github mattrobinsonsre/terrapod v0.32.0

5 hours ago

Open-source platform replacement for Terraform Enterprise. Minor release headlined by the runner's bash-to-Python rewrite: signal handling is now unit-tested, the per-plan provider archive downloads that extended the lock file for other platforms are gone, and four base-image advisories are cleared (plus a Go stdlib CVE in the bundled OPA binary).

Highlights

  • Runner ports five bash phases to Python: the download phases (binary cache, config tarball, state), the plan/apply subprocess with signal forwarding (a SIGTERM to the runner is relayed to the child as SIGINT, backed by a SIGKILL watchdog; now unit-tested against real child processes), artifact uploads (lock file, plan file, plan JSON, and state with a state-diverged signal), and run-result POSTs. The remaining bash entrypoint is stable orchestration glue; the gnarly machinery is now testable Python.
  • Mirror-fed h1: injection eliminates per-plan archive downloads. When Terrapod's provider mirror has cached an archive, the runner pulls the precomputed h1: hash from the mirror's {version}.json (a ~1 KB JSON request) and splices it directly into .terraform.lock.hcl. The tofu providers lock fallback introduced in v0.31.6 now runs only when the mirror returns no h1: for a provider. Steady-state plans drop from ~500 MB–1.5 GB of redundant downloads to ~10 KB of metadata.
  • Python 3.13 + litellm 1.87 + aiohttp 3.14: base images move from python:3.14-slim back to python:3.13-slim to unblock litellm's relaxed aiohttp pin, clearing four advisories (GHSA-hg6j-4rv6-33pg, GHSA-jg22-mg44-37j8, CVE-2026-40217, CVE-2026-28684).
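The SIGTERM-to-SIGINT forwarding with a SIGKILL watchdog described in the first highlight, as an added Python illustration. This is not terrapod's runner code: the class and function names are invented for the example, and the two child commands are constructed stand-ins for a tofu/terraform subprocess (one honours SIGINT, one ignores it). The point it demonstrates is the one the release notes make: the supervision logic is an ordinary object, so it can be exercised against real child processes without sending signals to the test runner itself.

```python
"""SIGTERM-to-SIGINT forwarding for a terraform/tofu child, with a SIGKILL watchdog."""
import signal
import subprocess
import sys
import threading


class SupervisedRun:
    """Run argv as a child process. cancel() sends the child SIGINT (the graceful-cancel
    signal for terraform/tofu) and arms a watchdog that SIGKILLs it after grace_seconds."""

    def __init__(self, argv, grace_seconds=30.0):
        self.argv = list(argv)
        self.grace_seconds = grace_seconds
        self.proc = None
        self.cancel_requested = False
        self.killed = False            # set when the watchdog had to SIGKILL
        self._watchdog = None

    def cancel(self, *_):
        """Usable directly or as a signal handler (signum and frame are ignored)."""
        self.cancel_requested = True
        self._interrupt_child()

    def _interrupt_child(self):
        # Nothing to do if the child has not started, already exited, or was already interrupted.
        if self.proc is None or self.proc.poll() is not None or self._watchdog is not None:
            return
        self.proc.send_signal(signal.SIGINT)
        self._watchdog = threading.Timer(self.grace_seconds, self._kill)
        self._watchdog.daemon = True
        self._watchdog.start()

    def _kill(self):
        if self.proc.poll() is None:
            self.killed = True
            self.proc.kill()

    def run(self, install_handler=True):
        """Start the child and block until it exits. Returns its exit code; a negative value
        means it died from that signal (-9 when the watchdog fired). With install_handler=True
        the parent's SIGTERM is routed to cancel(); that requires the main thread, because
        Python only allows signal handlers to be installed there."""
        previous = None
        if install_handler:
            previous = signal.signal(signal.SIGTERM, self.cancel)
        try:
            self.proc = subprocess.Popen(self.argv)
            if self.cancel_requested:          # SIGTERM arrived before the child existed
                self._interrupt_child()
            return self.proc.wait()
        finally:
            if self._watchdog is not None:
                self._watchdog.cancel()
            if install_handler and previous is not None:
                signal.signal(signal.SIGTERM, previous)


# Constructed stand-ins for a tofu/terraform child: one honours SIGINT, one ignores it.
GRACEFUL_CHILD = [sys.executable, "-c",
                  "import signal, sys, time\n"
                  "signal.signal(signal.SIGINT, lambda *a: sys.exit(3))\n"
                  "time.sleep(30)"]
STUBBORN_CHILD = [sys.executable, "-c",
                  "import signal, time\n"
                  "signal.signal(signal.SIGINT, signal.SIG_IGN)\n"
                  "time.sleep(30)"]


def cancel_after(argv, delay, grace_seconds):
    """Start argv, request cancellation after `delay` seconds from another thread
    (standing in for the kubelet's SIGTERM), and return (exit_code, watchdog_fired)."""
    run = SupervisedRun(argv, grace_seconds=grace_seconds)
    threading.Timer(delay, run.cancel).start()
    rc = run.run(install_handler=False)
    return rc, run.killed


if __name__ == "__main__":
    print("graceful child:", cancel_after(GRACEFUL_CHILD, 1.0, 3.0))   # (3, False)
    print("stubborn child:", cancel_after(STUBBORN_CHILD, 1.0, 1.0))   # (-9, True)
```

SIGINT rather than SIGTERM is forwarded because terraform and tofu treat a single interrupt as a request to finish in-flight operations and write state before exiting; the watchdog exists for the case where the child never gets there, and its exit code (-9) tells the run-result POST that the stop was forced rather than clean. The grace period should be shorter than the pod's terminationGracePeriodSeconds, otherwise the kubelet's own SIGKILL lands first and the runner never learns which case it was.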
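The h1: splice from the second highlight, as an added Python example. This is not terrapod's code: the function names are invented for the example, the lock-file text and the {version}.json document are constructed samples, and the placeholder hashes are not real provider checksums. The JSON shape follows the provider network mirror protocol's per-version document, in which each platform archive's hashes list is optional; an absent list is exactly the case that sends the runner to the tofu providers lock fallback.

```python
"""Splice mirror-supplied h1: hashes into .terraform.lock.hcl, or decide to fall back."""
import json
import re

# h1: is base64(sha256) of the unpacked provider tree: 43 base64 chars plus one '=' of padding.
H1_RE = re.compile(r"^h1:[A-Za-z0-9+/]{43}=$")


def mirror_h1_hashes(version_json: str) -> list[str]:
    """Return the h1: hashes a network-mirror {version}.json advertises, across all platforms.

    The per-archive "hashes" list is optional in the mirror protocol, so the result can be
    empty. Anything that is not a well-formed h1: (e.g. a zh: registry hash) is ignored.
    """
    doc = json.loads(version_json)
    found = set()
    for archive in doc.get("archives", {}).values():
        for h in archive.get("hashes", []):
            if H1_RE.match(h):
                found.add(h)
    return sorted(found)


def inject_h1(lock_hcl: str, provider: str, h1_hashes: list[str]) -> tuple[str, bool]:
    """Merge h1_hashes into the named provider block's hashes list.

    Returns (new_text, changed). Hashes are de-duplicated and sorted, which is how
    `tofu providers lock` writes them, so a later lock run produces no spurious diff.
    """
    bad = [h for h in h1_hashes if not H1_RE.match(h)]
    if bad:
        raise ValueError(f"refusing to inject malformed hashes: {bad}")
    # [^}]*? keeps the match inside this provider's block; [^\]]* stops at the list's ']'.
    block = re.compile(
        r'(provider "' + re.escape(provider) + r'" \{[^}]*?hashes = \[)([^\]]*)(\])'
    )
    m = block.search(lock_hcl)
    if m is None:
        raise KeyError(f"no block for provider {provider!r} in lock file")
    existing = re.findall(r'"([^"]+)"', m.group(2))
    merged = sorted(set(existing) | set(h1_hashes))
    if set(merged) == set(existing):
        return lock_hcl, False
    body = "".join(f'\n    "{h}",' for h in merged) + "\n  "
    return lock_hcl[: m.start(2)] + body + lock_hcl[m.end(2):], True


def update_lock(lock_hcl: str, provider: str, version_json: str) -> tuple[str, str]:
    """Runner decision: ("inject", new_lock) when the mirror supplied h1: hashes,
    ("fallback", lock_hcl) when it did not and `tofu providers lock` must run instead."""
    hashes = mirror_h1_hashes(version_json)
    if not hashes:
        return "fallback", lock_hcl
    new_lock, _ = inject_h1(lock_hcl, provider, hashes)
    return "inject", new_lock


PROVIDER = "registry.opentofu.org/hashicorp/null"

# Constructed sample lock file: only registry (zh:) hashes, as a single-platform init leaves it.
SAMPLE_LOCK = '''# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.

provider "registry.opentofu.org/hashicorp/null" {
  version     = "3.2.2"
  constraints = "~> 3.2"
  hashes = [
    "zh:3248aae69078c9a3e44e8cc1df8a7c3d3a3cd6f04b1b0f2c4b4f5e6a7b8c9d0e",
    "zh:9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6b5a4938271605f4e3d2c1b0a",
  ]
}
'''

# Placeholder h1: values (base64 of 32 bytes), not real checksums.
H1_LINUX = "h1:" + "A" * 43 + "="
H1_DARWIN = "h1:" + "B" * 43 + "="

# Constructed {version}.json in the network mirror protocol shape; windows_amd64 has no hashes.
SAMPLE_VERSION_JSON = json.dumps({"archives": {
    "linux_amd64": {"url": "terraform-provider-null_3.2.2_linux_amd64.zip",
                    "hashes": [H1_LINUX, "zh:3248aae69078c9a3e44e8cc1df8a7c3d3a3cd6f04b1b0f2c4b4f5e6a7b8c9d0e"]},
    "darwin_arm64": {"url": "terraform-provider-null_3.2.2_darwin_arm64.zip", "hashes": [H1_DARWIN]},
    "windows_amd64": {"url": "terraform-provider-null_3.2.2_windows_amd64.zip"},
}})

# The mirror cached the archive but published no hashes at all: fallback territory.
NO_H1_VERSION_JSON = json.dumps({"archives": {
    "linux_amd64": {"url": "terraform-provider-null_3.2.2_linux_amd64.zip"},
}})


if __name__ == "__main__":
    kind, text = update_lock(SAMPLE_LOCK, PROVIDER, SAMPLE_VERSION_JSON)
    print(kind)
    print(text)
```

One caveat worth keeping in mind when reading the download numbers: the spliced h1: is only as trustworthy as the mirror that published it. tofu still checks the archive it actually fetches against the lock file at init, so a mirror whose archive does not match its advertised h1: fails init rather than running silently; but a mirror that controls both the archive and the {version}.json pins whatever it serves, which is the same trust boundary the tofu providers lock fallback has always had, since that command computes its hashes from the mirror's archives too.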

Bug Fixes

  • OPA 1.16.2 → 1.17.0 to clear CVE-2026-42504 (Go stdlib MIME-header DoS in the statically-linked OPA binary).

Security

Operator Notes

  • Custom runner images: the canonical entrypoint is now python -m terrapod.runner.job_entrypoint. The transitional /entrypoint.sh bash script is still in the image but is invoked by the Python entrypoint, not by the kubelet. Custom images should not override ENTRYPOINT; layer additional tooling on top.
  • Runner image base is now python:3.13-slim (was alpine:3.23.4). Image size grew ~50 MB; the next minor will reclaim it once the remaining bash phases (OPA, init, var-injection) are ported and bash + its tooling are stripped.

Status

Beta — production-ready for self-hosted Terraform Enterprise replacement; API and Helm chart shape stable within minor versions.

Full Changelog: v0.31.6...v0.32.0
