build(deps): Bump github.com/hashicorp/terraform from 0.13.5 to 0.14.0

[dependabot]

Bumps github.com/hashicorp/terraform from 0.13.5 to 0.14.0.

Release notes

Sourced from github.com/hashicorp/terraform's releases.

v0.14.0

0.14.0 (December 02, 2020)

NEW FEATURES:

• Terraform now supports marking input variables as sensitive, and will propagate that sensitivity through expressions that derive from sensitive input variables.

• terraform init will now generate a lock file in the configuration directory which you can check in to your version control so that Terraform can make the same version selections in future. (#26524)

  If you wish to retain the previous behavior of always taking the newest version allowed by the version constraints on each install, you can run terraform init -upgrade to see that behavior.

• Terraform will now support reading and writing all compatible state files, even from future versions of Terraform. This means that users of Terraform 0.14.0 will be able to share state files with future Terraform versions until a new state file format version is needed. We have no plans to change the state file format at this time. (#26752)

UPGRADE NOTES:

• Outputs that reference sensitive values (which includes variables marked as sensitive, other module outputs marked as sensitive, or attributes a provider defines as sensitive if the provider_sensitive_attrs experiment is activated) must also be defined as sensitive, or Terraform will error at plan.
• The version argument inside provider configuration blocks has been documented as deprecated since Terraform 0.12. As of 0.14 it will now also generate an explicit deprecation warning. To avoid the warning, use provider requirements declarations instead. (#26135)
• The official MacOS builds of Terraform now require MacOS 10.12 Sierra or later. (#26357)
• TLS certificate verification for outbound HTTPS requests from Terraform CLI no longer treats the certificate's "common name" as a valid hostname when the certificate lacks any "subject alternative name" entries for the hostname. TLS server certificates must list their hostnames as a "DNS name" in the subject alternative names field. (#26357)
• Outbound HTTPS requests from Terraform CLI now enforce RFC 8446's client-side downgrade protection checks. This should not significantly affect normal operation, but may result in connection errors in environments where outgoing requests are forced through proxy servers and other "middleboxes", if they have behavior that resembles a downgrade attack. (#26357)
• Terraform's HTTP client code is now slightly stricter than before in HTTP header parsing, but in ways that should not affect typical server implementations: Terraform now trims only ASCII whitespace characters, and does not allow Transfer-Encoding: identity. (#26357)
• The terraform 0.13upgrade subcommand and the associated upgrade mechanisms are no longer available. Complete the v0.13 upgrade process before upgrading to Terraform v0.14.
• The debug command, which did not offer additional functionality, has been removed.

ENHANCEMENTS:

• config: Added sensitive argument for variable blocks, which supresses output where that variable is used (#26183)
• config: Added alltrue and anytrue functions, which serve as a sort of dynamic version of the && and || or operators, respectively. These are intended to allow evaluating boolean conditions, such as in variable validation blocks, across all of the items in a collection using for expressions. (#25656], [#26498)
• config: New functions textencodebase64 and textdecodebase64 for encoding text in various character encodings other than UTF-8. (#25470)
• terraform plan and terraform apply: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)
• config: ignore_changes can now apply to map keys that are not listed in the configuration (#26421)
• terraform console: Now has distinct rendering of lists, sets, and tuples, and correctly renders objects with null attribute values. Multi-line strings are rendered using the "heredoc" syntax. (#26189, #27054)
• terraform login: Added support for OAuth2 application scopes. (#26239)
• terraform fmt: Will now do some slightly more opinionated normalization behaviors, using the documented idiomatic syntax. (#26390)
• terraform init's provider installation step will now abort promptly if Terraform receives an interrupt signal. (#26405)
• cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
• cli: help text is been reorganized to emphasize the main commands and improve consistency (#26695)
• cli: Ensure that provider requirements are met by the locked dependencies for every command. This will help catch errors if the configuration has changed since the last run of terraform init. (#26761)
• core: When sensitive values are used as part of provisioner configuration, logging is disabled to ensure the values are not displayed to the UI (#26611)
• core: terraform plan no longer uses a separate refresh phase. Instead, all resources are updated on-demand during planning (#26270)
• modules: Adds support for loading modules with S3 virtual hosted-style access (#26914)
• backend/consul: Split state into chunks when outgrowing the limit of the Consul KV store. This allows storing state larger than the Consul 512KB limit. (#25856)
• backend/consul: Add force-unlock support to the Consul backend (#25837)
• backend/gcs: Add service account impersonation to GCS backend (#26837)
• On Unix-based operating systems other than MacOS, the SSL_CERT_DIR environment variable can now be a colon-separated list of multiple certificate search paths. (#26357)
• On MacOS, Terraform will now use the Security.framework API to access the system trust roots, for improved consistency with other MacOS software. (#26357)

BUG FIXES:

• config: Report an error when provider configuration attributes are incorrectly added to a required_providers object. (#26184)
• config: Better errors for invalid terraform version constraints (#26543)
• config: fix panic when element() is called with a negative offset (#26079)

... (truncated)

Changelog

Sourced from github.com/hashicorp/terraform's changelog.

0.14.0 (December 02, 2020)

NEW FEATURES:

• Terraform now supports marking input variables as sensitive, and will propagate that sensitivity through expressions that derive from sensitive input variables.

• terraform init will now generate a lock file in the configuration directory which you can check in to your version control so that Terraform can make the same version selections in future. (#26524)

  If you wish to retain the previous behavior of always taking the newest version allowed by the version constraints on each install, you can run terraform init -upgrade to see that behavior.

