github mattrobinsonsre/terrapod v0.45.0

latest release: v0.45.1
2 hours ago

Terrapod is a free, open-source platform replacement for Terraform Enterprise. This release adds passwordless database authentication and hardens every API client with bounded retries.

Highlights

  • Cloud-IAM database authentication — connect the platform Postgres with no static password, using the API pod's existing cloud workload identity. Opt in via database.auth_mode: aws_iam (AWS RDS IAM, IRSA), gcp_iam (GCP Cloud SQL IAM, Workload Identity Federation), or azure_ad (Azure Database for PostgreSQL — Microsoft Entra, Azure Workload Identity). A short-lived token is minted per connection, off the event loop, and TLS is always on. Static-password auth (password) remains the default and is unchanged.
  • First-class database TLS CA — the new api.databaseCA chart block takes the provider CA bundle as a ConfigMap (inline PEM that the chart turns into a ConfigMap, or an existingConfigMap), mounts it, and wires database.ssl_root_cert automatically — so ssl_mode: verify-ca / verify-full work out of the box.
  • Bounded retry on every API client — runner uploads, listener status/log/heartbeat posts, API → upstream registry/VCS/binary-cache calls, and notification + run-task webhook deliveries now retry transient failures (timeouts, connection errors, 5xx) with backoff, method-aware so non-idempotent writes are never double-sent. A single dropped plan-result POST can no longer leave a workspace falsely flagged as drifted.
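The retry rule in the last bullet can be sketched as follows. This is an added example, not Terrapod's code: the names (`should_retry`, `send_with_retry`, `ConnectFailed`, `ResponseLost`, `scripted`) are hypothetical, and it assumes "method-aware" means a non-idempotent request is retried only when the connection was never established, so nothing can be applied twice.

```python
import random
import time

IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS"}

class ConnectFailed(Exception):
    """Connection never established, so the request was not sent."""

class ResponseLost(Exception):
    """Timeout or reset after sending; the server may have processed it."""

def should_retry(method, outcome):
    """outcome is an int HTTP status or one of the exceptions above."""
    if isinstance(outcome, ConnectFailed):
        return True                    # nothing reached the server: safe for any method
    idempotent = method.upper() in IDEMPOTENT
    if isinstance(outcome, ResponseLost):
        return idempotent              # a POST may already have been applied
    if isinstance(outcome, int) and 500 <= outcome <= 599:
        return idempotent
    return False                       # 2xx/3xx/4xx are final

def backoff_delays(max_attempts, base=0.5, cap=8.0, rng=random.random):
    """Full-jitter exponential backoff, one capped delay per retry."""
    return [rng() * min(cap, base * 2 ** i) for i in range(max_attempts - 1)]

def send_with_retry(method, send, max_attempts=4, sleep=time.sleep):
    """Call send() until final outcome or budget spent; returns (outcome, attempts)."""
    delays = backoff_delays(max_attempts)
    for attempt in range(1, max_attempts + 1):
        try:
            outcome = send()
        except (ConnectFailed, ResponseLost) as exc:
            outcome = exc
        if attempt == max_attempts or not should_retry(method, outcome):
            return outcome, attempt
        sleep(delays[attempt - 1])

def scripted(outcomes):
    """Constructed stand-in for a transport: replays outcomes, counts sends."""
    it = iter(outcomes)
    def send():
        send.calls += 1
        o = next(it)
        if isinstance(o, Exception):
            raise o
        return o
    send.calls = 0
    return send
```

Under this assumption a write whose response was lost is surfaced to the caller after one send, so recovering it needs an idempotency key or a read-back check rather than a blind resend.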

Documentation

  • New cloud-identity + database-authentication guide in docs/cloud-credentials.md, with per-cloud setup for AWS / GCP / Azure.

Status

Beta — production-ready for the documented surface. Cloud-IAM database auth should be validated against your IAM-enabled database in staging before switching production off the static password.

Full Changelog: v0.44.1...v0.45.0
