chore(deps): update terraform hashicorp/terraform to < 1.5

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change	Pending
hashicorp/terraform	required_version	minor	< 1.4 -> < 1.5	1.4.4 (+1)
hashicorp/terraform	required_version	minor	>= v0.15.5, < 1.2 -> < 1.5	1.4.4 (+1)

---

Release Notes

hashicorp/terraform

v1.4.2

Compare Source

1.4.2 (March 16, 2023)

BUG FIXES:

• Fix bug in which certain uses of setproduct caused Terraform to crash (#​32860)
• Fix bug in which some provider plans were not being calculated correctly, leading to an "invalid plan" error (#​32860)

v1.4.1

Compare Source

1.4.1 (March 15, 2023)

BUG FIXES:

• Enables overriding modules that have the depends_on attribute set, while still preventing the depends_on attribute itself from being overridden. (#​32796)
• terraform providers mirror: when a dependency lock file is present, mirror the resolved providers versions, not the latest available based on configuration. (#​32749)
• Fixed module downloads from S3 URLs when using AWS IAM roles for service accounts (IRSA). (#​32700)
• hcl: Fix a crash in Terraform when attempting to apply defaults into an incompatible type. (#​32775)
• Prevent panic when creating a plan which errors before the planning process has begun. (#​32818)
• Fix the plan renderer skipping the "no changes" messages when there are no-op outputs within the plan. (#​32820)
• Prevent panic when rendering null nested primitive values in a state output. (#​32840)
• Warn when an invalid path is specified in TF_CLI_CONFIG_FILE (#​32846)

v1.4.0

Compare Source

1.4.0 (March 08, 2023)

UPGRADE NOTES:

• config: The textencodebase64 function when called with encoding "GB18030" will now encode the euro symbol € as the two-byte sequence 0xA2,0xE3, as required by the GB18030 standard, before applying base64 encoding.

• config: The textencodebase64 function when called with encoding "GBK" or "CP936" will now encode the euro symbol € as the single byte 0x80 before applying base64 encoding. This matches the behavior of the Windows API when encoding to this Windows-specific character encoding.

• terraform init: When interpreting the hostname portion of a provider source address or the address of a module in a module registry, Terraform will now use non-transitional IDNA2008 mapping rules instead of the transitional mapping rules previously used.

  This matches a change to the WHATWG URL spec's rules for interpreting non-ASCII domain names which is being gradually adopted by web browsers. Terraform aims to follow the interpretation of hostnames used by web browsers for consistency. For some hostnames containing non-ASCII characters this may cause Terraform to now request a different "punycode" hostname when resolving.

• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#​32129)

• The Terraform plan renderer has been completely rewritten to aid with future Terraform Cloud integration. Users should not see any material change in the plan output between 1.3 and 1.4. If you notice any significant differences, or if Terraform fails to plan successfully due to rendering problems, please open a bug report issue.

BUG FIXES:

• The module installer will now record in its manifest a correct module source URL after normalization when the URL given as input contains both a query string portion and a subdirectory portion. Terraform itself doesn't currently make use of this information and so this is just a cosmetic fix to make the recorded metadata more correct. (#​31636)
• config: The yamldecode function now correctly handles entirely-nil YAML documents. Previously it would incorrectly return an unknown value instead of a null value. It will now return a null value as documented. (#​32151)
• Ensure correct ordering between data sources and the deletion of managed resource dependencies. (#​32209)
• Fix Terraform creating objects that should not exist in variables that specify default attributes in optional objects. (#​32178)
• Fix several Terraform crashes that are caused by HCL creating objects that should not exist in variables that specify default attributes in optional objects within collections. (#​32178)
• Fix inconsistent behaviour in empty vs null collections. (#​32178)
• terraform workspace now returns a non-zero exit when given an invalid argument (#​31318)
• Terraform would always plan changes when using a nested set attribute (#​32536)
• Terraform can now better detect when complex optional+computed object attributes are removed from configuration (#​32551)
• A new methodology for planning set elements can now better detect optional+computed changes within sets (#​32563)
• Fix state locking and releasing messages when in -json mode, messages will now be written in JSON format (#​32451)

ENHANCEMENTS:

