Turbot Enterprise (TE) Releases

5.37.6 [2021-06-24]

Apollo UI Preview

  • New Report - Azure Storage Accounts.
  • New Report - Large AWS ElastiCache Replication Groups.
  • Default Encryption AWS DynamoDB Tables report now includes additional filters.
  • Detached AWS EBS Volumes report now includes additional filters and control details.
  • Public AWS Route53 Hosted Zones report now includes additional filters and control details.
  • Unencrypted AWS SNS Topics report now includes additional filters and control details.
  • Unencrypted AWS SQS Queues report now includes additional filters and control details.
  • Developers page added for each report, displaying the GraphQL query examples used to generate the report.
  • Improved performance of Control query filters.
  • Permission modal now only returns grantable resources.
  • Total calculations correctly display when total counts are zero.
  • GraphQL history now auto-saves correctly when the history pane is closed.
  • Tags table is now alphabetically sorted on the Developer detailed pages for Reports.
  • The Run command on policy value detailed pages is now enabled for selection.
  • Standard policy settings are now validated using ajv.

What's new?

  • Added a maximum limit of 600 types (resource, policy, control, action) in a Mod.
  • Stack and Configured controls now support Terraform v0.14.11 and v0.15.5, along with Terraform cloud provider versions AWS v3.44.0, GCP v3.71.0, AzureRM v2.62.0, Azure AD v1.5.0, AzureStack v0.10.0.
  • Total table size (including index) was added to the Workspace Health control.

Bug fixes

  • Register the correct scope for the nested resolver descendants and children for a resource query.
  • Fixed potential deadlock when triggering policy value.

Enterprise

  • Error type ‘databaseError’ was added for quick searches in CW Insights.
  • Resource history data and metadata are now stored in S3 instead of the database to reduce the DB disk space and improve performance.
  • TE Dashboard now includes Mod Lambda Execution Stat and Database Error Stat metrics.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.37.5 [2021-06-16]

Apollo UI Preview

  • New Report - AWS EC2 Instance Security Group Usage.
  • Info tooltip added to each search box throughout the UI to reference more information on Turbot Filters.
  • Process Terminate button is added when a process is running on the control detail and calculated policies pages.
  • Moved the Accounts page so it is accessible outside of the Workspace Admin section.
  • Group profile count accurately shows when no group profiles are present.
  • Policy setting developers page now correctly shows update and create mutations for calculated policy settings.

What's new?

  • Improved Event Poller performance by discarding duplicate events.

Bug fixes

  • Increased event locks from 40 minutes to 4 hours as intended in the original design.

Enterprise

  • Move Turbot Action data from the database to Redis (if installed) to reduce database usage.
  • Optimization improvements to reduce data retrieval requests to S3.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.37.4 [2020-06-10]

Apollo UI Preview

  • Process and notification detail pages will no longer crash or error when trying to display resources, control or policy values which are no longer available.

Enterprise

  • Performance improvements for resource deletions.
  • Improved process logs when using Event Poller to increase reliability and performance of event handling.
  • Default Ansible version is now 2.9.21 as part of OS Guardrails features.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.37.3 [2021-06-10]

Enterprise

  • Revert Postgres compilation option that was causing excessive database load.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.37.2 [2021-06-09]

Apollo UI Preview

  • UI no longer crashes when an unknown or deleted resource ID is used.

Bug fixes

  • Fixed long running control execution for non-Redis

Enterprise

5.37.1 [2021-06-08]

Apollo UI Preview

  • Added a link to smart folders on the main policy settings page.

What's new?

  • Clean up of unused indexes from notifications, resource_types, action_types, control_types, permission_types, policy_types, control_categories, resource_categories, resource_interfaces, membership_hierarchy, permission_levels tables to reduce DB disk space and improve performance.

Enterprise

  • Expand Redis lock utilization to increase event handling performance and reduce database usage.
  • Improved timing of launching Type Installed controls when mods are installing.
  • Notification and history will no longer be generated for favorite actions to reduce insignificant history.
  • Mod get query results are now cached in Redis when applicable during control and policy runs.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.37.0 [2021-06-02]

Apollo UI Preview

  • Turbot Console Apollo UI will become the default UI for all Turbot users. Users who still prefer the original UI can switch back with the "Switch to existing console" link in the header of the console. The existing (non-Apollo) console will be considered deprecated in the v5.37.0 release. A future v5.40.0 release will fully remove the non-Apollo UI. When fully removed, there will be no impact to the APIs; however, it will impact any saved URLs pointing to specific screens in the old UI.
  • New Report - Policy Setting Exceptions.
  • New Report - Oldest GCP Compute Disks.
  • New Report - User Login History.
  • AWS EBS Volumes report now includes additional filters and control details.
  • Detached AWS Internet Gateways now includes additional filters and control details.
  • Unencrypted AWS EC2 Snapshots report now includes control details.
  • Added tooltip to the view log button when process log is not available.
  • Recent Login report now linked within the Account Admin page.
  • Waiting indicator added when favorites are loading on the homepage.
  • Account IDs are now included in the CSV export data for the AWS Well-Architected Tool Workloads report.
  • Search function in resource detail, GraphQL editor, process input data, and the calculated policy editor now remains visible while viewing submitted results.
  • The developer page for each resource now has a GraphQL query example for resource activity.
  • Resource explore page now hides Smart Folders and Files from the view by default. A Turbot Resources filter has been added to display Files, Mods and/or Smart Folders.
  • Actor title on activity lists now shows the Persona if Identity is unknown.
  • Improved the Mod Update modal to enable the Update button by default for one less click when updating to the latest mod version.
  • Negative current spend now renders correctly.
  • Timestamps are now wrapped correctly in Recent Resources List of Account Overview page.

What's new?

  • Added error message details when Lambda executions error to runnable DLQ in the console.
  • Added Lambda execution runnable DLQ metrics to TE Dashboard.

Bug fixes

  • Improved policy setting list queries for better result speed and performance.
  • Fix potential Mod control execution failure if the payload is larger than maximum SQS allowable message.
  • Users will now be able to view their own Turbot Access Keys and SSH Keys without requiring Turbot resource level permissions.
  • Turbot no longer crashes when it tries to restart controls in non-Redis mode while TE is installed with Redis mode.
  • State conditions of policy values and control states during precheck are correctly handled.
  • Saving a dependency to a policy value that does not exist yet during a Mod Install no longer crashes the control.
  • Corrected duplicate log entry when retrieving process logs from the UI.

Enterprise

  • Reduced unused policy_values_history columns to improve the performance of smart folder and policy setting creation.
  • Reduced unused types and levels history information to free up disk space.
  • Improved resource delete handling for large operations when no history mode is selected.
  • Improved control usage information for resource version deletions without history.
  • TE Cloudwatch alarms now include TEF SNS topic alarms.
  • Reduced non-critical process log storage to 7 days. Note: critical process logs will continue to be stored in S3 with the default retention of 13 months.
  • Policy value history and control data history are now stored in S3 with the default retention of 13 months.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.14 [2021-05-28]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • AWS Account Import External ID input now correctly handles inputted values that were copied into the setting.

Enterprise

5.36.13 [2021-05-27]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • Aging calculations in all reports now correctly calculate the duration.

Bug fixes

  • Improved handling for long running control to avoid infinite execution.
  • Improved handling of potential process logs duplication.

Enterprise

5.36.12 [2021-05-24]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • Control summary chart no longer adds another 'state' filter.
  • Log messages in the Diff viewer are now sorted alphanumeric.
  • Calculated policy builder no longer errors when a multi-line GraphQL query is set.
  • Policy setting detail card highlight now remains visible regardless of content length.
  • Regex validation corrected to handle special characters for AWS External IDs while in Protected Mode during AWS Account imports.
  • Reporting page search improvements for handling edge cases.

Enterprise

5.36.11 [2021-05-18]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Enterprise

  • Expanded error logging to capture when Turbot is unable to perform operations to Redis.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.10 [2021-05-12]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Bug fixes

  • Error handling improvements when the maintenance container index is recreated during weekly maintenance activities.

Enterprise

5.36.9 [2021-05-10]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Bug fixes

  • Re-running the Mod Install control will detect when the Mod URL has expired and will automatically refresh the Mod URL.
  • Type Install will no longer fail when ElastiCache is not enabled.
  • Event Container autoscaling policy now uses the correct alarm action.

Enterprise

5.36.8 [2021-05-06]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Bug fixes

  • Retry logic added for reconnecting to Redis when there is a credential error.

Enterprise

  • Clean up of unused tables (action_history) and unused indexes (controls_history, resources_history, and policy_values_history) to reduce DB disk space.
  • Additional database indexes are added to be re-created weekly to improve performance.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.7 [2021-04-29]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • New Report - Oldest Azure Compute Disks.
  • New Report - Well-Architected Tool Workloads.
  • Unencrypted Azure Compute Disks report was expanded and renamed to Turbot Best Practice - Azure Compute Disks.
  • Smart Folder Detail page now has a Detach Resource action.
  • Resource age calculations are now correctly queried in all related resource reports.
  • Policy setting editor will no longer show a double scrollbar.
  • Corrected the active blue border around Identities and Permissions fields within the Grant Permission modal.
  • Improved results when calculating control alerts on the descendant resources in the resource controls page.

Bug fixes

  • Optimized performance to prevent crashes when Turbot is unable to load a resource while processing into the CMDB.
  • Improved handling of smart folder attachments and detachments to ensure all policy values are evaluated.

Enterprise

  • ECS Auto Scaling now scales based on memory utilization.
  • Adjusted placement of Events CPU Utilization in TE Dashboard.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.6 [2021-04-26]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • New Report - Unencrypted AWS CloudWatch Log Groups.
  • AWS KMS Key report now has a Key Type filter.
  • Account Summary report now includes active controls stats and cloud provider filters.
  • Associated and Dissociated AWS Elastic IPs report now includes control indicators as part of the report.
  • Unencrypted AWS S3 Report now includes control indicators as part of the report.
  • Large AWS EC2 Instances report should not load at the middle of the page.
  • Resources dashboard now has a Folder grouping view.
  • AWS Account Import page now has a tooltip for the External ID input to provide more information on suggested auto-generated External IDs and protection mode.
  • AWS Account Import no longer defaults to the Turbot level as the Parent Resource.

Bug fixes

  • Re-running Type Install controls will no longer be blocked by the Workspace Lock.
  • Template policy value calculations have improved handling on null values and empty strings.

Enterprise

  • Critical database indexes are now re-created weekly to improve performance.
  • We've improved our first backoff timing to be 1 hour after the state changed, instead of 3 within the hour for “Too Many Requests” and “Forbidden” errors. This will help reduce the risk of throttling during highly active event churn.
  • Reduced errors and improved performance of Mod installs by caching Mod data.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.5 [2021-04-16]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • Exporting report data should not fail when actor identity information is null.

Bug fixes

  • Improved handling of policy value calculations when the template returns null.
  • Reduced crashing when the cache is not fully initialized.

Enterprise

5.36.4 [2020-04-12]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Bug fixes

  • Policy values were incorrectly calculating after a resource move. Requires turbot mod version 5.34.0.

Enterprise

5.36.3 [2020-04-12]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • EC2 AMI instance report should display when there is no image information available.

Enterprise

5.36.2 [2021-04-09]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Bug fixes

  • Improved indexing on multiple tables to reduce statement timeouts.

Enterprise

5.36.1 [2021-04-08]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • New report - AWS EC2 Instance AMI usage.
  • Delete resource modal now offers an option to retain the resource history before deletion.
  • Generated suggestions for IAM Role External ID during AWS Account Imports are now optional when AWS > Account > Turbot IAM Role > External ID > Protection policy set to Open.

What's new?

  • Deleting a resource now supports additional flag retention values of NONE and HISTORY. The default value is HISTORY. Setting to NONE will delete all the history records for the resource. The resource delete will be 3 times faster if the retention is set to NONE.

Bug fixes

  • Policy setting creation should not fail if the Smart Folder is attached on multiple resources under the same ancestors in the resource hierarchy.
  • Policy setting creation should not fail while creating the workspace.
  • Fixed handling of edge cases where container crashes occurred when accepting a new SNS Subscription.

Enterprise

  • TEF Workspace Manager now prevents a user from changing a workspace name.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.36.0 [2021-04-02]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.36.3.

Apollo UI Preview

  • New report - AWS Default VPC.
  • New report - AWS EC2 AMIs.
  • New report - AWS Public Route 53 Hosted Zones.
  • New report - Recent User Login.
  • New report - Detached GCP Compute Engine Disks.
  • New report - Turbot Best Practice - AWS S3 Buckets.
  • New report - Unencrypted AWS CloudTrail Trails.
  • Renamed AWS Access Keys (90+ days old) report to Aging AWS Access Keys.
  • Renamed Turbot Access Keys (90+ days old) report to Aging Turbot Access Keys.
  • Age filter was added to the Aging AWS Access Keys & Aging Turbot Access Keys reports.
  • Providers filter was added to the reports dashboard to filter reports by AWS, Azure, GCP or Turbot.
  • Mods List shows more information on the latest available version and last updated.
  • List of available smart folders in the resource attachment modal should be sorted alphabetically.
  • Added additional details for policy settings notification detailed pages.
  • When importing an AWS Account, Turbot now suggests an operational unique External ID.
  • Improved handling and coverage on all pages for displaying insufficient permissions notices when applicable.
  • Query results on the Search page will now display results as available instead of waiting until the request is completed.
  • Resource total calculations on the Resource Explore page have been improved to not show Turbot resources.
  • Text wrapping has been fixed when listing controls with long strings.

What's new?

  • Support for managing SSH Keys in your user profile was added as part of OS Guardrails features.
  • Redis password on the maintenance container now rotates monthly.
  • Optional AWS Security Group added to be used for connecting to LDAP server.
  • Control and policyValue graphQL resources will return null when the respective record does not exist.
  • Controls and policy value calculations pause during heavy operations such as mod installs, mod updates and resource deletions.

Bug fixes

  • Fixed race condition during Mod Updates for Control Types.
  • Improved resource aggregation queries for Resource Type and Resource Category using ResourceId.
  • LDAP connectivity control should return with a timeout message instead of ending up in DLQ when DNS connectivity does not go through.

Enterprise

  • DeletionPolicy is now defaulted to “Retain” for Worker, API, Events and Maintenance container log group.
  • Improved caching in Redis for Turbot root resource queries.
  • TE Dashboard now includes metrics of Worker Retry, Events DLQ and Runnable DLQ Lambda.
  • TLS requests with LDAPS should override the checkServerIdentity option to verify the identity of the host explicitly to handle CA cert issues.
  • Requires: TEF v1.33.0, TED v1.9.1.

5.35.9 [2021-03-22]

Bug fixes

  • The Interval Check control will now fail if the inline payload is too large, previously it would cause a crash.
  • Fixed handling of edge cases where Nunjucks rendering caused crashing errors.

Enterprise

  • Verbose logs were enabled for raw events to capture more details for troubleshooting.
  • Improved locks for duplicate event handling.

Requires: TEF v1.31.2, TED v1.9.1.

5.35.8 [2021-03-15]

Apollo UI Preview

  • New report - Unencrypted RDS Clusters.
  • Policy settings set on a smart folder are now shown when listing Policy values on a resource.

Enterprise

  • Updated SQL migrations for Postgres 12 compatibility.
  • Reduced S3 and KMS load by only saving process information to S3 when the process had a notification. (Other processes are not worth keeping.)
  • Process logs are saved to S3 as a single operation, reducing request costs.
  • Allow the S3 bucket for process records to be set explicitly, which allows movement of workspaces between TED instances.
  • Low value action history is no longer retained, reducing DB load.
  • Process monitor control updated to better handle a large number of processes to terminate.
  • Do not create a temp directory for large commands if a small command was received.
  • Fix crashes in dead letter queue handling.
  • Expanded descriptions in the TE dashboard for easier troubleshooting.
  • Monitoring for stale controls was not working properly, but will now detect any.
  • SSM parameter saving during workspace update should raise the full error details for investigation.
  • Filter by resource type optimizations in v5.35.4 could cause extra matches, these have been fixed.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.7 [2021-03-05]

Apollo UI Preview

  • Access Keys 90+ Days Old report now shows the creation date.
  • Grant permission modal auto-selects next field once an identity is selected.
  • Markdown tables in policy descriptions now render correctly.
  • Policy Setting OCL Rules text fields are now larger by default for multi-line entries.

Enterprise

  • Performance improvements when listing controls, notifications and policy values.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.6 [2021-02-25]

Apollo UI Preview

  • Calculated policy editor now displays autocomplete suggestions.
  • New report - Resources Deleted by Turbot.
  • New report - Detached Azure Compute Disks.
  • New report - Unencrypted Azure Storage Accounts.
  • New report - Unencrypted AWS RDS Instances.
  • New report - Unencrypted AWS RDS Instance Snapshots.
  • New report - Unencrypted AWS RDS Cluster Snapshots.
  • Access Keys 90+ Days Old report now shows the last used date.

Enterprise

v5.35.5 [2021-02-19]

Apollo UI Preview

  • New report - Non-rotating AWS KMS Keys
  • New report - Associated AWS Elastic IPs
  • Reports are hidden if the required mods are not installed.
  • Data and metadata should not be empty when viewing resource update notifications.

Bug fixes

  • Paging should not fail when using sort:rank with an empty full text search, we now fall back to sort:title.

Enterprise

v5.35.4 [2021-02-12]

Enterprise

  • Improved performance of smart folder attachment, particularly for large environments.
  • Improved performance of filtering for large hierarchies of control and policy values.
  • Improved performance of large scale resource cleanup tasks.
  • Use "Unidentified Identity" rather than null if the actor is not known.
  • Fixed process cleanup for environments not using ElastiCache.
  • Fixed notification generation when multiple watch rules are matched.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.3 [2021-01-27]

Apollo UI Preview

  • New report - Detached AWS EBS Volumes.
  • New report - Unencrypted AWS DynamoDB Tables.
  • New report - Unallocated AWS Elastic IPs.
  • Reports showing type data can now be sorted by type.
  • Mod detail page now links to the Type Installed and Mod Installed controls.
  • Local directory user password should be auto-generated when creating the user.
  • Add trailing whitespace to the footer to make the bottom of the page easier to read.
  • Developers tab in process detail page.

Enterprise

  • Large scale updates to policy values (e.g. through policy settings or smart folder attach) are now approximately two times faster.
  • Next tick timestamp should be set if a runnable can't be started due to conflict.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.2 [2021-01-27]

Enterprise

  • Hive Manager function should convert underscore to hyphen when creating and deleting Redis user & group.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.1 [2021-01-25]

Enterprise

  • Type Installed control should stop re-trying if we get a 403 (forbidden) from the mod registry.
  • Requires: TEF v1.31.2, TED v1.9.1.

v5.35.0 [2021-01-22]

Apollo UI Preview

  • New report - Oldest AWS IAM Access Keys.
  • New report - Oldest EBS Snapshots.
  • New report - Oldest RDS Snapshots.
  • New report - EBS Volumes.
  • Process terminate button is now available in the main header action menu area.

What's new?

  • Improved performance of resource and control aggregation counts.

Enterprise

  • Mod update will automatically run any controls or policies where the calculation code has been updated. This creates a large amount of work during install for often minor changes (e.g. a patch to a dependency). Mods can now include a hash of their function code to ensure re-run is only executed when necessary, reducing load on systems during upgrades. (Note: only effective for the second mod upgrade onwards.)
  • Policy calculations can now leverage the precheck mode, reducing load for Skipped controls and policies.
  • TE now pulls Worker Lambda parameters from TEF via SSM, reducing custom settings on each install.
  • Improved performance of policy value lookups. We do a lot, and it adds up.
  • TE Dashboard now includes unhealthy host metrics for event handlers.
  • TE Dashboard log queries have been fixed to show errors and crashes.
  • Requires: TEF v1.31.0, TED v1.9.1.

Enterprise: Redis Caching

Turbot now uses Redis by default for short term data storage (e.g. process data) and caching. This reduces database load and IOPS considerably while also improving process and query performance. Long term data is not stored in Redis, for example, process data and logs are archived to S3.

Upgrading TEF, TED and TE will automatically enable this feature unless it's deliberately disabled in both TEF and TED parameters. (Note: While currently optional, we expect Redis to be a requirement in a future release.)

Warning: Customers using Redis through the Experimental Features flag are required to follow specific steps during the upgrade to align their installation with the final release:

  1. Open the TED and TEF stacks in CloudFormation. Turn off Experimental Features. This will shut down Redis.
  2. When both stacks have been updated, open the TE CFN Stack and toggle the Parameter Deployment Trigger from Green to Blue or vice versa.
  3. Upgrade TEF to 1.31.0.
  4. Upgrade TED to 1.17.0 (not required for TE 5.35.0, but since Experimental Features is on in this scenario, we're assuming that you are on the latest TED).
  5. A new Redis instance should be created.
  6. Open the TE CFN Stack and toggle the Parameter Deployment Trigger from Green to Blue or vice versa. This will enable the existing TE 5.34.x to use Redis.
  7. Install TE 5.35.0.

v5.34.8 [2021-01-14]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Apollo UI Preview

  • Process detail now includes convenient links to the related policy, control and resource pages.
  • Added a type column to various reports that focus on types (e.g. Large EC2 Instances).
  • Prevent ugly text overflow if too large for rows or cards.
  • Show errors for stalled account imports.

Enterprise

  • Ongoing incremental performance improvements to policy value updates.
  • Caught and fixed a crashing error in mod install.
  • TE dashboard was not properly showing worker and event crash events. Now it does.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.7 [2021-01-08]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Apollo UI Preview

  • Fixed export of reports with more than 5000 rows.
  • Clearly show which mods are installed when installing a new mod.
  • Directory list for login page now loads quickly.

Bug fixes

  • Group profile sync from Active Directory should preserve friendly titles rather than overwriting with each sync.
  • Expiration added when creating a policy setting will now be immediately shown in the UI.
  • Performance improvements to resource filter queries.

Enterprise

  • Automatically detect and repair any invalid database indexes.
  • Removed false positives from Turbot > Workspace > Health control by increasing slow idle query timeout and ignoring indexes that are invalid during creation.
  • Expand Lambda timeout limits for mod controls, so we can allow discovery of very very large resource sets.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.6 [2020-12-24]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Apollo UI Preview

  • Activity Ledger report can now be filtered by resource.
  • Mod detail page now has an Activity tab.
  • Allow a calculated policy to be run manually even if it's in TBD state.
  • Remove confusing examples from the calculated policy builder.
  • Cross-link from control detail page to the control type explorer.
  • If a policy value has a setting the button should read "Edit Setting" (not Create).
  • Improve login screen experience while directories are being loaded.
  • Move resource modal now has the latest and greatest Apollo dropdowns.
  • Standardized the order of state cards on control and policy value reports.
  • Admin page now loads progressively, so we're not blocked by the slowest part.
  • Resources totals on the home dashboard should now match exactly.
  • Going back from viewing logs to the original page is now a single click.

Enterprise

  • Improved YAML parsing safety and fallback handling for resource title templates defined in mods.
  • Added Tenant information to various TE dashboard data tables.
  • Fixed a race condition when saving some process logs to S3.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.5 [2020-12-17]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Apollo UI Preview

  • New report: Unencrypted AWS S3 buckets.
  • New report: Unencrypted AWS EBS volumes.
  • New report: Unencrypted AWS EBS snapshots.
  • Resource search results now work properly in Search tab.
  • Resource attach in the Smart Folder detail page now works.

Enterprise

  • Removed unnecessary repeated data from the policy values table, reducing size and load.
  • Changes to policy type hierarchy should not trigger notifications for each policy value.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.4 [2020-12-11]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Apollo UI Preview

  • New report: Large AWS EC2 instances.
  • New report: Large AWS RDS, DocumentDB and Neptune DB instances.
  • Create Policy button added to header of the policies page.
  • Last process run timestamp information added to the control detail page.
  • Search box added to the controls dashboard.
  • Statistics in the resources, control and policy lists now link to their related reports.
  • Improved cross-browser support for the calculated policy builder.
  • Smart Folder developers tab now includes template and template input data for calculated policy settings.

Enterprise

  • API responses now set the Referrer-Policy header to strict-origin-when-cross-origin to improve privacy.
  • Turbot > Workspace > Health Control now shows the top 5 bloated database indexes per workspace.
  • Index rebuilding is now run at most once for all indexes, reducing retries.
  • Removed a race condition in action running, which could lead to conflicts for the same action.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.3 [2020-12-07]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Enterprise

  • Database re-index operations should only update an index once per day at most, and other small fixes.
  • The precheck phase in runnables should allow invalid, error and ok states to be set.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.2 [2020-12-04]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Enterprise

  • Added support to run in Sao Paulo (sa-east-1) region. Welcome Brazil!
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.34.1 [2020-12-03]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

Enterprise

  • Support for targeting specific action types with events, reducing duplication and fan out in shared event types.
  • Automatically re-index database tables to free space and improve performance.
  • Allow the maintenance container to have DB access for re-index job (which can be very long running).
  • Only create Turbot's outbound security group when a custom group is not specified via a parameter.
  • Fixed some TE dashboard log queries that we broke in v5.34.0.

v5.34.0 [2020-11-30]

Warning

  • IAM permissions updated in Turbot Enterprise stack for v5.34.1.

What's new?

  • Most controls have a matching primary policy, which may be set to Skip. A new precheck phase is now available to mods to quickly test policy settings (e.g. Skip), or control values (e.g. CMDB) and immediately set the control status. This accelerates event handling, reduces load, and simplifies our dependency triggers considerably.
  • Mod installation runs separate processes for each control type and policy type install. For large environments this still involves a significant amount of work (proportional to the number of target resources), which can be slow or time out. We now break up that work into background tasks and run through it progressively.

Bug fixes

  • Any failure to process the commands sent from the runner to the handler should set the control or calculated policy to error.

Enterprise

  • Optimized dependency triggers during all resource create, update and delete operations.
  • Clean up help blocks in the TE dashboard.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.33.3 [2020-11-26]

Bug fixes

  • Event handling changes in v5.33.2 caused some events (e.g. Azure and GCP events, but not AWS) to error during handling.

Enterprise

  • Multi-region deployments had incorrect S3 permissions (too tight) to Turbot buckets.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.33.2 [2020-11-19]

Enterprise

  • Immediately handle inline responses, reducing event flow.
  • Action run should not generate and save dependencies in S3. They are not needed.
  • Experimental ElastiCache: Reduce Next events through locking.
  • Experimental ElastiCache: Do not reset password when not using ElastiCache.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.33.1 [2020-11-18]

Enterprise

  • Optimize internal Next events to reduce load and aid troubleshooting.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.33.0 [2020-11-12]

Warning

  • IAM permissions updated in Turbot Enterprise stack.

What's new?

Bug fixes

  • Clarify error message when a resource is not found or forbidden.
  • Sort by trunk title should support paging.

Enterprise

  • Increase maintenance_work_mem and max_parallel_maintenance_workers for faster search data index creation.
  • All run parameters for control containers are now encrypted.
  • Transient messages and tasks should use the turbot_transient KMS key (not turbot_foundation).
  • Clean up obsolete notifications from the database (e.g. control_created).
  • Stack factory container does not require ports 8443 or 8080 to be open.
  • Tightened IAM access policies to Turbot's own S3 buckets.
  • Update control type update db function to not perform path updates to the descendants if not required.
  • Requires: TEF v1.29.0, TED v1.9.1.

v5.32.7 [2020-11-12]

Bug fixes

  • If the experimental Redis support is not enabled then we should never try to connect to it.

Enterprise

v5.32.6 [2020-11-10]

Bug fixes

  • Type Install controls should use the in-memory cache to retrieve the Mod first and only build if not already available.

Enterprise

v5.32.5 [2020-11-09]

Bug fixes

  • Optimize dependency triggers during resource creation, particularly during large operations like mod install.

Enterprise

v5.32.4 [2020-11-04]

Bug fixes

  • Large mod installs were producing excess debug logs, breaching the maximum inline payload size.
  • Mod install should delegate calculation of resource interface targets to the per-type installation process, improving mod install parallel performance.

Enterprise

v5.32.3 [2020-10-29]

Bug fixes

  • Policy setting summaries by control category counts were slightly incorrect.
  • Skipped controls should not be automatically re-run as instructed by the defaultInterval attribute in the control type. They are skipped, so rerunning adds work without value.

Enterprise

v5.32.2 [2020-10-26]

Bug fixes

  • Revert more problematic changes to IAM policies for S3 logging buckets introduced in v5.32.0.

Enterprise

v5.32.1 [2020-10-26]

Bug fixes

  • Revert problematic changes to IAM policies for S3 logging buckets introduced in v5.32.0.

Enterprise

v5.32.0 [2020-10-23]

What's new?

  • Sort resource results by their full hierarchy title. (e.g. resources(filter: "sort:trunkTitle")).
  • A lock can now be optionally shared across controls, avoiding contention in similar operations.

Bug fixes

  • Moving a resource with higher level smart folders was not properly updating policy values. This could cause the resource policies to be out of sync with the settings in their new location. We've fixed this, and repaired existing policy values.
  • Prior to v5.31.0 some policy value primitives were stored with the wrong type (e.g. as "2" instead of 2 for an integer policy). This version goes back and repairs previously stored values to have the correct type per their schema.
  • Do not retry a control or policy calculation if the control or policy type is no longer available (e.g. been uninstalled).
  • Reduced possible deadlocks in policy type updates.
  • Get resource types optimized to only target resource types (not policy types, control types, etc).
  • Pre-release version information is now included when calculating mod peer dependencies & engine dependencies.

Enterprise

  • Tightened IAM permissions for access to the S3 logging buckets in the Turbot primary account.
  • Workspaces now have a database health control to raise up many issues and statistics about underlying database performance for their schema. This will make initial troubleshooting considerably easier for many environments.
  • Requires: TEF v1.26.3, TED v1.9.1.

v5.31.4 [2020-10-21]

Bug fixes

  • Improved performance of the Turbot > Workspace > Migration control, reducing both execution time and database load. (Requires @turbot/turbot mod v5.28.3.)

Enterprise

  • Added indexes to the search data column for resources, controls, policy settings and policy values.
  • Requires: TEF v1.26.3, TED v1.9.1.

v5.31.3 [2020-10-20]

Bug fixes

  • TEF and TED version requirements were incorrectly increased in v5.31.0. They have been reset in this version to avoid unnecessary upgrades. Customers moving from v5.30.x or earlier directly to v5.31.3 may not need to upgrade their TEF or TED stacks.
  • Stack runs were improved to use cache data in v5.31.0; we've fixed some edge case failures in this patch.

Enterprise

v5.31.2 [2020-10-16]

Bug fixes

  • Deleting a resource, which deletes its associated policy settings, should raise policy setting deleted notifications.
  • Controls with a defaultInterval set should continue to retry even if they are still in error after 56 days (our max retry length for other errors).

Enterprise

v5.31.1 [2020-10-15]

Enterprise

  • Fixed a bad schema reference in notification queries for the policyTypeId: pivot.
  • Requires: TEF v1.27.0, TED v1.14.0.

v5.31.0 [2020-10-14]

Warning

  • IAM permissions updated in Turbot Enterprise stack.

What's new?

  • Mods can now specify a specific version of the Turbot engine required for installation, making dependent upgrades simpler to manage - particularly via autoupdate.
  • Control category filters now support more pivots like resourceId:, resourceTypeId: and policyTypeId:.

Bug fixes

  • We leverage type coercion when receiving input data (e.g. make "2" into 2 if we are expecting an integer). This coerced data is then saved to the database. This worked when the data was inside an object (e.g. { "foo": "2" } becomes { "foo": 2 }), but did not work for primitive types (e.g. "2"). For primitive types we'd pass validation, but were not saving the coerced value - leading to invalid data in the database. This is now fixed.
  • Template policies should respect the defaultInterval attribute.
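
The primitive coercion defect described in the first v5.31.0 bug fix above, together with the stored-value repair noted for v5.32.0, sketched as an added JavaScript example. It is not Turbot's code: the validator, function names and schemas are hypothetical, and it assumes a validator that coerces in place and reports only pass or fail.

```javascript
'use strict';

// Coerce a single value to the schema's primitive type (hypothetical helper).
function coercePrimitive(schema, value) {
  switch (schema.type) {
    case 'integer':
      if (Number.isInteger(value)) return { ok: true, value };
      if (typeof value === 'string' && /^-?\d+$/.test(value.trim())) {
        return { ok: true, value: Number(value) };
      }
      return { ok: false, value };
    case 'boolean':
      if (typeof value === 'boolean') return { ok: true, value };
      if (value === 'true' || value === 'false') {
        return { ok: true, value: value === 'true' };
      }
      return { ok: false, value };
    case 'string':
      if (typeof value === 'string') return { ok: true, value };
      if (typeof value === 'number') return { ok: true, value: String(value) };
      return { ok: false, value };
    default:
      return { ok: false, value };
  }
}

// Validates and coerces IN PLACE, returning only true/false.
// Object properties are rewritten through the parent reference;
// a root primitive has no parent, so its coerced value is discarded.
function validateInPlace(schema, data) {
  if (schema.type !== 'object') return coercePrimitive(schema, data).ok;
  if (typeof data !== 'object' || data === null || Array.isArray(data)) return false;
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    if (!(key in data)) continue;
    if (sub.type === 'object') {
      if (!validateInPlace(sub, data[key])) return false;
      continue;
    }
    const result = coercePrimitive(sub, data[key]);
    if (!result.ok) return false;
    data[key] = result.value; // write-back works because data is a reference
  }
  return true;
}

// Defective save path: validation passes for "2", but the raw string is stored.
function saveBuggy(store, key, schema, input) {
  if (!validateInPlace(schema, input)) throw new TypeError('invalid value for ' + key);
  store.set(key, input);
  return store.get(key);
}

// Corrected save path: give the root value a parent so the coerced
// result can be read back, then persist that result.
function saveFixed(store, key, schema, input) {
  const holder = { value: input };
  const wrapper = { type: 'object', properties: { value: schema } };
  if (!validateInPlace(wrapper, holder)) throw new TypeError('invalid value for ' + key);
  store.set(key, holder.value);
  return store.get(key);
}

// One-off repair of previously stored primitives: re-coerce each value
// against its schema and rewrite only those whose type changed.
function repairStored(store, schemas) {
  const repaired = [];
  for (const [key, value] of [...store]) {
    const schema = schemas[key];
    if (!schema || schema.type === 'object') continue;
    const result = coercePrimitive(schema, value);
    if (result.ok && result.value !== value) {
      store.set(key, result.value);
      repaired.push(key);
    }
  }
  return repaired;
}

// Constructed sample data.
const demoStore = new Map();
const objSchema = { type: 'object', properties: { foo: { type: 'integer' } } };
console.log(saveBuggy(demoStore, 'obj', objSchema, { foo: '2' })); // object case coerces
console.log(typeof saveBuggy(demoStore, 'n', { type: 'integer' }, '2')); // primitive does not
console.log(typeof saveFixed(demoStore, 'n', { type: 'integer' }, '2'));
```

A check worth carrying into any similar store: compare the runtime type of each persisted value against its schema, since the defective path passes validation and leaves no error to alert on.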

Enterprise

  • Improved performance of resource move operations, and increased the timeout to 5 mins to give us more room in very large cases.
  • Add sweepers to find and fix (rare) cases where controls or policies have lost their next tick schedule.
  • Requires: TEF v1.27.0, TED v1.14.0.

5.30.6 [2020-10-08]

Enterprise

  • Mods can now share a single Lambda zip package for multiple controls, rather than a zip per control. This will allow mods to use a much larger number of controls within the mod size limit.
  • Requires: TEF v1.26.3, TED v1.9.1.

v5.30.5 [2020-10-06]

Warning

  • Workspaces must be on v5.30.2 or later before upgrading to v5.30.5. Important data migration tasks are performed in the background in preparation for this version. Status of migrations is visible in the Turbot > Workspace > Migration control.

Bug fixes

  • Controls should not rerun if they have an error due to bad credentials; they will just fail again anyway.

Enterprise

  • Improved performance of mod uninstall.
  • Improved performance of category views using data models added in v5.30.2.
  • Fixed policy type after update trigger to ensure that new calculated policy values are initialized into the TBD state.
  • Requires: TEF v1.26.3, TED v1.9.1.

v5.30.4 [2020-10-01]

Enterprise

v5.30.3 [2020-10-01]

Enterprise

v5.30.2 [2020-09-29]

Enterprise

  • Improved data model for categories with background data migrations to prepare for future use.
  • Improved performance of controls when filtering on multiple pivots, e.g. resource & resource type.
  • Improved performance of mod installation for large environments.
  • Requires: TEF v1.25.0, TED v1.9.1.

v5.30.1 [2020-09-24]

Enterprise

v5.30.0 [2020-09-23]

Warning

  • Workspaces must be on v5.29.12 or later before upgrading to v5.30.0. Important data migration tasks are performed in the background in preparation for this version.

What's new?

  • Faster summary data loading for smoother browsing of resources, controls and policies.
  • Resource deletion is much faster, and scales to much larger environments.
  • Optimized performance across many GraphQL APIs and operations through careful analysis of queries and better data models introduced in v5.29.0.

Bug fixes

  • Internal JWT authentication no longer checks the version, which prevented smooth message handling during upgrades.

Enterprise

  • Workspace upgrades can now check that they are coming from a minimum required version, smoothing the process for key release milestones when a workspace is far behind.
  • Worker lambdas now handle four tasks in parallel instead of 2, optimizing utilization.
  • Terraform stack container is much smaller, for faster startup and improved performance.
  • Requires: TEF v1.25.0, TED v1.9.1.

v5.29.14 [2020-09-23]

Enterprise

v5.29.13 [2020-09-22]

Enterprise

  • Optimized dependency checking during resource, control and policy value creation.
  • SAML callback URL now uses the domain name specified in Turbot > Workspace > Domain Name.
  • SNS topic policies created during mod installation will restrict IAM permissions by organization ID when possible.
  • SQS and SNS policies in Turbot primary account will restrict IAM permissions by organization ID when possible.
  • Requires: TEF v1.25.0, TED v1.9.1.

v5.29.12 [2020-09-17]

Enterprise

  • Optimized background tasks for data model migrations preparing for v5.30.0.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.29.11 [2020-09-16]

Enterprise

  • Ensure Workspace > Usage upload errors (e.g. non-200 status code) send the control to error state.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.29.10 [2020-09-16]

Enterprise

  • Revert process history vacuum settings from v5.29.9, which timed out in very large environments.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.29.9 [2020-09-15]

Enterprise

  • Background tasks to add data model indexing for resources and policy values, to be used in a future version.
  • Add specific properties to optimize vacuum of process history.
  • Auto retry of controls in TBD & Error should have jitter to avoid large repeated spikes of activity.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.29.8 [2020-09-08]

Enterprise

  • Optimize cleanup of stale processes, particularly for large environments.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.29.7 [2020-09-07]

Bug fixes

  • Improve LDAP URL parsing for simpler port extraction and definitions, such as automatically setting the port to 636 if the protocol is ldaps://.
  • Improved handling of LDAP Directory userSearchAttributes.
  • Changes to control metadata should not create a new version of the control.

Enterprise

v5.29.6 [2020-09-07]

Bug fixes

  • Optimized performance of control list and summary queries, preventing timeouts in large environments.
  • When a resource is created, the policy values and controls for the resource are created at the same time. This often leads to controls being run immediately, before the policies they use are ready. We've added a fixed 5 second delay to new controls, which reduces work and policy not errors by about 50%.
  • Boolean matches for path (e.g. $.my.path:true) will now work as expected.
  • Process history cleanup has been optimized to reduce contention with the processes table.
  • Since TED v1.11.0, TE upgrades could fail with conflicts when the workspace was named turbot. This has been fixed.

Enterprise

v5.29.5 [2020-09-03]

Bug fixes

  • Control run optimizations added in v5.29.4 could lose actor information in some situations. These have been fixed, while keeping key parts of the optimizations.
  • Optimized process history cleanup, particularly for large environments.

Enterprise

v5.29.4 [2020-09-01]

Bug fixes

  • Optimized performance of listing and summarizing controls by control type.
  • The JWT in our tasks includes the Turbot version number, causing backlogged tasks to fail validation during upgrades. Most were automatically marked for retry, but this causes noise and rework. We have removed the version, allowing our version upgrade redirect of tasks to work more smoothly.
  • Control runs triggered by a mod (e.g. a CMDB control run triggered by an event) would try to run the task immediately, increasing conflicts in our single process detection handler. We now queue the request as appropriate, reducing that noise and work.

Enterprise

v5.29.3 [2020-08-31]

Bug fixes

  • Running a control from the UI would crash the API server if the control was already running.

Enterprise

v5.29.2 [2020-08-31]

Bug fixes

  • Background tasks use a JWT for authorization. In v5.29.0 we changed processes to a max of 4 hours (with a 1 hr heartbeat), but our secondary check in token verification was still restricted to a 1 hour maximum. These defence-in-depth token checks have been updated to match.

Enterprise

v5.29.1 [2020-08-27]

Bug fixes

  • Command handler should not try to update the status of a control or calculated policy if it no longer exists.
  • Policy value state was not being correctly updated when set from the server. (It was working correctly for the far more common case of being set via calculated policies.)

Enterprise

v5.29.0 [2020-08-26]

Bug fixes

  • If a control or calculated policy has a dependency in Invalid, then it will also be set to Invalid (instead of Error).
  • Improved ordering of type changes during mod update to prevent conflicts.
  • Backlogged processes would time out after 1 hour, causing the process to be restarted. We now let processes run up to 4 hours, provided they have active work done at least each hour.

Enterprise

  • Reduced background task load, particularly tick.turbot.com:Next events, especially when the queue has a backlog to work through.
  • A new, optimized data format for dependencies has been added in this version and migrations are occurring in the background in preparation for a future version.
  • Dashboard graphs updated to use zero minimum values, better axes layout and more appropriate thresholds.
  • Requires: TEF v1.24.0, TED v1.9.1.

v5.28.7 [2020-08-25]

Enterprise

v5.28.6 [2020-08-21]

Enterprise

v5.28.5 [2020-08-18]

Bug fixes

  • Calculated policies using <resource> { tags } GraphQL input were not saving dependencies correctly, so would not be triggered by tag changes. The more commonly used form of <resource> { turbot { tags } } was saving dependencies correctly and not affected by this issue.
  • Requires: TEF v1.23.0, TED v1.9.1.

5.28.4 [2020-08-18]

Enterprise

  • Improved performance of stale process search for cleanup, especially under large backlog conditions.
  • Requires: TEF v1.23.0, TED v1.9.1.

5.28.3 [2020-08-15]

Enterprise

5.28.2 [2020-08-14]

Enterprise

  • Repaired indexes on the types table to address performance bottlenecks.
  • Requires: TEF v1.23.0, TED v1.9.1.

5.28.1 [2020-08-13]

Enterprise

  • Optimized specific notification queries to improve UI performance of activity lists.
  • Requires: TEF v1.23.0, TED v1.9.1.

5.28.0 [2020-08-12]

What's new?

  • Performance improvements through various queries and triggers.

Bug fixes

  • Pagination of resources was not working properly for full text search queries combined with sort:rank. Now it does.
  • During resource upsert Turbot calculates various fields (e.g. AKAs) from the data. We now merge any updated data with the existing data before doing those calculations.
  • Mod update now performs resource type deletion after other actions (e.g. control type deletion), preventing conflicts.
  • Mod install sets the mod title as part of the initial data, so the UI can show the actual title instead of the ID during installation or if the install fails for any reason.
  • Notifications for scheduled actions should include the resource information when appropriate.
  • GraphQL nested resolver for policyTrunk could return extra results in some cases. We now use resourceId: instead of resource: internally to fix this.

Enterprise

  • Mod install creates Lambda functions with SNS triggers for control types and similar runnables. In versions before v5.27.0 this install would sometimes result in the trigger silently failing to set up. We now detect and repair these (legacy) cases on the next mod install.
  • Policy type updates during mod install could become deadlocked. These errors have been resolved.
  • Cleanup of stale processes was often running duplicates for the same process. We now clean each process once.
  • Dead letter queue handlers should not check the version of the handler, since the primary goal is just to clean up the process.
  • Requires: TEF v1.23.0, TED v1.9.1.

5.27.5 [2020-08-06]

Bug fixes

  • Notification queries have been redesigned to reduce timeouts in the UI in very large environments.
  • Added the control, action or policy type URI to event metadata to assist in analyzing event flow.

Enterprise

5.27.4 [2020-08-06]

Bug fixes

  • Various fixes for the scheduling of controls and calculated policies to be automatically re-run.
  • Policies such as GCP > IAM > Login Names are ensured to be unique across profiles, and include a reverse lookup capability to find the profile for a given login name. This is used most often while enriching incoming events from the provider. This release improves performance of these lookups.

Enterprise

5.27.3 [2020-07-31]

Bug fixes

  • Improved notification queries to reduce timeouts in the UI.

Enterprise

5.27.2 [2020-07-31]

Bug fixes

  • Notification queries had a double read of resource history indexes and data. Fixing this should improve performance of activity lists etc.
  • Process termination should not fail if the control or policy value no longer exists.
  • Policy hierarchy list queries were sometimes sorted in the wrong hierarchy order when multiple smart folders were attached to the same resource.

Enterprise

5.27.1 [2020-07-30]

Bug fixes

  • Actions should run when the Change Window policy is set to Forced Changes Only and they are triggered manually from the console. Force means force.
  • Full text search for type names (e.g. discovery) was not properly matching types with that name in their trunk (e.g. AWS > SQS > Queue > Discovery) - which is frustrating. We've fixed these searches, and improved our model to ensure they are properly maintained going forward.

Enterprise

5.27.0 [2020-07-29]

What's new?

  • GraphQL query policyValues(filter:"policySettingId:1234") to find all policy values derived from a specific setting. Great for calculating the actual impact of a policy setting.
  • Stacks will now claim unclaimed resources even when running in Check mode. This is consistent with our approach to the CMDB in general, and removes a number of weird possible error conditions.

Bug fixes

  • We've added an extra fail safe check for controls and calculated policies stuck in Error or TBD for more than 24 hours to force them to run. We will continue to iron out every possible edge that leads to things getting stuck, but this is a convenient and safe way to reduce the problems if it happens.
  • GraphQL mutation requests are always logged in the audit trail. We were also logging successful responses, but were not logging the error response. Now we do.
  • Scheduled actions were running at the scheduled time, even if it was outside the change window. They will now reschedule themselves into the next change window, just like regular actions do.
  • If multiple scheduled actions were found for a given time, we were only executing the first one. We'll now run all of them.
  • Scheduled action processes were not being terminated cleanly, now they are.
  • Stacks were failing to properly upsert association resources in some cases.
  • Mod installs that fail due to a missing dependency will now show that clearly in the error reason.
  • Resource creation errors are now shown directly, not hidden in a Turbot nested error warning.
  • Azure stacks were failing when using Terraform v0.12.x due to an extra required parameter.
  • Mod resources were including too much data (e.g. test cases) when installed from the registry. They now properly use the head data (not the dist data) for smaller, simpler viewing.

Enterprise

  • TE dashboard now includes details of external events, to help identify noisy tenants.
  • Improved caching and reduced data loading during event handling and task running.
  • Optimized database queries, particularly around stack running at scale.
  • The Turbot ECS task definitions now include Docker labels, for enterprises that are tags all the way down.
  • Careful sequencing of mod Lambda installation relative to SNS trigger registration, which should eliminate or reduce the chance of cases where we see the Lambda and the SNS topic both existing but still not working together.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.26.4 [2020-07-28]

Bug fixes

  • The control detail page was slow to load for some controls. We've given it a pep talk, and performance is now good for all cases.

Enterprise

  • Added back an optimization for dependency calculations where the data is either null or very large.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.26.3 [2020-07-24]

Enterprise

  • When a resource is updated we mark any controls or policies that depend on it as due to run. A defect introduced in v5.25.0 made this match too broad, which created unnecessary re-calculations and load.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.26.2 [2020-07-23]

Enterprise

  • Migration to v5.26.1 could become stuck due to bad or unexpected process records. We now tolerate these records and clean them up as part of the migration.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.26.1 [2020-07-23]

Enterprise

  • Process history should only delete intermediate versions after the process has been terminated.
  • Optimized our locks table in the database, improving performance particularly during polling.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.26.0 [2020-07-22]

What's new?

  • Automatically detect and install new mod versions. The Turbot > Mod > Auto Update policy on each mod allows you to selectively enable this feature, including setting the desired Version Range. Initially our default is to disable this feature, but we expect to change that soon, so please lock the version of any mods you do not want updating. Requires @turbot/turbot mod v5.18.0 or later.
  • GraphQL favorites and watches queries now support resourceId:{aka} in filters.
  • Improved performance of various activity information and views in the UI.

Bug fixes

  • Optimized query to get the last process for a control, which among other things, makes AWS event polling much more efficient.
  • Optimized dependency scanning queries for policy values, which had slowed down in v5.25.0 when we moved away from plv8.
  • Cleaned up more edge case bugs from the UI switch to *Id:{aka} filter queries.
  • If Change Window > Schedule is empty (the default), then Forced Changes Only and No Changes were incorrectly running changes at all times. We now treat an empty Schedule policy as meaning that changes should never be made.

Enterprise

  • Process history is a significant source of database disk usage and growth. This release reworks that approach to store only the most important process data associated with major events. Existing process history will be gradually cleaned up (by approximately to 75%!), and growth will be at a slower rate moving forward.
  • Workspace manager will now validate the TE version and hive name before workspace creation, avoiding complex surprises late in the process.
  • Workspace updates were previously limited to 2 minutes, or would time out (and retry). Workspace updates can now run for up to 15 minutes, which should almost never be necessary, but is critical for very large environments.
  • Requires: TEF v1.23.0, TED v1.9.1. Note: IAM permissions are updated.

5.25.4 [2020-07-17]

Bug fixes

  • Favorites and watches in the UI were missing results.

Enterprise

v5.25.3 [2020-07-16]

Bug fixes

  • Drilldown in the UI was broken in a number of scenarios due to changes in v5.25.0 to optimize our use of *Id in filter queries (e.g. resourceTypeId instead of resourceType). We've identified and fixed a few cases we missed.

Enterprise

v5.25.2 [2020-07-16]

Enterprise

  • Environments using a custom resource name for SSM parameters were failing during upgrade due to tighter permission checks conflicting with code that would check for older fallback settings in /turbot. It's been fixed, clearing a block to upgrades.
  • Requires: TEF v1.22.1, TED v1.9.1

v5.25.1 [2020-07-16]

Bug fixes

  • Switching Terraform versions was not taking effect for stacks. Now it does.

Enterprise

v5.25.0 [2020-07-15]

What's new?

  • Turbot File resources can store arbitrary data (e.g. metadata, application data) in Turbot for use across policies and controls. For example, store application metadata in a File and then reference it for tagging cost centers etc using standard Turbot controls. Files support AKAs for easy cross reference and any change to a file will trigger real-time updates throughout your environment. We can't wait to see what you connect!
  • Turbot managed stacks now support multiple terraform versions, including v0.11.x and v0.12.x. Each stack may target a specific version, giving you flexibility over changes and upgrades. (Migration note: we support most, but not all, features of the HCL and HCL 2.0 languages.)
  • Get process input and dependencies information via the GraphQL process() query.
  • Improved performance of notification queries and activity views.

Bug fixes

  • Saving a policy value through the SDK turbot.policy.ok({foo: "bar"}) was incorrectly doing an update, which would merge the value with the existing policy value. We now do a put, replacing the policy value with the new value (as you'd expect).
  • Long running controls will now be automatically split into chunks at the handling layer, preventing timeout errors. For example, discovering thousands of disk snapshots from a single region could time out when the system was busy; it will now process batches in sequence, ensuring completion.
  • When taking the long road, it was possible to delete a type parent before deleting its children. This led to inconsistent type data, and has now been fixed.
  • Improve handling and logging of Terraform plan and apply failures in Turbot managed stacks.

Enterprise

  • The Postgres plv8 extension is no longer used by Turbot, eliminating a thorn in our side for stability of the database layer. (It is still enabled at the TED layer, but will be removed in coming releases.)
  • Updated operations dashboard with metrics for the separate event handling service added in v5.24.0.
  • Requires: TEF v1.22.0, TED v1.9.1

v5.24.3 [2020-07-10]

Enterprise

  • Installation of a control or policy type during mod install could fail if the underlying metadata was incorrect. This is now handled gracefully.
  • Requires: TEF v1.22.0, TED v1.9.1

v5.24.2 [2020-07-08]

Enterprise

  • AWS credential generation for control runs did not work properly for AWS IAM roles using a path. Now it does.
  • JWT decoding errors now return unauthorized instead of internal error.
  • Reduced logging noise during mod installation.
  • Requires: TEF v1.22.0, TED v1.9.1

v5.24.1 [2020-07-07]

Enterprise

  • Improved error handling and compatibility for workspace installation and upgrades with regard to TED versions that no longer store database roles.
  • Requires: TEF v1.22.0, TED v1.9.1

5.24.0 [2020-07-06]

What's new?

  • Our AWS credentials are now fully partition and region aware, opening the door for our AWS mods to work across partitions (e.g. manage GovCloud or China from Commercial) and with newer regions (e.g. Hong Kong, Middle East).
  • HTTP requests are now automatically redirected to HTTPS at the load balancer level, avoiding awkward timeouts when users go old school.
  • Retrying controls and calculated policies in Error or TBD is very helpful to clean up after a variety of issues. We've expanded our retries to try more in the first hour, and with backoff, all the way out to 56 days.
  • Previously, the stack converted the Terraform configuration to JSON format before executing Terraform. It now uses the original configuration without any conversion or alteration. Note: Some invalid Terraform syntax (e.g. unquoted variable type strings) previously handled by Turbot will now fail since it's not handled by Terraform natively.

Bug fixes

  • Resource deletion through external events could lose the actor information in some cases. We now track it through and report it properly in the CMDB.
  • Policy settings are only valid on the target resource type for the policy (e.g. AWS > SQS > Queue) and any resources above it in the hierarchy (e.g. region, account, folder, Turbot). We were checking this in the UI, but not in the API level, making it possible - even though useless - to set policies on invalid resource types (e.g. set an AWS policy on an Azure subscription). We now properly prevent saving invalid policies.
  • Smart retention actions were timing out in large environments, particularly when it had not been enabled before. We've optimized these queries, so smart retention is faster and more reliable.
  • Fixed the character casing of allowIdpInitiatedSso in SAML directory queries.

Enterprise

  • Incoming events are now handled by a separate service to general API traffic, making it easier to handle surges and providing a smoother user experience under extreme load.
  • Improved performance of type installation during mod upgrades.
  • Improved performance of control handling, with particular focus on discovery which can have large runs of identical resource upsert queries. This improves the overall load profile, particularly while importing very large collections of resources.
  • Expanded error logging in the hive manager, which is used to perform database migrations during version upgrades. If things go wrong, the underlying error should now be clearer.
  • The connectivity checker Lambda function is used to check the current permissions and network access in the installation account. We've expanded the logging and made the timeout optional for more information and flexibility, particularly against network timeouts.
  • SNS topics used to send commands to Mod Lambda functions are now set up with encryption enabled during mod install. This will be enabled as mods are upgraded or reinstalled.
  • Requires: TEF v1.22.0, TED v1.9.1

5.23.2 [2020-06-30]

Bug fixes

  • Automatically triggers any controls or calculated policies that may have missed their trigger due to the resource update defect added in v5.23.0 and fixed in v5.23.1.

Enterprise

5.23.1 [2020-06-30]

Bug fixes

  • A change in v5.23.0 broke automatic running of dependencies when a resource is updated. We've also expanded our testing to cover this case.

Enterprise

5.23.0 [2020-06-29]

What's new?

  • Filter results can now be sorted by any path in the data object. For example, sort:$.QueueUrl or sort:$.Tags.environment. Null values are returned last.
  • GraphQL process(id:"1234") queries now return the last version of the process, even if it has been terminated. Which is what users expected all along.

Bug fixes

  • Deletion of fundamental Turbot identities (e.g. Turbot, or Unidentified User) is now blocked.
  • Filter queries with resource:undefined, while not expected, should be handled gracefully. Now they are.

Enterprise

  • Resource creation is approximately 4 times faster for the typical case (e.g. AWS S3 Bucket), and even better for resources with a large number of controls or policies (e.g. Azure Subscription). Primarily this was achieved by redesigning our model for dependency checks and triggers.
  • Mod installation is a significant operation, and tied to the number of resources affected. This release breaks up the process into separate steps per control type and policy type. Install now takes a little longer, but is more robust for very large workspaces.
  • API containers use AWS credentials for access to various services (the task role). Sometimes, retrieving these credentials from the metadata service has a timeout, leading to unexpected access denied errors. We've added logging for this case and increased the backoff / retry settings.
  • Low level functions in the database for JSON updates and differences relied on plv8. This is convenient, and performant, but makes the database more prone to unexpected (and particularly evil) crashes under load. We've rewritten these functions into native sql and plpgsql to improve stability.
  • Control and policy updates were overly aggressive in locking their dependency data, slowing down those operations. We've streamlined our approach, which should smooth control running at scale.
  • Updated our API server keep alive timeouts to match those expected by the load balancer, which should prevent nasty 502 errors that were very visible to users but both random and very quiet in our logs.
  • Fixed a crash when attempting to retrieve mods from the registry without valid credentials.
  • Any policy full text search data broken in v5.22.0 will be repaired by this upgrade.
  • Added a maintenance job to clean up old Lambda functions created through local mod development.
  • Requires: TEF v1.21.0, TED v1.9.1

5.22.3 [2020-06-24]

Enterprise

  • Stale processes are cleaned up after 45 mins. Instead of giving up, we'll now schedule them to be retried.
  • Requires: TEF v1.21.0, TED v1.9.1

5.22.2 [2020-06-22]

Enterprise

  • Worker Lambda functions now have a dead letter queue. We already have a DLQ for the SQS queue feeding them, but wanted to ensure we capture the (theoretical, but unlikely) case where a message is successfully taken from SQS but not successfully processed by the Lambda function.
  • Made cleanup of temporary directories more resilient against unforeseen errors.
  • Requires: TEF v1.21.0, TED v1.9.1

5.22.1 [2020-06-22]

Enterprise

  • Resource create operations are now about 35% faster for a typical cloud resource. Another step smoothing the import experience at enterprise scale.
  • Worker Lambda functions could run out of disk space if used for a number of large commands. We've fixed the temp data cleanup to cover this case.
  • Our efforts to expand the search data for policy settings to include the value ended up removing other important data (e.g. the title) during updates.
  • Requires: TEF v1.21.0, TED v1.9.1

5.22.0 [2020-06-19]

What's new?

  • Terraform stacks managed by Turbot were limited to 1-1 relationships between Terraform resources and Turbot CMDB resources. We now support a variety of relationships making them cleaner and more flexible. For example, a single aws_security_group_rule resource can map to several AWS > VPC > Security Group Rule resources in Turbot. Also, association resources (which exist only in Terraform) like aws_vpc_dhcp_options_association can now be managed inside existing Turbot resources (VPC or DHCP Options) without the need for an extra (and confusing) association resource.
  • Full text search of policy values will now also match on the actual value of the policy, not just its resource and policy type titles.

Bug fixes

  • If there is a Terraform error during a stack run, any resources which were successfully created are claimed and upserted. This reduces problems with duplicate/unclaimed resources when the stack re-runs.

Enterprise

  • External messages are received in Turbot via our webhook. During upgrades, there can be a delay in the change of DNS from the old version to the new version, causing events to be received by the old version. Rather than processing them in the wrong place (since the workspace has been upgraded), we redirect many of these requests to the new version. Unfortunately, a defect meant that for external events we were redirecting them to the new version but not updating their webhook signature, so the new version would reject the event. This has been fixed so events will flow smoothly even if the workspace DNS does not point to the correct workspace version endpoint.
  • Controls and policies make decisions and send commands back to the Turbot handler like "upsert resource" or "set control to OK". In most cases, we'd group these updates into a single transaction for completeness. But, the size of the command set is not easily controlled (consider discovery of thousands of resources from a provider where paging is not supported) and resulted in very large transactions, creating risk and load. Mods are designed for idempotency, so this transaction had limited value. So, we now break the commands up into single operations and apply them in order - reducing conflicts and risk.
  • One database function had a crash condition that could slip through, causing the ugliest of database segmentation faults. We've tracked it down and now handle it without panic.
  • Our database connection pools in API and workers were not properly handling unexpected errors from the database (e.g. a crash), causing the API and worker process to also crash. We now catch and log these errors properly.
  • Workspace and mod installation create a small number of resources like Lambda functions, SNS topics and SSM parameters. These now inherit custom tags added in the TEF stack, supporting enterprises with very specific tagging requirements for their Turbot primary account.
  • Each Turbot Enterprise version installs minimal IAM policies and roles specific to its requirements. Some customers prefer more control over IAM management, so we now support BYO-IAM with parameters for all IAM entities required in the Turbot primary account.
  • Improved performance of control and policy value dependency management.
  • Terraform stack creation used to trigger a stack run for each newly configured resource - which creates unnecessary load and work. We've optimized this flow to realize the resource is new and properly configured, avoiding those runs.
  • Requires: TEF v1.21.0, TED v1.9.1

5.21.1 [2020-06-11]

Bug fixes

  • If two processes attempted to update the same resource in parallel, we'd see constraint errors in some cases. Specifically, process A starts, process B starts, process B gets the lock first and updates the resource, then process A (blocked behind B) gets the lock. Process A would fail with a timestamp constraint error. This is now fixed, and high throughput situations are running much smoother (e.g. stacks, mod install).

Enterprise

5.21.0 [2020-06-10]

Active Directory / LDAP Integration

  • Connect Turbot to your Active Directory or LDAP system. Use your existing identity management system to manage all Turbot and cloud access.
  • Continuously synchronize users and group memberships (including nested groups) into Turbot. Automatically disable access when users leave. Update group memberships on login. Ensure instant access and permissions for new Turbot users.
  • Seamlessly search your internal directory and assign permissions in Turbot. Build exact least-privilege models by combining your internal groups with the Turbot resource hierarchy for permissions.
  • Works seamlessly with SAML, allowing trusted authentication combined with instant and continuous synchronization.
  • Automatically integrates with Turbot's permission expiration and temporary elevation capabilities. Also works with our full stack cloud IAM model for per service permissions. For example, grant App Team A from LDAP the AWS/Admin permission until the end of the week (their setup period).

What's new?

  • Controls can now access detailed information about the maintenance mode, including the type of trigger and if the change window is currently open. They can also use turbot.set("nextRun", "CHANGE_WINDOW") to deliberately target actions to the next available change window.
  • Turbot generates temporary AWS credentials for each mod run. Those credentials are now based on the STS endpoint for the target resource - e.g. if running a control for an EC2 instance in ap-southeast-2 we'll create credentials using that region.
  • We now block the @turbot/turbot and @turbot/turbot-iam mods from being uninstalled. They are our heart and soul.

Bug fixes

  • Concurrent updates to the same resource were not properly sequenced using locks. Now they are, and conflicts have been reduced.
  • Directory create dropdown was blocked in the UI by a bad overlay. It's now visible.
  • upsertResource was incorrectly validating against the full (updated) data rather than the request data, which could lead to validation warnings if the update schema specifically required existing fields to be excluded. We now validate against request data.
  • Incoming events must be evaluated against the webhook secrets. If we cannot retrieve those secrets we'll now immediately stop execution.
  • Mods can choose their behavior under various maintenance mode conditions (e.g. CMDB controls should always run). If it is changed by a mod author we'll now properly update this setting during mod update.

Enterprise

  • Controls running in a container (e.g. stacks) are passed temporary data via an S3 object. These objects are now deleted immediately on process termination, rather than waiting for daily S3 lifecycle jobs.
  • IAM permissions for ECS tasks to access ECR images have been further tightened to only the specific resources required. When it comes to IAM policies we are minimalists.
  • Requires: TEF v1.19.1, TED v1.9.1

5.20.3 [2020-06-11]

Bug fixes

Enterprise

5.20.2 [2020-06-04]

Enterprise

  • We added checks in v5.20.0 that a Lambda function is installed and available before it will be run as part of a control or action. These checks work well for controls (the primary case) but have been disabled for actions (which were hanging).
  • Requires: TEF v1.19.1, TED v1.9.1

5.20.1 [2020-05-28]

Enterprise

  • Turbot is frequently throttled by the SSM service because the Worker Lambda fetches our feature flags from SSM at startup. Turbot now reads the flags from an environment variable instead.
  • Requires: TEF v1.19.1, TED v1.9.1

5.20.0 [2020-05-28]

Security

  • Since v5.17.0, permission checks were not properly checking the disabled status of inherited groups. Consider user A in group X which is in group Y, where group Y was granted Turbot/Admin permission. If group Y is enabled, then group X and user A inherit the Turbot/Admin permission. But, if group Y is disabled then its permissions should no longer be available to group X or user A. We now correctly check the group disabled flag for inherited groups as part of permission evaluation. (Note that the disabled flag check was always working correctly for users, directories and direct groups like X above; just not indirect groups like Y.)
  • A low-level policy setting updated from being an exception (required under required) to an orphan (recommended under required) would not properly re-evaluate policy values using the (now orphaned) setting. Consider this sequence: 1. Set AWS > S3 > Bucket > Approved as Required to be Check: Approved on AWS Account 1234. 2. Set an exception as Required to be Skip on my-bucket. 3. At this point, the effective value is Skip for my-bucket. 4. Update the policy from Required to Recommended as Skip on my-bucket, making this policy setting an orphan and ineffective. 5. At this point, the effective value should be Check: Approved on my-bucket; but because of this defect, it was not re-evaluated so remained as Skip. This release properly handles this scenario, and triggers affected policy values to be re-evaluated to match their true effective setting (instead of the orphaned setting).
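
The inherited-group case in the first Security item above, as an added illustration in Python. This is not Turbot's code: the `User`/`Group` model, the `check_indirect` switch and the sample data are assumptions made for this example. It evaluates permissions with and without the disabled check on indirect groups and reports what a user held only because that check was missing.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    disabled: bool = False
    grants: set = field(default_factory=set)        # permissions granted to this group
    member_of: list = field(default_factory=list)   # groups this group is nested in


@dataclass
class User:
    name: str
    disabled: bool = False
    grants: set = field(default_factory=set)
    member_of: list = field(default_factory=list)   # direct groups


def effective_permissions(user, check_indirect=True):
    """Permissions held directly or through (nested) group membership.

    check_indirect=False models the defect in the release note: the disabled
    flag is honoured for the user and for direct groups, but not for groups
    reached through another group.
    """
    if user.disabled:
        return set()
    perms = set(user.grants)
    seen = set()
    stack = [(g, True) for g in user.member_of]      # (group, is_direct)
    while stack:
        group, direct = stack.pop()
        if group.disabled and (direct or check_indirect):
            continue                                  # disabled: no grants, no traversal
        if group.name in seen:
            continue                                  # nesting may contain cycles
        seen.add(group.name)
        perms |= group.grants
        stack.extend((parent, False) for parent in group.member_of)
    return perms


def exposed_by_missing_check(user):
    """Permissions the user had only because indirect groups were not checked."""
    return effective_permissions(user, check_indirect=False) - effective_permissions(user)


def build_sample(y_disabled):
    """Constructed data matching the note: user A in group X, X in group Y."""
    y = Group("Y", disabled=y_disabled, grants={"Turbot/Admin"})
    x = Group("X", member_of=[y])
    return User("A", member_of=[x])


if __name__ == "__main__":
    for flag in (False, True):
        a = build_sample(y_disabled=flag)
        print(f"Y disabled={flag}: "
              f"without check={sorted(effective_permissions(a, False))} "
              f"with check={sorted(effective_permissions(a))} "
              f"exposed={sorted(exposed_by_missing_check(a))}")
```

Running `exposed_by_missing_check` over every user in a directory export gives a review list of grants that were reachable only through a disabled indirect group.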

What's new?

  • GraphQL queries to get a resource will return an error if the resource is not found. We now support resource(id:"{aka}", options: {notFound: RETURN_NULL}) for cases where execution should continue either way.
  • The test resource browse dropdown in the calculated policy editor will now automatically select the current resource by default.
  • Improved performance and scalability of large scale changes to policy values (e.g. during mod install) and dependency trigger checks.

Bug fixes

  • Update policy setting mutation was not blocking operations on read-only policies. Now read-only means read-only and updates will return an error.
  • When executing a large number of upsert commands in parallel (e.g. import or stack control) it's possible for the same resource to get created twice in parallel (e.g. stack record from Turbot competing with a real-time event from the cloud provider). We now protect against these conflicts, smoothing large operations.
  • Changes to Terraform state information in the CMDB were not properly triggering dependencies, causing controls to be re-triggered. Stacks are now smoother and more accurate.
  • Control Installed control will no longer fail if the Mod URL has expired. It will stop the current process and, most importantly, it will not change the current state of the control. Previously, if the Mod was installed > 6 days, the Control Installed state would be set to OK.
  • Create child resource should validate the AWS Account ID on blur. It's not an error until they are done entering the ID.
  • Login buttons for cloud accounts were not appearing if the user only had permission for a specific service (e.g. AWS/S3/Admin). Now they do.
  • Filter queries like policyTypeId:undefined would crash. Since the request is not specific, we'll now ignore this invalid input and continue the query.
  • Feature flags now support backoff and properly stop the process if retrieving them fails.

Enterprise

  • Runnables like controls and calculated policies use Lambda functions for function execution. By default, for security & stability, these functions run outside the VPC. For organizations wishing to inspect and control all network traffic, we now support running of these Lambda functions inside the VPC.
  • Executing a runnable before its Lambda function is installed and active would result in an error, which is noisy (particularly when using the slower Lambda in VPC model). We now leave the control in TBD state and automatically retry.
  • Requires: TEF v1.19.1, TED v1.9.1

5.19.5 [2020-05-22]

Enterprise

  • S3 process logs would fail to save in a small set of cases for the small set of customers using a fixed process log bucket name.

5.19.4 [2020-05-21]

Enterprise

  • Stacks were not properly running for AWS Gov Cloud environments since our change to ECS optimized Amazon Linux 2 in TEF v1.17.0. We relied on the AWS_REGION environment variable, which is no longer published in that newer image. This release fixes our environment check.
  • Requires: TEF v1.18.1, TED v1.8.0

5.19.3 [2020-05-20]

Enterprise

  • The new maintenance container was not properly built in our production artifacts. This release fixes that build.
  • Requires: TEF v1.18.1, TED v1.8.0

5.19.2 [2020-05-19]

Enterprise

  • Turbot is designed to support multiple workspaces as subdomains, using a repeatable format. But, workspaces may also be configured using a custom alternate URL. This release fixes an issue with the way we tracked and managed that alternate URL, ensuring it was used in all cases for logging and routing.
  • Requires: TEF v1.18.1, TED v1.8.0

5.19.1 [2020-05-15]

Bug fixes

  • Fixed error when deleting a grant from the permissions list in the UI.

Enterprise

5.19.0 [2020-05-14]

What's new?

  • Azure client key is now hidden as a secret in the UI during subscription import.
  • Calculated policy modal now shows the test resource as a link, for convenient viewing of the available data.
  • SAML directory setup will now automatically turn on group synchronization (per policies).

Bug fixes

  • Resources list was not immediately updating when browsing the hierarchy. Now it does.
  • The process dialog should only display the Terminate button if you actually have permission to terminate the Turbot process.
  • Controls with deferred actions based on the Maintenance Window were not properly re-run if the control had changed state in the first run. Now they do.
  • Smart Folder breadcrumb fixed with the correct destination links.

Enterprise

  • A new maintenance container has been added to perform general cleanup duties, such as cleaning and migrating process logs into our new TED-based S3 buckets.
  • All process logs are now stored in TED-based S3 buckets with improved naming, lifecycle and encryption controls.
  • Support for TEF Flags, giving us more flexibility to innovate and gradually deploy features.
  • Dashboard response time metrics now track the maximum instead of average.
  • API container scaling capacity min and max has been fixed to work correctly.
  • Requires: TEF v1.18.1, TED v1.8.0

5.18.1 [2020-05-06]

Bug fixes

  • Turbot maintains a complex set of dependencies between controls and policies. One of the more complex cases to track is the use of lists (e.g. resources(filter:"")), which change as items are added, changed or removed. Our structure here was too slow, causing timeouts in large scale operations in large workspaces. We've optimized the structure and queries so operations like mod install and account import should be faster and more reliable.

Enterprise

5.18.0 [2020-05-05]

Bug fixes

  • Using Azure credentials from US Government Azure AD requires a specific authentication context endpoint (for some tenants).

Enterprise

  • Support for "Allow Self-Signed Certificates" parameter from TEF, which enables Turbot to work in environments where a self-signed proxy is used to access external services like Azure or AWS.
  • Requires: TEF v1.16.0, TED v1.7.0

5.17.1 [2020-05-01]

Enterprise

  • We track various logs in S3 (e.g. process, input queries). We've updated this storage with better key prefixes for data management and lifecycle targeting. (Primarily a change in v5.17.0, but immediately tweaked in v5.17.1 before release.)

5.17.0 [2020-05-01]

What's new?

  • SAML group synchronization. Turbot can now detect group memberships during SAML login by users and automatically represent those groups and relationships in the Turbot IAM model. Grant permissions to the group, and then any user new to Turbot will automatically get the appropriate permissions on login.
  • Error messages from controls are now prominently displayed as the reason and details, making problems easier to diagnose without digging through logs.
  • We now show directory information while granting permissions to a profile or group profile.

Bug fixes

  • Calculated policies in TBD or Error were not automatically retried in all cases. You should see fewer policies getting stuck now, especially during account import.
  • Each control and policy waits in TBD until all policies it depends on are in an OK state. We were not triggering the waiting policy to re-run when its dependency moved to OK. Now we do.
  • Mod versions must now be valid semantic version format. We admired the creativity, and love potatoes, but vegetables are not easy to digest as version numbers.
  • Process logs list would crash if passed an invalid log level. Obviously that was an overreaction, so now we just return a bad request error.
  • Concurrent events could cause a database deadlock when both trying to mark the same control as due to re-run.
  • Immediately after a mod update the UI would show two versions as currently installed. And now, there is one.
  • Policies set to 0 were not displaying the value in the control detail page.

Enterprise

  • As scale increases, audit trail logging could fail due to conflicts when writing. Log stream names are now unique for each workspace, version, container combination.
  • API health timeout increased to 30 seconds. Our previous setting was too aggressive and would cause unnecessary web server replacements.

5.16.0 [2020-04-24]

What's new?

  • The external role ID is now optional (but still recommended) when importing an AWS account.
  • Resource creation and updates via Terraform or GraphQL now prevent setting an invalid parent type - e.g. an Azure subscription should not be a child of a directory. Previously we allowed it but logged a warning.
  • Reviewed and optimized smart folder performance, increasing reliability and scale. Smart folders let you do more (e.g. policy settings) over a wider scope (e.g. many accounts) faster (e.g. single operation).
  • Filters now have sort:rank to order results by their full text search rank.
  • Mod runnable functions now default to using nodejs v12 (up from v10).
  • Use mode:node in controlSummariesByResourceType to see control data organized by resource type (e.g. AWS > S3 > Bucket).

Bug fixes

  • Controls and calculated policies are automatically triggered by changes to their input. Because the input is calculated before the run, a type could not depend on or be triggered by resources it created. Complex controls like Terraform stacks need this capability. So, types may now specify that their dependencies should be recalculated after a run. TLDR - complex controls will be triggered more reliably.
  • Turbot automatically calculates dependencies for every control and calculated policies, including filtered lists. This was working correctly for filters like resource:<id>, but not correctly handling cases like resource:<aka>. We now match and automatically trigger for these AKA cases as well.
  • Large scale deletions would sometimes fail with a conflict error caused by our efforts to track the original actor through many levels of events. Our brave developers have returned from deep in the events jungle with a fix.
  • Smart folders in the policy detail page could show as duplicates in complex configurations. One is enough.

Enterprise

  • Usage reporting is now incorporated to assist with billing. The data is aggregated by control type and does not include customer specific metadata (e.g. resource names are not reported). Opt-out is available when appropriate.
  • Ongoing cleanup of error messages and logging to reduce noise (e.g. S3 getObject errors for the new log locations) and improve traceability.

5.15.0 [2020-04-15]

Warning

  • Requires TEF v1.13.0 and TED v1.7.0. Please upgrade in order: TEF, TED, then TE.
  • Turbot > Maintenance policies (added in v5.14.0) have been renamed to Turbot > Change Window. Please upgrade @turbot/turbot to v5.11.0 to access these policies.

What's new?

  • Resource statistics now support mode:node to aggregate by specific nodes rather than the default (mode:lca) which rolls the data up to a common ancestor. For example, resourceSummariesByResourceType(filter:"mode:node").
  • New GraphQL query resourceSummariesBySmartFolder, to aggregate resources by smart folder.
  • Expanded logging to assist with troubleshooting: GraphQL errors are now shown in the process log, and errors in event handling will log the full payload.
  • Added flexibility to filters: filter resource categories by resourceType:, filter resource types by resourceCategory:, filter control categories by controlType:.
  • Notification filters now support exact matching with resourceId:{aka}, controlTypeId:{aka}, etc.
  • Favorites are now sorted by title on the home page.

Bug fixes

  • Policy evaluation was not triggered correctly when multiple smart folders were attached above a resource. We've expanded our testing and fixed a number of edge cases.
  • Mod updates that add targets to an existing policy type should create policy values for all instances of the new target resource types.
  • It should be possible to grant multiple custom roles to the same user on the same resource.
  • Smart folders defined in the UI were incorrectly limited to 64 character titles. Express yourself.
  • Policy detail page should support large number of smart folder attachments.

Enterprise

  • Added CloudWatch alarms to the dashboard to monitor queue health and unhealthy hosts.

5.14.6 [2020-04-14]

Bug fixes

  • Stack execution was broken in the build of v5.14.4. They will now run correctly again.

5.14.5 [2020-04-12]

Enterprise

  • Short term internal caching of policy type information was corrupted in some cases. This fix will reduce not found errors.

5.14.4 [2020-04-08]

Enterprise

  • Process data in S3 was not working correctly in multi-region installations with randomized bucket names.

5.14.3 [2020-04-08]

Bug fixes

  • Optimization work in v5.14.0 broke the display of resource summaries for users that are not granted Turbot/Metadata at Turbot level specifically. Which wasn't exactly optimal, so it's been fixed.

5.14.2 [2020-04-08]

Bug fixes

  • Terraform stacks run by Turbot can claim existing resources, automatically bringing them under management. We discovered a long standing bug where we were doing the hard work to claim, but not actually saving the claim information - meaning that claims didn't work effectively.

5.14.1 [2020-04-07]

Bug fixes

  • Eradicated various edge cases causing the API container to crash, increasing overall stability.

5.14.0 [2020-04-07]

Warning

  • Use @turbot/turbot v5.6.0 to access policies related to new features.

Security

  • Since v5.0.0, Turbot access keys created by a Local Directory user would still successfully authenticate even after the user was made inactive or deleted. With this fix, those invalid keys will now correctly fail authentication. No further action is required.

What's new?

  • Use Turbot > Maintenance policies to define the period of time when Turbot is permitted to apply changes to resources. (Note: Renamed to Turbot > Change Window in v5.15.0.)
  • Use Resource Type interfaces in filter queries, e.g. resourceType:'@turbot/turbot#/resource/interfaces/grants' resourceTypeLevel:self. Easily query resources from any mod that implements the interface.
  • Aggregation queries have always automatically calculated the longest common ancestor (mode:lca), grouping results appropriately (e.g. AWS). A new mode:node will group results by their specific node (e.g. AWS > S3 > Bucket).
  • The policy setting modal now asks for confirmation on cancel or close if you have unsaved work.
  • Notifications displayed on the resource detail page can now be filtered by type. More filtering, less scrolling.
  • Hovering a resource type in the left navigation bar will now show the URI.
  • Clicking a section (e.g. alarm) of the control summary chart now filters the entire chart to that state.
  • Use Turbot > Workspace > Retention > Debug Log Retention to automatically clean up old debug logs from RDS.

Bug fixes

  • Custom Role permissions will now show the actual name of the custom role in the UI, an important capability when you have more than one.
  • The test resource is now optional in the calculated policy editor, so it works even if you have no existing resources of the required type.

Enterprise

  • Use of a database read replica is no longer required in the region where the primary database resides. This provides a significant cost saving, as in many cases the read replica has low utilization anyway. A read replica is still required in additional regions, ensuring data is available for faster failover.
  • The events webhook API will no longer log to the Audit Trail. It was very noisy, expensive for ingest and adds little value compared to the audit trail of user actions.
  • Process data is now stored in S3 instead of RDS. This reduces database growth by about 40% from v5.12.x and earlier.
  • Further clarified and reduced IAM permissions granted to various functions in the Turbot core.

5.13.0 [2020-03-27]

Warning

  • Requires TEF v1.9.0 or later.

What's new?

  • Performance improvements for deleting large collections of resources (e.g. an account or project).

Bug fixes

  • The Turbot root resource should not allow editing or smart folder attachments. So, now they are blocked in the UI.
  • Invalid dependencies in mod definitions should not crash the mod installation process.

Enterprise

  • Process logs are now stored in S3 instead of RDS. This reduces database growth by about 20% from v5.12.x and earlier.
  • Optimized dependency matching, particularly for new fields at the root level of an object. This reduces unnecessary control runs and policy calculations, a specific example being the upcoming account alias field for AWS.

5.12.2 [2020-03-23]

Enterprise

  • Revert performance improvements around policy value updates, they were triggering too often.

5.12.1 [2020-03-20]

Bug fixes

  • Mods with more than 300 types were failing during installation.

Enterprise

  • Creating indexes on the notification table may time out for large workspaces.

5.12.0 [2020-03-19]

What's new?

  • Expanded filter support for array data. Match a specific index (e.g. 0) with a query like $.EncryptionAlgorithms.0:SYMMETRIC_DEFAULT or any item in the array using a splat (.*) like $.Policy.Statement.*.Action:'kms:*'.
  • Optimized queries for notifications and action history.

Bug fixes

  • Improved database error handling to prevent hard crashes.
  • Filter searches with quoted strings were not parsed correctly, leading to errors and bad results.
  • Controls and calculated policies were not being properly triggered by changes related to the new filter types of resourceId:, resourceTypeId:, etc.

5.11.0 [2020-03-12]

Warning

  • Requires TEF v1.6.0 or later.

What's new?

  • Control filters support state:active, a simpler way of asking for state:alarm,invalid,error,ok.
  • Simplified the home page controls chart to only show active controls.
  • Improved error messages when the GraphQL input to a control fails, making troubleshooting easier.

Bug fixes

  • In some cases, automatic retry of controls and calculated policies could toggle back and forth from Error to TBD indefinitely. It will now back off and stop as expected.
  • Permissions should not be grantable on smart folders.

Enterprise

  • Improved performance of resource upserts.

5.10.0 [2020-03-06]

What's new?

  • Control Summary now shows active controls by default, reducing the noise and complexity from lower priority controls in Skipped or TBD state.
  • Search controls by keywords in their type, reason or resource details. For example, s3 bucket tags.

Bug fixes

  • Policy detail page was not showing settings on attached smart folders. Now it does.
  • Editing an existing policy setting with a recommended precedence would show it as required precedence in the editor.
  • During a workspace upgrade, events may briefly be sent to the old version. They now queue for retry on the new version.

v5.9.1 [2020-03-06]

Enterprise

  • Fixed: Our API Gateway proxy used by some customers was broken in v5.9.0, stripping the URL passed through to the Turbot server too aggressively.

v5.9.0 [2020-03-03]

Warning

  • Turbot/Owner now includes Turbot/Admin rights.

What's new?

  • Turbot/Owner is now defined as Turbot/Admin plus permission management. Previously Turbot/Owner was Turbot/Metadata plus permission management. This simplifies our permission management model and aligns better with user expectations. It does reduce our inherent segregation of duties, but Turbot/Owner could always have granted themselves Turbot/Admin rights anyway.
  • Notification filters now support full text search of the resource details. Makes it easy to get the full history of deleted resources e.g. i-abcd12341. Simplified type matching with collective matches like notificationType:resource, and specific matches like notificationType:controlDeleted. Support for tags: and $.{field}: has also been added.
  • Expanded exact matching in control, policy value and policy setting filters to include resourceTypeId:{aka}, controlTypeId:{aka}, policyTypeId:{aka}, resourceCategoryId:{aka} and controlCategoryId:{aka}. The existing fuzzy match filters (e.g. controlType:{fuzzyAka}) remain unchanged and more convenient.
  • Google login now redirects to the originally requested URL after successful authentication. Doing our bit to reduce your tabs.
  • The webhook GraphQL query needs a resource for context, so we now accept one as an argument.
  • The calculated policy editor now supports the full range of nunjucks filters. Enter and test your calculated policies with filters for json, yaml, alphanum, date, hex, pascalCase, snakeCase and camelCase.
  • Terminate "stuck" processes from the UI.

Bug fixes

  • Switching between policy settings and values in the UI will now preserve your search query.
  • Scrolling through children in the left navigation bar was failing after 2 pages of data. You can now scroll in support of all your children.

v5.8.6 [2020-02-19]

Bug fixes

  • Policy dependencies widget on the policy detail page was entering an infinite retry loop in some cases.

v5.8.5 [2020-02-15]

Bug fixes

  • New GraphQL queries for user and group data related to upcoming features were accidentally released early. They've been removed for now, please enjoy the sense of anticipation.

v5.8.4 [2020-02-14]

Bug fixes

  • Infinite scrolling in the resources pane of the left nav was broken for long lists in v5.8.0. It now scrolls smoothly again.

v5.8.3 [2020-02-13]

Bug fixes

  • We tried to remove unsafe_event to tighten Content Security Policies in the browser. But CodeMirror editors require it, so we've allowed it again for now.

v5.8.2 [2020-02-13]

Bug fixes

  • Mod resources can store metadata. This is currently called metadata (duh). Previously it was turbot.metadata and then turbot.custom, but those are now deprecated. This fix restores part of their functionality cleaned up in v5.8.0 that is still used by some older mods.

v5.8.1 [2020-02-13]

Bug fixes

  • Errors during mod install should set the state to error.

v5.8.0 [2020-02-13]

What's new?

  • Controls in Error or TBD state will now be automatically rerun after approximately 5 mins, 1 hr, 4 hrs, 1 day and 3 days (final). This should automatically clear the vast majority of "stuck" controls.
  • Specific GraphQL mutations for managing Turbot IAM objects like directories and profiles (e.g. createSamlDirectory). These are simpler to use, consistent with terraform and allow tighter validation of relationships.
  • Policy setting filters now support is:exception, is:orphan, is:expired, is:active, is:required, is:recommended. As usual, they work with "and" queries is:exception is:expired, "or" queries is:exception,orphan and negations !is:expired.
  • Policy value filters now support is:calculated and of course !is:calculated.
  • Expanded exact matching in resource list filters to include resourceTypeId:{aka}, controlTypeId:{aka}, policyTypeId:{aka}, resourceCategoryId:{aka} and controlCategoryId:{aka}. The existing fuzzy match filters (e.g. controlType:{fuzzyAka}) remain unchanged and more convenient.
  • Login redirect to Azure Government subscriptions via the UI.

Bug fixes

  • Calculated policies producing object data (e.g. a tags template) were having the new value merged with the old value. It should have been replacing the entire object with the new value.
  • Clicking a specific state bar (e.g. Error) for a specific row (e.g. us-east-1) in the Controls Summary Chart should filter to both the correct data (i.e. us-east-1) and the desired state (i.e. Error).

v5.7.2 [2020-02-07]

Bug fixes

  • Mod installations that update a policy type will recalculate policy values for that type (ensuring they are up to date). In some cases, this process would briefly clear the policy value before setting it again. Generally you'd never notice, but this could trigger unexpected control or policy changes.

Enterprise

  • Some complex JSON operations are performed deep in the database layer. When they are good, they are very very good. When they are bad, they are now caught and logged for later review.

v5.7.1 [2020-02-07]

Skipped due to technical difficulties.

v5.7.0 [2020-02-06]

What's new?

  • Faster browsing experience through all filter pages. We feel your need for speed.
  • Filter to an exact resource ID or AKA using resourceId:{aka}. The existing resource:{fuzzyAka} is simpler and super intuitive, but can have multiple matches since it does a fuzzy match (partial, case insensitive) on resource AKAs.
  • New users now have a default favorite (Turbot root) and a clear warning if they have been added with no permissions.
  • Controls summary added to the home page.
  • Automatically run Policies and Controls on a set interval (e.g. daily). This interval can be defined on the type itself, or customized using the Interval policy.

Bug fixes

  • GraphQL query resourceVersion should check permissions on the specific version, not on the (potentially deleted) item.

v5.6.1 [2020-01-30]

Bug fixes

  • Listing resources at the Turbot level should not accidentally include searchable user profile information. You may need to see those profiles, but not all the time.

v5.6.0 [2020-01-30]

What's new?

  • Resource and control filter queries are a lot faster. The sort of speed improvement that should be noticed by everyone, not just its loving parents.
  • Searching for a Turbot ID (e.g. 12345) will now find the resource with that ID. Just as you'd expect it to.

Bug fixes

  • Smart folders should be blocked from being attached to smart folders.

Enterprise

  • Improved logging of AWS SNS subscription confirmation requests, providing more information to help debug during installation into complex custom networking environments.

v5.5.0 [2020-01-22]

What's new?

  • Turbot Directory type. Optionally allow authentication into your workspace by users registered at turbot.com. Eventually this will be the default directory for new workspaces, making setup easier.
  • Improved performance of the Permissions tab.
  • Updated GraphQL documentation for many object and input types.

Bug fixes

  • Smart folder detachment was not triggering policy values to be recalculated. Now it does.
  • Imagine smart folder X is created under a parent resource A. To prevent cycles, X may be attached to any descendant of A, but not to A or its ancestors. After enjoying a number of "chicken or the egg" jokes, we're now correctly blocking X from being attached directly to its parent A.
  • GraphQL queries from runnables (controls and calculated policies) may use resource { data } to get the full object information. This is rare and not great style, but we will now fulfil the query (instead of passive aggressively always returning null).
  • Historic activity records for deleted resources should not silently eat their dropdown (hamburger) menus.

Enterprise

  • Requires Turbot Enterprise Foundation v1.3.0 or later.
  • Optimized resource creation and updates, smoothing database utilization.

v5.4.1 [2020-01-15]

Enterprise

  • Turbot containers need the ability to create CloudWatch Log streams. Our least privilege improvements in v5.4.0 went too far to less than least in this case.

v5.4.0 [2020-01-14]

What's new?

  • Easily delete any resource (and its descendants) from the left navigation bar in the UI.
  • Faster loading of counts into tab headings (e.g. number of resources).
  • Documentation for GraphQL policy types and data.
  • Simplified the policy setting create and update modal by moving the precedence input into the advanced section. Most users create policies in Required mode, and using Recommended is really only for more advanced policy designs.
  • Summary charts have been removed from the policies tab. Enjoy the cleaner look with a focus on policy list data.

Bug fixes

  • Resource inserts were actually slowed by work we'd done to improve concurrency. That has been rectified, so larger activities (e.g. cloud account import) should now run faster and more reliably as they did before.

Enterprise

  • Reduce scope of CloudWatch Logging permissions granted to Fargate when executing Turbot tasks.

v5.3.0 [2020-01-09]

What's new?

  • Users can now subscribe to notifications for changes to resources, controls and more.

Bug fixes

  • Commands sent from mod controls back to Turbot may be split into multiple messages due to size limits. Occasionally we receive them out of order, and were hanging in these cases. You will see a lot fewer processes getting "stuck" now.
  • Large scale resource upserts triggered by complex Terraform stack runs revealed two edge cases - we were not always saving the terraform information (which causes unnecessary rework) and we were not always safe against concurrent inserts. Both are now fixed.
  • Events with errors are sent to a dead letter queue for cleanup. Our handler was not correctly logging these errors. Hopefully there won't be many of these errors, but at least now they are visible when they exist.

v5.2.0 [2020-01-09]

What's new?

  • Only show Revoke All permissions in the UI if the user has Turbot/Owner permission at the Turbot root level.

Bug fixes

  • The GraphiQL component for Developers now displays scrollbars as that team originally intended, instead of being forcibly removed by our overzealous CSS.
  • Toggling between the policy settings and values lists in the Policies tab was clearing the search query. You worked hard on that query, so we now keep it as you switch.

v5.1.1 [2020-01-08]

Bug fixes

  • When terraform stacks are run inside Turbot we automatically update the state information from the CMDB. It's important this information is correct for smooth stack operation on the next run. We detect failures on future runs and then try to automatically update the resource to clear the problem. Before this fix we did all the hard work to detect the problem, but were not actually saving that back to the CMDB to fix it.

v5.1.0 [2020-01-07]

Security

  • Since v5.0.0 Turbot has allowed a user to set up a notification to receive information about changes to a resource. Those updates were not properly filtered based on the permissions of the user, which may cause a workspace user to receive notifications for unintended resources in the same workspace. Notification matches for resources now correctly limit results based on the permissions of the subscriber.

What’s new?

  • Easily rearrange the resource hierarchy using the new "Move" option in the left navigation menu.
  • Performance improvements for mod installation and exploring policy detail pages.
  • Documentation for GraphQL root queries.
  • Filter resources by turbot metadata using queries like $.turbot.id:1234.
  • AWS IAM operations (console login, credentials) have been added to the GraphQL API (and removed from the REST API). The Turbot CLI uses these capabilities to make cross-account access easy.

Bug fixes

  • Deleting large blocks of resources was unreliable due to timeouts and conflicts from ongoing background changes. While delete was mostly used because we didn’t support moves (added above), it will now work reliably when needed.
  • Changes to the type hierarchy (e.g. resource types, control types) made in new mod versions were not applied properly in the workspace. Now they are, as they should be.

Enterprise

  • Efficiency improvements in backend event handling and data storage - reducing event flow, improving next task selection, improving mod installation performance, and reducing noise in notification data.
  • Security groups (e.g. load balancer, outbound internet access) are now defined in TE, making them specific and immutable to each version while allowing them to evolve over time (just like our other serverless infrastructure). Custom security groups can still be defined in TEF if you prefer full control.
  • Turbot now uses the AWS RDS bundled 2015 and 2019 root certificate, allowing TED managed RDS Instances to be upgraded to the new certificate.

v5.0.0 [2019-12-18]

  • Folders, discoverable resources
  • IDs (not URNs)
  • Resource types & categories
  • Control types & categories
  • Policy types & categories
  • Permission types & levels
  • Terraform stacks with CMDB
  • Standard control types: approved, active, configured, cmdb, discovery, tags
  • Webhook events
  • Statistics & aggregation
  • Change history - resources, policies, controls, grants, etc
  • GraphQL
  • Filters
  • Dependencies / Dependents
  • Related policies / controls
  • Calculated policies
  • Tags / title
  • Multi-region
  • Serverless