chore(main): release 5.1.0#412

Merged
davidf-null merged 2 commits into main from release-please--branches--main on Jun 25, 2026

@github-actions

Contributor

🤖 I have created a release beep boop

5.1.0 (2026-06-25)

⚠ BREAKING CHANGES

  • iam/agent: the IRSA token no longer has Route53/EKS/ELB/AVP permissions directly. The agent must assume the permissions role (exposed via the nullplatform_agent_permissions_role_arn output) to use them.
  • iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
  • dns,ingress,iam: support disabling public-side resources (#364)
  • nullplatform/dimension: callers of nullplatform/dimensions must migrate to nullplatform/dimension and run a terraform state mv to preserve the existing dimension (resource labels changed from environment / environment_value to this). Migration steps are documented in the new module's README.
  • security,eks: cluster_security_group_id and gateway_port variables removed from infrastructure/aws/security. Callers must replace those inputs with a separate module eks_gateway_rules call using infrastructure/aws/eks-gateway-rules.

Features

  • 613: add support cert manager for oci (#152) (1282171)
  • account: make repository_prefix and repository_provider optional (#326) (a0a079a)
  • add additional_policies variable to agent IAM module (#233) (7762406)
  • add ebs and storage class for eks (#298) (8c00ba3)
  • add eks_cluster_primary_security_group_id output (#236) (46412f8)
  • add extra_envs variable to agent module (#229) (996b24f)
  • add istio security groups (#190) (5e06e8c)
  • add pre-configured api_key modules for agent, scope and service notifications (d5d1d76)
  • add scope_configuration module (#271) (a49e943)
  • agent: add config external-dns to aws config (3d69436)
  • agent: add config external-dns to aws config (#105) (1a828f9)
  • agent: IAM assume-role support + multi-instance parametrization (#386) (b82df52)
  • agent: move identical variables to global configuration (2b78254)
  • aks acr integration (#120) (e2237b6)
  • api-key: add custom_grants support for multi-NRN grants (#276) (ce70c59)
  • aws-backend: make backend module compliant with OpenTofu S3 backend docs (#238) (d494c20)
  • aws-eks: add private access to k8s API (7d971ad)
  • aws-vpc: disable public ip to EC2 (973f1bc)
  • azure/aks: enforce workload identity — hardcode oidc_issuer_enabled (#358) (e542032)
  • azure/cloud: support passing authentication credentials as variables (#381) (2313640)
  • azure: Add private DNS zone module (813cad3)
  • azure: Add private DNS zone module (#90) (5d4399e)
  • azure: AKS routing infra — aks_route_table module, vnet drift fix, security improvements (#360) (15c2372)
  • azure: unify variable names and update module conventions (41d4f3b)
  • azure: unify variable names and update module conventions (#162) (d8bccf1)
  • backend: add optional KMS encryption and IAM bucket policy (#246) (1af61bd)
  • base: add gateway_public_azure_load_balancer_subnet (#403) (b9b6f5e)
  • base: add gateway_public_load_balancer_type and fix public gateway name (#392) (116fc70)
  • base: security and nrn tags (#160) (2ad4b2f)
  • cert-manager: add aws support (858e346)
  • cert-manager: add Azure Workload Identity support (#272) (800249c)
  • chart: new version of charts (#122) (83a8b39)
  • ci: enable AI readme generator workflow (#203) (5ed8c84)
  • ci: integrate AI readme generation into Release Please workflow (#209) (5ea8de5)