• terraform plan can now store a plan file even when encountering errors, which can later be inspected to help identify the source of the failures (#​32395)
• terraform_data is a new builtin managed resource type, which can replace the use of null_resource, and can store data of any type (#​31757)
• terraform init will now ignore entries in the optional global provider cache directory unless they match a checksum already tracked in the current configuration's dependency lock file. This therefore avoids the long-standing problem that when installing a new provider for the first time from the cache we can't determine the full set of checksums to include in the lock file. Once the lock file has been updated to include a checksum covering the item in the global cache, Terraform will then use the cache entry for subsequent installation of the same provider package. There is an interim CLI configuration opt-out for those who rely on the previous incorrect behavior. (#​32129)
• Interactive input for sensitive variables is now masked in the UI (#​29520)
• A new -or-create flag was added to terraform workspace select, to aid in creating workspaces in automated situations (#​31633)
• A new command was added for exporting Terraform function signatures in machine-readable format: terraform metadata functions -json (#​32487)
• The "Failed to install provider" error message now includes the reason a provider could not be installed. (#​31898)
• backend/gcs: Add kms_encryption_key argument, to allow encryption of state files using Cloud KMS keys. (#​24967)
• backend/gcs: Add storage_custom_endpoint argument, to allow communication with the backend via a Private Service Connect endpoint. (#​28856)
• backend/gcs: Update documentation for usage of gcs with terraform_remote_state (#​32065)
• backend/gcs: Update storage package to v1.28.0 (#​29656)
• When removing a workspace from the cloud backend terraform workspace delete will use Terraform Cloud's Safe Delete API if the -force flag is not provided. (#​31949)
• backend/oss: More robustly handle endpoint retrieval error (#​32295)
• local-exec provisioner: Added quiet argument. If quiet is set to true, Terraform will not print the entire command to stdout during plan. (#​32116)
• backend/http: Add support for mTLS authentication. (#​31699)
• cloud: Add support for using the generic hostname localterraform.com in module and provider sources as a substitute for the currently configured cloud backend hostname. This enhancement was also applied to the remote backend.
• terraform show will now print an explanation when called on a Terraform workspace with empty state detailing why no resources are shown. (#​32629)
• backend/gcs: Added support for GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT env var to allow impersonating a different service account when GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is configured for the GCP provider. (#​32557)
• backend/cos: Add support for the assume_role authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.
• backend/cos: Add support for the security_token authentication method with the tencentcloud provider. This can be configured via the Terraform config or environment variables.

EXPERIMENTS:

• Since its introduction the yamlencode function's documentation carried a warning that it was experimental. This predated our more formalized idea of language experiments and so wasn't guarded by an explicit opt-in, but the intention was to allow for small adjustments to its behavior if we learned it was producing invalid YAML in some cases, due to the relative complexity of the YAML specification.

  From Terraform v1.4 onwards, yamlencode is no longer documented as experimental and is now subject to the Terraform v1.x Compatibility Promises. There are no changes to its previous behavior in v1.3 and so no special action is required when upgrading.

---

Configuration

📅 Schedule: Branch creation - "every 3 months on the first day of the month" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[bourgeoisor]

/gcbrun

[dpebot]

/gcbrun

[forking-renovate[bot]]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[dpebot]

/gcbrun

[NimJay]

Ideally, we would also bump the Terraform (TF) version in our GitHub Action runners — similar to this pull-request. But bump TF versions in our Action runners should be out-of-scope for this PR.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[NimJay]

Hi @Shabirmean,

Question: Should I remove the do not merge label? Do you remember the reason you added it?

I have preserved the >= v0.15.5 TF version constraints (which @renovate-bot was removing in it's original commit). The GitHub checks were passing in the previous attempt (so I assume they will pass again in the current attempt), and I have resolved the conflicts.

Note:

• I have not updated the TF version in our GitHub Action runners — which I think should be out-of-scope for this PR. Let me know if you think otherwise. :)

[Shabirmean]

Hi Shabir Mohamed Abdul Samadh,

Question: Should I remove the do not merge label? Do you remember the reason you added it?

I have preserved the >= v0.15.5 TF version constraints (which Mend Renovate was removing in it's original commit). The GitHub checks were passing in the previous attempt (so I assume they will pass again in the current attempt), and I have resolved the conflicts.

Note:

• I have not updated the TF version in our GitHub Action runners — which I think should be out-of-scope for this PR. Let me know if you think otherwise. :)

I think the reason I added it was to make sure we manually test these changes locally to verify a bulk of the samples work. The CI is testing only a subset of the samples and not all of them. Hence, I temporarily marked it as DNM.