weekly.tf #18 - Terraform 0.13, AWS provider 3.0.0

It seems to be major release season for Terraform. Terraform 0.13 is coming up next week, and version 3.0.0 of the AWS provider is already out. Both releases have a number of breaking changes, so I expect that many AWS users will be spending a good chunk of the next few months managing these upgrades.

Terraform 0.13 has been in beta testing for a couple of months and, unless something happens, the final version will be released Monday (August 10).

As of writing, there are a couple dozen reported issues but zero confirmed.

All signs point toward an uneventful release, which will be a relief after the disruption of 0.12.

Here's the thing: managing changes to a widely used, large codebase with a broad surface area is not easy. It is good to see the process getting better. Still, these releases always come with some breaking changes which will have to be dealt with.

Version 3.0.0 of the AWS provider has been released with a number of breaking changes. If you don't have your versions pinned, now is the time to do it unless you want to do an unplanned upgrade.

The blog post has the high-level overview and the release notes have the details.

Major changes–

ACM Resources overhauled

The AWS Certificate Manager resources were fairly challenging to use, and fixing them required making breaking changes. One of the problems was domain_validation_options being a list, which caused all sorts of consistency problems. It has now moved to being a set, so things should be much more stable.

Sensitive values like certificate_body, certificate_chain, and private_key are no longer stored in the state as hashed values.
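The version pin and the domain_validation_options change described above, as an added example that is not taken from the release notes or the original post. The resource names and the two variables are placeholders; the attribute names are those of the AWS provider's ACM and Route 53 resources.

```hcl
# Added example: "example", "validation", var.domain_name and var.zone_id are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0" # pin the major version so the next upgrade is deliberate
    }
  }
}

variable "domain_name" { type = string }
variable "zone_id" { type = string }

resource "aws_acm_certificate" "example" {
  domain_name               = var.domain_name
  subject_alternative_names = ["www.${var.domain_name}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Provider 2.x pattern (list indexing). A set has no order, so this no longer works on 3.0.0:
#   name = aws_acm_certificate.example.domain_validation_options[0].resource_record_name

# Provider 3.x pattern: one validation record per domain, keyed by domain name.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.zone_id
}

resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = aws_acm_certificate.example.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```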

No more hashing in state storage

To protect sensitive data in Terraform state, the AWS provider has long used hashing on individual fields. This decision pre-dates having high-quality remote state storage which can encrypt all data at rest. Now that such options are available and the state is not stored locally, these measures are no longer helpful. Glad to see that they are being dropped.

Fixed authentication ordering

Unless you use one of the more exotic authentication methods, you probably haven't run into this problem: for a long time the AWS provider has used a different order for authentication methods than the AWS SDK. That would become annoying when using the CLI to debug issues with Terraform (because they might use different methods to authenticate). Changes have been made to bring the order in line with the SDK.


There is an upgrade guide with a number of examples; for more detail, take a look at the release notes.

The docs are now on the registry, not terraform.io.

There are now official deb and rpm packages for all HashiCorp tools.

Sorta light week and writing a day late. I have a backlog of things to talk about, so expect a big issue next week.