32 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
guides | Upgrading to Terraform 0.12 | upgrade-guides-0-12 | Upgrading to Terraform v0.12 |
Upgrading to Terraform v0.12
Terraform v0.12 is a major release focused on configuration language improvements and thus includes some changes that you'll need to consider when upgrading. The goal of this guide is to cover the most common upgrade concerns and issues.
For most users, upgrading configuration should be completely automatic. Some simple configurations will require no changes at all, and most other configurations can be prepared by running the automatic upgrade tool. Please read on for more information and recommendations on the upgrade process.
-> If you are a developer maintaining a provider plugin, please see the documentation on 0.12 compatibility for providers to learn more about the changes that are required.
Upgrade to Terraform 0.11 first
We strongly recommend completing an upgrade to the latest Terraform v0.11 release first. This will give you an opportunity to address any changes required for the previous major version upgrades separately, rather than making multiple changes at once.
In particular, if you are upgrading from a Terraform version prior to v0.9,
you must first upgrade to Terraform v0.9 and
switch to initializing with terraform init
, because v0.12 no longer includes
the functionality for automatically migrating from the legacy remote state
mechanism.
This guide focuses on changes from v0.11 to v0.12. Each previous major release has its own upgrade guide, so please consult the other guides (available in the navigation) to upgrade step-by-step to v0.11 first.
Terraform v0.11.14 (and any subsequent v0.11 releases) also include some additional functionality to help smooth the upgrade, which we will use later in this guide.
Prior versions of Terraform are available from the releases server.
Pre-upgrade Checklist
Terraform v0.11.14 introduced a temporary helper command
terraform 0.12checklist
, which analyzes your configuration to detect any
required steps that will be easier to perform before upgrading.
To use it, first upgrade to Terraform v0.11.14. Then, perform the following steps:
terraform init
to ensure your working directory is fully initialized and all required plugins are installed and selected.terraform apply
to ensure that your real infrastructure and Terraform state are consistent with the current configuration. The instructions produced by the checklist command assume that configuration and state are synchronized.terraform 0.12checklist
to see if there are any pre-upgrade steps in the checklist.
If all is well, the final command will produce a message like this:
Looks good! We did not detect any problems that ought to be
addressed before upgrading to Terraform v0.12
This tool is not perfect though, so please check the v0.12 upgrade
guide for additional guidance, and for next steps:
https://www.terraform.io/upgrade-guides/0-12.html
As the message suggests, the next step in that case is to read the remainder of this page to prepare for and carry out the upgrade.
However, the checklist command may instead produce a list of one or more tasks that we recommend you perform before upgrading to Terraform 0.12, because they are easier to perform with a fully-functional Terraform 0.11 than with a Terraform 0.12 that has encountered compatibility problems.
The tasks it may suggest you perform could include:
- Upgrading any provider versions that are not compatible with Terraform v0.12. We recommend upgrading to the latest version of each provider before upgrading because that will avoid changing many things in one step.
- Renaming any resources or provider aliases that have names that start with digits, because that is no longer valid in Terraform 0.12.
- Upgrading any external modules the configuration uses which themselves have the above problems.
In each case, the tool will give some direction on how to perform the task it is suggesting.
The output from terraform 0.12checklist
is in Markdown format so that it can
easily be pasted into a Markdown-compatible issue tracker, should you want
to track the necessary tasks or share the work with other team members.
After all of the tasks are complete, run terraform 0.12checklist
one more time
to verify that everything is complete. If so, continue reading the following
sections to complete the upgrade!
Upgrading to Terraform 0.12
Before switching to Terraform 0.12, we recommend using Terraform v0.11.14 (or
any later v0.11 release) to perform one last terraform init
and
terraform apply
to ensure that everything is initialized and synchronized.
Once terraform apply
shows no changes pending, switch over to a Terraform
v0.12 release and run terraform init
again to upgrade the working directory
metadata to v0.12 format. (Once you've done this, you'll need to delete the
.terraform
directory if you wish to return to Terraform v0.11, but no
real infrastructure or persisted state will be upgraded yet.)
