Terraform
Terraform Enterprise 2.0.x
The following table shows Terraform Enterprise releases, deployment methods, and prerequisites. Each version links to detailed release notes, which are also available in the right sidebar.
Below is a list of the most recent Terraform Enterprise Releases that can deploy Terraform Enterprise natively in a Kubernetes environment. Learn more about flexible deployment options.
* Denotes a required release. All online upgrades will automatically install this version, but airgap customers must upgrade to this version before proceeding to later releases.
** The release package contains this version of the Terraform CLI, but you can install older and newer versions of the Terraform CLI as needed via the Admin UI or API.
Minimum system requirements
The requirements for deploying Terraform Enterprise depend on the version you want to deploy, as well as the environment you plan to operate the software in, such as operating system, runtime, and storage systems. Check the software product compatibility report page for details.
2.0.3
2026-06-03
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:c5bf5e7ef7949f5e32b306f0df0f208002ab24894c4ae6bfbc1f79854d07774f, arm64/linux sha256:4b0295ffec1000051fb42286dbd6971e2b910c56e19233cc36c2f5ec2e7f7a53
Bug Fixes
- Readiness checks now behave correctly when a node is draining. In previous releases, readiness checks returned an HTTP 503 status during node drain, which could cause load balancers in some non‑Kubernetes environments to remove draining nodes from service unintentionally. This issue has been resolved, and readiness checks now return a successful HTTP 200 response while indicating the draining state so nodes are handled appropriately during upgrades.
- Terraform Enterprise now supports PostgreSQL extensions installed in non-default schemas. Previously, Terraform Enterprise could fail to start or operate correctly in environments where PostgreSQL extensions are installed in database-managed schemas, leading to initialization errors. This release introduces a new configuration option (`TFE_DATABASE_EXTRA_SCHEMAS`) that lets you include additional schemas in the connection `search_path`, enabling compatibility with PostgreSQL environments that restrict default permissions.
- Terraform Enterprise now supports deployments with pre-provisioned PostgreSQL schemas without requiring database-level `CREATE` permissions. Previously, startup checks required database-level `CREATE` privileges even when all required Terraform Enterprise schemas already existed, which could prevent deployments in DBA-managed PostgreSQL environments. This update improves the validation logic to check for existing schemas and verify appropriate permissions at the schema level, allowing Terraform Enterprise to start successfully in these environments.
- Terraform Enterprise now handles deployments with long or complex hostnames reliably. Previously, Terraform Enterprise could fail to start in environments with long hostnames due to Nginx limitations when building the server names hash. This issue has been resolved by increasing the supported hash bucket size, preventing startup failures.
- You can now allow Terraform Enterprise to start even if expired certificates are present in the CA bundle. Previously, Terraform Enterprise failed to start if any expired certificates were detected in the CA certificate bundle, which could delay restarts in environments where certificate management is handled externally. This release introduces the `TFE_STARTUP_CHECKS_IGNORE_FAILURES` configuration option, allowing you to treat these checks as warnings instead of blocking startup. Refer to Tolerating startup check failures for more information.
- Explorer now includes remote modules, such as those sourced from GitHub. Previously, modules sourced directly from version control were not shown in Explorer, limiting visibility into module usage across your organization. This update ensures non‑registry modules are included, giving you a more complete view of the modules used in your Terraform Enterprise deployment.
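A DBA-side pre-check for the two PostgreSQL fixes above, as an added example that is not Terraform Enterprise's own startup check: it separates database-level `CREATE` from schema-level privileges and shows which schema each extension is installed in. The schema names `tfe_schema_a` and `tfe_schema_b` are placeholders, because this page does not list the schemas Terraform Enterprise requires.

```sql
-- Added example; run while connected as the role Terraform Enterprise uses.
-- 'tfe_schema_a' / 'tfe_schema_b' are placeholders for the schemas your DBA
-- pre-provisioned; the release notes do not name them.

-- 1. Database-level CREATE. Per the release note, this is no longer required
--    when every needed schema already exists.
SELECT current_user       AS role_name,
       current_database() AS database_name,
       has_database_privilege(current_user, current_database(), 'CREATE')
                          AS has_db_create;

-- 2. Schema-level view: does each expected schema exist, and what can the
--    role do inside it? NULL privileges mean the schema is missing.
SELECT want.name                 AS schema_name,
       n.oid IS NOT NULL         AS schema_exists,
       CASE WHEN n.oid IS NOT NULL
            THEN has_schema_privilege(current_user, n.oid, 'USAGE')
       END                       AS can_use,
       CASE WHEN n.oid IS NOT NULL
            THEN has_schema_privilege(current_user, n.oid, 'CREATE')
       END                       AS can_create
FROM (VALUES ('tfe_schema_a'), ('tfe_schema_b')) AS want(name)
LEFT JOIN pg_namespace AS n ON n.nspname = want.name
ORDER BY want.name;

-- 3. Where each extension lives. An extension whose schema is not on the
--    session search_path is the situation TFE_DATABASE_EXTRA_SCHEMAS is
--    described as addressing.
SELECT e.extname                                   AS extension_name,
       n.nspname                                   AS installed_in,
       n.nspname = ANY (current_schemas(true))     AS on_search_path,
       has_schema_privilege(current_user, n.oid, 'USAGE')
                                                   AS can_use
FROM pg_extension AS e
JOIN pg_namespace AS n ON n.oid = e.extnamespace
ORDER BY e.extname;
```

A role that shows `has_db_create = false` but `can_use` and `can_create` true on every pre-provisioned schema matches the least-privilege setup the second fix describes.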
Security
- Security vulnerabilities have been addressed and resolved in this update to enhance overall system protection.
2.0.2
2026-05-15
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:7566f27c16a5632818b4d368bbe4231196a91f635375bb4fa2bb9fa09e6d7c98, arm64/linux sha256:0fcfb815974fbeda95d5b3b2b02fd690d55c880152da2275c09c30b2882dd000
Known Issues
- When a Terraform Enterprise node enters a draining state, readiness checks return an HTTP 503 status. In some non‑Kubernetes cloud environments, checks for load balancers may interpret this as an unhealthy node and remove it from service, even though the node is intentionally draining and not accepting new requests. When draining nodes in your Terraform Enterprise installation, consider disabling readiness checks and instead use host-level health signals. For example, you can enable Auto Scaling Group instance checks in AWS, disable auto-repair in AWS, or disable auto-healing policies in GCP. This issue does not affect Terraform Enterprise deployments on Kubernetes or OpenShift.
Bug Fixes
- Policy evaluations could fail to complete in some cases, particularly in workspaces with a large number of configured policies, causing runs to remain in progress. This issue has been resolved, and policy checks now execute and complete as expected. If you applied the workaround described in the support knowledge base article (https://www.ibm.com/support/pages/node/7272682), you can re‑enable policy checks and evaluations in your workspaces.
- Product usage reports were not created successfully, which prevented usage reports from receiving up‑to‑date data. This issue has been resolved.
- The Diagnostics API returned an HTTP 503 status for the task worker due to insufficient Kubernetes API permissions required by the diagnostics check. This resulted in a false unhealthy status being shown in Terraform Enterprise. This issue has been resolved, and the Diagnostics API now reflects the actual availability of the task worker.
- Explorer now includes remote (non-registry) modules, such as those sourced from GitHub.
2.0.1
2026-04-28
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:a5f64d59557b270f4f39188fab9a2cac3750333dfd959df0f3fa4890740cf649, arm64/linux sha256:058a866c1c8b241350ac605f1628be6d9ffe1bafd1b42ff1e313a6d5ad5cef51
Known Issues
- (Updated 5/15/2026) In Terraform Enterprise 2.0.1, policy evaluations may not complete, resulting in stuck runs. This issue primarily affects workspaces with a large number of policies. Refer to our support knowledge base article for additional details and guidance. This issue is solved in Terraform Enterprise 2.0.2.
- When a Terraform Enterprise node enters a draining state, readiness checks return an HTTP 503 status. In some non‑Kubernetes cloud environments, checks for load balancers may interpret this as an unhealthy node and remove it from service, even though the node is intentionally draining and not accepting new requests. When draining nodes in your Terraform Enterprise installation, consider disabling readiness checks and instead use host-level health signals. For example, you can enable Auto Scaling Group instance checks in AWS, disable auto-repair in AWS, or disable auto-healing policies in GCP. This issue does not affect Terraform Enterprise deployments on Kubernetes or OpenShift.
- (Updated 5/6/2026) When Terraform Enterprise attempts to create a product usage report, it will fail with a Bad Request error. This issue prevents product usage reports from being generated. Failure logs are observable for terraform-enterprise and atlas, but they will not impact other application functionality. This issue impacts Terraform Enterprise 2.0.0 and 2.0.1 and will be fixed in 2.0.2.
- (Updated 5/7/2026) The Diagnostics API may report the task worker as unhealthy with an HTTP 503 status on Kubernetes and OpenShift deployments. This is a false positive caused by the diagnostics check requiring cluster-level Kubernetes API permissions that are not typically granted in these environments. The standard Terraform Enterprise Helm chart does not grant these permissions. This error status does not reflect actual task worker availability, and Terraform runs and readiness health checks are not affected.
Bug Fixes
- Terraform Stacks runs now complete successfully on Kubernetes and OpenShift deployments. In Terraform Enterprise 2.0.0, Terraform Stacks runs would fail when Terraform Enterprise was deployed on Kubernetes or OpenShift.
- When database monitoring was enabled, the database connection would terminate after a restart in some Terraform Enterprise components, mainly the operator admin UI/API. These components now refresh correctly when a DB monitor triggers a restart.
- The Terraform Enterprise task worker check now correctly returns a DRAINING status instead of ERROR during a node drain.
2.0.0
2026-04-21
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:80802683e65385fce80dd3e1ec6d992888773f2d6549b185fe2d357a5bc55d51, arm64/linux sha256:ae52dab862eef58b0f4182da736ceac9809bd30e44f5d2b1f1c960058f29bdf6
Known Issues
- (Updated 5/15/2026) In Terraform Enterprise 2.0.0, policy evaluations may not complete, resulting in stuck runs. This issue primarily affects workspaces with a large number of policies. Refer to our support knowledge base article for additional details and guidance. This issue is solved in Terraform Enterprise 2.0.2.
- Terraform Stacks runs fail on Terraform Enterprise instances deployed on Kubernetes or OpenShift due to an invalid job label generated by the task worker. This issue will be fixed in version 2.0.1.
- (Updated 4/27/2026) When Terraform Enterprise (TFE) is configured with Database Monitoring enabled and a database recovery is triggered, the Admin API can no longer connect to the database afterwards. This leads to errors in the TFE Admin UI. The current workaround is to restart the Terraform Enterprise application. This issue will be fixed in 2.0.1.
- (Updated 5/6/2026) When Terraform Enterprise attempts to create a product usage report, it will fail with a Bad Request error. This issue prevents product usage reports from being generated. Failure logs are observable for terraform-enterprise and atlas, but they will not impact other application functionality. This issue impacts Terraform Enterprise 2.0.0 and 2.0.1 and will be fixed in 2.0.2.
- (Updated 5/7/2026) The Diagnostics API may report the task worker as unhealthy with an HTTP 503 status on Kubernetes and OpenShift deployments. This is a false positive caused by the diagnostics check requiring cluster-level Kubernetes API permissions that are not typically granted in these environments. The standard Terraform Enterprise Helm chart does not grant these permissions. This error status does not reflect actual task worker availability, and Terraform runs and readiness health checks are not affected.
Breaking Changes
- Terraform Enterprise now enforces a set of safety checks during the upgrade process. Previously, Terraform Enterprise would allow any upgrade, even while other nodes were active. Startup checks now fail if any node on a non-compatible version ran in the last 10 seconds. You can still take downtime to upgrade as long as nodes have been shut off for 10 seconds, but upgrading without downtime is now restricted on non-compatible versions.
- The `/_health_check` endpoint, which was deprecated in 1.2.0, is no longer available and will now return an HTTP `410` status. Use the readiness endpoint at `/api/v1/health/readiness` instead.
Deprecations
- `tfectl` database commands, which were deprecated in 1.2.0, are no longer supported and have been removed.
- Underlying processes are no longer managed by supervisord. As a result, `supervisorctl` commands have been removed and are no longer supported.
- Redis 6.2 and 6.4 have reached vendor end-of-life and are deprecated. Redis 6.x support will be removed in 2.1.0.
Highlights
- Terraform Enterprise now supports Stacks, which is an infrastructure orchestration capability that allows you to manage multiple nested modules and environments as a single unit. Stacks let you define complex, multi-tier infrastructure deployments, including cross-region and multi-account setups, with automated dependency management and streamlined configuration. This release simplifies the management of large-scale environments, ensuring consistent deployments, and reducing the operational overhead of coordinating related infrastructure components. Stacks are available when using a pricing model based on resources under management (RUM). Refer to this announcement for additional details.
- Terraform Enterprise now supports SCIM 2.0, which is a standard for automating user provisioning and management, including team membership management and user de-provisioning, directly from your identity provider (IdP). Terraform Enterprise administrators can now map IdP groups to Terraform Enterprise teams, which eliminates manual user management and significantly enhances security, compliance, and operational efficiency for large enterprises. This release supports Okta and Azure Entra ID.
- Administrators can now perform on-demand health checks and diagnostics directly within the admin console user interface. This release provides Terraform Enterprise administrators with a human-readable output of health status and detailed component diagnostics, which can be collected from all nodes or a selection of nodes and easily copied for support tickets, significantly improving troubleshooting efficiency.
- You can now run pre-upgrade checks from the command line to significantly improve upgrade planning. This feature allows Terraform Enterprise administrators to proactively identify compatibility issues before starting the upgrade process, streamlining planning and reducing risk. The checks ensure a fail fast approach by immediately providing underlying error messages for any issues detected.
- Terraform Enterprise officially supports PostgreSQL 18 databases.
- You can now use a Site Auditor user token to query Terraform Enterprise resources through the API with broad read-only access across the site. The Site Auditor role is designed for auditing and security workflows, giving teams visibility into organizations, workspaces, runs, policy sets, and related resources while blocking access to sensitive data such as state files. This helps customers automate auditing workflows with a lower-privileged user token, and also includes read-only UI visibility.
- You can now delegate policy override management more precisely in Terraform Enterprise. Organization managers can grant the Delegate policy override permission so teams can override failed Soft mandatory policy checks only for the projects and workspaces they manage. This helps customers avoid broader organization-wide access while supporting policy override workflows where they are needed.
- Terraform Enterprise now supports a maximum token time to live (TTL) policy for organization, team, and user API tokens. Organization owners can configure the policy so that tokens with a TTL greater than the maximum TTL can no longer be used for API calls.
- You can no longer create non-expiring tokens on Terraform Enterprise. Existing tokens without expiration dates still function, but all tokens created after upgrading to this version will have an expiration date. If no expiration date is provided during token creation, it will default to 24 months from the time of creation.
- You can now define policy update patterns to ensure your VCS-backed policy sets automatically update only when relevant repository files are modified.
- Terraform Enterprise now features a first-class, API-driven workspace migration capability that lets you move workspaces between organizations without losing run history, state, tags and policy set associations. This enhancement promotes consistent infrastructure management and compliance across large-scale deployments by replacing fragile manual processes with a robust, scalable solution.
- The IBM Support platform now handles support for Terraform Enterprise. Links to support in the UI reflect this change.
Features
- You can now view a summary of the variables configured for dynamic credentials on a workspace's Variables page.
- You can now manage IP allowlists from the UI.
- Terraform Enterprise now supports GitHub Enterprise Cloud (GHE.com) for GitHub App.
Improvements
- A more descriptive empty state is now shown when a project contains no workspaces.
- In Explorer, when sorting numeric fields in descending order, `NULL` values are placed after non-`NULL` values.
- Large Explorer datasets are faster to query. Previously, Explorer types with a very large number of records could experience compounded loading times when generating the page count.
- Health assessments run more quickly due to improved internal caching.
- Admin list views for the Users, Organizations, and Workspaces pages now use Helios-based pagination.
- Users can now confirm select modal actions by typing a confirmation keyword rather than the resource name.
- Heartbeats from Terraform Enterprise nodes now store the Terraform Enterprise version of the node. The heartbeat time also uses the database time for consistent time in `active-active` mode.
- Query runs using dynamic credentials now use the configuration specified for Terraform plans.
- Terraform Enterprise can now dump detailed debugging information when communicating with S3-compatible backend storage offerings. This is useful for debugging connectivity to storage solutions whose behavior does not align with AWS S3.
- Terraform Enterprise now establishes a heartbeat entry for each node every second. Previously, Terraform Enterprise established heartbeats in 10-second intervals. This improves reliability and responsiveness in logic that requires coordination among Terraform Enterprise nodes.
Bug Fixes
- Previously, Terraform Enterprise installations that used `localterraform.com` as their registry URL wouldn't record modules and providers, which prevented Explorer from collecting data about them. Terraform Enterprise now creates records in these cases.
- Removed manage tags button for users that don't have write access.
- Fixes duplicate and missing members when paginating organization memberships for invited users with null usernames.
- Users with project level maintain or workspace-create access can no longer modify the organization level data retention policy.
- Previously, policy set parameters allowed any character in the key field, which is not supported by Sentinel parameters. This change adds validation for Sentinel key parameters as per the language specification.
- Fixed a bug where multiple workspace resources co-exist with the same address, which can be caused by state upload race conditions.
- Fixes errors when a workspace's execution mode is changed while runs are queued.
- Fixed a bug where the project default execution mode was ignored when creating a workspace from a `no-code` module.
- Terraform Enterprise now directs you to the correct setup step when switching from CLI to VCS during new workspace creation, even after entering a workspace name first.
- In Explorer page filters, the is empty and is not empty filters now work as expected when the column is numeric.
- You can paginate organization membership results, including invited users, without duplicate or missing entries. Previously, invited members could be omitted or repeated across pages in some responses.
- The GitHub App token cards now use consistent text sizes for badges and links in Account Settings > Tokens.
- Fixed projects API endpoint to consistently return `workspace-count: 0` for projects with no active workspaces, resolving inconsistent API responses when filtering by project name.
- Fixed N+1 query performance issue when viewing admin user details page with organization-recovery-admin feature flag enabled.
- Fixed breadcrumb formatting on organization settings pages to use colon-separated format per platform guidelines.
- Atlas configured to use Redis Sentinel without mTLS now correctly connects to Redis when necessary. Previously, Redis connections would fail due to a misconfiguration introduced in v1.1.0, but only when using Redis Sentinel without an mTLS certificate.
- Terraform Enterprise now reports configuration errors as proper errors. Previously, the platform reported some configuration errors as panic errors.
- Fixed a bug where non-reordered lists were incorrectly classified as reordered lists. The Structured Run Output plan view now matches the Terraform CLI plan view for non-reordered list items.
- [Updated: April 30, 2026] You can now fully remove no-code modules from the Private Registry even if they previously provisioned workspaces.
Security
- Git-based operations now include additional validation controls for repository URLs and paths, helping enforce safer defaults for Git integrations.