Terraform 0.14 Release Highlights

Date: 04 December 2020

Category: Terraform

Tag: Releases

Lets take a look at the latest features/changes introduced in the Terraform 0.14 release.

Release Info

Released: December 2020

Concise Diff

Terraform Blog Post

The diff renderer used by terraform plan, terraform apply, and terraform show has been updated to hide unchanged and irrelevant fields. If any attributes, collection elements, or blocks are hidden, a count will be kept and displayed at the end of the parent scope. This ensures that the diff is clearly only displaying a subset of the resource.

This is an experimental feature, but is on by default. The new diff will:

  • Always show all identifying fields, initially defined as id, name, and tags, even if unchanged
  • Only show changed, added, or removed primitive values: string, number, or bool
  • Only show added or removed elements in unordered collections and structural types: map, set, and object
  • Show added or removed elements with up to two contextual unchanged elements for sequence types: list and tuple
  • Only show added or removed nested blocks, or blocks with changed attributes

Sensitive Input Variables

Terraform Blog Post

Defining an input variable value as “sensitive” will result in Terraform redacting that value from CLI output. The same is true for module outputs. Module outputs with the sensitive=true attribute set will also see their values redacted throughout a Terraform plan.

variable "user_information" {
  type = object({
    name    = string
    address = string
  sensitive = true

output "db_password" {
  value       = aws_db_instance.db.password
  description = "The password for logging in to the database."
  sensitive   = true

Defining a module output as “sensitive” imparts the same behavior for those outputs as with variables defined as “sensitive”; those output values will be redacted even if they are consumed elsewhere in the Terraform plan.

Terraform has also introduced experimental functionality to allow providers to mark variables as sensitive. Experimentation is needed to understand the cascade effects of marking variables/module output as sensitive.

Provider Dependency Lockfile

Terraform Blog Post

Terraform 0.13 made it possible to install providers from customer-controlled or third-party remote registries. Remote and automated Terraform workflows need to be able to duplicate previous runs exactly.

The dependency lock file launching with Terraform 0.14 is generated automatically when Terraform init is run. The generated lockfile should be committed into version control systems so that Terraform can guarantee to select exactly the same provider versions on future runs.

Upgrading to a new provider (or collection of providers) can be completed via terraform init -upgrade.

Forward Compatibility of State Files

Terraform will now support reading and writing all compatible state files, even from future versions of Terraform. This means that users of Terraform 0.14.0 will be able to share state files with future Terraform versions until a new state file format version is needed.