v1.4.4

1.4.4 (March 30, 2023)

Due to an incident while migrating build systems for the 1.4.3 release where
CGO_ENABLED=0 was not set, we are rebuilding that version as 1.4.4 with the
flag set. No other changes have been made between 1.4.3 and 1.4.4.

v1.4.3

1.4.3 (March 30, 2023)

BUG FIXES:

• Prevent sensitive values in non-root module outputs from marking the entire output as sensitive [GH-32891]
• Fix the handling of planned data source objects when storing a failed plan [GH-32876]
• Don't fail during plan generation when targeting prevents resources with schema changes from performing a state upgrade [GH-32900]
• Skip planned changes in sensitive marks when the changed attribute is discarded by the provider [GH-32892]

v1.4.2

1.4.2 (March 16, 2023)

BUG FIXES:

• Fix bug in which certain uses of setproduct caused Terraform to crash (#32860)
• Fix bug in which some provider plans were not being calculated correctly, leading to an "invalid plan" error (#32860)

v1.4.1

1.4.1 (March 15, 2023)

BUG FIXES:

• Enables overriding modules that have the depends_on attribute set, while still preventing the depends_on attribute itself from being overridden. (#32796)
• terraform providers mirror: when a dependency lock file is present, mirror the resolved providers versions, not the latest available based on configuration. (#32749)
• Fixed module downloads from S3 URLs when using AWS IAM roles for service accounts (IRSA). (#32700)
• hcl: Fix a crash in Terraform when attempting to apply defaults into an incompatible type. (#32775)
• Prevent panic when creating a plan which errors before the planning process has begun. (#32818)
• Fix the plan renderer skipping the "no changes" messages when there are no-op outputs within the plan. (#32820)
• Prevent panic when rendering null nested primitive values in a state output. (#32840)
• Warn when an invalid path is specified in TF_CLI_CONFIG_FILE (#32846)

v1.4.0

1.4.0 (March 08, 2023)

UPGRADE NOTES:

• config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.

• config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.

• terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

  This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.

• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)

• The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. If you notice any significant differences, or if Terraform fails to plan successfully due to rendering problems, please open a bug report issue.

BUG FIXES:

• The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#31636)
• config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#32151)
• Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#32209)
• Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
• Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
• Fix inconsistent behaviour in empty vs null collections. (#32178)
• terraform workspace now returns a non-zero exit when given an invalid argument (#31318)
• Terraform would always plan changes when using a nested set attribute (#32536)
• Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#32551)
• A new methodology for planning set elements can now better detect optional+computed changes within sets (#32563)
• Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#32451)

ENHANCEMENTS:

• terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#32395)
• terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#31757)
• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
• Interactive input for sensitive variables is now masked in the UI (#29520)
• A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#31633)
• A new command was added for exporting Terraform function signatures in machine-readable format: terraform metadata functions -json (#32487)
• The "Failed to install provider" error message now includes the reason a provider could not be installed. (#31898)
• backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#24967)
• backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#28856)
• backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#32065)
• backend/gcs: Update storage package to v1.28.0 (#29656)
• When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#31949)
• backend/oss: More robustly handle endpoint retrieval error (#32295)
• local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#32116)
• backend/http: Add support for mTLS authentication. (#31699)
• cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
• terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#32629)
• backend/gcs: Added support for GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT env var to allow impersonating a different service account when GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is configured for the GCP provider. (#32557)
• backend/cos: Add support for the assume_role authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.
• backend/cos: Add support for the security_token authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.

EXPERIMENTS:

• Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

  From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

v1.4.0-rc1

1.4.0 (Unreleased)

UPGRADE NOTES:

• config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.

• config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.

• terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

  This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.

• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)

• The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. If you notice any significant differences, or if Terraform fails to plan successfully due to rendering problems, please open a bug report issue.

BUG FIXES:

• The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#31636)
• config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#32151)
• Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#32209)
• Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
• Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
• Fix inconsistent behaviour in empty vs null collections. (#32178)
• terraform workspace now returns a non-zero exit when given an invalid argument (#31318)
• Terraform would always plan changes when using a nested set attribute (#32536)
• Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#32551)
• A new methodology for planning set elements can now better detect optional+computed changes within sets (#32563)
• Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#32451)

ENHANCEMENTS:

• terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#32395)
• terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#31757)
• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
• Interactive input for sensitive variables is now masked in the UI (#29520)
• A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#31633)
• A new command was added for exporting Terraform function signatures in machine-readable format: terraform metadata functions -json (#32487)
• The "Failed to install provider" error message now includes the reason a provider could not be installed. (#31898)
• backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#24967)
• backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#28856)
• backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#32065)
• backend/gcs: Update storage package to v1.28.0 (#29656)
• When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#31949)
• backend/oss: More robustly handle endpoint retrieval error (#32295)
• local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#32116)
• backend/http: Add support for mTLS authentication. (#31699)
• cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
• terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#32629)
• backend/gcs: Added support for GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT env var to allow impersonating a different service account when GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is configured for the GCP provider. (#32557)
• backend/cos: Add support for the assume_role authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.
• backend/cos: Add support for the security_token authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.

