v5.1.0

@github-actions github-actions released this 25 Jun 18:50
6dc26c7

5.1.0 (2026-06-25)

⚠ BREAKING CHANGES

  • iam/agent: the IRSA token no longer has Route53/EKS/ELB/AVP permissions directly. The agent must assume the permissions role (exposed via the nullplatform_agent_permissions_role_arn output) to use them.
  • iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
  • dns,ingress,iam: support disabling public-side resources (#364)
  • nullplatform/dimension: callers of nullplatform/dimensions must migrate to nullplatform/dimension and run a terraform state mv to preserve the existing dimension (resource labels changed from environment / environment_value to this). Migration steps are documented in the new module's README.
  • security,eks: cluster_security_group_id and gateway_port variables removed from infrastructure/aws/security. Callers must replace those inputs with a separate module eks_gateway_rules call using infrastructure/aws/eks-gateway-rules.

Features

  • 613: add support cert manager for oci (#152) (1282171)
  • account: make repository_prefix and repository_provider optional (#326) (a0a079a)
  • add additional_policies variable to agent IAM module (#233) (7762406)
  • add ebs and storage class for eks (#298) (8c00ba3)
  • add eks_cluster_primary_security_group_id output (#236) (46412f8)
  • add extra_envs variable to agent module (#229) (996b24f)
  • add istio security groups (#190) (5e06e8c)
  • add pre-configured api_key modules for agent, scope and service notifications (d5d1d76)
  • add scope_configuration module (#271) (a49e943)
  • agent: add config external-dns to aws config (3d69436)
  • agent: add config external-dns to aws config (#105) (1a828f9)
  • agent: IAM assume-role support + multi-instance parametrization (#386) (b82df52)
  • agent: move identical variables to global configuration (2b78254)
  • aks acr integration (#120) (e2237b6)
  • api-key: add custom_grants support for multi-NRN grants (#276) (ce70c59)
  • aws-backend: make backend module compliant with OpenTofu S3 backend docs (#238) (d494c20)
  • aws-eks: add private access to k8s API (7d971ad)
  • aws-vpc: disable public ip to EC2 (973f1bc)
  • azure/aks: enforce workload identity — hardcode oidc_issuer_enabled (#358) (e542032)
  • azure/cloud: support passing authentication credentials as variables (#381) (2313640)
  • azure: Add private DNS zone module (813cad3)
  • azure: Add private DNS zone module (#90) (5d4399e)
  • azure: AKS routing infra — aks_route_table module, vnet drift fix, security improvements (#360) (15c2372)
  • azure: unify variable names and update module conventions (41d4f3b)
  • azure: unify variable names and update module conventions (#162) (d8bccf1)
  • backend: add optional KMS encryption and IAM bucket policy (#246) (1af61bd)
  • base: add gateway_public_azure_load_balancer_subnet (#403) (b9b6f5e)
  • base: add gateway_public_load_balancer_type and fix public gateway name (#392) (116fc70)
  • base: security and nrn tags (#160) (2ad4b2f)
  • cert-manager: add aws support (858e346)
  • cert-manager: add Azure Workload Identity support (#272) (800249c)
  • chart: new version of charts (#122) (83a8b39)
  • ci: enable AI readme generator workflow (#203) (5ed8c84)
  • ci: integrate AI readme generation into Release Please workflow (#209) (5ea8de5)
  • cloud-dns: DNSSEC enabled by default for public zones (#393) (c2e606d)
