jprdonnelly/opentf
1
0
Fork 0
mirror of https://github.com/opentffoundation/opentf.git synced 2025-12-19 17:59:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update what's new page for 1.11 (#3425)

Browse Source 
Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
This commit is contained in:
Christian Mesh
2025-10-23 11:32:36 -04:00
committed by GitHub
parent eff8f3faba
commit f161c7cc27
2 changed files with 48 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
website/docs/intro/upgrading.mdx
View File

@@ -1,27 +1,19 @@
---
sidebar_position: 5
sidebar_label: Upgrading from OpenTofu 1.7.x/1.8.x/1.9.x
sidebar_label: Upgrading from OpenTofu 1.8.x/1.9.x/1.10.x
description: |-
Learn how to upgrade OpenTofu from version 1.7.x/1.8.x/1.9.x to 1.10.0.
Learn how to upgrade OpenTofu from version 1.8.x/1.9.x/1.10.x to 1.11.0.
---
# Upgrading from OpenTofu 1.7.x/1.8.x/1.9.x
# Upgrading from OpenTofu 1.8.x/1.9.x/1.10.x
OpenTofu 1.8.x is mostly compatible with previous OpenTofu versions (other than one minor breaking change in the S3 backend). This migration guide will take you through the process of upgrading OpenTofu to version 1.8.0.
OpenTofu 1.11.x is mostly compatible with previous OpenTofu versions. This migration guide will take you through the process of upgrading OpenTofu to version 1.11.0.
## Step 0: Prepare a disaster recovery plan
Although OpenTofu 1.10 is mostly compatible with previous versions, you should take the necessary precautions to prevent accidents. Make sure you have an up to date and *tested* disaster recovery plan.
Although OpenTofu 1.11 is mostly compatible with previous versions, you should take the necessary precautions to prevent accidents. Make sure you have an up to date and *tested* disaster recovery plan.
## Step 1: If using an S3 backend - Remove any use of `use_legacy_workflow` from S3 backend configurations
If you are using the S3 backend, with `use_legacy_workflow` set, you'd have to remove it. This field has been deprecated in version 1.7.0, and has been changed to default to `false`. The legacy workflow of authentication is no longer supported. Please start using the new authentication method, which is more consistent with other AWS tools
## Step 2: If you are using `ghcr.io/opentofu/opentofu` as a base image
If you are using `ghcr.io/opentofu/opentofu` as a base image for your containers, you will need to move away from this setup. Please follow the instructions on the container installation page to build your own base image.
## Step 3: Apply all changes with OpenTofu 1.7.x/1.8.x/1.9.x
## Step 1: Apply all changes with OpenTofu 1.7.x/1.8.x/1.9.x
Before proceeding, make sure that you apply all changes with `tofu apply`. Running `tofu plan` should result in no planned changes. While you can switch to OpenTofu with pending changes, it is not recommended.
@@ -36,18 +28,18 @@ OpenTofu has compared your real infrastructure against your
configuration and found no differences, so no changes are needed.
```
## Step 4: Install OpenTofu 1.10.x
## Step 2: Install OpenTofu 1.11.x
As a first step, please [follow the installation instructions for the OpenTofu CLI tool](intro/install/index.mdx). Please test
if you can successfully execute the `tofu` command and receive the correct version:
```
$ tofu --version
OpenTofu v1.10.0
OpenTofu v1.11.0
on linux_amd64
```
## Step 5: Back up your state file
## Step 3: Back up your state file
Before you begin using the `tofu` binary on your Terraform code, make sure to back up your state file. If you are using
a local state file, you can simply make a copy of your `terraform.tfstate` file in your project directory.
@@ -55,7 +47,7 @@ a local state file, you can simply make a copy of your `terraform.tfstate` file
If you are using a remote backend such as an S3 bucket, make sure that you follow the backup procedures for the
backend and that you exercise the restore procedure at least once.
