HCP Terraform Agent Changelog

These are the release notes from the HCP Terraform Agent application. Changes within each release are categorized into one or more of the following labels:

FEATURES - Used for net-new features being added to the agent.
BUG FIXES - Backward-compatible fixes for buggy functionality.
IMPROVEMENTS - Functional improvements to performance, effeciency, etc.
SECURITY - Fixes for security-related issues.
BREAKING CHANGES - Reserved for changes which break previous functionality.

Each version below corresponds to a release artifact available for download on the official releases website.

1.21.1 (04/01/2025)

SECURITY:

Added guards for sensitive values exposed by procfs (#776, #784)

IMPROVEMENTS:

Improved backpressure signaling for request forwarding (#964)

1.21.0 (03/18/2025)

IMPROVEMENTS:

Upgraded Ubuntu to v24.04 for base Docker image. (#922)

1.20.2 (03/04/2025)

SECURITY:

Updated golang.org/x/crypto dependency to v0.35.0 to address GO-2025-3487 (#935)
Updated golang.org/x/oauth2 dependency to v0.27.0 to address GO-2025-3488 (#935)

1.20.1 (02/19/2025)

BUG FIXES:

Fixed a bug that would prevent tfc-agent from cleaning up temporary directories that contained subdirectories with readonly permissions. (#921)

1.20.0 (02/06/2025)

BUG FIXES:

Rolled back to Ubuntu v20.04 from upgrade to v24.04 for base Docker image to address errors seen with v24.04. (#913)
- This fixed a bug which caused tfc-agent:v1.19.0 to break on certain configs using local-exec or other provisioners that rely on python or the AWS CLI.

1.19.0 (02/05/2025)

BUG FIXES:

Changed 201 HTTP status code log from ERROR to DEBUG. (#891)

IMPROVEMENTS:

Upgraded Ubuntu to v24.04 for base Docker image. (#903)
Added log of OS and Arch at agent start (#901)

1.18.0 (01/29/2025)

FEATURES:

Added ability to check for private module versions that are deprecated and display deprecation warnings in the run output (#879)

SECURITY:

Updated dependency github.com/hashicorp/go-slug to v0.16.4 (#892)
- This resolved CVE-2025-0377 in hashicorp/go-slug.
- Fixed a bug which caused tfc-agent:v1.17.6 to break on certain API-driven workflows in HCP Terraform and Terraform Enterprise.

1.17.6 (01/23/2025)

SECURITY:

Updated dependency github.com/hashicorp/go-slug to v0.16.3 (#867)
- Important: v0.16.3 of go-slug contained a bug which caused tfc-agent:v1.17.6 to break on certain API-driven workflows in HCP Terraform and Terraform Enterprise.
- This resolved CVE-2025-0377 in hashicorp/go-slug.
Updated dependencies github.com/go-git/go-git/v5 to v5.13.1 and golang.org/x/net to v0.34.0 (#873)

1.17.5 (12/12/2024)

BUG FIXES:

Ensured Sentinel subjects are correctly managed and Terraform plugins are enabled when required (#854)

1.17.4 (12/12/2024)

BUG FIXES:

Surfaced errors due to invalid Sentinel output on errored Sentinel commands (#850)

1.17.3 (12/10/2024)

BUG FIXES:

Updated inaccurate constraint introduced in previous version gating ephemeral variables (#841)
Fixed an issue where streaming extremely large job outputs would retry after the server rejected further requests (#837)

1.17.2 (11/26/2024)

IMPROVEMENTS:

Added jitter to connection retries for Request Forwarding (#817)
Ensured ephemeral variables (Terraform v1.10 feature) are passed between plan & apply (#831)

1.17.1 (11/13/20204)

IMPROVEMENTS:

Added support for a custom timeout on each hook (#820)

1.17.0 (10/30/2024)

BREAKING CHANGES:

Changed the network protocol that supports unreleased Request Forwarding functionality, which affects Private VCS Providers (#801)

BUG FIXES:

Fixed issue where some fatal errors were logged at debug level instead of error (#799)
Fixed an issue where the hashicorp/tfc-agent Docker image could have the wrong owners for /home/tfc-agent/bin/* content (#807)

1.16.0 (10/02/2024)

FEATURES:

Added support for authenticating with AWS and GCP using dynamic credentials generated via HCP Vault Secrets (#786)

1.15.5 (09/18/2024)

IMPROVEMENTS:

Included a copy of the license text with all releases (#772)

SECURITY:

Moved to building with Go 1.22.7 in which several CVEs are addressed (#781)

1.15.4 (07/24/2024)

SECURITY:

Moved to building with Go 1.22.5 in which several CVEs are addressed (#727)

