A quality-and-hardening release of Terrapod — an open-source platform replacement for Terraform Enterprise — implementing the full backlog from a whole-project review across UX/accessibility, test + SDK coverage, security defense-in-depth, and documentation.
Highlights
- Per-connection GitHub webhook secret — each VCS connection can carry its own webhook HMAC secret so one installation's secret can't forge another's webhooks; falls back to the global secret when unset. Wired end-to-end across the API, go-terrapod SDK, the Terraform provider, and the web UI.
- Dedicated token signing key — runner tokens and run-task/download-ticket callback tokens can sign with a dedicated api.tokenSigningKey secret instead of one derived from the database URL, decoupling token-forgery resistance from database credentials. Backward-compatible: leaving it unset invalidates no in-flight token.
- Accessible modals + live SSE status — a focus-trapping, Escape-dismissable Modal primitive on the catalog destructive flows, and a live connection indicator on the workspace list, workspace detail, and run pages so a dropped event stream is visible.
- Broader SDK coverage — go-terrapod gains typed methods for individual-policy CRUD, the workspace bulk search/update surface, and the labels browser.
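Added example in Go (not Terrapod's own code) of the per-connection webhook secret behaviour described in the Highlights: the connection's own secret takes precedence, the global secret is used only when it is unset, and a signature produced with another connection's secret fails verification. VCSConnection, resolveSecret, signPayload and VerifyGitHubSignature are hypothetical names; the X-Hub-Signature-256 header format is GitHub's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// VCSConnection is a constructed stand-in; WebhookSecret models the new vcs_connections.webhook_secret column.
type VCSConnection struct {
	WebhookSecret string // empty means "fall back to the global secret"
}

// ErrNoWebhookSecret: no per-connection or global secret, so the delivery cannot be authenticated.
var ErrNoWebhookSecret = errors.New("no webhook secret configured")
// resolveSecret prefers the connection's own secret, else the global one.
func resolveSecret(conn VCSConnection, globalSecret string) (string, error) {
	if conn.WebhookSecret != "" {
		return conn.WebhookSecret, nil
	}
	if globalSecret != "" {
		return globalSecret, nil
	}
	return "", ErrNoWebhookSecret
}

// signPayload builds GitHub's X-Hub-Signature-256 value: "sha256=" + hex(HMAC-SHA256(secret, body)).
func signPayload(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}
// VerifyGitHubSignature checks a delivery against the secret resolved for its
// connection. A malformed header verifies false; a missing secret is an error.
func VerifyGitHubSignature(conn VCSConnection, globalSecret, sigHeader string, body []byte) (bool, error) {
	secret, err := resolveSecret(conn, globalSecret)
	if err != nil {
		return false, err
	}
	got, err := hex.DecodeString(strings.TrimPrefix(sigHeader, "sha256="))
	if err != nil || !strings.HasPrefix(sigHeader, "sha256=") || len(got) != sha256.Size {
		return false, nil // wrong scheme, bad hex, or wrong length
	}
	want := hmac.New(sha256.New, []byte(secret))
	want.Write(body)
	return hmac.Equal(got, want.Sum(nil)), nil // constant-time comparison
}
```

A delivery whose connection has neither secret configured is rejected with an error rather than silently accepted, which is the failure mode to watch for when the global secret is removed.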
Security
- Sensitive→non-sensitive variable downgrades now clear the value so a previously-hidden secret can't be exposed by toggling a flag.
- State-divergence checks use a collision-resistant SHA-256 (the TFE-contract md5 is retained; legacy rows fall back to md5).
- The unread CA private-key disk cache is removed and the CA key column renamed to reflect that at-rest protection comes from database encryption.
Bug Fixes
- Registry module-version creation returns a clean 409 on a duplicate instead of a 500 + dangling pending row.
- De-flaked the audit-log method-filter E2E and added a deterministic SSE-through-proxy live-update test.
- A new workspace now appears on an open workspace list over SSE without a manual reload.
Upgrade Notes
Three additive/rename database migrations run automatically on upgrade (state_versions.sha256, certificate_authority.ca_key_pem, vcs_connections.webhook_secret). No configuration changes are required; the new api.tokenSigningKey and per-connection webhook secret are opt-in.
Status
Beta — production-capable; single-maintainer project, API-compatible with the terraform/tofu cloud-block workflow.
Full Changelog: v0.43.0...v0.44.0