Releases
v5.1.0
5.1.0 (2026-06-25)
⚠ BREAKING CHANGES
iam/agent: the IRSA token no longer has Route53/EKS/ELB/AVP permissions directly. The agent must assume the permissions role (exposed via the nullplatform_agent_permissions_role_arn output) to use them.
iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
dns,ingress,iam: support disabling public-side resources (#364 )
nullplatform/dimension: callers of nullplatform/dimensions must migrate to nullplatform/dimension and run a terraform state mv to preserve the existing dimension (resource labels changed from environment / environment_value to this). Migration steps are documented in the new module's README.
security,eks: cluster_security_group_id and gateway_port variables removed from infrastructure/aws/security. Callers must replace those inputs with a separate module eks_gateway_rules call using infrastructure/aws/eks-gateway-rules.
Features
613: add support cert manager for oci (#152 ) (1282171 )
account: make repository_prefix and repository_provider optional (#326 ) (a0a079a )
add additional_policies variable to agent IAM module (#233 ) (7762406 )
add ebs and storage class for eks (#298 ) (8c00ba3 )
add eks_cluster_primary_security_group_id output (#236 ) (46412f8 )
add extra_envs variable to agent module (#229 ) (996b24f )
add istio security groups (#190 ) (5e06e8c )
add pre-configured api_key modules for agent, scope and service notifications (d5d1d76 )
add scope_configuration module (#271 ) (a49e943 )
agent: add config external-dns to aws config (3d69436 )
agent: add config external-dns to aws config (#105 ) (1a828f9 )
agent: IAM assume-role support + multi-instance parametrization (#386 ) (b82df52 )
agent: move identical variables to global configuration (2b78254 )
aks acr integration (#120 ) (e2237b6 )
api-key: add custom_grants support for multi-NRN grants (#276 ) (ce70c59 )
aws-backend: make backend module compliant with OpenTofu S3 backend docs (#238 ) (d494c20 )
aws-eks: add private access to k8s API (7d971ad )
aws-vpc: disable public ip to EC2 (973f1bc )
azure/aks: enforce workload identity — hardcode oidc_issuer_enabled (#358 ) (e542032 )
azure/cloud: support passing authentication credentials as variables (#381 ) (2313640 )
azure: Add private DNS zone module (813cad3 )
azure: Add private DNS zone module (#90 ) (5d4399e )
azure: AKS routing infra — aks_route_table module, vnet drift fix, security improvements (#360 ) (15c2372 )
azure: unify variable names and update module conventions (41d4f3b )
azure: unify variable names and update module conventions (#162 ) (d8bccf1 )
backend: add optional KMS encryption and IAM bucket policy (#246 ) (1af61bd )
base: add gateway_public_azure_load_balancer_subnet (#403 ) (b9b6f5e )
base: add gateway_public_load_balancer_type and fix public gateway name (#392 ) (116fc70 )
base: security and nrn tags (#160 ) (2ad4b2f )
cert-manager: add aws support (858e346 )
cert-manager: add Azure Workload Identity support (#272 ) (800249c )
chart: new version of charts (#122 ) (83a8b39 )
ci: enable AI readme generator workflow (#203 ) (5ed8c84 )
ci: integrate AI readme generation into Release Please workflow (#209 ) (5ea8de5 )
cloud-dns: DNSSEC enabled by default for public zones (#393 ) (c2e606d )
commons/azure: Workload Identity for cert-manager and external-dns, with Service Principal fallback (#361 ) (f11896e )
container orchestration (#216 ) (1a87622 )
customers-aws-image: update readme (f367a8f )
dns,ingress,iam: support disabling public-side resources (#364 ) (872efa1 )
do not require org nrn (#261 ) (25d5a5b )
ecr: migrate IAM to infrastructure/aws/iam/ecr module (#372 ) (faa35b8 )
edit readme (#222 ) (4f94816 )
eks version (#270 ) (8bf801e )
eks: expose ami_release_version and use_latest_ami_release_version (#334 ) (1d88c1e )
eks: expose control plane logging configuration (#242 ) (322d3f6 )
esternal-dns: resolve conflicts (4f71b63 )
external_dns: add label_filter support for Route53 provider (#371 ) (0827191 )
external_dns: support azure-private-dns provider (#369 ) (3a0ebf5 )
