HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Terraform
Terraform Home

Terraform Enterprise 1.2.x

The following table shows Terraform Enterprise releases, deployment methods, and prerequisites. Each version links to detailed release notes, which are also available in the right sidebar.

Plan your upgrade path

Review Select a target version before you schedule downtime. The sequence walks you through compatibility validation, image staging, and rollback planning. Use the Last required release marker, which appears in the release tables on version-specific pages (for example, /terraform/enterprise/releases/1.1.x), to list the mandatory intermediate releases from your current version to the target version, and stage artifacts for every intermediate release in the sequence.

Below is a list of the most recent Terraform Enterprise Releases that can deploy Terraform Enterprise natively in a Kubernetes environment. Learn more about flexible deployment options.

VersionLinked
Terraform CLI**		SentinelTested Kubernetes Versions (EKS, AKS, GKE)Helm Chart Version
1.2.01.14.40.40.01.34, 1.34, 1.331.6.7

* Denotes a required release. All online upgrades will automatically install this version, but airgap customers must upgrade to this version before proceeding to later releases.

** The release package contains this version of the Terraform CLI, but you can install older and newer versions of the Terraform CLI as needed via the Admin UI or API.

Minimum system requirements

The requirements for deploying Terraform Enterprise depend on the version you want to deploy, as well as the environment you plan to operate the software in, such as operating system, runtime, and storage systems. Check the software product compatibility report page for details.

1.2.0

2026-02-11

Last required release: v202406-1 (776)

Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:ee07999aad4f865a71fd556be8eb8362e62a61cdf7dbdb9fd88b7057f2c527e0, arm64/linux sha256:9b0a7b502b17385a8ecd86e4959cb49ffacc915e970d513075af6b7ce8e723da

Known Issues

  1. (Updated 12 Feb 2026) Explorer is GA as of 1.2.0. Explorer is incorrectly identified as a beta feature in the navigation sidebar and page header.

Deprecations

  1. The following Terraform Enterprise admin CLI subcommands are deprecated. HashiCorp plans to remove these commands in the next major release:

  1. The /_health_check endpoint has been replaced with a readiness endpoint /api/v1/health/readiness and a diagnostics endpoint /api/v1/diagnostics. IBM plans to remove the health check endpoint in the next major release.

  2. Removing the 'opa-latest-deprecation' feature flag. This will deprecate the 'latest' tag for the OPA version policy set.

Highlights

  1. Explorer is now generally available for Terraform Enterprise. Run the backfill process to populate the Explorer database. For Terraform Enterprise installations that use external agents, the agents must be based on tfc-agent:1.26 or greater. Otherwise, the Explorer backfill process will fail. For more information about the Explorer and the backfill process, refer to Enable Explorer on Terraform Enterprise. For information about Explorer API endpoints, refer to the API documentation. For information about using Explorer, refer to the workspaces documentation.

  2. Terraform Enterprise now includes the following health check endpoints:

    • /api/v1/health/readiness is a lightweight endpoint for load balancer integration.
    • /api/v1/diagnostics provides detailed component status for faster root cause analysis during troubleshooting. This endpoint requires authentication. You can trigger both endpoints by either calling the API or by running the tfectl app health readiness and tfectl app diagnostics CLI commands.

  3. Terraform actions is now generally available for Terraform Enterprise. Actions introduce a way to codify and automate Day 2 infrastructure operations by triggering third-party tools outside of Terraform. Built directly into Terraform providers, actions provide preset operations that extend Terraform’s automation capabilities for common Day 2 tasks. These actions can be invoked before or after a resource's lifecycle events, such as create or update, or ad hoc via the CLI terraform apply -invoke command. By codifying more Day 2 operations, organizations can reduce operational costs and accelerate delivery by automating previously manual, error-prone tasks. Actions provide two major benefits for Terraform users:

    • Unified Day 2 management: Module authors can define Day 2 infrastructure operations in code alongside the rest of their infrastructure — offering a clear association between Day 2 actions and managed resources — and optionally invoke the operations with lifecycle triggers.
    • Native workflow: By bringing more Day 2 infrastructure operations within Terraform, users can extend its utility by unifying more operations in one control plane. This ensures consistency and brings teams closer to having a single source of truth for all infrastructure.

    With general availability, Terraform Enterprise users can now see actions in run output, either directly invoked or triggered by resource operations. This gives users visibility into all the actions that were triggered by creating or updating resources. Also, if anyone runs terraform apply -invoke directly, it will show up as its own entry in the run output.

  4. You can now discover resources faster using the new Search & Import experience in Terraform Enterprise. With a new query construct and visual results directly in your workspace, it’s easier to explore infrastructure, understand what’s managed, and confidently decide what to import.

