HCP Terraform Agent Changelog

These are the release notes from the HCP Terraform Agent application. Changes within each release are categorized into one or more of the following labels:

FEATURES - Used for net-new features being added to the agent.
BUG FIXES - Backward-compatible fixes for buggy functionality.
IMPROVEMENTS - Functional improvements to performance, effeciency, etc.
SECURITY - Fixes for security-related issues.
BREAKING CHANGES - Reserved for changes which break previous functionality.

Each version below corresponds to a release artifact available for download on the official releases website.

1.22.0 (04/15/2025)

FEATURES:

Added ability to check for private module versions that are revoked and display revocations warnings in the run output of existing module consumers. New users of the revoked version will see an error in their run output. (#973)

1.21.2 (04/03/2025)

BUG FIXES:

Silenced profiler errors on systems where i/o data is unavailable (#973)
Fixed spurious 404 errors seen as workloads are completed (#667)

1.21.1 (04/01/2025)

SECURITY:

Added guards for sensitive values exposed by procfs (#776, #784)

IMPROVEMENTS:

Improved backpressure signaling for request forwarding (#964)

1.21.0 (03/18/2025)

IMPROVEMENTS:

Upgraded Ubuntu to v24.04 for base Docker image. (#922)

1.20.2 (03/04/2025)

SECURITY:

Updated golang.org/x/crypto dependency to v0.35.0 to address GO-2025-3487 (#935)
Updated golang.org/x/oauth2 dependency to v0.27.0 to address GO-2025-3488 (#935)

1.20.1 (02/19/2025)

BUG FIXES:

Fixed a bug that would prevent tfc-agent from cleaning up temporary directories that contained subdirectories with readonly permissions. (#921)

1.20.0 (02/06/2025)

BUG FIXES:

Rolled back to Ubuntu v20.04 from upgrade to v24.04 for base Docker image to address errors seen with v24.04. (#913)
- This fixed a bug which caused tfc-agent:v1.19.0 to break on certain configs using local-exec or other provisioners that rely on python or the AWS CLI.

1.19.0 (02/05/2025)

BUG FIXES:

Changed 201 HTTP status code log from ERROR to DEBUG. (#891)

IMPROVEMENTS:

Upgraded Ubuntu to v24.04 for base Docker image. (#903)
Added log of OS and Arch at agent start (#901)

1.18.0 (01/29/2025)

FEATURES:

Added ability to check for private module versions that are deprecated and display deprecation warnings in the run output (#879)

SECURITY:

Updated dependency github.com/hashicorp/go-slug to v0.16.4 (#892)
- This resolved CVE-2025-0377 in hashicorp/go-slug.
- Fixed a bug which caused tfc-agent:v1.17.6 to break on certain API-driven workflows in HCP Terraform and Terraform Enterprise.

1.17.6 (01/23/2025)

SECURITY:

Updated dependency github.com/hashicorp/go-slug to v0.16.3 (#867)
- Important: v0.16.3 of go-slug contained a bug which caused tfc-agent:v1.17.6 to break on certain API-driven workflows in HCP Terraform and Terraform Enterprise.
- This resolved CVE-2025-0377 in hashicorp/go-slug.
Updated dependencies github.com/go-git/go-git/v5 to v5.13.1 and golang.org/x/net to v0.34.0 (#873)

1.17.5 (12/12/2024)

BUG FIXES:

Ensured Sentinel subjects are correctly managed and Terraform plugins are enabled when required (#854)

1.17.4 (12/12/2024)

BUG FIXES:

Surfaced errors due to invalid Sentinel output on errored Sentinel commands (#850)

1.17.3 (12/10/2024)

BUG FIXES:

Updated inaccurate constraint introduced in previous version gating ephemeral variables (#841)
Fixed an issue where streaming extremely large job outputs would retry after the server rejected further requests (#837)

1.17.2 (11/26/2024)

IMPROVEMENTS:

Added jitter to connection retries for Request Forwarding (#817)
Ensured ephemeral variables (Terraform v1.10 feature) are passed between plan & apply (#831)

1.17.1 (11/13/20204)

IMPROVEMENTS:

Added support for a custom timeout on each hook (#820)

1.17.0 (10/30/2024)

BREAKING CHANGES:

Changed the network protocol that supports unreleased Request Forwarding functionality, which affects Private VCS Providers (#801)

BUG FIXES:

Fixed issue where some fatal errors were logged at debug level instead of error (#799)
Fixed an issue where the hashicorp/tfc-agent Docker image could have the wrong owners for /home/tfc-agent/bin/* content (#807)

1.16.0 (10/02/2024)

FEATURES:

Added support for authenticating with AWS and GCP using dynamic credentials generated via HCP Vault Secrets (#786)

1.15.5 (09/18/2024)

IMPROVEMENTS:

Included a copy of the license text with all releases (#772)

SECURITY:

Moved to building with Go 1.22.7 in which several CVEs are addressed (#781)

1.15.4 (07/24/2024)

SECURITY:

Moved to building with Go 1.22.5 in which several CVEs are addressed (#727)

1.15.3 (07/10/2024)

SECURITY:

Updated go-retryablehttp dependency to address CVE-2024-6104 (#712)
Removed unnecessary linux-libc-dev package from published container image (#714)

1.15.2 (05/29/2024)

BUG FIXES:

Fixed consistency of the status.<idle,busy> gauge metrics (#680)
Fixed cpu utilization gauge and clarified metric names (#681)

IMPROVEMENTS:

Improved collection of errors from VCS Repositories when performing ingress (#683)

1.15.1 (05/01/2024)

IMPROVEMENTS:

Added telemetry metric requests.forwarding.count (#651)
Added error log for when an organization does not have request forwarding permission (#658)
Improved logs when disconnected from the broker (#654)
Added resource utilization metrics during workload execution (#619)
Added support for authenticating with HCP via dynamic credentials (#673)

BUG FIXES:

Updated documentation to include ingress and test as accept options. (#643)
Fixed bug which allowed forwarding requests when unauthorized. (#661)

1.15.0 (03/13/2024)

FEATURES:

Added support for HTTP request forwarding (#635)
Added support for Ingress functionality (#637)

1.14.5 (02/28/2024)

BUG FIXES:

Fixed bug to handle Sentinel parameters that were collection of nested data types (#624)

1.14.4 (02/14/2024)

BUG FIXES:

Fixed Sentinel metrics to use snake-case for consistency with other metrics (#617)

1.14.3 (01/17/2024)

BUG FIXES:

Updated dependencies to address CVEs: GHSA-9763-4f94-gfch, CVE-2023-49569, CVE-2023-49568

1.14.2 (12/19/2023)

BUG FIXES:

Fixed issue that caused a canceled plan to not interrupt terraform (#575)

1.14.1 (11/16/2023)

BUG FIXES:

Fixed issue that could cause a "failed to load shared config file" error in certain cases for Vault-backed AWS dynamic credentials (#557)

1.14.0 (11/09/2023)

FEATURES:

Added support for terraform test (#546)
Added support for dynamic provider credentials for the Kubernetes and Helm providers (#503)

IMPROVEMENTS:

Optimized filesystem storage footprint by trimming provider installs before upload (#532)

BUG FIXES:

Fixed unexpected behavior with policies by preserving file timestamps and modes on unpacked archives (#548)

1.13.1 (10/25/2023)

IMPROVEMENTS:

Added any warnings emitted from Sentinel evaluation into the policy outcome (#534)

1.13.0 (09/27/2023)

FEATURES:

Added support for Sentinel policies to be evaluated within the agent (#519)

IMPROVEMENTS:

Increased timeout for generating JSON artifacts from 5 to 10 minutes (#511)

1.12.1 (09/13/2023)

IMPROVEMENTS:

Added policy tool version into the policy outcome for better debugging (#461)
Added handling for the "errored.tfstate" file when states fail to upload (#464)
Added ability to omit filesystem upload based on the presence of the filesystem url (#480)

BUG FIXES:

Fixed a race condition which could lead to unsent job status updates to the backend (#466)

1.12.0 (07/26/2023)

BUG FIXES:

Fixed OpenTelemetry log message to reflect insecure connections (#453)

FEATURES:

Added support for specifying a wait time after generating Vault-backed AWS credentials (#451)
Added support for multiple dynamic credentials configurations (#452)

IMPROVEMENTS:

Increased max wait time for Vault-backed Azure credentials to 25 minutes from 15 minutes (#450)

1.11.0 (07/19/2023)

FEATURES:

Added support for specifying a wait time after generating Vault-backed Azure credentials (#437)
Ensured that all assessment jobs execute a terraform refresh (#426)

BUG FIXES:

Fixed dependency report generation to respect Terraform workspace working directory settings - previous report generation would fail to find files relating to Terraform dependencies in some circumstances. (#441)

1.10.1 (07/07/2023)

BUG FIXES:

Fixed JSON unmarshalling errors when generating the redacted plan (#427)

1.10.0 (06/08/2023)

FEATURES:

Added support for Terraform 1.5 (#395)

1.9.0 (05/04/2023)

FEATURES:

Added support for specifying a custom CA cert for Vault dynamic credentials (#379)
Added support for setting env vars from Terraform hook scripts (#378)

IMPROVEMENTS:

Updated Docker container to pre-create the data directory (#380)

1.8.0 (04/18/2023)

BUG FIXES:

Fixed an issue which prevented some Dynamic Credentials validation error messages from being relayed (#365)
Fixed crash when unpacking configuration versions that contained archive entries with an empty name (#371)

