Turbot Enterprise Foundation (TEF) Releases

v1.26.3 [2020-10-01]

Bug fixes

  • Error handling in workspace pre-install checker.

v1.26.2 [2020-10-01]

Bug fixes

  • Error handling in workspace pre-install checker.

v1.26.1 [2020-09-30]

Bug fixes

  • ECS Agent should attempt to use the locally cached image, which dramatically reduces disk IO and download bandwidth.
  • Upgrade via CloudFormation had a race condition in our custom resource Lambda functions that could be triggered when doing a large number of upgrades or rollbacks in parallel.

v1.26.0 [2020-09-24]

Bug fixes

  • When a custom outbound access security group is specified in the TEF template, do not create the {prefix}_outbound_internet_security_group or the {prefix}_{version}_outbound_internet_security_group.

v1.25.0 [2020-09-22]

What's new?

  • Ability to restrict SNS topic and SQS queue access based on Organization Id.
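
The usual way to express such a restriction is an aws:PrincipalOrgID condition in the SNS topic or SQS queue resource policy. The following is an added example, not Turbot's code: it builds such a policy and audits existing policy documents (in the JSON string form returned by GetQueueAttributes / GetTopicAttributes) for Allow statements that are open to any principal without that condition. The organization id, ARNs and Sids are constructed placeholders.

```python
"""Audit SQS queue / SNS topic resource policies for an Organization ID restriction.

Added example, not Turbot's code. It assumes the restriction is implemented with
the standard IAM condition key aws:PrincipalOrgID; the organization id and ARNs
below are constructed placeholders.
"""
import json
from typing import Any, Dict, List

PLACEHOLDER_ORG_ID = "o-exampleorgid"  # placeholder, not a real organization id


def org_restricted_policy(resource_arn: str, org_id: str, actions: List[str]) -> Dict[str, Any]:
    """Build a resource policy that allows the listed actions for any AWS principal,
    but only when that principal belongs to the given organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowFromOrganizationOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": actions,
            "Resource": resource_arn,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means 'any AWS account'."""
    if principal == "*":
        return True
    if isinstance(principal, dict) and "AWS" in principal:
        return "*" in _as_list(principal["AWS"])
    return False


def _has_org_condition(statement: Dict[str, Any]) -> bool:
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "ForAnyValue:StringEquals"):
        if "aws:PrincipalOrgID" in condition.get(operator, {}):
            return True
    return False


def find_unrestricted_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids (or positional labels) of Allow statements that are open to
    any principal and carry no aws:PrincipalOrgID condition."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")) and not _has_org_condition(stmt):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def audit_policy_json(policy_text: str) -> List[str]:
    """GetQueueAttributes / GetTopicAttributes return the Policy attribute as a JSON
    string, so accept that form too."""
    return find_unrestricted_statements(json.loads(policy_text))


if __name__ == "__main__":
    queue_arn = "arn:aws:sqs:us-east-1:111111111111:example-queue"  # constructed
    good = org_restricted_policy(queue_arn, PLACEHOLDER_ORG_ID, ["sqs:SendMessage"])
    print("restricted policy findings:", find_unrestricted_statements(good))
    open_policy = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
        "Action": "sqs:SendMessage", "Resource": queue_arn}]})
    print("open policy findings:", audit_policy_json(open_policy))
```

Statements scoped to a named account principal are not flagged, since they are already restricted; only wildcard principals without the organization condition are reported.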

v1.24.0 [2020-08-21]

Warning

  • IAM permissions updated.

Bug fixes

  • The (optional) API Gateway that proxies external events to the internal Turbot load balancer was returning error codes (5xx) for all queries even though it worked successfully. This could lead to retries of the message (which were not processed, thanks to our duplicate detection). Errors in both the event handler and the health check have been cleared.

v1.23.0 [2020-07-22]

What's new?

  • Updated Workspace Manager permissions for SSM policy lookups and reading S3 data for access to the TE workspace manager Lambda results.

v1.22.1 [2020-07-07]

Bug fixes

  • As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed.

v1.22.0 [2020-07-06]

What's new?

  • The default browser-facing security group (used by the load balancer) is now open on port 80, so HTTP traffic can be automatically redirected to HTTPS at the load balancer level.
  • Expanded EC2 instance type options, and changed the default to t3.medium.
  • Changed the default maximum limit for ECS hosts from 64 to a more sensible, but still generous, 8.
  • Further restricted permissions to EC2 hosts, limiting the accessible resources as much as possible.

v1.21.0 [2020-06-19]

What's new?

  • Introducing a new parameter model in TEF, allowing parameter "overrides" to be optionally set in SSM. Turbot creates default parameters, but will automatically detect any overrides you create during the stack run. This allows us to expand beyond the 60 parameter limit of CloudFormation.
  • Each Turbot version installs minimal IAM policies and roles specific to its requirements. Some customers prefer more control over IAM management, so we now support BYO-IAM with parameters for all IAM entities required in the Turbot primary account.
  • Added parameters to optionally set the ALB Log Prefix and ALB Idle Timeout.
  • TEF will now perform a rolling update of the EC2 hosts if required due to launch configuration changes, ensuring no downtime during upgrades.
  • Allow the pre-install check Lambda function to use the VPC from a non-VPC setting.

v1.20.0 [2020-05-29]

What's new?

  • Added 169.254.170.2 to the default NO_PROXY parameter. This is required for stack containers to execute in some proxy environments.

v1.19.1 [2020-05-20]

Bug fixes

  • Network Interface permissions added in v1.19.0 are low risk, but have been tightened further to only be granted in environments running Lambda inside the VPC.

v1.19.0 [2020-05-18]

What's new?

  • TED and TE are being enhanced to automatically check that their required versions of TEF and TED are installed. The Lambda function they use for that check (custom resource during the CloudFormation stack run) is deployed in TEF, and added in this release.
  • Turbot Enterprise uses a lot of Lambda functions to execute mod code. For organizations who prefer more visibility into network traffic, we're adding support to run these functions inside the VPC. This version of TEF expands the IAM permissions granted to Lambda functions with the minimum required to attach Network Interface cards.

v1.18.1 [2020-05-14]

What's new?

  • Flags parameter now has validation rules and defaults to NONE (CloudFormation does not like empty string defaults for SSM parameters).

v1.18.0 [2020-05-14]

What's new?

  • The Flags parameter will allow features to be enabled or disabled at the installation level, giving us more flexibility to innovate and gradually deploy features.

v1.17.0 [2020-05-12]

What's new?

  • Moved to ECS optimized Amazon Linux 2 as our host OS for containers. (Previously we used ECS optimized Amazon Linux 1.)
  • Expanded proxy server support, particularly through the ECS bootstrap sequence. We now support HTTP and HTTPS requests being routed to an http:// proxy for all traffic - no need for endpoints or similar in any case. (We do not yet support custom certificates and https:// proxies.)
  • TEF now publishes an SSM parameter with the currently installed version, which will be used in the future to check version compatibility during TED and TE upgrades.

v1.16.0 [2020-05-05]

What's new?

  • Allow Self-Signed Certificate parameter, instructing Turbot to ignore certificate errors when connecting to external services - for example - enterprise environments with an outbound internet proxy.
  • S3 bucket inventory has been enabled, setting us up for future batch operations on collections of log files.
  • Updated lifecycle rules to clean deleted versions of debug logs and match changes to the prefix of log files.

v1.15.0 [2020-05-01]

What's new?

  • Added a "connectivity test" lambda function, making it easier to verify that an environment has the necessary network setup. Run ${ResourceNamePrefix}_connectivity_checker manually to test.
  • Improved descriptions for the Installation Domain and Turbot Certificate ARN parameters.

v1.14.0 [2020-04-24]

What's new?

  • Turbot License Key has been added as a (currently optional) parameter.

v1.13.0 [2020-04-17]

What's new?

  • Updates Hive Manager, which includes the ability to convert ownership of database schemas. This is part of a longer term effort to move database ownership to specific turbot roles, reducing our use of the master account.

v1.12.1 [2020-04-02]

Bug fixes

  • EC2 instances used for ECS should have AssociatePublicIpAddress set to false. This is a defence improvement, since our EC2 instances run in a private VPC and so were not publicly accessible anyway.

v1.12.0 [2020-04-01]

What's new?

  • Clean up IAM role names to use _ consistently (instead of mixing _ and - together).

v1.11.0 [2020-03-31]

What's new?

  • Some organizations need to use a self-signed certificate for their ALB. This would fail a certificate check when also using our API Gateway proxy. Use the Self Signed Certificate In ALB parameter to ignore these certificate errors.

Bug fixes

  • The IAM role used for ECS EC2 instances is now named consistently with our other IAM roles.

v1.10.0 [2020-03-27]

Warning

  • Existing TEF installations must install v1.9.0 before upgrading to v1.10.0. This sequence will automatically preserve and transition parameter settings for S3 bucket names as we move from fixed names to randomized names by default for new installations.

What's new?

  • Log and process buckets now use a partly random name by default, making new installations smoother and easier to troubleshoot.

v1.9.0 [2020-03-26]

What's new?

  • Optionally use a random name for log and process log buckets, making repeated install and uninstall easier.
  • Log buckets will now be retained on deletion of the TEF stack.

v1.8.0 [2020-03-23]

What's new?

  • Set up an S3 bucket to store process logs, including lifecycle rules to clean up debug logs.

v1.7.0 [2020-03-17]

What's new?

  • Turbot Hive Manager lambda now has permission to create encrypted SSM parameters, required by TED v1.5.0.

v1.6.0 [2020-03-09]

Warning

  • Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers.
  • The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound.
  • If you are upgrading from a previous TEF version, you will need to make the modifications listed below:

    • Add ports 32768-65535 to the Load Balancer Security Group OUTBOUND to the API Security Group
    • Add ports 32768-65535 to the API Security Group INBOUND from the Load Balancer Security Group
    • Add port 80 to the Outbound Internet Security Group OUTBOUND to 0.0.0.0/0
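
As an added example (not part of Turbot's templates) of how to confirm those three modifications after an upgrade, the check below reads security groups in the shape returned by boto3's ec2.describe_security_groups and reports any rule from the list above that is absent. The group ids and the sample groups are constructed; in practice the groups would come from a describe_security_groups call.

```python
"""Verify the security group rules required by the TEF v1.6.0 upgrade.

Added example, not part of Turbot's templates. It reads security groups in the
shape returned by boto3's ec2.describe_security_groups; the group ids and the
sample groups below are constructed for illustration.
"""
from typing import Any, Dict, List

HIGH_PORTS = (32768, 65535)  # ECS bridge-mode dynamic host port range


def _covers_tcp(perm: Dict[str, Any], from_port: int, to_port: int) -> bool:
    """True if one IpPermission entry allows the whole TCP range from_port..to_port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # an "all traffic" rule covers every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= from_port and perm.get("ToPort", 0) >= to_port


def _allows_group(perms: List[Dict[str, Any]], peer_sg: str, from_port: int, to_port: int) -> bool:
    """Some rule in perms allows the port range to/from the peer security group."""
    return any(
        _covers_tcp(p, from_port, to_port)
        and any(pair.get("GroupId") == peer_sg for pair in p.get("UserIdGroupPairs", []))
        for p in perms
    )


def _allows_cidr(perms: List[Dict[str, Any]], cidr: str, from_port: int, to_port: int) -> bool:
    """Some rule in perms allows the port range to/from the given CIDR block."""
    return any(
        _covers_tcp(p, from_port, to_port)
        and any(r.get("CidrIp") == cidr for r in p.get("IpRanges", []))
        for p in perms
    )


def missing_upgrade_rules(groups: List[Dict[str, Any]], lb_sg: str, api_sg: str,
                          outbound_sg: str) -> List[str]:
    """Return a description of each rule from the upgrade checklist that is absent."""
    by_id = {g["GroupId"]: g for g in groups}
    lo, hi = HIGH_PORTS
    missing = []
    if not _allows_group(by_id[lb_sg].get("IpPermissionsEgress", []), api_sg, lo, hi):
        missing.append(f"{lb_sg}: OUTBOUND tcp {lo}-{hi} to {api_sg}")
    if not _allows_group(by_id[api_sg].get("IpPermissions", []), lb_sg, lo, hi):
        missing.append(f"{api_sg}: INBOUND tcp {lo}-{hi} from {lb_sg}")
    if not _allows_cidr(by_id[outbound_sg].get("IpPermissionsEgress", []), "0.0.0.0/0", 80, 80):
        missing.append(f"{outbound_sg}: OUTBOUND tcp 80 to 0.0.0.0/0")
    return missing


def sample_groups(with_port_80: bool = True) -> List[Dict[str, Any]]:
    """Constructed sample in describe_security_groups shape (ids are placeholders)."""
    outbound_egress = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    if with_port_80:
        outbound_egress.append({"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
    return [
        {"GroupId": "sg-lb", "IpPermissions": [],
         "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
                                  "UserIdGroupPairs": [{"GroupId": "sg-api"}]}]},
        {"GroupId": "sg-api",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
                            "UserIdGroupPairs": [{"GroupId": "sg-lb"}]}],
         "IpPermissionsEgress": []},
        {"GroupId": "sg-out", "IpPermissions": [], "IpPermissionsEgress": outbound_egress},
    ]


if __name__ == "__main__":
    for label, groups in (("complete", sample_groups()), ("no port 80", sample_groups(False))):
        print(label, "->", missing_upgrade_rules(groups, "sg-lb", "sg-api", "sg-out") or "OK")
```

A pre-v1.6.0 API security group that only admits port 8443 from the load balancer is reported as missing the inbound rule, because the check requires the whole 32768-65535 range to be covered by a single rule (or by an all-traffic rule).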

What's new?

  • Use ECS on EC2 (instead of Fargate) to accelerate container startup time (particularly for stacks), increase cost efficiency at scale, and prepare for wider container use at the core level.

v1.5.0 [2020-03-05]

What's new?

  • Workspace manager creation of turbot.com directories updated to use a server name (instead of a phase).

v1.4.0 [2020-01-22]

What's new?

  • Added a lifecycle rule to automatically delete temporary data from S3.

v1.3.0 [2020-01-20]

What's new?

  • Reduced scope of permissions granted to custom mod Lambda functions. These add extra levels of protection and take effect as mods are installed or updated in Turbot v5.5.0 or later.

v1.2.0 [2020-01-14]

What's new?

  • Publish the alpha region as an SSM parameter so it can be used as a default in other areas - like TED's default location for the primary DB.

v1.1.1 [2020-01-08]

Bug fixes

  • The Hive Manager and Workspace Manager lambda functions used during the workspace upgrade process were not properly connecting to the database using SSL during initial workspace creation (they were during upgrades). Our change to force SSL on the database in TED revealed this issue, which is now fixed.

v1.1.0 [2020-01-07]

What's new?

  • TEF version is now published as an output parameter in CloudFormation. (We'd rather that Service Catalog showed this automatically, but there is an AWS quirk that breaks that feature when Service Catalog versions are published using CloudFormation.)
  • Workspace upgrades may now take up to 15 minutes before timing out. This allows us to run larger data migration jobs during the upgrade process. (Don't worry, we design these to be background tasks that don't affect availability during the upgrade.)
  • Custom security groups are published as SSM parameters allowing them to be leveraged by the Turbot Enterprise CloudFormation stacks to override per-version default security groups.

Bug fixes

  • GovCloud installations require conditions in IAM to match the correct partition arn:aws-us-gov:.

v1.0.0 [2019-12-18]

What's new?

  • Initial version.
  • CloudFormation design for deployment via Service Catalog.
  • Foundation components: KMS keys, IAM roles, Log groups & buckets.
  • Network configuration with up to 3 tiers (public, turbot, database) across 3 availability zones in 3 regions.
  • Automated VPC peering setup across regions.
  • Subnet Groups and Security Groups for database and cache services.
  • Optional gateway proxy for external event handling with an internal installation.
  • Optional BYO network parameters for complex or pre-existing environments.