It is possible that your configuration may be using configuration constructs
that are not Terraform v0.12 compatible and thus require upgrade. In that case,
terraform init
will produce the following message:
Terraform has initialized, but configuration upgrades may be needed.
Terraform found syntax errors in the configuration that prevented full
initialization. If you've recently upgraded to Terraform v0.12, this may be
because your configuration uses syntax constructs that are no longer valid,
and so must be updated before full initialization is possible.
Terraform has installed the required providers to support the configuration
upgrade process. To begin upgrading your configuration, run the following:
terraform 0.12upgrade
To see the full set of errors that led to this message, run:
terraform validate
As mentioned in the message, Terraform has partially initialized the directory just enough to perform the configuration upgrade process, which is described in the following section.
We recommend running the configuration upgrade tool even if you do not see the above message, because it may detect and fix constructs that are syntactically correct but still need some changes to work as expected with Terraform v0.12.
Upgrading Terraform configuration
Terraform v0.12 includes a new command terraform 0.12upgrade
that will
read the configuration files for a module written for Terraform 0.11 and
update them in-place to use the cleaner Terraform 0.12 syntax and also
adjust for use of features that have changed behavior in the 0.12 Terraform
language.
Simple configuration files are likely to be understood by Terraform 0.12 as-is, because the language is still broadly compatible, but we recommend that everyone run the upgrade tool nonetheless. Even if your configuration is already compatible, the tool will update your configuration to use the cleaner syntax available in Terraform 0.12, which should improve readability.
To run the command, first make sure that your local working directory is synced with your version control system so that there are no changes outstanding. This will make it easier to review the changes that the upgrade tool is proposing, using the diff feature of your version control system.
With a fully-initialized working directory (all necessary providers and child
modules installed), run terraform 0.12upgrade
to begin the process. By default
it will print some information about what it is about to do and prompt for
confirmation:
This command will rewrite the configuration files in the given directory so
that they use the new syntax features from Terraform v0.12, and will identify
any constructs that may need to be adjusted for correct operation with
Terraform v0.12.
We recommend using this command in a clean version control work tree, so that
you can easily see the proposed changes as a diff against the latest commit.
If you have uncommitted changes already present, we recommend aborting this
command and dealing with them before running this command again.
Would you like to upgrade the module in the current directory?
If you answer yes, the .tf
and .tfvars
files in your current working
directory will be rewritten in-place.
The upgrade tool may also print out warnings about constructs it wasn't able to
migrate fully automatically; in that case, it will also emit comments into the
rewritten source files containing the special marker TF-UPGRADE-TODO
, as
a prompt for a decision you'll need to make to complete the upgrade.
Once the upgrade tool has successfully completed and you've resolved any
TF-UPGRADE-TODO
prompts, use your version control tool to review the proposed
changes and then run terraform plan
to see the effect of those changes.
In most cases, terraform plan
should report that no changes are required,
because the updated configuration is equivalent to before.
The remaining sections below describe both some common changes that the upgrade
tool is able to make automatically, and some other upgrade situations that
the configuration tool may not be able to fully resolve. If you encounter
any errors during the upgrade or during the subsequent terraform plan
, the
sections below may give some additional context for how to proceed.
Once you're happy with the updated configuration, commit it to version control in the usual way and apply it with Terraform 0.12.
Remote state references
The terraform_remote_state
data source has changed slightly for the v0.12
release to make all of the remote state outputs available as a single map
value, rather than as top-level attributes as in previous releases.
In previous releases, a reference to a vpc_id
output exported by the remote
state data source might have looked like this:
data.terraform_remote_state.vpc.vpc_id
This value must now be accessed via the new outputs
attribute:
data.terraform_remote_state.vpc.outputs.vpc_id
The upgrade tool will rewrite remote state references automatically to include
the additional outputs
attribute.
Where appropriate, you can also access the outputs attribute directly to work with the whole map as a single value:
data.terraform_remote_state.vpc.outputs
Another consideration for terraform_remote_state
is that this data source must
be able to parse the latest state snapshot for a separate Terraform
configuration that may have been updated by a newer version of Terraform.
