IACM infrastructure pipelines using terraform are currently experiencing an outage

Update timeline

1. investigating Apr 19, 2026, 02:09 PM UTC

   We are currently investigating this issue.

2. identified Apr 19, 2026, 02:20 PM UTC

   The issue has been identified and a fix is being implemented.

3. monitoring Apr 19, 2026, 03:17 PM UTC

   A fix has been implemented and we are monitoring the results.

4. resolved Apr 19, 2026, 03:24 PM UTC

   This incident has been resolved. Customers using a pinned version older than plugins/harness_terraform:0.214.0 should update to the latest version by following the https://developer.harness.io/docs/continuous-integration/use-ci/set-up-build-infrastructure/harness-ci/#specify-the-harness-ci-images-used-in-your-pipelines. If you are not pinning a specific version, no action is required — your pipelines are already using the updated image.

5. postmortem Apr 30, 2026, 07:04 PM UTC

   ## **Summary** On April 19, 2026, Terraform-based IaCM pipelines failed across production environments due to an issue with Terraform binary verification during runtime. The issue was caused by an expired OpenPGP signing key in a third-party library used to validate Terraform downloads. This resulted in failures when pipelines attempted to install Terraform dynamically. ## **Impact** * Terraform-based IaCM pipelines failed during execution * Failures occurred at runtime when attempting to download/verify Terraform binaries * **Customers Unaffected:** * OpenTofu-based pipelines * Pipelines using pre-installed or cached Terraform binaries Customers pinning plugin versions older than the fixed release continued to experience failures until upgraded. ## **Root Cause** The IaCM Terraform plugin relies on a third-party library \(HashiCorp’s `hc-install`\) to download and verify Terraform binaries. * The library contained a **hardcoded OpenPGP signing key** * This key **expired**, causing verification failures during Terraform installation * HashiCorp had not yet released an updated version with a renewed key ## **Remediation** ### **Immediate Mitigation** * Released **IaCM Terraform plugin v0.214.0** * Modified behavior to: * **Bypass the expired signature verification step** * Continue secure downloads over HTTPS ### **Resolution** * Rolled out the fix across **prod0–prod4** * Pipeline execution functionality was restored ## **Customer Actions Required** * Customers using pinned plugin versions **older than v0.214.0** must: * **Upgrade to v0.214.0 or later** * No action required for customers using default/latest plugin versions ## **Prevention & Next Steps** We are implementing the following improvements: * **Dependency Monitoring** * Proactive monitoring for third-party certificate/key expirations * **Upstream Coordination** * Track HashiCorp release for updated signing key * Re-enable signature verification once available * **Customer Communication** * Notify customers using older pinned versions * **Operational Improvements** * Enhance validation of external dependencies in runtime workflows