Features

  1. Users can now configure Microsoft Exchange SMTP using OAuth 2.0.
  2. Module test runs now support OIDC-based dynamic credentials, eliminating the need for static cloud provider credentials. You can configure OpenID Connect trust relationships with AWS, Azure, GCP, and Vault to generate short-lived, automatically rotating tokens for each test run. Refer to Use dynamic credentials with module testing for configuration details, and the Test Configuration API for programmatic management.

Improvements

  1. User tokens can no longer be used to disable user tokens on an organization, to prevent clients from locking themselves out
  2. Adds a warning message to the email notifications that are sent when a run fails or is cancelled, telling the user that this will prevent health assessments from being made until the problem is fixed.
  3. The organization users page now loads more efficiently when navigating between pages or searching for users. Previously, when viewing users who belonged to many teams, the page could generate excessive API requests that resulted in performance degradation in Terraform Enterprise. This issue was particularly noticeable in organizations with large numbers of teams and users.
  4. Refreshing Explorer for an organization is now faster and has a greatly reduced burden on Sidekiq. Previously, refreshing Explorer had the potential to create a high volume of Sidekiq jobs, which could put pressure on infrastructure and take time to sync.
  5. Fixed tooltip info icons in Add variable modal to meet WCAG 2.1 Level AAA accessibility standards (24x24px minimum interactive area).
  6. Introducing support for more optimised Opa-Wrapper binary(Hashicorp vended).
  7. Workspace overview now shows when the current state version is being processed for the latest resources. It now includes a processing or timeout state instead of always "Current as of most recent state version"
  8. Workspace resources overview now supports very large state files or very large numbers of resources. Users who observed "resources-processed" remaining false on a state version after uploading it due to database timeouts or memory exhaustion should now see this status eventually resolve and workspace resources updated.
  9. Workspace Overview UI now loads faster when a great many outputs are present
  10. Site admins can now filter VCS Events based on event type and even view the list of workspaces affected, which helps customers troubleshoot VCS problems independently

Bug Fixes

  1. Variable sets now maintain proper inheritance during no-code module upgrades. Previously, variables from variable sets were duplicated as workspace variables during upgrades, overriding the inherited values.
  2. Fix bug where API for explorer CSV download returned an error after atlas startup.
  3. Fix bug in explorer filters, the "is empty" and "is not empty" conditions now work properly when the column value is an empty string.
  4. Fixed problem with azure cost-estimation when two or more items have the same SKU prefix, as commonly happens when a new version is available.
  5. Fixed problem with AWS cost-estimation when two or more items are in the same product family; separately fixed logic for macOS instances
  6. No-code workspace version updates now include additional validation steps to prevent stale no-code version upgrade runs from changing the workspace's no-code module version to one that no longer applies. Previously, if a workspace was upgraded by another run or a newer module version was published after the upgrade run was created, applying the stale run could cause the workspace to be updated to an outdated version. Stale no-code version upgrade runs now return a 409 Conflict error with a message explaining why the upgrade cannot be applied.
  7. No-code workspace upgrades now don’t bypass a failed plan before completing the upgrade. Previously, a bug allowed upgrades to proceed even when the plan had failed or was canceled. This has been resolved, and upgrades now return an error if the plan has not completed successfully, preventing the no-code workspace version update.
  8. No-code module versions can no longer be deleted while no-code provisioned workspaces are still using them. Previously, deleting a registry module version could cause linked no-code workspaces to lose their connection to the no-code module, leaving them in a broken state. Attempting to delete a no-code module version with linked workspaces now returns an error, and users must first upgrade or unlink those workspaces.
  9. Customers using S3‑compatible storage that does not support SHA‑256 validation can configure the system to use MD5 validation instead. Support for this fallback depends on the storage provider and may not function in all environments.
  10. the button to Create a team token is now always shown unless the user is impersonating
  11. Update project header icon to use file-text instead of dashboard
  12. Add Terraform brand color to project header IconTile
  13. Organizations in TFE can now correctly set assessments_enforced field during creation, ensuring the values are applied as expected.
  14. Improved the search experience in the Projects list view so the search bar remains fully visible while results load. Previously, the search input could appear clipped as results refreshed. Users can now review and edit their search terms without the input field being cut off.
  15. Users can now clear selections in the Variable Set Scope selector without errors for Global Varsets. Previously, clicking ‘Clear selected’ triggered an undefined error in the console. The selector now resets reliably for a smoother filtering experience.
  16. Fixed inconsistent VCS commit status types by basing passing statuses on workspace policy execution mode, ensuring consistent ‘sentinel’ and ‘policy’ status reporting for both triggered and untriggered runs in version‑managed Terraform execution workspaces.
  17. Remove twice encoding of tags
  18. Fixed pending runs not showing inherited agent pools, ensuring accurate pool resolution across all levels

Security

  1. Security vulnerabilities have been addressed and resolved in this update to enhance overall system protection.
Edit this page on GitHub