report previously legacy error messages as regular diagnostics, and have gained support for JSON output. (#3941)
  • The s3 backend now automatically discovers and uses AWS credentials issued using the aws login command in AWS CLI. (#3767)
  • The azurerm backend now supports authentication using Azure DevOps and Azure Pipelines workload identity federation. (#3820)
  • The local backend now writes pretty-printed JSON state files, making diffs more readable when state is tracked in version control. (#1947)
  • The azurerm backend now supports Customer-Provided Keys (CPK) as well as Customer-Managed Keys (CMK) to enable server-side encryption. (#3886)

BUG FIXES:

  • During validation and planning phase, replace_triggered_by expressions are now checked to ensure that the referenced resource attributes actually exist. (#3967)
  • length(module.example) now returns the correct result for a module that has no output values when called using count or for_each. It would previously incorrectly return zero unless at least one output value was declared inside the module. (#3067)
  • A call to a module containing check blocks can now use depends_on without causing a dependency cycle error. (#3060)
  • for_each arguments in dynamic blocks can now call provider-defined functions. (#3429)
  • Calls to provider-defined functions in the id argument of an import block no longer cause "BUG: Uninitialized function provider" error. (#3803)
  • local-exec and file provisioners no longer crash when their command or destination argumen...

v1.12.0-beta1

08 Apr 14:54

v1.12.0-beta1 Pre-release

UPGRADE NOTES:

  • The "winrm" connection type for the remote-exec and file provisioners is now deprecated. (#3899)

    The library ecosystem around the WinRM protocol is no longer in a healthy state, with some libraries unmaintained. Therefore we cannot continue to offer this functionality, and will phase it out over the next few release series. In OpenTofu v1.12 this connection type is still supported, but will generate a warning each time it is used. We expect that use of this connection type will begin returning an error in OpenTofu v1.13.

    Modern Windows versions now support OpenSSH, and so we suggest that anyone currently relying on WinRM should begin planning to migrate to using SSH instead.

  • The OPENTOFU_USER_AGENT environment variable, which allowed fully overriding the default User-Agent header on all HTTP requests, has been removed.

  • This is the last OpenTofu release series that will support macOS 12 Monterey. We expect that OpenTofu v1.13 will require macOS 13 Ventura or later.

  • On Unix systems OpenTofu now considers the BROWSER environment variable as a possible override for the default behavior for launching a web browser.

    If you run OpenTofu in a context where an environment variable of that name is already set, it may cause OpenTofu to now open a web browser in a different way than previous versions would have. Unsetting that environment variable will restore the previous platform-specific behavior.

  • If you are installing providers from the registry (most users), you should expect to see additional h1:value provider hashes in your .terraform.lock.hcl file.

    We have improved the OpenTofu registry to serve both zh:value and h1:value hashes, as well as instructing OpenTofu in how to integrate this data into its existing provider trust chain. Including these additional hashes will reduce friction in cross-platform environments. These and other related changes below should subsume the need to use tofu providers lock in most scenarios, simplifying many existing cross-platform workflows. For more information, see the corresponding RFC and discussion

  • The OpenTofu project is planning to stop providing official release packages for 32-bit CPU architectures (*_386 and *_arm platforms) in a future release series.

    We intend to continue producing packages for these platforms at least throughout the v1.12.x and v1.13.x series and so no immediate action is required, but if you are currently relying on our official packages for these platforms then we suggest that you begin planning to migrate to running OpenTofu on a 64-bit CPU architecture (*_amd64 or *_arm64 platforms).

ENHANCEMENTS:

  • A prevent_destroy argument in the lifecycle block for managed resources can now refer to other symbols in the same module, such as to the module's input variables. (#3474, #3507)
  • New lifecycle meta-argument destroy: when set to false OpenTofu will plan to just remove the affected object from state without asking the provider to destroy it first, similar to destroy = false in removed blocks. (#3409)
  • Comparing an object or other complex-typed value to null using the == operator now returns a sensitive boolean result only if the object as a whole is sensitive, and not when the object merely contains a sensitive value nested inside one of its attributes. This means that comparisons to null can now be used in parts of the configuration where sensitive values are not allowed, such as in the enabled meta-argument on resources and modules. (#3793)
  • Resources using replace_triggered_by in their lifecycle block are now replaced when a resource they refer to is itself being replaced, whereas before this triggered only when it was being updated. (#3714)
  • OpenTofu now produces warnings for any references to attributes or blocks of a resource type that are marked as deprecated in the provider schema, unless disabled by the -deprecation= option. (#3973)
  • The yamldecode function now supports the "merge" tag, most commonly written as << where a map key would be expected, with sequences of mappings rather than just individual mappings. (#3607)
  • A new configuration block type language offers a more general way to define version constraints that separates OpenTofu constraints from other software. Note that module authors should delay adopting this new syntax until they are ready to require OpenTofu v1.12.0 or later, but there is an interim solution available that is backward-compatible with earlier OpenTofu versions. (#3300)
  • Input variables can now be declared as const = true to require that the assigned value is compatible with static evaluation. (#3946)
  • New CLI argument -json-into=<outfile> allows emitting both human-readable and machine-readable logs. (#3606)
  • Provider installation now makes concurrent requests to download provider packages, which may allow tofu init to complete faster. (#2729)
  • Provider checksum verification and schema loading are now better optimized, including no longer verifying checksums for providers that are present in the local cache but will not be used by a particular command. (#2730)
  • tofu init now includes a full set of checksums for all supported platforms when updating a dependency lock file, using additional information now reported by the provider registry. This should remove the need to run tofu providers lock in many situations where it was previously required. (#3868)
  • The network_mirror configuration now includes an option to trust all hashes reported by the mirror. This also simplifies managing lockfiles in cross-platform environments. (#3885)
  • Module registries can now specify that package downloads should use the same credentials as the registry's API calls, without needing to configure credentials separately in a .netrc file. This approach is helpful when the module packages are served by the registry itself, rather than when the registry just links to an external location such as a GitHub repository. (#3313)
  • tofu destroy now supports -suppress-forget-errors to suppress errors and exit with a zero status code when resources are forgotten during destroy operations. (#3588)
  • tofu console now supports -lock=false and -lock-timeout=DURATION to control whether and how this command uses state locks. (#3800)
  • tofu login now uses the BROWSER environment variable when launching a web browser on Unix platforms, as long as it's set to a single command that can accept a URL to open as its first and only argument. (#3456)
  • Most commands now print the usage text when argument parsing fails, report previously legacy error messages as regular diagnostics, and have gained support for JSON output. (#3941)
  • The s3 backend now automatically discovers and uses AWS credentials issued using the aws login command in AWS CLI. (#3767)
  • The azurerm backend now supports authentication using Azure DevOps and Azure Pipelines workload identity federation. (#3820)
  • The local backend now writes pretty-printed JSON state files, making diffs more readable when state is tracked in version control. (#1947)
  • The azurerm backend now supports Customer-Provided Keys (CPK) as well as Customer-Managed Keys (CMK) to enable server-side encryption. (#3886)

BUG FIXES:

  • During validation and planning phase, replace_triggered_by expressions are now checked to ensure that the referenced resource attributes actually exist. (#3967)
  • length(module.example) now returns the correct result for a module that has no output values when called using count or for_each. It would previously incorrectly return zero unless at least one output value was declared inside the module. (#3067)
  • A call to a module containing check blocks can now use depends_on without causing a dependency cycle error. (#3060)
  • for_each arguments in dynamic blocks can now call provider-defined functions. (#3429)
  • Calls to provider-defined functions in the id argument of an import block no longer cause "BUG: Uninitialized function provider" error. (#3803)
  • local-exec and file provisioners no longer crash when their command or destination argumen...

v1.11.6

08 Apr 11:48

BUG FIXES:

  • Running tofu apply -refresh-only with a configuration that contains ephemeral resources no longer fails because the refresh produced changes. (#3776)
  • Fixed tofu init crashing when a module version uses a variable and the module is referenced from a test file. (#3686)
  • Fixed provider-defined functions in import block id expressions causing "BUG: Uninitialized function provider" error. (#3803)
  • tofu test no longer fails during cleanup when using a mocked version of a resource type with write-only attributes. (#3964)
  • A malicious remote TLS server can no longer deadlock OpenTofu by sending multiple key update messages in a single record. (#3966)
  • When installing module packages from "tar" archives, OpenTofu now accepts only a limited number of sparse file entries to avoid unbounded memory usage from maliciously-crafted archives containing many sparse regions. (#3966)

Full Changelog: v1.11.5...v1.11.6