Changelog

Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.

Bug fixes

  • Server
    • Added support for OpenTofu 1.x (open-source Terraform) integration via Guardrail.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Added support for OpenTofu v1.8.3 (open source Terraform) container to run Stack [Native] controls.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Updated the filter logic on the Reports page for more accurate results.
    • Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Resolved an issue where reports pages could crash if certain information was null.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Resolved an issue where actor information was not being passed correctly during the process execution, ensuring accurate tracking and processing of actor-related data.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Introduced Activity Retention feature for Smart Retention control to enhance version and data management.
  • UI

    • Support for downloading AWS CloudFormation templates directly from the AWS import page.

Bug fixes

  • Server

    • Resolved controls getting stuck when Notify or Ignore keywords were missing in the notification rules.
  • UI

    • The + button for adding permissions now correctly applies the appropriate attributes.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Removed recursive loop detection logic, as this is now managed effectively by Lambda.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64.
    • Added a default resource query to the context of calculated policies.
    • Updated several node packages to newer versions for improved functionality and security.
    • Updated Lambda to support recursive loops.
  • UI

    • Now you can use the + sign to grant permissions in the context of both the identity and resource.
    • Updated several node packages to newer versions for improved functionality and security.

Bug fixes

  • Server

    • Azure Credential Resolver now respects proxy settings, adding full proxy support.
  • UI

    • Updated policy pack Terraform to correctly reference turbot_policy_pack.
    • Adjusted the Admin page layout for improved usability.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server

    • Resolved an issue where policy values were not being terminated due to a race condition.
    • The ServiceNow credentials resolver will now display a clear message when the instance is in a hibernating or unavailable state.
  • UI

    • Fixed an issue where filters on the Resource Explorer page were not functioning correctly.
    • The Import button on the Connect page has been updated to Connect.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Made notifications faster by improving the query, which enhances the performance of the resource activity tab.
  • UI

    • Fixed a bug where policy pack creation would fail if the AKA was not provided from the user interface.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server
    • Migrated from Node.js 18 to Node.js 20 for improved performance and security.
    • Updated the Mod Lambda architecture to ARM64 for better efficiency.
    • Added support for Node.js 20 in the Lambda runtime.

Bug fixes

  • Server
    • Resolved an issue where the next tick timestamp was not being set for large commands.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Resolved an issue deleting Policy Packs from the UI with the latest Turbot Mod (5.45.0) and TE 5.45.0.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Improved memory optimization for Redis.
    • Updated all AWS Lambda functions in the TE environment to use ARM64 architecture for improved performance and cost efficiency.
    • Allow notification rules to accept Nunjucks for the email address.
    • Updated several node packages to newer versions for improved functionality and security.
  • UI

    • Smart Folders are now called Policy Packs.
    • Now you can add AKA while creating Policy Packs from UI.

Bug fixes

  • Server

    • Fixed an issue where controls remained in TBD state for accounts imported without an External ID.
  • UI

    • Removed the unsupported feature for rearranging Policy Packs from the UI.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Resolved an issue that caused control targeting to accounts to fail when AWS Gov accounts were imported in a commercial environment.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • The OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server
    • The creation of the EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.

Bug fixes

  • Server
    • Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Made notifications faster by improving the query, which enhances the performance of the activity tab.
  • UI

    • The Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.

Bug fixes

  • Server
    • Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Added support for newer auth mechanism to fetch temporary Azure credentials via the @azure/msal-node package.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges.
    • Enhanced osquery/logger API to support payloads up to 10MB.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Added a new GraphQL resolver for osquery to generate an enrollSecret.
    • Added new REST APIs for osquery management, which includes:
      • api/latest/osquery/enroll
      • api/latest/osquery/config
      • api/latest/osquery/logger
    • Introduced a dedicated worker, along with SQS FIFO queue and SNS topic FIFO, to run osquery operations.
    • Implemented a new serviceNowCredential resolver specifically for Kubernetes clusters.
    • Upgraded our SDK (@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
  • UI

    • Added support for connecting to Kubernetes, facilitating easier integration and management.
    • Added report for AWS CIS v2.0.
    • Added report for AWS CIS v3.0.
    • Added report for Azure CIS v2.0.
    • Added report for GCP CIS v2.0.

