weekly.tf #27

Last week was HashiConf Digital, the online-only replacement for the usual North American HashiConf. There was some good stuff and I will be posting videos once they are available in a permanent spot (I am told the digital.hashiconf.com links won't work forever).

In the meantime, we have some immediate announcements to talk about.

Version 0.14 is now in beta, just months after 0.13, and the team is signaling that stabilization for a 1.0 release is now its focus.

As the target becomes 1.0, the focus seems to be shifting toward refinements to the user experience rather than new features.

This release has three such improvements:

Sensitive input variables

Variables can now be marked as sensitive, and Terraform will propagate that label through expressions derived from sensitive variables, applying the appropriate masking on output.
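A minimal configuration showing how that propagation plays out, added here as an illustration (it is not from the newsletter or from HashiCorp's documentation). The names db_password, db_host and app_env and the sample host value are assumptions, and it uses the local_file resource from the hashicorp/local provider.

```hcl
# Added example for Terraform 0.14; every name and value here is constructed.

variable "db_password" {
  type      = string
  sensitive = true # new in 0.14: the value is masked in plan and apply output
}

variable "db_host" {
  type    = string
  default = "db.example.internal" # constructed sample value
}

locals {
  # Derived from a sensitive variable, so the whole string inherits the label.
  db_url = "postgres://app:${var.db_password}@${var.db_host}:5432/app"
}

resource "local_file" "app_env" {
  filename        = "${path.module}/app.env"
  file_permission = "0600"

  # This attribute depends on var.db_password, so the plan masks it
  # instead of printing the connection string.
  content = "DATABASE_URL=${local.db_url}\n"
}

output "db_url" {
  value = local.db_url

  # An output that refers to a sensitive value must be marked sensitive
  # itself; Terraform rejects the configuration otherwise.
  sensitive = true
}

output "db_host" {
  # Not derived from the sensitive variable, so it is displayed normally.
  value = var.db_host
}
```

The masking applies to CLI output only: the password is still written in plaintext to the state file (and, in this example, to app.env), so state storage needs the same access controls as before.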

Concise diffs

Terraform 0.12 made plan diffs considerably more verbose. This new format is a compromise between the 0.11 and 0.12 versions, showing some but not all unchanged values. If you can recall, 0.11 showed only changed values and 0.12 shows all values for changed resources. The compromise here is that 0.14 will show identity values (names, ids, etc) in addition to changed values.

Provider Dependency Lock File

terraform init will now write a .terraform.lock.hcl file which can be checked into source control. This will pin provider versions between init runs. This seems to be a common solution across many package-management solutions and a good improvement to the predictability of terraform operations.

But, are folks out there really not pinning versions already? That would be surprising to me.

See the upgrade guide for more on the nuances of this new feature.


For more on these features, there is a (draft) upgrade guide, a forum post, and the changelog.

Terraform Consul Sync is a new product, in "tech preview", which aims to fill an automation gap that especially affects networking teams.

At its most basic level, this tool can watch data in Consul and respond to changes by running Terraform code with data sourced from Consul. The code is on GitHub.

You probably could have kludged together something like this with consul-template, but this approach seems much cleaner.

Notable Releases

It seems like all new features are going into 0.14 (and there are not many new features right now), so this release is "just" bug fixes.

Terraformer is definitely the most useful tool for bringing existing infrastructure under management by Terraform. Finally it has support for Terraform 0.13.

New resources for appmesh and codeartifact and a handful of improvements to sagemaker.

New data sources for vault_transit_decrypt and vault_transit_encrypt look really nice.

A couple nice things in this release along with some breaking changes.

There is a great new docs site at tfsec.dev with docs for all checks. Modules are now supported, after running terraform init. And the tool no longer recursively checks files, a breaking but welcome change since this is the way terraform itself works.

No longer supports 0.11. Also did you know that there was a provider that allows you to make generic http (GET) requests?

Also no longer supports 0.11. Did you know there is a provider that allows you to read and write DNS records via DNS (did you know you can write/update records directly via DNS? I didn't).

Also no longer supports Terraform 0.11. Did you know that a provider exists just to interface with external programs? (Ok, I knew about this one.)

Yet another provider that no longer supports Terraform 0.11. The archive provider, AKA the provider for packaging your lambda functions.

Ok, you guessed it: no more 0.11 support.

One final provider that no longer supports terraform 0.11.