Changelog

What's new?

• Added: support for TLS 1.2 for API Gateway

What's new?

• Added: SSM parameter for Process Log Fallback Bucket.

What's new?

• Added: new IAM permissions for Mod Lambda to publish messages to the Priority Events queue.
• Added: parameter for Worker Priority and Events Tick Lambda Reserved Concurrency.
• Added: EC2 ECS host recycling using parameter.

Bug fixes

• Fixed: ECS Rolling update.
• Fixed: Condition of Foundation Key to prevent its creation if TEFKmsKey parameter value is specified.

There are IAM changes in this release:

• New IAM permissions for Mod Lambda to publish messages to the Priority Events queue.
• New IAM roles for ECS Rolling Update.

What's new?

• Added: Parameter to limit the URL where the API Gateway Lambda can forward to. This should be a regular expression of valid workspace URLs.
• Updated: TEF KMS Key parameter name changed to TEF KMS Key Arn.
• Updated: Enforce HTTPS access for S3 buckets created by TEF.

What's new?

• Added: Parameter for Alb WAF option. (Default is disabled)
• Added: Parameter for Mods Cleanup.

What's new?

• Added: Parameters for Api and Events Container Scaling metrics, and threshold values for CPU Utilization.
• Added: Parameter to allow import of Foundation KMS Key.
• Updated: Set DeletionPolicy of FoundationKey to Retain.

What's new?

• Added: Parameters for ECS Factory Task hard limit and soft limit on memory.

Warning

• There are IAM changes in this release.

What's new?

• Updated: Condition for HiveManagerExecutionRole.
• Updated: TurbotParameters and TurbotSnsSqsPolicyParameterLambda to include variables for Proxy setting.
• Removed: MskManagerExecutionRole role from custom iam role template.

What's new?

• Added: VPC Endpoint for s3 to reduce NAT Gateway cost.
• Updated: API and Events container scaling by replacing hardcoded values with parameters.
• Updated: Outbound, Api and Database security groups so that they are created for Predefined VPC if custom security groups are not mentioned.
• Updated: default value of LogRetentionDays parameter changed to 180.

Warning

• There are IAM changes in this release for the turbot_policy_parameter.

Bug fixes

• TE Build ID was misconfigured causing TEF to build unsuccessfully, this has now been corrected and TEF builds as expected.

Warning

• There are IAM changes in this release for the turbot_policy_parameter.

What's new?

• Turbot Security Group is added and includes rules for Ansible and LDAP. The security group is intended for additional rules to be added under feature flags. Note: the existing LDAP and Ansible security groups will remain for older TE versions.
• Dashboard for ECS Cluster metrics is now added.
• Autoscaling parameters were added for the Events Service.
• ElastiCache Security Groups and Subnet Groups are now added to the overrides template.
• TEF Workspace Manager now prevents users from changing the workspace name.
• OSGuardrail parameter location from Advanced - OS Guardrails to Advanced - Deployment Group.
• turbot_parameters and turbot_policy_parameter lambda functions now include VPC config.
• turbot_policy_parameter IAM Role now includes EC2 network interfaces policy.
• Improved input validation to not allow blank values.

What's new?

• S3 bucket lifecycle rule added to the mods processing log bucket.
• Optional AWS Security Group added to be used for connecting to LDAP server.
• S3 inventory reports will no longer generate in the TEF Process Logs bucket.
• Updated process log bucket lifecycle configurations to remove /debug/ rules.
• Runtime has been updated to Node 14 for all Turbot Core deployed Lambda functions.

What's new?

• OSGuardrails feature flag, adding security groups and SSM parameters as required.
• HealthCheckProxyLambda runtime updated from 2.7 to 3.8.

Warning

• IAM permissions updated in v1.31.0.

Bug fixes

• Fix and republish a corrupt portfolio build artifact.

Warning

• IAM permissions updated in v1.31.0.

Bug fixes

• Hive Manager should convert underscore to hyphen when creating Redis group (from TE).

Warning

• IAM permissions updated in v1.31.0.

Bug fixes

• Hive Manager should convert underscore to hyphen when creating Redis user (from TE).

Warning

• IAM permissions updated.

What's new?

• ElastiCache Redis is now enabled by default.
• Parameters - Mod Lambda function limits.
• Parameters - Worker Lambda configuration, allowing reuse across TE versions.
• CloudWatch Alarms for SQS ApproximateAgeOfOldestMessage.

Bug fixes

• Fixed: Code of s3BucketArnLambda to fix s3 permission.

What's new?

• Hive Manager and Workspace Manager runtime updated to node 12.

Bug fixes

• Install Hive Manager in all regions, not just the Alpha region.

Warning

• IAM permissions updated.

What's new?