Requirements

  • TEF: 1.58.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server
    • Implemented monitoring for worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
    • Established a CloudWatch Alarm for the _worker_factory queue.
    • Added Product and Vendor tags to the IAM Role resources created by the TE stack.
    • Adjusted the threshold for the CloudWatch Alarm monitoring the _worker queue.

Bug fixes

  • Server

    • Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions.
    • Control will move to error if it fails to determine the state at precheck.
    • System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
    • Refined management of various processes to improve stability and reduce backlog issues.
  • UI

    • Converted the template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Account import will be smoother and more consistent than before.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Fixed the AWS login dropdown button to accurately display both existing and new grants.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server

    • Updated the tier for the SSM parameter /tenant/${workspaceFullId} to Advanced.
    • Delete operations for resources are now faster and more efficient than before.
    • Auto mod update control for mods will now look only for recommended versions instead of available and recommended.
    • Fixed policy value resolution to default to the value of resolvedSchema if not available in the schema.
  • UI

    • Fixed a table typo in the Steampipe query used in the resources developer tab.
    • Display the AWS login button when setting permissions via the AWS > Turbot > IAM > Managed control.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server

    • Added: Support for AWS Custom Group Levels.
    • Updated: The DLQ lambda timeout has been updated to 2 minutes instead of 1 minute.
    • Updated: The Events DLQ visibility timeout has been increased from 15 minutes to 4 hours.
    • Updated: The Events DLQ MessageRetentionPeriod has been decreased from 14 days to 7 days.
  • UI

    • Added: Action button to run immediate policy value.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Added the Deny:* policy for HTTP traffic back to the turbot-policy-parameter custom lambda code.
    • Event DLQ should not set the control or policy value to error if there has been a new process started for the control or policy value.
    • Run next should drop the events in case of a recursive loop.
    • Add additional retryable throttling codes for actions.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server
    • You can now update API size limit via the MAX_PAYLOAD_SIZE parameter.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Updated: Enhanced IAM policy for tighter access around custom Lambda.
    • Fixed: Turbot > Workspace > Health Control should not break if there is no input.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • The scheduled actions would sometimes fail to work for the firehose-aws-sns mod due to an inadvertent bug introduced in TE v5.42.10. This is now fixed.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server
    • Updated: Enhanced IAM policy for tighter access around Mod Lambda SNS topic.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Server

    • Updated: The directory API to support Require Signed Assertion Response.
  • UI:

    • Added: Introduced UI options for Require Signed Assertion Response for enhanced security in SAML authentication.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Enhanced Security and Compatibility Guide for SAML Authentication

Description: The recent update to @node-saml/passport-saml mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:

  • Require Signed Assertion Response

By default, this option is set to Disabled to maintain compatibility with existing setups.

Recommendations: We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.

Bug fixes

  • Server
    • Guardrails will now process notifications correctly for a matching watch created via @turbot/sdk.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Updated TE stack to enable propagation of custom tags to ECS tasks.
    • Updated @turbot/aws-sdk to 5.13.0, @turbot/fn to 5.21.0 and aws-sdk to 2.922.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • ServiceNow Instance Client Secret and Password were processed incorrectly while fetching credentials for the Instance.

Bug fixes

  • Server
    • Create mutation for ServiceNow instance failed if no instances were available in a Guardrails workspace.

What's new?

  • Server

    • Added: Support for creating and deleting watches using @turbot/sdk.
    • Updated: @turbot/fn, @turbot/aws-sdk, aws-sdk, @turbot/utils, @turbot/errors, @turbot/log, @turbot/responses packages.
    • Added: Support for ServiceNow credentials.
  • UI:

    • Added: Support to import ServiceNow Instance in Guardrails.

What's new?

  • Server

    • Updated: The package passport-saml to @node-saml/passport-saml: 4.0.4
    • Updated: The directory API to support Require Signed Authentication Response and Strict Audience Validation.
  • UI:

    • Added: Introduced UI options for Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.

Enhanced Security and Compatibility Guide for SAML Authentication

Description

The recent package change for @node-saml/passport-saml has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:

  1. Require Signed Authentication Response
  2. Strict Audience Validation

For backward compatibility, both of these options are set to Disabled by default.

Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.

Recommendations

We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them.

Here are specific recommendations for popular Identity Providers (IDPs):

Okta

  • Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience Restriction."

OneLogin

  • Require Signed Authentication Response: This feature should be disabled in OneLogin, as OneLogin does not support it.
  • Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience".

