v0.45.0
Terrapod is a free, open-source platform replacement for Terraform Enterprise. This release adds passwordless database authentication and hardens every API client with bounded retries.
Highlights
- Cloud-IAM database authentication — connect the platform Postgres with no static password, using the API pod's existing cloud workload identity. Opt in via `database.auth_mode`: `aws_iam` (AWS RDS IAM, IRSA), `gcp_iam` (GCP Cloud SQL IAM, Workload Identity Federation), or `azure_ad` (Azure Database for PostgreSQL — Microsoft Entra, Azure Workload Identity). A short-lived token is minted per connection, off the event loop, and TLS is always on. Static-password auth (`password`) remains the default and is unchanged.
- First-class database TLS CA — the new `api.databaseCA` chart block takes the provider CA bundle as a ConfigMap (inline PEM that the chart turns into a ConfigMap, or an `existingConfigMap`), mounts it, and wires `database.ssl_root_cert` automatically — so `ssl_mode: verify-ca`/`verify-full` work out of the box.
- Bounded retry on every API client — runner uploads, listener status/log/heartbeat posts, API → upstream registry/VCS/binary-cache calls, and notification + run-task webhook deliveries now retry transient failures (timeouts, connection errors, 5xx) with backoff, method-aware so non-idempotent writes are never double-sent. A single dropped `plan-result` POST can no longer leave a workspace falsely flagged as drifted.
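The method-aware bounded retry described in the last highlight, as an added illustration rather than Terrapod's own client code: it assumes the policy that a connection error raised before any bytes were sent may be retried for every method, while a timeout or 5xx is retried only for idempotent methods and is handed straight back to the caller for a POST. The `sleep` and `rng` parameters are injectable so the backoff schedule can be checked without waiting.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Union

# Methods a client may re-send after an ambiguous failure (RFC 9110, section 9.2.2).
IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "PUT", "DELETE", "OPTIONS"})

class ConnectError(Exception):
    """Socket failed before any request bytes were written; the server saw nothing."""

class RequestTimeout(Exception):
    """No response in time; the server may or may not have acted on the request."""

@dataclass
class Response:
    status: int

def retry_allowed(method: str, failure: Union[Exception, Response]) -> bool:
    """Method-aware policy (assumed here): a connection error means the request
    never left the client, so any method may be resent; a timeout or 5xx is
    ambiguous, so only idempotent methods are resent, never a POST."""
    if isinstance(failure, ConnectError):
        return True
    if isinstance(failure, RequestTimeout):
        return method in IDEMPOTENT_METHODS
    return failure.status >= 500 and method in IDEMPOTENT_METHODS

def send_with_retry(method: str, do_request: Callable[[], Response],
                    max_attempts: int = 4, base_delay: float = 0.2,
                    sleep=time.sleep, rng=random.random):
    """Call do_request() until a non-retryable outcome or max_attempts is reached.
    Returns (response, attempts_used); raises the last exception when no response
    was ever received or the failure is not retryable for this method."""
    for attempt in range(1, max_attempts + 1):
        try:
            resp = do_request()
            failure = resp
        except (ConnectError, RequestTimeout) as exc:
            resp, failure = None, exc
        if attempt == max_attempts or not retry_allowed(method, failure):
            if resp is not None:
                return resp, attempt
            raise failure
        # Exponential backoff with full jitter, capped so a flapping upstream
        # cannot hold a runner slot for long.
        sleep(min(5.0, base_delay * 2 ** (attempt - 1)) * rng())
```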
Documentation
- New cloud-identity + database-authentication guide in `docs/cloud-credentials.md`, with per-cloud setup for AWS / GCP / Azure.
Status
Beta — production-ready for the documented surface. Cloud-IAM database auth should be validated against your IAM-enabled database in staging before switching production off the static password.
Full Changelog: v0.44.1...v0.45.0