• New turbot_transient KMS key specifically used for encryption of transient data (e.g. SNS, SQS).
• Tightened IAM access policies to Turbot's own S3 buckets.
• Hive Manager is now permitted IAM access to manage ElastiCache.
• Added ListBucket permission to WorkspaceManager role so head object calls will return 404 instead of 403.

Bug fixes

• Event Proxy Lambda must be installed in the subnet where Load Balancers are installed (by TE).

Warning

• IAM permissions updated.

What's new?

• Further refined our IAM permissions for S3 bucket access, with a focus on removing more wildcards. It was already good, but now it's better.

Bug fixes

• Made the ElastiCache network infrastructure optional through Development Mode. It was harmless, but not necessary unless ElastiCache is enabled in TED.
• Moved policy parameter role into the IAM stacks, where it belongs.

What's new?

• Reclaimed the ECSDesiredInstanceCount parameter, which now defaults to using ECSMinInstanceCount instead. This frees up a precious parameter slot for other options.
• Added the DevelopmentMode parameter for internal use, which groups options like using the latest container image (instead of cached).
• For environments with ElastiCache enabled in TED, cache subnet group and security groups have been added.

Bug fixes

• Error handling in workspace pre-install checker.

Bug fixes

• Error handling in workspace pre-install checker.

Bug fixes

• ECS Agent should attempt to use the locally cached image, which dramatically reduces disk IO and download bandwidth.
• Upgrade via CloudFormation had a race condition in our custom resource Lambda functions that could be triggered when doing a large number of upgrades or rollbacks in parallel.

Bug fixes

• When a custom outbound access security group is specified in the TEF template do not create the {prefix}_outbound_internet_security_group or the {prefix}_{version}_outbound_internet_security_group.

What's new?

• Ability to restrict SNS topic and SQS queue access based on Organization Id.

Warning

• IAM permissions updated.

Bug fixes

• The (optional) API Gateway to proxy external events to the internal Turbot load balancer was returning error codes (5xx) all queries even though it worked successfully. This could lead to retries of the message (which were not processed due to our duplicate detection). Errors in both the event handler and the health check have been cleared.

What's new?

• Updated Workspace Manager permissions for SSM policy lookups and reading S3 data for access to the TE workspace manager Lambda results.

Bug fixes

• As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed.

What's new?

• The default browser facing security group (used by the load balancer) is now open on port 80, so HTTP traffic can be automatically redirected to HTTPS at the load balancer level.
• Expanded EC2 instance type options, and changed the default to t3.medium.
• Changed the default maximum limit for ECS hosts from 64 to a more sensible, but still generous, 8.
• Further restricted permissions to EC2 hosts, limiting the accessible resources as much as possible.

What's new?

• Introducing a new parameter model in TEF, allowing parameter "overrides" to be optionally set in SSM. Turbot creates default parameters, but will automatically detect any overrides you create during the stack run. This allows us to expand beyond the 60 parameter limit of CloudFormation.
• Each Turbot version installs minimal IAM policies and roles specific to its requirements. Some customers prefer more control over IAM management, so we now support BYO-IAM with parameters for all IAM entities required in the Turbot primary account.
• Added parameters to optionally set the ALB Log Prefix and ALB Idle Timeout.
• TEF will now perform a rolling update of the EC2 hosts if required due to launch configuration changes, ensuring no downtime during upgrades.
• Allow preinstall check Lambda function to use VPC from non-VPC setting.

What's new?

• Added 169.254.170.2 to the default NO_PROXY parameter. This is required for stack containers to execute in some proxy environments.

Bug fixes

• Network Interface permissions added in v1.19.0 are low risk, but have been tightened further to only be granted in environments running Lambda inside the VPC.

What's new?

• TED and TE are being enhanced to automatically check that their required versions of TEF and TED are installed. The Lambda function they use for that check (custom resource during the CloudFormation stack run) is deployed in TEF, and added in this release.
• Turbot Guardrails Enterprise uses a lot of Lambda functions to execute mod code. For organizations who prefer more visibility into network traffic, we're adding support to run these functions inside the VPC. This version of TEF expands the IAM permissions granted to Lambda functions with the minimum required to attach Network Interface cards.

What's new?

• Flags parameter now has validation rules and defaults to NONE (CloudFormation does not like empty string defaults for SSM parameters).

What's new?

• Flags parameter will allow features to be enabled or disabled at the installation level giving us more flexibility to innovate and gradually deploy features.

What's new?

• Moved to ECS optimized Amazon Linux 2 as our host OS for containers. (Previously we used ECS optimized Amazon Linux 1.)
• Expanded proxy server support, particularly through the ECS bootstrap sequence. We now support HTTP and HTTPS requests being routed to a http:// proxy for all traffic - no need for endpoints or similar in any case. (We do not yet support custom certificates and https:// proxies.)
• TEF now publishes an SSM parameter with the currently installed version, which will be used in the future to check version compatibility during TED and TE upgrades.

