Releases: common-fate/terraform-aws-common-fate-deployment
v2.6.2
What's Changed
2.6.2
Patch Changes
- 11a71a4: Fixes the default value for the 'rds_instance_identifier_suffix' variable, to fix an error: 'The expression result is null' when applying the Terraform stack.
Full Changelog: v2.6.1...v2.6.2
v2.6.1
What's Changed
2.6.1
Patch Changes
- 2c6a525: Fixes an issue causing expiry notifications to not be sent
- 2c6a525: Replace filter dropdown menus on the all requests page with filter chips which can be used to construct more complex queries. Requests can be filtered by requestor, approver, closer, and for multiple principals at the same time.
- 2c6a525: Only create the default admin access role policy for new managed deployments.
- 820a2ef: Add managed_deployment variable to apply additional configuration on initial deployment.
- 2c6a525: Fixed RDS database and user names not showing on the get and list request APIs.
- 2c6a525: Fix issue causing empty AWS start url when using RDS proxy functionality with connected identities enabled.
- 2c6a525: Fixes the position of the bulk actions selector to be fixed at the bottom of the page.
- 2c6a525: Fixes an invalid GCP Organization selector Terraform example in the Access Selector playground.
- 820a2ef: Pass in the builtin provisioner webhook url to the Control Plane and Access Handler services.
Full Changelog: v2.6.0...v2.6.1
v2.6.0
What's Changed
2.6.0
Minor Changes
- 6ea25f1: A reason is now required when using breakglass to activate an access request
- 6ea25f1: Create View for all access request statuses in My Access Requests Page.
- 6ea25f1: Admins can now delete users from the users list table
- 6ea25f1: Integrations now have their own detail page where config can be reviewed/edited and background tasks relating to integrations can be inspected
Patch Changes
- 6ea25f1: Fixes an issue with GCP access de-provisioning where a request for multiple roles on the same target, such as a Project or Folder, could result in one of the roles not being removed when the request was closed.
- 6ea25f1: Added the AWS account number to the target field in Slack messages.
- 6ea25f1: Add additional validation to availability spec APIs to make sure domain identities cannot be empty
- 6ea25f1: Fix issue causing large target and role names to be hard to read in the request detail table
- 6ea25f1: Route users without access to integrations in the settings to the notifications panel
- 6ea25f1: Fix issue causing duplicate roles to show in entitlement previews
- 6ea25f1: Fix an issue where the policy simulator would not match policies including 'resource.approved' constraints.
Full Changelog: v2.5.2...v2.6.0
v2.5.2
What's Changed
2.5.2
Patch Changes
- 5aa2b10: Fixes an issue with GCP access de-provisioning where a request for multiple roles on the same target, such as a Project or Folder, could result in one of the roles not being removed when the request was closed.
- e86589a: Adds snapshot identifier and suffix for the RDS instance to enable creating an RDS instance from a snapshot
- bc1e5f9: Makes target groups to ECS services configurable, allowing additional load balancers to be added to a Common Fate deployment.
- 5aa2b10: Fixes an issue where JIT requests to the Common Fate administrator role would not be correctly revoked.
Full Changelog: v2.5.1...v2.5.2
v2.4.5
What's Changed
2.4.5
Patch Changes
- a0e8dac: Fixes an issue with GCP access de-provisioning where a request for multiple roles on the same target, such as a Project or Folder, could result in one of the roles not being removed when the request was closed.
- a0e8dac: Fixes an issue where JIT requests to the Common Fate administrator role would not be correctly revoked.
Full Changelog: v2.4.4...v2.4.5
v2.5.1
What's Changed
2.5.1
Patch Changes
- 17e8c01: Adds Cedar action CF::Authz::PolicyService::Action::"DeletePolicySet" to allow the action to be forbidden except for the Terraform service.
- 17e8c01: Fixed an issue which prevented bulk request actions working on the access request table due to a 404 not found error. Additionally fixed a styling issue with the force close prompt.
