Terraform Enterprise 2.0.x
The following table shows Terraform Enterprise releases, deployment methods, and prerequisites. Each version links to detailed release notes, which are also available in the right sidebar.
Below is a list of the most recent Terraform Enterprise Releases that can deploy Terraform Enterprise natively in a Kubernetes environment. Learn more about flexible deployment options.
* Denotes a required release. All online upgrades will automatically install this version, but airgap customers must upgrade to this version before proceeding to later releases.
** The release package contains this version of the Terraform CLI, but you can install older and newer versions of the Terraform CLI as needed via the Admin UI or API.
Minimum system requirements
The requirements for deploying Terraform Enterprise depend on the version you want to deploy, as well as the environment you plan to operate the software in, such as operating system, runtime, and storage systems. Check the software product compatibility report page for details.
2.0.0
2026-04-21
Last required release: v202406-1 (776)
Flexible Deployment Options terraform-enterprise container digest: amd64/linux sha256:cbd4a3537e9a0680204489abdc87f0ca7fb41f79986812a0cc57dbcb0ab7b26d, arm64/linux sha256:9f76a54799c23a5213ac9ef48cbc94baf9104bf704557955f30e0f49c07a3ee9
Known Issues
- Terraform Stacks runs fail on Terraform Enterprise instances deployed on Kubernetes or OpenShift due to an invalid job label generated by the task worker. This issue will be fixed in version 2.0.1.
Breaking Changes
- Terraform Enterprise now enforces a set of safety checks during the upgrade process. Previously, Terraform Enterprise would allow any upgrade, even while other nodes were active. Startup checks now fail if any node on a non-compatible version ran in the last 10 seconds. You can still take downtime to upgrade as long as nodes have been shut off for 10 seconds, but upgrading without downtime is now restricted on non-compatible versions.
- The /_health_check endpoint, which was deprecated in 1.2.0, is no longer available and will now return an HTTP 410 status. Use the readiness endpoint at /api/v1/health/readiness instead.
Deprecations
- tfectl database commands, which were deprecated in 1.2.0, are no longer supported and have been removed.
- Underlying processes are no longer managed by supervisord. As a result, supervisorctl commands have been removed and are no longer supported.
Highlights
- Terraform Enterprise now supports Stacks, which is an infrastructure orchestration capability that allows you to manage multiple nested modules and environments as a single unit. Stacks let you define complex, multi-tier infrastructure deployments, including cross-region and multi-account setups, with automated dependency management and streamlined configuration. This release simplifies the management of large-scale environments, ensuring consistent deployments, and reducing the operational overhead of coordinating related infrastructure components. Stacks are available when using a pricing model based on resources under management (RUM).
- Terraform Enterprise now supports SCIM 2.0, which is a standard for automating user provisioning and management, including team membership management and user de-provisioning, directly from your identity provider (IdP). Terraform Enterprise administrators can now map IdP groups to Terraform Enterprise teams, which eliminates manual user management and significantly enhances security, compliance, and operational efficiency for large enterprises. This release supports Okta and Azure Entra ID.
- Administrators can now perform on-demand health checks and diagnostics directly within the admin console user interface. This release provides Terraform Enterprise administrators with a human-readable output of health status and detailed component diagnostics, which can be collected from all nodes or a selection of nodes and easily copied for support tickets, significantly improving troubleshooting efficiency.
- You can now run pre-upgrade checks from the command line to significantly improve upgrade planning. This feature allows Terraform Enterprise administrators to proactively identify compatibility issues before starting the upgrade process, streamlining planning and reducing risk. The checks take a fail-fast approach by immediately providing underlying error messages for any issues detected.
- Terraform Enterprise officially supports PostgreSQL 18 databases.
- You can now use a Site Auditor user token to query Terraform Enterprise resources through the API with broad read-only access across the site. The Site Auditor role is designed for auditing and security workflows, giving teams visibility into organizations, workspaces, runs, policy sets, and related resources while blocking access to sensitive data such as state files. This helps customers automate auditing workflows with a lower-privileged user token, and also includes read-only UI visibility.
- You can now delegate policy override management more precisely in Terraform Enterprise. Organization managers can grant the Delegate policy override permission so teams can override failed Soft mandatory policy checks only for the projects and workspaces they manage. This helps customers avoid broader organization-wide access while supporting policy override workflows where they are needed.
- Terraform Enterprise now supports a maximum token time to live (TTL) policy for organization, team, and user API tokens. Organization owners can configure the policy so that tokens with a TTL greater than the maximum TTL can no longer be used for API calls.
- You can no longer create non-expiring tokens on Terraform Enterprise. Existing tokens without expiration dates still function, but all tokens created after upgrading to this version will have an expiration date. If no expiration date is provided during token creation, it will default to 24 months from the time of creation.
- You can now define policy update patterns to ensure your VCS-backed policy sets automatically update only when relevant repository files are modified.
- Terraform Enterprise now features a first-class, API-driven workspace migration capability that lets you move workspaces between organizations without losing run history, state, tags and policy set associations. This enhancement promotes consistent infrastructure management and compliance across large-scale deployments by replacing fragile manual processes with a robust, scalable solution.
- The IBM Support platform now handles support for Terraform Enterprise. Links to support in the UI reflect this change.
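A token inventory for the two API token items in the Highlights list above, as an added example that is not part of the release notes or the product's own code: it classifies tokens so that non-expiring tokens and tokens a maximum TTL policy would reject are known before the policy is enabled. Assumptions: the token listing is JSON:API with created-at and expired-at attributes, TTL is measured from creation to expiry, and the token ids, dates and the 180-day limit are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in JSON:API shape. The "created-at" / "expired-at"
# attribute names are assumptions about the token listing being audited.
SAMPLE = json.dumps({"data": [
    {"id": "at-constructed1", "attributes": {"description": "ci-pipeline",
        "created-at": "2026-01-10T00:00:00Z", "expired-at": "2026-06-10T00:00:00Z"}},
    {"id": "at-constructed2", "attributes": {"description": "legacy-deploy",
        "created-at": "2023-03-01T00:00:00Z", "expired-at": None}},
    {"id": "at-constructed3", "attributes": {"description": "default-24-months",
        "created-at": "2026-04-22T00:00:00Z", "expired-at": "2028-04-22T00:00:00Z"}},
    {"id": "at-constructed4", "attributes": {"description": "old-temp",
        "created-at": "2026-01-01T00:00:00Z", "expired-at": "2026-02-01T00:00:00Z"}},
    {"id": "at-constructed5", "attributes": {"description": "exactly-at-limit",
        "created-at": "2026-04-01T00:00:00.000Z", "expired-at": "2026-09-28T00:00:00.000Z"}},
]})


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_tokens(raw_json, max_ttl, now):
    """Return {token id: status} for every token in a JSON:API listing."""
    report = {}
    for item in json.loads(raw_json)["data"]:
        attrs = item["attributes"]
        created = parse_ts(attrs["created-at"])
        expires = attrs.get("expired-at")
        if expires is None:
            status = "no-expiry"          # created before the upgrade: rotate it
        elif parse_ts(expires) <= now:
            status = "expired"
        elif parse_ts(expires) - created > max_ttl:
            status = "exceeds-max-ttl"    # TTL greater than the policy maximum
        else:
            status = "ok"                 # a TTL equal to the maximum still passes
        report[item["id"]] = status
    return report


if __name__ == "__main__":
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)
    for token_id, status in audit_tokens(SAMPLE, timedelta(days=180), now).items():
        print(f"{token_id}\t{status}")
```

Tokens reported as no-expiry or exceeds-max-ttl are the ones to reissue with a shorter lifetime before automation that depends on them starts failing.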
Features
- You can now view a summary of the variables configured for dynamic credentials on a workspace's Variables page.
- You can now manage IP allowlists from the UI.
- Terraform Enterprise now supports GitHub Enterprise Cloud (GHE.com) for GitHub App.
Improvements
- A more descriptive empty state is now shown when a project contains no workspaces.
- In Explorer, when sorting numeric fields in descending order, NULL values are placed after non-NULL values.
- Large Explorer datasets are faster to query. Previously, Explorer types with a very large number of records could experience compounded loading times when generating the page count.
- Health assessments run more quickly due to improved internal caching.
- Admin list views for the Users, Organizations, and Workspaces pages now use Helios-based pagination.
- Users can now confirm select modal actions by typing a confirmation keyword rather than the resource name.
- Heartbeats from Terraform Enterprise nodes now store the Terraform Enterprise version of the node. The heartbeat time also uses the database time for consistent time in active-active mode.
- Query runs using dynamic credentials now use the configuration specified for Terraform plans.
- Terraform Enterprise can now dump detailed debugging information when communicating with S3-compatible backend storage offerings. This is useful for debugging connectivity to storage solutions whose behavior does not align with AWS S3.
- Terraform Enterprise now establishes a heartbeat entry for each node every second. Previously, Terraform Enterprise established heartbeats in 10-second intervals. This improves reliability and responsiveness in logic that requires coordination among Terraform Enterprise nodes.
- Terraform Enterprise now validates your TLS certificate, private key, CA bundle, and certificate chain at startup, surfacing clear error messages when a misconfiguration is detected before the server begins serving traffic.
- Terraform Actions invocation page now includes an Invoke button that creates a new run with the action address and navigates to the run details page.
- The Action Invocations page now shows who initiated each invocation directly in a new Invoked by column. The entry includes the user avatar and display name. This improves traceability and helps users understand invocation context without leaving the page.
- The Terraform Actions page now shows a Last Invoked column with relative time linked to the triggering run.
- The Actions table now includes the Last Invocation Method column.
- You can now search action name, provider, and last invocation method in workspaces. This helps you find the right action faster in workspaces with larger action lists.
Bug Fixes
- Previously, Terraform Enterprise installations that used localterraform.com as their registry URL wouldn't record modules and providers, which prevented Explorer from collecting data about them. Terraform Enterprise now creates records in these cases.
- Removed manage tags button for users that don't have write access.
- Fixes duplicate and missing members when paginating organization memberships for invited users with null usernames.
- Users with project level maintain or workspace-create access can no longer modify the organization level data retention policy.
- Previously, policy set parameters allowed any character in the key field, which is not supported by Sentinel parameters. This change adds validation for Sentinel key parameters as per the language specification.
- Fixed a bug where multiple workspace resources co-exist with the same address, which can be caused by state upload race conditions.
- Fixes errors when a workspace's execution mode is changed while runs are queued.
- Fixed a bug where the project default execution mode was ignored when creating a workspace from a no-code module.
- Terraform Enterprise now directs you to the correct setup step when switching from CLI to VCS during new workspace creation, even after entering a workspace name first.
- In Explorer page filters, the is empty and is not empty filters now work as expected when the column is numeric.
- You can paginate organization membership results, including invited users, without duplicate or missing entries. Previously, invited members could be omitted or repeated across pages in some responses.
- The GitHub App token cards now use consistent text sizes for badges and links in Account Settings > Tokens.
- Fixed projects API endpoint to consistently return workspace-count: 0 for projects with no active workspaces, resolving inconsistent API responses when filtering by project name.
- Fixed N+1 query performance issue when viewing admin user details page with organization-recovery-admin feature flag enabled.
- Fixed breadcrumb formatting on organization settings pages to use colon-separated format per platform guidelines.
- Atlas configured to use Redis Sentinel without mTLS now correctly connects to Redis when necessary. Previously, Redis connections would fail due to a misconfiguration introduced in v1.1.0, but only when using Redis Sentinel without an mTLS certificate.
- Terraform Enterprise now reports configuration errors as proper errors. Previously, the platform reported some configuration errors as panic errors.
- Fixed a bug where non-reordered lists were incorrectly classified as reordered lists. The Structured Run Output plan view now matches the Terraform CLI plan view for non-reordered list items.
Security
- Git-based operations now include additional validation controls for repository URLs and paths, helping enforce safer defaults for Git integrations.