v1.1.2

Summary

This release includes security vulnerability remediations and dependency updates.

Security Fixes

This release addresses multiple CVE vulnerabilities:

Go stdlib vulnerabilities:

• Updated Go version to 1.25.9 to address CVE-2026-27140, CVE-2026-32283, CVE-2026-32280, CVE-2026-32281, CVE-2026-32289, CVE-2026-32282, CVE-2026-32288

Dependency vulnerabilities:

• Updated github.com/hashicorp/go-getter to v1.8.6 (fixes GHSA-92mm-2pjq-r785)
• Updated github.com/go-jose/go-jose/v4 to v4.1.4 (fixes GHSA-78h2-9frx-2jm8)
• Updated go.opentelemetry.io/otel/sdk to v1.43.0 (fixes GHSA-hfvc-g4fc-pqhx)
• Updated github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8 (fixes GHSA-xmrv-pmrh-hhx2)
• Updated github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 (fixes GHSA-xmrv-pmrh-hhx2)

Other Changes

• Updated CI workflow Go version to match go.mod

v1.1.1

Summary

This release includes security fixes and toolchain updates.

Security Fixes

• CVE-2026-25679, CVE-2026-27142, CVE-2026-27139: Updated Go to version 1.25.8
• GHSA-p77j-4mvh-x3m3: Updated google.golang.org/grpc to v1.79.3

Improvements

• Updated golangci-lint to v2.11.4 for Go 1.25 compatibility
• Updated CI workflows to use Go 1.25.8

v1.0.5

Summary

This release includes critical security fixes and dependency updates for the OpenTofu provider.

Security Fixes

• Go Runtime: Updated to Go 1.25.8 to address CVE-2026-25679, CVE-2026-27142, and CVE-2026-27139
• gRPC: Updated google.golang.org/grpc to v1.79.3 to address GHSA-p77j-4mvh-x3m3

Improvements

• Updated golangci-lint to v2.11.4 for Go 1.25 compatibility
• Updated CI workflows to use Go 1.25.8

This release ensures compatibility with the latest security patches and maintains code quality standards.

v1.1.0

Summary

This release includes security fixes, dependency updates, and new features.

Security

• Remediated multiple CVE vulnerabilities through Go dependency updates
• Updated Go version to 1.24.13 to address security vulnerabilities

Updates

• Updated OpenTofu runtime to 1.10.8
• Updated Alpine base image to 3.22.2
• Bumped uptest to v2
• Updated Crossplane version to 2.0.2
• Updated kind version to v0.30.0

Features

• Added remotePullPolicy to reduce remote module download costs

v1.0.4

Summary

This release includes security fixes, bug fixes, and dependency updates.

Highlights

• Security vulnerability remediation: Updated Go version to 1.24.13 to address multiple CVEs (CVE-2025-68121, CVE-2025-61726, CVE-2025-61731, CVE-2025-61732, CVE-2025-61730, CVE-2025-61728)
• Garbage collection fix: Consolidated garbage collection logic for namespaced and cluster-scoped workspaces to prevent unintended workspace directory deletions caused by race conditions between GC instances

v1.0.3

This release updates go mod dependencies to fix the following CVEs:

• CVE-2025-61729
• CVE-2025-61727

What's Changed

• [release-1.0]: Update go.mod dependencies [SECURITY] by @upbound-bot in #115

v1.0.2

This release updates go mod dependencies to fix the following CVEs:

• CVE-2025-58181
• CVE-2025-47914

What's Changed

• [release-1.0]: Update go.mod dependencies [SECURITY] by @upbound-bot

v1.0.1

This release updates go mod dependencies to fix the following CVEs:

• CVE-2025-61723
• CVE-2025-61725
• CVE-2025-58186
• CVE-2025-61724
• CVE-2025-47912
• CVE-2025-58188
• CVE-2025-58189
• CVE-2025-58185
• CVE-2025-58187
• CVE-2025-58183

What's Changed

• [release-1.0]: Update go.mod dependencies [SECURITY] by @upbound-bot in #108

v1.0.0

Release v1.0.0

Caution

This release introduces breaking changes and significant internal upgrades. Please review the release notes thoroughly, make the necessary changes to your manifests, and test thoroughly before upgrading.

Before using any Crossplane v2 capabilities in the provider, we encourage you to familiarize yourself with the changes in v2.

This release introduces:

• Compatibility with Crossplane v2
• Support for Crossplane v2 namespace-scoped Managed Resources (MRs) alongside existing cluster-scoped MRs.
• Upgrade to crossplane-runtime v2.0.0.
• Removal of External Secret Store support.

Please review the breaking changes carefully before upgrading.

Namespace-scope MR Support (Crossplane v2-only)

• New namespace-scoped MR APIs are available under the opentofu.m.upbound.io API group.
• All new APIs are at version v1beta1.
• ProviderConfig
  • ProviderConfig.opentofu.m.upbound.io is now namespace-scoped.
  • A new cluster-scoped ClusterProviderConfig.opentofu.m.upbound.io resource was added; new MRs can reference either ProviderConfig or ClusterProviderConfig via spec.providerConfigRef.kind.
  • spec.providerConfigRef defaults to ClusterProviderConfig with name default when omitted.
• spec.writeConnectionSecretToRef and sensitive parameter refs (e.g., spec.forProvider.fooSecretRef) in namespace-scoped MRs are now local secret references (if no namespace is specified, it defaults to the MR's namespace).
• Cross-resource references are now namespace-scoped by default, however, cross-namespace references are allowed.
• This provider will serve both the new namespace-scoped and cluster-scoped APIs.

Note

Cluster-scoped MRs do NOT implement the above changes and continue operating as before.