• Terraform will now support reading and writing all compatible state files, even from future versions of Terraform. This means that users of Terraform 0.14.0 will be able to share state files with future Terraform versions until a new state file format version is needed. We have no plans to change the state file format at this time. (#26752)

UPGRADE NOTES:

• Outputs that reference sensitive values (which includes variables marked as sensitive, other module outputs marked as sensitive, or attributes a provider defines as sensitive if the provider_sensitive_attrs experiment is activated) must also be defined as sensitive, or Terraform will error at plan.
• The version argument inside provider configuration blocks has been documented as deprecated since Terraform 0.12. As of 0.14 it will now also generate an explicit deprecation warning. To avoid the warning, use provider requirements declarations instead. (#26135)
• The official MacOS builds of Terraform now require MacOS 10.12 Sierra or later. (#26357)
• TLS certificate verification for outbound HTTPS requests from Terraform CLI no longer treats the certificate's "common name" as a valid hostname when the certificate lacks any "subject alternative name" entries for the hostname. TLS server certificates must list their hostnames as a "DNS name" in the subject alternative names field. (#26357)
• Outbound HTTPS requests from Terraform CLI now enforce RFC 8446's client-side downgrade protection checks. This should not significantly affect normal operation, but may result in connection errors in environments where outgoing requests are forced through proxy servers and other "middleboxes", if they have behavior that resembles a downgrade attack. (#26357)
• Terraform's HTTP client code is now slightly stricter than before in HTTP header parsing, but in ways that should not affect typical server implementations: Terraform now trims only ASCII whitespace characters, and does not allow Transfer-Encoding: identity. (#26357)
• The terraform 0.13upgrade subcommand and the associated upgrade mechanisms are no longer available. Complete the v0.13 upgrade process before upgrading to Terraform v0.14.
• The debug command, which did not offer additional functionality, has been removed.

ENHANCEMENTS:

• config: Added sensitive argument for variable blocks, which supresses output where that variable is used (#26183)
• config: Added alltrue and anytrue functions, which serve as a sort of dynamic version of the && and || or operators, respectively. These are intended to allow evaluating boolean conditions, such as in variable validation blocks, across all of the items in a collection using for expressions. (#25656], [#26498)
• config: New functions textencodebase64 and textdecodebase64 for encoding text in various character encodings other than UTF-8. (#25470)
• terraform plan and terraform apply: Added an experimental concise diff renderer. By default, Terraform plans now hide most unchanged fields, only displaying the most relevant changes and some identifying context. This experiment can be disabled by setting a TF_X_CONCISE_DIFF environment variable to 0. (#26187)
• config: ignore_changes can now apply to map keys that are not listed in the configuration (#26421)
• terraform console: Now has distinct rendering of lists, sets, and tuples, and correctly renders objects with null attribute values. Multi-line strings are rendered using the "heredoc" syntax. (#26189, #27054)
• terraform login: Added support for OAuth2 application scopes. (#26239)
• terraform fmt: Will now do some slightly more opinionated normalization behaviors, using the documented idiomatic syntax. (#26390)
• terraform init's provider installation step will now abort promptly if Terraform receives an interrupt signal. (#26405)
• cli: A new global command line option -chdir=..., placed before the selected subcommand, instructs Terraform to switch to a different working directory before executing the subcommand. This is similar to switching to a new directory with cd before running Terraform, but it avoids changing the state of the calling shell. (#26087)
• cli: help text is been reorganized to emphasize the main commands and improve consistency (#26695)
• cli: Ensure that provider requirements are met by the locked dependencies for every command. This will help catch errors if the configuration has changed since the last run of terraform init. (#26761)
• core: When sensitive values are used as part of provisioner configuration, logging is disabled to ensure the values are not displayed to the UI (#26611)
• core: terraform plan no longer uses a separate refresh phase. Instead, all resources are updated on-demand during planning (#26270)
• modules: Adds support for loading modules with S3 virtual hosted-style access (#26914)
• backend/consul: Split state into chunks when outgrowing the limit of the Consul KV store. This allows storing state larger than the Consul 512KB limit. (#25856)
• backend/consul: Add force-unlock support to the Consul backend (#25837)
• backend/gcs: Add service account impersonation to GCS backend (#26837)
• On Unix-based operating systems other than MacOS, the SSL_CERT_DIR environment variable can now be a colon-separated list of multiple certificate search paths. (#26357)
• On MacOS, Terraform will now use the Security.framework API to access the system trust roots, for improved consistency with other MacOS software. (#26357)

BUG FIXES:

• config: Report an error when provider configuration attributes are incorrectly added to a required_providers object. (#26184)
• config: Better errors for invalid terraform version constraints (#26543)
• config: fix panic when element() is called with a negative offset (#26079)
• config: lookup() will now only treat map as unknown if it is wholly unknown (#26427)

... (truncated)

Commits

• 02f0ec2 Release v0.14.0
• 983d399 backport of commit d98598d3ce3104c534f84b81263ef26b064ae716
• c46b2ed website: Backport of add new learn links, improve legacy landing pages into v...
• b397344 Merge pull request #27056 from hashicorp/backport/alisdair/hcl-v2.7.2/blindly...
• 46118fc Update CHANGELOG.md
• 7ec4cec Merge pull request #27054 from hashicorp/backport/alisdair/output-heredocs/mu...
• b5cdf5a backport of commit 72567388353bda5fb3cb7f055b9a8198c9543d08
• 56516bb backport of commit 4e7607deb5383a4be421d16513f22325dc2e55fa
• af587cb backport of commit a56e49263b87e1bce50fe3c7238a6a88f3219c4e
• 67d0e4b Merge pull request #26987 from hashicorp/backport/nov20_remove_registry/quick...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[bendrucker]

Because no experiments were added in 0.13/removed in 0.14, this should be non-breaking:

https://github.com/hashicorp/terraform/blob/v0.14/CHANGELOG.md