HashiCorp

1.15.2 (May 6, 2026)

ENHANCEMENTS:

• stacks: add ouput values to plan component instance change description (#38360)

BUG FIXES:

• Avoid printing warnings from 'terraform output -json' (#38530)

1.15.1 (May 1, 2026)

BUG FIXES:

• Fixed crash when configuration has an invalid action_trigger nested block in data or ephemeral lifecycle blocks (#38402)

• validate: Removed validation of attributes inside backend blocks due to incompatibility with workflows using the -backend-config flag. (#38466)

• Fix non-const variable checks on init (#38470)

• Avoid warnings in 'terraform output -raw' (#38487)

• Ignore undeclared variable values from the cloud backend (#38490)

• Fix panic for types modules with no expanded instances (#38491)

• Fixed "unknown provider function" errors occurring during init (#38472)

• init: Fixed a bug that impacted use of provider pre-releases during init (#38496)

0.21.3 (2026/04/28)

New and Improved

• Added support for IBM Passport Advantage Online licensing. You can now use PAO to enable Boundary Enterprise.
• Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)
• Updated internal dependencies.

Security

• Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
• Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)

0.19.5 (2026/04/24)

New and Improved

• Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)

Security

• Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
• Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)

0.20.3 (2026/04/24)

New and Improved

• Added support for new debug flag to expose pprof endpoints for debugging purposes. (PR)

Security

• Updated jackc/pgx/v5 dependency to v5.9.2 to address GHSA-j88v-2chj-qfwx, GO-2026-4771, GO-2026-4772, and GHSA-9jj7-4m8r-rfcm (PR, PR)
• Updated Azure/go-ntlmssp dependency to v0.1.1 to address GHSA-pjcq-xvwq-hhpj (PR)

1.15.0 (April 29, 2026)

NEW FEATURES:

• We now produce builds for Windows ARM64 (#32719)

• You can set a deprecated attribute on variable and output blocks to indicate that they are deprecated. This will produce warnings when passing in a value for a deprecated variable or when referencing a deprecated output. (#38001)

• backend/s3: Support authentication via aws login (#37976)

• validate: The validate command now checks the backend block. This ensures the backend type exists, that all required attributes are present, and that the backend's own validation logic passes. (#38021)

• convert function, which allows for precise inline type conversions (#38160)

• Terraform now supports variables and locals in module source and version attributes (#38217)

ENHANCEMENTS:

• config: output blocks now can have an explicit type constraints (#36411)

• ssh-based provisioner (file + remote-exec): Re-enable support for PowerShell (#37794)

• terraform init log timestamps include millisecond precision (#37818)

• init: skip dependencies declared in development override. This allows you to use terraform init with developer overrides and install dependencies that are not declared in the override file. (#37884)

• Terraform Test: Allow functions within mock blocks (#34672)

• improve detection of deprecated resource attributes / blocks (#38077)

• Deprecation messages providers set on resources / blocks / attributes are now part of the deprecation warning (#38135)

• Include which attribute paths are marked as sensitive in list_start JSON logs (#38197)

• Add input variable validation for Stacks (#38240)

• When comparing a container value to null, only top level marks are now considered for the result. (#38270)

• As part of supporting variables in module sources, most commands now accept variable values (#38276)

BUG FIXES:

• testing: File-level error diagnostics are now included in JUnit XML skipped test elements, ensuring CI/CD pipelines can detect validation failures (#37801)

• A refresh-only plan could result in a non-zero exit code with no changes (#37406)

• cli: Fixed crash in terraform show -json when plan contains ephemeral resources with preconditions or postconditions (#37834)

• cli: Fixed terraform init -json to properly format all backend configuration messages as JSON instead of plain text (#37911)

• state show: The state show command will now explicitly fail and return code 1 when it fails to render the named resources state (#37933)

• apply: Terraform will raise an explicit error if a plan file intended for one workspace is applied against another workspace (#37954)

• lifecycle: replace_triggered_by now reports an error when given an invalid attribute reference that does not exist in the target resource (#36740)

• backend: Fix nil pointer dereference crash during terraform init when the destination backend returns an error (#38027)

• stacks: send progress events if the plan fails for better UI integration (#38039)

• stacks: component instances should report no-op plan/apply. This solves a UI inconsistency with convergence destroy plans (#38049)

• backend/http: Return conflicting lock info from HTTP backend instead of the lock that failed to be taken (#38144)

• states: fixed a bug that caused Terraform to be unable to identify when two states had different output values. This may have caused issues in specific circumstances like backend migrations. (#38181)

• cloud: terraform cloud and registry discovery network requests are now more resilient, making temporary network or service related errors less common (#38064)

