Third hotfix in the v0.31.x line — completes the cross-workspace terraform_remote_state story under internal-ingress deployments. The state-version URLs the API hands runners now mirror whichever hostname the runner used to call in, so an in-cluster runner gets back an in-cluster URL instead of a public one it can't (cheaply) reach.
Bug Fixes
terraform_remote_statereads hung for minutes on the state download even after v0.31.2 (runner host{} fix) and v0.31.3 (workspace-show allowlist). The remaining gap:hosted-state-download-urlin the state-version JSON was built fromsettings.auth.callback_base_url— a single global config baked at deploy time, always the public hostname. In internal-ingress topologies where the API is exposed on both a public hostname (browsers, terraform login) AND an internal cluster-only hostname (in-cluster runners hitting the cloud-block backend), runners got back a URL they could only reach via slow external NAT / CDN paths. The terraform CLI'shost{}redirect installed by the runner only applies during service discovery — once the API hands the runner an absolute URL it follows that URL directly without going through host{} again, so the public URL stuck. Fix: build URLs from the request's own host (X-Forwarded-Host→Hostheader →callback_base_urlfallback chain). External requests still get the public URL back; internal-ingress runner requests now get the internal URL back.
Maintenance
- Release CI: the single ~10-15 min
releasejob has been split into four parallel branches (image retag + Helm + SBOMs, GoReleaser provider, GoReleaser migrate, finalize) joining at a tiny finalize step. The next release after this one will be the first under the new pipeline; cleanup-tag handles partial failures the same way as before.
Upgrade notes
Combined with v0.31.2 and v0.31.3, this completes the cross-workspace state-sharing path for internal-ingress deployments:
- v0.31.2 — runner CLI-config host{} declares
tfe.v2so service discovery survives the internal-ingress redirect - v0.31.3 — server allows runner tokens from consumer workspaces to resolve the producer through the workspace-lookup endpoint
- v0.31.4 — server emits state-download URLs that round-trip to whichever hostname the runner used
All three fixes need to be live for agent-mode data "terraform_remote_state" to work end-to-end under internal-ingress topologies.
Status
Stable — surgical edits to URL construction in 5 endpoints; no schema, contract, or other auth-path changes.
Full Changelog: v0.31.3...v0.31.4