  • cloud-dns: DNSSEC enabled by default for public zones (#393) (c2e606d)
  • commons/azure: Workload Identity for cert-manager and external-dns, with Service Principal fallback (#361) (f11896e)
  • container orchestration (#216) (1a87622)
  • customers-aws-image: update readme (f367a8f)
  • dns,ingress,iam: support disabling public-side resources (#364) (872efa1)
  • do not require org nrn (#261) (25d5a5b)
  • ecr: migrate IAM to infrastructure/aws/iam/ecr module (#372) (faa35b8)
  • edit readme (#222) (4f94816)
  • eks version (#270) (8bf801e)
  • eks: expose ami_release_version and use_latest_ami_release_version (#334) (1d88c1e)
  • eks: expose control plane logging configuration (#242) (322d3f6)
  • esternal-dns: resolve conflicts (4f71b63)
  • external_dns: add label_filter support for Route53 provider (#371) (0827191)
  • external_dns: support azure-private-dns provider (#369) (3a0ebf5)
  • externaldns: support multi external dns (#97) (3ddbd8e)
  • gcp: unify variable names and rename modules for consistency (3a619f8)
  • iam/agent: split agent role into agent + permissions roles (#397) (9df28f5)
  • iam: separate build workflow user from asset repositories + add S3 asset support (#402) (9ae9e09)
  • identity-access-control: add cloud-agnostic provider config module (#387) (ddcc212)
  • infra: add v1 to namespace external dns (ae35596)
  • infrastructure/aws/eks: expose encryption_config (backward-compatible) (#324) (f3294d6)
  • introduce api_key module for unified API key management (#155) (aded8a6)
  • istio: expose istiod_replicas to guarantee HA for node drains (#292) (05a081f)
  • nullplatform-base: update version (a872b6f)
  • nullplatform/asset/ecr: add configurable cross-account pull policy (#330) (6f4392f)
  • nullplatform/asset/ecr: add ecr:SetRepositoryPolicy to manager policy (#307) (a0520b5)
  • nullplatform/base: add per-provider log/metrics split and applicationLogs toggle (#362) (b6fb844)
  • nullplatform/cloud/aws/vpc: implement aws-networking-configuration provider config (#255) (3c3439b)
  • nullplatform/scope_definition: add extra_visible_to_nrns for org-wide sharing (#304) (b52d0f0)
  • nullplatform/scope_definition: expose scope_configuration_name_override (backward-compatible) (#328) (8ef0b0e)
  • OCI security list auto-management and namespace race condition fix (#197) (3d2a723)
  • oci test (#213) (33594c7)
  • oci: add support for oci (#146) (ffaa72d)
  • oci: cloud provider (#175) (bcdc2b5)
  • provider: add support for azure devops (#133) (e0125d9)
  • rename route53 to dns and add diagnose actions to scope definition (#215) (a40c98b)
  • scope_configuration: support icon (#348) (a4db9cf)
  • scope-definition-agent-association: add extra_filters support (#353) (0b0191f)
  • scope-definition: add description field to nullplatform_service_specification (#273) (f9ee6ea)
  • scope-definition: add optional scope configuration support (#254) (b585706)
  • scope: parameterize repository values (#110) (297c1a3)
  • security,eks: extract gateway SG rules into dedicated eks-gateway-rules module (#314) (bb5a1dd)
  • service definition and service association channel (#121) (44e6a8e)
  • service-definition: add local filesystem provider for spec loading (#278) (f24d7c9)
  • service: add support to gitlab (#249) (1d41de6)
  • support to different cni of oke (#250) (9905b57)
  • tofu: run fmt (371342b)
  • update nullplatform provider to >= 0.0.86 across all modules (#322) (6b5e5ce)
  • vpc: export security group IDs as output (#258) (7509399)

