Skip to content

chore(deps): update build tools#491

Merged
ttosta-google merged 2 commits intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/build-tools
Jan 24, 2024
Merged

chore(deps): update build tools#491
ttosta-google merged 2 commits intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/build-tools

Conversation

@renovate-bot
Copy link
Copy Markdown
Contributor

@renovate-bot renovate-bot commented Nov 15, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
cert-manager/cert-manager patch v1.13.2 -> v1.13.3
google-github-actions/auth action minor v1.1.1 -> v1.3.0
hashicorp/terraform minor v1.6.3 -> v1.7.1

Release Notes

cert-manager/cert-manager (cert-manager/cert-manager)

v1.13.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes
Bug or Regression
  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#​6507, @​inteon)
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#​6507, @​inteon)
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#​6507, @​inteon)
  • Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#​6538, @​wallrj)
  • Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See GHSA-8pgv-569h-w5rw, GHSA-jq35-85cj-fj4p, and GHSA-2c7c-3mj9-8fqh. (#​6514, @​inteon)
Dependencies
Added

Nothing has changed.

Changed
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go: v0.110.6 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
  • google.golang.org/genproto: f966b18 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed

Nothing has changed.

google-github-actions/auth (google-github-actions/auth)

v1.3.0

Compare Source

What's Changed

Full Changelog: google-github-actions/auth@v1...v1.3.0

v1.2.0

Compare Source

⚠️ This version requires Node 20 or later on the runner! If you are using GitHub-managed runners, no action is needed. If you are using self-hosted runners, make sure the system version of Node is version 20 or higher.

What's Changed
New Contributors

Full Changelog: google-github-actions/auth@v1...v1.2.0

hashicorp/terraform (hashicorp/terraform)

v1.7.1

Compare Source

1.7.1 (January 24, 2024)

BUG FIXES:

  • terraform test: Fix crash when referencing variables or functions within the file level variables block. (#​34531)
  • terraform test: Fix crash when override_module block was missing the outputs attribute. (#​34563)

v1.7.0

Compare Source

1.7.0 (January 17, 2024)

UPGRADE NOTES:

  • Input validations are being restored to the state file in this version of Terraform. Due to a state interoperability issue (#​33770) in earlier versions, users that require interaction between different minor series should ensure they have upgraded to the following patches:

    • Users of Terraform prior to 1.3.0 are unaffected;
    • Terraform 1.3 series users should upgrade to 1.3.10;
    • Terraform 1.4 series users should upgrade to 1.4.7;
    • Terraform 1.5 series users should upgrade to 1.5.7;
    • Users of Terraform 1.6.0 and later are unaffected.
      This is important for users with terraform_remote_state data sources reading remote state across different versions of Terraform.

  • nonsensitive function no longer raises an error when applied to a value that is already non-sensitive. (#​33856)

  • terraform graph now produces a simplified graph describing only relationships between resources by default, for consistency with the granularity of information returned by other commands that emphasize resources as the main interesting object type and de-emphasize the other "glue" objects that connect them.

    The type of graph that earlier versions of Terraform produced by default is still available with explicit use of the -type=plan option, producing an approximation of the real dependency graph Terraform Core would use to construct a plan.

  • terraform test: Simplify the ordering of destroy operations during test cleanup to simple reverse run block order. (#​34293)

  • backend/s3: The use_legacy_workflow argument now defaults to false. The backend will now search for credentials in the same order as the default provider chain in the AWS SDKs and AWS CLI. To revert to the legacy credential provider chain ordering, set this value to true. This argument, and the ability to use the legacy workflow, is deprecated. To encourage consistency with the AWS SDKs, this argument will be removed in a future minor version.

NEW FEATURES:

  • terraform test: Providers, modules, resources, and data sources can now be mocked during executions of terraform test. The following new blocks have been introduced within .tftest.hcl files:

    • mock_provider: Can replace provider instances with mocked providers, allowing tests to execute in command = apply mode without requiring a configured cloud provider account and credentials. Terraform will create fake resources for mocked providers and maintain them in state for the lifecycle of the given test file.
    • override_resource: Specific resources can be overridden so Terraform will create a fake resource with custom values instead of creating infrastructure for the overridden resource.
    • override_data: Specific data sources can be overridden so data can be imported into tests without requiring real infrastructure to be created externally first.
    • override_module: Specific modules can be overridden in their entirety to give greater control over the returned outputs without requiring in-depth knowledge of the module itself.

