Skip to content

v0.50.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 30 Jun 11:24
v0.50.0
c6d8364
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Terrapod is a free, open-source platform replacement for Terraform Enterprise — the collaboration, governance, state, and registry layer around terraform / tofu. This release is an enterprise-readiness wave: bring-your-own-key encryption at rest, day-2 operability (observability, backup/DR, preflight), and the hardening to run them safely.

Highlights

  • Encryption at rest (BYOK, optional, off by default) — application-layer envelope encryption of DB-stored secrets and Terraform state files, with a key-encryption key you hold: static (operator-held), vault_transit (HashiCorp Vault), or awskms (AWS KMS). For deployments without a usable cloud at-rest switch — bare-metal, on-prem, a niche cloud, or air-gapped — and belt-and-braces where your CSP already encrypts. State stays consistent (integrity hashes over plaintext; the runner's state download proxies+decrypts when on). Enable with api.config.encryption.enabled.
  • Don't-lose-the-key durability — losing decryptability is data loss, so the feature is built to make that impossible by accident: a pre-enable wrap→unwrap proof, a boot canary that fails closed (a wrong/missing key crashes the API rather than serving), a decryptable status endpoint, an on-demand encryption doctor drill, DEK rotation that verifies-before-activate and retains old keys, and a resumable verify-readback migration to encrypt-in-place or revert. DEK rotation propagates across replicas automatically (no leader election, no restart).
  • Observability bundle — a shipped Grafana dashboard, a Prometheus PrometheusRule alert set, and a runbook per alert. Enable with api.config.metrics.grafanaDashboards.enabled / prometheusRule.enabled.
  • Backup + DR drill — a logical Postgres backup CronJob plus a restore-verification job that proves the backup actually restores (and that state objects are reachable). Off by default; backup.enabled / backup.restoreVerify.enabled.
  • Preflight doctor — a one-shot cloud-identity + object-store preflight that validates storage access and workload-identity wiring before you depend on them. preflight.enabled.

Status

Beta — production-shaped, API-stable for the CLI surface. The encryption, backup, and preflight features are off by default; turn on only what you need.

Full Changelog: v0.49.2...v0.50.0

Assets 32
Loading