externaldns: support multi external dns (#97 ) (3ddbd8e )
gcp: unify variable names and rename modules for consistency (3a619f8 )
iam/agent: split agent role into agent + permissions roles (#397 ) (9df28f5 )
iam: separate build workflow user from asset repositories + add S3 asset support (#402 ) (9ae9e09 )
identity-access-control: add cloud-agnostic provider config module (#387 ) (ddcc212 )
infra: add v1 to namespace external dns (ae35596 )
infrastructure/aws/eks: expose encryption_config (backward-compatible) (#324 ) (f3294d6 )
introduce api_key module for unified API key management (#155 ) (aded8a6 )
istio: expose istiod_replicas to guarantee HA for node drains (#292 ) (05a081f )
nullplatform-base: update version (a872b6f )
nullplatform/asset/ecr: add configurable cross-account pull policy (#330 ) (6f4392f )
nullplatform/asset/ecr: add ecr:SetRepositoryPolicy to manager policy (#307 ) (a0520b5 )
nullplatform/base: add per-provider log/metrics split and applicationLogs toggle (#362 ) (b6fb844 )
nullplatform/cloud/aws/vpc: implement aws-networking-configuration provider config (#255 ) (3c3439b )
nullplatform/scope_definition: add extra_visible_to_nrns for org-wide sharing (#304 ) (b52d0f0 )
nullplatform/scope_definition: expose scope_configuration_name_override (backward-compatible) (#328 ) (8ef0b0e )
OCI security list auto-management and namespace race condition fix (#197 ) (3d2a723 )
oci test (#213 ) (33594c7 )
oci: add support for oci (#146 ) (ffaa72d )
oci: cloud provider (#175 ) (bcdc2b5 )
provider: add support for azure devops (#133 ) (e0125d9 )
rename route53 to dns and add diagnose actions to scope definition (#215 ) (a40c98b )
scope_configuration: support icon (#348 ) (a4db9cf )
scope-definition-agent-association: add extra_filters support (#353 ) (0b0191f )
scope-definition: add description field to nullplatform_service_specification (#273 ) (f9ee6ea )
scope-definition: add optional scope configuration support (#254 ) (b585706 )
scope: parameterize repository values (#110 ) (297c1a3 )
security,eks: extract gateway SG rules into dedicated eks-gateway-rules module (#314 ) (bb5a1dd )
service definition and service association channel (#121 ) (44e6a8e )
service-definition: add local filesystem provider for spec loading (#278 ) (f24d7c9 )
service: add support to gitlab (#249 ) (1d41de6 )
support to different cni of oke (#250 ) (9905b57 )
tofu: run fmt (371342b )
update nullplatform provider to >= 0.0.86 across all modules (#322 ) (6b5e5ce )
vpc: export security group IDs as output (#258 ) (7509399 )
Bug Fixes
acm: fix logic (cafffea )
actions (#227 ) (1bff3ae )
add disclaimer for registration_enabled usage (ac1fd0a )
add missing description and type fields to module variables (#268 ) (36faf96 )
add push release-please (#225 ) (1803560 )
add terraform-docs step to release PR generation flow (#262 ) (5a35267 )
add validation for virtual_network_links (76438d0 )
agent: add permission to verifiedpermissions (7d2c50c )
agent: add permission to verifiedpermissions (#145 ) (369012e )
agent: move cross-variable validations to lifecycle preconditions (#341 ) (799f26c )
aks: add network contributor (0305ade )
aks: add network contributor (#114 ) (1542270 )
alb-controller: fix sa to v1 (ab6f557 )
alb-controller: fix sa to v1 (8a9d1d3 )
api key lifecycle (#163 ) (beaa60f )
api key lifecycle (#165 ) (86fd93e )
api_key: add create_before_destroy to prevent service disruption (7efc3ed )
api_key: convert tuple to map in dynamic block for_each (#342 ) (1d38bba )
api_key: rename backend.tf to providers.tf and add version constraint (543b174 )
api_key: replace concat with merge to produce map(string) for tags (#346 ) (9cf26ea )
api_key: use tomap and map(string) to satisfy for_each type constraint (#344 ) (bf02402 )
aws-eks: fix name variable (2b178e1 )
aws-region: use .name instead of .region attribute in aws_region data source (0d0912e )
aws-region: use .name instead of .region attribute in aws_region data source (#154 ) (7094878 )
aws-security: resolve conflicts (34a4c27 )
