All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
5.0.0 (2022-02-11)
- Starting with this release, internal authentication provider in Service Workbench will remain deprecated. Logging into Service Workbench using the legacy internal authentication route will not work.
- Resources owned by
internal
users need to be deactivated or their ownership needs to be transferred to native Cognito user pool/external IdP users. Users marked with aninternal
auth provider will need to be deactivated. Please follow the detailed instructions here for a smooth upgrade experience.
- add attributes for better logging (#897) (0a3ea5c)
- Allow CICD pipeline to have cognito permission for creating root user (#914) (93618cb)
- integ tests for auth change (#915) (86c6e19)
- Reduce scope of list users API for non admin users (#898) (1999b26)
- throw less descriptive errors (#895) (85ae1e2)
- user names update (#899) (89b9936)
4.3.1 (2022-02-01)
- Apply correct SWB version number by using properly formatted commit message (6b26e0a)
4.3.0 (2022-01-26)
- notify api returns internal error on malformed id (#885) (fa2550c)
- strengthen CSP headers for style (#880) (7e64ba4)
- temp perm changes for servicecatalog (#877) (fbff7c0)
- temp srevice catalog changes (#878) (e6804bf)
4.2.0 (2022-01-19)
Starting with the Service Workbench 4.2.0 release, the native Amazon Cognito user pool is the default authentication method, and is reflected accordingly on the application's login page (alongside your external SAML IdP integrations, if any).
Note: As a security enhancement, the internal authentication method used by Service Workbench (the legacy default authentication method) will soon be deprecated. For more information, read Using native Amazon Cognito user pool for authentication
- You will find the default (user-customizable) configurations determining the native Amazon Cognito user pool behavior in the
main/solution/post-deployment/config/settings/.defaults.yml
file. - If using native Amazon Cognito user pool, users can sign up for a user account, but can not access Service Workbench until they are approved by the application admin. The user addition experience on Service Workbench for native Amazon Cognito user pool is similar to that of an external IdP.
- A new admin user would be created in Service Workbench using the
rootUserEmail
value as provided by your stage configuration. A temporary password will be available in the installation summary necessary for logging the native admin user in for the first time. - You can still log in using the
internal
authentication method by adding the text/?internal
to your Service Workbench URL (for eg.https://<random_string>.cloudfront.net/?internal
).
- We suggest creating new users in native Amazon Cognito user pool (or an external IdP, if you use one) corresponding to their internal auth counterparts, and migrating resource permissions over to these new users.
- Implementation for Cognito Native Pool feature (#858) (44dd9a6).
- cypress login page for Cognito enabled (#859) (726b957)
4.1.3 (2022-01-06)
- Allow onboarding member account in non AppStream supported regions (#844) (93dc465)
- force securetransport traffic only for buckets with dynamic bucket policies (#832) (33a4346)
- unhandled workflow error (#852) (be127d7)
- update dependabot suggested libraries (#848) (7b4e7c6)
- use format instead of regex for email validN (#849) (640bef1)
4.1.2 (2021-12-27)
- Terminate preexistin Rstudio instances in launch-rstudio test (#830) (e44e77c)
- add key rotation (#834) (46bfa83)
- add kms permission to work with cicd pipeline (#836) (9ecd9ee)
- elb logging on (#843) (163b411)
- Update EMR release label for log4j vulnerability (#845) (8b93e11)
4.1.1 (2021-12-13)
- Add wait time for terminated RStudio instances in launch-rstudio-workspace test (#826) (ea93a8c)
- allow RStudio EC2 to initialize (#821) (5a3590a)
- Change build-image CLI argument to files (#825) (7506895)
- cidr port range check (#829) (dbfa431)
- delete verify linux tests from common folder (#822) (aff1d5c)
- EMR launch failure because of bucket policy (#824) (99bb319)
- terminate workspaces after e2e tests in non tre environment (#820) (bb9e457)
- Updates to RStudio Integration tests (#818) (eb879fe)
4.1.0 (2021-11-19)
-
Implementation for RstudioV2 (backed by ALB) feature (#807) (ed2e7dc). In this release, RStudio ALB workspace type is provided with the following new features:
- Compatibility with TRE (AppStream and Egress) features. See Prepare your account for AppStream.