  • removed block for refactoring modules: Module authors can now record in source code when a resource or module call has been removed from configuration, and can inform Terraform whether the corresponding object should be deleted or simply removed from state.

    This effectively provides a configuration-driven workflow to replace terraform state rm. Removing an object from state is a new type of action which is planned and applied like any other. The terraform state rm command will remain available for scenarios in which directly modifying the state file is appropriate.

BUG FIXES:

  • Ignore potential remote terraform version mismatch when running force-unlock (#​28853)
  • Exit Dockerfile build script early on cd failure. (#​34128)
  • terraform test: Stop attempting to destroy run blocks that have no actual infrastructure to destroy. This fixes an issue where attempts to destroy "verification" run blocks that load only data sources would fail if the underlying infrastructure referenced by the run blocks had already been destroyed. (#​34331)
  • terraform test: Improve error message for invalid run block names. (#​34469)
  • terraform test: Fix bug where outputs in "empty" modules were not available to the assertions from Terraform test files. (#​34482)
  • security: Upstream patch to mitigate the security advisory CVE-2023-48795, which potentially affects local-exec and file provisioners connecting to remote hosts using SSH. (#​34426)

ENHANCEMENTS:

  • terraform test: Providers defined within test files can now reference variables from their configuration that are defined within the test file. (#​34069)
  • terraform test: Providers defined within test files can now reference outputs from run blocks. (#​34118)
  • terraform test: Terraform functions are now available within variables and provider blocks within test files. (#​34204)
  • terraform test: Terraform will now load variables from any terraform.tfvars within the testing directory, and apply the variable values to tests within the same directory. (#​34341)
  • terraform graph: Now produces a simplified resources-only graph by default. (#​34288)
  • terraform console: Now supports a -plan option which allows evaluating expressions against the planned new state, rather than against the prior state. This provides a more complete set of values for use in console expressions, at the expense of a slower startup time due first calculating the plan. (#​34342)
  • import: for_each can now be used to expand the import block to handle multiple resource instances (#​33932)
  • If the proposed change for a resource instance is rejected either due to a postcondition block or a prevent_destroy setting, Terraform will now include that proposed change in the plan output alongside the relevant error, whereas before the error would replace the proposed change in the output. (#​34312)
  • .terraformignore: improve performance when ignoring large directories (#​34400)
Previous Releases

For information on prior major and minor releases, see their changelogs:

v1.6.6

Compare Source

1.6.6 (December 13, 2023)

BUG FIXES:

  • terraform test: Stop attempting to destroy run blocks that have no actual infrastructure to destroy. This fixes an issue where attempts to destroy "verification" run blocks that load only data sources would fail if the underlying infrastructure referenced by the run blocks had already been destroyed. (#​34331)
  • cloud: prevent running saved cloud plans in VCS-connected workspaces. Saved plans might be applied later, and VCS workspaces shouldn't apply configurations that don't come from their designated VCS branch.
  • core: Unmanaged plugins (mainly used by provider acceptance testing) would not have a provider address set, preventing the caching of their schemas (#​34380)

v1.6.5

Compare Source

1.6.5 (November 29, 2023)

BUG FIXES:

  • backend/s3: Fixes parsing errors in shared config and credentials files. (#​34313)
  • backend/s3: Fixes error with AWS SSO when using FIPS endpoints. (#​34313)

v1.6.4

Compare Source

1.6.4 (November 15, 2023)

ENHANCEMENTS:

  • backend/s3: Add the parameter endpoints.sso to allow overriding the AWS SSO API endpoint. (#​34195)

BUG FIXES:

  • terraform test: Fix bug preventing passing sensitive output values from previous run blocks as inputs to future run blocks. (#​34190)
  • backend/s3: Add https_proxy and no_proxy parameters to allow fully specifying proxy configuration (#​34243)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot requested a review from a team as a code owner November 15, 2023 17:10
@renovate-bot renovate-bot changed the title chore(deps): update dependency hashicorp/terraform to v1.6.4 chore(deps): update build tools Nov 20, 2023
@ttosta-google ttosta-google merged commit f1a3a50 into GoogleCloudPlatform:main Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ttosta-google ttosta-google ttosta-google approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@enocom enocom

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@renovate-bot @ttosta-google @enocom