IMPROVEMENTS:

Updated logs, metrics, and traces to have consistently named attributes (#357, #364)
Removed unnecessary nesting from telemetry attributes (#368)

FEATURES:

Added ability to collect terraform, module and provider versions for reporting purposes (#367)
Added support for vault-backed dynamic provider credentials (#370)

1.7.1 (03/29/2023)

BUG FIXES:

Fixed tracing span issues when executing Terraform operations (#340)
Changed the metrics export interval to support more telemetry platforms (#348)

IMPROVEMENTS:

Updated OpenTelemetry SDK libraries for improved compatibility (#327)

1.7.0 (03/02/2023)

FEATURES:

Added support for dynamic provider credentials (#328)

BUG FIXES:

Fixed exit code during startup errors (#335)

1.6.1 (02/23/2023)

SECURITY:

Added validation checks for filepaths when extracting Terraform bundles (#323)

1.6.0 (12/20/2022)

FEATURES:

Added a new configuration setting for defining the cache directory (#303)

IMPROVEMENTS:

Increased deadline for "terraform init" process to 10 minutes (#312)

1.5.0 (12/14/2022)

FEATURES:

Added new CLI configuration for controlling which types of jobs an agent accepts (#251)
Terraform module sources now support the generic hostname localterraform.com (#264)

BUG FIXES:

Fixed hook scripts not executing if the operation errors or exits early (#250)
Fixed handling of plugin directory in custom Terraform bundles (#295)

1.4.0 (10/05/2022)

IMPROVEMENTS:

Added better validation of Terraform run payloads (#226)

FEATURES:

Added the policy component, making it possible for policies to be evaluated within the agent (#235)

1.3.1 (09/13/2022)

BUG FIXES:

Fixed issues with download retries (#191)
Fixed validation of workspaces with no Terraform configuration files (#190)

IMPROVEMENTS:

Added error logging when failing to generate JSON artifacts (#192)

1.3.0 (08/04/2022)

FEATURES:

Added generation of "terraform show" plaintext output during plans (#183)

BUG FIXES:

Fixed a race condition causing tfc-agent to send status updates forever (#186)

1.2.7 (08/01/2022)

BUG FIXES:

Fixed provider symlink preservation for custom Terraform bundles (#182)

IMPROVEMENTS:

Removed the redundant "terraform init" command during apply operations (#182)

1.2.6 (06/24/2022)

BUG FIXES:

Fixed execution of internal Terraform commands when TF_* args are set (#170)

1.2.5 (06/23/2022)

BUG FIXES:

Fixed support for absolute symlinks which point to relative files (#168)
Added a fixed deadline for telemetry shutdown (#166)

IMPROVEMENTS:

Added user-error classification for bad data during filesystem uploads (#167)

1.2.4 (06/21/2022)

BUG FIXES:

Added support for dangling symlinks with relative targets (#164)

1.2.3 (06/09/2022)

BUG FIXES:

Fixed inconsistent paths between plan and apply (#161)

1.2.2 (05/12/2022)

IMPROVEMENTS:

Added attributes to traces created by the agent. (#134)

BUG FIXES:

Fixed handling of Terraform JSON artifact generation errors (#156)

1.2.1 (05/11/2022)

BUG FIXES:

Fixed the ability to use a symlink as the working directory (#151)

1.2.0 (05/02/2022)

IMPROVEMENTS:

Added better error handling for non-existent working directories (#148)
Added jq, python, and pip to the Docker image (#149)

1.1.7 (04/25/2022)

BUG FIXES:

Fixed response handling for retryable downloads (#146)

1.1.6 (04/20/2022)

BUG FIXES:

Fixed OpenTelemetry metrics by rolling back client version (#144)

1.1.5 (04/18/2022)

IMPROVEMENTS:

Improved resilience of downloads by adding retries. (#136)

1.1.4 (03/22/2022)

BUG FIXES:

Fixed HOME environment variable during hook execution. (#130)

1.1.3 (03/17/2022)

SECURITY:

Updated Docker image to address OpenSSL CVE-2022-0778 (#129)

1.1.2 (03/11/2022)

BUG FIXES:

Fixed Terraform variable validation to accept Terraform v0.12+ syntax. (#122)
Fixed core HTTP requests (fetch jobs, post status) to log in debug mode (#125)
Extended HTTP header timeout to 30 seconds (#127)

1.1.1 (03/09/2022)

IMPROVEMENTS:

Added redacted HTTP logs in debug log mode (#123)

1.1.0 (02/23/2022)

FEATURES:

Added support for executing hooks at various stages of a Terraform run. (#109)

BUG FIXES:

Fixed missing operation name in Terraform run temp dir paths (#115)

IMPROVEMENTS:

Added Nomad context to logs, traces, and metrics when available (#109)
Added ping command to Docker image (#112)

1.0.2 (12/07/2021)

BUG FIXES:

Fixed key collision in log attributes when performaing status updates (#105)
Fixed race condition during status updates at the end of a job (#106)

1.0.1 (11/11/2021)

IMPROVEMENTS:

Added basic user-error classification to Terraform component logs (#103)

1.0.0 (10/29/2021)

BREAKING CHANGES:

Changed logging to only include Terraform output at trace level (#88)
Removed deprecated -disable-update and TFC_AGENT_DISABLE_UPDATE (#95)

SECURITY:

Removed all SUID/SGID binaries from the Docker container (#91)

BUG FIXES:

Fixed agent behavior when core HTTP requests block for a long time (#90)

IMPROVEMENTS:

Added additional metadata to logs when using JSON logging mode (#84)
Added more descriptive log when new major versions become available (#89)
Increased HTTP retries when receiving server errors from TFC (#92)
Added utilities to Docker image to support modules, provisioners, etc. (#93)
Added support for Terraform versions 1.1+ via the "cloud" integration (#94)
Added detection of unrecognized TFC_AGENT_* environment variables (#97)

0.4.2 (10/06/2021)

BUG FIXES:

Fixed errors resulting from using "disabled" auto-update mode (#81)
Fixed trace flushing to ensure all spans are recorded properly (#82)

IMPROVEMENTS:

Added verification of core plugin major version (#80)

0.4.1 (09/13/2021)

IMPROVEMENTS:

Increased timeout for generating JSON artifacts from one to five minutes (#78)
Improved timeout logging when generating JSON artifacts (#78)

0.4.0 (08/20/2021)

FEATURES:

Added configurable automatic update strategy to make upgrades safer (#59)

BUG FIXES:

Fixed segfault when no valid Terraform files were found (#67)

0.3.2 (07/22/2021)

BUG FIXES:

Fixed Docker image OS permissions for automatic updates (#64)

0.3.1 (07/22/2021)

BUG FIXES:

Fixed Terraform output buffer corruption (#63)

0.3.0 (07/07/2021)

BREAKING CHANGES:

Changed the user in the Docker container to be non-root (#56)

SECURITY:

Changed the user in the Docker container to be non-root (#56)

0.2.1 (06/03/2021)

IMPROVEMENTS:

Added HTTP retries during registration and status updates. (#53)

FEATURES:

Added support for JSON-formatted log output (#54)

BUG FIXES:

Fixed release builds to always compile binaries statically (#55)

0.2.0 (06/18/2021)

FEATURES:

Added support for using custom Terraform bundles (#52)
Added support for Terraform's -replace flag (#51)
Added support for Terraform's -refresh-only flag (#49)
Added support for structured run output (#34)

BUG FIXES:

Fixed Terraform resource targeting (#50)

0.1.14 (05/06/2021)

BREAKING CHANGES:

Updated the HashiCorp GPG public key for release verification (#41)

0.1.13 (05/06/2021)

FEATURES:

Added support for Terraform's -refresh=false flag (#43)
Added support for flash messages (#47)

0.1.12 (04/27/2021)

FEATURES:

Added support for exporting tracing and metrics via OpenTelemetry (#38)

0.1.11 (04/14/2021)

IMPROVEMENTS:

Expanded signal handling to include SIGTERM, SIGINT, and SIGQUIT (#39)

0.1.10 (04/05/2021)

IMPROVEMENTS:

Added support for Terraform versions back to v0.9.1 (#35)

0.1.9 (03/09/2021)

BUG FIXES:

Fixed upgrades from Terraform v0.12 to v0.13 (#33)

IMPROVEMENTS:

Added base OS update during Docker image builds (#30)

0.1.8 (01/11/2021)

BUG FIXES:

Added a work-around for Docker sending multiple INT signals on ctrl+c (#29)

0.1.7 (01/07/2021)

SECURITY:

Removed access to tfc-agent configuration env vars after agent boot up (#28)

0.1.6 (01/05/2021)

FEATURES:

Added variable sensitivity propagation for Terraform 0.14+ (#27)

0.1.5 (12/03/2020)

SECURITY:

Mitigated zipslip vulnerability (#24)

0.1.4 (10/21/2020)

BUG FIXES:

Fixed handling of user-defined SSH keys during Terraform runs (#21)

0.1.3 (09/08/2020)

BUG FIXES:

Removed dynamic linker cache in Docker image (#20)

0.1.2 (08/14/2020)

BUG FIXES:

Fixed handling of custom env vars when running "terraform version" (#19)

0.1.1 (08/12/2020)

BUG FIXES:

Added required packages used by Terraform for cloning modules

0.1.0 (08/12/2020)

Initial release