aws/cloud: allow to update attributes (#363 ) (f99f9a1 )
azure-aks: add role to vnet (b40d33d )
azure-aks: principal_id variable (6e3d54c )
azure-aks: principal_id variable (6232bf0 )
azure/vnet: relax azurerm provider constraint to ~> 4.0 (a4985ec )
base-gateways: add annotation to LB use subnet private (8e3b09e )
base: adding gateway name parameter (#139 ) (a47a299 )
base: disabled webhook option (2496ba4 )
base: remove dangerous helm release options (#302 ) (66cdd18 )
base: update outputs to use input vars instead of removed modules (ac34128 )
base: update version chart (0bc1fbd )
base: update version chart (#116 ) (26a1034 )
base: update version helm chart (b8bec08 )
cert manager: fix linter (#95 ) (260d4c2 )
cert_manager,external_dns: move cross-variable validations to terraform_data preconditions (#315 ) (a213e35 )
cert-manager-iam: fix allow hosted zone (e819f79 )
cert-manager-iam: fix sa name & add private zone managed (5142697 )
cert-manager: add helm options (7bd7b2c )
cert-manager: remove default to mandatory variables (351a7f9 )
cert-manager: remove IRSA (6383227 )
cert-manager: resolve conflicts (c6a3cb7 )
chart-base: add istio gateway security groups (#143 ) (03fa7be )
ci: correct workflow reference path in tofu-test pipeline (0c97f44 )
ci: pass secrets to readme-generator workflow (#207 ) (a99fa51 )
ci: remove push trigger from tofu-test workflow (#205 ) (aef2384 )
ci: restore git permissions after secondary checkout (#264 ) (a1d81a5 )
ci: skip branch validation and commitlint for release-please branches (#300 ) (ce771a5 )
ci: skip deleted modules in readme generation (#301 ) (5f74c38 )
ci: update readme versions to release target and exclude root README (#211 ) (2b70f1b )
code_repository: remove access block and ignore_changes from all providers (#396 ) (4295a7f )
code-repository: fix version (c7a371b )
code-repository: fix version (eaa3117 )
commitlint: disable body-max-line-length rule (3ed3244 )
commons-external-dns: add switch to namespaces create (06852f7 )
commons-external-dns: add switch to namespaces create (19cd4a6 )
delete conflicting aws provider from backend module (#240 ) (aa6cb87 )
disable readme version update temporarily (#192 ) (58072e7 )
dns: ignore vpc changes on private_zone for cross-account assoc (#398 ) (772c201 )
ecr: add cross-account pull and repository policy support (#384 ) (cf6431f )
ecr: remove read section, cross-account role, and fix setup.policy drift (#389 ) (8000c6b )
eks: add additional security group (2c44375 )
eks: auth mode validation and s3 secure transport policy (#266 ) (3a96b54 )
eks: disable node security group to avoid ALB controller conflict (#137 ) (8cbe80b )
eks: resolve Auto Mode compatibility issues (#167 ) (c58baea )
eks: segregate logic of node groups (0937b93 )
external_dns: change default sources and policy (#282 ) (50e8cde )
external_dns: derive label_filter default from zone_type convention (#375 ) (09ec15b )
external_dns: move cross-variable validations to terraform_data preconditions (#310 ) (c4f010e )
external-dns-iam: add trust policy (4fc890f )
external-dns: add action external dns policy (4752701 )
external-dns: add manage private zone (e0fbfff )
external-dns: add rbac (#141 ) (ea5c5bb )
external-dns: add rbac to manage dns endpoints (546876e )
external-dns: add source httproute (ba3b6fc )
external-dns: add source variable (aed8c25 )
external-dns: delete namespace manifest (17b7495 )
external-dns: fix external dns variable type (d44879c )
external-dns: fix external dns variable type (#128 ) (af26c59 )
external-dns: fix name chart (b0c4d05 )
external-dns: fix name chart (01852d9 )
external-dns: fix rbac to dnsendpoint (1e26890 )
external-dns: fix sources (fe50c75 )
external-dns: move zone_type to variable (bd3ac1b )
external-dns: remove registry (73cf983 )
external-dns: resolve conflicts (4c9a701 )
external-dns: rollback name dns provider (16ecdd9 )
external-dns: sa name (e0bdcb6 )
external-dns: set default value (#126 ) (c652f64 )
external-dns: single managed hosted zone (8dd9c20 )