• Enable formatting of .tfquery.hcl files by terraform fmt (#38398)

• Fix validate not returning JSON for some early diagnostics (#38400)

• Fix Terraform Stacks plugin installation error (#38406)

NOTES:

• command/init: Provider installation was refactored to enable future enhancements in the area. This results in different order of operations during init and 2 new log messages replacing one (initializing_provider_plugin_message). The change should not have any end-user impact aside from the init command output. (#38227)

UPGRADE NOTES:

• backend/s3: The AWS_USE_FIPS_ENDPOINT and AWS_USE_DUALSTACK_ENDPOINT environment variables now only respect true or false values, aligning with the AWS SDK for Go. This replaces the previous behavior which treated any non-empty value as true. (#37601)

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.14
• v1.13
• v1.12
• v1.11
• v1.10
• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

1.22.7 (April 21, 2026)

SECURITY:

• security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
• security: upgrade go.opentelemetry.io/otel to 1.42.0 to remediate CVE-2026-24051 (Path Hijacking / Untrusted Search Paths on macOS). [GH-23387]
• test-sds-server: bump github.com/hashicorp/consul to v1.22.5 in integration test module to align with the CVE-2026-2808 fixed release line. [GH-23437]
• ui: (Enterprise only) Backport Rollup update to 2.80.0 for release/1.21.x to address CVE-2026-27606 (SECVULN-38912). [GH-23359]

IMPROVEMENTS:

• acl: Addition of TokenNameFormat field to auth-method and parse the same for token name [GH-23444]
• discovery-chain: removes the use of hashstructure_v2 ([github.com/mitchellh/hashstructure/v2] from compiled discovery chain hashing and replaces it with explicit custom hash implementations. [GH-23393]
• ui: removed consul docs website related code as it is being maintained in a separate internal repository. [GH-23398]

BUG FIXES:

• api-gateway: fix HTTPRoute PathPrefix routing to preserve the original request path when replacePrefixMatch is not configured [GH-23390]

FEATURES:

• config: add nonproduction config option for server, license, and reporting config [GH-27646]
• core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

• build: upgrade Go to 1.26.2 [GH-27831]
• ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

• build: Upgrade to Go 1.26 [GH-27685]
• metrics: adds a metric for total agent http connections [GH-26756]
• secrets: increase secrets plugin execution timeout to 60s [GH-27779]
• variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

• agent: Fixed a potential panic in agents using systemd notification [GH-27746]
• agent: fix api.Job.Version used in job PUT actions [GH-27768]
• drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
• identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
• oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

FEATURES:

• core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

• build: upgrade Go to 1.26.2 [GH-27831]
• ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

• build: Upgrade to Go 1.26 [GH-27685]

BUG FIXES:

• agent: Fixed a potential panic in agents using systemd notification [GH-27746]
• agent: fix api.Job.Version used in job PUT actions [GH-27768]
• drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
• oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]

2.0.0 (April 21, 2026)

FEATURES:

• config: add nonproduction config option for server, license, and reporting config [GH-27646]
• core (Enterprise): Enable parsing and reporting with IBM PAO licenses

SECURITY:

• build: upgrade Go to 1.26.2 [GH-27831]
• ui: Increased the client-side generated OIDC nonce entropy to 256-bit. [GH-27749]

IMPROVEMENTS:

• build (Enterprise): Added support for ppc64le CPU architecture on Linux
• build: Upgrade to Go 1.26 [GH-27685]
• metrics: adds a metric for total agent http connections [GH-26756]
• secrets: increase secrets plugin execution timeout to 60s [GH-27779]
• server: Added support for raft-WAL logstore [GH-27493]
• variables: Add variable events to the event stream [GH-27637]

BUG FIXES:

• agent: Fixed a potential panic in agents using systemd notification [GH-27746]
• agent: fix api.Job.Version used in job PUT actions [GH-27768]
• drivers: handle SIGPIPE in executor to handle possible write errors after client restart [GH-27825]
• identity: fix bug where client identity failed to renew after server upgrade to >=1.11.0 [GH-27773]
• oidc: Fixed a bug where the request cache could be corrupted by concurrent requests with the same nonce [GH-27747]
• tls: fix parsing of combined key files when creating tls expiry metric [GH-27667]

1.14.9 (April 20, 2026)

BUG FIXES:

• Fix Terraform Stacks plugin installation error (#38406)

Vagrant nightly release build

A self-service organization deletion checklist is now available for organization owners. The checklist provides an automated pre-flight check to verify that all prerequisites—such as decommissioning active resources, resolving billing requirements, and clearing IAM configurations—are met before an organization can be deleted. This reduces the need for manual support tickets and provides a more seamless, transparent experience.

