Skip to main content

Components Changelog

Subscribe through RSS feeds to stay up-to-date with new releases!

View on GitHub

[account-map] Backwards compatibility for terraform profile users and eks/cluster

What

  • [account-map/modules/iam-roles] Add profiles_enabled input to override global value
  • [eks/cluster] Use iam-roles profiles_enabled input to force getting a role ARN even when profiles are in use
  • [guardduty] Make providers compatible with static and dynamic TF roles

Why

  • Previously, when the global account-map profiles_enabled flag was true, iam_roles.terraform_role_arn would be null. However, eks/cluster requires terraform_role_arn regardless.
  • Changes made in work in environments that have not adopted dynamic Terraform roles but would fail in environments that have (when using SuperAdmin)

[account-map] Feature flag to enable legacy Terraform role mapping

What

  • [account-map] Add legacy_terraform_uses_admin feature flag to retain backwards compatibility

Why

  • Historically, the terraform roles in root and identity were not used for Terraform plan/apply, but for other things, and so the terraform_roles map output selected the admin roles for those accounts. This "wart" has been remove in current aws-team-roles and tfstate-backend configurations, but for people who do not want to migrate to the new conventions, this feature flag enables them to maintain the status quo with respect to role usage while taking advantage of other updates to account-map and other components.

References

This update is recommended for all customers wanting to use any component version 1.227 or later.

[lambda] feat: allows to use YAML instead of JSON for IAM policy

What

  • BREAKING CHANGE: Actually use variable function_name to set the lambda function name.
  • Make the variable function_name optional. When not set, the old null-lable-derived name will be use.
  • Allow IAM policy to be specified in a custom terraform object as an alternative to JSON.

Why

  • function_name was required to set, but it wasn't actually passed to module "lambda" inputs.
  • Allow callers to stop providing function_name and preserve old behavior of using automatically generated name.
  • When using Atmos to generate inputs from "stack" YAML files, having the ability to pass the statements in as a custom object means specifying them via YAML, which makes the policy declaration in stack more readable compared to embedding a JSON string in the YAML.

refactor securityhub component

What

  • Refactor the Security Hub components into a single component

Why

  • To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between.

roll guard duty back to previous providers logic

What

  • Roll the Guard Duty component back to using the previous logic for role assumption.

Why

  • The newer method is causing the provider to try to assume the role twice. We get the error:
AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 00000000-0000-0000-0000-00000000, api error AccessDenied: User: arn:aws:sts::000000000000:assumed-role/acme-core-gbl-security-terraform/aws-go-sdk-1687312396297825294 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/acme-core-gbl-security-terraform

refactor guardduty module

What

  • Refactor the GuardDuty components into a single component

Why

  • To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between.

upstream `github-action-runners` dockerhub authentication

What

  • Adds support for dockerhub authentication

Why

  • Dockerhub limits are unrealistically low for actually using dockerhub as an image registry for automated builds

alb: use the https_ssl_policy

What

  • Apply the HTTPS policy

Why

  • The policy was unused so it was defaulting to an old policy

References

Possibly breaking change:

In this update, account-map/modules/iam-roles acquired a provider, making it no longer able to be used with count. If you have code like

module "optional_role" {
  count = local.optional_role_enabled ? 1 : 0

  source  = "../account-map/modules/iam-roles"
  stage   = var.optional_role_stage
  context = module.this.context
}

You will need to rewrite it, removing the count parameter. It will be fine to always instantiate the module. If there are problems with ensuring appropriate settings with the module is disabled, you can always replace them with the component's inputs:

module "optional_role" {
  source  = "../account-map/modules/iam-roles"
  stage   = local.optional_role_enabled ? var.optional_role_stage : var.stage
  context = module.this.context
}

The update to components 1.227.0 is huge, and you have options.