  • commons/azure: Workload Identity for cert-manager and external-dns, with Service Principal fallback (#361) (f11896e)
  • container orchestration (#216) (1a87622)
  • customers-aws-image: update readme (f367a8f)
  • dns,ingress,iam: support disabling public-side resources (#364) (872efa1)
  • do not require org nrn (#261) (25d5a5b)
  • ecr: migrate IAM to infrastructure/aws/iam/ecr module (#372) (faa35b8)
  • edit readme (#222) (4f94816)
  • eks version (#270) (8bf801e)
  • eks: expose ami_release_version and use_latest_ami_release_version (#334) (1d88c1e)
  • eks: expose control plane logging configuration (#242) (322d3f6)
  • external-dns: resolve conflicts (4f71b63)
  • external_dns: add label_filter support for Route53 provider (#371) (0827191)
  • external_dns: support azure-private-dns provider (#369) (3a0ebf5)
  • externaldns: support multi external dns (#97) (3ddbd8e)
  • gcp: unify variable names and rename modules for consistency (3a619f8)
  • iam/agent: split agent role into agent + permissions roles (#397) (9df28f5)
  • iam: separate build workflow user from asset repositories + add S3 asset support (#402) (9ae9e09)
  • identity-access-control: add cloud-agnostic provider config module (#387) (ddcc212)
  • infra: add v1 to namespace external dns (ae35596)
  • infrastructure/aws/eks: expose encryption_config (backward-compatible) (#324) (f3294d6)
  • introduce api_key module for unified API key management (#155) (aded8a6)
  • istio: expose istiod_replicas to guarantee HA for node drains (#292) (05a081f)
  • nullplatform-base: update version (a872b6f)
  • nullplatform/asset/ecr: add configurable cross-account pull policy (#330) (6f4392f)
  • nullplatform/asset/ecr: add ecr:SetRepositoryPolicy to manager policy (#307) (a0520b5)
  • nullplatform/base: add per-provider log/metrics split and applicationLogs toggle (#362) (b6fb844)
  • nullplatform/cloud/aws/vpc: implement aws-networking-configuration provider config (#255) (3c3439b)
  • nullplatform/scope_definition: add extra_visible_to_nrns for org-wide sharing (#304) (b52d0f0)
  • nullplatform/scope_definition: expose scope_configuration_name_override (backward-compatible) (#328) (8ef0b0e)
  • OCI security list auto-management and namespace race condition fix (#197) (3d2a723)
  • oci test (#213) (33594c7)
  • oci: add support for oci (#146) (ffaa72d)
  • oci: cloud provider (#175) (bcdc2b5)
  • provider: add support for azure devops (#133) (e0125d9)
  • rename route53 to dns and add diagnose actions to scope definition (#215) (a40c98b)
  • scope_configuration: support icon (#348) (a4db9cf)
  • scope-definition-agent-association: add extra_filters support (#353) (0b0191f)
  • scope-definition: add description field to nullplatform_service_specification (#273) (f9ee6ea)
  • scope-definition: add optional scope configuration support (#254) (b585706)
  • scope: parameterize repository values (#110) (297c1a3)
  • security,eks: extract gateway SG rules into dedicated eks-gateway-rules module (#314) (bb5a1dd)
  • service definition and service association channel (#121) (44e6a8e)
  • service-definition: add local filesystem provider for spec loading (#278) (f24d7c9)
  • service: add support to gitlab (#249) (1d41de6)
  • support to different cni of oke (#250) (9905b57)
  • tofu: run fmt (371342b)
  • update nullplatform provider to >= 0.0.86 across all modules (#322) (6b5e5ce)
  • vpc: export security group IDs as output (#258) (7509399)

