v1.477.0

Added additional polices for vpn and kms - required by planner @goruha (#1088)

what

• Added VPN export reader policy
• Added KMS decrypt policy

why

Policies required for gitops dynamic terraform roles planner

references

• https://github.com/cloudposse/infra-live/actions/runs/10181554256/job/28167900030
• https://github.com/cloudposse/infra-live/actions/runs/10181554256/job/28164592870

v1.476.0

Fix account map special accounts like dns, identity support dynamic roles @goruha (#1087)

what

• Support terraform dynamic roles dns_terraform_role_arn, audit_terraform_role_arn, identity_terraform_role_arn
• Fix but in when team_roles_stacks does not have components defined

why

• Some components like dns-deletegate use dns_terraform_role_arn, audit_terraform_role_arn, identity_terraform_role_arn in provider.tf
  In the case of gitops, the planner role can not assume an apply dynamic role.
• Thats expected case for all non gbl accounts

references

• https://github.com/cloudposse/infra-live/actions/runs/10146129540/job/28119365151
• https://github.com/cloudposse/terraform-aws-components/blob/main/modules/dns-delegated/providers-dns-primary.tf#L11

v1.475.0

EKS IDP roles added reader @goruha (#1089)

what

• Added reader role for eks/idp-roles

why

• Required for dynamic terraform roles to read k8s resources

references

• https://github.com/cloudposse/infra-live/actions/runs/10146129540/job/28057016517

feat: Auth0 Components @milldr (#1086)

what

• Added components for Auth0 terraformation - auth0/tenant and auth0/app

why

• Auth0 Application component. Auth0 is a third-party service that provides authentication and authorization as a service. It is typically used to to authenticate users.
• auth0/tenant configures the Terraform provider and the Auth0 tenant itself
• auth0/app deploys an Auth0 application

references

• client engagement

Fix: README Formatting for Docusarus @milldr (#1084)

what

• Misc fixes for admonition and support format for render on Docusarus

why

• New lines are required after :::
• Support MDX format

references

• cloudposse/docs#626

Fix README Format @milldr (#1083)

what

• Fix formatting in READMEs for docusarus rendering

why

• Fix closing tags and alignment for MDX

references

• cloudposse/docs#626

v1.474.0

Upgrade Supported ArgoCD Chart Version @RoseSecurity (#1081)

what and why

• Argo versions 0.1.0 through 2.10.0-rc1, v2.9.3, v2.8.7, v2.7.15 are affected by CVE-2024-22424, a CSRF attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD.
• Propose that we update the default values for Argo's chart from:

argo/argo-cd	5.19.12      	v2.5.9

to an unaffected version patched after 2.10-rc2, 2.9.4, 2.8.8, 2.7.16

notable changes

• Argo CD 2.10 upgraded kubectl from 1.24 to 1.26. This upgrade introduced a change where client-side-applied labels and annotations are no longer preserved when using a server-side kubectl apply
• Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3
• Starting with Argo CD 2.10.11, the NetworkPolicy for the argocd-redis and argocd-redis-ha-haproxy dropped Egress restrictions. This change was made to allow access to the Kubernetes API to create a secret to secure Redis access

testing

• This version has been tested and verified to work with the existing component configuration

references

• Argo Upgrade Docs

v1.473.0

🚀 Enhancements

feat: add additional variables and outputs for `spa-s3-cloudfront` @korenyoni (#1080)

what

• add origin_bucket variable
• add s3_origins variable
• add cloudfront_distribution_identity_arn output

why

• Add variables and outputs present in the cloudposse/terraform-aws-cloudfront-s3-cdn module but missing in this component

references

N/A

v1.472.0

Added branch restrictions to GHA IAM role @goruha (#1082)

what

• Added branch restrictions to GHA IAM role

why

• Improve security

references

• DEV-371 Restrict the GitHub OIDC admin permission to the main branch

v1.471.0

fix(`aws-team-roles`): Remove Deprecated Support and Billing Custom Policies @milldr (#1078)

what

• Add missing custom policies names that are already defined with the included component
• Removed the custom policies for support and billing

why

• The policy-support.tf and policy-billing.tf files already contain these policies by default. We should include them as in the default supplied_custom_policy_map
• We should use the AWS managed Job Role policies instead. For example

          billing:
            <<: *user-template
            enabled: false
            role_description: "Role with view permissions in the billing console"
            role_policy_arns:
              - "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
            aws_saml_login_enabled: false
            max_session_duration: 3600 # 1 hour in seconds
            trusted_teams:
              - "devops"
              - "managers"

