Skip to content

v3.16.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 01 Jun 23:27
· 23 commits to main since this release
v3.16.0
d8041f2

v3.16.0 is a substantial ClickPipes-focused release. It adds first-class support for GCP Private Service Connect reverse endpoints (unblocking ClickPipes against Cloud SQL and other GCP sources), a dedicated clickhouse_clickpipes_reverse_private_endpoint_custom_private_dns resource so custom DNS mappings can be attached and updated after the endpoint already exists, an in-place update path for Kinesis pipes, and Google Cloud Pub/Sub as a new source type. The release also promotes write-only passwords for ClickPipes sources (password_wo / password_wo_version) so credentials can be rotated without ever being stored in Terraform state, and fixes several long-standing bugs β€” most notably that deleting multiple private endpoints in one apply now removes them all, and that ClickPipes can finally be created with a custom replica count and updated without losing their username.

✨ New Features

  • GCP Private Service Connect for ClickPipes reverse endpoints: clickhouse_clickpipes_reverse_private_endpoint now accepts GCP_PSC_SERVICE_ATTACHMENT as a type, with a new gcp_service_attachment attribute (format projects/{project}/regions/{region}/serviceAttachments/{name}). This unblocks ClickPipes against GCP data sources such as Cloud SQL over PSC, with a new end-to-end example under examples/clickpipe/reverse_private_endpoint_cloud_sql_psc/ (#548).
  • Google Cloud Managed Kafka as a Kafka source: gcmk is now a recognised Kafka source type for ClickPipes (#548).
  • Dedicated custom-DNS resource for reverse endpoints: the new clickhouse_clickpipes_reverse_private_endpoint_custom_private_dns resource manages the full set of custom private DNS mappings for an existing reverse private endpoint. Because private DNS names are often only known after the underlying VPC/PSC endpoint has been created, this resource can depends_on those upstream resources and attach mappings later β€” without forcing replacement of the reverse private endpoint itself. The mapping list is a full-replacement set, and deleting the resource clears all custom mappings (#552).
  • Pub/Sub source for ClickPipes: the clickhouse_clickpipe resource now supports Google Cloud Pub/Sub as a source type, letting you ingest directly from Pub/Sub topics (currently in private preview) (#527).
  • Write-only passwords for ClickPipes sources: every source authentication block on clickhouse_clickpipe now accepts an ephemeral password_wo value alongside an integer password_wo_version trigger. The password is sent to the API on create/update but never persisted to Terraform state, eliminating the long-standing concern about plaintext credentials being readable from state files. The existing password attribute still works and is mutually exclusive with password_wo (#532).
  • CLICKHOUSE_CLOUD_API_KEY / CLICKHOUSE_CLOUD_API_SECRET environment variables: the provider now reads credentials from these renamed variables, matching the naming used in the ClickHouse Cloud UI and OpenAPI docs. The previous CLICKHOUSE_TOKEN_KEY / CLICKHOUSE_TOKEN_SECRET names continue to work but are deprecated and will be removed in a future release; if both are set, the new names take precedence (#540).

πŸ§ͺ Experimental Features

These features require the latest alpha build available.

  • Service upgrade window (clickhouse_service_upgrade_window): pin the weekly window during which the ClickHouse Cloud data plane is allowed to upgrade a service. One window per service: pick a weekday (0–6) and a start_hour_utc ∈ {0, 6, 12, 18}. The resource is primary-service-only (secondary services inherit from their primary), and Create performs a best-effort GET before PUT so an existing out-of-band window surfaces a "please import" diagnostic instead of being silently overwritten. Setting or updating a window requires an ENTERPRISE-plan organization (#549).
  • Scheduled scaling for services (clickhouse_service_scheduled_scaling): define up to 10 recurring weekly windows during which a service uses a fixed replica count and idle-scaling configuration; outside those windows the service falls back to its base auto-scaling settings. Useful for pinning capacity during business hours or scaling down overnight. Per-entry constraints β€” min_replicas == max_replicas, weekdays as 0 (Sunday) through 6 (Saturday), and an end_hour_utc that may be less than start_hour_utc to express overnight windows β€” are validated client-side. Requires a request to support to enable it on your organization (#536).

πŸ”§ Improvements

  • Kinesis ClickPipes can be updated in place: the Kinesis source previously had no PATCH path, so any change to a Kinesis pipe forced a destroy-and-recreate. The provider now sends a proper PATCH and RequiresReplace has been removed from the affected fields, so Kinesis pipes update like every other source (#556).
  • Stopping pipes no longer drifts state: a state-handling bug that affected pipes in a stopping/stopped state has been corrected (#532).
  • Reject starting a pipe in a paused state: extra schema-level validation now refuses configurations that would attempt to start a ClickPipe while it is paused β€” an unsupported transition that previously surfaced as an opaque API error (#532).

πŸ› Bug Fixes

  • Username no longer wiped on ClickPipe PATCH: updating a ClickPipe no longer clears the source username after a PATCH (#533, fixes #528).
  • ClickPipes can be created with a custom replica value: a bug that prevented creating a ClickPipe with a non-default replica count has been fixed (#533, fixes #513).
  • Private endpoint deletion now removes every endpoint: previously, removing multiple private endpoints from a clickhouse_service_private_endpoints_attachment only deleted the last one in the list β€” the others were silently left attached. All endpoints scheduled for removal are now correctly detached (#472).
  • Service deletion retries on transient 409 conflicts: DeleteService now retries automatically (every 10 seconds, for up to 3 minutes) when the API returns a 409 Conflict because the service is still transitioning internally, even after it reports as stopped. This eliminates spurious teardown failures (#509).
  • Alpha-resource examples render again: restored the missing provider.tf template files for the alpha-only resource examples so they render and import correctly (#541, #542).

