v0.12.2

Summary

This release adds the ability to define scheduled jobs aka cron jobs.
It also includes a few small edge case fixes (see release notes below).

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD

Service

• 🚀 Add scheduled jobs by @coilysiren in #745
• 🐞 Remove manually defined CloudWatch log resource policy to prevent hitting limit on number of temporary environments by @lorenyu in #742
• 🐞 Fix configure-aws-credentials when network_name has dashes by @lorenyu in #743

Full Changelog: v0.12.1...v0.12.2

v0.12.1 ⚠️ Requires migration steps

Summary

This release:

• Fixes an issue with projects that separate their environments into different AWS accounts from being able to deploy to an environment that is in a different account than the account that contains the image repository.
• Improves developer experience by letting users log in to PR environments with the same credentials that they log into the dev environment

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD

⚠️ Migration notes

Run the following command for each app and environment to upgrade the terraform aws provider to the next major version.

terraform -chdir=infra/<APP_NAME>/service init -upgrade -backend-config="<ENVIRONMENT>.s3.tfbackend"

Service

• 🐞 Fix access to build repository from different AWS account by @lorenyu in #737
• 🚀 Use existing identity provider in temporary environments by @rocketnova in #717

Tech debt and maintenance

• 🔧 Update app/service root module aws provider version to >=5.35.0 by @rocketnova in #731

Full Changelog: v0.12.0...v0.12.1

v0.12.0

Summary

This release:

• 🚀 Adds an identity provider (AWS Cognito) to the service layer that can be enabled or disabled
• 🚀 Adds support for running end-to-end (e2e) tests on every PR using Playwright

Additional enhancements related to these features will be added soon.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD	✅

CI / CD

• 🚀 Add e2e tests by @rylew1 in #694

Service

• 🚀 Add identity provider modules by @rocketnova in #650

New Contributors

• @rylew1 made their first contribution in #694
• @coilysiren made their first contribution in #728

Full Changelog: v0.11.2...v0.12.0

v0.11.2

Summary

This release:

• 🚀 Introduces a workflow that runs overnight that checks the deploy status for infrastructure changes. This is useful to ensure the infrastructure code matches what is deployed.
• 🐞 Fixes a bug that causes DB migrations to fail when adding new secret configurations to the service layer
• 🐞 Works around a bug that causes PR environment workflows to fail on repos that use GitHub Projects

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service
CI/CD	✅

CI / CD

• 🚀 Add check infra deploy status workflow by @lorenyu in #682 and #707
• 🐞 Workaround GitHub CLI bug that causes PR environment workflows to fail by @lorenyu in #710

Database

• 🐞 Update task_executor IAM policy before running migrations by @lorenyu in #697

Full Changelog: v0.11.1...v0.12.0

v0.11.1

Summary

• Fix issue that causes Terraform plan in database layer to show a diff on a clean checkout of the repo

Layer	Has changes	Needs migration
Account
Network
Build repository
Database	✅
Service
CI/CD

Database layer

• 🐞 Check in role manager archive by @lorenyu in #695
  • Fixes issue that causes Terraform plan in database layer to show a diff on a clean checkout of the repo

Tech debt and maintenance

• Bump google.golang.org/protobuf from 1.26.0 to 1.33.0 in /template-only-test by @dependabot in #572
• Organize outputs alphabetically by @daphnegold in #687

Full Changelog: v0.11.0...v0.11.1

v0.11.0 ⚠️ Requires migration steps

Summary

• 🚀 Add pull request environments

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service
CI/CD	✅

⚠️ Migration notes

There is one minor breaking change:

1. Account name configuration moved from app config to network config

Each application environment is mapped to an AWS account. Previously, this was done via an account_name attribute in each application environment's <ENVIRONMENT>.tf file in infra/<APP_NAME>/app-config/. Now, to DRY things up, the application environment is now mapped to the network via the network_name attribute, and the network is mapped to the AWS account via an account_name attribute in the network configuration in infra/project-config/networks.tf. To make this migration, follow these steps:

1. Remove account_name from each environment config file <ENVIRONMENT>.tf in the infra/<APP_NAME>/app-config/ folder
2. Add account_name to each network config in infra/project-config/networks.tf

This should not produce any changes in the Terraform plan for any of the infrastructure layers.

Database layer

CI/CD

• 🚀 Add pull request environments by @lorenyu in #664, #672, and #674

Other DevEx updates

Tech debt and maintenance

• ⚠️ Move account_name from app config to network config by @lorenyu in #673
• Change references to ${var} from $var in scripts by @daphnegold in #663
• Alphabetize variables.tf files by @daphnegold in #667 and #680
• Set up specific terraform version in deploy workflow by @lorenyu in #684
• Upgrade actions/checkout to v4 by @daphnegold in #681

Full Changelog: v0.10.0...v0.11.0

v0.10.0 ⚠️ Requires migration steps

Summary

Layer	Has changes	Needs migration
Account
Network
Build repository
Database	✅	🚚
Service

⚠️ Migration notes

There are two minor breaking changes.

