BUGFIX:
- Fix release version
FEATURES:
- Adds functionality to get secrets from secrets manager for use as TF Vars before planning/applying with Dome
- Secrets can be configured in itv.yaml at the global, ecosystem and environment level such as:
dome:
hiera_keys: {}
certs: {}
secretsmanager:
global_secret: common_{ecosystem}_{environment}_secret_id
dev:
dev_common_secret: dev_common_secret_id
dev:
dev_dev_secret: dev_dev_secret_id
qa:
dev_qa_secret: dev_qa_secret_id
prd:
prd:
prd_prd_secret: prd-prd_secret-id
- The secret id can use string replacement for {ecosystem} and {environment} so in the example above, planning in dev/qa would result in global_secret returning the secret string for the common_dev_qa_secret_id secret in the relevant account.
- Secrets with duplicate names are overwritten by the most precise scope (env > eco > global)
- Secret names are output as environment variables with the TF_VAR_ prefix, as per env vars set via Hiera.
- Secrets can only be access from the authenticated AWS account.
BUGFIX:
- upload kpi changes in CI
BUGFIX:
- check ecosystem before aws-vault kpi commands
BUGFIX:
- cleanup kpi csv file after upload
BUGFIX:
- correct bucket/prefix referenced to get version ID
- ensure breaking changes in 13.0.0 are adhered to
BREAKING:
- Add prd infra changes to core kpi bucket
- Requires tf-aws-eksci v32.0.0
- Requires cp-jenkins-libs v12.0.0
FEATURE:
- Add support for darwin arm64 providers
FEATURE:
- add optional
--jsonarg to use-jsonin plan/apply
BUGFIX:
- add params at ecosystem level during import
FEATURES:
- support installing 3rd-party providers.
- support providing optional providers via a
.terraform-providers-local.yamlfile.
FEATURES:
- Update the ecoroles config to use directory name
rolesat the ecosystem level
PATCH:
- Check time left on sso CLI sessions
BREAKING:
- Read params/env.tfvars at the ecosystem level.
- This version should only be used when updating to the
ironrelease
FEATURE:
- Remove old tf12-13 upgrade provider cache BUGFIX:
- Use new providercache dir for tf14 onwards
BREAKING:
- Update providers for namespace functionality as part of TF14 update
- Remove TF lock file when running TF plan
- This version should only be used when updating to TF14 (chromium release)
BUGFIX:
- Set
AWS_REGIONenvvar rather thanAWS_DEFAULT_REGION- this is to fix a provider bug that prevents you from creating S3 buckets outside of
eu-west-1
- this is to fix a provider bug that prevents you from creating S3 buckets outside of
FEATURE:
- Show remaining seconds left on session
- Fix typo
FEATURE:
- Export Main Environment when running actions at Ecosystem level to support the environment to ecosystem migration
FEATURE:
- Check AWS session time before running. If the remaining session time is <20 minutes then clear the session and get a new one. If less than 40 minutes, check if the user wants to clear the session before continuing. This is for the case of long-running applys such as EKS upgrades.
FEATURE:
- Load secrets into env vars for terraform import
FEATURE:
- Add terraform import option
BREAKING:
- Update the providers download to support the new local provider path. Also provides a second compatibility provider dir for when migrating from tf1 2 -> tf13. This version should only be used when updating to TF13 (scandium release)
BUGFIX:
- Only warn on missing hiera lookups
FEATURE:
- Add
ecoroleslevel at the ecosystem
BUGFIX:
- Handle outputs of
aws-vaulton Linux clients
FEATURE:
- Check terraform version against .terraform-version before running
BREAKING:
- Upgrade aws-sdk to v3
- This requires the following updates in your infra's Gemfile:
- Update: gem 'aws-sdk-core', '~> 3'
- Update lugus gem to at least 'v9.0.0'
- Remove: gem 'aws_assume_role', '1.2.1'
BUGFIX:
- Fix zip file open for use in containers
BREAKING CHANGES:
- Remove
aws_assume_rolegem - Use
aws-vaultfor assuming role- Install it separately: https://github.com/99designs/aws-vault
- New AWS config format: Uses
<product>-<ecosysyem>-[dev|pe|root]profile names - If you want to use
itv-devrole by default putexport ITV_DEV=trueinto your shell's rc file - To skip invoking
aws-vaultrunexport FREEZE_AWS_ENVVAR=true
- To use Yubikey for MFA, set the following environment variable (with your email!):
export YUBIKEY_MFA='Amazon Web Services:first.last@itv.com@itv-root'- you must have ykman installed for this to work: https://developers.yubico.com/yubikey-manager/
FEATURES:
- Pin to Ruby 2.7.1
- Update vulnerable Rake
FEATURES:
- Allow dome to use
params/env.tffrom the environment level when running on new run-levelservices
FEATURES:
- Add
servicelevel where a business service can be defined within<product>-infra/terraform/<product>-<ecosystem>/<environment>/<services>/<serviceX>. This ensures a one services AWS S3 bucket with multiple uniquely named terraform state files. - Add explicit validation for
servicesandroleslevels.
NOTE: Do not use v7.0.0 or v7.0.1 as v7.0.2 contains the necessary incremental fixes.
FEATURES:
- Provide better naming convention for service-level state file i.e.