To provide flexibility when upgrading decomposed environments that use
terraform_remote_state
, Terraform v0.11.14 introduced support for reading
outputs from the Terraform v0.12 state format, so if you upgrade all of your
configurations to Terraform v0.11.14 first you can then perform v0.12 upgrades
of individual configurations in any order, without breaking
terraform_remote_state
usage.
Note that the config
block should now be in the form of an assignment with the =
sign:
data "terraform_remote_state" "default" {
backend = "gcs"
config = {
bucket = "..."
}
}
Attributes vs. blocks
Terraform resource configurations consist of both arguments that set individual properties of the main object being described, and nested blocks which declare zero or more other objects that are modeled as being part of their parent. For example:
resource "aws_instance" "example" {
instance_type = "t2.micro"
ami = "ami-abcd1234"
tags = {
Name = "example instance"
}
ebs_block_device {
device_name = "sda2"
volume_type = "gp2"
volume_size = 24
}
}
In the above resource, instance_type
, ami
, and tags
are both direct
arguments of the aws_instance
resource, while ebs_block_device
describes
a separate EBS block device object that is connected to the parent instance.
Due to the design of the configuration language decoder in Terraform v0.11 and
earlier, it was in many cases possible to interchange the argument syntax
(with =
) and the block syntax (with just braces) when dealing with map
arguments vs. nested blocks. However, this led to some subtle bugs and
limitations, so Terraform v0.12 now requires consistent usage of argument
syntax for arguments and nested block syntax for nested blocks.
In return for this new strictness, Terraform v0.12 now allows map keys to be
set dynamically from expressions, which is a long-requested feature. The
main difference between a map attribute and a nested block is that a map
attribute will usually have user-defined keys, like we see in the tags
example above, while a nested block always has a fixed set of supported
arguments defined by the resource type schema, which Terraform will validate.
The configuration upgrade tool uses the provider's schema to recognize the nature of each construct and will select the right syntax automatically. For most simple usage, this will just involve adding or removing the equals sign as appropriate.
A more complicated scenario is where users found that they could exploit this flexibility to -- with some caveats -- dynamically generate nested blocks even though this wasn't intentionally allowed:
# Example of no-longer-supported workaround from 0.11 and earlier
ebs_block_device = "${concat(map("device_name", "sda4"), var.extra_block_devices)}"
Terraform v0.12 now includes a first-class feature for dynamically generating
nested blocks using expressions, using the special dynamic
block type. The
above can now be written like this, separating the static block device from
the dynamic ones:
ebs_block_device {
device_name = "sda4"
}
dynamic "ebs_block_device" {
for_each = var.extra_block_devices
content {
device_name = ebs_block_device.value.device_name
volume_type = ebs_block_device.value.volume_type
volume_size = ebs_block_device.value.volume_size
}
}
The configuration upgrade tool will detect use of the above workaround and
rewrite it as a dynamic
block, but it may make non-ideal decisions for how to
flatten your expression down into static vs. dynamic blocks, so we recommend
reviewing the generated dynamic
blocks to see if any simplifications are
possible.
Terraform v0.12 now also requires that each argument be set only once within
a particular block, whereas before Terraform would either take the last
definition or, in some cases, attempt to merge together multiple definitions
into a list. The upgrade tool does not remove or attempt to consolidate
any existing duplicate arguments, but other commands like terraform validate
will detect and report these after upgrading.
Integer vs. Float Number Types
From Terraform v0.12, the Terraform language no longer distinguishes between integer and float types, instead just having a single "number" type that can represent high-precision floating point numbers. This new type can represent any value that could be represented before, plus many new values due to the expanded precision.
In most cases this change should not cause any significant behavior change, but please note that in particular the behavior of the division operator is now different: it always performs floating point division, whereas before it would sometimes perform integer division by attempting to infer intent from the argument types.
If you are relying on integer division behavior in your configuration, please
use the floor
function to obtain the previous result. A common place this
would arise is in index operations, where the index is computed by division:
example = var.items[floor(count.index / var.any_number)]
Using a fractional number to index a list will produce an error telling you
that this is not allowed, serving as a prompt to add floor
:
Error: Invalid index
The given key does not identify an element in this collection value: indexing a
sequence requires a whole number, but the given index (0.5) has a fractional
part.
