Components Changelog

Upstream Datadog

What

  • Datadog updates
  • New datadog-configuration component for setting up shared functions and making the codebase more DRY

CPLIVE-320: Set VPC to use region-less AZs

What

  • Set VPC to use region-less AZs

Why

  • Prevent having to set VPC AZs within global region defaults

References

  • CPLIVE-320

🚀 Enhancements

Allow vpc-peering to peer v2 to v2

What

  • Allow vpc-peering to peer v2 to v2

Why

  • Alternative to transit gateway

References

N/A

[eks/actions-runner-controller] Auth via GitHub App, prefer webhook auto-scaling

What

  • Support and prefer authentication via GitHub app
  • Support and prefer webhook-based autoscaling

Why

  • GitHub app is much more restricted, plus has higher API rate limits
  • Webhook-based autoscaling is proactive without being overly expensive

Upstream iam-service-linked-roles

What

  • Upstream iam-service-linked-roles (thanks to for writing it)

Why

  • Centralized component to create IAM service linked roles

References

  • N/A

Add account-quotas component

What

  • Add account-quotas component to manage account service quota increase requests

Why

  • Add service quotas to the infrastructure that can be represented in code

Notes

Cloud Posse has a service quotas module, but it has issues, such as not allowing the service to be specified by name, and not having well documented inputs. It also takes a list input, but Atmos does not merge lists, so a map input is more appropriate. Overall I like this component better, and if others do, too, I will replace the existing module (only at version 0.1.0) with this code.

Update EKS basic components

What && why

Update EKS cluster and basic Kubernetes components for better behavior on initial deployment and on terraform destroy.

  • Update minimum Terraform version to 1.1.0 and use one() where applicable to manage resources that can be disabled with count = 0 and for bug fixes regarding destroy behavior
  • Update terraform-aws-eks-cluster to v2.5.0 for better destroy behavior
  • Update all components' (plus account-map/modules/)remote-state to v1.2.0 for better destroy behavior
  • Update all components' helm-release to v0.7.0 and move namespace creation via Kubernetes provider into it to avoid race conditions regarding creating IAM roles, Namespaces, and deployments, and to delete namespaces when destroyed
  • Update alb-controller to deploy a default IngressClass for central, obvious configuration of shared default ingress for services that do not have special needs.
  • Add alb-controller-ingress-class for the rare case when we want to deploy a non-default IngressClass outside of the component that will be using it
  • Update echo-server to use the default IngressClass and not specify any configuration that affects other Ingresses, and remove dependence on alb-controller-ingress-group (which should be deprecated in favor of alb-controller-ingress-class and perhaps a specialized future alb-controller-ingress)
  • Update cert-manager to remove default.auto.tfvars (which had a lot of settings) and add dependencies so that initial deployment succeeds in one terraform apply and destroy works in one terraform destroy
  • Update external-dns to remove default.auto.tfvars (which had a lot of settings)
  • Update karpenter to v0.18.0, fix/update IAM policy (README still needs work, but leaving that for another day)
  • Update karpenter-provisioner to require Terraform 1.3 and make elements of the Provisioner configuration optional. Support block device mappings (previously broken). Avoid perpetual Terraform plan diff/drift caused by setting fields to null.
  • Update reloader
  • Update mixins/provider-helm to better support terraform destroy and to default the Kubernetes client authentication API version to client.authentication.k8s.io/v1beta1

References

Upstream `github-runners`

What

  • Minor TLC updates for GitHub Runners ASG component

Why

  • Maintaining up-to-date upstream

Fix feature allowing IAM users to assume team roles

What

  • Replace deny_all_iam_users input with iam_users_enabled
  • Fix implementation
  • Provide more context for bats test failures

Why

  • Cloud Posse style guide dictates that boolean feature flags have names ending with _enabled
  • Previous implementation only removed 1 of 2 policy provisions that blocked IAM users from assuming a role, and therefore IAM users were still not allowed to assume a role. Since the previous implementation did not work, a breaking change (changing the variable name) does not need major warnings or a major version bump.
  • Indication of what was being tested was too far removed from bats test failure message to be able to easily identify what module had failed

Notes

Currently, any component provisioned by SuperAdmin needs to have a special provider configuration that requires SuperAdmin to provision the component. This feature is part of what is needed to enable SuperAdmin (an IAM User) to work with "normal" provider configurations.

References

  • Breaks change introduced in , but that didn't work anyway.