## Step 6: Initialize OpenTofu 1.10.x
## Step 4: Initialize OpenTofu 1.11.x
:::warning
@@ -75,10 +67,10 @@ If you are using the S3 backend - You will need to run `tofu init -reconfigure`
:::
## Step 7: Inspect the plan
## Step 5: Inspect the plan
Once initialized, run `tofu plan` and ensure that there are no pending changes similar to step 1 above. If there are
unexpected changes in the plan, roll back to OpenTofu 1.6.x/1.7.x and troubleshoot your migration. (See the Troubleshooting
unexpected changes in the plan, roll back to OpenTofu 1.8.x/1.9.x/1.10.x and troubleshoot your migration. (See the Troubleshooting
section below.)
```
@@ -92,17 +84,17 @@ OpenTofu has compared your real infrastructure against your
configuration and found no differences, so no changes are needed.
```
## Step 8: Test out a small change
## Step 6: Test out a small change
Before you begin using OpenTofu for larger changes, test out `tofu apply` with a smaller, non-critical
change.
## Rolling back and reporting issues
If you have issues migrating to OpenTofu you can follow these steps to roll back to OpenTofu 1.7.x/1.8.x/1.9.x:
If you have issues migrating to OpenTofu you can follow these steps to roll back to OpenTofu 1.8.x/1.9.x/1.10.x:
1. Create another backup of your state file.
2. Remove OpenTofu 1.19.x and verify that you are running OpenTofu 1.7.x/1.8.x/1.9.x.
2. Remove OpenTofu 1.11.x and verify that you are running OpenTofu 1.8.x/1.9.x/1.10.x.
3. Run `tofu init`.
4. Run `tofu plan` and verify that no unexpected changes are in the plan.
5. Test the rollback with a small, non-critical change.
@@ -117,11 +109,11 @@ If you encounter any issues during the migration to OpenTofu, you can join the <
### Error: Failed to query available provider packages
This error happens when a provider you specified in your configuration is not available in the OpenTofu registry.
Please roll back to OpenTofu 1.7.x/1.8.x/1.9.x and make sure your code works with that version. If your code works, please
Please roll back to OpenTofu 1.8.x/1.9.x/1.10.x and make sure your code works with that version. If your code works, please
[submit an issue to include the provider in the registry](https://github.com/opentofu/registry/issues/).
### Error: Module not found
This error happens when a module you specified in your configuration is not available in the OpenTofu registry.
Please roll back to OpenTofu 1.7.x/1.8.x/1.9.x and make sure your code works with that version. If your code works, please
Please roll back to OpenTofu 1.8.x/1.9.x/1.10.x and make sure your code works with that version. If your code works, please
[submit an issue to include the module in the registry](https://github.com/opentofu/registry/issues/).

73
website/docs/intro/whats-new.mdx
View File

@@ -1,66 +1,55 @@
---
sidebar_position: 2
sidebar_label: What's new in version 1.10?
sidebar_label: What's new in version 1.11?
description: |-
Learn all about the new features in OpenTofu 1.10.
Learn all about the new features in OpenTofu 1.11.
---
# What's new in OpenTofu 1.10?
This page will run you through the most important changes in OpenTofu 1.10:
- [New features](#new-features)
- [New built-in functions](#new-built-in-functions)
- [Moved for different resource types](#moved-for-different-resource-types)
- [Improvements to existing features](#improvements-to-existing-features)
- [External programs as encryption key providers (experimental)](#external-programs-as-encryption-key-providers-experimental)
- [Smaller improvements](#smaller-improvements)
- [Deprecations](#deprecations)
- [Using `ghcr.io/opentofu/opentofu` as a base image](#using-ghcrioopentofuopentofu-as-a-base-image)
- [Bugfixes](#bugfixes)
# What's new in OpenTofu 1.11?
## New features
### New built-in functions
### Ephemeral Resources / Write-Only Attributes
New builtin provider functions added ([#2306](https://github.com/opentofu/opentofu/pull/2306)) :
**Ephemeral values** allow OpenTofu to work with data and resources that exist only in memory during a single OpenTofu phase, guaranteeing that those values will not be persisted in state snapshots or plan files.
