v1.487.0

Add Scoped Rate Limits and Bot Control Machine Learning to WAF Component @RoseSecurity (#1103)

what

• Added enable_machine_learning parameter inside aws_managed_rules_bot_control_rule_set configuration
• Adds scope_down_statements with byte matching support

why

• AWS highly recommends safeguarding against HTTP request floods; they advise implementing two rate limiting rules for web traffic. The initial rule employs AWS WAF's rate-based rules to automatically block IP addresses of malicious actors if the number of requests in a 5-minute sliding window surpasses a predefined threshold. The second rule focuses on a more detailed approach, allowing for targeted blocking. This is achieved by using scope_down_statements to refine the criteria for blocking, enhancing the precision of the defense mechanism.
• Added enable_machine_learning argument to avoid idempotency problem if you use "COMMON" inspection level

example

testing

Utilized the following example Atmos component:

        rate_based_statement_rules:
          - name: "scoped-rate-limit"
            action: "block"
            priority: 10
            statement:
              limit: 1000
              aggregate_key_type: "IP"
              evaluation_window_sec: 300
              scope_down_statement:
                byte_match_statement:
                  field_to_match:
                    uri_path: true
                  positional_constraint: "STARTS_WITH"
                  search_string: "/test"
                  text_transformation:
                    - priority: 0
                      type: "NONE"

references

• AWS WAF – Rate-based rules
• Rate-based rule request rate limiting behavior

v1.486.0

feat: IAM Access Analyzer Component @RoseSecurity (#1066)

what

[!NOTE]
This component was developed by @aknysh

• Creates a new component for access-analyzer

why

This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS
Organization. IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.

references

• Access Analyzer

v1.485.0

make requester vpc lookup optional if vpc is passed @Benbentwo (#1099)

what

continuation of #1097

Add frontmatter @osterman (#1085)

what

• Specify the layer associated with each component using tags
• Tag each component
• Move title to front matter

why

• So we can associate components with layers in documentation
• Play nicely with docusarus

ref

• https://linear.app/cloudposse/issue/DEV-2446/help-needed-to-add-tags-to-all-components-by-layer-in-pr-1085

v1.484.0

Update `eks/external-dns` component to support Istio `istio-gateway` resources @aknysh (#1098)

what

• Update eks/external-dns component to support Istio istio-gateway resources

why

• The external-dns Helm Chart supports the sources variable (not source) to specify the resources types to be observed for new DNS entries by ExternalDNS

## @param sources [array] K8s resources type to be observed for new DNS entries by ExternalDNS
##
sources:
  # - crd
  - service
  - ingress

The code used the source variable instead of sources. It was working for the service and ingress types because they are in the Chart values by default.

The istio-gateway resource was never added, preventing external-dns from managing Istio Gateways and creating DNS records for the Gateway's hosts.

references

• https://artifacthub.io/packages/helm/bitnami/external-dns?modal=values

v1.483.0

update `vpc-peering` with requester params @Benbentwo (#1097)

what

• New Variable:
  requester_vpc_id - allows passing in an ID for the requester vpc
  requester_role_arn - allows passing in a custom arn to use to hook up the requester vpc

why

the requester vpc shouldn't HAVE to be a vpc component.

DEV-2439: Update all docs.cloudposse links @milldr (#1096)

what

• Updated all links for docs.cloudposse.com

why

• New version of the docs has been released! As such, there are many changes in links

references

• DEV-2439

v1.482.0

Upstream `eks/actions-runner-controller` with `var.auto_update_enabled` @milldr (#1095)

what

• Upstream improvements for eks/actions-runner-controller
• Added var.auto_update_enabled

why

• We can now choose whether or not to enable runner auto-updates. The default behavior is to auto-update, but we've encountered issues building on Geodesic where we choose to disable auto-update for the sake of debugging. Added to this chart to help future efforts
• It's no longer pointless to pin the version, and is rather a matter of preference.

references

• customer engagement
• actions/actions-runner-controller#2056
• https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner
• https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind

v1.481.0

fix: tfstate-backend cold-start regression @dudymas (#1093)

what

• fix(tfstate-backend): cold-start regression
• chore(tfstate-backend): update cold-start reqs

why

• tfstate cold-start had a regression bug that prevents an admin from using
  the bucket/dynamodb

references

• As reported in discussions

v1.480.0

Add Variable for dynamic dns component lookup @Benbentwo (#1094)

what

• Adds input for dynamic component lookup for external-dns

why

• External DNS needs a policy that contains each hosted zone. we lookup only dns-primary and dns-delegated currently. This changes it so we can support a list of objects to enhance that lookup.

e.g.

        dns_components: 
          - component: dns-primary
          - component: dns-delegated
          - component: dns-delegated/abc
          - component: dns-delegated/123

v1.479.0

chore: update argocd-repo to use 6.0+ github provider @dudymas (#1031)

what

• chore(argocd-repo/branch-protection): updated for latest provider
• chore(argocd-repo/versions): ensure github is 6.0+

why

• The branch protection attributes have changed. You must use
  restrict_pushes
  now

references

• 6.0.0-rc1 Release of GitHub provider broke 5.x

Replace Admonition Style @milldr (#1092)

what

• Replace all Docusarus style admonitions with GitHub style admonitions

why

• We now can provide the GH style here and have the docs site convert the format into Docusarus style

references

• DEV-2453
• Required by cloudposse/docs#642

v1.478.0

feat(spacelift): support for local files for policies @oycyc (#1091)

what

• Upgrade the Spacelift policies module to version 1.7.0 following the PR cloudposse/terraform-spacelift-cloud-infrastructure-automation#183
• Add support for allowing using file path as the source of a Spacelift policy in addition to the current inline body and URLs

references

PR from the Spacelift module cloudposse/terraform-spacelift-cloud-infrastructure-automation#183