github mattrobinsonsre/terrapod v0.38.0

5 hours ago

Terrapod is a free, open-source replacement for Terraform Enterprise. This release overhauls API-token security: scoped service tokens, automatic offboarding protection, short-lived CLI logins, and a dedicated registry permission on roles.

Highlights

  • Scoped service tokens — API tokens now come in three kinds. Personal (interactive) tokens carry your full live permissions (the terraform login default). Service · bound tokens are scoped to a subset of your roles — their effective access is the intersection of those roles and your own, and they stop working when your account is offboarded. Service · detached (admin-only, unbound) tokens carry an absolute pinned scope for critical machine-to-machine automation that must survive any one person leaving.
  • Automatic offboarding guard — a user-bound token is rejected once its owner hasn't logged in within auth.bound_token_idle_days (default 7). Disabling a user at the IdP automatically retires their tokens within the window — no cleanup required. For an immediate cut-off, the new admin revoke-all endpoint deletes every token bound to an identity. See the new offboarding runbook.
  • Short-lived terraform/tofu login tokens — login now mints a token that lives auth.login_token_ttl_hours (default 12h) instead of the full max-lifetime cap, so a leaked CLI credential expires by end of day.
  • Token rotation + expiry warnings — rotate a service token's secret in place (UI Rotate action / API), and an in-app banner warns before service tokens expire (scoped per-caller, so nobody is nagged about others' tokens).
  • Dedicated registry permission on roles — roles gain an independent registry_permission (read/write/admin) for modules and providers, decoupled from workspace_permission. A role can now grant exactly registry write (e.g. provider-publish CI) and nothing else.
  • Tokens-page UX — kind column, pinned-role picker, bound-to, masked secret reveal with Show/Copy/dismiss, and an admin kind filter.

Bug Fixes

  • Runner setup scripts are now executed with an explicit /bin/sh -c argv (script and arguments as separate argv elements) rather than through a shell-injection-prone code path.
  • CI: cached Next.js/npm web builds; code-scanning suppressions now apply consistently.
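The notes do not show the pre-fix code path, so the following is an added illustration (not Terrapod's own runner code) of the general difference between interpolating untrusted input into a script string and passing it as a separate argv element to /bin/sh -c. The script bodies, the argv[0] name "terrapod-runner", and the hostile workspace name are all constructed for this example.

```go
package main

import (
	"fmt"
	"os/exec"
)

// UnsafeSetup builds the script text by string concatenation (the pattern
// the fix removes): anything in `workspace` is parsed by sh as code.
func UnsafeSetup(workspace string) (string, error) {
	script := "echo workspace=" + workspace
	out, err := exec.Command("/bin/sh", "-c", script).CombinedOutput()
	return string(out), err
}

// SafeSetup keeps the script constant and hands the value over as a
// positional parameter: sh -c SCRIPT ARG0 ARG1 makes it $1, which the
// shell treats as data, never as command syntax.
func SafeSetup(workspace string) (string, error) {
	const script = `echo "workspace=$1"`
	out, err := exec.Command("/bin/sh", "-c", script, "terrapod-runner", workspace).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed hostile input: a second command smuggled after a semicolon.
	name := "demo; echo INJECTED"
	u, _ := UnsafeSetup(name)
	s, _ := SafeSetup(name)
	fmt.Printf("unsafe: %q\nsafe:   %q\n", u, s)
}
```

With the unsafe form the second command runs and INJECTED appears on its own line; with the argv form the whole string is echoed literally. Quoting "$1" inside the script also keeps a name containing spaces or globs as one word.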

Breaking Changes

  • The idle-login guard is ON by default (bound_token_idle_days: 7). Any bound token (personal/interactive or service-bound) whose owner has not logged in for 7 days will be rejected. Before upgrading, convert long-lived automation tokens to admin-managed detached service tokens (which are exempt), or set auth.bound_token_idle_days: 0 to disable the guard.
  • terraform login tokens now expire in 12h (was the api_token_max_ttl_hours cap). Re-run terraform login per session, or raise auth.login_token_ttl_hours. Long-lived automation should use a dedicated service token, not a login token.
  • Existing roles are auto-migrated: each role's new registry_permission is backfilled from its workspace_permission, so registry access is unchanged on upgrade.
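To make the token rules above concrete (scoped resolution of bound tokens, the idle-login guard and its 0-to-disable setting, detached tokens being exempt, the 12h login TTL, and the independent registry_permission axis), here is an added model of the resolution logic. It is example code written for these notes, not Terrapod's implementation: the type names, the Resolve and NewLoginToken functions, the role-name intersection used for bound tokens, and the sample users and roles are all assumptions chosen to match the behaviour the notes describe.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Perm is an ordered permission level; a higher level includes the lower ones.
type Perm int

const (
	PermNone Perm = iota
	PermRead
	PermWrite
	PermAdmin
)

func (p Perm) String() string { return [...]string{"none", "read", "write", "admin"}[p] }

// Role carries the two independent permission axes: registry_permission is
// no longer derived from workspace_permission.
type Role struct {
	Name      string
	Workspace Perm
	Registry  Perm
}

// Access is the effective level on each axis after resolving a set of roles.
type Access struct {
	Workspace Perm
	Registry  Perm
}

// unionAccess takes the highest level any role grants on each axis.
func unionAccess(roles []Role) Access {
	var a Access
	for _, r := range roles {
		if r.Workspace > a.Workspace {
			a.Workspace = r.Workspace
		}
		if r.Registry > a.Registry {
			a.Registry = r.Registry
		}
	}
	return a
}

// intersectRoles keeps only the pinned roles the owner still holds, so a role
// removed from the user silently drops out of every token bound to them.
func intersectRoles(pinned, live []Role) []Role {
	have := map[string]bool{}
	for _, r := range live {
		have[r.Name] = true
	}
	var out []Role
	for _, r := range pinned {
		if have[r.Name] {
			out = append(out, r)
		}
	}
	return out
}

type TokenKind int

const (
	KindPersonal        TokenKind = iota // full live permissions of the owner
	KindServiceBound                     // intersection of pinned roles and owner's roles
	KindServiceDetached                  // admin-only, absolute pinned scope, no owner
)

type User struct {
	Name      string
	LastLogin time.Time
	Roles     []Role
}

type Token struct {
	Kind        TokenKind
	Owner       *User  // nil for detached tokens
	PinnedRoles []Role // bound: subset to intersect; detached: absolute scope
	ExpiresAt   time.Time
}

// AuthConfig holds the two knobs named in the release notes.
type AuthConfig struct {
	BoundTokenIdleDays int // 0 disables the offboarding guard
	LoginTokenTTLHours int
}

func DefaultAuthConfig() AuthConfig { return AuthConfig{BoundTokenIdleDays: 7, LoginTokenTTLHours: 12} }

// NewLoginToken mints the short-lived personal token a CLI login receives.
func NewLoginToken(owner *User, cfg AuthConfig, now time.Time) Token {
	return Token{Kind: KindPersonal, Owner: owner,
		ExpiresAt: now.Add(time.Duration(cfg.LoginTokenTTLHours) * time.Hour)}
}

var (
	ErrExpired   = errors.New("token expired")
	ErrOwnerIdle = errors.New("owner has not logged in within bound_token_idle_days")
	ErrNoOwner   = errors.New("bound token has no owner")
)

// Resolve applies expiry, the idle-login guard and scoped resolution, in that order.
func Resolve(tok Token, cfg AuthConfig, now time.Time) (Access, error) {
	if !tok.ExpiresAt.IsZero() && now.After(tok.ExpiresAt) {
		return Access{}, ErrExpired
	}
	if tok.Kind == KindServiceDetached {
		// Exempt from the guard: the scope is pinned, not derived from a person.
		return unionAccess(tok.PinnedRoles), nil
	}
	if tok.Owner == nil {
		return Access{}, ErrNoOwner
	}
	if cfg.BoundTokenIdleDays > 0 {
		idle := time.Duration(cfg.BoundTokenIdleDays) * 24 * time.Hour
		if now.Sub(tok.Owner.LastLogin) > idle {
			return Access{}, ErrOwnerIdle // covers IdP-disabled users: they never log in again
		}
	}
	if tok.Kind == KindPersonal {
		return unionAccess(tok.Owner.Roles), nil
	}
	return unionAccess(intersectRoles(tok.PinnedRoles, tok.Owner.Roles)), nil
}

func main() {
	// Constructed sample data for the example, not taken from any deployment.
	now := time.Date(2025, 1, 15, 9, 0, 0, 0, time.UTC)
	publish := Role{Name: "provider-publish", Registry: PermWrite} // registry write and nothing else
	admin := Role{Name: "admin", Workspace: PermAdmin, Registry: PermAdmin}
	alice := &User{Name: "alice", LastLogin: now.Add(-48 * time.Hour), Roles: []Role{publish, admin}}
	ci := Token{Kind: KindServiceBound, Owner: alice, PinnedRoles: []Role{publish}}
	cfg := DefaultAuthConfig()

	fmt.Println(Resolve(ci, cfg, now))                     // registry write only
	fmt.Println(Resolve(ci, cfg, now.Add(8*24*time.Hour))) // rejected: owner idle
}
```

The CI token pinned to provider-publish never gains alice's admin rights, and once alice stops logging in (or is disabled at the IdP) it is refused after the idle window without anyone deleting it; a detached token with the same pinned role keeps working regardless.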

Security

  • Scoped + offboarding-aware tokens close the "ex-employee's CI token still works weeks later" gap, and detached tokens give admins a managed path for critical M2M automation.

Status

Beta — the token-security surface is fully tested (unit + integration + E2E) and live-smoked, including offboarding, rotation, and scoped-resolution behaviour.

Full Changelog: v0.37.0...v0.38.0