1.15.3 (07/10/2024)

SECURITY:

Updated go-retryablehttp dependency to address CVE-2024-6104 (#712)
Removed unnecessary linux-libc-dev package from published container image (#714)

1.15.2 (05/29/2024)

BUG FIXES:

Fixed consistency of the status.<idle,busy> gauge metrics (#680)
Fixed cpu utilization gauge and clarified metric names (#681)

IMPROVEMENTS:

Improved collection of errors from VCS Repositories when performing ingress (#683)

1.15.1 (05/01/2024)

IMPROVEMENTS:

Added telemetry metric requests.forwarding.count (#651)
Added error log for when an organization does not have request forwarding permission (#658)
Improved logs when disconnected from the broker (#654)
Added resource utilization metrics during workload execution (#619)
Added support for authenticating with HCP via dynamic credentials (#673)

BUG FIXES:

Updated documentation to include ingress and test as accept options. (#643)
Fixed bug which allowed forwarding requests when unauthorized. (#661)

1.15.0 (03/13/2024)

FEATURES:

Added support for HTTP request forwarding (#635)
Added support for Ingress functionality (#637)

1.14.5 (02/28/2024)

BUG FIXES:

Fixed bug to handle Sentinel parameters that were collection of nested data types (#624)

1.14.4 (02/14/2024)

BUG FIXES:

Fixed Sentinel metrics to use snake-case for consistency with other metrics (#617)

1.14.3 (01/17/2024)

BUG FIXES:

Updated dependencies to address CVEs: GHSA-9763-4f94-gfch, CVE-2023-49569, CVE-2023-49568

1.14.2 (12/19/2023)

BUG FIXES:

Fixed issue that caused a canceled plan to not interrupt terraform (#575)

1.14.1 (11/16/2023)

BUG FIXES:

Fixed issue that could cause a "failed to load shared config file" error in certain cases for Vault-backed AWS dynamic credentials (#557)

1.14.0 (11/09/2023)

FEATURES:

Added support for terraform test (#546)
Added support for dynamic provider credentials for the Kubernetes and Helm providers (#503)

IMPROVEMENTS:

Optimized filesystem storage footprint by trimming provider installs before upload (#532)

BUG FIXES:

Fixed unexpected behavior with policies by preserving file timestamps and modes on unpacked archives (#548)

1.13.1 (10/25/2023)

IMPROVEMENTS:

Added any warnings emitted from Sentinel evaluation into the policy outcome (#534)

1.13.0 (09/27/2023)

FEATURES:

Added support for Sentinel policies to be evaluated within the agent (#519)

IMPROVEMENTS:

Increased timeout for generating JSON artifacts from 5 to 10 minutes (#511)

1.12.1 (09/13/2023)

IMPROVEMENTS:

Added policy tool version into the policy outcome for better debugging (#461)
Added handling for the "errored.tfstate" file when states fail to upload (#464)
Added ability to omit filesystem upload based on the presence of the filesystem url (#480)

BUG FIXES:

Fixed a race condition which could lead to unsent job status updates to the backend (#466)

1.12.0 (07/26/2023)

BUG FIXES:

Fixed OpenTelemetry log message to reflect insecure connections (#453)

FEATURES:

Added support for specifying a wait time after generating Vault-backed AWS credentials (#451)
Added support for multiple dynamic credentials configurations (#452)

IMPROVEMENTS:

Increased max wait time for Vault-backed Azure credentials to 25 minutes from 15 minutes (#450)

1.11.0 (07/19/2023)

FEATURES:

Added support for specifying a wait time after generating Vault-backed Azure credentials (#437)
Ensured that all assessment jobs execute a terraform refresh (#426)

BUG FIXES:

Fixed dependency report generation to respect Terraform workspace working directory settings - previous report generation would fail to find files relating to Terraform dependencies in some circumstances. (#441)

1.10.1 (07/07/2023)

BUG FIXES:

Fixed JSON unmarshalling errors when generating the redacted plan (#427)

1.10.0 (06/08/2023)

FEATURES:

Added support for Terraform 1.5 (#395)

1.9.0 (05/04/2023)

FEATURES:

Added support for specifying a custom CA cert for Vault dynamic credentials (#379)
Added support for setting env vars from Terraform hook scripts (#378)

IMPROVEMENTS:

Updated Docker container to pre-create the data directory (#380)

1.8.0 (04/18/2023)

BUG FIXES:

Fixed an issue which prevented some Dynamic Credentials validation error messages from being relayed (#365)
Fixed crash when unpacking configuration versions that contained archive entries with an empty name (#371)

IMPROVEMENTS:

Updated logs, metrics, and traces to have consistently named attributes (#357, #364)
Removed unnecessary nesting from telemetry attributes (#368)