Azure Entra ID (Previously Known as Azure AD)

  • Require Signed Authentication Response: If enabled, make sure you choose the Signing option to be "SIGN SAML response and assertion". The Signing option is available on the Signing Certificate page of Entra ID.

Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.

What's new?

  • Server:
    • Updated: Downgrade passport-saml Node package to 1.3.5.

What's new?

  • Server:

    • Updated: RDS CA Certificate to use the latest bundled certificate.
    • Updated: The package passport-saml to @node-saml/passport-saml: 4.0.4
    • Updated: Steampipe query in developer section now points to the correct table.
  • UI:

    • Added: Option to view Changelogs in the Help dropdown menu.

Bug fixes

  • Server:
    • Fixed: Stack control failed to run when a large number of resources were being managed by a stack control.

What's new?

  • Server:
    • Updated: Now supports creating multiple AKAs starting with arn, azure, and gcp via APIs.
    • Updated: Add mod version check for workspace upgrade.

Bug fixes

  • Server:
    • Fixed: Ensure successful workspace creation on fresh PostgreSQL 15 installations.
    • Fixed: The stack should claim the Security Group (SG) or Security Group Rule (SGR) if the resource already exists.
    • Removed: vm2 node package.

What's new?

  • Server:
    • CloudWatch dashboard query for View AWS External Messages by AWS Account ID and Events to exclude restriction on AWS.
    • Allow sending notifications for same state change.
    • Replaced vm2 with eval for inline and trustedInline execution of policies, controls, and actions.

What's new?

  • Server:
    • Added: worker, sqs queue, sns topic for factory.
    • Updated: Allow upload of mod based on the value of TURBOT_CUSTOM_MOD_UPLOAD.
    • Added: Environment variable for custom mod upload.
    • Removed: Support for ALB WAF.

Bug fixes

  • Server:
    • Stack will not fail to delete and recreate resources.

Requirements

  • TEF: 1.51.0

What's new?

  • UI
    • Added: Inactive Users report.

Bug fixes

  • Server:
    • The actor information for attach and detach smart folder.
    • Disable notification feature if Redis is not being used.

What's new?

  • Server:

    • Added: Support for control/action update notifications.
    • Added: Support for interface in control types.
    • Added: Turbot Installation Type environment variable.
    • Added: SES SendEmail permission to Worker Lambda Role.
    • Added: Notification index to improve performance of notifications.
    • Updated: Improve policy value create/update with a more efficient database design.
    • Updated: Description of TE stack from Turbot Enterprise to Turbot Guardrails Enterprise.
    • Updated: @slack/web-api to 6.8.1. @wry/equality to 0.5.6. anymatch to 3.1.3. archiver to 5.3.1. body-parser to 1.20.2. chai to 4.3.7. chokidar to 3.5.3. classnames to 2.3.2. cli-progress to 3.12.0. copy-to-clipboard to 3.3.3. dataloader to 2.2.2. diff to 5.1.0. express to 4.18.2. generate-password to 1.7.0. graphql-2-json-schema to 0.10.0. http-status-codes to 2.2.0. lodash-match-pattern to 2.3.1. micromatch to 4.0.5. mockserver-client to 5.15.0. moment-timezone to 0.5.43. nconf to 0.12.0. nodemailer to 6.9.2. nunjucks to 3.2.4. passport to 0.6.0. pg to 8.10.0. performant-array-to-tree to 1.11.0. prismjs to 1.29.0. prompt to 1.3.0. prompts to 2.4.2. recursive-readdir to 2.2.3. redux to 4.2.1. resolve to 1.22.2. semver to 7.5.1. simple-git to 3.18.0. unzipper to 0.10.14. uri-js to 4.4.1. vm2 to 3.9.19 and other dev dependencies. Removed aws-appsync and aws-xray-sdk. ioredis to 5.3.1.
  • UI

    • Updated: New login logo and home page logo.
    • Updated: Turbot directory should be created in guardrails.turbot.com.
    • Updated: Turbot directory SSO login should be redirected to their respective guardrails domain.

Note

IAM change in this release:

  • Updated worker lambda to include SES SendEmail permissions.

What's new?

  • Fixed: Resource details are now correctly included when doing a CSV download of the Resources Deleted by Turbot report.

Requires

Container Info

What's new?

