Releases: common-fate/terraform-aws-common-fate-deployment
v1.41.2
v1.41.1
What's Changed
Patch Changes
4ccb495: Allow disabling automatic database migrations using the database_auto_migrate variable when the Control Plane container starts.
8014185: Fix an issue which could cause active grants to be revoked if the activation expiry is exceeded.
8014185: For BYOC customers: allow disabling automatic database migrations when the Control Plane container starts.
Full Changelog: v1.41.0...v1.41.1
v1.41.0
What's Changed
Minor Changes
c84bcf8: Adds provisioning configuration for the Common Fate Auth0 integration.
3a7c2be: Adds support for requesting access to a GCP Role Group. A Role Group is a group of multiple roles which are requested and assigned together. GCP Role Groups allow you to work around the permission count restriction in custom roles.
3a7c2be: Adds Auth0 integration.
3a7c2be: Updates the API for Slack alerts to allow configuring messages sent via direct message to approvers.
55e6057: Adds VPC Endpoints for services used in the stack.
Patch Changes
3a7c2be: For BYOC customers: fixes an issue where the 'version' attribute on OpenTelemetry spans was not being set.
3a7c2be: Fixes name based lookups for target and role when using the CLI to ensure access when the embedded authorization feature flag is enabled.
3a7c2be: Fix an issue where auto-approved access would use a lower priority Access Workflow, if the Access Workflow had a longer duration.
3a7c2be: Improve performance of the integration APIs
3a7c2be: Fix an issue causing the duration input to reset when requesting access in the web console.
3a7c2be: Fixes an issue where invalid configuration could cause the built-in Provisioner to report 'no provisioner has the capability to Grant on '. If you have a single provisioner registered with your Common Fate deployment, we'll always try to call it rather than reporting an error if the capabilities aren't correctly configured.
3a7c2be: Performance improvement for the Availability Maker background process.
c51b5d8: Enable embedded authorization by default
3a7c2be: Fix an issue on the new request page which would cause the access duration to reset when the reason was updated.
Full Changelog: v1.40.2...v1.41.0
v1.40.2
What's Changed
Patch Changes
e2a931b: For BYOC customers: fixes an issue where the 'version' attribute on OpenTelemetry spans was not being set.
e2a931b: Fix an issue where auto-approved access would use a lower priority Access Workflow, if the Access Workflow had a longer duration.
e2a931b: Fix an issue where containers could fail to start if the Common Fate support API was unable to issue an access token to the deployment.
Full Changelog: v1.40.1...v1.40.2
v1.40.1
What's Changed
Patch Changes
4d7de64: Fix an issue causing the duration input to reset when requesting access in the web console.
4d7de64: Fix an issue on the new request page which would cause the access duration to reset when the reason was updated.
Full Changelog: v1.40.0...v1.40.1
v1.40.0
What's Changed
Minor Changes
1ee7409: Adds a dead-letter queue to the event handler SQS queue.
1ee7409: Adds support for Managed Monitoring. When enabled, a Common Fate deployment will emit OpenTelemetry events to our centralised OpenTelemetry collector, allowing the Common Fate team to diagnose performance issues and proactively detect errors in your deployment. No identifiable information is included in the OpenTelemetry events.
Patch Changes
cad9494: Enable the Access Handler service to connect to the RDS database.
a9cc4ab: Add unstable feature flag for embedded authorization
b835a74: Grant permissions for the control plane and access handler services to write to the authz eval bucket.
58b9370: Updates the built-in application version to v3.11.0, including the following changes:
Minor Changes
5f64825: Adds additional OpenTelemetry attributes to authorization events.
2f1b875: Improves the performance of API authorization.
2a60d42: Workflows can now be configured with an activation expiry deadline to automatically close requests that have not been activated for a set period of time after being approved.
5d659e1: Adds support for Managed Monitoring. When enabled, OpenTelemetry traces are dispatched to Common Fate's centralised monitoring infrastructure to allow our team to proactively monitor your deployment. No identifiable information such as email addresses or cloud resource metadata is included in any monitoring events.
Patch Changes
d67388a: For BYOC customers: fixes an issue where event handler logs were noisy. Info-level logs have been shifted to Debug.
0831fdd: For BYOC customers: fixes an issue where error logs would be emitted during container shutdown.
b913687: Improve query performance for integration entities by using a more performant encoding strategy for attributes.
8e942aa: For BYOC customers: fixes OpenTelemetry API errors being included in spans with "An unexpected error has occured."
ff0b8d3: For BYOC customers: logs emitted when identities are not matched have been reduced to 'info' level rather than 'warn'.
3ffd115: For BYOC customers: the Access Handler now connects to the Common Fate RDS database.
e13d669: Shows 'Approvers' as a column title in the Access Request detail table header.
8754da8: The web console now shows the Access Workflow name associated with a particular Access Request, when viewing the Access Request details.
ebc1d4c: Fix missing mapping of ListBackgroundJobKindSummary to Admin::Action::"Read" action.
45e1db0: Introduces improved authorization performance, available as an opt-in feature flag.
cfd0187: Adds Parents tab to the resource detail view in the web UI.
Full Changelog: v1.39.0...v1.40.0
v1.39.0
What's Changed
Minor Changes
- cc8a9b1: When viewing an Access Request which needs approval, you'll now see a list of users who are authorized to approve access.
- cc8a9b1: Adds Access Preview. Common Fate administrators can now list the entitlements that end-users can have authorization to access. Access Preview shows whether access will be auto-approved, and indicates the particular authorization policies which contribute to the authorization decision.
- 12acbd7: Adds variable to allow for Multi-AZ on RDS database.
- e43324c: The Common Fate web console now filters entitlements by default. If an end-user doesn't have authorization to request access to an entitlement, it will not be shown in the list to select from in the web console.
- fe1c946: Adds 'rds_apply_immediately' variable to immediately apply RDS changes. Set to 'true' by default.
Patch Changes
- e59ab5d: Removes the unstable_enable_feature_access_simulation variable from the Terraform module. This was used during the preview period for the Access Preview feature.
Full Changelog: v1.38.0...v1.39.0
v1.38.0
What's Changed
Minor Changes
f8498b0: GCP Integration Module: adds optional support for provisioning access to GCP organizations and GCP BigQuery resources, which require additional IAM permissions.
96ca1d3: Common Fate now supports webhook integrations. You can use webhook integrations to route events to other security tools, or use them to build your own notification integrations.
96ca1d3: Adds support for Just-In-Time access to GCP BigQuery Tables.
96ca1d3: Adds an in-app contact form which can be used to reach Common Fate support if you have questions, feedback, or problems.
96ca1d3: The retention for authorization events (visible in the "Authorization" page in the web console) is now 1 year by default. After the retention period, events will be removed from the Common Fate database. For BYOC customers, events will still be present in CloudWatch, depending on the retention period you have configured for your log group.
96ca1d3: Adds support for Just-In-Time access to GCP BigQuery Datasets.
cfed93f: Adds SNS topic for alerting on Common Fate background job failures.
cfed93f: Adds SNS topic for alerting on ECS deployment failures.
96ca1d3: For BYOC customers: Common Fate now emits a job.failed event when a background job fails, and a job.completed event when a background job completes successfully.
96ca1d3: Adds support for obtaining an AWS profile (to be stored in ~/.aws/config) for a particular AWS account and role when using the Common Fate CLI.
cfed93f: Enables ECS Circuit Breaker for ECS services.
96ca1d3: Add support for Just-In-Time access to GCP Organizations, by granting an organization-level role.
Patch Changes
96ca1d3: Fix error handling for Slack integrations in the event handler. In some cases a database error would be reported as having no integrations configured.
b3cf16e: Redirect the DebugEntitlementAccess RPC to the control plane
0321530: For BYOC customers: the Common Fate Control Plane now serves the Granted Profile Registry API. We've updated the load balancer rules to reflect this.
96ca1d3: Fixes an issue where Common Fate could not reconnect to the database after a password rotation.
96ca1d3: Fixes an issue where some access preview APIs would not return the expected results for particular policy types.
7acb3f3: Permit the control plane and worker task roles to fetch the database secret from Secrets Manager. This change supports application-layer database credential rotation.
Full Changelog: v1.35.1...v1.38.0
v1.35.1
v1.35.0
What's Changed
Minor Changes
- 6b1ad3d: Point-In-Time-Recovery (PITR) is now enabled by default for the Common Fate RDS database. Adds variables to restore from a PITR backup.
Patch Changes
- 0059931: Mitigates an issue where duplicate user identifiers may be created when a user first signs in to the web console.
- 5caf1e1: Fix an issue where the namespace, stage, and log_retention_in_days variables were not propagated to the ecs_base module.
- 0059931: Fix an issue where available entitlements could be orphaned during integration resource syncing.
Full Changelog: v1.34.0...v1.35.0
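The three module inputs named across these notes (database_auto_migrate from v1.41.1, rds_apply_immediately from v1.39.0, and log_retention_in_days from v1.35.0, which also governs how long the CloudWatch copy of authorization events survives for BYOC deployments per v1.38.0) are usually tuned together before a production rollout. The block below is an added illustration of doing so; it is not code from the Common Fate module or its documentation. The registry source string is an assumption derived from the repository name, the input types are assumed to be boolean and number as the notes imply, the chosen values are opinions rather than documented defaults, and the module's other required inputs are omitted.

```hcl
module "common_fate_deployment" {
  # Assumed registry source, inferred from the repository name
  # terraform-aws-common-fate-deployment. Confirm it against the module README.
  source  = "common-fate/common-fate-deployment/aws"
  version = "1.41.1"

  # Other required inputs for your deployment are not shown here.

  # v1.41.1: do not run database migrations automatically when the Control
  # Plane container starts. Running them as an explicit, reviewed step means a
  # routine ECS rolling deployment cannot apply a schema change on its own.
  database_auto_migrate = false

  # v1.39.0: the module defaults this to true, which applies RDS modifications
  # (instance class, storage, parameter changes) immediately instead of in the
  # maintenance window. Setting it to false avoids surprise restarts of the
  # database that backs the Control Plane and Access Handler.
  rds_apply_immediately = false

  # v1.38.0 / v1.35.0: authorization events are pruned from the database after
  # one year, but for BYOC deployments they stay in CloudWatch for as long as
  # this retention keeps them. 400 is an assumed value chosen to exceed the
  # one-year database retention; CloudWatch only accepts its fixed set of
  # retention values (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, ...).
  log_retention_in_days = 400
}
```

With rds_apply_immediately set to false, an RDS change planned by terraform apply stays pending until the next maintenance window, so check the instance's pending modifications before assuming a change is live. With database_auto_migrate set to false, upgrading the module version no longer migrates the schema on container start, so the migration has to be run deliberately as part of the upgrade runbook.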