1. Major version upgrade to Postgres database

If you want to upgrade your Postgres version to the latest version (16.2), then follow the instructions in upgrade-database.md. If you are not yet ready for upgrading, revert the line of code that sets the engine_version back to your current version, and defer the upgrade to a future point.

2. Possible breaking change to how the database schema is named

For projects that have renamed the application to from app to some other string, this release is a breaking change. The database schema used to be given the same name as the app. In this release, the database schema is now hardcoded to the string "app". To avoid this breaking change, revert this line to set schema_name = var.app_name.

Database layer

• Alter default privileges for migrator to grant all privileges to app by @lorenyu in #622
• ⚠️ Upgrade Postgres version from 14.6 to 16.2 by @KevinJBoyer in #627
• Add support for Postgres extensions that require the rds_superuser role by @KevinJBoyer in #631
• 🐞 Fix role manager print strings by @rocketnova in #640
• Refine replace trigger for installation of role manager packages by @lorenyu in #648
• ⚠️ Set database schema name to "app" instead of using the application name by @rocketnova in #646
• Set the default app service to expect a database by @rocketnova in #485

CI/CD

• When deploying, wait for service to be stable by @lorenyu in #615

Other DevEx updates

• Set non-default workspaces as temporary by @rocketnova in #649

Tech debt and maintenance

• Remove old .terraform.lock.hcl by @rocketnova in #625
• Rename internal shell variables to be lower case by @daphnegold in #629 and #633
• Eliminate .sh extension from shell scripts by @daphnegold in #635
• Remove no longer needed manual deletion in CI Infra Service Checks by @rocketnova in #668

Documentation

• Add instruction to check build repository by @lorenyu in #617
• Add infra style guide by @lorenyu in #619
• Update example to minimum Terraform version by @KevinJBoyer in #628
• Update decision log index by @KevinJBoyer in #634
• Add troubleshooting instructions to ECS Exec documentation by @tdooner in #636
• Update network docs by @KevinJBoyer in #637
• Add instructions for setting up public internet access by @lorenyu in #651
• Improve and document CI/CD auth check by @lorenyu in #657
• Document dev and test workflow using workspaces by @lorenyu in #656 and #666
• Add docs on config modules by @lorenyu in #653

New Contributors

• @tdooner made their first contribution in #636

Full Changelog: v0.9.0...v0.10.0

v0.9.0 ⚠️ Requires migration steps

Summary

Layer	Has changes	Needs migration
Account
Network	✅
Build repository
Database
Service	✅	🚚

⚠️ Migration notes

There are two minor breaking changes.

1. Breaking change to way secrets are defined in app-config in environment-variables.tf

Secrets are now defined as a map:

secrets = {
  ENV_VAR_NAME = {
    manage_method     = "code" or "manual"
    secret_store_path = "/ssm/param/name"
  }
}

It was previously defined as a list:

secrets = [
  {
    name = "ENV_VAR_NAME",
    ssm_param_name = "/ssm/param/name"
  }
]

• Add new module modules/secret for generating new secrets or referencing existing secrets
• Refactor interface

To migrate:

• In app-config's environment-variables.tf, update secret definitions to use the new format.
• For secrets managed outside of the project's codebase, set manage_method = "manual"
• For secrets created within the project's codebase but defined elsewhere, move (using terraform mv) the aws_ssm_parameter to module.secret[ENV_VAR_NAME].aws_ssm_parameter.secret

For more info see: Add ability to generate secrets for the application

2. Breaking change to how the mapping from environment to account name is defined in app-config module.

Account name is now defined in each environment config (dev.tf, staging.tf, prod.tf, etc) rather than as a single account_names_by_environment map in app-config/main.tf. To migrate:

• Add a new parameter account_name to the env-config module call in each of your environment config files (e.g. app-config/dev.tf, app-config/staging.tf, app-config/prod.tf, etc.)
• Clean up (remove) account_names_by_environment map in app-config/main.tf

For more info see: Move account name config into into env-config

New and updated functionality

Service layer

• Add support for custom domains and HTTPS by @lorenyu in #561
• Simplify secret definitions by replacing ARNs with SSM param names by @lorenyu in #563
• Add ability to generate secrets for the application by @lorenyu in #602
• Add support for ECS Exec for debugging by @rocketnova in #594
• Fix: Add ListBucket permission for storage bucket (permission needed by Django) by @lorenyu in #566