- New input parameter ACMSSLCertARN has been introduced in the RStudio workspace type template. The template is created by the scripts provided in AWS partner’s repository. ACMSSLCertARN corresponds to the certificates of the custom domain present in the hosting account.
- The AmiID parameter value can be retrieved by creating a new AMI using the scripts provided in AWS partner’s repository.
- A common Application Load Balancer (ALB) has been provided in the hosting account. See Application load balancing for RStudio ALB workspace.
- Allows you to leverage the automatic certificate refresh feature from AWS Certificate Manager (ACM). As a result, you need not manually import the certificates into your main account ACM or hosting account ACM.
- Note: With this release, the support for legacy RStudio workspace type has been deprecated. Please terminate legacy RStudio environment instances, if you have any.
-
Add pending filter tab under AWS Accounts page (#786) (831da13)
-
Add user's email to JSON response of egress request (#771) (e3c6c22)
- Add WorkflowDraftId validation on backend (#777) (f240d81)
- default hosted zone in infra (#794) (0967129)
- default image builder update (#781) (6398830)
- enable versioning (#780) (380a938)
- hsts header (#790) (66f79f2)
- more secure traffic policy (#782) (9264b6a)
- moving advanced integ tests in non-TRE folder (#772) (b10f4b0)
- prevent duplicate hosted zone creation (#789) (ac72b90)
- remove custom domain condition infra cfn (#817) (33b53da)
- run TRE tests for develop merge (#802) (c6e04ca)
- sc portfolio deletion correction (#779) (6e4d67b)
- script permissions (#793) (5b404f0)
- update GH action to use custom domain (#791) (b2fdfcb)
4.0.2 (2021-10-19)
- add coverage for undef config case (#761) (a3f3f09)
- AppDeployer needs perms to create new env (#762) (fe75f8b)
- display unavailable after config deletion (#760) (9c1daa4)
4.0.1 (2021-10-15)
Notes: We recommend to apply this patch as soon as possible if you use CICD component
4.0.0 (2021-10-14)
Service Workbench is incrementing a major release version to bring attention to three new features.
The Service Workbench member account onboarding process is changed to be more in line with the Bring Your Own Bucket (BYOB) process. The general intent is that the process to onboard an account in support of hosting data should be the same as onboarding an account in support of hosting researcher workspace compute. Twelve points of context switching and manual data entry have been eliminated with the new process.
This change applies to all updated installations, and can be applied to those installations that have already onboarded member accounts.
To learn more about the new process, refer to the updated instructions in the Service Workbench Post Deployment guide.
Important Notes:
- If you have already onboarded a member account for your Service Workbench installation, and this account has active or stopped workspaces, the safest course would be to terminate all workspaces prior to the update. We did test a scenario with active and stopped workspaces and observed no impact during testing, but because this update is a major release, we recommend the safest course.
- After updating the member account, delete the old workspace types and import the new workspace types. This is needed because the old workspace types may not work correctly with Service Workbench 4.0.0.
- Any member accounts that were onboarded prior to this update will need to be updated through the Service Workbench user interface, and you will be prompted to do so when visiting the new “Accounts” page in Service Workbench. This update is necessary because there is a new capability that will check to see if the member and main account code versions are in sync, and provide a visual indicator if not, allowing you a clear indication of update.
Introduction of AppStream 2.0 as an access point for Service Workbench workspaces. With this enabled, researchers will not be able to egress the data from their Service Workbench workspaces to their client machine, and Service Workbench workspaces will not have access to the internet.
