Releases: cloudposse/terraform-aws-components
v1.478.0
feat(spacelift): support for local files for policies @oycyc (#1091)
what
- Upgrade the Spacelift policies module to version 1.7.0 following the PR cloudposse/terraform-spacelift-cloud-infrastructure-automation#183
- Add support for using a file path as the source of a Spacelift policy, in addition to the existing inline body and URL options
references
PR from the Spacelift module cloudposse/terraform-spacelift-cloud-infrastructure-automation#183
v1.477.0
v1.476.0
Fix account map special accounts like dns, identity support dynamic roles @goruha (#1087)
what
- Support terraform dynamic roles `dns_terraform_role_arn`, `audit_terraform_role_arn`, `identity_terraform_role_arn`
- Fix bug when `team_roles_stacks` does not have components defined
why
- Some components like `dns-delegated` use `dns_terraform_role_arn`, `audit_terraform_role_arn`, `identity_terraform_role_arn` in `provider.tf`
- In the case of gitops, the planner role can not assume an apply dynamic role. That's the expected case for all non-`gbl` accounts
references
v1.475.0
EKS IDP roles added reader @goruha (#1089)
what
- Added `reader` role for `eks/idp-roles`
why
- Required for dynamic terraform roles to read k8s resources
references
feat: Auth0 Components @milldr (#1086)
what
- Added components for Auth0 terraformation: `auth0/tenant` and `auth0/app`
why
- Auth0 Application component. Auth0 is a third-party service that provides authentication and authorization as a service. It is typically used to authenticate users.
- `auth0/tenant` configures the Terraform provider and the Auth0 tenant itself
- `auth0/app` deploys an Auth0 application
references
- client engagement
Fix: README Formatting for Docusaurus @milldr (#1084)
what
- Misc fixes for admonitions and support format for rendering on Docusaurus
why
- New lines are required after `:::`
- Support MDX format
references
v1.474.0
Upgrade Supported ArgoCD Chart Version @RoseSecurity (#1081)
what and why
- Argo versions `0.1.0` through `2.10.0-rc1`, `v2.9.3`, `v2.8.7`, `v2.7.15` are affected by CVE-2024-22424, a CSRF attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD.
- Propose that we update the default values for Argo's chart from `argo/argo-cd 5.19.12 v2.5.9` to an unaffected version patched after 2.10-rc2, 2.9.4, 2.8.8, 2.7.16
notable changes
- Argo CD 2.10 upgraded kubectl from 1.24 to 1.26. This upgrade introduced a change where client-side-applied labels and annotations are no longer preserved when using a server-side kubectl apply
- Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3
- Starting with Argo CD 2.10.11, the NetworkPolicy for the argocd-redis and argocd-redis-ha-haproxy dropped Egress restrictions. This change was made to allow access to the Kubernetes API to create a secret to secure Redis access
testing
- This version has been tested and verified to work with the existing component configuration
references
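The affected set quoted in the note above mixes a pre-release boundary (`2.10.0-rc1` affected, `2.10.0-rc2` fixed) with per-line patch releases, which plain string comparison gets wrong. The following is an added example (editorial, not part of the component or of Argo CD's tooling) that encodes exactly the affected/fixed versions listed in the note and checks a chart default against them. The three-column `chart chart_version app_version` row format, the `is_affected` / `check_chart_row` names and the sample input are assumptions made for the example.

```python
"""Check whether an Argo CD app version is in the CVE-2024-22424 affected set.

Added example; the affected/fixed versions are taken from the release note
above (fixed in 2.7.16, 2.8.8, 2.9.4 and 2.10.0-rc2, written "2.10-rc2"
in the note). Everything else here is an assumption for illustration.
"""
import re

# Fixed version per maintained release line; any other line is measured
# against the mainline fix.
FIXED_BY_LINE = {(2, 7): "2.7.16", (2, 8): "2.8.8", (2, 9): "2.9.4"}
FIXED_MAINLINE = "2.10.0-rc2"

# Assumed row format for a chart default, e.g. "argo/argo-cd 5.19.12 v2.5.9".
CHART_ROW_RE = re.compile(
    r"^(?P<chart>\S+)\s+(?P<chart_version>\S+)\s+(?P<app_version>\S+)$"
)


def parse_version(version: str) -> tuple:
    """Turn 'v2.10.0-rc1' into a tuple that orders by semver rules.

    A final release sorts after every pre-release of the same core version,
    and numeric pre-release identifiers sort before alphanumeric ones.
    """
    core, _, pre = version.strip().lstrip("v").partition("-")
    core = core.split("+", 1)[0]  # drop build metadata, which never orders
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (3 - len(nums))  # allow "2.10" as shorthand for 2.10.0
    if not pre:
        pre_key = (1,)  # final release: greater than any pre-release
    else:
        idents = tuple(
            (0, int(ident)) if ident.isdigit() else (1, ident)
            for ident in pre.split(".")
        )
        pre_key = (0, idents)
    return nums + (pre_key,)


def is_affected(version: str) -> bool:
    """True when the given Argo CD version is older than its line's fix."""
    parsed = parse_version(version)
    fixed = FIXED_BY_LINE.get(parsed[:2], FIXED_MAINLINE)
    return parsed < parse_version(fixed)


def check_chart_row(row: str) -> dict:
    """Parse an assumed 'chart chart_version app_version' row and flag it."""
    match = CHART_ROW_RE.match(row.strip())
    if match is None:
        raise ValueError(f"unrecognised chart row: {row!r}")
    app_version = match.group("app_version")
    return {
        "chart": match.group("chart"),
        "chart_version": match.group("chart_version"),
        "app_version": app_version,
        "affected_by_cve_2024_22424": is_affected(app_version),
    }


if __name__ == "__main__":
    # Constructed sample: the pre-upgrade default quoted in the note above.
    print(check_chart_row("argo/argo-cd 5.19.12 v2.5.9"))
    for candidate in ["v2.5.9", "2.7.15", "2.7.16", "v2.9.3", "v2.9.4",
                      "2.10.0-rc1", "2.10.0-rc2", "2.10.11"]:
        state = "AFFECTED" if is_affected(candidate) else "ok"
        print(f"{candidate:>12}: {state}")
```

The pre-release handling is the part worth keeping: `2.10.0-rc1` must compare below `2.10.0-rc2`, and both below `2.10.0`, otherwise an `rc` default slips through a naive "is it at least 2.10" check.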
v1.473.0
🚀 Enhancements
feat: add additional variables and outputs for `spa-s3-cloudfront` @korenyoni (#1080)
what
- add `origin_bucket` variable
- add `s3_origins` variable
- add `cloudfront_distribution_identity_arn` output
why
- Add variables and outputs present in the cloudposse/terraform-aws-cloudfront-s3-cdn module but missing in this component
references
N/A
v1.472.0
v1.471.0
fix(`aws-team-roles`): Remove Deprecated Support and Billing Custom Policies @milldr (#1078)
what
- Add missing custom policy names that are already defined with the included component
- Removed the custom policies for support and billing
why
- The `policy-support.tf` and `policy-billing.tf` files already contain these policies by default. We should include them as in the default `supplied_custom_policy_map`
- We should use the AWS managed Job Role policies instead. For example:
```yaml
billing:
  <<: *user-template
  enabled: false
  role_description: "Role with view permissions in the billing console"
  role_policy_arns:
    - "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
  aws_saml_login_enabled: false
  max_session_duration: 3600 # 1 hour in seconds
  trusted_teams:
    - "devops"
    - "managers"
billing_admin:
  <<: *user-template
  enabled: false
  role_description: "Role with permissions for billing and cost management. This includes viewing account usage and viewing and modifying budgets and payment methods."
  role_policy_arns:
    - "arn:aws:iam::aws:policy/job-function/Billing"
  aws_saml_login_enabled: false
  trusted_teams:
    - "devops"
    - "managers"
support:
  <<: *user-template
  enabled: true
  role_policy_arns:
    - "arn:aws:iam::aws:policy/AWSSupportAccess"
    - "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess"
  role_description: "Role with permissions for accessing the AWS Support Service"
  trusted_teams:
    - "devops"
    - "managers"
    - "helpdesk"
```
references
- Customer engagement
- These changes were reverted in https://github.com/cloudposse/terraform-aws-components/pull/715/files#diff-cfffc34b5672fff580a9d0f4c45efc3d5a8326d66ad54f81c9569cfe5499b7c0R13-R14.
I believe this was a mistake. This was intentional
v1.470.1
🐛 Bug Fixes
[eks/actions-runner-controller] Fix misconfigured document separators in Helm chart template @Nuru (#1077)
what
- `eks/actions-runner-controller`: Fix misconfigured document separators in Helm chart template
why
- Runner Deployment manifest would be malformed if not using `running_pod_annotations`
references
- Introduced in #1075
v1.470.0
[eks/actions-runner-controller] Multiple bug fixes and enhancements @Nuru (#1075)
what
New Features:
- Add support for scheduled overrides of Runner Autoscaler min and max replicas.
- Add option `tmpfs_enabled` to have runners use RAM-backed ephemeral storage (`tmpfs`, `emptyDir.medium: Memory`) instead of disk-backed storage.
- Add `wait_for_docker_seconds` to allow configuration of the time to wait for the Docker daemon to be ready before starting the runner.
- Enhance the ability to have the runner Pods add annotations to themselves once they start running a job.
Changes:
- Previously, `syncPeriod`, which sets the period in which the controller reconciles the desired runners count, was set to 120 seconds in `resources/values.yaml`. This setting has been removed, reverting to the default value of 1 minute. You can still set this value by setting the `syncPeriod` value in the `values.yaml` file or by setting `syncPeriod` in `var.chart_values`.
- Previously, `RUNNER_GRACEFUL_STOP_TIMEOUT` was hardcoded to 90 seconds. That has been reduced to 80 seconds.
- The inaccurately named `webhook_startup_timeout` has been replaced with `max_duration`. `webhook_startup_timeout` is still supported for backward compatibility, but is deprecated.
Bugfixes:
- Create and deploy the webhook secret when an existing secret is not supplied
- Restore proper order of operations in creating resources (broken in release 1.454.0 (PR #1055))
- If `docker_storage` is set and `dockerdWithinRunnerContainer` is `true` (which is hardcoded to be the case), properly mount the docker storage volume into the runner container rather than the (non-existent) docker sidecar container.
why
New Features:
- Enable having idle runners during work hours without having to pay for them during non-work hours.
- Enable packing more Runners onto an instance without being constrained by disk I/O.
- Allow for extended disk I/O waits when some Runner gets greedy.
- Intended to make idle Runners interruptible and running runners uninterruptible under Karpenter, but it does not work well enough for that. Still, we implemented the feature, so we might as well leave it in. Adds logging to help diagnose race conditions.
Changes:
- More responsive scaling
- Increases the chances the runner will successfully deregister itself
- The old name was extremely confusing, while the new name is much more reflective of its impact
Bugfixes:
- Restore intended operation
references
[eks/karpenter] Add support for `kubelet` config, fix IAM support for `v1alpha` cleanup @Nuru (#1076)
what
- Support configuration of `spec.template.spec.kubelet`
- Fix issues with IAM Policy supporting management of v1alpha resources
why
- Default reservations for system resources under Amazon Linux are often inadequate and benefit from being able to be tuned
- Previous policy had errors, and would become too long if the cluster name got too long