chore(deps): update opentofu/opentofu to 1.12.0 #105

Open
zon-renovate wants to merge 1 commit into main from renovate/opentofu-opentofu-1.x

zon-renovate (Collaborator) commented Apr 11, 2026

This PR contains the following updates:

Package            Update  Change
opentofu/opentofu  minor   1.11.5 → 1.12.0

Release Notes

opentofu/opentofu (opentofu/opentofu)

v1.12.0

Compare Source

OpenTofu 1.12.0

We're proud to announce that OpenTofu 1.12.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Dynamic prevent_destroy

OpenTofu v1.12.0 now allows prevent_destroy to be defined dynamically in terms of other values available elsewhere in the same module. For example:

variable "prevent_destroy_database" {
  type    = bool
  default = true
}

resource "example_database" "example" {
  # ...

  lifecycle {
    prevent_destroy = var.prevent_destroy_database
  }
}

Provider Checksum Improvements

The default provider installation behavior in OpenTofu is designed to mostly "just work" by getting the needed providers installed and
making the necessary changes to the dependency lock file, but in previous versions
friction appeared for any teams using many of the non-default installation settings such as the shared provider plugin cache, or local mirrors of upstream providers.

For OpenTofu v1.12, OpenTofu Registry now provides a full set of official checksums in all of the checksum formats needed by other installation methods.
This means that after running tofu init the dependency lock file will immediately have all of the information required to successfully use a global
plugin cache directory and to verify matching packages served from a local mirror, without needing to run tofu providers lock separately.

Simultaneous Human-readable and Machine-readable Output

Many OpenTofu commands support both human-oriented UI output and machine-readable JSON output, but previously those commands could be run with only one or the other.
This was bothersome for those implementing alternative UIs in terms of the machine-readable output because it meant they would need to implement all possible
features of the UI before their tool could actually be used.

OpenTofu v1.12.0 introduces a new option -json-into=FILENAME, which produces the same output format that -json would have produced but sends that output
to the given filename instead of to the standard output stream. The OpenTofu UI output then appears on the standard output stream as normal, so that
software interpreting the JSON output can behave as just a supplement to the normal UI rather than a complete replacement.

New destroy lifecycle meta-argument

The new destroy = false lifecycle option for managed resources allows removing an object from the state without first destroying the remote object.

Deprecation Notices

WinRM for Provisioners is Now Deprecated

Some of the Go libraries that OpenTofu uses for WinRM connection support in provisioners have become unmaintained over time, and so unfortunately we are phasing
out support for WinRM in OpenTofu starting with deprecation warnings in this release.

If your configuration includes a connection block with type = "winrm" then OpenTofu v1.12 will warn that this connection type is deprecated,
but provisioning should otherwise still work as it did before.

We intend to remove WinRM support completely in the forthcoming OpenTofu v1.13 series, and so if you are currently relying on WinRM support we
recommend that you begin planning to migrate to using OpenSSH for Windows instead.

Phasing Out Support for 32-bit CPU Architectures

We are also planning to stop producing official releases for 32-bit CPU architectures (386 and arm) in a future version of OpenTofu.
Support for 64-bit architectures (amd64 and arm64) is unaffected.

OpenTofu v1.12 does not include any changes to CPU support yet, but we expect that the official builds in the forthcoming v1.13 series will begin producing warnings
when running on 32-bit CPU architectures, before we stop producing those packages altogether in a future release series.

Compatibility Notes

  • macOS: Requires macOS 12 Monterey or later
  • The OPENTOFU_USER_AGENT environment variable, which allowed fully overriding the default User-Agent header on all HTTP requests, has been removed.
  • On Unix systems OpenTofu now considers the BROWSER environment variable as a possible override for the default behavior for launching a web browser.
    If you run OpenTofu in a context where an environment variable of that name is already set, it may cause OpenTofu to now open a web browser in a different way than previous versions would have.
    Unsetting that environment variable will restore the previous platform-specific behavior.

Reference

Thank you for your continued support and testing of the OpenTofu project!

v1.11.8

Compare Source

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could potentially take an excessive amount of time and send extraneous data to an HTTP2 server that specifies a maximum frame size of zero. This is now fixed. (#​4094)

    An attacker that can coerce an operator to install a dependency from an attacker-controlled server could use this to cause unexpected resource consumption during tofu init.

Full Changelog: opentofu/opentofu@v1.11.7...v1.11.8

v1.11.7

Compare Source

BUG FIXES:

  • When installing provider packages into a local cache directory, the installer will now return an error if a conflicting entry is already present in the cache that doesn't match the expected checksum. Previously OpenTofu would just silently write over the existing entry in that case. (#​4082)

Full Changelog: opentofu/opentofu@v1.11.6...v1.11.7

v1.11.6

Compare Source

BUG FIXES:

  • Running tofu apply -refresh-only with a configuration that contains ephemeral resources does not fail anymore because the refresh produced changes (#​3776)
  • Fixed tofu init crashing when a module version uses a variable and the module is referenced from a test file. (#​3686)
  • Fixed provider-defined functions in import block id expressions causing "BUG: Uninitialized function provider" error. (#​3803)
  • tofu test no longer fails during cleanup when using a mocked version of a resource type with write-only attributes. (#​3964)
  • A malicious remote TLS server can no longer deadlock OpenTofu by sending multiple key update messages in a single record. (#​3966)
  • When installing module packages from "tar" archives, OpenTofu now accepts only a limited number of sparse file entries to avoid unbounded memory usage from maliciously-crafted archives containing many sparse regions. (#​3966)

Full Changelog: opentofu/opentofu@v1.11.5...v1.11.6


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
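
A pre-merge check for the WinRM deprecation and the two environment-variable compatibility notes in the release text above. This is an added example, not part of this PR, Renovate, or OpenTofu; the function names and the sample configuration are constructed for illustration, and the scan is a line-based heuristic rather than a full HCL parser.

```python
import os
import re
from pathlib import Path

# From the 1.12.0 compatibility notes: variable -> what changed.
ENV_NOTES = {
    "OPENTOFU_USER_AGENT": "removed; no longer overrides the User-Agent header",
    "BROWSER": "now considered on Unix when launching a web browser",
}
CONNECTION_RE = re.compile(r'\bconnection\s*\{')
WINRM_RE = re.compile(r'\btype\s*=\s*"winrm"')

# Constructed sample configuration (hypothetical resource type).
SAMPLE = '''resource "example_instance" "win" {
  # type = "winrm" in a comment is ignored
  connection {
    type = "winrm"
  }
  tags = { type = "winrm" }
}
'''

# Returns the line numbers of type = "winrm" found inside connection blocks.
def find_winrm_connections(hcl_text):
    hits, depth, conn_depth = [], 0, None
    for lineno, raw in enumerate(hcl_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#", "//")):
            continue  # whole-line comments only; heuristic, not an HCL parser
        if conn_depth is None and CONNECTION_RE.search(line):
            conn_depth = depth  # brace depth just outside the connection block
        if conn_depth is not None and WINRM_RE.search(line):
            hits.append(lineno)
        depth += line.count("{") - line.count("}")
        if conn_depth is not None and depth <= conn_depth:
            conn_depth = None  # connection block closed
    return hits

# Returns the compatibility notes that apply to the given environment mapping.
def env_findings(environ):
    return {k: v for k, v in ENV_NOTES.items() if k in environ}

if __name__ == "__main__":
    for path in Path(".").rglob("*"):
        if path.is_file() and path.suffix in (".tf", ".tofu"):
            for n in find_winrm_connections(path.read_text(encoding="utf-8")):
                print(f"{path}:{n}: winrm connection, deprecated in 1.12")
    for name, note in env_findings(os.environ).items():
        print(f"env {name}: {note}")
```

Run it from the repository root inside the same CI environment that runs tofu, so the environment-variable findings reflect what OpenTofu will actually see.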

zon-renovate changed the title from "chore(deps): update opentofu/opentofu to 1.11.6" to "chore(deps): update opentofu/opentofu to 1.11.7" May 11, 2026
zon-renovate force-pushed the renovate/opentofu-opentofu-1.x branch 2 times, most recently from fad3c84 to 699d94d May 14, 2026 10:10
zon-renovate changed the title from "chore(deps): update opentofu/opentofu to 1.11.7" to "chore(deps): update opentofu/opentofu to 1.11.8" May 14, 2026
zon-renovate force-pushed the renovate/opentofu-opentofu-1.x branch from 699d94d to 4e2a36a May 14, 2026 12:20
zon-renovate changed the title from "chore(deps): update opentofu/opentofu to 1.11.8" to "chore(deps): update opentofu/opentofu to 1.12.0" May 14, 2026