Releases: common-fate/terraform-aws-common-fate-deployment
v1.25.0
What's Changed
- add configuration for authorization evaluation storage by @chrnorm in #105
- update app version to v3.3.0 by @chrnorm in #111
- update bundled app version to v3.3.1 by @chrnorm in #112
- update app version to v3.3.2 by @chrnorm in #113
- Version Packages for main by @github-actions in #110
Full Changelog: v1.24.1...v1.25.0
v1.24.0
What's Changed
- Add slack cognito client by @JoshuaWilkes in #100
- Update bundled release by @JoshuaWilkes in #107
- Version Packages for main by @github-actions in #106
Application Changes
Minor Changes
- Adds support for reducing the duration of access when making an Access Request.
Patch Changes
- Matching user accounts in integrations via email address is now case-insensitive.
- Slack DM is always sent for requests which originate from Slack, improving the user experience.
- Improve the readability of the target selector list when making an access request via the web console.
- Adds an icon for the Okta integration in the settings page.
- Fix an issue where querying for grant output data (used in the Common Fate AWS RDS integration) would return an empty result.
- Fixes an issue which caused the Common Fate Audit Log API to return some logs in non-deterministic order when they are created with the same timestamp. Logs now have an additional 'index' field which tracks the order they are created.
- Identity syncing workflows will now use the key "detail" instead of "error" in warning logs when a user from an external integration cannot be linked to an internal CF::User. This change reduces noise when filtering logs for errors.
- Security fix: GraphQL API introspection is now disabled by default.
Full Changelog: v1.23.1...v1.24.0
v1.23.1
What's Changed
- Fix default cron schedules for cloudtrail sync by @JoshuaWilkes in #103
- Version Packages for main by @github-actions in #104
Full Changelog: v1.23.0...v1.23.1
v1.23.0
v1.22.0
What's Changed
- update bundled version by @meyerjrr in #98
- Add configurable access token duration with default of 10 minutes by @meyerjrr in #97
- update patch version by @meyerjrr in #101
- Version Packages for main by @github-actions in #99
Application changes
Minor Changes
- Adds the ability to add multiple Slack clients for different Slack tenancies, as well as sending Slack messages to different channels.
- Updates the SCIM implementation to fix an issue which would cause users to be created with their first name repeated.
- Adds support for resetting the Entra users which were created via SCIM, so that they can be reset in the event that the SCIM configuration was incorrect.
- Adds additional metadata to authorization evaluations, including authorization duration.
Patch Changes
- Improve the target field of Slack messages by including the target type.
- Fix an infinite rerender bug on the resources pages that could be triggered by using the breadcrumb navigation.
- Fix an issue which caused auto-approved requests to have approval buttons in Slack channel messages.
- Fix an issue where activating a request from the CLI would not update the Slack DM.
- When a Slack integration is removed from Terraform, it will be uninstalled from the Slack workspace and its tokens will be removed.
- Use a background task to update availabilities on demand when selectors or availability specs are updated in Terraform configuration, ensuring access is made unavailable shortly after the update.
Full Changelog: v1.21.0...v1.22.0
v1.21.0
What's Changed
- Add worker container to control plane task deployment by @JoshuaWilkes in #91
- Version Packages for main by @github-actions in #95
Updates the bundled Common Fate application release to be v3.0.0
Major Changes
- Splits background workflows out into a database-backed work queue.
Minor Changes
- Adds deployment diagnostics. Retrieve diagnostic information about your Common Fate deployment by executing the cf deployment diagnostics command. Permission to execute this command requires authorization for CF::Control::DiagnosticService::Action::"GetOAuthTokenMetadata".
- Introduces DataStax integration.
Patch Changes
- Enhances rate limit handling for OpsGenie resource syncing.
- Resolves issues causing access request flow to get stuck in a broken state and some attributes not to display for resources.
- Fixes an issue displaying "Error Processing Grant" message in the Web App after a preflight when the grant was active or pending in another request.
- Corrects keyboard navigation malfunction in the access request UI of the web app when selecting an entitlement.
- Updates Slack OAuth scopes to match the app definition, ensuring Slack commands are visible for SaaS customers.
- Implements retry handling to accommodate OpsGenie rate limit errors in integration.
- Displays the duration of the request in the preflight when requesting access in the UI.
- Encodes the reason into the URL query parameters for the access request form.
- Adds DataStax integration icons to the web console UI.
- Addresses an issue that may have caused PagerDuty sync to fail for some teams.
Full Changelog: v1.20.0...v1.21.0
v1.19.0
What's Changed
- expose deletion protection variable for RDS database by @chrnorm in #78
- provisioner_task_role_name fix by @shwethaumashanker in #85
- Make provisioner ingress configurable by @JoshuaWilkes in #87
Updates the bundled Common Fate application release to be v2.2.0
Minor Changes
- Adds a Slack DM to the requestor when their request is approved, and permits the activate and close request methods from within Slack.
Patch Changes
- Fixes an issue where the web console would redirect to an invalid page after the Slack app install is complete.
- Improve grant state stepper so that Activated and Approved steps are correctly shown as skipped when a grant is closed before activation or approval. Adds activatedAt and closedAt timestamps.
- Improves the UI of the 'integrations' section in the Settings page to indicate when integrations are loading, or when no integrations have been installed.
- Fixed an issue causing closed requests to appear in in-progress columns.
- Improves the state management for Grants so that provisioning attempts are tracked. Previously, a provisioning or network error would lead to a grant being incorrectly marked as active when the user may not actually have the access they requested. Failures in provisioning will now result in grants ending in the pending state, allowing the user to retry activating.
- Handle cases in the AWS IDC provisioner where the entitlement has been removed outside of Common Fate by returning successfully, to prevent requests failing to close forever.
- Fixed an error that occurred when logging out.
- Fix audit logs not sorting chronologically.
Full Changelog: v1.18.0...v1.19.0
v1.12.1
Fixes an issue where the RDS database version constraint included a minor version. This could cause deployments to fail because auto-minor-version upgrades are enabled for the database.
Full Changelog: v1.12.0...v1.12.1
v1.18.0
Updates the bundled Common Fate application release to be v2.1.1:
- Adds an additional check to ensure that user emails are included in the SAML assertion when SAML SSO is used. This fixes an issue where users appear with an empty email address if SAML SSO is misconfigured.
- Add additional validation to the authorization service to prevent resources with empty Entity IDs (EIDs) being written to the database.
- Fixes an issue where resource names were not propagated into Slack Access Request messages.
Full Changelog: v1.17.1...v1.18.0
v1.17.0
Minor Changes
- ca94e45: Adds support for Okta integration configuration
- 778160b: Updates the bundled Common Fate application release to be v2.1.0:
  - Adds support for Okta integration, adding user and group syncing and an Okta group provisioner
  - Update the provisioner configuration check to warn instead of panic when no provisioner types are configured
  - New users will now have their identity linked with any IdP integration upon logging in
  - Fix cleanup routine to remove closed requests that never started
  - Add expires timing to grants on request detail page
  - Prevent an internal server error when creating availability specs before resource syncing has run
Patch Changes
- ec5bb85: Expose variables single_nat_gateway and one_nat_gateway_per_az on the vpc module to enable deploying with a single nat gateway instance.