What's new?

• Allow Self-Signed Certificate parameter, instructing Turbot to ignore certificate errors when connecting to external services - for example - enterprise environments with an outbound internet proxy.
• S3 bucket inventory has been enabled, setting us up for future batch operations on collections of log files.
• Updated lifecycle rules to clean deleted versions of debug logs and match changes to the prefix of log files.

What's new?

• Added a "connectivity test" lambda function, making it easier to verify that an environment has the necessary network setup. Run ${ResourceNamePrefix}_connectivity_checker manually to test.
• Improved descriptions for the Installation Domain and Turbot Certificate ARN parameters.

What's new?

• Turbot License Key has been added as a (currently optional) parameter.

What's new?

• Updates Hive Manager, which includes the ability to convert ownership of database schemas. This is part of a longer term effort to move database ownership to specific turbot roles, reducing our use of the master account.

Bug fixes

• EC2 instances used for ECS should have AssociatePublicIpAddress set to false. This is a defence improvement since our EC2 instances are run in a private VPC so were not publically accessible anyway.

What's new?

• Cleanup IAM roles to use _ consistently in names (instead of mixing _ and - together).

What's new?

• Some organizations need to use a self-signed certificate for their ALB. This would fail a certificate check when also using our API Gateway proxy. Use the Self Signed Certificate In ALB parameter to ignore these certificate errors.

Bug fixes

• The IAM role used for ECS EC2 instances is now named consistently with our other IAM roles.

Warning

• Existing TEF installations must install v1.9.0 before upgrading to v1.10.0. This sequence will automatically preserve and transition parameter settings for S3 bucket names as we move from fixed names to randomized names by default for new installations.

What's new?

• Log and process buckets now use a partly random name by default, making new installations smoother and easier to troubleshoot.

What's new?

• Optionally use a random name for log and process log buckets, making repeated install and uninstall easier.
• Log buckets will now be retained on deletion of the TEF stack.

What's new?

• Setup an S3 bucket to store process logs, including lifecycle rules to cleanup debug logs.

What's new?

• Turbot Hive Manager lambda now has permission to create encrypted SSM parameters, required by TED v1.5.0.

Warning

• Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers.

• The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound.

• If you are upgrading from a previous TEF version, you will need to make the modifications listed below:

  • Add ports 32768-65535 to the Load Balancer Security Group OUTBOUND to the API Security Group

  • Add ports 32768-65535 to the API Security Group INBOUND from the Load Balancer Security Group

  • Add port 80 to the Outbound Internet Security Group OUTBOUND to 0.0.0.0/0

What's new?

• Use ECS on EC2 (instead of Fargate) to accelerate container startup time (particularly for stacks), increase cost efficiency at scale, and prepare for wider container use at the core level.

What's new?

• Workspace manager creation of turbot.com directories updated to use a server name (instead of a phase).

What's new?

• Added a lifecycle rule to automatically delete temporary data from S3.

What's new?

• Reduced scope of permissions granted to custom mod Lambda functions. These add extra levels of protection and take effect as mods are installed or updated in Turbot v5.5.0 or later.

What's new?

• Publish the alpha region as an SSM parameter so it can be used as a default in other areas - like TED's default location for the primary DB.

Bug fixes

• The Hive Manager and Workspace Manager lambda functions used during the workspace upgrade process were not properly connecting to the database using SSL during initial workspace creation (they were during upgrades). Our change to force SSL on the database in TED revealed this issue, which is now fixed.

What's new?

• TEF version is now published as an output parameter in CloudFormation. (We'd rather that Service Catalog showed this automatically, but there is an AWS quirk that breaks that feature when Service Catalog versions are published using CloudFormation.)
• Workspace upgrades may now take up to 15 minutes before timing out. This allows us to run larger data migration jobs during the upgrade process. (Don't worry, we design these to be background tasks that don't affect availability during the upgrade.)
• Custom security groups are published as SSM parameters allowing them to be leveraged by the Turbot Guardrails Enterprise CloudFormation stacks to override per-version default security groups.

Bug fixes

• GovCloud installations require conditions in IAM to match the correct partition arn:aws-us-gov:.

What's new?

• Initial version.
• CloudFormation design for deployment via Service Catalog.
• Foundation components: KMS keys, IAM roles, Log groups & buckets.
• Network configuration with up to 3 tiers (public, turbot, database) across 3 availability zones in 3 regions.
• Automated VPC peering setup across regions.
• Subnet Groups and Security Groups for database and cache services.
• Optional gateway proxy for external event handling with an internal installation.
• Optional BYO network parameters for complex or pre-existing environments.