Core networking changes within the member account will move researcher workspaces to the private subnets, and the method of connecting to a researcher workspace changes. Restricting access by public IP is no longer available, and the layer of security per workspace that replaces IP restriction is outlined in connection instructions in the Service Workbench workspace UI.
This feature is disabled by default upon install. To enable this feature, change the feature flag isAppStreamEnabled
in the configuration file to true
.
Important Notes:
- Once this feature is enabled for a Service Workbench installation, it cannot be disabled without deleting the installation and reinstalling. This is because there are core networking changes for workspaces that cannot be reverted.
- If you have an existing installation without the feature flag enabled, and want to activate this feature flag, terminate all workspaces prior to activating the flag.
- AppStream service use does incur additional cost and we recommend you review the cost impact prior to configuring your AppStream fleet: https://aws.amazon.com/appstream2/pricing/
- Because the Service Workbench workspaces do not have internet connectivity, VPC endpoints are introduced for all AWS services that the workspaces use (such as S3, EC2, and AppStream).
- Significant updates to the post deployment configuration instructions when this feature is enabled are outlined here
As a compliment to the Secure Desktop functionality, this feature provides a mount point per workspace (that is only accessible from that workspace) for a researcher to stage data that they wish to take out of the Service Workbench installation. Once the data is put to this location (called the Egress Store), the researcher can choose the Submit Egress Request button and a message is generated to a SNS Topic (https://aws.amazon.com/sns/) containing the metadata for their egress request.
Like the Secure Desktop feature, this feature is also disabled by default upon install. To enable this feature, you must change the feature flag enableEgressStore
in the configuration file to true
. Note that this feature flag is independent from the Secure Desktop feature flag, but if it is activated by itself, there is nothing preventing the researcher from copying data to their local client (thus outside the egress store).
Important Notes:
- Currently, the message goes to the SNS topic - but there is not subscriber added to the topic. It is your responsibility to subscribe to the topic, and to act on the Egress Store data source with elevated permissions through the AWS Management Console.
- When this feature is enabled, the Bring Your Own Buckets (BYOB) data sources are only allowed to be read only. This is because a BYOB data source can live in a different AWS account (unlike MyStudy and Organizational Study that live in the main Service Workbench main account). Allowing write to a BYOB data source would be uncontrolled egress.
3.5.0 (2021-10-14)
- build ami version bug (#738) (a39b3b4)
- bypass develop protection when adding beta (#725) (fe4c0ff)
- downgrade node-ssh version to fix integ tests (#744) (f5ce251)
- integ test setup flakiness fix (#727) (65ea43d)
- namespace code works with configs with no namespace param (#717) (72c9fe3)
- Update libcurl-devel package for RStudio to correct version (#726) (04bb82c)
- version number before backend deployment (#724) (6d545dd)
3.4.0 (2021-09-16)
- display Configuration Name and Instance Type on Workspace details card (#669) (f0fa819)
- Pre-populate variable values in input section of new workspace configuration (#680) (8ce51b2)
- add label to stop timeout during e2e test (#688) (ff0b4cc)
- end2end test terminated existing ws (#685) (9c74ac7)
- github cypress setup (#686) (23f6d03)
- go bug during deployment is handled (#641) (4c21a30)
- no sagemaker autostop or EC2 stop lag (#703) (8cb199b)
- properly handle very long error messages on env update (#705) (d920abd)
- reset ForceLogout component upon relogin (#640) (5c2aaee)
- static namespace bug fix (#615) (bacb469)
- sync UI and API func (#709) (a188b3c)
- update int test readme to include adv test info (#634) (5453f5e)
3.3.1 (2021-07-26)
- application version number (#573) (fada154)