Unfortunately the automatic upgrade tool cannot apply a fix for this case because it does not have enough information to know if floating point or integer division was intended by the configuration author, so this change must be made manually where needed.
Referring to List Variables
In early versions of Terraform, before list support became first-class, we required using seemingly-redundant list brackets around a single expression in order to hint to the language interpreter that a list interpretation was desired:
# Example for older versions of Terraform; not valid for v0.12
example = ["${var.any_list}"]
This strange requirement was subsequently lifted after the introduction of first-class list support, but we retained compatibility with this older usage for a transitional period by including some fixup logic that would detect when list brackets contain list expressions and automatically flatten to a single list.
As part of implementing the first-class expressions support for v0.12, we needed to finally remove that backward-compatibility mechanism to avoid ambiguity in the language, so an expression like the above will now produce a list of lists and thus produce a type checking error for any argument that was expecting a list of some other type.
The upgrade tool is able to recognize most simple usage of this pattern and rewrite automatically to just refer to the list directly:
example = var.any_list
However, an unintended side-effect of this compatibility mechanism was to
also flatten mixed lists of single-value and list expressions into a single
list automatically. We didn't intend for this to be a part of the language, but
in retrospect it was an obvious consequence of how the compatibility mechanism
was implemented. If you have expressions in your modules that produce a list
of strings by using list brackets with a mixture of string and list-of-string
sub-expressions, you will need to rewrite this to explicitly use
the flatten
function
to make the special treatment more obvious to the reader:
example = flatten([
"single string",
var.any_list,
])
The configuration upgrade tool unfortunately cannot make this change automatically, because it doesn't have enough information to know for certain which interpretation was intended for a given list.
For complex examples that the upgrade tool is not able to adjust automatically, subsequent Terraform operations may produce an error message like the following:
Error: Incorrect attribute value type
on redundant-list-brackets.tf line 9, in resource "aws_security_group" "foo":
9: cidr_blocks = ["${var.cidr_blocks}"]
Inappropriate value for attribute "cidr_blocks": element 0: string required.
This message is reporting that Terraform has understood this expression as a
list of lists, and therefore element zero is a list rather than a string. To
fix the error, remove the redundant list brackets and possibly add a
flatten
function call as described above, for more complex cases.
Reserved Variable Names
In preparation for new features planned for future releases, Terraform 0.12 reserves some additional names that can no longer be used as input variable names for modules. These reserved names are:
count
depends_on
for_each
lifecycle
providers
source
When any of these names is used as the label of a variable
block, Terraform
will now generate the following error:
Error: Invalid variable name
on reserved-variable-names.tf line 2, in variable "count":
2: variable "count" {
The variable name "count" is reserved due to its special meaning inside module
blocks.
The upgrade tool cannot automatically adjust for these reserved names, because it does not know what new name would be more appropriate. To proceed, you must unfortunately rename these input variables and make a new major release of the module in question, since renaming input variables is a breaking change.
Type Constraints on Variables
In Terraform v0.11, variables were documented as accepting only strings, lists
of strings, and maps of strings. However, in practice Terraform permitted
lists of lists and lists of maps and other nested structures in some cases,
even though it was then generally inconvenient to work with those values
elsewhere in the module due to limitations of the index syntax, element
function, and lookup
function.
Terraform now allows various type constraints to be specified, as part of the language's new type system and generalized functions and operators. However, because lists and maps of non-string values were not officially supported in 0.11, existing configurations do not have enough information for the upgrade tool to know what element type was intended. It will therefore assume that lists and maps are of strings as documented, which will be incorrect for configurations using more complex structures. The result will be one of the following error messages:
Error: Invalid default value for variable
on child_module/example.tf line 4, in variable "example":
4: default = [
5: {
6: "foo" = "bar"
7: },
8: ]
This default value is not compatible with the variable's type constraint:
element 0: string required.