  • Added: Tagging details now included in CSV download for GCP Compute Engine VM Instances, Azure Compute Virtual Machines, Azure Compute Disks and EBS Volumes report.
  • Added: New filters for Turbot Files and Smart Folders in the resource browser.
  • Updated: Editing a Turbot File via the UI no longer requires the resource AKA to be specified.
  • Fixed: Resource deletion will no longer trigger an increase in the count of active controls.

Requires

  • TEF v1.49.0

Container Info

What's new?

  • Added: Quick actions are now available for users that only have permission at the account level.
  • Fixed: The resource import page will now function correctly if the AWS mod is not installed.
  • Fixed: Resource deletion will no longer trigger an increase in the count of active controls.

Requires

  • TEF v1.49.0

Container Info

What's new?

  • Added: Ability to specify AKA when creating Turbot File.
  • Updated: Turbot explorer search will show results for Smart Folders and Turbot Files.
  • Fixed: Terraform stack control should not end in error if the data size for command is too large.
  • Fixed: Turbot actions will now be visible for users with grants at the cloud account level.

Enterprise

  • Updated: Added debug statements for createGrant mutations.

Requires

  • TEF v1.49.0

Container Info

Enterprise

  • Changed: Removed long debug statements from stack controls to improve performance of large stacks.
  • Added: Additional logging information emitted while preparing stack container.

Requires

  • TEF v1.49.0

Container Info

What's new?

  • Fixed: Smart retention controls are now a bit smarter.

Enterprise

  • Updated: Resource policy of Events SQS queues now requires encryption in transit.
  • Updated: Resource policy of Events SNS topics now requires encryption in transit.

Requires

  • TEF v1.49.0

Container Info

  • Ubuntu 22.04, jammy-20230425
  • Alpine: 3.18.0

What's new?

  • Added: debug statement for Smart Retention control.

Requires

  • TEF v1.49.0

Server

What's new?

  • Added support for version v5.10.0 of the Turbot IAM mod.
  • Fixed: Adding grants to group profile now works as expected.

Requires

  • TEF v1.49.0

What's new?

  • Updated: Accounts Summary Report now includes resource AKA(s) in the CSV output.
  • Updated: The Turbot auth token cookie SameSite configuration to strict.
  • Updated: The policy setting page to now render HTML content as string.

Enterprise

  • Added: Parameter for TLS Policy for ALB HTTPS Listener.
  • Added: Rate limits to the login directories APIs.

Requires

  • TEF v1.49.0

What's new?

  • Added: AWS Lambda Functions report.
  • Updated: Turbot will now use AWS Terraform provider version 3.75.0 when Turbot > Stack Terraform Version [Default] is set to 0.15.*

Bug fixes

  • Fixed: Timestamp display in the console now updates correctly for recently deleted mods.
  • Fixed: When an Action fails due to cloud provider throttling, Turbot will now reschedule the control that triggered the action; those actions should now be more consistently applied under heavy loads.

Note

AWS IAM permissions change in this release:

  • Updated: Worker Lambda to include ElastiCache permissions to support the Turbot > Cache > Health Check control.
  • Updated: Hive Manager no longer manages the authentication configuration for ElastiCache. This responsibility has shifted to Turbot Guardrails Enterprise Database.

Bug fixes

  • Fixed: Improved handling of HTTP "Too Many Requests" (429) errors.

Enterprise

  • Updated: TE Management Lambdas, and ECS Containers will be deployed with the NodeJS 16.x runtime. This change is independent of Mod Lambda runtime versions.
  • Added: If specified in TEF, a custom security group may be assigned to the TE ALB.

Requires

  • TEF v1.47.0

Enterprise

  • Added: Parameter for Lambda trigger concurrency.

Requires TEF: v1.46.0 TED: v1.9.1

Bug fixes

  • Fixed: Issue that could prevent indexes from being recreated after being dropped.
  • Fixed: Issue with safeGet() function that could prevent reports from rendering in the UI.
  • Fixed: Ansible task and service now created correctly for Ansible version 2.10.7.

Enterprise

  • Added: Support for trigger concurrency in worker and events Lambda functions.

Requires TEF: v1.45.0 TED: v1.9.1

What's new?

  • Fixed: Activity page should display alternatePersona in the actor field if available.

Bug fixes

  • Fixed: AWS EC2 Instance report now runs more reliably.
  • Updated: Improved the performance of the Activity page.