0.21.2 (2026/04/06)

New and Improved

• cli: Added optional flags -sort-by and -sort-direction to boundary search. These flags can be used to control sorting when searching the client cache and the resource is sessions or targets. (PR)
• The client cache search API now supports the sort_by and sort_direction query parameters when searching sessions or targets. (PR)

4.67.0 (April 02, 2026)

FEATURES:

• New List Resource: azurerm_storage_sync (#31995)
• New Resource: azurerm_data_protection_backup_policy_data_lake_storage (#31179)
• New Resource: azurerm_eventgrid_namespace_topic (#30104)
• New Resource: azurerm_kubernetes_cluster_deployment_safeguard (#31670)
• New Resource: azurerm_resource_provider_feature_registration (#28303)

ENHANCEMENTS:

• dependencies: go-azure-sdk - upgrade to v0.20260326.1151219 (#32047)
• dependencies: storage - update to API version 2025-06-01 (#32071)
• Data Source: azurerm_application_gateway - export the backend, listener, and routing_rule properties (#30376)
• Data Source: azurerm_logic_app_standard - export the site_config.ip_restriction_default_action property (#31816)
• Data Source: azurerm_mssql_elasticpool - export the high_availability_replica_count property (#31761)
• azurerm_application_gateway - add support for the backend, listener, and routing_rule properties (#30376)
• azurerm_kubernetes_cluster - add support for the Ubuntu2404 OS SKU (#32070)
• azurerm_kubernetes_cluster - improve validation for network_profile.0.advanced_networking (#31497)
• azurerm_kubernetes_cluster_node_pool - add support for the Ubuntu2404 OS SKU (#32070)
• azurerm_kusto_attached_database_configuration - add support for the database_name_override, database_name_prefix, sharing.functions_to_exclude, and sharing.functions_to_include properties (#31470)
• azurerm_logic_app_standard - add support for the site_config.scm_ip_restriction_default_action property (#32043)
• azurerm_logic_app_standard - add support for the site_config.ip_restriction_default_action property (#31816)
• azurerm_mssql_elasticpool - add support for the high_availability_replica_count property (#31761)
• azurerm_nat_gateway - add support for the StandardV2 SKU (#31197)
• azurerm_public_ip - add support for the StandardV2 SKU (#31197)
• azurerm_public_ip_prefix - add support for the StandardV2 SKU (#31197)

BUG FIXES:

• azurerm_backup_policy_vm - fix the Update function to properly set all timestamps when any of backup.time, retention_daily, retention_weekly, retention_montly, or retention_yearly change (#31969)
• azurerm_cosmosdb_account - fix an API error caused by backup.interval_in_minutes and backup.retention_in_hours being set to 0 in the API payload when not defined in config (#32037)
• azurerm_machine_learning_compute_instance - fix setting node_public_ip_enabled into state (#31725)
• azurerm_search_service - mark query_keys.key value as sensitive (#32053) (#32053)

6.39.0 (April 1, 2026)

NOTES:

• data-source/aws_eks_access_entry: The tags_all attribute is deprecated and will be removed in a future major version (#47133)

FEATURES:

• New Data Source: aws_iam_role_policies (#46936)
• New Data Source: aws_iam_role_policy_attachments (#47119)
• New Data Source: aws_networkmanager_core_network (#45798)
• New Data Source: aws_uxc_services (#47115)
• New List Resource: aws_eks_cluster (#47133)
• New List Resource: aws_organizations_aws_service_access (#46993)
• New List Resource: aws_sagemaker_training_job (#46892)
• New List Resource: aws_workmail_group (#47131)
• New List Resource: aws_workmail_user (#47131)
• New Resource: aws_organizations_aws_service_access (#46993)
• New Resource: aws_sagemaker_training_job (#46892)
• New Resource: aws_uxc_account_customizations (#47115)
• New Resource: aws_workmail_group (#47131)
• New Resource: aws_workmail_user (#47131)

ENHANCEMENTS:

• data-source/aws_outposts_asset: Add instance_families attribute (#47153)
• resource/aws_eks_cluster: Add resource identity support (#47133)
• resource/aws_eks_cluster: Support tier-8xl as a valid value for control_plane_scaling_config.tier (#46976)
• resource/aws_network_acl_rule: Add Resource Identity support (#47090)
• resource/aws_observabilityadmin_centralization_rule_for_organization: Add source.source_logs_configuration.data_source_selection_criteria argument. Change source.source_logs_configuration.log_group_selection_criteria to Optional (#47154)
• resource/aws_prometheus_scraper: Add source.vpc argument. Change source.eks to Optional (#47155)
• resource/aws_s3_bucket_metric: Support bucket metrics for directory buckets (#47184)
• resource/aws_s3control_storage_lens_configuration: Add storage_lens_configuration.account_level.advanced_performance_metrics and storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics arguments (#46865)

