Merge branch 'main' into chore/github-runners/allow-refreshing

CHANGELOG.md

@@ -1,5 +1,148 @@
 # CHANGELOG
 
+## 1.523.1
+
+
+
+<details>
+  <summary>feat(elasticache-redis): add snapshot retention limit @nitrocode (#1171)</summary>
+## what
+
+<!--
+- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
+- Use bullet points to be concise and to the point.
+-->
+- add snapshot retention limit
+
+## why
+
+<!--
+- Provide the justifications for the changes (e.g. business case).
+- Describe why these changes were made (e.g. why do these commits fix the problem?)
+- Use bullet points to be concise and to the point.
+-->
+- Resolves [ElastiCache.1](https://docs.aws.amazon.com/securityhub/latest/userguide/elasticache-controls.html#elasticache-1) (ElastiCache (Redis OSS) clusters should have automatic backups enabled) securityhub control by giving the ability to set this value to a number greater than 0
+
+## references
+
+<!--
+- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
+- Use `closes #123`, if this PR closes a GitHub issue `#123`
+-->
+- Default is 0 https://github.com/cloudposse/terraform-aws-elasticache-redis/blob/9104d9a6a120ae9c90f59c5eb4ea711cc2d2c6bb/variables.tf#L223-L227
+- Module received the feature 5 years ago so no need to update the module version https://github.com/cloudposse/terraform-aws-elasticache-redis/pull/45
+- Related PR #1170 which upgrades the module
+</details>
+
+
+## 🤖 Automatic Updates
+
+<details>
+  <summary>Update Changelog for `1.523.0` @github-actions (#1174)</summary>
+Update Changelog for [`1.523.0`](https://github.com/cloudposse/terraform-aws-components/releases/tag/1.523.0)
+</details>
+
+
+
+## 1.523.0
+
+
+
+<details>
+  <summary>feat: Support `enabled` flag for EKS Storage Classes @milldr (#1173)</summary>
+## what
+- Add support for enabled flag in storage class variables
+
+## why
+- Create option to disable a given storage-class if it's include in an imported default component catalog
+
+## references
+- n/a
+</details>
+
+
+
+## 1.517.1
+
+
+
+<details>
+  <summary>feat: Add cross_origin_auth variable to auth0_client @wavemoran (#1149)</summary>
+## what
+
+- Adds the `cross_origin_auth` variable to the `auth0_client` resource
+
+## why
+
+- Variable to allow cross-origin auth requests which is useful in CORS-heavy setups
+
+## references
+
+- https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client#cross_origin_auth
+
+</details>
+
+
+## 🤖 Automatic Updates
+
+<details>
+  <summary>Update Changelog for `1.517.0` @github-actions (#1153)</summary>
+Update Changelog for [`1.517.0`](https://github.com/cloudposse/terraform-aws-components/releases/tag/1.517.0)
+</details>
+
+
+
+## 1.517.0
+
+
+
+<details>
+  <summary>feat: add additional github repository options for argocd @RoseSecurity (#1143)</summary>
+## what
+
+- Add additional granular controls for ArgoCD repositories by supporting commit signing requirements and branch protection rules
+
+## why
+
+- Add more flexibility and security into the existing Argo repo
+
+## testing
+
+- [X] This contribution is actively deployed within our downstream component library
+
+</details>
+
+<details>
+  <summary>Update Changelog for `1.512.0` @github-actions (#1142)</summary>
+Update Changelog for [`1.512.0`](https://github.com/cloudposse/terraform-aws-components/releases/tag/1.512.0)
+</details>
+
+
+
+## 1.512.0
+
+
+
+<details>
+  <summary>Upstream `RunsOn` @Benbentwo (#1141)</summary>
+## what
+
+- RunsOn Component and how to setup TGW Connnections
+
+## why
+
+ - RunsOn simplifies the Github Action Runner setup
+
+
+</details>
+
+<details>
+  <summary>Update Changelog for `1.511.0` @github-actions (#1140)</summary>
+Update Changelog for [`1.511.0`](https://github.com/cloudposse/terraform-aws-components/releases/tag/1.511.0)
+</details>
+
+
+
 ## 1.511.0
 
 

modules/argocd-repo/main.tf

@@ -51,6 +51,8 @@ resource "github_repository" "default" {
 
   visibility           = "private"
   vulnerability_alerts = var.vulnerability_alerts_enabled
+
+  web_commit_signoff_required = var.web_commit_signoff_required
 }
 
 resource "github_branch_default" "default" {
@@ -87,6 +89,7 @@ resource "github_branch_protection" "default" {
   }
 
   restrict_pushes {
+    blocks_creations = var.restrict_pushes_blocks_creations
     push_allowances = var.push_restrictions_enabled ? [
       join("", data.github_user.automation_user[*].node_id),
     ] : []

modules/argocd-repo/variables.tf

@@ -157,6 +157,12 @@ variable "vulnerability_alerts_enabled" {
   default     = false
 }
 
