Releases: cloudposse/terraform-aws-components

v1.479.0

08 Aug 18:52
020dc81

chore: update argocd-repo to use 6.0+ github provider @dudymas (#1031)

what

  • chore(argocd-repo/branch-protection): updated for latest provider
  • chore(argocd-repo/versions): ensure github is 6.0+

why

references

Replace Admonition Style @milldr (#1092)

what

  • Replace all Docusaurus style admonitions with GitHub style admonitions

why

  • We now can provide the GH style here and have the docs site convert the format into Docusaurus style

references

v1.478.0

05 Aug 15:09
27be807

feat(spacelift): support for local files for policies @oycyc (#1091)

what

references

PR from the Spacelift module cloudposse/terraform-spacelift-cloud-infrastructure-automation#183

v1.477.0

02 Aug 20:46
199c670

Added additional policies for vpn and kms - required by planner @goruha (#1088)

what

  • Added VPN export reader policy
  • Added KMS decrypt policy

why

Policies required for gitops dynamic terraform roles planner

references

v1.476.0

01 Aug 22:26
2f7135a

Fix account map special accounts like dns, identity support dynamic roles @goruha (#1087)

what

  • Support terraform dynamic roles dns_terraform_role_arn, audit_terraform_role_arn, identity_terraform_role_arn
  • Fix bug when team_roles_stacks does not have components defined

why

  • Some components like dns-delegated use dns_terraform_role_arn, audit_terraform_role_arn, identity_terraform_role_arn in provider.tf
    In the case of gitops, the planner role cannot assume an apply dynamic role.
  • That's the expected case for all non-gbl accounts

references

v1.475.0

01 Aug 22:25
2198e8e

EKS IDP roles added reader @goruha (#1089)

what

  • Added reader role for eks/idp-roles

why

  • Required for dynamic terraform roles to read k8s resources

references

feat: Auth0 Components @milldr (#1086)

what

  • Added components for Auth0 terraformation - auth0/tenant and auth0/app

why

  • Auth0 Application component. Auth0 is a third-party service that provides authentication and authorization as a service. It is typically used to authenticate users.
  • auth0/tenant configures the Terraform provider and the Auth0 tenant itself
  • auth0/app deploys an Auth0 application

references

  • client engagement

Fix: README Formatting for Docusaurus @milldr (#1084)

what

  • Misc fixes for admonition and support format for render on Docusaurus

why

  • New lines are required after :::
  • Support MDX format

references

Fix README Format @milldr (#1083)

what

  • Fix formatting in READMEs for Docusaurus rendering

why

  • Fix closing tags and alignment for MDX

references

v1.474.0

24 Jul 15:08
2c73ce3

Upgrade Supported ArgoCD Chart Version @RoseSecurity (#1081)

what and why

  • Argo versions 0.1.0 through 2.10.0-rc1, v2.9.3, v2.8.7, v2.7.15 are affected by CVE-2024-22424, a CSRF attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD.
  • Propose that we update the default values for Argo's chart from:
argo/argo-cd	5.19.12      	v2.5.9

to an unaffected version patched after 2.10-rc2, 2.9.4, 2.8.8, 2.7.16

notable changes

  • Argo CD 2.10 upgraded kubectl from 1.24 to 1.26. This upgrade introduced a change where client-side-applied labels and annotations are no longer preserved when using a server-side kubectl apply
  • Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3
  • Starting with Argo CD 2.10.11, the NetworkPolicy for the argocd-redis and argocd-redis-ha-haproxy dropped Egress restrictions. This change was made to allow access to the Kubernetes API to create a secret to secure Redis access

testing

  • This version has been tested and verified to work with the existing component configuration

references

v1.473.0

23 Jul 15:17
ce59b02

🚀 Enhancements

feat: add additional variables and outputs for `spa-s3-cloudfront` @korenyoni (#1080)

what

  • add origin_bucket variable
  • add s3_origins variable
  • add cloudfront_distribution_identity_arn output

why

references

N/A

v1.472.0

23 Jul 14:46
e43208c

Added branch restrictions to GHA IAM role @goruha (#1082)

what

  • Added branch restrictions to GHA IAM role

why

  • Improve security

references

  • DEV-371 Restrict the GitHub OIDC admin permission to the main branch

v1.471.0

12 Jul 21:42
0c301a3

fix(`aws-team-roles`): Remove Deprecated Support and Billing Custom Policies @milldr (#1078)

what

  • Add missing custom policies names that are already defined with the included component
  • Removed the custom policies for support and billing

why

  • The policy-support.tf and policy-billing.tf files already contain these policies by default. We should include them as in the default supplied_custom_policy_map
  • We should use the AWS managed Job Role policies instead. For example:
          billing:
            <<: *user-template
            enabled: false
            role_description: "Role with view permissions in the billing console"
            role_policy_arns:
              - "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess"
            aws_saml_login_enabled: false
            max_session_duration: 3600 # 1 hour in seconds
            trusted_teams:
              - "devops"
              - "managers"

          billing_admin:
            <<: *user-template
            enabled: false
            role_description: "Role with permissions for billing and cost management. This includes viewing account usage and viewing and modifying budgets and payment methods."
            role_policy_arns:
              - "arn:aws:iam::aws:policy/job-function/Billing"
            aws_saml_login_enabled: false
            trusted_teams:
              - "devops"
              - "managers"
              
          support:
            <<: *user-template
            enabled: true
            role_policy_arns:
              - "arn:aws:iam::aws:policy/AWSSupportAccess"
              - "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess"
            role_description: "Role with permissions for accessing the AWS Support Service"
            trusted_teams:
              - "devops"
              - "managers"
              - "helpdesk"

references

v1.470.1

10 Jul 00:18
f8650e4

🐛 Bug Fixes

[eks/actions-runner-controller] Fix misconfigured document separators in Helm chart template @Nuru (#1077)

what

eks/actions-runner-controller

  • Fix misconfigured document separators in Helm chart template

why

  • Runner Deployment manifest would be malformed if not using running_pod_annotations

references