          billing_admin:
            <<: *user-template
            enabled: false
            role_description: "Role with permissions for billing and cost management. This includes viewing account usage and viewing and modifying budgets and payment methods."
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/Billing"
            aws_saml_login_enabled: false
            trusted_teams:
              - "devops"
              - "managers"
              
          support:
            <<: *user-template
            enabled: true
            role_policy_arns:
              - "arn:aws:iam::aws:policy/AWSSupportAccess"
              - "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess"
            role_description: "Role with permissions for accessing the AWS Support Service"
            trusted_teams:
              - "devops"
              - "managers"
              - "helpdesk"

references

• Customer engagement
• These changes were reverted in https://github.com/cloudposse/terraform-aws-components/pull/715/files#diff-cfffc34b5672fff580a9d0f4c45efc3d5a8326d66ad54f81c9569cfe5499b7c0R13-R14. I believe this was a mistake. This was intentional

v1.470.1

🐛 Bug Fixes

[eks/actions-runner-controller] Fix misconfigured document separators in Helm chart template @Nuru (#1077)

what

eks/actions-runner-controller

• Fix misconfigured document separators in Helm chart template

why

• Runner Deployment manifest would be malformed if not using running_pod_annotations

references

• Introduced in #1075

v1.470.0

[eks/actions-runner-controller] Multiple bug fixes and enhancements @Nuru (#1075)

what

New Features:

• Add support for scheduled overrides of Runner Autoscaler min and max replicas.
• Add option tmpfs_enabled to have runners use RAM-backed ephemeral storage (tmpfs, emptyDir.medium: Memory) instead of disk-backed storage.
• Add wait_for_docker_seconds to allow configuration of the time to wait for the Docker daemon to be ready before starting the runner.
• Enhance the ability to have the runner Pods add annotations to themselves once they start running a job.

Changes:

• Previously, syncPeriod, which sets the period in which the controller reconciles the desired runners count, was set to 120 seconds in resources/values.yaml. This setting has been removed, reverting to the default value of 1 minute. You can still set this value by setting the syncPeriod value in the values.yaml file or by setting syncPeriod in var.chart_values.
• Previously, RUNNER_GRACEFUL_STOP_TIMEOUT was hardcoded to 90 seconds. That has been reduced to 80 seconds.
• The inaccurately named webhook_startup_timeout has been replaced with max_duration. webhook_startup_timeout is still supported for backward compatibility, but is deprecated.

Bugfixes:

• Create and deploy the webhook secret when an existing secret is not supplied
• Restore proper order of operations in creating resources (broken in release 1.454.0 (PR #1055))
• If docker_storage is set and dockerdWithinRunnerContainer is true (which is hardcoded to be the case), properly mount the docker storage volume into the runner container rather than the (non-existent) docker sidecar container.

why

New Features:

• Enable having idle runners during work hours without having to pay for them during non-work hours.
• Enable packing more Runners onto an instance without being constrained by disk I/O.
• Allow for extended disk I/O waits when some Runner gets greedy.
• Intended to make idle Runners interruptible and running runners uninterruptible under Karpenter, but it does not work well enough for that. Still, we implemented the feature, so we might as well leave it in. Adds logging to help diagnose race conditions.

Changes:

• More responsive scaling
• Increases the chances the runner will successfully deregister itself
• The old name was extremely confusing, while the new name is much more reflective of its impact

Bugfixes:

• Restore intended operation

references

• kubernetes-sigs/karpenter#624
• kubernetes-sigs/karpenter#1180
• kubernetes-sigs/karpenter#651

[eks/karpenter] Add support for `kubelet` config, fix IAM support for `v1alpha` cleanup @Nuru (#1076)

what

• Support configuration of spec.template.spec.kubelet
• Fix issues with IAM Policy supporting management of v1alpha resources

why

• Default reservations for system resources under Amazon Linux are often inadequate and benefit from being able to be tuned
• Previous policy had errors, and would become too long if the cluster name got too long

references

• Karpenter documentation on spec.template.spec.kubelet
• Kubernetes documentation Kubelet Config

v1.469.0

fix(`eks/loki`): Remove Unnecessary `compact` @milldr (#1073)

what

• Removed compact from the eks/loki component list of objects for schema config

why

• Fix terraform when one of this lists isnt defined

references

• n/a