Error: Invalid value for module argument
on variables-incorrect-elem-type.tf line 4, in module "child":
4: example = [
5: {
6: "foo" = "bar"
7: },
8: ]
The given value is not suitable for child module variable "example" defined at
child/child.tf:1,1-19: element 0: string required.
To fix this, change the type
argument from list(string)
or map(string)
to a more appropriate type constraint.
If you're not sure what type constraint to use yet, another option is to
use the type constraint any
, which will effectively disable validation and
allow any value. We recommend using specific types where possible, but selecting
any
during upgrade may be preferable, so that the work to select and define
a more precise type can be saved for a later change at your leisure, once
upgrading is complete.
Working with count
on resources
The count
feature allows declaration of multiple instances of a particular
resource constructed from the same configuration. In Terraform v0.11, any
use of count
would generally lead to referring to the resource in question
using the "splat expression" syntax elsewhere in the configuration:
aws_instance.example.*.id[0]
Because aws_instance.example
itself was not directly referencable in
Terraform v0.11, the expression system allowed some flexibility in how such
expressions were resolved. For example, Terraform would treat
aws_instance.example.id
as an alias for aws_instance.example.*.id[0]
.
Terraform v0.12 allows referring to an entire resource as an object value,
but that required making a decision on what type of value is returned by
aws_instance.example
. The new rules are as follows:
-
For resources where
count
is not set, a reference likeaws_instance.example
returns a single object, whose attributes can be accessed in the usual way, likeaws_instance.example.id
. -
For resources where
count
is set -- even if the expression evaluates to1
--aws_instance.example
returns a list of objects whose length is decided by the count. In this caseaws_instance.example.id
is an error, and must instead be written asaws_instance.example[0].id
to access one of the objects before retrieving itsid
attribute value.
The splat syntax is still available and will still be useful in situations
where a list result is needed, but we recommend updating expressions like
aws_instance.example.*.id[count.index]
to instead be
aws_instance.example[count.index].id
, which should be easier to read and
understand for those who are familiar with other languages.
Another consequence of the new handling of count
is that you can use the
length
function directly with references to resources that have count
set:
length(aws_instance.example)
This replaces the v0.11 special case of aws_instance.example.count
, which
can no longer be supported due to aws_instance.example
being a list.
The upgrade tool will automatically detect references that are inconsistent
with the count
setting on the target resource and rewrite them to use the
new syntax. The upgrade tool will not rewrite usage of splat syntax to
direct index syntax, because the old splat syntax form is still compatible.
Another count
-related change is that Terraform now requires count
to be
assigned a numeric value, and will not automatically convert a boolean value
to a number in the interests of clarity. If you wish to use a boolean value
to activate or deactivate a particular resource, use the conditional operator
to show clearly how the boolean value maps to a number value:
count = var.enabled ? 1 : 0
First-class expressions
Terraform v0.11 and earlier allowed expressions only within interpolation
sequences, like "${var.example}"
. Because expressions are such an important
part of Terraform -- they are the means by which we connect the attributes of
one resource to the configuration of another -- Terraform v0.12 now allows
you to use expressions directly when defining most attributes.
ami = var.ami
The generalization of expression handling also has some other benefits. For
example, it's now possible to directly construct lists and maps within
expressions using the normal syntax, whereas in Terraform v0.11 we required
using the list
and map
functions:
# Old 0.11 example
tags = "${merge(map("Name", "example"), var.common_tags)}"
# Updated 0.12 example
tags = merge({ Name = "example" }, var.common_tags)
The automatic upgrade tool will perform rewrites like these automatically, making expressions easier to read and understand.
Default settings in connection
blocks
Terraform v0.11 and earlier allowed providers to pre-populate certain arguments
in a connection
block for use with remote provisioners. Several resource
type implementations use this to pre-populate type
as "ssh"
and host
as one of the IP addresses of the compute instance being created.
While that feature was convenient in some cases, we found that in practice it was hard for users to predict how it would behave, since each provider had its own rules for whether to prefer public vs. private IP addresses, which network interface to use, whether to use IPv4 or IPv6, etc.
