
1.4.0

@EreminAnton EreminAnton released this 09 Jul 07:35
· 26 commits to main since this release

This release contains a cycle bug. Please use the next 1.4.1 tag.

Breaking Changes!

Build

Before this release, there were two ways to build zip files for Elevator lambdas:

  • Locally using the local environment
  • Locally using Docker build

Building zips locally without Docker created many problems with Python environments, where an incorrect Python version could break the build. In this release, we decided to remove the ability to use the local environment entirely.

Now, with every release, a GitHub CI will be triggered that pre-builds requester and revoker lambda Docker images and pushes them to FivexL's private ECR. Users will be able to pull these pre-built Docker images to build lambdas.

ECR is private for the following reasons:

  • AWS Lambda can't use any other source of images except ECR.
  • AWS Lambda can't use public ECR.
  • AWS Lambda doesn't support pulling container images from Amazon ECR using a pull-through cache rule (so we can't create a private repo on the user side to pull images from the GHCR, for example).

The private ECR created by FivexL is accessible only for the read-only actions necessary to pull images by the lambdas. Images and repositories are replicated in every region that AWS SSO supports.

Conclusion:
Now there are only two ways to build an SSO elevator:

  • By using pre-created images pulled from ECR (Default)
  • By using Docker build to build images locally. (To use this method, provide the module with the following variable: use_pre_created_image = false)

There is also the ability to host ECR yourself. To do so, you would need to provide SSO Elevator with the following two variables:

ecr_repo_name = "example_repo_name"
ecr_owner_account_id = <example_account_id>

The elevator will then try to pull images from your private ECR repo.

API

After updating the module, you can find the API URL in the output of the module. Please don't forget to update the Slack App manifest with the new URL.

In previous releases, the terraform-aws-sso-elevator module was triggering the lambda-1 SecurityHub control. This happened because, by default, when creating the aws_lambda_function_url resource, the Terraform provider would create a FunctionURLAllowPublicAccess resource-based policy for the lambda on your behalf (but would not delete it when the resource was destroyed; more information can be found here).

To address the SecurityHub control alert, we decided to migrate to using API Gateway. Now the module will create and use API Gateway by default. The lambda URL is now deprecated, and the ability to use it will be removed in future releases. If you need to continue using the lambda URL, provide the module with the following variable:

use_deprecated_lambda_url = true

Due to the issue in the Terraform provider, if you migrate to API Gateway from using the Lambda URL, you will still have problems with SecurityHub, because the Terraform provider only creates the policy and will not delete it on your behalf. To fix the SecurityHub issue, go to the AWS Console where your SSO Elevator is deployed, navigate to Lambda service/configuration/permissions/Resource-based policy statements, and delete the FunctionURLAllowPublicAccess policy statement.
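The console steps above can also be done with boto3. The following is an added example, not code from the sso-elevator module: it parses the response of the Lambda `get_policy` call, reports any statement that lets an anonymous principal call the function URL, and removes it with `remove_permission`. The sample response, account id and function name are constructed placeholders.

```python
import json

PUBLIC_URL_ACTION = "lambda:InvokeFunctionUrl"


def _is_wildcard_principal(principal) -> bool:
    # Principal may be the string "*" or {"AWS": "*"} (possibly in a list).
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)


def public_function_url_statement_ids(get_policy_response: dict) -> list:
    """Sids of Allow statements that let any principal call the function URL."""
    # get_policy returns the policy document as a JSON string in "Policy".
    statements = json.loads(get_policy_response["Policy"]).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]
    found = []
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and PUBLIC_URL_ACTION in actions
                and _is_wildcard_principal(stmt.get("Principal"))):
            found.append(stmt.get("Sid", ""))
    return found


def remove_public_url_statements(function_name: str, region: str) -> list:
    """Delete every public function-URL statement; returns the removed Sids."""
    import boto3  # imported lazily so the parsing logic runs without AWS access
    client = boto3.client("lambda", region_name=region)
    try:
        response = client.get_policy(FunctionName=function_name)
    except client.exceptions.ResourceNotFoundException:
        return []  # no resource-based policy at all, nothing to clean up
    sids = public_function_url_statement_ids(response)
    for sid in sids:
        client.remove_permission(FunctionName=function_name, StatementId=sid)
    return sids


# Constructed sample get_policy response shaped like the statement the provider
# leaves behind; account id and function name are placeholders.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:sso-elevator-requester"
SAMPLE_GET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    {"Sid": "AllowAPIGatewayInvoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"}, "Resource": FUNCTION_ARN}]})}
```

Run `remove_public_url_statements("<your-requester-function>", "<region>")` once per Elevator lambda (requester and revoker) in the account where the module is deployed; the API Gateway invoke statement is left untouched.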

Other

  • Updated documentation to address module changes.
  • Documentation changes by pre-commit terraform-doc hook.
  • Small typo fixes by code-spell hook.
  • Updated dependencies by Dependabot.
  • Updated S3 object upload to use server-side encryption.
  • Using baseline-s3 module to standardize and simplify configuration management of the S3 audit bucket. Now the bucket forces uploaded objects to be encrypted by default. More information about the baseline bucket can be found here: terraform-aws-account-baseline.
  • FMT.
  • Renaming of EventBridge and IAM resources to follow naming conventions, which will cause resource recreation:
    • sso_elevator_check_on_inconsistency to sso-elevator-check-on-inconsistency
    • sso_elevator_scheduled_revocation to sso-elevator-scheduled-revocation
    • event-bridge-role-for-sso-elevator to sso-elevator-event-bridge-role

Full Changelog: 1.3.1...1.4.0