Releases: common-fate/terraform-aws-common-fate-deployment
v2.0.1
What's Changed
2.0.1
Patch Changes
- f503835: Fix an issue preventing Entra users from being linked with Common Fate user accounts.
- f503835: Fix an issue where the 'Review Requests' panel would be shown when the web console was opened.
- f503835: Add the grant principal to audit logs for grant actions
Full Changelog: v2.0.0...v2.0.1
v2.0.0
What's Changed
2.0.0
See the migration guide for details on changes to the infrastructure in this version.
Major Changes
- 5beef23: For BYOC customers: Removes the Authz service, which has been fully deprecated as of application version 4.3.0. The supporting DynamoDB table for this service will remain until a future release, when it will be removed. The CloudWatch log group for the Authz service will remain until a future release, when it will be removed.
- e56d0bd: For BYOC Customers: Removes the team_name and logo_url variables and support for customising the appearance of the web app.
- e56d0bd: For BYOC Customers: This change removes the PagerDuty and Slack configuration from the infrastructure stack. These integrations are now entirely configured in the application config.
- e56d0bd: For BYOC Customers: This change removes the provisioner config variables from the infrastructure stack. To upgrade, you will need to remove any references to these variables in your config. The provisioner is now configured entirely from the application configuration.
- e56d0bd: For BYOC Customers: This change removes unstable_enable_feature_least_privilege, unstable_sync_idc_cloudtrail_schedule and unstable_least_privilege_analysis_schedule variables as this feature has been removed from the application.
Minor Changes
- e74c376: Send slack notification to notify users at a preset time before their access expires.
- 96af06e: Add Otel container definition to provisioner module
- e74c376: Adds ability to prioritise roles when creating availabilities. The highest priority role will be suggested in the entitlement request UI
- e74c376: Adds a new "recently used" section to the entitlement select tree which displays the 3 most frequently used entitlements
- e74c376: Add event filtering to webhook integration
- e74c376: Notify slack approvers and channel when breakglass access is used
- e74c376: Adds support for breakglass access, when enabled, users who have permission will be able to skip approvals for specific entitlements.
Patch Changes
- 6b3dc4d: Update slack expiry notification to include target and role which are expiring.
- e74c376: Fix "Open Console" showing on requests for other users in the requests list view.
- e74c376: Adds OTEL tracing to the Provisioner and improves the tracing for the Control Plane http APIs
- e74c376: Fix logic for creating profiles based on an entitlement requested with batch ensure
- d58a647: Fixes a permissions issue which prevented the provisioner from reading secrets from SSM Parameter store at runtime, for integrations such as Okta, Entra, Auth0
- 9c05918: Fixes a cyclic reference issue when the ALB certificate ARN depends on the output of another Terraform module.
- e74c376: Add tracing to the Provisioner and emit traces to AWS X-Ray
- e74c376: Fixes an issue causing the activate button not to be shown on Slack DMs when the approval policy checks for a principal condition.
- e74c376: Further improvements and fixes to new hierarchy UI to improve search and readability
- 6b3dc4d: Fix an issue where the Access Request confirmation accordion would not open by default in the web console.
- e74c376: Fix scrollbar always showing on requests list view
- f3ccd4b: Adds centralised monitoring environment variables to the provisioner module
Full Changelog: v1.45.1...v2.0.0
v1.45.4
What's Changed
1.45.4
Patch Changes
- 43785b7: Fix logic for creating profiles based on an entitlement requested with batch ensure
Full Changelog: v1.45.3...v1.45.4
v1.45.3
What's Changed
1.45.3
Patch Changes
- 075f19e: Fixes a permissions issue which prevented the provisioner from reading secrets from SSM Parameter store at runtime, for integrations such as Okta, Entra, Auth0
Full Changelog: v1.45.2...v1.45.3
v1.45.2
What's Changed
1.45.2
Patch Changes
- b926024: Fix "Open Console" showing on requests for other users in the requests list view.
- b926024: Fix scrollbar always showing on requests list view
Full Changelog: v1.45.1...v1.45.2
v1.45.1
What's Changed
1.45.1
Patch Changes
- 991a6aa: Fix an issue causing the activate action not to show in slack DMs
Full Changelog: v1.45.0...v1.45.1
v1.45.0
What's Changed
1.45.0
Minor Changes
- a7b84d7: Provisioner no longer depends on infrastructure configuration for integrations. Teams using AWS or GCP integrations are required to follow the migration guide prior to updating to this release: https://docs.commonfate.io/migration-guide/migration-guide#v1-45-0
- a7b84d7: For BYOC customers: the authz service is no longer used. We plan to remove it in a future release.
