Hotfix release of Terrapod — completes the cross-workspace terraform_remote_state story by closing the last auth gap: the workspace lookup endpoint that the remote backend hits before reading state now honors the producer's remote_state_consumers allowlist.
Bug Fixes
- Cross-workspace terraform_remote_state failed with Error: Error creating workspace <X>: 403 Forbidden — even when the producer's remote_state_consumers allowlist correctly listed the consumer workspace and the runner-side fixes from v0.31.2 were in place. Root cause: the OpenTofu remote backend's first hop is a workspace lookup at GET /api/v2/organizations/{org}/workspaces/{name}, and that handler only checked user/role RBAC. Runner-token principals from consumer workspaces got 404, the backend interpreted that as "workspace doesn't exist" and fell through to its create-if-missing code path, and the create POST then 403'd on the runner's missing org-write permission. Fix: both show_workspace (by name) and show_workspace_by_id now fall back to _runner_state_read_allowed when user/role RBAC returns nothing — same predicate already used by current_state_version and download_state, so the producer's explicit consumer allowlist now applies uniformly across every endpoint the remote backend touches.
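The failure chain and the fallback described above, modelled as an added example; this is not Terrapod's code. The data classes, the runner_fallback switch and the body of runner_state_read_allowed are assumptions made for illustration, and only the order of checks and the status codes come from the release note.

```python
from dataclasses import dataclass, field

@dataclass
class Workspace:
    id: str
    remote_state_consumers: set = field(default_factory=set)  # consumer workspace ids

@dataclass
class Principal:
    kind: str                                   # "user" or "runner"
    roles: dict = field(default_factory=dict)   # user only: workspace id -> role
    workspace_id: str = ""                      # runner only: workspace the token belongs to
    org_write: bool = False

def rbac_allows(p, ws):
    """User/role RBAC: the only check the lookup handler made before the fix."""
    return p.kind == "user" and ws.id in p.roles

def runner_state_read_allowed(p, ws):
    """Assumed shape of the predicate: runner token from an allowlisted consumer."""
    return p.kind == "runner" and p.workspace_id in ws.remote_state_consumers

def show_workspace(p, ws, runner_fallback):
    """Status code of the workspace lookup, with or without the fallback."""
    if rbac_allows(p, ws) or (runner_fallback and runner_state_read_allowed(p, ws)):
        return 200
    return 404  # callers with no access cannot tell the workspace exists

def backend_first_hop(p, ws, runner_fallback):
    """Remote backend as described above: lookup, then create-if-missing on 404."""
    if show_workspace(p, ws, runner_fallback) == 200:
        return "resolved"
    return "create attempted" if p.org_write else "403 Forbidden"

# Constructed sample data
producer = Workspace("ws-producer", remote_state_consumers={"ws-consumer"})
listed = Principal("runner", workspace_id="ws-consumer")
unlisted = Principal("runner", workspace_id="ws-other")

if __name__ == "__main__":
    for name, p in (("listed", listed), ("unlisted", unlisted)):
        for fallback in (False, True):
            print(name, "fallback" if fallback else "rbac-only",
                  backend_first_hop(p, producer, fallback))
```

A runner from a workspace that is not on the allowlist still gets 404 from the lookup with the fallback enabled, so the allowlist stays the only thing that widens access.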
Upgrade notes
Combined with v0.31.2's runner-side host{} fix, this completes the cross-workspace state-sharing path:
- v0.31.2 — runner CLI-config host{} declares tfe.v2 so service discovery survives the internal-ingress redirect
- v0.31.3 — server allows runner tokens from consumer workspaces to resolve the producer through the workspace-lookup endpoint
Both fixes are needed for data "terraform_remote_state" { backend = "remote" } to succeed in agent-mode runs.
Status
Stable — surgical edit to two endpoints; no schema, contract, or other auth-path changes.
Full Changelog: v0.31.2...v0.31.3