v0.43.0

github-actions released this 24 Jun 10:54
· 1 commit to main since this release
ed4dce9

Terrapod is a free, open-source platform replacement for Terraform Enterprise. This is a hardening release implementing the verified findings from a whole-project third-party review (security, documentation, UX, completeness, tests, API-contract integrity).

Bug Fixes

  • Service Catalog access is now grantable to non-admins: catalog_permission (none/read/use/admin) is exposed end-to-end on the roles surface (API, web Roles page, go-terrapod, and the terrapod_role provider resource + data source). Previously the axis existed but no consumer could set it, so with no everyone floor the v0.42.0 self-service catalog was admin-only in practice.
  • Drift-ignore no longer stalls the API event loop — parsing a large drift plan and classifying it now run off the event loop (Rule 13), so a multi-MB plan can't park /health on a replica.
  • Concurrent create conflicts return 409, not 500 — a global IntegrityError handler maps unique-constraint races (pre-check-then-INSERT under multiple replicas) to a proper conflict.
  • RFC3339 timestamps — the registry, GPG-key, and binary-cache endpoints now emit a trailing Z (not +00:00), restoring go-tfe compatibility on those surfaces.
  • Web UX — the workspace list now live-updates the first workspace created on an empty org (SSE was gated on a non-empty list); deleting a workspace variable now requires a two-click confirm; the run-detail page no longer breaks next build (missing Suspense boundary).
  • Docs — corrected the migration-tool status (available since v0.27.0, not stubbed) and the generated catalog-wrapper example (untyped root variables).

Security

  • Offboarding is now complete — deactivating or deleting a user revokes the cached token-role set and every API token bound to the identity, not just web sessions (a deactivated admin previously kept cached admin roles for up to 60s on API-token requests).
  • PKCE verifier comparison is now timing-safe (hmac.compare_digest).
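
The timing-safe PKCE check, sketched as an added example (not Terrapod's code). It assumes the S256 method from RFC 7636 and a server-side check at the token endpoint; `s256_challenge` and `verify_pkce` are hypothetical names.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(verifier)) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """True only if the verifier hashes to the challenge stored at authorization time."""
    # Reject malformed verifiers before hashing; fullmatch also excludes non-ASCII.
    if not isinstance(code_verifier, str) or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    if not stored_challenge:
        return False
    try:
        presented = stored_challenge.encode("ascii")
    except UnicodeEncodeError:
        return False
    expected = s256_challenge(code_verifier).encode("ascii")
    # Unlike ==, compare_digest does not return early at the first differing
    # byte, so response time does not reveal how much of the value matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Test vector from RFC 7636 Appendix B.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    print(verify_pkce(challenge, verifier))
```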

New tests

  • Router-level coverage for the public GitHub webhook receiver and the provider-mirror authentication gate (both previously had none).

Status

Beta — a hardening release on top of v0.42.0; no schema changes, no new Helm values.

Full Changelog: v0.42.0...v0.43.0