- 57f05c2: Deprecate configuring the provisioner via the infrastructure config
- a7b84d7: New access page for requesting target and role combinations laid out in a tree format
Patch Changes
- a7b84d7: Fixes an issue that could lead to a denial of service with the policy API if a malformed or forbid-all policy was created. The CF::Service::"Terraform" principal, which is the service principal assumed by the Terraform client credentials, is now always permitted to use the policy APIs regardless of the customer policies applied, so customers are never left unable to revert a bad policy change.
- a7b84d7: Fix active requests in the requests list not opening the request detail page when clicked
- 5b53143: Update default idle timeout on the ALB to 2m 30s to accommodate the retry timeouts in the provisioners
- 64073c2: Fix AWS IAM Identity Center Linked Identity cleanup.
- 64073c2: Skip attempting deprovisioning if requested resources no longer exist.
- a7b84d7: Fix an issue causing SCIM Group APIs to fail on update operations.
- a7b84d7: improve action button to give more information on what button does
- a7b84d7: Slack integration will now only show activate button if the user viewing the notification has permissions to activate the grant
- a7b84d7: Refresh audit logs on request detail page every 10 seconds.
Full Changelog: v1.44.0...v1.45.0
v1.44.2
What's Changed
1.44.2
Patch Changes
- 5a25225: Fix an issue where the Common Fate CLI would generate an invalid credential_process profile field for AWS accounts with names containing whitespace.
Full Changelog: v1.44.1...v1.44.2
v1.44.1
What's Changed
1.44.1
Patch Changes
- 51501d5: Fix AWS IAM Identity Center Linked Identity cleanup.
- 51501d5: Skip attempting deprovisioning if requested resources no longer exist.
- d3c03f2: Fix an issue causing SCIM Group APIs to fail on update operations.
- d3c03f2: Refresh audit logs on request detail page every 10 seconds.
Full Changelog: v1.44.0...v1.44.1
v1.44.0
What's Changed
Minor Changes
- a361487: Removes the requirement to configure the pager_duty_client_id, pager_duty_client_secret_ps_arn, slack_client_id, slack_client_secret_ps_arn and slack_signing_secret_ps_arn variables in the infrastructure layer. This configuration is now pulled directly from the integration config resources in your application configuration.
- 1cf453f: Removes the 'cf authz policyset validate' server-side validation command in favor of client-side validation.
- 1cf453f: Remove the requirement for Slack, PagerDuty and OpsGenie to be configured in the infrastructure layer. Config is now read from the integration resources in Terraform.
- 1cf453f: Support requiring all request actions to be forced to use the CF console.
- 1cf453f: Implement security headers and conceal server tokens in Nginx.
Patch Changes
- 1cf453f: Fix API pagination sometimes returning duplicate results
- 1cf453f: Fix an issue where old Access::LinkedIdentity entities would not be cleared when an AWS IDC User is removed.
- 1cf453f: Fix an issue where the default duration information would flicker in the web console.
- 1cf453f: Fixes an issue causing Slack alerts not to be sent to channels when a request is created
- 1cf453f: Fix a nil pointer error sometimes observed when listing access requests
- 1cf453f: Add CF::Principal to the resource page to improve debugging
- 1cf453f: Fix a login issue affecting some users
- fbd193a: Fix CloudWatch resource policy conditions not permitting events to be written to the CloudWatch log group.
- 1cf453f: Fixes an issue where the migration of users from Authz to the internal Postgres database resulted in both names being set to the first name.
- 1cf453f: Fixes an issue where CF::User would show up in the resources view twice
- 1cf453f: Fixes an issue where a new user created in v1.42.0..2 may have been created with an incorrect ID
- 1cf453f: Support additional provisioner configuration fields on AWS and GCP integrations
- 1cf453f: Fix policy migration issue seen in v4.0.1..4
- 1cf453f: Fix an issue where the sso_access_portal_url field would not be used for AWS console links in the web console.
- 1cf453f: Fixes an issue where errors during first-time login may not be caught
Full Changelog: v1.43.5...v1.44.0