- 17e8c01: Fixes an issue where the edit integration feature flag would not be set to enabled despite the user having the admin role.
- 17e8c01: Fixes an issue where the ListIntegrations RPC was not marked as a read-only operation in authz logs.
- 17e8c01: AWS IDC integration now only syncs active accounts.
- 17e8c01: Fixes an issue where JIT requests to the Common Fate administrator role would not be correctly revoked.
Full Changelog: v2.5.0...v2.5.1
v2.5.0
What's Changed
2.5.0
Minor Changes
- 0f892af: Add user-configurable opt-in/opt-out settings for Slack DM notifications.
- 0f892af: Adds additional authorization log filtering capability to the API. The filter API now supports a boolean condition on entity filters and adds entity type filters.
- 0f892af: Adds a new page in the settings to view and debug Selectors. A selector playground is also added to test selectors in real time before deploying the selector.
- 0f892af: Adds a basic policy page to the Settings tab which allows for viewing and deleting access policies
- 0f892af: Integrations can now be configured and updated via ClickOps in the Common Fate Console.
- 0f892af: Adds an additional principal type filter to the authz eval page in the console. Logs can now be filtered by User or Service.
- 0f892af: A new page has been added showing the user's own access requests, rather than all access requests. The request page has also been updated with a tab for pending, active and closed requests, making it easier to find what you are looking for.
- 0f892af: The AWS RDS Proxy integration has been overhauled to separate database configuration from the proxy infrastructure. This change improves the reliability of the AWS proxy and makes it easier to configure where teams have databases deployed in different Terraform stacks.
This is a breaking change for the AWS RDS Proxy. Teams using the previous version of the proxy will need to redeploy the proxy and add databases as separate modules in Terraform.
Patch Changes
- 19fd33f: Add namespace and stage environment variables to the control plane
- 0f892af: Add help documentation for advanced search features on the new request page
- 0f892af: Adds the ability to filter all access requests by principal, approver, closer as well as by status pending, active and closed
- ba1c8db: Removes the hardcoded AWS provider block in the module. Fixes an issue where the module could not be destroyed due to the provider block being present.
- 0f892af: Fixes an issue where provisioning would fail for S3 bucket access when a provisioner webhook was configured in the config but not with the dynamic access capability.
- 2d753cd: Adds permission for the Control Plane to write parameters to SSM under the /{namespace}/{stage}/* namespace
- 0f892af: Fix issue where S3 audit log export continually rewrites the last event.
- 0f892af: Adds permission checks to the integration page in the settings UI. This and other application configuration pages will only be viewable if the user is an administrator or has a policy permitting the CF::Admin::Action::"Read" action.
- 0f892af: Adds syntax highlighting for Cedar policies and JSON entities in the access debugger and authorization logs.
- 0f892af: Fix a concurrency issue which could lead to panics when loading entities
Full Changelog: v2.4.4...v2.5.0
v2.4.4
What's Changed
2.4.4
Patch Changes
- f3f1c13: Fix issue where S3 audit log export continually rewrites the last event.
Full Changelog: v2.4.3...v2.4.4
v2.4.3
What's Changed
2.4.3
Patch Changes
- d2c3801: Fixes an issue where email casing was not ignored in the connected identities sync which could result in duplicate users being created and identities not being linked correctly.
- d2c3801: Fix issue where both default duration and max duration error messages appear when duration is set to zero.
- d2c3801: Add grant_id and access_request_id to otel traces in provisioner.
- d2c3801: Fixes an issue where the access handler would skip deprovisioning RDS proxy access in cases where the proxy config had been changed while a grant was active. Now, regardless of the config changing, the access handler will always attempt to remove the Permission Set that was created to grant access.
- d2c3801: Fix an issue where a broken navigation link was shown in the user profile menu.
Full Changelog: v2.4.2...v2.4.3
v2.4.2
What's Changed
2.4.2
Patch Changes
- f908555: Fix an issue where CloudWatch based alerting topics were not exposed as an output
Full Changelog: v2.4.1...v2.4.2