+variable "restrict_pushes_blocks_creations" {
+  type        = bool
+  description = "Setting this to `false` allows people, teams, or apps to create new branches matching this rule"
+  default     = true
+}
+
 variable "slack_notifications_channel" {
   type        = string
   default     = ""
@@ -185,3 +191,9 @@ variable "github_notifications" {
     The default value given uses the same notification template names as defined in the `eks/argocd` component. If want to add additional notifications, include any existing notifications from this list that you want to keep in addition.
   EOT
 }
+
+variable "web_commit_signoff_required" {
+  type        = bool
+  description = "Require contributors to sign off on web-based commits"
+  default     = false
+}

modules/auth0/app/README.md

@@ -104,6 +104,7 @@ components:
 | <a name="input_authentication_method"></a> [authentication\_method](#input\_authentication\_method) | The authentication method for the client credentials | `string` | `"client_secret_post"` | no |
 | <a name="input_callbacks"></a> [callbacks](#input\_callbacks) | Allowed Callback URLs | `list(string)` | `[]` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
+| <a name="input_cross_origin_auth"></a> [cross\_origin\_auth](#input\_cross\_origin\_auth) | Whether this client can be used to make cross-origin authentication requests (true) or it is not allowed to make such requests (false). | `bool` | `false` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |

modules/auth0/app/main.tf

@@ -20,11 +20,12 @@ resource "auth0_client" "this" {
     alg                 = var.jwt_alg
   }
 
-  callbacks       = var.callbacks
-  allowed_origins = var.allowed_origins
-  web_origins     = var.web_origins
-  grant_types     = var.grant_types
-  logo_uri        = var.logo_uri
+  callbacks         = var.callbacks
+  cross_origin_auth = var.cross_origin_auth
+  allowed_origins   = var.allowed_origins
+  web_origins       = var.web_origins
+  grant_types       = var.grant_types
+  logo_uri          = var.logo_uri
 
 }
 

modules/auth0/app/variables.tf

@@ -9,6 +9,12 @@ variable "callbacks" {
   default     = []
 }
 
+variable "cross_origin_auth" {
+  type        = bool
+  description = "Whether this client can be used to make cross-origin authentication requests (true) or it is not allowed to make such requests (false)."
+  default     = false
+}
+
 variable "allowed_origins" {
   type        = list(string)
   description = "Allowed Origins"

modules/dns-delegated/README.md

@@ -7,17 +7,34 @@ tags:
 
 # Component: `dns-delegated`
 
-This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS
+This component is responsible for provisioning a DNS zone which manages subdomains delegated from a DNS zone in the primary DNS
 account. The primary DNS zone is expected to already be provisioned via
 [the `dns-primary` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary).
 
+If you are deploying a root zone (e.g `example.com`) rather than a subdomain delegated from a root zone (e.g `prod.example.com`),
+and only a single account needs to manage or update the zone you are deploying, then you should use `dns-primary` instead to deploy 
+that root zone into the target account. See 
+[Why not use dns-delegated for all vanity domains?](https://docs.cloudposse.com/layers/network/faq/#why-not-use-dns-delegated-for-all-vanity-domains)
+for more details on that.
+
 This component also provisions a wildcard ACM certificate for the given subdomain.
 
+This component should only be deployed globally, which is to say once per account. See 
+[Why should the dns-delegated component be deployed globally rather than regionally?](https://docs.cloudposse.com/layers/network/faq/#why-should-the-dns-delegated-component-be-deployed-globally-rather-than-regionally)
+for details on why. 
+
+Note that once you delegate a subdomain (e.g. `prod.example.com`) to an account, that 
+account can deploy multiple levels of sub-subdomains (e.g. `api.use1.prod.example.com`) without further configuration,
+although you will need to create additional TLS certificates, as the wildcard in a wildcard TLS certificate
+only matches a single level. You can use [our `acm` component](https://github.com/cloudposse/terraform-aws-components/tree/readme-global-only/modules/acm)
+for that.
+
 ## Usage
 
-**Stack Level**: Global or Regional
+**Stack Level**: Global
+
 
-Here's an example snippet for how to use this component. Use this component in global or regional stacks for any
+Here's an example snippet for how to use this component. Use this component in global stacks for any
 accounts where you host services that need DNS records on a given subdomain (e.g. delegated zone) of the root domain
 (e.g. primary zone).
 
@@ -243,5 +260,10 @@ Takeaway
 
 - [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-delegated) -
   Cloud Posse's upstream component
+- [The `dns-primary` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary).
+- [The `acm` component](https://github.com/cloudposse/terraform-aws-components/tree/readme-global-only/modules/acm)
+component for that.
+- [Why not use dns-delegated for all vanity domains?](https://docs.cloudposse.com/layers/network/faq/#why-not-use-dns-delegated-for-all-vanity-domains)
+- [Why should the dns-delegated component be deployed globally rather than regionally?](https://docs.cloudposse.com/layers/network/faq/#why-should-the-dns-delegated-component-be-deployed-globally-rather-than-regionally)
 
 [<img src="https://cloudposse.com/logo-300x69.svg" height="32" align="right"/>](https://cpco.io/component)