diff --git a/.changeset/blue-dots-kick.md b/.changeset/blue-dots-kick.md
deleted file mode 100644
index 55387a38..00000000
--- a/.changeset/blue-dots-kick.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-The Access::Action::"ForceClose" action will now only be evaluated if the force close option is provided in the API request. This change reduces excess policy authorization noise in the authorization log for authorization results that are never used.
diff --git a/.changeset/cool-worms-wonder.md b/.changeset/cool-worms-wonder.md
deleted file mode 100644
index 48f617bf..00000000
--- a/.changeset/cool-worms-wonder.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Improve observability of Pager Duty sync tasks and add an expiry window of 5 minutes to the PagerDuty token refresh process
diff --git a/.changeset/fast-trees-travel.md b/.changeset/fast-trees-travel.md
deleted file mode 100644
index 3e9c15cd..00000000
--- a/.changeset/fast-trees-travel.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Add a validation check for the ALB certificate which waits for it to be issued.
diff --git a/.changeset/fluffy-timers-dream.md b/.changeset/fluffy-timers-dream.md
deleted file mode 100644
index 8b0f57f5..00000000
--- a/.changeset/fluffy-timers-dream.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Fixes an issue where Target and Role options would not load for some Access Requests in Slack.
diff --git a/.changeset/giant-tables-count.md b/.changeset/giant-tables-count.md
deleted file mode 100644
index d457fad5..00000000
--- a/.changeset/giant-tables-count.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Expose the API client secrets to the control plane for the administrative API
diff --git a/.changeset/gold-cups-camp.md b/.changeset/gold-cups-camp.md
deleted file mode 100644
index 3c33413e..00000000
--- a/.changeset/gold-cups-camp.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-add environment variables for configuring factory monitoring
diff --git a/.changeset/good-candles-tie.md b/.changeset/good-candles-tie.md
deleted file mode 100644
index cf48dc44..00000000
--- a/.changeset/good-candles-tie.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds a healthcheck to the centralised monitoring service which reports on service health.
diff --git a/.changeset/honest-singers-change.md b/.changeset/honest-singers-change.md
deleted file mode 100644
index a8090ce3..00000000
--- a/.changeset/honest-singers-change.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds the ability for the builtin Administrator role to fetch API Client secrets via the API
diff --git a/.changeset/khaki-mugs-invite.md b/.changeset/khaki-mugs-invite.md
deleted file mode 100644
index 24ece43f..00000000
--- a/.changeset/khaki-mugs-invite.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Fixes an issue which prevented using BatchEnsure to activate an approved request when a duration was provided
diff --git a/.changeset/large-socks-bow.md b/.changeset/large-socks-bow.md
deleted file mode 100644
index af7f5fc2..00000000
--- a/.changeset/large-socks-bow.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Fixed an issue causing creating access workflows to fail when extension conditions was not set
diff --git a/.changeset/mean-paws-relate.md b/.changeset/mean-paws-relate.md
deleted file mode 100644
index 0cda88fb..00000000
--- a/.changeset/mean-paws-relate.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Fixes an issue causing duration to not be shown on slack messages for access requests
diff --git a/.changeset/nasty-zebras-scream.md b/.changeset/nasty-zebras-scream.md
deleted file mode 100644
index ca434c68..00000000
--- a/.changeset/nasty-zebras-scream.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Extensions are only allowed after 50% of duration had elapsed.
diff --git a/.changeset/quiet-lizards-worry.md b/.changeset/quiet-lizards-worry.md
deleted file mode 100644
index a04f5983..00000000
--- a/.changeset/quiet-lizards-worry.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds cloudwatch alarms for ALB, database and SQS
diff --git a/.changeset/quiet-swans-exercise.md b/.changeset/quiet-swans-exercise.md
deleted file mode 100644
index 7af89a25..00000000
--- a/.changeset/quiet-swans-exercise.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Improve the tracing on Ops Genie sync and update retry logic
diff --git a/.changeset/real-eagles-double.md b/.changeset/real-eagles-double.md
deleted file mode 100644
index f1e663ad..00000000
--- a/.changeset/real-eagles-double.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Adds deployment configuration page to the setting tab in the web console. Exposes configuration parameters required to configure a deployment. This page is only available to users assigned the CF::Admin::Action::"Read" action
diff --git a/.changeset/red-sheep-battle.md b/.changeset/red-sheep-battle.md
deleted file mode 100644
index 7557df80..00000000
--- a/.changeset/red-sheep-battle.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds support for inviting an initial set of users to Common Fate when Cognito is used as the login provider. initial_user_emails is a comma seperated list of emails which will be created in Cognito and have an initial invite email sent.
diff --git a/.changeset/smart-poets-do.md b/.changeset/smart-poets-do.md
deleted file mode 100644
index 6647f5db..00000000
--- a/.changeset/smart-poets-do.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Prevent panic when calling DebugEntitlementsAccess due to concurrent map writes error
diff --git a/.changeset/soft-humans-count.md b/.changeset/soft-humans-count.md
deleted file mode 100644
index f27100cd..00000000
--- a/.changeset/soft-humans-count.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds tags and tag_keys attributes to AWS::IDC::PermissionSet resources which can be used to restrict access in Cedar policies
diff --git a/.changeset/strong-tools-pump.md b/.changeset/strong-tools-pump.md
deleted file mode 100644
index 4341b291..00000000
--- a/.changeset/strong-tools-pump.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Administrative users can now be added to the deployment, these users will be automatically assigned to the administrative role in Common Fate. On an initial deployment, they will also be invited to cognito.