FEATURES:

Added ability to collect terraform, module and provider versions for reporting purposes (#367)
Added support for vault-backed dynamic provider credentials (#370)

1.7.1 (03/29/2023)

BUG FIXES:

Fixed tracing span issues when executing Terraform operations (#340)
Changed the metrics export interval to support more telemetry platforms (#348)

IMPROVEMENTS:

Updated OpenTelemetry SDK libraries for improved compatibility (#327)

1.7.0 (03/02/2023)

FEATURES:

Added support for dynamic provider credentials (#328)

BUG FIXES:

Fixed exit code during startup errors (#335)

1.6.1 (02/23/2023)

SECURITY:

Added validation checks for filepaths when extracting Terraform bundles (#323)

1.6.0 (12/20/2022)

FEATURES:

Added a new configuration setting for defining the cache directory (#303)

IMPROVEMENTS:

Increased deadline for "terraform init" process to 10 minutes (#312)

1.5.0 (12/14/2022)

FEATURES:

Added new CLI configuration for controlling which types of jobs an agent accepts (#251)
Terraform module sources now support the generic hostname localterraform.com (#264)

BUG FIXES:

Fixed hook scripts not executing if the operation errors or exits early (#250)
Fixed handling of plugin directory in custom Terraform bundles (#295)

1.4.0 (10/05/2022)

IMPROVEMENTS:

Added better validation of Terraform run payloads (#226)

FEATURES:

Added the policy component, making it possible for policies to be evaluated within the agent (#235)

1.3.1 (09/13/2022)

BUG FIXES:

Fixed issues with download retries (#191)
Fixed validation of workspaces with no Terraform configuration files (#190)

IMPROVEMENTS:

Added error logging when failing to generate JSON artifacts (#192)

1.3.0 (08/04/2022)

FEATURES:

Added generation of "terraform show" plaintext output during plans (#183)

BUG FIXES:

Fixed a race condition causing tfc-agent to send status updates forever (#186)

1.2.7 (08/01/2022)

BUG FIXES:

Fixed provider symlink preservation for custom Terraform bundles (#182)

IMPROVEMENTS:

Removed the redundant "terraform init" command during apply operations (#182)

1.2.6 (06/24/2022)

BUG FIXES:

Fixed execution of internal Terraform commands when TF_* args are set (#170)

1.2.5 (06/23/2022)

BUG FIXES:

Fixed support for absolute symlinks which point to relative files (#168)
Added a fixed deadline for telemetry shutdown (#166)

IMPROVEMENTS:

Added user-error classification for bad data during filesystem uploads (#167)

1.2.4 (06/21/2022)

BUG FIXES:

Added support for dangling symlinks with relative targets (#164)

1.2.3 (06/09/2022)

BUG FIXES:

Fixed inconsistent paths between plan and apply (#161)

1.2.2 (05/12/2022)

IMPROVEMENTS:

Added attributes to traces created by the agent. (#134)

BUG FIXES:

Fixed handling of Terraform JSON artifact generation errors (#156)

1.2.1 (05/11/2022)

BUG FIXES:

Fixed the ability to use a symlink as the working directory (#151)

1.2.0 (05/02/2022)

IMPROVEMENTS:

Added better error handling for non-existent working directories (#148)
Added jq, python, and pip to the Docker image (#149)

1.1.7 (04/25/2022)

BUG FIXES:

Fixed response handling for retryable downloads (#146)

1.1.6 (04/20/2022)

BUG FIXES:

Fixed OpenTelemetry metrics by rolling back client version (#144)

1.1.5 (04/18/2022)

IMPROVEMENTS:

Improved resilience of downloads by adding retries. (#136)

1.1.4 (03/22/2022)

BUG FIXES:

Fixed HOME environment variable during hook execution. (#130)

1.1.3 (03/17/2022)

SECURITY:

Updated Docker image to address OpenSSL CVE-2022-0778 (#129)

1.1.2 (03/11/2022)

BUG FIXES:

Fixed Terraform variable validation to accept Terraform v0.12+ syntax. (#122)
Fixed core HTTP requests (fetch jobs, post status) to log in debug mode (#125)
Extended HTTP header timeout to 30 seconds (#127)

1.1.1 (03/09/2022)

IMPROVEMENTS:

Added redacted HTTP logs in debug log mode (#123)

1.1.0 (02/23/2022)

FEATURES:

Added support for executing hooks at various stages of a Terraform run. (#109)

BUG FIXES:

Fixed missing operation name in Terraform run temp dir paths (#115)

IMPROVEMENTS:

Added Nomad context to logs, traces, and metrics when available (#109)
Added ping command to Docker image (#112)