- Clear timer in ForceLogout.test.js to allow tests to end (#570) (4871e0f)
- Remove delete user feature from UI and handle study permissions which have stale users (#595) (8be3f90)
- Added details found needed while onboarding (#593) (d375785)
- IDP configuration guide (#569) (406c656)
3.3.0 (2021-06-25)
3.2.0 (2021-06-11)
- Add warning that internal authentication shouldn't be used in production (#506) (1586278)
- Encrypt s3 buckets for EMR log bucket and CICD Artifact bucket (#508) (e86fd06)
- study permissions only shown to Study Admin (#501) (f3eaae8)
- add termination status for non-found workspaces (#502) (8c30378)
- adds 'stopped' filter for workspaces (960b592)
- Allow sagemaker to have the proper IAM permission to autostop itself (#515) (32007ed)
- Corrected Spark defaults to fix read/write functionality from Spark (#526) (f96e1bd)
- Do not allow users to change root password (#503) (a436f73)
- moved notification boxes to avoid blocking the top ribbon. (#483) (5a226d7)
- react compilation error (#500) (547f2ad)
- Redirect non admin users to "/" if they try to access "/users" (#489) (ee3a58e)
3.1.0 (2021-05-10)
- Allow uploading a folder to My Studies (#475) (cb17d4b)
- Run coverage for merge commit (#458) (03afe0e)
- Test coverage (#456) (252b504)
- Fix BYOB app role to only modify FS roles (#454) (35f6cce)
- free-form strings for workspace configs (#479) (fca73f4)
- properly handle SC products with no active versions (#468) (3c561f4)
- Update workspace name reg exp and workspace config tags reg exp (#452) (f9b7d62)
- refactor: restricting AppDeployer permissions
- refactor: Remove permission boundary condition on launch constraint role
- refactor: restrict sc roles
Permissions boundaries are being added to the several important IAM roles used by Service Workbench as a security best practice.
Customer Impact: Below outlines the actions required for you to successfully adopt this security enhancement. The first two items are applicable to all customers. If you have created custom workspace types, then all three items below are applicable.
-
After running the update, onboard all hosting accounts once again to benefit from the enhanced security, and test the application. Note: The attached pdf contains steps for onboarding hosting accounts, contact your Service Workbench Administrator if you have not performed these steps before.
-
After running the update, import and use the newly available Service Catalog product versions for workspace types (latest version numbers) to benefit from the enhanced security.
-
ONLY Customers that have created custom workspace types: It is possible that the permissions boundaries would prevent actions that were formerly allowed. You should plan to validate your custom workspace types after the update. Issues should be addressed by modifying the custom workspaces to work within the permissions granted, or modify the permissions boundary for your installation (this would require a change to Service Workbench code (specifically the IAM policies that are attached as the permissions boundary) for your install). Note: Any existing custom or non-custom workspaces types (for example, EC2 Linux/Windows, EMR, SageMaker, R Studio) are not impacted by this upgrade.
- feat: Display SWB Version in UI's Top Bar
- fix: Fix cost dashboard bugs
- fix: Ensure sdk retry logic is enabled in prod
- docs: Readme updated
- fix: assume role on added member account
- fix: managing pnpm version for nodejs compatibility
- fix: adding required AppDeployer permissions
- chore: package dependency updates
- fix: added X-ray support and fix CWL IAM permissions
If you have been using CI/CD pipeline, please redeploy the pipeline stack to incorporate this fix by following the steps listed on the main/cicd/README.md
file.
- fix: managing AppDeployer role permission boundary
- fix: CW log resources corrected in backend CFN template
- refactor: restrict ApiHandler role permissions
- refactor: restrict WorkflowLoopRunner role permissions
- refactor: restrict CrossAcctExec role permissions
- chore: team email removed from feedback section in readme
- chore: updates to npm dependencies
If you have been using CI/CD pipeline, please redeploy the pipeline stack to incorporate this fix by following the steps listed on the main/cicd/README.md
file.
