v0.51.0
Terrapod is a free, open-source platform replacement for Terraform Enterprise — the collaboration, governance, state, and registry layer around terraform / tofu. This release makes RBAC granular: permissions are now capabilities, not just hierarchical levels.
Highlights
- Capability-based RBAC — a role's grant is now a set of granular `resource:verb` capabilities (e.g. `run:plan`, `run:apply`, `run:apply-destroy`, `workspace:delete`, `var:write`, `state:read`) instead of a single hierarchical level. This expresses grants the old levels never could — most importantly "plan but not apply" (`run:plan` without `run:apply`). Capabilities union across a user's matching roles and are scoped by the same label/name allow/deny rules as before.
- Levels become authoring shorthand — the familiar permission levels (read/plan/write/admin per axis) still work: send them on create/update and the server expands them into capabilities; a PATCH of one axis's level replaces only that axis, preserving granular capabilities on the others. Every roles response returns the stored `capabilities` plus a derived, read-only level summary (the matching preset name, or `"custom"` when the set matches no preset).
- Single source of truth — capabilities are the only stored, enforced grant; the per-axis level columns were dropped from the database (faithful, in-place migration — existing roles keep exactly the access they had). No `depends_on`-style drift between a stored level and the enforced permission.
- Wired end-to-end — the capability model is authored and displayed across the whole stack: the roles API, the go-terrapod SDK (`Role.Capabilities`), the Terraform provider (`terrapod_role.capabilities`), and the admin roles UI (a capability matrix with preset shortcuts).
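To make the level-to-capability expansion, the per-axis PATCH semantics and the derived `"custom"` summary concrete, here is an added Go sketch; it is not code from Terrapod or the go-terrapod SDK, and its preset table is an assumption constructed for the example. It shows a "plan but not apply" grant staying plan-only, a PATCH of the run axis leaving a granular `state:read` untouched, and a hand-picked set being summarised as `"custom"`.

```go
package main

import "strings"

type Capability = string // a granular "resource:verb" grant such as "run:plan"
// Level-to-capability expansion per axis. This table is a constructed
// assumption for the example, not Terrapod's real preset mapping.
var presets = map[string]map[string][]Capability{
	"run":   {"plan": {"run:plan"}, "write": {"run:plan", "run:apply"}, "admin": {"run:plan", "run:apply", "run:apply-destroy"}},
	"state": {"read": {"state:read"}, "write": {"state:read", "state:write"}},
}
// axisCaps lists the stored capabilities that belong to one axis.
func axisCaps(caps map[Capability]bool, axis string) (out []Capability) {
	for c := range caps {
		if strings.HasPrefix(c, axis+":") {
			out = append(out, c)
		}
	}
	return out
}
// SetAxisLevel models a PATCH of one axis's level: only that axis's
// capabilities are replaced; every other axis keeps its granular grants.
func SetAxisLevel(caps map[Capability]bool, axis, level string) bool {
	exp, ok := presets[axis][level]
	if !ok {
		return false // unknown axis or level: reject and change nothing
	}
	for _, c := range axisCaps(caps, axis) {
		delete(caps, c)
	}
	for _, c := range exp {
		caps[c] = true
	}
	return true
}
// DerivedLevel is the read-only summary: the preset whose set equals the
// axis's stored capabilities exactly, else "custom" (a grant worth auditing).
func DerivedLevel(caps map[Capability]bool, axis string) string {
	have := axisCaps(caps, axis)
	for name, exp := range presets[axis] {
		match := len(exp) == len(have)
		for _, c := range exp {
			match = match && caps[c]
		}
		if match {
			return name
		}
	}
	return "custom"
}
```

A user's effective set is the plain union of their matching roles' capability sets; the functions above take that already-merged set as input.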
Status
Beta — production-shaped, API-stable for the CLI surface. Existing roles are migrated faithfully; no operator action required.
Full Changelog: v0.50.1...v0.51.0