CI/CD

• DevEx: Add app and ref to build workflow run name by @lorenyu in #564
• DevEx: Support concurrent migrations for different apps by @sawyerh in #570
• DevEx: Skip build step if image already published by @lorenyu in #611
• Fix: Remove terraform -refresh-only commands (fixes issue in terraform 1.8.0 which new github actions runners use that causes -refresh-only to error when there's no state file) by @rocketnova in #586
• Fix: omitted filename change when renaming ci-app-vulnerability-scans.yml by @rocketnova in #596
• Fix: build/publish concurrency group by @lorenyu in #607

Other DevEx updates

• Derive app_name from module path by @lorenyu in #568
• makefile: Improve help target by @doshitan in #573

Tech debt and maintenance

• Bump golang.org/x/crypto from 0.0.0-20210921155107-089bfa567519 to 0.17.0 in /infra/test by @dependabot in #518
• Bump google.golang.org/grpc from 1.50.1 to 1.56.3 in /infra/test by @dependabot in #468
• makefile: Breakout make target help text from target dependencies by @doshitan in #575
• makefile: Avoid mismatched quotes in check_defined by @doshitan in #576
• Make VPC database resources to be conditionally added only if there is a database needed in the network by @rocketnova in #590
• Pin terraform version by @rocketnova in #599
• Add AWS defaults to container definitions to produce clean tf plan by @lorenyu in #603
• Move account name config into into env-config by @lorenyu in #605

Documentation

• Clarify setup documentation by @rocketnova in #579
• Explain CI/CD flow and files by @rocketnova in #580
• Clarify main README for new users by @rocketnova in #588
• Fix typos and grammar in md files by @yoomlam in #593
• Update set-up-infrastructure-tools.md by @allthesignals in #608

New Contributors

• @doshitan made their first contribution in #573
• @allthesignals made their first contribution in #608

Full Changelog: v0.8.0...v0.9.0

v0.8.0

Summary

Layer	Has changes	Needs migration
Account	✅
Network
Build repository
Database
Service	✅

New and updated functionality

Service layer

• Add ability to configure environment variables and secrets for application by @lorenyu in #549
• Add IMAGE_TAG environment variable to all applications by @lorenyu in #556
• Add permissions to tag objects uploaded to S3 by @lorenyu in #555

Background jobs

• Add jobs that trigger on file upload by @lorenyu in #527

Security

• Instead of granting AdministratorAccess to GitHub Actions, explicitly list allowed AWS actions that GA can perform as part of CI/CD workflows by @lorenyu in #537
• Add deletion protection to application load balancer (ALB) by @SammySteiner in #542

CI/CD

• Allow multiple apps to deploy concurrently by @lorenyu in #551

Tech debt and maintenance

• Exclude node_modules subfolder for lint-markdown.sh by @yoomlam in #543
• Exclude .venv subfolder for lint-markdown.sh by @yoomlam in #544
• Update terraform version by @lorenyu in #548

Documentation

• Move network layer out of app in arch diagram by @lorenyu in #550

New Contributors

• @SammySteiner made their first contribution in #542

Full Changelog: v0.7.0...v0.8.0

v0.7.0 ⚠️ Requires migration steps

Summary

Layer	Has changes	Needs migration
Account	✅	🚚
Network	✅
Build repository
Database
Service	✅

⚠️ Migration notes

This release moves the OIDC provider to be managed outside of Terraform. Thus, to prevent Terraform from destroying that resource, you need to remove the OIDC provider from the Terraform state file for each of your accounts in infra/accounts. Run the following commands for each AWS account:

./bin/terraform-init.sh infra/accounts $(./bin/current-account-config-name.sh)
terraform -chdir=infra/accounts state rm module.auth_github_actions.aws_iam_openid_connect_provider.github

New functionality

• Add storage module for uploading documents by @lorenyu in #510

Enhancements

• Configure service CPU, memory, and desired instance count per environment by @lorenyu in #503
• Catch feature flag regressions by testing feature flag endpoint in CI Infra Service workflow by @lorenyu in #512
• Make infra service test cleanup more robust by using target apply in EnableDestroy step by @lorenyu in #521
• Support account set up in AWS accounts with existing OIDC provider by managing OIDC provider outside of Terraform by @lorenyu (credit to @anybodys and @daphnegold) in #533

Fixes

• Ignore linting localhost Markdown links by @sawyerh in #506
• Fix broken Markdown link when template is installed by @sawyerh in #505
• Prevent AWS's automatically generated log delivery resource policy from getting too big by creating resource policy for feature flags log group by @lorenyu in #530
• Fix accounts setup for other regions by @lorenyu in #534

Tech debt

• Update markdown linter name and execution by @sawyerh in #504
• Remove obsolete todo by @sawyerh in #511
• Remove workaround for VPC endpoint availability by @lorenyu in #516
• Remove unused config value by @lorenyu in #519

Documentation

• Add system architecture diagram by @lorenyu in #494
• Fix typo by @lorenyu in #513
• Network layer system design ADR by @lorenyu in #489

Full Changelog: v0.6.1...v0.7.0