Patch release of Terrapod — an open-source platform replacement for Terraform Enterprise. A new-contributor OIDC interop fix, a drift-detection fix, and security updates.
Bug Fixes
- OIDC login against PKCE-enforcing IdPs — Terrapod now sends S256 PKCE (RFC 7636) on the upstream OIDC authorize request and token exchange, fixing login for identity providers that require PKCE on the authorization-code flow even when a client secret is configured (e.g. Pinniped Supervisor). Automatic and backward-compatible. Thanks to first-time contributor @Qubut! (#543)
- Drift detection false positive — a drift check that found no changes could still flag a workspace as drifted if the runner's plan-result POST hit a transient read-timeout (leaving has_changes unknown). The authoritative result POSTs now retry with backoff, so a momentary blip no longer produces phantom drift. (#566)
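The S256 PKCE exchange described in the OIDC fix above, sketched as an added example (not Terrapod's own code): a confidential client sends code_challenge on the authorize request and code_verifier alongside its client secret on the token exchange, and the IdP recomputes the hash. Function names, endpoint URLs and client values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    # 32 random bytes give a 43-character verifier, the RFC minimum length
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def authorize_url(endpoint, client_id, redirect_uri, state, challenge):
    # Step 1: only the challenge leaves the client; the verifier stays server-side
    return endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def token_request_body(code, redirect_uri, client_id, client_secret, verifier):
    # Step 2: the verifier is sent in addition to the client secret, not instead of it
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": verifier,
    }


def idp_verify(stored_challenge: str, presented_verifier: str) -> bool:
    # What a PKCE-enforcing IdP checks before issuing tokens
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```

The verifier has to be kept with the login state (next to the OIDC state value) between the two requests; an IdP that enforces PKCE rejects a token exchange where it is missing or does not hash to the stored challenge.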
Security
- pydantic-settings → 2.14.2 — GHSA-4xgf-cpjx-pc3j (NestedSecretsSettingsSource followed symlinks outside secrets_dir). (#563)
- @babel/core → 7.29.7 — GHSA-4x5r-pxfx-6jf8 (arbitrary file read via sourceMappingURL). (#563)
- CodeQL cleanups (redundant import, unused global). (#563)
Status
Beta — production-capable; self-hosted, and API-compatible with the terraform/tofu cloud-block workflow.
Full Changelog: v0.44.0...v0.44.1