diff --git a/.changeset/tame-ears-drive.md b/.changeset/tame-ears-drive.md
deleted file mode 100644
index bff463cc..00000000
--- a/.changeset/tame-ears-drive.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-Update open telemetry middleware to correctly capture panics
diff --git a/.changeset/ten-bees-refuse.md b/.changeset/ten-bees-refuse.md
deleted file mode 100644
index 8a24391a..00000000
--- a/.changeset/ten-bees-refuse.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Built-in roles can now be requested using the JIT request workflow with access governed by cedar policies. For new deployments, an initial policy is created which permits access to the administrative role. In existing deployments, no default access is create, teams can add the cedar policy to expose this role if required.
diff --git a/.changeset/tough-spiders-cheat.md b/.changeset/tough-spiders-cheat.md
deleted file mode 100644
index 337f7504..00000000
--- a/.changeset/tough-spiders-cheat.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": patch
----
-
-The AWS resource sync task now correctly handles access denied errors when syncing tags for buckets fails
diff --git a/.changeset/weak-buttons-obey.md b/.changeset/weak-buttons-obey.md
deleted file mode 100644
index a4c21819..00000000
--- a/.changeset/weak-buttons-obey.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Add default Cedar policies which prevent users being able to request access to resources when they do not have the required linked identity.
diff --git a/.changeset/wicked-tools-sneeze.md b/.changeset/wicked-tools-sneeze.md
deleted file mode 100644
index af851196..00000000
--- a/.changeset/wicked-tools-sneeze.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-"@common-fate/terraform-aws-common-fate-deployment": minor
----
-
-Adds built-in roles for managing Common Fate. Initially an Administrator role has been added which is permitted to access OIDC secrets and configure integrations.
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b78bfcfa..351a3ea2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,37 @@ # @common-fate/terraform-aws-common-fate-deployment +## 2.4.0 + +### Minor Changes + +- d3903e9: Adds a healthcheck to the centralised monitoring service which reports on service health. +- d3903e9: Adds the ability for the builtin Administrator role to fetch API Client secrets via the API +- d3903e9: Extensions are only allowed after 50% of duration had elapsed. +- 47e7747: Adds cloudwatch alarms for ALB, database and SQS +- ad678b7: Adds support for inviting an initial set of users to Common Fate when Cognito is used as the login provider. initial_user_emails is a comma seperated list of emails which will be created in Cognito and have an initial invite email sent. +- d3903e9: Adds tags and tag_keys attributes to AWS::IDC::PermissionSet resources which can be used to restrict access in Cedar policies +- d012909: Administrative users can now be added to the deployment, these users will be automatically assigned to the administrative role in Common Fate. On an initial deployment, they will also be invited to cognito. +- d3903e9: Built-in roles can now be requested using the JIT request workflow with access governed by cedar policies. For new deployments, an initial policy is created which permits access to the administrative role. In existing deployments, no default access is create, teams can add the cedar policy to expose this role if required. +- d3903e9: Add default Cedar policies which prevent users being able to request access to resources when they do not have the required linked identity. +- d3903e9: Adds built-in roles for managing Common Fate. Initially an Administrator role has been added which is permitted to access OIDC secrets and configure integrations. + +### Patch Changes + +- d3903e9: The Access::Action::"ForceClose" action will now only be evaluated if the force close option is provided in the API request. This change reduces excess policy authorization noise in the authorization log for authorization results that are never used. 
+- d3903e9: Improve observability of Pager Duty sync tasks and add an expiry window of 5 minutes to the PagerDuty token refresh process +- d012909: Add a validation check for the ALB certificate which waits for it to be issued. +- d3903e9: Fixes an issue where Target and Role options would not load for some Access Requests in Slack. +- dded0d1: Expose the API client secrets to the control plane for the administrative API +- 5e35d44: add environment variables for configuring factory monitoring +- d3903e9: Fixes an issue which prevented using BatchEnsure to activate an approved request when a duration was provided +- d3903e9: Fixed an issue causing creating access workflows to fail when extension conditions was not set +- d3903e9: Fixes an issue causing duration to not be shown on slack messages for access requests +- d3903e9: Improve the tracing on Ops Genie sync and update retry logic +- d3903e9: Adds deployment configuration page to the setting tab in the web console. Exposes configuration parameters required to configure a deployment. This page is only available to users assigned the CF::Admin::Action::"Read" action +- d3903e9: Prevent panic when calling DebugEntitlementsAccess due to concurrent map writes error +- d3903e9: Update open telemetry middleware to correctly capture panics +- d3903e9: The AWS resource sync task now correctly handles access denied errors when syncing tags for buckets fails + ## 2.3.3 ### Patch Changes diff --git a/package.json b/package.json index f64d5ce2..4630555b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@common-fate/terraform-aws-common-fate-deployment", - "version": "2.3.3", + "version": "2.4.0", "description": "", "main": "index.js", "keywords": [],