  • Enable, or not, dynamic Terraform IAM roles, which allow you to give some people (and Spacelift) the ability to run Terraform plan in some accounts without allowing apply. Note that these users will still have read/write access to Terraform state, but will not have IAM permissions to make changes in accounts. terraform_dynamic_role_enabled
  • Update to new aws-teams team names. The new names are (except for support) distinct from team-roles, making it easier to keep track. Also, the new managers team can run Terraform for identity and root in most (but not all) cases.
  • Update to new aws-team-roles, including new permissions. The custom policies that have been removed are replaced in the aws-team-roles configuration with AWS managed policy ARNs. This is required to add the planner role and support the terraform plan restriction.
  • Update the providers.tf for all components. Or some of them now, some later. Most components do not require updates, but all of them have updates. The new providers.tf, when used with dynamic Terraform roles, allows users directly logged into target accounts (rather than having roles in the identity account) to use Terraform in that account, and also allows SuperAdmin to run Terraform in more cases (almost everywhere).

If you do not want any new features, you only need to update account-map to v1.235 or later, to be compatible with future components. Note that when updating account-map this way, you should update the code everywhere (all open PRs and branches) before applying the Terraform changes, because the applied changes break the old code.

If you want all the new features, we recommend updating all of the following to the current release in 1 PR:

  • account-map
  • aws-teams
  • aws-team-roles
  • tfstate-backend
Enable `terraform plan` access via dynamic Terraform roles

Reviewers, please note:

The PR changes a lot of files. In particular, the providers.tf and therefore the README.md for nearly every component. Therefore it will likely be easier to review this PR one commit at a time.

import_role_arn and import_profile_name have been removed as they are no longer needed. Current versions of Terraform (probably beginning with v1.1.0, but maybe as late as 1.3.0, I have not found authoritative information) can read data sources during plan and so no longer need a role to be explicitly specified while importing. Feel free to perform your own tests to make yourself more comfortable that this is correct.

What

  • Updates to allow Terraform to dynamically assume a role based on the user, to allow some users to run terraform plan but not terraform apply
    • Deploy standard providers.tf to all components that need an aws provider
    • Move extra provider configurations to separate file, so that providers.tf can remain consistent/identical among components and thus be easily updated
    • Create provider-awsutils.mixin.tf to provide consistent, maintainable implementation
  • Make aws-sso vendor safe
  • Deprecate sso module in favor of aws-saml

Why

  • Allow users to try new code or updated configurations by running terraform plan without giving them permission to make changes with Terraform
  • Make it easier for people directly logged into target accounts to still run Terraform
  • Follow-up to , which updated aws-teams and aws-team-roles, to make aws-sso consistent
  • Reduce confusion by moving deprecated code to deprecated/

Removed list of components from main README.md

What

  • Removed list of components from main README.md

Why

  • That list is outdated

References

upstream argocd

What

  • Upstream fixes that allow for Google OIDC

add new spacelift components

What

  • Add the newly developed spacelift components
  • Deprecate the previous components

Why

  • We undertook a process of decomposing a monolithic module and broke it into smaller, composable pieces for a better developer experience

References

feat: New Component `aws-ssosync`

What

  • adds a fork of aws-ssosync as a lambda on a 15m cronjob

Why

Google is one of those identity providers that doesn't have good integration with AWS SSO. In order to sync groups and users across we need to use some API calls, luckily AWS Built aws-ssosync to handle that.

Unfortunately, it required ASM so we use Benbentwo/ssosync as it removes that requirement.

Disable helm experiments by default, block Kubernetes provider 2.21.0

What

  • Set helm_manifest_experiment_enabled to false by default
  • Block Kubernetes provider 2.21.0

Why

  • The helm_manifest_experiment_enabled reliably breaks when a Helm chart installs CRDs. The initial reason for enabling it was for better drift detection, but the provider seems to have fixed most if not all of the drift detection issues since then.
  • Kubernetes provider 2.21.0 had breaking changes which were reverted in 2.21.1.

References

Move `profiles_enabled` logic out of `providers.tf` and into `iam-roles`

What

  • For Terraform roles and profiles used in providers.tf, return null for unused option
  • Rename variables to overridable_* and update documentation to recommend variables_override.tf for customization

Why

  • Prepare for providers.tf updates to support dynamic Terraform roles
  • ARB decision on customization compatible with vendoring