Enterprise

  • Added: Encryption in transit policy for SNS topics and SQS queues in the Turbot Master account.
  • Updated: Removed the deleted control historical records from control_usage table.
  • Updated: vm2 package to 3.9.11 in the ECS containers.

What's new?

  • Added: Support to import Azure China Cloud subscriptions.
  • Added: Support for Azure China Cloud endpoints.

Bug fixes

  • Updated: Increased reliability of policy value application when attaching a smartfolder.

Enterprise

  • Updated: Removed Xray configuration from Postgres pool, as it was not being used.
  • Updated: vm2 in main package.json updated to 3.9.11.
  • Updated: Maintenance container base image to node:14-alpine3.17.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Updated: Query for resource notifications to improve performance when using the Activity sub-tab on the resource page.
  • Updated: Improved logic used to determine when to run maintenance control for stale policy values.
  • Updated: Mod install controls will now use the standard worker queue instead of worker_priority queue to allow other actions to take priority during mod installs.

Enterprise

  • Updated: Ubuntu vm2 package to version 3.9.11 to resolve CVE-2022-36067.
  • Updated: Message retention period of events priority queue changed to 96 hours.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Added: Btree aka index for akas_history and akas table. The Activity Tab should show improved performance.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Fixed: Downloading the csv for EC2 > Instance > Report should not fail.

Enterprise

  • Added: Ability to run async/callback in control's inline.
  • Added: Ability to move control to priority queue.
  • Updated: Mute noisy log if unable to get process log data from S3.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Updated: Local Profiles and Group Profiles filter now use free text search instead of akas matches.
  • Updated: Installing a mod using the CLI now runs faster, reducing the likelihood of a timeout.
  • Fixed: Quick actions menu will no longer show actions from child resources.

Enterprise

  • Added: Support for workspace URL in Turbot > Workspace > Workspace URL policy.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Fixed: Resolved issue where EC2 instance report would fail to run.
  • Fixed: Permissions summary report now works for users without permissions at the root level.

Enterprise

  • Added: Allow an alternative process log bucket to be provided to read from an older bucket.
  • Updated: Ansible container base image to Ubuntu 22.10 (Kinetic Kudu)
  • Updated: Ansible version to 2.10.7
  • Updated: Docker base images of API and Factory to ubuntu 22.

Requires TEF: v1.42.1 TED: v1.9.1

Bug fixes

  • Fixed: Apollo UI behaves properly when setting backoff interval of an action.
  • Fixed: Actor display information will now fall back to unidentified if persona and identity are not available.
  • Updated: UI will now use the actor information of the process (if supplied) for Policy Setting CRUD operations.
  • Updated: Action runs now carry the identity of their launcher. This changes the way notifications are presented. Previously, notifications from an action showed as Unidentified; now they will carry the identity of the launcher. Most of the time this will be the Turbot identity, unless the action is launched by a user from the Turbot UI.

Enterprise

  • Updated: Linux Environment control to support version 3 of SELinux Python bindings

Enterprise

  • Updated: Improved Ansible container error handling

UI

  • Added: Mutation resolver for quick action and steampipe query in the developer tab.
  • Added: Support to execute quick action via URL.

Enterprise

  • Fixed: Control type should only trigger the control if there is a change in graphql/inline/function.

What's new?

  • New Feature: Quick Actions
  • Updated: graphiql to 1.4.5

Quick Actions

Quick Actions is a new feature that allows Turbot users to initiate specific (one time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More details in the documentation. Quick actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods:

  • cloudtrail
  • ec2
  • kms
  • lambda
  • rds
  • s3
  • sns
  • sqs
  • vpc

Disabling the Quick Actions feature

  • Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occurring.

  • The Quick Actions feature is disabled by default, but can easily be enabled via the Turbot > Quick Actions > Enabled policy. If you would like to prevent lower level Turbot administrators from enabling Quick Actions for their cloud service accounts, then make sure you set Turbot > Quick Actions > Enabled to Disabled at the Turbot level using the Required option.

  • The policy Turbot > Quick Actions > Permission Levels offers fine-grained control over which Turbot permission levels are required to execute specific quick actions. These permission limits can be set globally and specific exceptions can be managed down to the individual cloud service account level.

Enterprise

  • Split package dependencies between Server and UI so they can use independent versions of GraphQL.