Bug Fixes

  • acm: fix logic (cafffea)
  • actions (#227) (1bff3ae)
  • add disclaimer for registration_enabled usage (ac1fd0a)
  • add missing description and type fields to module variables (#268) (36faf96)
  • add push release-please (#225) (1803560)
  • add terraform-docs step to release PR generation flow (#262) (5a35267)
  • add validation for virtual_network_links (76438d0)
  • agent: add permission to verifiedpermissions (7d2c50c)
  • agent: add permission to verifiedpermissions (#145) (369012e)
  • agent: move cross-variable validations to lifecycle preconditions (#341) (799f26c)
  • aks: add network contributor (0305ade)
  • aks: add network contributor (#114) (1542270)
  • alb-controller: fix sa to v1 (ab6f557)
  • alb-controller: fix sa to v1 (8a9d1d3)
  • api key lifecycle (#163) (beaa60f)
  • api key lifecycle (#165) (86fd93e)
  • api_key: add create_before_destroy to prevent service disruption (7efc3ed)
  • api_key: convert tuple to map in dynamic block for_each (#342) (1d38bba)
  • api_key: rename backend.tf to providers.tf and add version constraint (543b174)
  • api_key: replace concat with merge to produce map(string) for tags (#346) (9cf26ea)
  • api_key: use tomap and map(string) to satisfy for_each type constraint (#344) (bf02402)
  • aws-eks: fix name variable (2b178e1)
  • aws-region: use .name instead of .region attribute in aws_region data source (0d0912e)
  • aws-region: use .name instead of .region attribute in aws_region data source (#154) (7094878)
  • aws-security: resolve conflicts (34a4c27)
  • aws/cloud: allow to update attributes (#363) (f99f9a1)
  • azure-aks: add role to vnet (b40d33d)
  • azure-aks: principal_id variable (6e3d54c)
  • azure-aks: principal_id variable (6232bf0)
  • azure/vnet: relax azurerm provider constraint to ~> 4.0 (a4985ec)
  • base-gateways: add annotation to LB use subnet private (8e3b09e)
  • base: adding gateway name parameter (#139) (a47a299)
  • base: disabled webhook option (2496ba4)
  • base: remove dangerous helm release options (#302) (66cdd18)
  • base: update outputs to use input vars instead of removed modules (ac34128)
  • base: update version chart (0bc1fbd)
  • base: update version chart (#116) (26a1034)
  • base: update version helm chart (b8bec08)
  • cert manager: fix linter (#95) (260d4c2)
  • cert_manager,external_dns: move cross-variable validations to terraform_data preconditions (#315) (a213e35)
  • cert-manager-iam: fix allow hosted zone (e819f79)
  • cert-manager-iam: fix sa name & add private zone managed (5142697)
  • cert-manager: add helm options (7bd7b2c)
  • cert-manager: remove default to mandatory variables (351a7f9)
  • cert-manager: remove IRSA (6383227)
  • cert-manager: resolve conflicts (c6a3cb7)
  • chart-base: add istio gateway security groups (#143) (03fa7be)
  • ci: correct workflow reference path in tofu-test pipeline (0c97f44)
  • ci: pass secrets to readme-generator workflow (#207) (a99fa51)
  • ci: remove push trigger from tofu-test workflow (#205) (aef2384)
  • ci: restore git permissions after secondary checkout (#264) (a1d81a5)
  • ci: skip branch validation and commitlint for release-please branches (#300) (ce771a5)
  • ci: skip deleted modules in readme generation (#301) (5f74c38)
  • ci: update readme versions to release target and exclude root README (#211) (2b70f1b)
  • code_repository: remove access block and ignore_changes from all providers (#396) (4295a7f)
  • code-repository: fix version (c7a371b)
  • code-repository: fix version (eaa3117)
  • commitlint: disable body-max-line-length rule (3ed3244)
  • commons-external-dns: add switch to namespaces create (06852f7)
  • commons-external-dns: add switch to namespaces create (19cd4a6)
  • delete conflicting aws provider from backend module (#240) (aa6cb87)
  • disable readme version update temporarily (#192) (58072e7)
  • dns: ignore vpc changes on private_zone for cross-account assoc (#398) (772c201)
  • ecr: add cross-account pull and repository policy support (#384) (cf6431f)
  • ecr: remove read section, cross-account role, and fix setup.policy drift (#389) (8000c6b)
  • eks: add additional security group (2c44375)
  • eks: auth mode validation and s3 secure transport policy (#266) (3a96b54)
  • eks: disable node security group to avoid ALB controller conflict (#137) (8cbe80b)
  • eks: resolve Auto Mode compatibility issues (#167) (c58baea)
  • eks: segregate logic of node groups (0937b93)
  • external_dns: change default sources and policy (#282) (50e8cde)
  • external_dns: derive label_filter default from zone_type convention (#375) (09ec15b)
  • external_dns: move cross-variable validations to terraform_data preconditions (#310) (c4f010e)
  • external-dns-iam: add trust policy (4fc890f)
  • external-dns: add action external dns policy (4752701)
  • external-dns: add manage private zone (e0fbfff)
  • external-dns: add rbac (#141) (ea5c5bb)
  • external-dns: add rbac to manage dns endpoints (546876e)