gcp: remove duplicate output and version files (4004729 )
gke: add protection destroy as false (#102 ) (26f0788 )
helm: add options to applies (987403a )
helm: add options to applies (b64a340 )
iam-cert-manager: arn role (f9e27bd )
iam-cert-manager: arn role (e0e112c )
iam-cert-manager: arn role (65c5fb0 )
iam-cert-manager: arn role (4ea5275 )
iam-cert-manager: arn role (63959ac )
improve vpc variable descriptions for clarity (#194 ) (a165d43 )
infra: fix namespace name (5f22a63 )
infra: security hardening, DNS test fixes, WI docs and AVP revert (#295 ) (d5982fe )
istio subnet annotation (#327 ) (57c2495 )
istio: add OCI LoadBalancer subnet annotation support (#317 ) (4427b61 )
istio: wait for condition (8cbe4e1 )
make virtual_network_links required without default (329f5a5 )
nullplatform-asset-ecr: fix deprecated attribute name for region (ed29e76 )
nullplatform-base: add security groups to gateways (2b72d60 )
nullplatform/asset/ecr: correct invalid provider version constraint operator (#332 ) (8467496 )
nullplatform/asset/ecr: remove unsupported dimensions variable (#308 ) (6caa947 )
nullplatform/scope_definition: ignore_changes on action_specification icon (#350 ) (b895608 )
nullplatform/scope_definition: ignore_changes on scope_type provider_type and status (#305 ) (895ced0 )
nullplatform: add dimensions variable and eks balancer improvements (#290 ) (e38d07e )
nullplatform: rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (d23557a )
pipeline: fix reference (#176 ) (ac897ab )
private_dns: make virtual_network_links required and update example (c75b08f )
release: fix commit message (#131 ) (eb4e239 )
release: fix commit message (#88 ) (5926b7b )
remove OCI configuration aliases and bump chart defaults (#184 ) (2e65a28 )
remove provider (#285 ) (65a31b1 )
remove provider (#287 ) (6cd6ef0 )
remove usedBy tag from api_key notification channels (#183 ) (dbe2c9a )
rename agent API key to AGENT-ASSOCIATION with minimal permissions (#92 ) (1fb44b2 )
rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (#117 ) (1ed79ba )
replace agent helm release when API key rotates (b0ea1c9 )
replace deprecated data.aws_region.current.name with .region (5e90e4a )
replace deprecated data.aws_region.current.name with .region (#201 ) (0ba762b )
replace notification channels when API key rotates (07d3e17 )
route53: disable output acm (1dc1601 )
route53: disabled ACM (413144d )
scope_configuration: remove icon attribute (not in nullplatform_provider_config schema) (#351 ) (35b3d93 )
scope_definition_agent_association: add devops role to channel API key (dc92016 )
scope_definition_agent_association: use ops role instead of devops (6012a4a )
scope: Add support for icon and annotations in service action spec definition (#82 ) (5c7c1bb )
scope: Fixing typo in annotation in scope definition module (#85 ) (75a0d48 )
security,base: add health check toggle, ALB-to-pod rules, and gateway fixes (#230 ) (f60a1a5 )
security: align provider version constraints with repo conventions (a47de86 )
security: change gateway_port default from 8443 to 443 (#281 ) (6c5fc5c )
security: resolve cluster SG from data source instead of variable (#284 ) (a816f55 )
security: use static var.cluster_name in count to avoid unknown at plan time (#338 ) (a2675f4 )
service_definition_agent_association: remove telemetry from channel_sources default (#377 ) (876ad77 )
service_definition: handle empty service_path for GitLab and cmdline (#400 ) (826e016 )
service-definition: simplify link specifications to use only links/ directory (#149 ) (6db7d61 )
tofu-modules: update variables & readme (8de37f1 )
tofu: fmt (a9da839 )
tofu: resolve conflicts (57ef623 )
tofu: resolve conflicts (013628f )
trigger release (#150 ) (eaa6a66 )
update to v0.15.0 and replace resource_group_name for parent_id (#53 ) (fe32430 )
use configurable branch for notification channel template URL (#224 ) (825343d )
Reverts
Miscellaneous Chores
Code Refactoring
nullplatform/dimension: replace dimensions with parameterized single-dimension module (#354 ) (319d962 )