- `provider::terraform::decode_tfvars` - Decode a TFVars file content into an object.
- `provider::terraform::encode_tfvars` - Encode an object into a string with the same format as a TFVars file.
- `provider::terraform::encode_expr` - Encode an arbitrary expression into a string with valid OpenTofu syntax.
You can now declare input variables and output values as being ephemeral, and you can use provider plugins that have been updated to include ephemeral resource types (e.g. for fetching a secret) or managed resource types with write-only attributes (e.g. for setting a password without saving it in OpenTofu state).
### Moved for different resource types
For more information, refer to [Ephemerality](https://opentofu.org/docs/v1.11/language/ephemerality/).
- `moved` block can now be used to migrate between different types of resources ([docs](../language/modules/develop/refactoring.mdx#changing-a-resource-type)).
- Builtin provider now supports migration from `null_resource` to `terraform_data` resource.
### Enabled meta-argument
The new **`enabled` meta-argument** offers an alternative to the existing `count` and `for_each` meta-arguments for situations where a particular resource instance or module instance has either zero or one instances.
The initial form of this argument is nested inside a `lifecycle` block, rather than directly inside a resource or module declaration, to avoid conflicting with existing input variables or resource type arguments named `enabled`.
For more information, refer to [the `enabled` meta-argument](https://opentofu.org/docs/v1.11/language/meta-arguments/enabled/).
## Improvements to existing features
### External programs as encryption key providers (experimental)
### Tag support added to S3 backend
State encryption now supports using external programs as key providers. Additionally, the PBKDF2 key provider now supports chaining via the `chain` parameter. For details, [see the related documentation](../language/state/encryption.mdx#external-experimental)
This functionality is experimental and may be changed in future OpenTofu versions.
### Smaller improvements
* OpenTofu will now recommend using `-exclude` instead of `-target`, when possible, in the error messages about unknown values in `count` and `for_each` arguments, thereby providing a more definitive workaround. ([#2154](https://github.com/opentofu/opentofu/pull/2154))
The S3 backend now supports **object tagging** your backend, allowing you to add custom tags to your state files for better organization and cost tracking.
## Deprecations
### Using `ghcr.io/opentofu/opentofu` as a base image
- **Azure Backend (`azurerm`)**:
Using the `ghcr.io/opentofu/opentofu` image as a base image for custom images is deprecated and doesn't work as of OpenTofu 1.10. The reason behind this change is security: while we regularly update OpenTofu itself when security-relevant updates arise, providing a base image would require an update roughly once a week, which we are currently not equipped to do.
- The `endpoint` and `ARM_ENDPOINT` configuration options are no longer supported
- The `msi_endpoint` and `ARM_MSI_ENDPOINT` options are no longer supported
- The `environment` and `metadata_host` arguments are now mutually exclusive
However, we have added instructions on building your own base image in the [containerized installation instructions](./install/docker.mdx#building-your-own-image).
- **issensitive() Function**: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.
## Bugfixes
- **Testing with Mocks**: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.
:::warning
OpenTofu 1.10 changed how workspace creation locking works. It is unsafe to
use `pg` backend with multiple OpenTofu versions (under 1.10) in parallel if those
are sharing the same underlying database.
:::
- **S3 Module Installation**: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.
- Fixed an issue where an invalid provider name in the `provider_meta` block would crash OpenTofu rather than report an error ([#2347](https://github.com/opentofu/opentofu/pull/2347))
- `pg` backend doesn't fail on workspace creation for parallel runs, when the database is shared across multiple projects. ([#2411](https://github.com/opentofu/opentofu/pull/2411))
- **TLS and SSH Security**:
- SHA-1 signatures are no longer accepted for TLS or SSH connections
- SSH certificates must comply with the `draft-miller-ssh-cert-03` specification
## Full Changelog
You can find the full changelog at https://github.com/opentofu/opentofu/blob/v1.11/CHANGELOG.md