Releases: cloudposse/terraform-aws-components
v1.487.0
Add Scoped Rate Limits and Bot Control Machine Learning to WAF Component @RoseSecurity (#1103)
what
- Added
enable_machine_learning
parameter insideaws_managed_rules_bot_control_rule_set
configuration - Adds scope_down_statements with byte matching support
why
- AWS highly recommends safeguarding against HTTP request floods; they advise implementing two rate limiting rules for web traffic. The initial rule employs AWS WAF's rate-based rules to automatically block IP addresses of malicious actors if the number of requests in a 5-minute sliding window surpasses a predefined threshold. The second rule focuses on a more detailed approach, allowing for targeted blocking. This is achieved by using scope_down_statements to refine the criteria for blocking, enhancing the precision of the defense mechanism.
- Added
enable_machine_learning
argument to avoid idempotency problem if you use "COMMON" inspection level
example
testing
Utilized the following example Atmos component:
rate_based_statement_rules:
- name: "scoped-rate-limit"
action: "block"
priority: 10
statement:
limit: 1000
aggregate_key_type: "IP"
evaluation_window_sec: 300
scope_down_statement:
byte_match_statement:
field_to_match:
uri_path: true
positional_constraint: "STARTS_WITH"
search_string: "/test"
text_transformation:
- priority: 0
type: "NONE"
references
v1.486.0
feat: IAM Access Analyzer Component @RoseSecurity (#1066)
what
[!NOTE]
This component was developed by @aknysh
- Creates a new component for
access-analyzer
why
This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS
Organization. IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
references
v1.485.0
v1.484.0
Update `eks/external-dns` component to support Istio `istio-gateway` resources @aknysh (#1098)
what
- Update
eks/external-dns
component to support Istioistio-gateway
resources
why
- The
external-dns
Helm Chart supports thesources
variable (notsource
) to specify the resources types to be observed for new DNS entries by ExternalDNS
## @param sources [array] K8s resources type to be observed for new DNS entries by ExternalDNS
##
sources:
# - crd
- service
- ingress
The code used the source
variable instead of sources
. It was working for the service
and ingress
types because they are in the Chart values by default.
The istio-gateway
resource was never added, preventing external-dns
from managing Istio Gateways and creating DNS records for the Gateway's hosts.
references
v1.483.0
update `vpc-peering` with requester params @Benbentwo (#1097)
what
- New Variable:
requester_vpc_id
- allows passing in an ID for the requester vpc
requester_role_arn
- allows passing in a custom arn to use to hook up the requester vpc
why
the requester vpc shouldn't HAVE to be a vpc component.
v1.482.0
Upstream `eks/actions-runner-controller` with `var.auto_update_enabled` @milldr (#1095)
what
- Upstream improvements for
eks/actions-runner-controller
- Added
var.auto_update_enabled
why
- We can now choose whether or not to enable runner auto-updates. The default behavior is to auto-update, but we've encountered issues building on Geodesic where we choose to disable auto-update for the sake of debugging. Added to this chart to help future efforts
- It's no longer pointless to pin the version, and is rather a matter of preference.
references
- customer engagement
- actions/actions-runner-controller#2056
- https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner
- https://github.com/actions-runner-controller/actions-runner-controller/pkgs/container/actions-runner-controller%2Factions-runner-dind
v1.481.0
v1.480.0
Add Variable for dynamic dns component lookup @Benbentwo (#1094)
what
- Adds input for dynamic component lookup for
external-dns
why
- External DNS needs a policy that contains each hosted zone. we lookup only
dns-primary
anddns-delegated
currently. This changes it so we can support a list of objects to enhance that lookup.
e.g.
dns_components:
- component: dns-primary
- component: dns-delegated
- component: dns-delegated/abc
- component: dns-delegated/123
v1.479.0
chore: update argocd-repo to use 6.0+ github provider @dudymas (#1031)
what
- chore(argocd-repo/branch-protection): updated for latest provider
- chore(argocd-repo/versions): ensure github is 6.0+
why
- The branch protection attributes have changed. You must use
restrict_pushes
now
references
Replace Admonition Style @milldr (#1092)
what
- Replace all Docusarus style admonitions with GitHub style admonitions
why
- We now can provide the GH style here and have the docs site convert the format into Docusarus style
references
- DEV-2453
- Required by cloudposse/docs#642
v1.478.0
feat(spacelift): support for local files for policies @oycyc (#1091)
what
- Upgrade the Spacelift policies module to version 1.7.0 following the PR cloudposse/terraform-spacelift-cloud-infrastructure-automation#183
- Add support for allowing using file path as the source of a Spacelift policy in addition to the current inline body and URLs
references
PR from the Spacelift module cloudposse/terraform-spacelift-cloud-infrastructure-automation#183