
Releases: common-fate/terraform-aws-common-fate-deployment

v2.4.1

19 Aug 10:30
63d6140

What's Changed

2.4.1

Patch Changes

  • 42de9f4: Fixes an issue in the Worker task which could cause it to fail on the first deployment of version 2.4.0

Full Changelog: v2.4.0...v2.4.1

v2.4.0

19 Aug 07:35
8397e6d

What's Changed

2.4.0

Minor Changes

  • d3903e9: Adds a healthcheck to the centralised monitoring service which reports on service health.
  • d3903e9: Adds the ability for the builtin Administrator role to fetch API Client secrets via the API
  • d3903e9: Extensions are only allowed after 50% of the grant duration has elapsed.
  • 47e7747: Adds CloudWatch alarms for the ALB, database and SQS.
  • ad678b7: Adds support for inviting an initial set of users to Common Fate when Cognito is used as the login provider. initial_user_emails is a comma-separated list of email addresses; each will be created as a Cognito user and sent an initial invite email.
  • d3903e9: Adds tags and tag_keys attributes to AWS::IDC::PermissionSet resources, which can be used to restrict access in Cedar policies.
  • d3903e9: Built-in roles can now be requested using the JIT request workflow, with access governed by Cedar policies. For new deployments, an initial policy is created which permits access to the administrative role. In existing deployments no default access is created; teams can add a Cedar policy to expose this role if required.
  • d3903e9: Add default Cedar policies which prevent users from requesting access to resources when they do not have the required linked identity.
  • d3903e9: Adds built-in roles for managing Common Fate. Initially an Administrator role has been added which is permitted to access OIDC secrets and configure integrations.
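To make the tag-based restriction described above concrete, the following is an added example Cedar policy set written for this page; it is not a policy shipped by Common Fate and is not taken from its documentation. Everything beyond the identifiers the release notes name (AWS::IDC::PermissionSet, tags, tag_keys and the Access::Action namespace) is an assumption: the group CF::Group::"platform-team", the tag names and values, that tag_keys is a Set<String> and tags a Record keyed by tag name, and that the Request action's resource is the permission set entity itself. Check these against your deployment's Cedar schema before relying on the policy.

```cedar
// Added example; not from the release notes or Common Fate's own policies.
// Assumptions not stated on this page: CF::Group::"platform-team" exists in
// the directory, the Request action's resource is the AWS::IDC::PermissionSet
// entity, tag_keys is a Set<String> and tags is a Record keyed by tag name.

// Allow platform-team members to request any permission set that carries an
// "owner" tag and is tagged environment=nonprod.
@id("platform-team-nonprod-request")
permit (
  principal in CF::Group::"platform-team",
  action == Access::Action::"Request",
  resource is AWS::IDC::PermissionSet
)
when {
  resource.tag_keys.contains("owner") &&
  resource.tags has "environment" &&
  resource.tags["environment"] == "nonprod"
};

// Deny requests for permission sets explicitly tagged environment=prod,
// regardless of what other policies permit (forbid overrides permit in Cedar).
@id("deny-prod-tagged-permission-sets")
forbid (
  principal,
  action == Access::Action::"Request",
  resource is AWS::IDC::PermissionSet
)
when {
  resource.tags has "environment" &&
  resource.tags["environment"] == "prod"
};
```

The `resource is AWS::IDC::PermissionSet` scope check keeps the `when` clause from being evaluated against entity types that have no tag attributes, so the policies cannot error on other resource kinds. Because Cedar gives forbid precedence over permit, the second policy acts as a guardrail even if a broader permit is added later.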

Patch Changes

  • d3903e9: The Access::Action::"ForceClose" action will now only be evaluated if the force close option is provided in the API request. This change reduces excess policy authorization noise in the authorization log for authorization results that are never used.
  • d3903e9: Improve observability of PagerDuty sync tasks and add a 5 minute expiry window to the PagerDuty token refresh process.
  • d012909: Add a validation check for the ALB certificate which waits for it to be issued.
  • d3903e9: Fixes an issue where Target and Role options would not load for some Access Requests in Slack.
  • dded0d1: Expose the API client secrets to the control plane for the administrative API
  • 5e35d44: add environment variables for configuring factory monitoring
  • d3903e9: Fixes an issue which prevented using BatchEnsure to activate an approved request when a duration was provided
  • d3903e9: Fixed an issue causing access workflow creation to fail when extension conditions were not set.
  • d3903e9: Fixes an issue causing duration to not be shown on slack messages for access requests
  • d3903e9: Improve the tracing on OpsGenie sync and update the retry logic.
  • d3903e9: Adds a deployment configuration page to the Settings tab in the web console. It exposes the configuration parameters required to configure a deployment. This page is only available to users assigned the CF::Admin::Action::"Read" action.
  • d3903e9: Prevent a panic when calling DebugEntitlementsAccess caused by concurrent map writes.
  • d3903e9: Update open telemetry middleware to correctly capture panics
  • d3903e9: The AWS resource sync task now correctly handles access denied errors when syncing tags for buckets fails

Full Changelog: v2.3.3...v2.4.0

v2.3.3

08 Aug 17:37
2dc5601

What's Changed

2.3.3

Patch Changes

  • e52bd84: The Access::Action::"ForceClose" action will now only be evaluated if the force close option is provided in the API request. This change reduces excess policy authorization noise in the authorization log for authorization results that are never used.
  • e52bd84: Improve observability of PagerDuty sync tasks and add a 5 minute expiry window to the PagerDuty token refresh process.
  • 73e84c3: Add an output for the Application Load Balancer ARN.
  • d6f3459: Fixes Role Name not showing in the new request checkout.
  • e52bd84: Fixed an issue causing access workflow creation to fail when extension conditions were not set.
  • b22710a: For BYOC customers: the Okta Sync background task can now be disabled.
  • e52bd84: Improve the tracing on OpsGenie sync and update the retry logic.
  • e52bd84: Prevent a panic when calling DebugEntitlementsAccess caused by concurrent map writes.
  • e52bd84: Update open telemetry middleware to correctly capture panics
  • e52bd84: The AWS resource sync task now correctly handles access denied errors when syncing tags for buckets fails

Full Changelog: v2.3.1...v2.3.3

v2.3.2

06 Aug 07:33
48d4014

What's Changed

2.3.2

Patch Changes

  • 87eea29: Fixes Role Name not showing in the new request checkout

Full Changelog: v2.3.1...v2.3.2

v2.3.1

05 Aug 23:49
111ed0f

What's Changed

2.3.1

Patch Changes

  • 75fd002: Fixes an issue preventing requests being made via the Console when the user is not permitted to use the GetResource API

Full Changelog: v2.3.0...v2.3.1

v2.3.0

05 Aug 07:38
2eac637

What's Changed

2.3.0

Minor Changes

  • 9e38ba2: Add Common Fate styling to the Cognito invite email.
  • c818f0d: Adds resource syncing support for AWS. Initially, our resource syncing implementation syncs S3 buckets.
  • c818f0d: Adds Dynamic role provisioning for AWS S3 Buckets. Users may now request access to particular S3 Buckets in an account and have a single role provisioned with the requested level of access for each Bucket.
  • c818f0d: Adds identity syncing for OpsGenie and Datastax
  • 23891d3: Managed Monitoring for deployments is now enabled by default (https://docs.commonfate.io/setup/managed-monitoring).
  • c818f0d: The Resources tab and APIs are now gated behind the action CF::Directory::Action::"GetResource" which is part of the CF::Admin::Action::"Read" action group. Users without these permissions will no longer be able to view this page.
  • 85ff085: Added maintenance_mode_enabled and maintenance_mode_message variables to control the maintenance mode with customizable message.

Patch Changes

  • c818f0d: Improve concurrency when provisioning multiple grants on a request.
  • c818f0d: Removes the extend button from Slack channel notifications.
  • c818f0d: The ID of each integration is now shown in the web console Integrations page.
  • c818f0d: Fixes an issue with displaying error messages when setup fails for a Slack or PagerDuty integration
  • c818f0d: Fixes an issue that would force a user to use breakglass to activate via the web console if both breakglass and regular activation were permitted actions.
  • 3122209: Fix an issue where the Common Fate API would return an internal server error when trying to update a Slack Alert that no longer exists.
  • c818f0d: Fixes an issue where, after updating the path of a PagerDuty or Slack secret during setup, the complete-setup URL would point to an integration ID which does not exist, requiring the resource to be removed and recreated in Terraform.
  • 3122209: Fix an issue causing extension conditions to always require updating in Terraform.
  • c818f0d: Fix AWS account names not being shown when the account contained S3 buckets.
  • c818f0d: Fixes an issue which may cause the Okta identity sync task to fail due to mishandled pagination parameter
  • c818f0d: For BYOC customers: adds OpenTelemetry instrumentation to database migrations.
  • c818f0d: Prevents issues with PagerDuty sync failing due to Expired Token errors
  • c818f0d: Add RDS icon for RDS Databases
  • c818f0d: Nest RDS Databases under their AWS Account in the new request page
  • c818f0d: Fix EventBridge errors when requesting more than 5 entitlements at a time.
  • 37f5b61: Pass the Cognito SAML configuration through to the control plane service.
  • 3122209: Adds a background task to monitor for any differences in authorization ahead of a migration to Connected Identities for authorization decisions.
  • c818f0d: Fixes insights access hours calculation showing 0 hours reduced
  • c818f0d: Fix an issue where Common Fate would report an internal server error if a workflow was deleted while Slack Alerts were still present.
  • c818f0d: Include OpenTelemetry trace ID in internal server errors
  • 3122209: Improve tracing on Okta sync workflows

Full Changelog: v2.2.0...v2.3.0

v2.2.0

23 Jul 07:30
b802c67

What's Changed

2.2.0

Minor Changes

  • 6a3d6d2: For BYOC customers: adds a configuration flag to enable/disable the pull-based Entra Identities Sync background task.
  • be3fafa: Adds advanced search capability to the new request page including fuzzy search and logical conditions
  • 01df860: Adds configuration variables for usage reporting.
  • be3fafa: The Read-Only client is now permitted to preview user access. You can use this to develop automations that preview user access within Common Fate.
  • be3fafa: Users and groups are now shown in a dedicated directory view in the Common Fate web console.
  • be3fafa: Adds support for force closing Access Requests where deprovisioning has failed. To close these requests, give yourself permission to perform Access::Action::"ForceClose". You will then have the ability in the web console to forcibly close Access Requests.
  • be3fafa: Adds pull-based syncing for Microsoft Entra.
  • be3fafa: Adds 'Department' attribute to users. This attribute is synced with the Okta 'department' attribute.
  • c053d32: For BYOC customers: adds Terraform variables to configure the access and refresh token duration for the CLI client.
  • be3fafa: Adds an Open in Console button to Slack messages.
  • be3fafa: Common Fate deployments now report usage (such as user and integration count) to the Common Fate deployment metadata service.

Patch Changes

  • be3fafa: Fixes an issue which would cause the new request page to lag when searching for an entitlement
  • be3fafa: For BYOC customers: background task diagnostics metrics are now emitted as an OpenTelemetry trace.
  • be3fafa: Fixes a typo in the Preview Access web console text.
  • be3fafa: Populate the names from discovered accounts if name does not exist.
  • be3fafa: Fix pagination handling for Entra ID sync task
  • be3fafa: Make audit_message_type nullable.
  • be3fafa: Fixes a latency issue when viewing Common Fate deployment insights.
  • be3fafa: Correctly handle the case where a workflow is deleted before a grant is closed when returning results from the Close API.
  • be3fafa: Fix an issue where Common Fate would report an Internal Server Error if a workflow was deleted while availabilities were still present.
  • be3fafa: Fixes a caching issue when querying for available entitlements.
  • be3fafa: Improve the efficiency of the Entra ID sync task
  • be3fafa: Fix an issue where the web console would show an error 'override duration cannot be greater than max duration'.
  • be3fafa: Fix an issue causing long policies to overflow in the preview entitlement access view.
  • be3fafa: Fix an issue where the AWS Organizational Unit icon would not be shown in light mode in the web console.
  • be3fafa: Fixes issue causing increased latency in the web console.
  • be3fafa: For BYOC customers: adds OpenTelemetry instrumentation to provisioning/deprovisioning calls.
  • 78bbdf7: Exposes ecs_task_memory and ecs_task_cpu variables for the control plane, worker and access handler services.
  • be3fafa: Adds principal ID to API otel tracing spans
  • be3fafa: Fixes policy highlighting in the preview debugger when policies have annotations

Full Changelog: v2.1.0...v2.2.0

v2.1.0

12 Jul 08:52
f87a551

What's Changed

2.1.0

Minor Changes

  • d7a212f: Users can now select the duration when using the Slack request workflow.
  • d7a212f: Add support for extend access configuration with max extensions and extension duration in access workflows.
  • d7a212f: Add stats page for access requests and privilege reduction
  • d7a212f: Common Fate users are now proactively provisioned for our Slack, AWS IAM Identity Center, and PagerDuty integrations. Common Fate user accounts will be created automatically for user accounts in these integrations.
    This fixes an issue where users would have to wait for an initial integration resource sync before they could request access to entitlements.
  • d7a212f: Deprecate TryExtendAfter in favour of ExtensionConditions.
  • d7a212f: Fix an issue causing an incorrect duration to be returned in BatchEnsure.
  • d7a212f: Slack integration messages now include information on who approved the request.
  • d7a212f: The /access command now skips the resource type selector if only one access integration is installed.

Patch Changes

  • d7a212f: Fix the contrast on the menu options when hovering in the preview access page in the web app
  • d7a212f: Don't show breakglass option for a request that is already approved
  • d7a212f: Fix an issue preventing Entra users from being linked with Common Fate user accounts.
  • d7a212f: Fix UI overlap on the breadcrumb component in the web app
  • d7a212f: Add grpc message validation to API middleware
  • d7a212f: Fix an issue where the 'Review Requests' panel would be shown when the web console was opened.
  • d7a212f: Fix the action button in the request list for smaller screen widths.
  • d7a212f: Entra SCIM integration now correctly handles the case where a group is a member of another group.
    Previously all members of groups were treated as users, which meant that nested groups could not be used in access policies correctly.
  • d7a212f: Okta Integration config is now validated on updates from terraform.
  • d7a212f: Fix an issue causing the principal to be incorrect on created grants.
  • d7a212f: Fixes an issue which would prevent a grant from being closed if the availability spec was removed while the grant was pending or active
  • d7a212f: Add the grant principal to audit logs for grant actions
  • d7a212f: Don't show the approve button on Slack channel messages for requests which were auto-approved or breakglass activated.
  • d7a212f: Update the Slack messenger to send push notification updates for important request lifecycle changes.
  • d7a212f: Improve the contrast of the authorization graph in light mode

Full Changelog: v2.0.3...v2.1.0

v2.0.3

09 Jul 00:45
f09e973

What's Changed

2.0.3

Patch Changes

  • b707d12: Fix an issue where Terraform would reset the 'schema' attribute on the Cognito user pool for some deployments.

Full Changelog: v2.0.2...v2.0.3

v2.0.2

08 Jul 23:44
8c79073

What's Changed

2.0.2

Patch Changes

  • 24b26c8: Fixes an issue in the Service Connect configuration which was causing a 15 second timeout. This would cause access requests to fail in some instances when multiple entitlements were requested.

Full Changelog: v2.0.1...v2.0.2