Terrapod is a free, open-source platform replacement for Terraform Enterprise. This release adds custom runner execution hooks — operator-defined shell steps that run at fixed points in a plan/apply — along with two operational hardening improvements.
Highlights
- Execution hooks — a central library of reusable shell steps (`pre_init`, `pre_plan`, `post_plan`, `pre_apply`, `post_apply`) that an admin defines once and associates with specific workspaces. Hooks run inside the runner Job with the workspace's cloud identity; a non-zero exit fails the run, so `post_plan`/`pre_apply` hooks work as external gates (e.g. an out-of-band policy check before apply). Managed via the API, the `terrapod_execution_hook` provider resource, and Admin → Execution Hooks in the UI. Kill-switch: `runners.hooksEnabled` (default `true`), enforced authoritatively server-side. See `docs/execution-hooks.md`.
- Autodiscovery hook templates — autodiscovery rules can attach execution hooks to every workspace they create, picked by name in the rule form (no ids to type).
- `platform:hook-admin` capability — added to the platform capability vocabulary so the built-in `admin` capability set is complete.
- Migration-smoke CI + schema-skew guard — a startup guard on `/ready` fails fast when the running app and the database schema are out of step, plus a CI job that smoke-tests migrations.
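
A policy gate of the kind a `post_plan` or `pre_apply` hook could call, shown as an added example that is not Terrapod's own code. It assumes the hook script can render the plan as JSON (`terraform show -json`) and that `python3` exists in the runner image; the page does not say how the plan is exposed to hooks, and the `PROTECTED_TYPES` policy, the `gate.py` name and the sample plan are constructed.

```python
"""Policy gate for a post_plan / pre_apply hook: a non-zero exit fails the run."""
import json
import sys

# Constructed policy: resource types that must never be destroyed or replaced.
PROTECTED_TYPES = {"aws_kms_key", "aws_s3_bucket", "aws_db_instance"}

def violations(plan):
    """Return one message per protected resource the plan would delete."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = (rc.get("change") or {}).get("actions", [])
        # A replacement appears as ["delete", "create"] or ["create", "delete"].
        if "delete" in actions and rc.get("type") in PROTECTED_TYPES:
            found.append(f"{rc.get('address')}: {'/'.join(actions)}")
    return found

def gate(plan_json):
    """Exit status for the hook: 0 lets the run continue, 1 fails it."""
    try:
        plan = json.loads(plan_json)
    except json.JSONDecodeError as exc:
        # Fail closed: an unreadable plan must not pass the gate.
        print(f"gate: cannot parse plan JSON: {exc}", file=sys.stderr)
        return 1
    if not isinstance(plan, dict) or "format_version" not in plan:
        print("gate: input is not a Terraform plan JSON document", file=sys.stderr)
        return 1
    bad = violations(plan)
    for msg in bad:
        print(f"gate: blocked {msg}", file=sys.stderr)
    return 1 if bad else 0

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["delete", "create"]}},
        {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["update"]}},
    ],
})

if __name__ == "__main__":
    # Hypothetical invocation from a hook script: python3 gate.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(gate(fh.read()))
    sys.exit(gate(SAMPLE_PLAN))
```

The gate fails closed: malformed or non-plan input returns 1, so a broken export step cannot silently let an apply through.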
Bug Fixes
- Execution hooks: `post_plan` hooks are now actually executed (they were accepted and delivered but never run); hook input validation hardened (non-numeric priority → 422, idempotent workspace association, 64 KiB script bound).
- Registry: provider signature verification now honours GPG key revocation.
Status
Beta — the execution-hooks surface (API, SDK, provider, UI, docs) is complete and covered across the unit, services-API, and integration test tiers.
Full Changelog: v0.52.0...v0.53.0