Releases: cloudposse/terraform-aws-eks-iam-role
v2.2.0
🚀 Enhancements
add managed_policy_arns to eks iam role @finchr (#58)
what
Add support for adding managed policies to the eks iam role.
why
The module currently only allows a single policy json and we have multiple iam polices that we need to attach to the role.
references
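Worked example of the new input, added here for illustration and not taken from the module or its README: an inline policy document plus a customer-managed policy attached through managed_policy_arns. The registry source and every input name other than managed_policy_arns (eks_cluster_identity_oidc_issuer, service_account_namespace, service_account_name, aws_iam_policy_document) are assumed from the module's documented inputs and may differ between versions; the hosted-zone variable, the policy and the service account are made up for the example.

```hcl
# Added example, not the module's own code. Input names other than
# managed_policy_arns are assumptions about the module's interface.

variable "eks_cluster_identity_oidc_issuer" {
  type        = string
  description = "OIDC issuer URL of the EKS cluster (assumed input name)."
}

variable "hosted_zone_arn" {
  type        = string
  description = "Route53 hosted zone the service account may edit (made up for the example)."
}

# Inline, least-privilege statement that only this service account needs.
data "aws_iam_policy_document" "external_dns" {
  statement {
    effect    = "Allow"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = [var.hosted_zone_arn]
  }

  statement {
    effect    = "Allow"
    actions   = ["route53:ListHostedZones", "route53:ListResourceRecordSets"]
    resources = ["*"]
  }
}

# A customer-managed policy shared by several roles; attached rather than inlined.
resource "aws_iam_policy" "dns_metrics" {
  name = "external-dns-metrics"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["cloudwatch:PutMetricData"]
      Resource = "*"
    }]
  })
}

module "external_dns_role" {
  source  = "cloudposse/eks-iam-role/aws"
  version = "2.2.0"

  eks_cluster_identity_oidc_issuer = var.eks_cluster_identity_oidc_issuer
  service_account_namespace        = "kube-system"
  service_account_name             = "external-dns"

  # The single inline document, passed as list(string) (0 or 1 items).
  aws_iam_policy_document = [data.aws_iam_policy_document.external_dns.json]

  # Attachments the module owns. Because they are created alongside the role,
  # they follow it if the role is ever recreated, which is the situation the
  # v1.0.0 note below warns about for policies attached outside the module.
  managed_policy_arns = [
    aws_iam_policy.dns_metrics.arn,
  ]
}
```

After `terraform apply`, `aws iam list-attached-role-policies --role-name <role>` should list the managed policy and `aws iam list-role-policies --role-name <role>` the inline one; keep the inline document for permissions unique to the service account and managed ARNs for policies that are shared across roles.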
🤖 Automatic Updates
Update release workflow to allow pull-requests: write @osterman (#56)
what
- Update workflow (.github/workflows/release.yaml) to have permission to comment on PRs
why
- So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#54)
what
- Update workflows (.github/workflows) to use shared workflows from the .github repo
why
- Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#52)
what
- Update workflows (.github/workflows) to add the issue: write permission needed by the ReviewDog tflint action
why
- The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#51)
what
- Update workflows (.github/workflows/settings.yaml)
why
- Support new readme generation workflow.
- Generate banners
Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/src @dependabot (#49)
Bumps golang.org/x/net from 0.17.0 to 0.23.0.
Commits
- c48da13 http2: fix TestServerContinuationFlood flakes
- 762b58d http2: fix tipos in comment
- ba87210 http2: close connections when receiving too many headers
- ebc8168 all: fix some typos
- 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
- 448c44f http2: remove clientTester
- c7877ac http2: convert the remaining clientTester tests to testClientConn
- d8870b0 http2: use synthetic time in TestIdleConnTimeout
- d73acff http2: only set up deadline when Server.IdleTimeout is positive
- 89f602b http2: validate client/outgoing trailers
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#48)
what
- Install latest GitHub Action Workflows
why
- Use shared workflows from cloudposse/.github repository
- Simplify management of workflows from centralized hub of configuration
Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/src @dependabot (#47)
Bumps golang.org/x/net from 0.7.0 to 0.17.0.
Commits
- b225e7c http2: limit maximum handler goroutines to MaxConcurrentStreams
- 88194ad go.mod: update golang.org/x dependencies
- 2b60a61 quic: fix several bugs in flow control accounting
- 73d82ef quic: handle DATA_BLOCKED frames
- 5d5a036 quic: handle streams moving from the data queue to the meta queue
- 350aad2 quic: correctly extend peer's flow control window after MAX_DATA
- 21814e7 quic: validate connection id transport parameters
- a600b35 quic: avoid redundant MAX_DATA updates
- ea63359 http2: check stream body is present on read timeout
- ddd8598 quic: version negotiation
- Additional commits viewable in compare view
v2.1.1
v2.1.0
- No changes
v2.0.0 IRSA trust policy now checks OIDC Audience
Require correct OIDC Audience value to assume role @Nuru (#33)
Breaking Changes
- If namespace and service account are supplied only in service_account_namespace_name_list then the IAM Role name will be derived from the first entry in the list, instead of ending with "all@all"
- If one of service_account_namespace or service_account_name is supplied and the other is not or is empty (""), the missing element will be replaced with a wildcard (*)
- Either or both of service_account_namespace or service_account_name can now be explicitly set to "*" or contain wildcards
- Removed service_account_list_qualifier (invalid/unnecessary)
what
- Created IAM Role's trust policy now includes a check for OIDC aud
- If the generated service account IAM Role Name would be too long, it is now truncated by null-label
- See "Breaking Changes" above
- Terraform minimum version bumped to 1.0.0
- AWS Provider minimum version bumped to 3.0
why
- Extra security, preventing OIDC assertions for one audience being used for another
- Fix rather than break due to too-long IAM Role names
- Role names must be unique, and using "all@all" would limit the cluster to a single multi-namespace role
- "ForAllValues" and "ForAnyValue" are for multi-valued keys. The OIDC keys have single values.
references
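The trust policy this change produces, written out as an added example (illustrative HCL, not the module's own code). Variable names mirror the module's inputs but are assumptions here; the data source, local and role names are made up. It also shows the wildcard substitution from the breaking-changes list and a plan-time validation of the issuer URL, the kind of check v0.11.1 added.

```hcl
# Added example, not the module's own code: an IRSA trust policy that pins
# both the OIDC subject (which Kubernetes service account) and the OIDC
# audience (which token consumer). Input names are assumptions.

variable "eks_cluster_identity_oidc_issuer" {
  type        = string
  description = "EKS cluster OIDC issuer URL, e.g. https://oidc.eks.us-east-2.amazonaws.com/id/<hex>"

  # can() turns the error raised by regex() on a null value into false, so a
  # null or non-URL issuer is rejected at plan time instead of yielding a role
  # whose condition keys nothing can satisfy.
  validation {
    condition     = can(regex("^https://", var.eks_cluster_identity_oidc_issuer))
    error_message = "eks_cluster_identity_oidc_issuer must be the cluster's https:// OIDC issuer URL."
  }
}

variable "service_account_namespace" {
  type    = string
  default = null
}

variable "service_account_name" {
  type    = string
  default = null
}

variable "role_name" {
  type    = string
  default = "irsa-example"
}

data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Condition keys and the provider ARN use the issuer without its scheme.
  oidc_issuer = replace(var.eks_cluster_identity_oidc_issuer, "https://", "")

  # coalesce() skips null and "" alike, so a missing namespace or name becomes
  # a wildcard, while an explicit "*" or a pattern passes through unchanged.
  namespace = coalesce(var.service_account_namespace, "*")
  name      = coalesce(var.service_account_name, "*")
  subject   = "system:serviceaccount:${local.namespace}:${local.name}"
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    sid     = "AllowServiceAccountAssume"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_issuer}"]
    }

    # WHICH pod: StringLike so a "*" namespace or name matches; with no
    # wildcard present it behaves like StringEquals. sub and aud are
    # single-valued keys, so no ForAllValues/ForAnyValue qualifier is used.
    condition {
      test     = "StringLike"
      variable = "${local.oidc_issuer}:sub"
      values   = [local.subject]
    }

    # WHICH consumer: the projected token must have been minted for STS.
    # Without this check, a token from the same issuer carrying a different
    # audience would also satisfy the trust policy.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "irsa" {
  name               = var.role_name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

output "assume_role_policy_json" {
  value = data.aws_iam_policy_document.assume_role.json
}
```

To confirm an existing role was created with the audience check, `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` should show both the `<issuer>:sub` and the `<issuer>:aud` conditions; a role that only has the `sub` condition predates this change.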
Sync github @max-lobur (#32)
Rebuild github dir from the template
v1.3.0
- No changes
v1.2.0
Feature: Namespace and Name List @Benbentwo (#31)
what
- supports a list of any or all value list
why
- Allows multiple various namespace and name patterns that couldn't be matched except with a singular *:*
v1.1.0
feat(aws-eks-iam-role): add permissions_boundary to eks-iam-role @topikachu (#29)
what
- add permissions_boundary to aws_iam_role
why
- Our org requires that all IAM roles have a permissions_boundary
references
git.io->cloudposse.tools update @dylanbannon (#28)
what and why
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
References
- DEV-143
v1.0.0 Disruptive change
This is the first release with production Semantic Versioning, part of Cloud Posse's general policy to convert to production versioning as we make updates to relatively mature modules.
It contains a disruptive change. See #27 for details, but the short story is that applying this update will likely cause Terraform to delete and re-create the EKS IAM role. This may cause a transient disruption in service, but it should be within the normal tolerance for delays in recovering from an expired session.
More significantly, if you have attached additional policies to the role created by this module, those policies will need to be re-attached to the re-created role. (We expect that very few people are actually doing this.)
Refactor enable logic to use counts instead of `for_each` @elventear (#27)
what
Use count instead of for_each to manage if a resource is enabled or disabled.
why
If any element of the service account name is not known at plan time, for_each would cause the plan to fail.
The main advantage of for_each over count is stability when an item in a list is added or removed or the order of elements in a list changes. With for_each, only the changed item is affected, while with count other items can be affected by being moved to a different position in the list. This advantage is not applicable to this module because there is always only one item.
note
This change will cause the IAM role to be deleted and recreated. If you have attached policies to the role outside of this module, you will need to reattach them.
v0.11.1
🚀 Enhancements
Add validation to oidc issuer url @nitrocode (#24)
what
- Add validation to oidc issuer url
why
- Make sure the value of the eks oidc issuer url is non null. This prevents creation of an unassumable eks iam role.
references
- https://github.com/cloudposse/terraform-aws-helm-release is affected if the iam role is enabled but the eks oidc url is left with the default null value
v0.11.0
Use `list(string)` for iam policy document @nitrocode (#23)
what
- Use list(string) for iam policy document
why
This module runs into the dreaded for_each error:
│ The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform
│ cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the for_each depends on.
The way it is triggered is if the var.aws_iam_policy_document supplied contains a JSON document that requires another submodule to be applied.
This was seen in a teleport cluster component which provisioned:
1. teleport-backend submodule which returns DynamoDB and S3 resource arns
2. Raw policy document json is constructed with the DynamoDB and S3 resource arns
3. helm-release module takes input of the policy document
4. iam-policy module takes statements from the policy document
5. eks-iam-role module takes input from iam-module and throws an error because (1) isn't applied
This fix was tested locally using a forked module of terraform-aws-helm-release which uses this feature branch
references
- https://github.com/cloudposse/terraform-aws-iam-policy
- https://github.com/cloudposse/terraform-aws-helm-release
- The list(string) method is used in the new version of the Security Group module to avoid this same situation
commands
# Use current tests where the iam policy doc is a string
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.string.plan 2>&1
# Modify test inputs where the iam policy doc is a list(string)
terraform plan -var-file=fixtures.us-east-2.tfvars > stdout.list.plan 2>&1
# no diff between
diff stdout.string.plan stdout.list.plan
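An added example, not the module's code, that puts the two plan-time patterns from this changelog side by side: count for enable/disable (#27, v1.0.0 above) and list(string) for the policy input (#23, this release). Resource, local and variable names other than aws_iam_policy_document are illustrative.

```hcl
# Added example, not the module's own code. Names are illustrative.

variable "enabled" {
  type    = bool
  default = true
}

variable "service_account_name" {
  type = string
}

variable "assume_role_policy" {
  type        = string
  description = "Trust policy JSON (for IRSA, the OIDC sub/aud document)."
}

# list(string): Terraform only needs the LENGTH of this list at plan time, and
# that is fixed by how the caller writes it, e.g. [module.x.json]. The element
# values may remain unknown until apply without breaking the plan.
variable "aws_iam_policy_document" {
  type    = list(string)
  default = []
}

locals {
  enabled = var.enabled
}

# Enable/disable with count (#27). The for_each form,
#   for_each = local.enabled ? { (var.service_account_name) = true } : {}
# derives the instance key from the service account name and fails at plan
# time whenever that name is not yet known. count needs only a boolean.
resource "aws_iam_role" "default" {
  count              = local.enabled ? 1 : 0
  name               = "irsa-${var.service_account_name}"
  assume_role_policy = var.assume_role_policy
}

# Inline policies indexed by position (#23). The for_each form,
#   for_each = toset(var.aws_iam_policy_document)
# keys instances by the document text and, when that text contains ARNs from
# a module that has not been applied yet, raises the error quoted above.
resource "aws_iam_role_policy" "default" {
  count  = local.enabled ? length(var.aws_iam_policy_document) : 0
  name   = "inline-${count.index}"
  role   = aws_iam_role.default[0].id
  policy = var.aws_iam_policy_document[count.index]
}
```

Switching a resource from for_each to count changes its state address (for example from `aws_iam_role.default["x"]` to `aws_iam_role.default[0]`), which is why the v1.0.0 note warns that the role is destroyed and recreated on upgrade and that policies attached outside the module must be reattached. To reproduce the plan-time check, run `terraform plan` with `aws_iam_policy_document = [module.not_yet_applied.json]` before that module exists in state: the count form plans, the for_each form reports the error above.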