What Is New in Terraform 0.14
Terraform 0.14 introduces a suite of enhancements focused on security, workflow, and provider management. This release builds on previous versions to give operators more control and visibility into their infrastructure.
| Category | Key Changes |
|---|---|
| New Features | Provider Dependency Lock File, Sensitive Input Variables, Concise Diff |
| Improvements | Core and Provider Installation, Validation Rules |
| Bug Fixes | Various fixes across core and providers |
| Deprecations | Deprecation of certain template functions |
How does the provider dependency lockfile improve stability?
The new dependency lock file is a game-changer for team consistency. It pins the exact versions of all providers used in your configuration and writes those selections to a .terraform.lock.hcl file.
In practice, this means terraform init will install the same provider versions every time, preventing unexpected changes from a new patch version. You have to explicitly run terraform init -upgrade to get newer versions, which is perfect for controlled rollouts.
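Because every provider change has to pass through .terraform.lock.hcl, a review step can diff the file and surface exactly what moved. The following is an added example, not code from this article or from Terraform: the function names parse_lock and lock_drift are hypothetical, the parser assumes the flat provider-block layout that terraform init writes, and the sample lock file contents (versions and hashes) are constructed placeholders.

```python
import re

# One provider block of .terraform.lock.hcl; blocks are flat, so "\n}" ends a block.
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

def parse_lock(text):
    """Return {provider address: {"version": str or None, "hashes": set}}."""
    providers = {}
    for addr, body in PROVIDER_RE.findall(text):
        version = re.search(r'^\s*version\s*=\s*"([^"]+)"', body, re.M)
        hashes = re.search(r'hashes\s*=\s*\[(.*?)\]', body, re.S)
        found = re.findall(r'"([^"]+)"', hashes.group(1)) if hashes else []
        providers[addr] = {"version": version.group(1) if version else None, "hashes": set(found)}
    return providers

def lock_drift(old_text, new_text):
    """List the provider changes between two lock files for explicit review."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for addr in sorted(old.keys() | new.keys()):
        if addr not in old:
            findings.append(f"ADDED {addr} {new[addr]['version']}")
        elif addr not in new:
            findings.append(f"REMOVED {addr}")
        elif old[addr]["version"] != new[addr]["version"]:
            findings.append(f"VERSION {addr} {old[addr]['version']} -> {new[addr]['version']}")
        elif old[addr]["hashes"] != new[addr]["hashes"]:
            # Same version, different recorded checksums: confirm the change was intended.
            findings.append(f"HASHES {addr} {new[addr]['version']}")
    return findings

# Constructed sample lock files; versions and hashes are placeholders, not real values.
BASE = '''
provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.20.0"
  constraints = "~> 3.0"
  hashes = [
    "h1:CONSTRUCTED-HASH-AAAA=",
  ]
}
provider "registry.terraform.io/hashicorp/random" {
  version = "3.0.0"
  hashes = [
    "h1:CONSTRUCTED-HASH-BBBB=",
  ]
}
'''
CHANGED = BASE.replace('"3.20.0"', '"3.21.0"').replace("BBBB", "CCCC")
if __name__ == "__main__":
    print("\n".join(lock_drift(BASE, CHANGED)))
```

In a pipeline, pass it the lock file from the base branch and the one from the change under review, and require sign-off on every finding it returns.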
What's the deal with marking variables as sensitive?
Terraform 0.14 allows you to mark input variables and module outputs as sensitive. When you do this, Terraform will redact that value from its console output and log files.
This matters because it prevents accidental leakage of secrets like passwords or API keys in your CI/CD logs. It's not a silver bullet for secret management (you should still use a proper secrets manager), but it's a huge step forward for basic operational hygiene.

```hcl
variable "db_password" {
  type      = string
  sensitive = true
}
```
Why is the plan output now more concise?
The terraform plan output got a major readability upgrade. It now hides unchanged and irrelevant fields by default, focusing your attention on what actually matters.
You'll see a much cleaner diff that highlights only the resources being modified. If you need the full verbose output for debugging, you can still get it with the -detailed-exitcode flag. This change makes reviewing plans significantly faster, especially in large codebases.
Were there any changes to the core installation process?
Yes, the installation process for Terraform core and providers was optimized. The terraform init command now handles provider installation more efficiently, which is noticeable in environments with slow network connections.
Additionally, there's improved validation for provider requirements. Terraform will now catch and report errors for incompatible provider versions earlier in the process, saving you from runtime failures.
FAQ
Is the lockfile mandatory? What happens if I don't use it?
No, it's optional but highly recommended. Without it, you revert to the pre-0.14 behavior where terraform init can fetch newer provider versions that meet the version constraints, potentially introducing breaking changes.
Does the sensitive variables feature encrypt my values?
No. It only suppresses the values in Terraform's output and logs. The sensitive values are still stored in plaintext in your state file, so you must continue to protect state backend access accordingly.
Can I mark an entire resource as sensitive?
Not directly. The sensitive flag is for variables and module outputs. However, if a resource attribute is inherently sensitive (like a password), the provider can mark it as such, and Terraform will propagate that sensitivity.
How do I upgrade provider versions with the new lockfile?
To intentionally upgrade a provider, you need to run terraform init -upgrade. This will update the lockfile to the newest acceptable version per your version constraints.
Will the concise diff ever hide information I need?
It's designed to hide noise, not signal. For the vast majority of workflows, it shows everything you need. If you suspect a problem with a specific attribute, the verbose plan output is always available for deep inspection.