1.0.2 (12/07/2021)

BUG FIXES:

Fixed key collision in log attributes when performaing status updates (#105)
Fixed race condition during status updates at the end of a job (#106)

1.0.1 (11/11/2021)

IMPROVEMENTS:

Added basic user-error classification to Terraform component logs (#103)

1.0.0 (10/29/2021)

BREAKING CHANGES:

Changed logging to only include Terraform output at trace level (#88)
Removed deprecated -disable-update and TFC_AGENT_DISABLE_UPDATE (#95)

SECURITY:

Removed all SUID/SGID binaries from the Docker container (#91)

BUG FIXES:

Fixed agent behavior when core HTTP requests block for a long time (#90)

IMPROVEMENTS:

Added additional metadata to logs when using JSON logging mode (#84)
Added more descriptive log when new major versions become available (#89)
Increased HTTP retries when receiving server errors from TFC (#92)
Added utilities to Docker image to support modules, provisioners, etc. (#93)
Added support for Terraform versions 1.1+ via the "cloud" integration (#94)
Added detection of unrecognized TFC_AGENT_* environment variables (#97)

0.4.2 (10/06/2021)

BUG FIXES:

Fixed errors resulting from using "disabled" auto-update mode (#81)
Fixed trace flushing to ensure all spans are recorded properly (#82)

IMPROVEMENTS:

Added verification of core plugin major version (#80)

0.4.1 (09/13/2021)

IMPROVEMENTS:

Increased timeout for generating JSON artifacts from one to five minutes (#78)
Improved timeout logging when generating JSON artifacts (#78)

0.4.0 (08/20/2021)

FEATURES:

Added configurable automatic update strategy to make upgrades safer (#59)

BUG FIXES:

Fixed segfault when no valid Terraform files were found (#67)

0.3.2 (07/22/2021)

BUG FIXES:

Fixed Docker image OS permissions for automatic updates (#64)

0.3.1 (07/22/2021)

BUG FIXES:

Fixed Terraform output buffer corruption (#63)

0.3.0 (07/07/2021)

BREAKING CHANGES:

Changed the user in the Docker container to be non-root (#56)

SECURITY:

Changed the user in the Docker container to be non-root (#56)

0.2.1 (06/03/2021)

IMPROVEMENTS:

Added HTTP retries during registration and status updates. (#53)

FEATURES:

Added support for JSON-formatted log output (#54)

BUG FIXES:

Fixed release builds to always compile binaries statically (#55)

0.2.0 (06/18/2021)

FEATURES:

Added support for using custom Terraform bundles (#52)
Added support for Terraform's -replace flag (#51)
Added support for Terraform's -refresh-only flag (#49)
Added support for structured run output (#34)

BUG FIXES:

Fixed Terraform resource targeting (#50)

0.1.14 (05/06/2021)

BREAKING CHANGES:

Updated the HashiCorp GPG public key for release verification (#41)

0.1.13 (05/06/2021)

FEATURES:

Added support for Terraform's -refresh=false flag (#43)
Added support for flash messages (#47)

0.1.12 (04/27/2021)

FEATURES:

Added support for exporting tracing and metrics via OpenTelemetry (#38)

0.1.11 (04/14/2021)

IMPROVEMENTS:

Expanded signal handling to include SIGTERM, SIGINT, and SIGQUIT (#39)

0.1.10 (04/05/2021)

IMPROVEMENTS:

Added support for Terraform versions back to v0.9.1 (#35)

0.1.9 (03/09/2021)

BUG FIXES:

Fixed upgrades from Terraform v0.12 to v0.13 (#33)

IMPROVEMENTS:

Added base OS update during Docker image builds (#30)

0.1.8 (01/11/2021)

BUG FIXES:

Added a work-around for Docker sending multiple INT signals on ctrl+c (#29)

0.1.7 (01/07/2021)

SECURITY:

Removed access to tfc-agent configuration env vars after agent boot up (#28)

0.1.6 (01/05/2021)

FEATURES:

Added variable sensitivity propagation for Terraform 0.14+ (#27)

0.1.5 (12/03/2020)

SECURITY:

Mitigated zipslip vulnerability (#24)

0.1.4 (10/21/2020)

BUG FIXES:

Fixed handling of user-defined SSH keys during Terraform runs (#21)

0.1.3 (09/08/2020)

BUG FIXES:

Removed dynamic linker cache in Docker image (#20)

0.1.2 (08/14/2020)

BUG FIXES:

Fixed handling of custom env vars when running "terraform version" (#19)

0.1.1 (08/12/2020)

BUG FIXES:

Added required packages used by Terraform for cloning modules

0.1.0 (08/12/2020)

Initial release