πŸ“¦ Build / Testing / Packaging

  • Release and end-to-end workflows now auto-retry individual steps on transient failures, reducing the rate of spurious red builds (#531).
  • Stale-issue automation has been relaxed: issues now need 90 days of inactivity (up from 30) before being auto-closed (#550).
  • Pinned the default GITHUB_TOKEN to contents: read on four workflows that don't need broader API access (#537).
  • E2E cleanup now also removes leftover custom roles from the organization after failed role_management test runs, preventing follow-up runs from failing with name conflicts (#507).
  • Release notes generation moved into a dedicated workflow with Langfuse observability, and the Claude tool-use prompt tuned for more reliable output (#510, #506, #518, #534, #535).
  • Dependency bumps: hashicorp/terraform-plugin-go 0.29.0 β†’ 0.31.0 (#474), hashicorp/terraform-plugin-docs 0.24.0 β†’ 0.25.0 (#516), k8s.io/apimachinery 0.34.1 β†’ 0.35.3 (#491), google.golang.org/grpc 1.79.2 β†’ 1.79.3 (#490), actions/setup-go 6.3.0 β†’ 6.4.0 (#499), actions/create-github-app-token 2.2.1 β†’ 3.2.0 (#493, #539), goreleaser/goreleaser-action 7.0.0 β†’ 7.2.1 (#525), tj-actions/changed-files 47.0.5 β†’ 47.0.6 (#520), anthropics/claude-code-action (#505, #515, #530).

Changelog

  • d8041f2 Bump provider version in examples to 3.16.0
  • ee21885 feat(clickpipes): Add kinesis patch flow (#556)
  • 869a20b feat(clickpipes): add reverse endpoint custom DNS resource (#552)
  • f512e22 feat(clickpipes): support GCP PSC reverse endpoints (#548)
  • 7c3b380 Implement multiple bug fixes for forced username update, and custom replicas issue (#533)
  • 8acb242 Bump provider version in examples to 3.15.0-alpha3
  • ef76459 implement write only passwords for ClickPipes sources (#532)
  • ba50002 feat: add clickhouse_service_upgrade_window resource (#549)
  • 6d57d27 Actions improvements, add retry + longer cleanup (#531)
  • 36d02a7 PubSub: Drop snapshot support (#551)
  • 27081a3 fix(idle-issues): increase idle time before issue closes (#550)
  • f3d6c85 Remove alpha docs from main branch
  • c468051 Bump provider version in examples to 3.15.0-alpha2
  • fd32270 fix(alpha-resources): add missing provider.tf (#542)
  • daae413 fix(alpha-resources): rename provider.tf (#541)
  • f27b115 feat(api-env-vars): support CLICKHOUSE_CLOUD_API_* (#540)
  • 122ff0b ci: declare workflow-level contents: read on 4 workflows (#537)
  • d396562 chore(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 (#539)
  • c998bfb feat: add clickhouse_service_scheduled_scaling resource (#536)
  • aa57ff5 Add pubsub support for ClickPipes terraform resource (#527)
  • b9a3e0a chore(deps): bump tj-actions/changed-files from 47.0.5 to 47.0.6 (#520)
  • 54904d8 chore(deps): bump github.com/hashicorp/terraform-plugin-docs from 0.24.0 to 0.25.0 (#516)
  • 7c8d4b0 chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 (#525)
  • 368974f fix(claude-permissions): revert read and write scoping (#535)
  • d6fe9c8 chore(deps): bump anthropics/claude-code-action from 1.0.99 to 1.0.120 (#530)
  • 8deb872 fix(release-docs): langfuse venv install (#534)
  • 9618334 chore(release-notes): tune workflow and allow manual dispatch (#518)
  • 9a0302d Remove alpha docs from main branch
  • 8d38535 Bump provider version in examples to 3.15.0-alpha1
  • dc5458e chore(deps): bump anthropics/claude-code-action from 1.0.93 to 1.0.99 (#515)
  • a713956 ci(releases): move release notes steps to dedicated workflow and use langfuse (#510)
  • 709b6b1 Fix bug in Delete where only last private endpoint was removed (#472)
  • b1d6e6c fix(api): retry DeleteService on 409 Conflict (#509)
  • dd8ab54 fix(e2e): clean up leftover roles after failed role_management test runs (#507)
  • bd957dd chore(deps): bump k8s.io/apimachinery from 0.34.1 to 0.35.3 (#491)
  • a8830a9 chore(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#499)
  • ac88237 chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 (#493)
  • e2a9ba2 chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 (#490)
  • 0731325 chore(deps): bump github.com/hashicorp/terraform-plugin-go from 0.29.0 to 0.31.0 (#474)
  • a902a24 chore(deps): bump anthropics/claude-code-action from 1.0.80 to 1.0.92 (#505)
  • 263f26f ci(release-notes): steer claude tool use (#506)
Assets 18
Loading