NOTES:
- Until further notice, the following providers are not being maintained. They aren't being abandoned but there are too few development resources to update all of them right now.
- Azure AD (EntraID)
- Google Workspace
- Okta
DEV:
- Bumped Python to 3.11
DOCS:
- Update README with IAMbic/TF Differences ; Video img #605
- IAC Comparison Table #598
- Update doc on how to turn on Cloudtrail logs integration #597
- Fix doc links #596
- Rewrite the getting started section. #590
BUG FIXES:
- Fixed #608 Implement import filtering protocol for SCP #609
- Fixed #602 Propagate errors if invalid user or group assignment #606
- Optimize GitHub PR plan time #607
- Fix IdentityCenter access rules not being updated #604
- Fixed EN-2401 Check parent directory truthy-ness before attempt to create it #603
- Enhance error message during PrincipalID resolution #599
- Fix error handling for detect not able to create gist #595
DEV:
- Fix flaky functional test on account assignment #612
THANKS:
hilyas
contributing better docs #590
rodolphoescobar
reporting NOQ::AWS::Organizations::SCP Filter does not work #608
dushyantbhardwaj9
reporting iambic does not throw warning/error for users/groups that do not exists in the Idp #602
dushyantbhardwaj9
reporting import not updating existing IdentityCenter access rules in templates.
BUG FIXES:
- Fix #593 PermissionSet InlinePolicy to support single statement syntax #594
THANKS:
rodolphoescobar
reporting Permission Set InlinePolicy issue #593
ENHANCEMENTS:
- Cloudtrail logs as git notes on 'detect' commit #522
BUG FIXES:
- Use alternative implementation of list_users and list_groups #591
THANKS:
dushyantbhardwaj9
for contributing the alternate implementation of list_users and list_groups to workaround some AD + IdentityCenter issues #557
DOCS:
- Update JSON Schema and Schema markdown #586
BUG FIXES:
- EN-2348: add guards when schema generator fails #582
- Fix #587 when describe_user and describe_group fail to lookup PrincipalID #588
ENHANCEMENTS:
- Allow disabling variable substitution #589
THANKS:
rodolphoescobar
reporting ResourceNotFoundException in import resources #587
DOCS:
- Simplify installation instructions #567
ENHANCEMENTS:
- EventBridge Schedule to invoke detect, expire, enforce, and import periodic tasks #567
BUG FIXES:
- Fix #581 Relax Target to stay as account id if we cannot look up its account name #583
- Fix #555 Duplicate menu item #584
DEV EXPERIENCE:
- Fix pre-commit complaints #580
THANKS:
rodolphoescobar
reporting SCP import issue #581
BUG FIXES:
- Workaround for #557 Defer GUID resolution #558
- Fix EN-2380 clear known cf stacksets state if user enter into add org flow #573
- Fix for exception raised when iambic plan command is run on empty template file #578
- Fix for encoding error when writing proposed_changes.txt #576
THANKS:
dushyantb
reporting #557 and testing #558
0xAJX
reporting #577 and contributed the fix #578
0xAJX
reporting #575 and contributed the fix #576
BUG FIXES:
- EN-2381 Fixed identity center handling of suspended account #568
- Added a check to skip code if OS is Windows fixes #570 #571
- EN-2379 Turn on CF Stacksets for Organizations when possible #569
THANKS:
BUG FIXES:
- Fix template generation details #566
DOCS:
BUG FIXES:
- Fix EN-2377 Use list instead of set for deterministic iteration order #565
BUG FIXES:
- Docs and script to update deployed lambda function #552
- Enhance GitHub App local secrets handling #559
- Fix condition in policy statement #560
- Ignore extra fields because of forward compatibility reasons #561
THANKS:
datfinesoul
for giving feedback on need to have docs or automation to update the IAMbic GitHub integration
BUG FIXES:
- EN-2373: change regions #556
THANKS:
dushyantb
for reporting issues when IAMbic is used in unsupported AWS regions
ENHANCEMENTS:
- Address part of #490. Name the hyperlink with more details #549
- Added a template_schema_url to all IAMbic templates. #534
- Addresses some of #490 Plan output improvement #550
BUG FIXES:
- EN-2345 Runs lint before plan #547
- EN-2343: Show message when credentials are not provided #539
- Fix #489 Handle change_summary differently during rendering #548
- Fix #507 git apply exceptions is not properly reported in comments #554
DEV EXPERIENCE:
- Track *.png and *.jpg using Git LFS #551
THANKS:
datfinesoul
for giving feedback on auto formatting and relative time -> absolute timestamp commits made by automation
datfinesoul
on reporting plan output is incorrect #489
datfinesoul
on giving feedback on the need of ease of use to lookup schema reference in templates
mike.p
on community slack for reporting the issue when the PR contains invalid AWS principal during git apply cycle.
DOCS:
- Update IAMbic GitHub Integration docs #540
ENHANCEMENTS:
BUG FIXES:
- iambic lint no longer converts expires_at relative time to an absolute #530
- Fix issue when identity center details is lost during 2nd setup #541
- Handling TooManyRequestsException in boto_crud_call #544
- Improved logging in boto_crud_call #544
THANKS:
Rodrigo C.
from community slack on reporting the TooManyRequestsException issue on large orgs.
DOCS:
- Fix typo #533
ENHANCEMENTS:
- Report unhandled exceptions #516
BUG FIXES:
DEV TOOLS:
- EN-2355 Implement dev workflow to test IAMbic GitHub webhook #535
THANKS:
Rodrigo C.
from community slack on reporting AWS multiple iam paths issue.
Shatoria
from community slack on testing out the new IAMbic GitHub integration setup process.
ENHANCEMENTS:
- GitHub App creation flow in iambic wizard #515
DOCS:
- Change project description on PyPI #527
  - There were some references to the old project name. Those were cleaned up.
BUG FIXES:
- Fix #491 Support "merge", "squash", and "rebase" merge method #525
- Fix security/dependabot/26 Bump certifi #524
- Fixed bug where none type description was causing an exception on role #528
- Attaching and detaching role tags are now two distinct operations. Fixes to role attribute value resolver on Role._apply_to_account. #528
THANKS:
datfinesoul
for reporting GitHub linear history use case. #491
Simon D.
in community slack for reporting the old project name references. #527
BUG FIXES:
- Git commit message not reflecting the linting changes #521
THANKS:
datfinesoul
for reporting git commit message not reflecting the actual changes. #520
DOCS:
- Add Youtube Video reference to README #517
BUG FIXES:
- Add help text to CLI commands #510
- Update App Manifest to subscribe to Workflow run #509
- Update iambic_base_container to 2.0.0 #511
  - Amazon Linux 2023 as the base Linux distribution for the Lambda Container Image
  - Python 3.10.12 as the Python runtime for the Lambda Container Image
- Opportunistically import resource module #506
  - Windows users do not have the resource module available
- Fix #512 Handle FileNotFoundException #513
- Bump aiohttp from 3.8.4 to 3.8.5 #514
THANKS:
Wilhite-r
contributing #510
BUG FIXES:
- Fixed error encountered when configuring change detection in the setup wizard. #508
- Use markdown syntax for links #501
BUG FIXES:
- Fixed Google Groups paginated response #500
THANKS:
jonathan.silva
in community slack reporting the pagination issue on Google Workspace
BUG FIXES:
- Handle CUSTOMER type as Google Group member #499
THANKS:
jonathan.silva
in community slack reporting the CUSTOMER type issue on Google Workspace
BUG FIXES:
- #498
- Fixed race condition on iambic detect not using templated resource id grouping resources.
- Fixed issue where a resource could show as excluded on a resource it was never evaluated on.
ENHANCEMENTS:
- Improved ordering of template attributes.
- base_group_dict_attribute is now more deterministic in its grouping.
- iambic detect performance optimizations.
  - Now only evaluates on the account a resource id change is detected on, as opposed to all accounts.
  - Example: if engineering is on all accounts and detect is run for account a, only engineering on account a is evaluated.
- Removed remaining AWS provider references from core.
DOCS:
BUG FIXES:
- Validate google response data #497
ENHANCEMENTS:
- Add 'notes' core template attribute #485
THANKS:
jonathan.silva
in community slack reporting the Google Workspace setup issue.
BUG FIXES:
- Update Structlog and other dependencies #495
BUG FIXES:
- AWS - Fixing missing change details #487
THANKS:
mikegrima
for contributing AWS fix #487
BUG FIXES:
- Google Workspace - Fix SUSPENDED support in Google Workspace Groups #483
- AWS - Added Managed Policy ARN to ProposedChange #484
THANKS:
victorSouza-DevOPS
for contributing Google Workspace fix #483mikegrima
for contributing AWS fix #484
DOCS:
BUG FIXES:
- Fixed add single AWS account in setup flow. The bug was checking CloudFormation StackSets status when single AWS account setup does not use StackSets #478
- Updated semver to 7.5.2+ #474
ENHANCEMENTS:
- Adds support for AWS Import Rules. IAMbic will obey import rules to either ignore resources with certain attributes, or to flag them as import_only. #469
- Implement GitHub App interaction error protocol #471
- Allow iambic apply to be triggered by GitHub Apps #470
THANKS:
datfinesoul
for championing the user story for AWS Import Rules
ENHANCEMENTS:
- Explicit allow list GitHub bots interactions (iambic approve, iambic apply) #470
BUG FIXES:
- Fixed IAMbic import errors when AWS Organization that has no permission sets in IdentityCenter #459
- Fixed broken links on README.md #465
- Fixed import issue when AWS policy document uses Id element #464
ENHANCEMENTS:
- Improve IAMbic wizard prompting when AWS Organization has not yet enabled trusted access for CloudFormation StackSets. #459
- Only configure structlog if it's not already configured. More friendly when iambic-core is used as a library #462
THANKS:
sidick
for reporting AWS Organization import issue when there is no permission sets in IdentityCenter #460
sidick
for reporting lack of prompts when AWS Organization has not yet enabled trusted organization access for CloudFormation StackSets. #458
sourcefrog
for contribution in fixing README #461
sidick
for reporting AWS Role import issue when Id element is used #463
BUG FIXES:
- Fixed #419: Deleted file should not be removed again during Git workflow #441
- Fixed functional test #451
- Skip a key from new_model if old_model already mark it as metadata #453
- Do not override logging settings when used as library #454
ENHANCEMENTS:
- Bump cryptography from 39.0.1 to 41.0.1 #443
- Skip wizard prompts if AWS SDK can verify settings #444
- Move module level templates symbol to config to allow ease of use of iambic-core as library #440
- Dependency Cleanup #448
- Included empty tags dict when describing role without tags #449
- Implemented "iambic approve" for GitHub workflow #452. It's now possible to have the IAMbic GitHub integration approve a PR. The workflow allows another GitHub App to open a PR and mark the PR as approved. See the pull request for the full discussion on security considerations. It's secure by default, because without an actual configuration with a public/private key, the IAMbic GitHub integration's approve command will not work.
DOCS:
- Create 001-AWS-Managed-Resources-Attributes #395. We recommend contributors write up the design prior to creating a large pull request, so the community can give feedback prior to a significant change.
- Improve GitHub App creation docs to have most of the settings included in the query params #402
THANKS:
mxw-sec
for reporting issue #419 regarding AWS IAM Delete File issue GitHub App
mxw-sec
for discussing how to improve GitHub App creation using GitHub App Manifest
datfinesoul
for reporting issue #405 regarding Automatically Detect Management Account for AWS Organizations to confirm an existing prompt.
mikegrima
for contributing #448. This shrinks the install dependencies when using iambic-core as library.
mikegrima
for contributing #449. This makes AWS role tags before/after value much easier to compare by handling boto3 quirks.
BUG FIXES:
- Explicitly setting account_id and account_name variables during AWS Account Setup Wizard #430
- Create iambic docker user before assigning file permissions #435
- Handled unbound changes variable on plan_git_changes #434
- Detect changes between policy documents #436
- More robust yaml comments interaction between templates and subsequent import #437
ENHANCEMENTS:
- AWS SCP (Service Control Policy) support. #384
- Development experience changes on removing pytest.ini for ease of run-and-debug #428
- Docs for AWS Change Detection #429
- Docs for IAMbic gist repo usage #432
- SCP Quickstart Docs #433
BUG FIXES:
- Fix merge model int handling (impact subsequent importing) #410
- Fixed wizard prompt when editing an AWS account. #415
- Fix missing tags on IambicSpokeRole in the management account #416
- Fix change detection setup for isolated runs #417
- Ignore extra fields provided by Azure AD #424
- Upgrade requests from 2.30.0 to 2.31.0 #425
- Move IAMbic default docker image to ship with Python 3.10.8 instead of 3.11.1 Setup Wizard #427
ENHANCEMENTS:
- Development experience changes on customizing hub and spoke role #422
- Docs referencing IAMOps flow #420
- Development experience changes on requiring greater than 75% coverage #422
THANKS:
datfinesoul
for reporting missing tags on IambicSpokeRole creation in management account #406
datfinesoul
for reporting AWS change detection setup issue #407
mxw-sec
for reviewing #420
sprkyco
for reporting directory extension Azure AD issue #423
BUG FIXES:
- Handling merge models when the new value is an int
- Flatten multiline comment when they are not attached to a YAML dict key
ENHANCEMENTS:
- Added an iambic convert command to convert an AWS policy to the IAMbic formatted yaml
- Default relative directory leverages path information from IAM resources. #400
THANKS:
Shreyas D
for reporting the merge model issue
Phil H, Michael W
for suggesting the iambic convert command
BUG FIXES:
- AWS plugin now supports legacy policy document schema. (This is an undocumented schema in which statement can be a single statement not wrapped inside an array. New policy editor will always use the array syntax; however, there are old policies that have the legacy syntax. IAMbic should handle it gracefully without crashing.)
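The legacy single-statement syntax above, and the PermissionSet InlinePolicy single statement fix noted further up (#594), both come down to one normalisation step before a policy document is compared or imported. The following is an added example, not IAMbic's own code; it also goes a little beyond the page by normalising the other string-or-list IAM fields (Action, NotAction, Resource, NotResource), and the sample policies are constructed.

```python
# Added example (not IAMbic's own code): normalise an AWS IAM policy document so
# that the legacy single-statement form and the array form compare equal.
# Goes slightly beyond the page: IAM also accepts string-or-list for Action,
# NotAction, Resource and NotResource, so those are normalised to lists too.
import copy
import json
from typing import Any, Dict, List

# Statement keys that IAM accepts either as a single string or as a list of strings.
_STRING_OR_LIST_KEYS = ("Action", "NotAction", "Resource", "NotResource")


def normalize_policy_document(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a deep copy of doc with Statement always a list of statement objects.

    Accepts the legacy schema (Statement is a single object), keeps an optional
    top-level Id element untouched, and raises ValueError on malformed input.
    List order inside a statement is preserved, so reordering still counts as a change.
    """
    out = copy.deepcopy(doc)
    statement = out.get("Statement")
    if statement is None:
        raise ValueError("policy document has no Statement element")
    if isinstance(statement, dict):  # legacy single-statement syntax
        statement = [statement]
    elif not isinstance(statement, list):
        raise ValueError(f"Statement must be an object or a list, got {type(statement).__name__}")
    normalized: List[Dict[str, Any]] = []
    for stmt in statement:
        if not isinstance(stmt, dict) or "Effect" not in stmt:
            raise ValueError(f"malformed statement: {stmt!r}")
        stmt = dict(stmt)
        for key in _STRING_OR_LIST_KEYS:
            if isinstance(stmt.get(key), str):
                stmt[key] = [stmt[key]]
        normalized.append(stmt)
    out["Statement"] = normalized
    return out


def policy_documents_equal(a: Dict[str, Any], b: Dict[str, Any]) -> bool:
    """Semantic comparison for change detection: legacy vs array syntax is not a change."""
    return json.dumps(normalize_policy_document(a), sort_keys=True) == json.dumps(
        normalize_policy_document(b), sort_keys=True
    )


# Constructed sample: the same policy written in legacy and in array syntax.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExamplePolicyId",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
}
ARRAY_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExamplePolicyId",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]}],
}
```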
THANKS:
Shreyas D
reported the issue #397
ENHANCEMENTS:
- Tag support on CloudFormation stack. These tags will propagate to the IambicHubRole and IambicSpokeRole that are created. The wizard will prompt the user to either enter blank or a tag in key1=value1 format. To add multiple tags, use the key1=value1, key2=value2 format.
BUG FIXES:
- Fixes in wizard when user does not grant Iambic write access.
- Fixes in wizard when setting up an individual AWS account instead of AWS Organization.
THANKS:
Phil H.
,David B.
in NoqCommunity proposing tags support during IAMbic setup.
ENHANCEMENTS:
- Additional clarity in the wizard as it relates to AWS cloudformation changes.
- Added the ability to check the IAMbic version from the CLI.
BUG FIXES:
- AWS read only spoke role is now working as designed
- Fixes to text being truncated in the wizard on smaller terminal windows.
THANKS:
PERMISSION CHANGES:
- IambicHubRole now uses a region agnostic resource definition in the SQS IAMbicChangeDetectionQueue permission (CloudFormation Template)
ENHANCEMENTS:
- The AWS region IAMbic uses is now configurable in the wizard.
- Added region awareness to cloud formation util functions.
BREAKING CHANGES:
- The AwsIdentityCenterPermissionSetTemplate schema has changed. In particular, permissions_boundary.policy_arn has become permissions_boundary.managed_policy_arn. This is due to the PermissionSet API distinguishing an attached permissions_boundary as either owned by AWS or owned by the customer. To align with the AWS API response, we have decided to follow the AWS naming convention. The old name permissions_boundary.policy_arn never quite worked correctly in AwsIdentityCenterPermissionSetTemplate, so we decided to go through with the breaking change route.
BUG FIXES:
- Fixed import of AwsIdentityCenterPermissionSetTemplate in which permission boundary is set to managed_policy_arn
THANKS:
PERMISSION CHANGES:
- IambicHubRole added SQS read/write access to queue named IAMbicChangeDetectionQueue to support IAM resource detection. #355
- IambicHubRole added sts:SetSourceIdentity to IambicSpokeRole to be compatible with Idp that enforce SetSourceIdentityForwarding #361
ENHANCEMENTS:
BUG FIXES:
- IAM resource detect mechanism could not remove an SQS message that had already been processed in IAMbicChangeDetectionQueue #355
- If environment variables contain AWS credentials, the IAMbic wizard shall not ask what profile to write into the configuration file. #358
THANKS:
BREAKING CHANGES:
- AWS templates containing account_id or account_name will need to be updated from {{ account_id }} to {{ var.account_id }} and from {{ account_name }} to {{ var.account_name }}. Alternatively, you can remove the files and re-import them.
You can use your favorite editor for find and replace, or give the following bash two-liner a try. The patterns tolerate optional spaces inside the braces; the -i '' form is BSD/macOS sed syntax, on GNU sed use -i with no argument.
find . -type f -name "*.yaml" -print0 | xargs -0 sed -i '' -e 's/{{ *account_id *}}/{{ var.account_id }}/g'
find . -type f -name "*.yaml" -print0 | xargs -0 sed -i '' -e 's/{{ *account_name *}}/{{ var.account_name }}/g'
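For repositories where a plain sed pass is risky (mixed spacing inside the braces, templates already migrated by hand), the same migration can be done as a small Python script. This is an added example, not IAMbic's own tooling; the sample template text is constructed, and the rewrite is idempotent so running it twice never yields {{ var.var.account_id }}.

```python
# Added example (not IAMbic's own tooling): rewrite the old {{ account_id }} /
# {{ account_name }} template variables to the {{ var.* }} form. Unlike a plain
# sed substitution it tolerates any whitespace inside the braces and is
# idempotent, so a second run makes no changes.
import re
from pathlib import Path
from typing import Tuple

# Match {{ account_id }} or {{ account_name }} with optional spaces, but not an
# already-migrated {{ var.account_id }} (negative lookahead on "var.").
_OLD_VAR = re.compile(r"\{\{\s*(?!var\.)(account_id|account_name)\s*\}\}")


def migrate_template_text(text: str) -> Tuple[str, int]:
    """Return (rewritten text, number of substitutions made)."""
    return _OLD_VAR.subn(r"{{ var.\1 }}", text)


def migrate_directory(root: Path, suffix: str = ".yaml") -> int:
    """Rewrite every template file under root in place; return total substitutions."""
    total = 0
    for path in sorted(root.rglob(f"*{suffix}")):
        original = path.read_text(encoding="utf-8")
        rewritten, count = migrate_template_text(original)
        if count:  # only touch files that actually changed
            path.write_text(rewritten, encoding="utf-8")
            total += count
    return total


# Constructed sample template mixing both spacing styles plus one value that has
# already been migrated; only the three old-style references should change.
SAMPLE_TEMPLATE = """template_type: NOQ::AWS::IAM::Role
identifier: app-role-{{ account_name }}
properties:
  role_name: app-role-{{account_name}}
  description: Deployed to {{ var.account_id }}
  tags:
    - key: account
      value: "{{ account_id }}"
"""

if __name__ == "__main__":
    import sys

    print(migrate_directory(Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")))
```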
ENHANCEMENTS:
- Removed AWS package imports from core
- Standardized variable naming in templates
- Improved exception handling in the AWS package
- Cleaned up additional import only checks on AWS IAM role, user, and group models.
BUG FIXES:
- Resolved type error on merge template when new value is None.
The initial plan is a 2-week release cycle.
ENHANCEMENTS:
- Improve memory footprint in templates reading
- Minimize I/O in templates reading