Bug Fixes

  • acm: fix logic (cafffea)
  • actions (#227) (1bff3ae)
  • add disclaimer for registration_enabled usage (ac1fd0a)
  • add missing description and type fields to module variables (#268) (36faf96)
  • add push release-please (#225) (1803560)
  • add terraform-docs step to release PR generation flow (#262) (5a35267)
  • add validation for virtual_network_links (76438d0)
  • agent: add permission to verifiedpermissions (7d2c50c)
  • agent: add permission to verifiedpermissions (#145) (369012e)
  • agent: move cross-variable validations to lifecycle preconditions (#341) (799f26c)
  • aks: add network contributor (0305ade)
  • aks: add network contributor (#114) (1542270)
  • alb-controller: fix sa to v1 (ab6f557)
  • alb-controller: fix sa to v1 (8a9d1d3)
  • api key lifecycle (#163) (beaa60f)
  • api key lifecycle (#165) (86fd93e)
  • api_key: add create_before_destroy to prevent service disruption (7efc3ed)
  • api_key: convert tuple to map in dynamic block for_each (#342) (1d38bba)
  • api_key: rename backend.tf to providers.tf and add version constraint (543b174)
  • api_key: replace concat with merge to produce map(string) for tags (#346) (9cf26ea)
  • api_key: use tomap and map(string) to satisfy for_each type constraint (#344) (bf02402)
  • aws-eks: fix name variable (2b178e1)
  • aws-region: use .name instead of .region attribute in aws_region data source (0d0912e)
  • aws-region: use .name instead of .region attribute in aws_region data source (#154) (7094878)
  • aws-security: resolve conflicts (34a4c27)
  • aws/cloud: allow to update attributes (#363) (f99f9a1)
  • azure-aks: add role to vnet (b40d33d)
  • azure-aks: principal_id variable (6e3d54c)
  • azure-aks: principal_id variable (6232bf0)
  • azure/vnet: relax azurerm provider constraint to ~> 4.0 (a4985ec)
  • base-gateways: add annotation to LB use subnet private (8e3b09e)
  • base: adding gateway name parameter (#139) (a47a299)
  • base: disabled webhook option (2496ba4)
  • base: remove dangerous helm release options (#302) (66cdd18)
  • base: update outputs to use input vars instead of removed modules (ac34128)
  • base: update version chart (0bc1fbd)
  • base: update version chart (#116) (26a1034)
  • base: update version helm chart (b8bec08)
  • cert manager: fix linter (#95) (260d4c2)
  • cert_manager,external_dns: move cross-variable validations to terraform_data preconditions (#315) (a213e35)
  • cert-manager-iam: fix allow hosted zone (e819f79)
  • cert-manager-iam: fix sa name & add private zone managed (5142697)
  • cert-manager: add helm options (7bd7b2c)
  • cert-manager: remove default to mandatory variables (351a7f9)
  • cert-manager: remove IRSA (6383227)
  • cert-manager: resolve conflicts (c6a3cb7)
  • chart-base: add istio gateway security groups (#143) (03fa7be)
  • ci: correct workflow reference path in tofu-test pipeline (0c97f44)
  • ci: pass secrets to readme-generator workflow (#207) (a99fa51)
  • ci: remove push trigger from tofu-test workflow (#205) (aef2384)
  • ci: restore git permissions after secondary checkout (#264) (a1d81a5)
  • ci: skip branch validation and commitlint for release-please branches (#300) (ce771a5)
  • ci: skip deleted modules in readme generation (#301) (5f74c38)
  • ci: update readme versions to release target and exclude root README (#211) (2b70f1b)
  • code_repository: remove access block and ignore_changes from all providers (#396) (4295a7f)
  • code-repository: fix version (c7a371b)
  • code-repository: fix version (eaa3117)
  • commitlint: disable body-max-line-length rule (3ed3244)
  • commons-external-dns: add switch to namespaces create (06852f7)
  • commons-external-dns: add switch to namespaces create (19cd4a6)
  • delete conflicting aws provider from backend module (#240) (aa6cb87)
  • disable readme version update temporarily (#192) (58072e7)
  • dns: ignore vpc changes on private_zone for cross-account assoc (#398) (772c201)
  • ecr: add cross-account pull and repository policy support (#384) (cf6431f)
  • ecr: remove read section, cross-account role, and fix setup.policy drift (#389) (8000c6b)
  • eks: add additional security group (2c44375)
  • eks: auth mode validation and s3 secure transport policy (#266) (3a96b54)
  • eks: disable node security group to avoid ALB controller conflict (#137) (8cbe80b)
  • eks: resolve Auto Mode compatibility issues (#167) (c58baea)
  • eks: segregate logic of node groups (0937b93)
  • external_dns: change default sources and policy (#282) (50e8cde)
  • external_dns: derive label_filter default from zone_type convention (#375) (09ec15b)
  • external_dns: move cross-variable validations to terraform_data preconditions (#310) (c4f010e)
  • external-dns-iam: add trust policy (4fc890f)
  • external-dns: add action external dns policy (4752701)
  • external-dns: add manage private zone (e0fbfff)
  • external-dns: add rbac (#141) (ea5c5bb)
  • external-dns: add rbac to manage dns endpoints (546876e)
  • external-dns: add source httproute (ba3b6fc)
  • external-dns: add source variable (aed8c25)
  • external-dns: delete namespace manifest (17b7495)
