feat: update opentofu/opentofu to v1.11.3 #minor - autoclosed #415

public-glueops-renovatebot · 2025-12-09T18:09:54Z

This PR contains the following updates:

Package	Update	Change
opentofu/opentofu	minor	`1.10.7` → `1.11.3`

Release Notes

opentofu/opentofu (opentofu/opentofu)

`v1.11.3`

Compare Source

BUG FIXES:

Fix crash when the executed configuration contains an import block that points to unexisting configuration block (#3616)
Fixed tofu test with mock_provider failing during cleanup when lifecycle { ignore_changes } references a block. (#3644)
Fixed state lock not being released when tofu apply is interrupted with Ctrl+C while using the HTTP backend. (#3624)
azure backend: resolve OIDC token dynamically to support ADO refresh. (#3594)

Full Changelog: opentofu/opentofu@v1.11.2...v1.11.3

`v1.11.2`

Compare Source

UPGRADE NOTES:

The change from #2643, that was announced previously in v1.11.0, has been reverted in this release. OpenTofu will no longer directly recommend using the -exclude= option to work around problems caused by unknown values in provider configurations.

Unfortunately there are existing providers that spuriously report that they cannot plan due to unknown values even when planning would have been successful, and so we cannot rely on providers to accurately signal when unknown values are the cause of an error. Using -exclude is still a valid workaround for these problems even though OpenTofu cannot accurately detect when it's useful to make that suggestion.

BUG FIXES:

Fix crash in plan -generate-config-out with read-only nested attributes (#3553)
It's now possible again to plan changes with the hashicorp/helm and hashicorp/kubernetes providers when the provider configuration contains unknown values, as long as the configuration is carefully written to avoid the plan phase actually depending on those values. (#3592)
When running tofu init on Windows with an azurerm backend, the subscription_id is quoted correctly allowing successful authentication. (#3602)
Fix serialization error in apply when using cloud backend (#3611)

Full Changelog: opentofu/opentofu@v1.11.1...v1.11.2

`v1.11.1`

Compare Source

BUG FIXES:

Fixed regression where import validation would incorrectly flag variables used in for_each statements within import blocks (#3564)
Fixed lifecycle enabled serialization in plan file (#3566)
Fixed regression when validating import.id expressions (#3567)

Full Changelog: opentofu/opentofu@v1.11.0...v1.11.1

`v1.11.0`

Compare Source

OpenTofu 1.11.0

We're proud to announce that OpenTofu 1.11.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Ephemeral Values and Write Only Attributes

Ephemeral resources allow you to work with confidential data, temporary credentials, and transient infrastructure without persisting them to your state.

ephemeral "aws_secretsmanager_random_password" "password" {

}

resource "kubernetes_secret_v1" "credentials" {
  metadata {
    name = "admin"
    namespace = "my-app"
  }
  data_wo = {
    username = "admin"
    password = ephemeral.aws_secretsmanager_random_password.password.random_password
  }

  data_wo_revision = 1
  type = "kubernetes.io/basic-auth"
}

The `enabled` Meta-Argument

If you want to conditionally deploy a resource, you no longer have to use count = var.create_my_resource ? 1 : 0, you can now add the new enabled meta-argument to your resource to conditionally deploy it.

resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"