  • external-dns: add source httproute (ba3b6fc)
  • external-dns: add source variable (aed8c25)
  • external-dns: delete namespace manifest (17b7495)
  • external-dns: fix external dns variable type (d44879c)
  • external-dns: fix external dns variable type (#128) (af26c59)
  • external-dns: fix name chart (b0c4d05)
  • external-dns: fix name chart (01852d9)
  • external-dns: fix rbac to dnsendpoint (1e26890)
  • external-dns: fix sources (fe50c75)
  • external-dns: move zone_type to variable (bd3ac1b)
  • external-dns: remove registry (73cf983)
  • external-dns: resolve conflicts (4c9a701)
  • external-dns: rollback name dns provider (16ecdd9)
  • external-dns: sa name (e0bdcb6)
  • external-dns: set default value (#126) (c652f64)
  • external-dns: single managed hosted zone (8dd9c20)
  • gcp: remove duplicate output and version files (4004729)
  • gke: add protection destroy as false (#102) (26f0788)
  • helm: add options to applies (987403a)
  • helm: add options to applies (b64a340)
  • iam-cert-manager: arn role (f9e27bd)
  • iam-cert-manager: arn role (e0e112c)
  • iam-cert-manager: arn role (65c5fb0)
  • iam-cert-manager: arn role (4ea5275)
  • iam-cert-manager: arn role (63959ac)
  • improve vpc variable descriptions for clarity (#194) (a165d43)
  • infra: fix namespace name (5f22a63)
  • infra: security hardening, DNS test fixes, WI docs and AVP revert (#295) (d5982fe)
  • istio subnet annotation (#327) (57c2495)
  • istio: add OCI LoadBalancer subnet annotation support (#317) (4427b61)
  • istio: wait for condition (8cbe4e1)
  • make virtual_network_links required without default (329f5a5)
  • nullplatform-asset-ecr: fix deprecated attribute name for region (ed29e76)
  • nullplatform-base: add security groups to gateways (2b72d60)
  • nullplatform/asset/ecr: correct invalid provider version constraint operator (#332) (8467496)
  • nullplatform/asset/ecr: remove unsupported dimensions variable (#308) (6caa947)
  • nullplatform/scope_definition: ignore_changes on action_specification icon (#350) (b895608)
  • nullplatform/scope_definition: ignore_changes on scope_type provider_type and status (#305) (895ced0)
  • nullplatform: add dimensions variable and eks balancer improvements (#290) (e38d07e)
  • nullplatform: rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (d23557a)
  • pipeline: fix reference (#176) (ac897ab)
  • private_dns: make virtual_network_links required and update example (c75b08f)
  • release: fix commit message (#131) (eb4e239)
  • release: fix commit message (#88) (5926b7b)
  • remove OCI configuration aliases and bump chart defaults (#184) (2e65a28)
  • remove provider (#285) (65a31b1)
  • remove provider (#287) (6cd6ef0)
  • remove usedBy tag from api_key notification channels (#183) (dbe2c9a)
  • rename agent API key to AGENT-ASSOCIATION with minimal permissions (#92) (1fb44b2)
  • rename api key to SCOPE_DEFINITION_AGENT_ASSOCIATION (#117) (1ed79ba)
  • replace agent helm release when API key rotates (b0ea1c9)
  • replace deprecated data.aws_region.current.name with .region (5e90e4a)
  • replace deprecated data.aws_region.current.name with .region (#201) (0ba762b)
  • replace notification channels when API key rotates (07d3e17)
  • route53: disable output acm (1dc1601)
  • route53: disabled ACM (413144d)
  • scope_configuration: remove icon attribute (not in nullplatform_provider_config schema) (#351) (35b3d93)
  • scope_definition_agent_association: add devops role to channel API key (dc92016)
  • scope_definition_agent_association: use ops role instead of devops (6012a4a)
  • scope: Add support for icon and annotations in service action spec definition (#82) (5c7c1bb)
  • scope: Fixing typo in annotation in scope definition module (#85) (75a0d48)
  • security,base: add health check toggle, ALB-to-pod rules, and gateway fixes (#230) (f60a1a5)
  • security: align provider version constraints with repo conventions (a47de86)
  • security: change gateway_port default from 8443 to 443 (#281) (6c5fc5c)
  • security: resolve cluster SG from data source instead of variable (#284) (a816f55)
  • security: use static var.cluster_name in count to avoid unknown at plan time (#338) (a2675f4)
  • service_definition_agent_association: remove telemetry from channel_sources default (#377) (876ad77)
  • service_definition: handle empty service_path for GitLab and cmdline (#400) (826e016)
  • service-definition: simplify link specifications to use only links/ directory (#149) (6db7d61)
  • tofu-modules: update variables & readme (8de37f1)
  • tofu: fmt (a9da839)
  • tofu: resolve conflicts (57ef623)
  • tofu: resolve conflicts (013628f)
  • trigger release (#150) (eaa6a66)
  • update to v0.15.0 and replace resource_group_name for parent_id (#53) (fe32430)
  • use configurable branch for notification channel template URL (#224) (825343d)

Reverts

Miscellaneous Chores

Code Refactoring

  • nullplatform/dimension: replace dimensions with parameterized single-dimension module (#354) (319d962)