It also violated our design principle of "explicit is better than implicit": we think it's important that someone who is unfamiliar with a particular Terraform configuration (or with Terraform itself) to be able to read the configuration and make a good guess as to what it will achieve, and the default connection settings feature left an important detail unstated: how do the provisioners access the host?
With this in mind, Terraform v0.12 no longer performs any automatic population
of connection
blocks. Instead, if you are using any remote provisioners you
should explicitly set the connection type and the hostname to connect to:
connection {
type = "ssh"
host = self.public_ip
# ...
}
The automatic upgrade tool will detect existing connection
blocks that are
lacking these settings within resource types that are known to have previously
set defaults, and it will write out an expression that approximates whatever
selection logic the provider was previously doing in its own implementation.
Unfortunately in some cases the provider did not export the result of the
possibly-rather-complex host selection expression as a single attribute, and so
for some resource types the generated host
expression will be quite
complicated. We recommend reviewing these and replacing them with a simpler
expression where possible, since you will often know better than Terraform does
which of the instance IP addresses are likely to be accessible from the host
where Terraform is running.
Upgrades for reusable modules
If you are making upgrades to a reusable module that is consumed by many different configurations, you may need to take care with the timing of your upgrade and of how you publish it.
We strongly recommend using module versioning, either via a Terraform registry or via version control arguments in your module source addresses, to pin existing references to the old version of the module and then publish the upgraded version under a new version number. If you are using semantic versioning, such as in a Terraform registry, the updates made by the upgrade tool should be considered a breaking change and published as a new major version.
The migration tool will automatically add a >= 0.12.0
Terraform version
constraint to indicate that the module has been upgraded to use v0.12-only
features. By using version constraints, users can gradually update their callers
to use the newly-upgraded version as they begin to use Terraform v0.12 with
those modules.
For simpler modules it may be possible to carefully adapt them to be both 0.11 and 0.12 compatible at the same time, by following the upgrade notes in earlier sections and avoiding any v0.12-only features. However, for any module using a undocumented workarounds for v0.11 limitations it is unlikely to be possible to both update it for Terraform v0.12 and retain v0.11 compatibility at the same time, because those undocumented workarounds have been replaced with new features in Terraform v0.12.
Map variables no longer merge when overridden
In prior versions of Terraform, a variable of type "map"
had a special
behavior where any value provided via mechanisms such as the -var
command
line option would be keywise-merged with any default value associated with
the variable. This was useful in early versions of Terraform that lacked
mechanisms for doing such merging explicitly, but since Terraform v0.10
introduced the concept of local values we consider it preferable to perform
such merges manually so that they are explicit in configuration:
variable "example_map" {
type = map(string)
default = {}
}
locals {
default_map_keys = {
"a" = "b"
}
merged_map_keys = merge(local.default_map_keys, var.example_map)
}
In order to improve the consistency of variable handling across types, the map variable merging behavior is removed in Terraform v0.12. Because this mechanism was driven by command line options rather than configuration, the automatic upgrade tool cannot automatically handle it. If you are relying on the merging feature, you must reorganize your configuration to use explicit merging like in the above example, or else your default map value will be entirely overridden by any explicitly-set value.
Upgrading remote
Backend Configuration
Terraform Enterprise users, and users of the Terraform SAAS free tier, will need
to run terraform init -reconfigure
to upgrade to Terraform 0.12.
Terraform provides a message stating that terraform init
is required; while
there is no harm in running this command, the next error message will clarify
that terraform init -reconfigure
is required.
Upgrading Sentinel policies
The Terraform Sentinel imports have been updated to work with Terraform 0.12. Care has been taken to ensure that the API is as backwards compatible as possible and most policies will continue to work without modification. However, there are some important changes and certain policies will need to modified.
More information on the changes can be found in our page on using Sentinel with Terraform 0.12.
It's strongly advised that you test your Sentinel policies after upgrading to Terraform 0.12 to ensure they continue to work as expected. Mock generation has also been updated to produce mock data for the Sentinel imports as they appear in Terraform 0.12.
For more information on testing a policy with 0.11 and 0.12 at the same time, see the section on testing a policy with 0.11 and 0.12 simultaneously.