  lifecycle {
    enabled = var.create_instance  # Simple boolean condition
  }
}

Compatibility Notes

macOS: Requires macOS 12 Monterey or later
Azure Backend (azurerm):
- The endpoint and ARM_ENDPOINT configuration options are no longer supported
- The msi_endpoint and ARM_MSI_ENDPOINT options are no longer supported
- The environment and metadata_host arguments are now mutually exclusive
issensitive() Function: Now correctly returns unknown results when evaluating unknown values. Code that previously relied on the incorrect behavior may need updates.
Testing with Mocks: Mock values generated during testing now strictly adhere to provider schemas. Test configurations with invalid mock values will need to be corrected.
S3 Module Installation: When installing module packages from Amazon S3 buckets using S3 source addresses OpenTofu will use the same credentials as the AWS CLI and SDK.
TLS and SSH Security:
- SHA-1 signatures are no longer accepted for TLS or SSH connections
- SSH certificates must comply with the draft-miller-ssh-cert-03 specification
-var/-var-file during tofu apply <planfile>:
- Since ephemeral variables values cannot be saved into the plan, now we allow using -var/-var-file during tofu apply <planfile> to pass again the values for ephemeral variables during apply
- This new functionality allows -var/-var-file to be used with non-ephemeral variables too, but it will error if the values given for this type of variables is different from the ones given during the plan creation
- TF_VAR values should stay consistent between plan and apply <planfile> to avoid the errors mentioned above

Reference

Thank you for your continued support and testing of the OpenTofu project!

`v1.10.8`

Compare Source

SECURITY ADVISORIES:

This release contains fixes for some security advisories related to previous releases in this series.

Incorrect handling of excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

This release incorporates the upstream fixes for GO-2025-4175.
Excessive CPU usage when reporting error about crafted TLS certificate with many hostnames

This release incorporates the upstream fixes for GO-2025-4155.

Full Changelog: opentofu/opentofu@v1.10.7...v1.10.8

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

public-glueops-renovatebot bot added the auto-update label Dec 9, 2025

github-actions bot added include-in-release-notes enhancement New feature or request minor labels Dec 9, 2025

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor~~ feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed Dec 9, 2025

public-glueops-renovatebot bot closed this Dec 9, 2025

public-glueops-renovatebot bot deleted the renovate/opentofu-opentofu-1.11.x branch December 9, 2025 18:10

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed~~ feat: update opentofu/opentofu to v1.11.0 #minor Dec 9, 2025

public-glueops-renovatebot bot reopened this Dec 9, 2025

public-glueops-renovatebot bot force-pushed the renovate/opentofu-opentofu-1.11.x branch 2 times, most recently from c0d1861 to 15beeba Compare December 9, 2025 18:27

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor~~ feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed Dec 9, 2025

public-glueops-renovatebot bot closed this Dec 9, 2025

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed~~ feat: update opentofu/opentofu to v1.11.0 #minor Dec 9, 2025

public-glueops-renovatebot bot reopened this Dec 9, 2025

public-glueops-renovatebot bot force-pushed the renovate/opentofu-opentofu-1.11.x branch 2 times, most recently from 15beeba to f4d89c5 Compare December 9, 2025 18:44

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor~~ feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed Dec 9, 2025

public-glueops-renovatebot bot closed this Dec 9, 2025

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed~~ feat: update opentofu/opentofu to v1.11.0 #minor Dec 9, 2025

public-glueops-renovatebot bot reopened this Dec 9, 2025

public-glueops-renovatebot bot force-pushed the renovate/opentofu-opentofu-1.11.x branch 2 times, most recently from f4d89c5 to 5422f72 Compare December 9, 2025 18:56

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor~~ feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed Dec 9, 2025

public-glueops-renovatebot bot closed this Dec 9, 2025

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed~~ feat: update opentofu/opentofu to v1.11.0 #minor Dec 9, 2025

public-glueops-renovatebot bot reopened this Dec 9, 2025

public-glueops-renovatebot bot force-pushed the renovate/opentofu-opentofu-1.11.x branch 2 times, most recently from 5422f72 to ca1184e Compare December 9, 2025 19:07

public-glueops-renovatebot bot changed the title ~~feat: update opentofu/opentofu to v1.11.0 #minor~~ feat: update opentofu/opentofu to v1.11.0 #minor - autoclosed Dec 9, 2025

public-glueops-renovatebot bot reopened this Jan 18, 2026

public-glueops-renovatebot bot force-pushed the renovate/opentofu-opentofu-1.11.x branch from 13452e0 to 4e1d3f8 Compare January 18, 2026 17:26