- chore: Enable SSE-S3 when registering buckets in BYOB
- refactor: restrict data source reachability Lambda role
- fix: Add 'reachable' and 'error' status to reachability check schema
- fix: added region parameter reference to elasticmapreduce bucket references
- fix: Upgraded react-dev-utils yarn dependency version
- feat: Added Bring Your Own Bucket(BYOB) functionality
- feat: Added integration testing for all APIs
- feat: Added OpenAPI documentation
- feat: Removed unused APIs- listWorkflowInstancesByStatus and createAuthenticationProviderConfig
- chore(deps): bump websocket-extensions from 0.1.3 to 0.1.4
- test: fix flaky integ tests
- fix: emr workspace image. Lock jupyterlab to version 2.2.6
- test: Implemented integration tests for service catalog workspaces
- feat: verbose integ test log
- fix: SageMaker environment status update
- fix: Validate Open Data ARNs
- test: Integration test components and framework
- chore: Dependency version bump
- fix: Added usernameInIdp property to update user schema
- fix: Made external researcher used UserOnboarding template less permissive
- fix: labeler yml syntax
- chore: add PR size labeler
We recommend to apply this patch as soon as possible
- feat: Adding ability to manage CIDR blocks of workspace's configured security group
Note:
- This feature has added permissions to the onboard-account template and requires re-onboarding existing member accounts. Please contact your system administrator for the same.
- For RStudio instances, please allow 2-5 minutes for CIDR changes to take effect.
- For SageMaker instances, currently application admins and workspace owners have ability to access the SageMaker platform directly, irrespective of CIDR inclusion.
- feat: Remove APIs for built-in workspaces
- fix: Fix a bug on the update user API
We recommend to apply this patch as soon as possible
- fix: Add tables back to cloudformation and don't authorize API Keys
We recommend to apply this patch as soon as possible
- fix: remove API Keys functionality
We recommend to apply this patch as soon as possible
- fix: open data scraper bugfix
- docs: improvements to deployment documentation
- fix: Upload Files button disappears for R/W users
- feat: install R3.6 and system packages required for dev
- fix: file not found error in download-env-config script
- test: Add github workflow for e2etest run
- feat: modify filter criteria for Open Data
- docs: delete dead links
- fix: changed RStudio server CSP headers to allow uploads from same-origin
- feat: Support Read/Write Study mounts for EC2 Windows
- fix: Fix a bug on the update study API
We recommend to apply this patch as soon as possible
- fix: Handling policy names for windows envs
- fix: Fix a bug on the create study API
We recommend to apply this patch as soon as possible
- feat: Study Read/Write and Permission propagation (Goofys)
- feat: Read/Only study mounts on AWS Service Catalog based EC2 Windows workspaces
- fix: Adding dependencies for Dynamo table creation to prevent install crash
- fix: Query string parameters were getting duplicated in the url
- feat: Pre-install git on RStudio workspaces
- chore: Create better env delete logs
- fix: Apply version name to products out of the box
- fix: changing rstudio check-idle logic
- fix: Cognito user pool domain name clashing issue
- fix(End to End test): When creating a workspace, select project by class item
- fix: Sagemaker instances respect CIDR blocks that are provided to the instance
- For existing service workbench deployments you will need to import Sagemaker as a workspace type again to mitigate the risk of exposing workspaces to all IPs
- Existing Sagemaker workspaces will continue to have this issue
- feat: manual stop and start functionality for EC2 Linux, EC2 Windows, RStudio and Sagemaker workspaces
- feat: auto stop functionality for SageMaker and RStudio workspaces
- bugfix: outdated lock file
- doc: update deployment and post-deployment documentation
- feat: user id change. We will be using a uid going forward as a user identity
- feat(backend): Also allow UPLOAD access for users with write access
- bugfix: rethrow unknown exceptions
- bugfix: rstudio connection fix, removing appsteam
- bugfix: metaconnection check for rstudio
- Add budget integration - Admin users can set up budget and alert notifications for AWS member accounts on-boarded with Service Workbench
- Adding RStudio Service Catalog product - Users can now use RStudio in Service Catalog
- Bug fix for Service Catalog product artifact creation (occurs when CfN template is edited in-place)
- Initial launch! 🚀