Terrapod is an open-source platform replacement for Terraform Enterprise. This is a minor release hardening how runner Jobs receive workspace variables.
Highlights
- Secure per-run variable delivery — in agent mode, workspace variables are now delivered to each runner Job through a short-lived, per-run Kubernetes Secret instead of plaintext environment in the Job spec. Terraform variables are rendered into a generated `terrapod.auto.tfvars` mounted read-only from the Secret; environment variables are injected via `secretKeyRef`. No variable value — sensitive or not — ever appears in the Job spec, the listener logs, or `kubectl describe`. The Secret is owner-referenced to the Job and cascade-garbage-collected when the Job is cleaned up (no sweeper, no accumulation).
- Correct complex-variable handling across engines — complex (list/map/object) and `hcl`-flagged variables now render identically on `terraform`, `tofu`, and `terragrunt` via the generated tfvars file, fixing the cross-engine divergence the old `TF_VAR_*` environment approach had for untyped complex values.
Security
- Workspace variable values (including sensitive ones) are no longer written as plaintext environment in the runner Job spec — they live only in a short-lived, cascade-GC'd per-run Secret, mounted as a tfvars file (terraform vars) or referenced via `secretKeyRef` (env vars).
- Bumped the `js-yaml` web dependency. (#530)
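The delivery path described in the Highlights and Security sections above, as an added example that is not Terrapod's own code: it renders workspace variables into a `terrapod.auto.tfvars` file (JSON syntax is valid HCL value syntax, so complex and simple values share one encoder, and `hcl`-flagged values go in verbatim), builds the per-run Secret with an ownerReference to the Job, builds a runner Job that references the Secret only by name (`secretKeyRef` for env vars, a read-only mount for the tfvars file), and checks the resulting manifests for plaintext leaks. The variable dict shape, the `run-<id>` naming, the `/workspace` working directory and the sample values are this example's own assumptions; the `build_legacy_job` builder stands in for the old `TF_VAR_*` environment approach the release removes.

```python
import json

# Names this example assumes: TFVARS_FILE is the file name the release notes mention;
# the "run-<id>" naming and /workspace working directory are this example's choices.
TFVARS_FILE = "terrapod.auto.tfvars"
WORKDIR = "/workspace"

# Constructed sample workspace variables (the dict shape is this example's assumption).
SAMPLE_VARIABLES = [
    {"key": "region", "value": "us-east-1", "category": "terraform", "hcl": False},
    {"key": "subnets", "value": ["10.0.1.0/24", "10.0.2.0/24"], "category": "terraform", "hcl": False},
    {"key": "tags", "value": {"team": "platform", "tier": 2}, "category": "terraform", "hcl": False},
    {"key": "motd", "value": "literal ${not_interpolated}", "category": "terraform", "hcl": False},
    {"key": "limits", "value": '{ cpu = "500m", memory = "1Gi" }', "category": "terraform", "hcl": True},
    {"key": "AWS_SECRET_ACCESS_KEY", "value": "constructed-example-key-0000", "category": "env", "hcl": False},
]

def hcl_literal(value):
    """JSON syntax is valid HCL value syntax, so one encoder covers strings and
    list/map/object alike; "${" / "%{" are escaped so literals are not interpolated."""
    return json.dumps(value).replace("${", "$${").replace("%{", "%%{")

def render_tfvars(variables):
    """Generated tfvars file: hcl-flagged values verbatim, everything else via hcl_literal."""
    lines = []
    for v in variables:
        if v["category"] == "terraform":
            rhs = v["value"] if v.get("hcl") else hcl_literal(v["value"])
            lines.append(f"{v['key']} = {rhs}")
    return "\n".join(lines) + "\n"

def build_run_secret(run_id, job_uid, variables):
    """Per-run Secret: the tfvars file plus one key per env var. The ownerReference
    (the Job is created first, so its uid is known) makes the Secret cascade-delete
    with the Job; no sweeper is needed."""
    data = {TFVARS_FILE: render_tfvars(variables)}
    data.update({v["key"]: v["value"] for v in variables if v["category"] == "env"})
    owner = {"apiVersion": "batch/v1", "kind": "Job", "name": f"run-{run_id}",
             "uid": job_uid, "blockOwnerDeletion": True}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": f"run-{run_id}-vars", "ownerReferences": [owner]},
            "stringData": data}

def build_runner_job(run_id, variables, image):
    """Runner Job that names the Secret but holds no values: env vars via secretKeyRef,
    the tfvars file as a read-only subPath mount in the working directory so
    Terraform's *.auto.tfvars loading picks it up."""
    secret = f"run-{run_id}-vars"
    env = [{"name": v["key"], "valueFrom": {"secretKeyRef": {"name": secret, "key": v["key"]}}}
           for v in variables if v["category"] == "env"]
    container = {"name": "runner", "image": image, "workingDir": WORKDIR, "env": env,
                 "volumeMounts": [{"name": "run-vars", "mountPath": f"{WORKDIR}/{TFVARS_FILE}",
                                   "subPath": TFVARS_FILE, "readOnly": True}]}
    volume = {"name": "run-vars", "secret": {"secretName": secret,
              "items": [{"key": TFVARS_FILE, "path": TFVARS_FILE}]}}
    return {"apiVersion": "batch/v1", "kind": "Job", "metadata": {"name": f"run-{run_id}"},
            "spec": {"backoffLimit": 0, "template": {"spec": {
                "restartPolicy": "Never", "containers": [container], "volumes": [volume]}}}}

def build_legacy_job(run_id, variables, image):
    """The pattern this release removes: values inlined as plaintext env (TF_VAR_* for
    terraform vars), visible in the Job spec, listener logs and kubectl describe."""
    env = [{"name": v["key"] if v["category"] == "env" else f"TF_VAR_{v['key']}",
            "value": v["value"] if isinstance(v["value"], str) else json.dumps(v["value"])}
           for v in variables]
    return {"apiVersion": "batch/v1", "kind": "Job", "metadata": {"name": f"run-{run_id}"},
            "spec": {"template": {"spec": {"containers": [{"name": "runner", "image": image, "env": env}]}}}}

def _string_leaves(node):
    """Yield every string value anywhere in a manifest."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from _string_leaves(child)
    elif isinstance(node, str):
        yield node

def find_plaintext_leaks(manifest, variables):
    """Keys of variables whose value (raw, JSON- or HCL-encoded) appears verbatim in any
    string of the manifest: a guard a CI test or admission policy can apply to Job specs."""
    leaves = list(_string_leaves(manifest))
    leaked = []
    for v in variables:
        val = v["value"]
        needles = {val, hcl_literal(val)[1:-1]} if isinstance(val, str) else {json.dumps(val), hcl_literal(val)}
        if any(n in leaf for n in needles for leaf in leaves):
            leaked.append(v["key"])
    return leaked
```

Two design points worth noting: the ownerReference needs the Job's uid, so the Job is created before the Secret and the Secret is the dependent, which is what gives cascade deletion without a sweeper; and the tfvars file is mounted with `subPath` rather than as a whole-Secret directory, because a directory mount over the working directory would hide the checked-out configuration. Running `find_plaintext_leaks` over the hardened Job yields no keys, over the legacy Job yields every key, and over the Secret yields every key, which is the expected place for them to live.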
Status
Beta.
Full Changelog: v0.40.1...v0.41.0