v2.2.1

docs: fix ARN typo @kpankonen (#66)

## what

fixes a few typos in the comments: ARM -> ARN

🤖 Automatic Updates

chore(deps): bump the go_modules group in /test/src with 2 updates @[dependabot[bot]](https://github.com/apps/dependabot) (#60)

Bumps the go_modules group in /test/src with 2 updates: [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) and google.golang.org/protobuf.

Updates github.com/hashicorp/go-getter from 1.7.4 to 1.7.5

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.5

What's Changed

• Prevent Git Config Alteration on Git Update by @​dduzgun-security in hashicorp/go-getter#497

New Contributors

• @​dduzgun-security made their first contribution in hashicorp/go-getter#497

Full Changelog: hashicorp/go-getter@v1.7.4...v1.7.5

Commits

• 5a63fd9 Merge pull request #497 from hashicorp/fix-git-update
• 5b7ec5f fetch tags on update and fix tests
• 9906874 recreate git config during update to prevent config alteration
• See full diff in compare view

Updates google.golang.org/protobuf from 1.30.0 to 1.33.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Migrate new test account @osterman (#62)

## what - Update `.github/settings.yml` - Update `.github/chatops.yml` files

why

• Re-apply .github/settings.yml from org level to get terratest environment
• Migrate to new test account

References

• DEV-388 Automate clean up of test account in new organization
• DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
• DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#61)

## what - Update `.github/settings.yml` - Drop `.github/auto-release.yml` files

why

• Re-apply .github/settings.yml from org level
• Use organization level auto-release settings

references

• DEV-1242 Add protected tags with Repository Rulesets on GitHub

chore(deps): bump the go_modules group across 1 directory with 4 updates @[dependabot[bot]](https://github.com/apps/dependabot) (#59)

Bumps the go_modules group with 3 updates in the /test/src directory: [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter), [golang.org/x/net](https://github.com/golang/net) and [google.golang.org/grpc](https://github.com/grpc/grpc-go).

Updates github.com/hashicorp/go-getter from 1.7.1 to 1.7.4

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.4

What's Changed

• Escape user-provided strings in git commands hashicorp/go-getter#483
• Fixed a bug in .netrc handling if the file does not exist hashicorp/go-getter#433

Full Changelog: hashicorp/go-getter@v1.7.3...v1.7.4

v1.7.3

What's Changed

• SEC-090: Automated trusted workflow pinning (2023-04-21) by @​hashicorp-tsccr in hashicorp/go-getter#432
• SEC-090: Automated trusted workflow pinning (2023-09-11) by @​hashicorp-tsccr in hashicorp/go-getter#454
• SEC-090: Automated trusted workflow pinning (2023-09-18) by @​hashicorp-tsccr in hashicorp/go-getter#458
• don't change GIT_SSH_COMMAND when there is no sshKeyFile by @​jbardin in hashicorp/go-getter#459

New Contributors

• @​hashicorp-tsccr made their first contribution in hashicorp/go-getter#432

Full Changelog: hashicorp/go-getter@v1.7.2...v1.7.3

v1.7.2

What's Changed

• Don't override GIT_SSH_COMMAND when not needed by @​nl-brett-stime hashicorp/go-getter#300

Full Changelog: hashicorp/go-getter@v1.7.1...v1.7.2

Commits

• 268c11c escape user provide string to git (#483)
• 975961f Merge pull request #433 from adrian-bl/netrc-fix
• 0298a22 Merge pull request #459 from hashicorp/jbardin/setup-git-env
• c70d9c9 don't change GIT_SSH_COMMAND if there's no keyfile
• 3d5770f Merge pull request

v2.2.0

🚀 Enhancements

add managed_policy_arns to eks iam role @finchr (#58)

what

Add support for adding managed policies to the eks iam role.

why

The module currently only allows a single policy json and we have multiple iam polices that we need to attach to the role.

references

• Closes #57
• Duplicate of #55
• Closes #41

🤖 Automatic Updates

Update release workflow to allow pull-requests: write @osterman (#56)

what

• Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

• So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#54)

what

• Update workflows (.github/workflows) to use shared workflows from .github repo

why

• Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#52)

what

• Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

• The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#51)

what

• Update workflows (.github/workflows/settings.yaml)

why

• Support new readme generation workflow.
• Generate banners

Bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/src @dependabot (#49)

Bumps golang.org/x/net from 0.17.0 to 0.23.0.