  • external-dns: fix external dns variable type (d44879c)
  • external-dns: fix external dns variable type (#128) (af26c59)
  • external-dns: fix name chart (b0c4d05)
  • external-dns: fix name chart (01852d9)
  • external-dns: fix rbac to dnsendpoint (1e26890)
  • external-dns: fix sources (fe50c75)
  • external-dns: move zone_type to variable (bd3ac1b)
  • external-dns: remove registry (73cf983)
  • external-dns: resolve conflicts (4c9a701)
  • external-dns: rollback name dns provider (16ecdd9)
  • external-dns: sa name (e0bdcb6)
  • external-dns: set default value (#126) (c652f64)
  • external-dns: single managed hosted zone (8dd9c20)
  • gcp: remove duplicate output and version files (4004729)
  • gke: add protection destroy as false (#102) (26f0788)
  • helm: add options to applies (987403a)
  • helm: add options to applies (b64a340)
  • iam-cert-manager: arn role (f9e27bd)
  • iam-cert-manager: arn role (e0e112c)
  • iam-cert-manager: arn role (65c5fb0)
  • iam-cert-manager: arn role (4ea5275)
  • iam-cert-manager: arn role (63959ac)
  • improve vpc variable descriptions for clarity (#194) (a165d43)
  • infra: fix namespace name (5f22a63)
  • infra: security hardening, DNS test fixes, WI docs and AVP revert (#295) (d5982fe)
  • istio subnet annotation (#327) (57c2495)
  • istio: add OCI LoadBalancer subnet annotation support (#317) (4427b61)
  • istio: wait for condition (8cbe4e1)
  • make virtual_network_links required without default (329f5a5)
  • nullplatform-asset-ecr: fix deprecated attribute name for region (ed29e76)
  • nullplatform-base: add security groups to gateways (2b72d60)
  • nullplatform/asset/ecr: correct invalid provider version constraint operator (#332) (8467496)
  • nullplatform/asset/ecr: remove unsupported dimensions variable (#308) (6caa947)
  • nullplatform/scope_definition: ignore_changes on action_specification icon (#350) (b895608)
  • nullplatform/scope_definition: ignore_changes on scope_type provider_type and status (#305) (895ced0)
  • nullplatform: add dimensions variable and eks balancer improvements (#290) (e38d07e)
  • nullplatform: rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (d23557a)
  • pipeline: fix reference (#176) (ac897ab)
  • private_dns: make virtual_network_links required and update example (c75b08f)
  • release: fix commit message (#131) (eb4e239)
  • release: fix commit message (#88) (5926b7b)
  • remove OCI configuration aliases and bump chart defaults (#184) (2e65a28)
  • remove provider (#285) (65a31b1)
  • remove provider (#287) (6cd6ef0)
  • remove usedBy tag from api_key notification channels (#183) (dbe2c9a)
  • rename agent API key to AGENT-ASSOCIATION with minimal permissions (#92) (1fb44b2)
  • rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (#117) (1ed79ba)
  • replace agent helm release when API key rotates (b0ea1c9)
  • replace deprecated data.aws_region.current.name with .region (5e90e4a)
  • replace deprecated data.aws_region.current.name with .region (#201) (0ba762b)
  • replace notification channels when API key rotates (07d3e17)
  • route53: disable output acm (1dc1601)
  • route53: disabled ACM (413144d)
  • scope_configuration: remove icon attribute (not in nullplatform_provider_config schema) (#351) (35b3d93)
  • scope_definition_agent_association: add devops role to channel API key (dc92016)
  • scope_definition_agent_association: use ops role instead of devops (6012a4a)
  • scope: Add support for icon and annotations in service action spec definition (#82) (5c7c1bb)
  • scope: Fixing typo in annotation in scope definition module (#85) (75a0d48)
  • security,base: add health check toggle, ALB-to-pod rules, and gateway fixes (#230) (f60a1a5)
  • security: align provider version constraints with repo conventions (a47de86)
  • security: change gateway_port default from 8443 to 443 (#281) (6c5fc5c)
  • security: resolve cluster SG from data source instead of variable (#284) (a816f55)
  • security: use static var.cluster_name in count to avoid unknown at plan time (#338) (a2675f4)
  • service_definition_agent_association: remove telemetry from channel_sources default (#377) (876ad77)
  • service_definition: handle empty service_path for GitLab and cmdline (#400) (826e016)
  • service-definition: simplify link specifications to use only links/ directory (#149) (6db7d61)
  • tofu-modules: update variables & readme (8de37f1)
  • tofu: fmt (a9da839)
  • tofu: resolve conflicts (57ef623)
  • tofu: resolve conflicts (013628f)
  • trigger release (#150) (eaa6a66)
  • update to v0.15.0 and replace resource_group_name for parent_id (#53) (fe32430)
  • use configurable branch for notification channel template URL (#224) (825343d)

Reverts

Miscellaneous Chores

Code Refactoring

  • nullplatform/dimension: replace dimensions with parameterized single-dimension module (#354) (319d962)

This PR was generated with Release Please. See documentation.

@davidf-null davidf-null merged commit 6dc26c7 into main Jun 25, 2026
1 check passed
@davidf-null davidf-null deleted the release-please--branches--main branch June 25, 2026 18:49
@github-actions

Contributor Author

🤖 Created releases:

🌻
