Releases: guardian/cdk
v61.8.1
v61.8.0
Minor Changes
- 0cc9129: Addition of slow start mode support for `GuEc2AppExperimental`.

  We recommend enabling this setting if you run a high-traffic service, particularly if it is JVM-based.
v61.7.0
Minor Changes
- d1ee03a: feat(GuEc2App): Replace `enabledDetailedInstanceMonitoring` optional property with mandatory `instanceMetricGranularity` property

  Specifying how an ASG service should be monitored is now explicitly required.
  When detailed monitoring is enabled, EC2 metrics are produced at a higher granularity of one minute (default is five minutes).
  This should allow for earlier horizontal scaling and provide more detail during incident triage.

  This change will cost roughly $3 per instance per month.
  We'd recommend using detailed monitoring for production environments.

  See also:
v61.6.0
v61.5.2
v61.5.1
v61.5.0
Minor Changes
Removes `GuWazuhAccess` security group as Wazuh has been deprecated (#2561).
This change will remove a resource of logical ID `WazuhSecurityGroup` from stacks that use a `GuAutoScalingGroup`.
The snapshot diff will include the removal of the following resource:
```json
{
  "Resources": {
    "WazuhSecurityGroup": {
      "Properties": {
        "GroupDescription": "Allow outbound traffic from wazuh agent to manager",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Wazuh event logging",
            "FromPort": 1514,
            "IpProtocol": "tcp",
            "ToPort": 1514
          },
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Wazuh agent registration",
            "FromPort": 1515,
            "IpProtocol": "tcp",
            "ToPort": 1515
          }
        ],
        "Type": "AWS::EC2::SecurityGroup"
      }
    }
  }
}
```
How to update to this version
This version of `@guardian/cdk` detaches the `WazuhSecurityGroup` security group from any autoscaling group and deletes it in one step.
When using Riff-Raff's autoscaling deployment type, upgrading needs to be performed in two steps, across two independent pull requests.
If we do not, Riff-Raff will fail with an error similar to:
```
WazuhSecurityGroup(AWS::EC2::SecurityGroup}: DELETE_FAILED resource sg-1234 has a dependent object (Service: Ec2, Status Code: 400) (SDK Attempt Count: 1)
```
- For the first pull request, we'll detach the `WazuhSecurityGroup` security group from the autoscaling group.

  In this step, we detach the `WazuhSecurityGroup` security group from the autoscaling group by upgrading to `v61.5.0` and temporarily recreate `WazuhSecurityGroup` as a resource in the CloudFormation stack:

  ```typescript
  import { SecurityGroup } from "aws-cdk-lib/aws-ec2";

  declare const myApp: GuEc2App;
  const { vpc } = myApp;

  // A temporary security group with a fixed logical ID, replicating the one removed from GuCDK v61.5.0.
  const tempSecurityGroup = new SecurityGroup(this, "WazuhSecurityGroup", {
    vpc,
    // Must keep the same description, else CloudFormation will try to replace the security group
    // See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroup.html#cfn-ec2-securitygroup-groupdescription.
    description: "Allow outbound traffic from wazuh agent to manager",
  });

  this.overrideLogicalId(tempSecurityGroup, {
    logicalId: "WazuhSecurityGroup",
    reason: "Part one of updating to GuCDK 61.5.0+ whilst using Riff-Raff's ASG deployment type",
  });
  ```

- For the second pull request, we'll remove the `WazuhSecurityGroup` security group.

  Now that the security group is unused, we can remove it from the stack by deleting the `tempSecurityGroup` variable created above.
Note
- We've opted against issuing a release for each of these steps as most projects upgrade to the latest version.
- The new deployment mechanism offered by `GuEc2AppExperimental` does not need this workaround as CloudFormation works out the dependency tree itself.
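Before merging the second pull request it helps to confirm that nothing in the synthesized template still refers to `WazuhSecurityGroup`. The following is an added example, not part of `@guardian/cdk`: it walks a CloudFormation template and lists every `Ref`, `Fn::GetAtt` or `DependsOn` that names a logical ID. The sample templates and the logical IDs `LaunchTemplate` and `AppSecurityGroup` are constructed, and the check covers the template only, not instances that are still running.

```typescript
// Added example; not part of @guardian/cdk. Both sample templates are constructed.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// True when an intrinsic-function or DependsOn entry names `logicalId`.
function pointsAt(key: string, value: Json, logicalId: string): boolean {
  if (key === "Ref") return value === logicalId;
  if (key === "Fn::GetAtt") {
    // Both forms are valid: ["Id", "Attr"] and "Id.Attr".
    const target = Array.isArray(value) ? value[0] : String(value).split(".")[0];
    return target === logicalId;
  }
  if (key === "DependsOn") {
    const deps: Json[] = Array.isArray(value) ? value : [value];
    return deps.some((dep) => dep === logicalId);
  }
  return false;
}

// Walk the template and return the JSON path of every reference to `logicalId`.
function findReferences(node: Json, logicalId: string, path: string = "$"): string[] {
  if (node === null || typeof node !== "object") return [];
  const hits: string[] = [];
  if (Array.isArray(node)) {
    node.forEach((child, i) => hits.push(...findReferences(child, logicalId, `${path}[${i}]`)));
    return hits;
  }
  for (const [key, value] of Object.entries(node)) {
    if (pointsAt(key, value, logicalId)) hits.push(`${path}.${key}`);
    else hits.push(...findReferences(value, logicalId, `${path}.${key}`));
  }
  return hits;
}

// Constructed template; "LaunchTemplate" and "AppSecurityGroup" are hypothetical logical IDs.
function sampleTemplate(attachedGroup: string): Json {
  return {
    Resources: {
      WazuhSecurityGroup: { Type: "AWS::EC2::SecurityGroup" },
      LaunchTemplate: {
        Type: "AWS::EC2::LaunchTemplate",
        Properties: {
          LaunchTemplateData: { SecurityGroupIds: [{ "Fn::GetAtt": [attachedGroup, "GroupId"] }] },
        },
      },
    },
  };
}

const beforeUpgrade = findReferences(sampleTemplate("WazuhSecurityGroup"), "WazuhSecurityGroup");
const afterStepOne = findReferences(sampleTemplate("AppSecurityGroup"), "WazuhSecurityGroup");
console.log({ beforeUpgrade, afterStepOne });
```

An empty result for the template produced by the first pull request means the group is no longer referenced and can be dropped from the stack.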
v61.4.0
Minor Changes
- 0426904: Removal of the `withoutImdsv2` property from `GuEc2App` and `GuAutoScalingGroup`.

  When this property was set to `true`, launched instances would not meet the FSBP EC2.8 control.

  This property is removed as a signal that GuCDK will follow FSBP controls by default.
  If for whatever reason you need to disable IMDSv2, you can do so via an escape hatch:

  ```typescript
  import { CfnLaunchTemplate } from "aws-cdk-lib/aws-ec2";

  declare const asg: GuAutoScalingGroup;

  const launchTemplate = asg.instanceLaunchTemplate.node.defaultChild as CfnLaunchTemplate;

  // Set the value to "optional", allowing IMDSv1 and IMDSv2.
  // See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-metadataoptions.html#cfn-ec2-launchtemplate-metadataoptions-httptokens.
  launchTemplate.addPropertyOverride("LaunchTemplateData.MetadataOptions.HttpTokens", "optional");

  // Or remove the property entirely.
  launchTemplate.addPropertyDeletionOverride("LaunchTemplateData.MetadataOptions.HttpTokens");
  ```
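Because the escape hatch bypasses the default, a check over the synthesized template can show where it has been used. The following is an added example, not part of `@guardian/cdk`: it classifies each `AWS::EC2::LaunchTemplate` by its `HttpTokens` value and lists those that do not enforce IMDSv2. The template and its logical IDs are constructed.

```typescript
// Added example; not part of @guardian/cdk. The template and logical IDs are constructed.
type ImdsState = "required" | "optional" | "unset";

interface CfnResource {
  Type: string;
  Properties?: { LaunchTemplateData?: { MetadataOptions?: { HttpTokens?: string } } };
}
interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// Classify every launch template by what the template says about HttpTokens.
function imdsStates(template: CfnTemplate): Record<string, ImdsState> {
  const states: Record<string, ImdsState> = {};
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    if (resource.Type !== "AWS::EC2::LaunchTemplate") continue;
    const tokens = resource.Properties?.LaunchTemplateData?.MetadataOptions?.HttpTokens;
    // "unset" covers addPropertyDeletionOverride: the template no longer pins IMDSv2.
    states[logicalId] = tokens === "required" ? "required" : tokens === "optional" ? "optional" : "unset";
  }
  return states;
}

// Logical IDs of launch templates where the template does not enforce IMDSv2.
function imdsV2NotEnforced(template: CfnTemplate): string[] {
  const states = imdsStates(template);
  return Object.keys(states).filter((id) => states[id] !== "required").sort();
}

// Helper for the constructed sample below.
function launchTemplate(metadataOptions: { HttpTokens?: string }): CfnResource {
  return {
    Type: "AWS::EC2::LaunchTemplate",
    Properties: { LaunchTemplateData: { MetadataOptions: metadataOptions } },
  };
}

const sampleStack: CfnTemplate = {
  Resources: {
    DefaultLaunchTemplate: launchTemplate({ HttpTokens: "required" }),
    OverriddenLaunchTemplate: launchTemplate({ HttpTokens: "optional" }), // addPropertyOverride
    DeletedLaunchTemplate: launchTemplate({}), // addPropertyDeletionOverride
    AppSecurityGroup: { Type: "AWS::EC2::SecurityGroup" },
  },
};

console.log(imdsV2NotEnforced(sampleStack));
```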
v61.3.4
Patch Changes
- 3851bd2: Upgrade to ESLint 9.x and `@guardian/eslint-config`

Upgrade Guide
- Update required dependencies

  ```sh
  # NPM
  npm uninstall @guardian/eslint-config-typescript --save-dev
  npm install eslint@^9.24.0 --save-dev
  npm install @guardian/eslint-config@^11.0.0 --save-dev

  # Or YARN
  yarn remove @guardian/eslint-config-typescript --dev
  yarn add eslint@^9.24.0 --dev
  yarn add @guardian/eslint-config@^11.0.0 --dev
  ```

- Switch to using a flat eslint config

  A lot of the config that we used to define is now available by default in the shared `@guardian/eslint-config` library.

  ```sh
  # Remove deprecated .eslintrc config
  rm .eslintrc

  # Replace with newer eslint.config.mjs
  # Most config options we want are enabled by default now in `@guardian/eslint-config` so we can
  # have a fairly minimal eslint config file.
  cat >> eslint.config.mjs << 'END'
  import guardian from '@guardian/eslint-config';

  export default [
    ...guardian.configs.recommended,
    ...guardian.configs.jest
  ];
  END
  ```

- Remove unsupported `--ext` flag from `lint` script in `package.json`

  ```sh
  # Remove --ext .ts from `npm run lint` script.
  # Substitute rather than delete, so the rest of the script line is kept.
  # `-i ''` is the BSD/macOS form; with GNU sed use `sed -i` without the empty argument.
  sed -i '' 's/ --ext \.ts//' ./package.json
  ```