EXPERIMENTS:

• Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

  From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

v1.4.0-beta2

1.4.0 (Unreleased)

UPGRADE NOTES:

• config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.

• config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.

• terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

  This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.

• The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. Users are encouraged to file reports if they notice material differences, or encounter any bugs or panics during their normal execution of Terraform.

  The diff computation and the rendering are now split into separate packages, while previously the rendering was handled as the diff was computed. Going forward, making small changes to the format of the plan will be easier and introducing new types of renderer will be simplified.

BUG FIXES:

• The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#31636)
• config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#32151)
• Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#32209)
• Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
• Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
• Fix inconsistent behaviour in empty vs null collections. (#32178)
• terraform workspace now returns a non-zero exit when given an invalid argument (#31318)
• Terraform would always plan changes when using a nested set attribute (#32536)
• Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#32551)
• A new methodology for planning set elements can now better detect optional+computed changes within sets (#32563)
• Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#32451)

ENHANCEMENTS:

• terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#32395)
• terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#31757)
• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
• Interactive input for sensitive variables is now masked in the UI (#29520)
• A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#31633)
• A new command was added for exporting Terraform function signatures in machine-readable format: terraform metadata functions -json (#32487)
• The "Failed to install provider" error message now includes the reason a provider could not be installed. (#31898)
• backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#24967)
• backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#28856)
• backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#32065)
• backend/gcs: Update storage package to v1.28.0 (#29656)
• When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#31949)
• backend/oss: More robustly handle endpoint retrieval error (#32295)
• local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#32116)
• backend/http: Add support for mTLS authentication. (#31699)
• cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
• terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#32629)
• backend/gcs: Added support for GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT env var to allow impersonating a different service account when GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is configured for the GCP provider. (#32557)
• backend/cos: Add support for the assume_role authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.
• backend/cos: Add support for the security_token authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.

EXPERIMENTS:

• Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

  From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

v1.3.9

1.3.9 (February 15, 2023)

BUG FIXES:

• Fix crash when planning to remove already-deposed resource instances. (#32663)

v1.4.0-beta1

1.4.0 (Unreleased)

UPGRADE NOTES:

• config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.

• config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.

• terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

  This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.

• The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. Users are encouraged to file reports if they notice material differences, or encounter any bugs or panics during their normal execution of Terraform.

  The diff computation and the rendering are now split into separate packages, while previously the rendering was handled as the diff was computed. Going forward, making small changes to the format of the plan will be easier and introducing new types of renderer will be simplified.

BUG FIXES:

• The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#31636)
• config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#32151)
• Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#32209)
• Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#32178)
• Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#32178)
• Fix inconsistent behaviour in empty vs null collections. (#32178)
• terraform workspace now returns a non-zero exit when given an invalid argument (#31318)
• Terraform would always plan changes when using a nested set attribute (#32536)
• Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#32551)
• A new methodology for planning set elements can now better detect optional+computed changes within sets (#32563)
• Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#32451)

ENHANCEMENTS:

• terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#32395)
• terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#31757)
• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#32129)
• Interactive input for sensitive variables is now masked in the UI (#29520)
• A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#31633)
• The "Failed to install provider" error message now includes the reason a provider could not be installed. (#31898)
• backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#24967)
• backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#28856)
• backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#32065)
• backed/gcs: Update storage package to v1.28.0 (#29656)
• When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#31949)
• backend/oss: More robustly handle endpoint retrieval error (#32295)
• local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#32116)
• backend/http: Add support for mTLS authentication. (#31699)
• cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
• terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#32629)

EXPERIMENTS:

• Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

  From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

v1.3.8

1.3.8 (February 09, 2023)

BUG FIXES:

• Fixed a rare bug causing inaccurate before_sensitive / after_sensitive annotations in JSON plan output for deeply nested structures. This was only observed in the wild on the rancher/rancher2 provider, and resulted in glitched display in Terraform Cloud's structured plan log view. (#32543)
• A variable only referenced by an output precondition error_message may be missing during evaluation (#32464)
• Removing a NestingSingle block from configuration results in an invalid plan (#32463)
• Null module outputs could be dropped, causing evaluation errors when referring to those module attributes (#32583)
• Fix terraform crash when applying defaults into a collection with dynamic type constraint. (#32454)
• Updated to newer github.com/mitchellh/cli version, in turn bringing in updates for several indirect dependencies with known security issues. (#32609)
• Fix case where the first plan to use a new remote state could be applied twice, corrupting the state (#32614)