Commits

• c48da13 http2: fix TestServerContinuationFlood flakes
• 762b58d http2: fix tipos in comment
• ba87210 http2: close connections when receiving too many headers
• ebc8168 all: fix some typos
• 3678185 http2: make TestCanonicalHeaderCacheGrowth faster
• 448c44f http2: remove clientTester
• c7877ac http2: convert the remaining clientTester tests to testClientConn
• d8870b0 http2: use synthetic time in TestIdleConnTimeout
• d73acff http2: only set up deadline when Server.IdleTimeout is positive
• 89f602b http2: validate client/outgoing trailers
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#48)

what

• Install latest GitHub Action Workflows

why

• Use shared workflows from cldouposse/.github repository
• Simplify management of workflows from centralized hub of configuration

Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test/src @dependabot (#47)

Bumps golang.org/x/net from 0.7.0 to 0.17.0.

Commits

• b225e7c http2: limit maximum handler goroutines to MaxConcurrentStreams
• 88194ad go.mod: update golang.org/x dependencies
• 2b60a61 quic: fix several bugs in flow control accounting
• 73d82ef quic: handle DATA_BLOCKED frames
• 5d5a036 quic: handle streams moving from the data queue to the meta queue
• 350aad2 quic: correctly extend peer's flow control window after MAX_DATA
• 21814e7 quic: validate connection id transport parameters
• a600b35 quic: avoid redundant MAX_DATA updates
• ea63359 http2: check stream body is present on read timeout
• ddd8598 quic: version negotiation
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless...

v2.1.1

🚀 Enhancements

Do not validate inputs when disabled @Nuru (#37)

what

• Replace variable validations with precondition

why

• Variable validation cannot take other variables into account. With precondition, we can allow invalid inputs when the module is disabled.

references

• Supersedes and closes #35

v2.1.0

• No changes

v2.0.0 IRSA trust policy now checks OIDC Audience

Require correct OIDC Audience value to assume role @Nuru (#33)

Breaking Changes

• If namespace and service account are supplied only in service_account_namespace_name_list then the IAM Role name will be derived from the first entry in the list, instead of ending with "all@all"
• If one of service_account_namespace or service_account_name is supplied and the other is not or is empty (""), the missing element will be replaced with a wildcard (*)
• Either or both of service_account_namespace or service_account_name can now be explicitly set to "*" or contain wildcards
• Removed service_account_list_qualifier (invalid/unnecessary)

what

• Created IAM Role's trust policy now includes a check for OIDC aud
• If the generated service account IAM Role Name would be too long, it is now truncated by null-label
• See "Breaking Changes" above
• Terraform minimum version bumped to 1.0.0
• AWS Provider minimum version bumped to 3.0

why

• Extra security, preventing ODIC assertions for one audience being used for another
• Fix rather than break due to too-long IAM Role names
• Role names must be unique, and using "all@all" would limit the cluster to a single multi-namespace role
• "ForAllValues" and "ForAnyValues" are for multi-valued keys. The OIDC keys have single values.

references

• Troubleshooting OIDC and IRSA
• IAM conditions with multiple values

Sync github @max-lobur (#32)

Rebuild github dir from the template

v1.3.0

• No changes

v1.2.0

Feature: Namespace and Name List @Benbentwo (#31)

what

• supports a list of any or all value list

why

• Allows multiple various namespace and name patterns that couldn't be matched except with a singular *:*

v1.1.0

feat(aws-eks-iam-role): add permissions_boundary to eks-iam-role @topikachu (#29)

what

• add permissions_boundary to aws_iam_role

why

• Our org requires all IAM role has permissions_boundary

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#permissions_boundary

git.io->cloudposse.tools update @dylanbannon (#28)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

• DEV-143

v1.0.0 Disruptive change

This is the first release with production Semantic Versioning, part of Cloud Posse's general policy to convert to production versioning as we make updates to relatively mature modules.

It contains a disruptive change. See #27 for details, but the short story is that applying this update will likely cause Terraform to delete and re-create the EKS IAM role. This may cause a transient disruption in service, but it should be within the normal tolerance for delays in recovering from an expired session.

More significantly, if you have attached additional policies to the role created by this module, those policies will need to be re-attached to the re-created role. (We expect that very few people are actually doing this.)

Refactor enable logic to use counts instead of `for_each` @elventear (#27)

what

Use count instead of for_each to manage if a resource is enabled or disabled.

why

If any element of the service account name is not known at plan time, for_each would cause the plan to fail.

The main advantage of for_each over count is stability when an item in a list is added or removed or the order of elements in a list changes. With for_each, only the changed item is affected, while with count other items can be affected by being moved to a different position in the list. This advantage is not applicable to this module because there is always only one item.

note

This change will cause the IAM role to be deleted and recreated. If you have attached policies to the role outside of this module, you will need to reattach them.

v0.11.1

🚀 Enhancements

Add validation to oidc issuer url @nitrocode (#24)

what

• Add validation to oidc issuer url

why

• Make sure the value of the eks oidc issuer url is non null. This prevents creation of an unadsumable eks iam role.

references

• https://github.com/cloudposse/terraform-aws-helm-release is affected if the iam role is enabled but the eks oidc url is left with the default null value