<project>-<ecosystem>-<environment>-<services>.tfstate.
FEATURES:
- Add
servicelevel where a business service can be defined within<product>-infra/terraform/<product>-<ecosystem>/<environment>/<service>. This ensures a service-specific AWS S3 bucket and terraform state file.
FEATURES:
- Provide clearer error if required profile is missing from aws config
BUGFIX:
- Add
rubyzipdependency
FEATURES:
- Add Hiera secrets to
dome --environment
BUGFIX:
- Fix provider permissions
- Fix empty provider config
FEATURES:
- Install and configure Terraform providers if
.terraform-providers.yamlfile is present in the root of the project
FEATURES:
- Lookup Hiera secrets using a modified config (dome_ro Vault role)
FEATURES:
--environmentcommand to export variables and spawn a sub-shell
FEATURES:
- Simplify Environment class
- changes per level
- ecosystem level
- environment set explicitly to nil
- exports TF_VAR_dev_ecosystem_environments
- exports TF_VAR_prd_ecosystem_environments
- product level
- environment set explicitly to nil
- exports TF_VAR_cidr_ecosystem (prd cidr)
- ecosystem level
- changes per level
- More consistent prints
FEATURES:
- Locate project root and itv.yaml
FEATURES:
- Add
--sudooption to assumeitv-root
REMOVED:
- rvm 2.2.4 to ensure C.I is ran on rvm 2.3.1 only.
BUGFIX:
- Pin
dry-validationgem to '< 0.13.1' to work with Ruby v2.3.1.
FEATURE:
- Use secrets-init endpoint for initialization
FEATURES:
- Initialize Vault if necessary (requires PE)
- Use VAULT_TOKEN environment variable if set
FEATURES:
- Add secrets-init and secrets-config levels
- Better error handling
FEATURES:
- Fix account on product level
FEATURES:
- Parse product from itv.yaml
FEATURES:
- prepend
itv-to the state bucket names, to help avoid name collision - add state bootstrap to init command, with small delay to avoid S3 asynchronicity
FEATURES:
- add
--initoption to invoketerraform init
FEATURES:
- allow option to conserve existing environment variables rather than overriding them
- this is required for cross account role assuming from
ec2 - default behaviour is unchanged
- this is required for cross account role assuming from
- update deprecated gem
FEATURES:
- Added refresh, console and state commands (dome -r,dome -c,dome -t).
- Added level support. Where level is ecosystem,environment,product,roles. Each level has its own remote state.
BUGFIX:
- Give a useful error message if you try to run without Puppet private keys available.
BUGFIX:
- Remove cidr_ecosystem_dev/prd because they are breaking existing runs(in infraprd). Will enable again in the future once everyone is using 1.1.
FEATURES:
- Exports TF_VARS based on the current directory
- Update README
- Simplify output. Remove default debug mode.
- Doesn't delete cache folder
FEATURES:
- Set TF_VAR_product,ecosystem,envname
- Replace envname with env so we can transition to the new env name
- You can remove product,envname,ecosystem from your params/env.tfvars as they are now discovered from your directory structure
FEATURES:
- added support for aws-assume-role with temporary STS credentials
REQUIRED CHANGES:
- ruby >
v2.1 - added dependency on
aws-assume-roleGem - please follow setup instructions
BREAKING CHANGE:
- Terraform 0.10.x support
REQUIRED CHANGES:
- Add a block for the s3 backend in the
main.tf(example from root-infra):terraform { backend "s3" { bucket = "root-tfstate-infraprd" key = "infraprd-terraform.tfstate" region = "eu-west-1" dynamodb_table = "root-tfstate-infraprd" } } - Pin the providers to specific versions: (example from root-infra):
provider "aws" { region = "${var.region}" version = "1.0.0" } provider "template" { version = "1.0.0" } provider "terraform" { version = "1.0.0" }
Update hiera to 3.x, required for projects which implement Puppet 5.x
Breaking change:
Ecosystem variable within the ITV yaml now needs to be a hash - the Terraform run will fail hard if the ecosystems are not set to a hash within the config
Added hiera-eyaml support.
This allows us to use encrypted Terraform variables via hiera lookups (the hiera.yaml is consumed).
It also allows us to decrypt and extract SSL certificates or SSH keys which can then be used as appropriate.
In order to utilise these two improvements, you must update your itv.yaml e.g.:
dome:
hiera_keys:
artifactory_password: 'deirdre::artifactory_password'
certs:
sit.phoenix.itv.com.pem: 'phoenix::sit_wildcard_cert'
phoenix.key: 'phoenix::certificate_key'
This release also containes:
- Improved debugging/output messages.
- More tests.
Forcibly unsetting environment variables AWS_ACCESS_KEY and AWS_SECRET_KEY.
This is to prevent bypassing the user's local credentials specified in ~/.aws/credentials.
Fixed bug where dome --state needed to be called first when setting up a new environment.
This requires some further testing but we may wish to remove this CLI option in the future.
Thanks to @Russell-IO for helping with these changes.
- Internal refactoring.
- More tests added (but lots more needed).
- Improved debug output and explained up front how variables are set.
- Removed
aws_profile_parserand used environment variables instead to unify the AWS CLI and terraform calls.
ROADMAP:
- Merge @mhlias changes that implements assumed-role support.