Removed Features

• External Secret Store support has been removed from all MRs (spec.publishConnectionDetailsTo is no longer available) as the feature has been removed in Crossplane v2.

Note

The removed feature is the External Secret Store, which allowed storing connection details outside the cluster (e.g., in Vault). Connection secrets for managed resources remain available for storing connection details in Kubernetes Secrets.

Other Notable Changes

• SafeStart capability has been added (Crossplane v2-only): Controllers start once their CRD is installed.
• Repository structure changes:
  • apis, controllers, and examples now have scoped subdirectories: cluster and namespaced.
  • Resource configurations are also scoped; updates must be applied to both where relevant.
  • Examples for namespace-scoped MRs are included.

Note

This PR duplicates most of the controller logic and apis for namespaced MRs with several namespace-specific code modified. A refactoring of types and controllers should follow-up.

Backward Compatibility Notes

• This provider can be installed in Crossplane v1.x environments:
  • Both cluster-scoped and namespace-scoped CRDs will be installed; namespace-scoped CRDs cannot be composed in v1.x.
  • SafeStart will be disabled.
• When upgrading from v1.x providers, review all breaking resource API changes noted above. The package itself is Crossplane v1.x compatible, but there can be resources that have API changes that need adjustment in your control plane.

Upgrade Guide

1. Review all affected resources listed under Breaking API Changes.
2. Update manifests to reflect renamed/removed properties.
3. For Crossplane v2.x users:
   • Ensure secret and reference configurations align with the new namespace-scoped MR behavior.
   • Decide whether to use ProviderConfig or ClusterProviderConfig.
4. Remove any spec.publishConnectionDetailsTo usage.
5. Validate repository structure changes if maintaining custom resource configurations.

What's Changed

• Fix directory name in Dockerfile by @turkenf in #2
• Update registry organization by @turkenf in #3
• Add github bot token to scan workflow by @turkenf in #4
• Add docker username and secrets to scan workflow by @turkenf in #5
• Remove scan workflow by @turkenf in #6
• Set the repo's official provider requirements by @turkenf in #7
• Bump opentofu version to v1.9.0 by @turkenf in #10
• Fix a few typos in the documentation by @peimanja in #11
• Bump the go_modules group across 1 directory with 2 updates by @dependabot[bot] in #9
• Update go version to 1.23.6 [SECURITY] by @sergenyalcin in #13
• Prevent external contributors from triggering workflows via PR comments by @turkenf in #15
• Update to v4.0 of action/cache by @pib in #32
• Fix: switch back to TF_ prefixes for opentofu env vars by @pib in #18
• Fix: provide environment variables when running tofu workspace new by @pib in #19
• Bump golang.org/x/net from 0.34.0 to 0.36.0 in the go_modules group across 1 directory by @dependabot[bot] in #35
• Update all non-major github action by @renovate[bot] in #42
• Update alpine Docker tag to v3.21.3 by @renovate[bot] in #39
• Update actions/cache digest to 5a3ec84 by @renovate[bot] in #38
• Update Terraform random to v3.7.1 by @renovate[bot] in #41
• Bump dependencies by @jeanduplessis in #37
• Update docs about disabling plugin cache by @ztzxt in #60
• [main] Update go.mod dependencies [SECURITY] by @turkenf in #63
• [main] Update go.mod dependencies [SECURITY] by @turkenf in #68
• Update OPENTOFU_VERSION to 1.10.0 in Dockerfile by @iomarcovalente in #70
• add basic plumbing for provider startup checks by @jastang in #72
• fix(deps): update module github.com/hashicorp/go-getter to v1.7.9 [security] by @renovate[bot] in #77
• Bump golang.org/x/net from 0.36.0 to 0.38.0 in the go_modules group across 1 directory by @dependabot[bot] in #61
• chore(deps): update dependency kubernetes-sigs/kind to v0.30.0 by @renovate[bot] in #47
• chore(deps): update actions/cache digest to 0400d5f by @renovate[bot] in #81
• chore(deps): update module github.com/ulikunitz/xz to v0.5.15 [security] by @renovate[bot] in #80
• chore(deps): update terraform random to v3.7.2 by @renovate[bot] in #83
• chore(deps): update terraform null to v3.2.4 by @renovate[bot] in #82
• chore(deps): update actions/checkout action to v4.3.0 by @renovate[bot] in #85
• chore(deps): update actions/setup-go action to v5.5.0 by @renovate[bot] in #86
• chore(deps): update zeebe-io/backport-action action to v3.3.0 by @renovate[bot] in #87
• chore(config): migrate renovate config - autoclosed by @renovate[bot] in #91
• chore(deps): update actions/checkout action to v5 by @renovate[bot] in #88
• chore(deps): update alpine docker tag to v3.22.1 by @renovate[bot] in #93
• crossplane v2: namespaced MRs by @sergenyalcin in #94

New Contributors

• @peimanja made their first contribution in #11
• @dependabot[bot] made their first contribution in #9
• @pib made their first contribution in #32
• @renovate[bot] made their first contribution in #42
• @jeanduplessis made their first contribution in #37
• @ztzxt made their first contribution in #60
• @iomarcovalente made their first contribution in #70
• @jastang made their first contribution in #72

Full Changelog: https://github.com/upbound/provider-opentofu/commits/v1.0.0

v0.2.7

This release updates go mod dependencies to fix the following CVEs:

• CVE-2025-47907
• CVE-2025-4674

What's Changed

• [release-0.2]: Update go.mod dependencies [SECURITY] by @upbound-bot in #78

New Contributors

• @upbound-bot made their first contribution in #78

Full Changelog: v0.2.6...v0.2.7