BUG FIXES:

• data-source/aws_eks_access_entry: Fixed tags not being returned (#47133)
• data-source/aws_service_principal: Fix service principal names for EC2 and S3 in the aws-cn partition (#47141)
• resource/aws_config_organization_conformance_pack: Fix creation timeout when using a delegated administrator account (#47072)
• resource/aws_dynamodb_table: Fix Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource in highly active accounts by restoring 5s delay before polling for table status. This fixes a regression introduced in v6.28.0. (#47143)
• resource/aws_eks_cluster: Set bootstrap_self_managed_addons to true when importing (#47133)
• resource/aws_elasticache_serverless_cache: Fix InvalidParameterCombination error when cache_usage_limits is removed (#46134)
• resource/aws_glue_catalog_table: Detect and report failed view creation (#47101)

4.66.0 (March 26, 2026)

FEATURES:

• New Data Source: azurerm_container_app_environment_storage (#32007)
• New List Resource: azurerm_video_indexer_account (#31978)

ENHANCEMENTS:

• dependencies: Go - upgrade to version 1.25.8 (#31907)
• azurerm_bastion_host - Upgrade API to 2025-01-01 (#32030)
• azurerm_kubernetes_cluster - add support for migration from Azure or Kubenet CNI to Azure CNI Overlay (#30959)
• azurerm_search_service: add support for endpoint attribute (#32010)
• cognitive_account_rai_blocklist_resource - add support for the tags property (#31871)

BUG FIXES:

• azurerm_container_app - fix failure_count_threshold validation values for container app probes (#31989)
• azurerm_linux_function_app_slot - fix API error when removing auth_settings_v2 configuration from a previously deployed appservice slot (#32008)
• azurerm_linux_web_app_slot - fix API error when removing auth_settings_v2 configuration from a previously deployed appservice slot (#32008)
• azurerm_log_analytics_workspace - preserve default value of local_authentication_enabled (#32004)
• azurerm_windows_function_app_slot - fix API error when removing auth_settings_v2 configuration from a previously deployed appservice slot (#32008)
• azurerm_windows_web_app_slot - fix API error when removing auth_settings_v2 configuration from a previously deployed appservice slot (#32008)

1.15.1 (March 26, 2026)

FEATURES:

• hcp: native sbom generation for hcp. Refer to the guide here for more information. GH-13566

BUG FIXES:

• core: Scrub multiline sensitive values from build output (including OS-specific multiline sensitive-value fixtures) GH-13582

SECURITY:

• deps: bump syft to v1.42.3 (fixes GO-2026-4809) GH-13581
• deps: bump github.com/hashicorp/packer-plugin-sdk to v0.6.7 GH-13581
• deps: bump github.com/hashicorp/hcp-sdk-go from 0.136.0 to 0.167.0 GH-13560
• deps: Updates OpenTelemetry dependencies to v1.41.0 GH-13572
• deps: Upgrade go-git to v5.17.0 and grpc to 1.79.3 GH-13570
• deps: Updates circl dependency to v1.6.3 GH-13564

INTERNAL:

• ci: Adds grouped and scheduled updates for GitHub Actions (monthly, grouped PRs, ignore major bumps) GH-13575
• docs: remove docs validation from packer (docs changes move to web-unified-docs) GH-13577
• legal: Update LICENSE GH-13563

1.22.6 (March 23, 2026)

SECURITY:

• security: upgrade envoy version to 1.35.9 and 1.34.13 [GH-23372]
• security: update google.golang.org/grpc to fix CVE-2026-33186 [GH-23379]
• security: upgrade go version to 1.25.8 [GH-23322]
• security: bump golang.org/x/* dependencies to align with consul-enterprise and address security vulnerabilities. [GH-23322]

IMPROVEMENTS:

• api-gateway: Add support to disable traffic with weight 0 in services for HTTPRoute backends, allowing explicit zero-weight backends to be excluded from traffic. [GH-23216]
• ui: Fixed Consul UI to work in non-secure environments by enabling Ember Data's UUID polyfill for crypto.randomUUID. [GH-23341]
• ui: Fixed Consul UI services page navigation by ensuring route transitions trigger the expected model hook behavior after Ember upgrade. [GH-23271]
• ui: Replaced deprecated SideNav component with AppSideNav for improved navigation structure. [GH-23289]