» Upgrading to Terraform v0.9

Terraform v0.9 is a major release and thus includes some changes that you'll need to consider when upgrading. This guide is meant to help with that process.

The goal of this guide is to cover the most common upgrade concerns and issues that would benefit from more explanation and background. The exhaustive list of changes will always be the Terraform Changelog. After reviewing this guide, we recommend reviewing the Changelog to check on specific notes about the resources and providers you use.

» Remote State

Remote state has been overhauled to be easier and safer to configure and use. The new changes are backwards compatible with existing remote state and you'll be prompted to migrate to the new remote backend system.

An in-depth guide for migrating to the new backend system is available here. This includes backing up your existing remote state and also rolling back if necessary.

The only non-backwards compatible change is in the CLI: the existing terraform remote config command is now gone. Remote state is now configured via the "backend" section within the Terraform configuration itself.

Example configuring a Consul remote backend:

terraform {
  backend "consul" {
    address    = "demo.consul.io"
    datacenter = "nyc3"
    path       = "tfdemo"
    scheme     = "https"

Action: Nothing immediately, everything will continue working except scripts using terraform remote config. As soon as possible, upgrade to backends.

» State Locking

Terraform 0.9 now will acquire a lock for your state if your backend supports it. This change is backwards compatible, but may require enhanced permissions for the authentication used with your backend.

Backends that support locking as of the 0.9.0 release are: local files, Amazon S3, HashiCorp Consul, and Terraform Enterprise (atlas). If you don't use these backends, you can ignore this section.

Specific notes for each affected backend:

  • Amazon S3: DynamoDB is used for locking. The AWS access keys must have access to Dynamo. You may disable locking by omitting the lock_table key in your backend configuration.

  • HashiCorp Consul: Sessions are used for locking. If an auth token is used it must have permissions to create and destroy sessions. You may disable locking by specifying lock = false in your backend configuration.

Action: Update your credentials or configuration if necessary.