v0.51.0

@github-actions github-actions released this 02 Jul 08:26
f82951f

Terrapod is a free, open-source platform replacement for Terraform Enterprise — the collaboration, governance, state, and registry layer around terraform / tofu. This release makes RBAC granular: permissions are now capabilities, not just hierarchical levels.

Highlights

  • Capability-based RBAC — a role's grant is now a set of granular resource:verb capabilities (e.g. run:plan, run:apply, run:apply-destroy, workspace:delete, var:write, state:read) instead of a single hierarchical level. This expresses grants the old levels never could — most importantly "plan but not apply" (run:plan without run:apply). Capabilities union across a user's matching roles and are scoped by the same label/name allow/deny rules as before.
  • Levels become authoring shorthand — the familiar permission levels (read/plan/write/admin per axis) still work: send them on create/update and the server expands them into capabilities; a PATCH of one axis's level replaces only that axis, preserving granular capabilities on the others. Every roles response returns the stored capabilities plus a derived, read-only level summary (the matching preset name, or "custom" when the set matches no preset).
  • Single source of truth — capabilities are the only stored, enforced grant; the per-axis level columns were dropped from the database (faithful, in-place migration — existing roles keep exactly the access they had). No depends_on-style drift between a stored level and the enforced permission.
  • Wired end-to-end — the capability model is authored and displayed across the whole stack: the roles API, the go-terrapod SDK (Role.Capabilities), the Terraform provider (terrapod_role.capabilities), and the admin roles UI (a capability matrix with preset shortcuts).
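
The grant semantics from the highlights above (level expansion, the derived level summary, and the union across matching roles), modelled as an added example that is not Terrapod's code. The capability names come from the release notes; the contents of each preset and the role names are assumptions made for illustration, and label/name scoping is taken as already applied.

```python
# Illustrative model of the release's grant semantics; not Terrapod source code.
# ASSUMPTION: the contents of each preset below are invented for this example.
# Only the capability names themselves appear in the release notes.
PRESETS = {
    "read": frozenset({"state:read"}),
    "plan": frozenset({"state:read", "run:plan"}),
    "write": frozenset({"state:read", "run:plan", "run:apply", "var:write"}),
    "admin": frozenset({"state:read", "run:plan", "run:apply", "var:write",
                        "run:apply-destroy", "workspace:delete"}),
}


def expand_level(level):
    """Levels are authoring shorthand: expand one into its stored capability set."""
    return PRESETS[level]


def derive_level(capabilities):
    """Read-only summary: the matching preset name, or "custom" if none matches."""
    caps = frozenset(capabilities)
    for name, preset in PRESETS.items():
        if caps == preset:
            return name
    return "custom"


def effective_capabilities(matching_roles):
    """Union the capabilities of every role already matched to the user and workspace."""
    merged = set()
    for role in matching_roles:
        merged |= role["capabilities"]
    return frozenset(merged)


def is_allowed(matching_roles, capability):
    """A request is allowed only if the unioned set contains the capability."""
    return capability in effective_capabilities(matching_roles)


# Constructed sample roles (hypothetical names).
planner = {"name": "ci-planner", "capabilities": expand_level("plan")}
applier = {"name": "release-apply", "capabilities": frozenset({"run:apply"})}
```

Because capabilities union, a "plan but not apply" grant holds for a user only while no other matching role contributes run:apply, so access reviews should look at the unioned set rather than at each role in isolation.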

Status

Beta — production-shaped, API-stable for the CLI surface. Existing roles are migrated faithfully; no operator action required.

Full Changelog: v0.50.1...v0.51.0