Releases: navapbc/template-infra

v0.16.0 ⚠️ Requires migration steps

09 Feb 21:23
c08a1d4

Summary

Remove Pinpoint and use SES directly for email notifications. Better handle
non-us-east-1 project regions.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

⚠️ Migration notes

AWS Pinpoint has been deprecated and can no longer be used for new projects. Existing projects can continue to use resources that have already been created. See #942 for more background.

Your applications utilizing the notifications setup from the infra template will need code changes to use SES directly.

If you want to test SES alongside your existing Pinpoint setup before fully migrating, you can adopt a gradual approach while pulling updates.

Phase 1: Add SES alongside Pinpoint (Optional)

  • Keep your Pinpoint resources - Don't delete aws_pinpoint_app.app or
    related resources yet

  • Add the SES environment variable to your service configuration

    infra/<app_name>/service/notifications.tf:

    notifications_environment_variables = local.notifications_config != null ? {
      # Existing Pinpoint variables
      AWS_PINPOINT_APP_ID = module.notifications[0].app_id

      # New SES variable (can construct inline to avoid output changes).
      # Wrapping the conditional in parentheses lets it span multiple lines.
      AWS_SES_FROM_EMAIL = (
        local.notifications_config.sender_display_name != null
        ? "${local.notifications_config.sender_display_name} <${local.notifications_config.sender_email}>"
        : local.notifications_config.sender_email
      )
    } : {}
    
  • Update your application code to use the sesv2 client instead of pinpoint,
    referencing AWS_SES_FROM_EMAIL

  • Test that SES email sending works in your environment

Phase 2: Remove Pinpoint

Once you've confirmed SES works:

  • Apply the full migration by merging/pulling the changes from this release
  • Run terraform apply to destroy the Pinpoint resources

This approach minimizes risk by allowing you to validate SES functionality before removing Pinpoint infrastructure.
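As an added illustration of the application-side change in Phase 1 (not code from template-infra or its example app), a small Python helper that reads AWS_SES_FROM_EMAIL and sends through the boto3 sesv2 client. The RecordingSesClient, the function names and the addresses are assumptions so the example runs offline; a real deployment passes boto3.client("sesv2") instead.

```python
"""Send an application email via SES v2 using AWS_SES_FROM_EMAIL (hypothetical app code)."""
import os
from email.utils import parseaddr


def build_send_email_request(from_email: str, to: list, subject: str, text: str) -> dict:
    """Build the keyword arguments for the SESv2 SendEmail API call.

    from_email may be a bare address or "Display Name <address>", matching the
    two forms the notifications.tf snippet produces.
    """
    _display_name, address = parseaddr(from_email)
    if "@" not in address:
        raise ValueError(f"AWS_SES_FROM_EMAIL is not a usable sender: {from_email!r}")
    if not to:
        raise ValueError("at least one recipient is required")
    return {
        "FromEmailAddress": from_email,
        "Destination": {"ToAddresses": list(to)},
        "Content": {
            "Simple": {
                "Subject": {"Data": subject, "Charset": "UTF-8"},
                "Body": {"Text": {"Data": text, "Charset": "UTF-8"}},
            }
        },
    }


def send_notification(client, to, subject, text, env=os.environ) -> str:
    """Send one message; fail loudly if the service was not given the SES config."""
    from_email = env.get("AWS_SES_FROM_EMAIL")
    if not from_email:
        raise RuntimeError("AWS_SES_FROM_EMAIL is not set; check the service notifications config")
    request = build_send_email_request(from_email, to, subject, text)
    response = client.send_email(**request)  # boto3 sesv2 client method
    return response["MessageId"]


class RecordingSesClient:
    """Constructed stand-in for boto3.client('sesv2') so the example runs offline."""

    def __init__(self):
        self.calls = []

    def send_email(self, **kwargs):
        self.calls.append(kwargs)
        return {"MessageId": f"constructed-msg-{len(self.calls)}"}


if __name__ == "__main__":
    import boto3  # region comes from the environment/AWS config; sender identity must be verified in SES

    print(send_notification(boto3.client("sesv2"), ["user@example.com"], "Hello", "Sent via SES"))
```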

PR Envs

If any active PR environments exist from before you remove Pinpoint, you'll need
to take some additional steps. After updating your trunk branch with the release
changes, but before applying the account layer changes, ensure all open PRs are
merged or rebased onto the latest changes.

If you don't do this, you will need to manually clean up the PR environment
after the PR is closed. You can update bin/destroy-pr-environment as follows.

After:

echo "Select Terraform workspace: ${workspace}"
terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"

Add:

# TODO: tmp remove pinpoint state stuff so the rest of the removal can proceed
#
# Then go delete the actual resources via Console UI, Pinpoint > All projects > <project> > Settings > General Settings, "Delete project" button in upper right, enter "delete" then click "Delete" button
terraform -chdir="infra/${app_name}/service" state rm 'module.notifications[0].aws_pinpoint_email_channel.app'
terraform -chdir="infra/${app_name}/service" state rm 'module.notifications[0].aws_pinpoint_app.app'

Then run the PR environment cleanup script locally. Then manually remove the resources as indicated in the comment. Then discard the script changes.

Service

Network

  • Better handle non-us-east-1 project regions by @sean-navapbc in #980
    • This touches a few things across the stack, but mostly impacts the network
      layer, ensuring DNS query logging CloudWatch resources remain in us-east-1
      despite the default project region.

CI / CD

  • Remove type from custom GitHub action inputs by @doshitan in 01cd538
  • Better match only p-<num> format for orphaned PR environment detection by @doshitan in #994
  • Parameterize service infra test code for container image tag by @doshitan in 85472c0
  • Bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /infra/test by @dependabot[bot] in #983

Tech debt and maintenance

The template has an AWS account cleanup script for itself, which you may find useful to reference if you are also doing extensive automated testing. Added by @sean-navapbc in #973.


Full Changelog: v0.15.7...v0.16.0

v0.15.7

15 Oct 16:36
c477511

Summary

Many CI/CD improvements, notably caching of container build layers, which should
result in a sizeable reduction in build time for images. It also improves
compatibility with automatic minor updates for the DB by only specifying the
major version of the database.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

Database

  • Better handling of DB auto minor updates by @lorenyu in #938 and @doshitan in #962
    • If the template specifies a new minor version every time there's a release,
      that forces projects to update when doing a "simple" pull of template
      changes. Projects wanting to pin to a particular version will need to
      resolve that on template updates anyway, but for projects using auto updates
      (the default), only specifying the major version creates fewer conflicts
      on template updates and requires less juggling of state changes, since AWS
      rolls out the auto updates on different schedules for different accounts.
  • Better handling of DB upgrades by @doshitan in #964

CI / CD

  • Upgrade anchore-scan action by @lorenyu in #939
  • Fix PR environment destroy race condition by @lorenyu in #945
  • Use new version of markdown link check by @lorenyu in #955
  • Build and deploys
    • Handle new output format from AWS CLI in bin/current-region by @doshitan in #959 and @lorenyu in #961
    • Have image scripts use configured build repo region rather than current AWS CLI session region by @doshitan in #957
    • Update CI to use docker build caching by @lisac in #960

Tech debt and maintenance

New Contributors


Full Changelog: v0.15.6...v0.15.7

v0.15.6

24 Apr 14:28
a2c736e

Summary

This release brings configurable AWS Web Application Firewall (WAF) support,
redirects HTTP to HTTPS when HTTPS support is enabled in services, begins
better support for services running multiple containers/sidecars, and notifies
of deploy failures (if the system notification setup has been configured).

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

Migration notes

If you wish to use the WAF work in this release on your services, note the WAF
needs to first be created at the network layer before applying any changes at
the service layer, otherwise the service layer will not be able to find the WAF
to apply. To do this, apply the network changes by running:

make infra-update-network NETWORK_NAME=<NETWORK_NAME>

You can then set enable_waf to true in app-config/main.tf and update its
infrastructure.

CI / CD

  • Add deploy failure system notification by @lorenyu in #917
  • Separate E2E format and typecheck jobs by @rylew1 in #914
  • Add emojies to stale environment summaries for easier visual scanning by @lorenyu in 144b543

Network

  • AWS Web Application Firewall (WAF) config by @lorenyu and @devin-ai-integration in #924, #926, #928, #933
    • Default policy using some AWS managed rule sets for common threats
    • See docs/infra/web-application-firewall.md for more details

Service

  • Support sidecars in run command by @coilysiren in #918
  • Redirect HTTP traffic to HTTPS by @lorenyu in #925
  • AWS Web Application Firewall (WAF) support by @lorenyu
    • Disabled by default

Tech debt and maintenance


Full Changelog: v0.15.5...v0.15.6

v0.15.5

20 Mar 17:48
6664f1b

Summary

Automatically run E2E tests after a deployment and avoid throttling issues when
running commands.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

Service

  • Fix throttle issues when running commands (such as migrations) in projects with some history by @tdooner in #900

CI / CD

  • E2E
    • Cleanup E2E dependencies and strip e2e- from npm script names by @lorenyu in #895
    • Add autoformatting and typechecking by @lorenyu and @rylew1 in #896, #911
    • Support specifying a specific email username for tests that need it by @lorenyu in #898
    • Consolidate ability to run E2E tests on demand into e2e-tests.yml by @lorenyu in #899
    • Ignore HTTPS errors by default on E2E tests by @lorenyu in #901
    • Run E2E tests at end of deployment except in prod by @lorenyu in #903 and #908
  • Check for stale infra service test environments by @lorenyu in #909
  • Bump golang.org/x/net from 0.34.0 to 0.36.0 in /infra/test by @dependabot in #905
  • Allow PR environment workflows to run in parallel for different apps by @lorenyu in a78dc50

Tech debt and maintenance


Full Changelog: v0.15.4...v0.15.5

v0.15.4

05 Mar 18:55
a79e0a5

Summary

Re-add feature flags, streamline E2E test development, and refactor how some
things are configured.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service ⚠️
CI/CD

Migration notes

For secrets with manage_method="generated", if you want to avoid regenerating
the secrets, you can move the secrets to the new location with:

terraform -chdir=infra/<APP_NAME>/service state mv 'module.secrets["<SECRET_NAME>"].aws_ssm_parameter.secret[0]' 'module.secrets.aws_ssm_parameter.secrets["<SECRET_NAME>"]'
terraform -chdir=infra/<APP_NAME>/service state mv 'module.secrets["<SECRET_NAME>"].random_password.secret[0]' 'module.secrets.random_password.secrets["<SECRET_NAME>"]'

Service

Tech debt and maintenance

  • Generate infra service test id from timestamp by @lorenyu in #885
  • Move monitoring config out of service root module by @lorenyu in #884
  • Fix service module public_endpoint output when https enabled by @lorenyu in #893
  • Docs
  • E2E testing refactors
  • bin/orphaned-pr-environments: Handle no PR envs and merged PRs better by @doshitan in #889

Full Changelog: v0.15.3...v0.15.4

v0.15.3

13 Feb 22:32
276a848

Summary

Fix and improve email notifications, support writeable filesystem locations for
services, more flexible service healthchecks, and continue to shuffle some
configuration things around slightly for simpler interfaces and better
separation of concerns.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

Service

Documentation

Tech debt and maintenance

  • Include prefix in service root service_name output by @doshitan in #869
  • Move service config to separate file by @lorenyu in #872
  • Nest network and within service & database modules by @coilysiren in #861
  • infra/test: Update dependencies by @doshitan in #867
  • Replace deprecated managed_policy_arns with aws_iam_role_policy_attachment by @coilysiren in #862

Full Changelog: v0.15.2...v0.15.3

v0.15.2 ⚠️ Requires migration steps

28 Jan 21:15
9310f64

Summary

Fix a race condition in CI/CD, enable services to use the notifications setup directly, update Terraform to 1.10.x series, and a variety of smaller cleanups.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

⚠️ Migration notes

The required Terraform version has changed from 1.8.x to 1.10.x. CI/CD actions should handle this automatically, but you'll need to update your local Terraform.

Minor callouts

  • While there are no changes in functionality, the service/network/domain/database Terraform module reorg may require additional attention if you've customized those modules for your project.
  • The ADR doc naming convention has shifted to use a date prefix; it's suggested that you rename any of your project-specific entries to match. At the very least you may need to re-number yours.
  • Some test projects (not all of them) encountered a few oddities when running the update, so be on the lookout for:
    • A deleted infra/modules/database/resources/role_manager.zip, restore with:
      git checkout origin/main -- infra/modules/database/resources/role_manager.zip
      
      (or copy from template-infra repo)
    • The old docs/decisions/infra/ ADRs being left around, manually remove those with something like:
      git rm docs/decisions/infra/0*
      

Service

Notifications

  • Enable service to send notifications, rather than just Cognito by @lorenyu in #835

CI/CD

  • Fix race condition often causing failures on merges to main, by @doshitan and @lorenyu in #848 and #849
  • bin/lint-markdown: When a link check returns HTTP 429 "Too Many Requests", wait and retry instead of failing by @lorenyu in #858
  • bin/lint-markdown: Only run against git-tracked markdown files by @doshitan in #780
  • Show app name in PR environment destroyed message by @lorenyu in af9e30a

Documentation

Tech debt and maintenance

  • No functional changes, but various Terraform modules have been internally reorganized for a simpler interface and cleaner separation of concerns:
  • Use a date instead of incrementing number for ADR file names by @daphnegold in #851
  • Upgrade Terraform version from 1.8.3 to 1.10.5 by @daphnegold in #852
  • Remove otherfile.txt and somefile.txt by @lorenyu in 5a00683

Full Changelog: v0.15.1...v0.15.2

v0.15.1

15 Jan 22:59
cb15833

Summary

Includes a change for notifications functionality that simplifies the code and fixes a conflict under certain project configurations.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

What's Changed

  • 🔧 Move prefix from env-config to service root by @lorenyu in #832
  • 🐞 Notifications: Reuse app domain for domain identity by @lorenyu in #834

Full Changelog: v0.15.0...v0.15.1

v0.15.0 ⚠️ Requires migration steps

14 Jan 22:18

Summary

This release switches to using the Platform CLI tool for managing the template. There should be no breaking changes to functionality, but the switch involves a breaking change to how the template is installed/updated that will need manual migration.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

⚠️ Migration notes

See https://navapbc.github.io/platform-cli/getting-started/migrating-from-legacy-template/ for guidance on updating to this version using the Platform CLI.

There are a lot of little documentation tweaks to better support multi-app environments, so the diff might look large at first glance.

What's Changed

  • Support Platform CLI by @lorenyu and @doshitan in #763 includes a fair amount of changes. Notable ones being:
    • Broader multi-app support across all functionality, but in particular new multi-app support in:
      • PR Environments
      • Infra tests/CI
    • Move example/demo/minimal application app/ to template-only-app/. Places wanting to use it as their example app for testing can copy template-only-app/ to the appropriate app-named directory.

Full Changelog: v0.14.3...v0.15.0

v0.14.3

14 Jan 20:59
641f91a

Summary

Improvements around PR environments and consistent naming of Terraform modules.

Layer Has changes Needs migration
Account
Network
Build repository
Database
Service
CI/CD

What's Changed

  • ⚙️ Send notification for failed infra deploy status check by @lorenyu in #823
  • 🐞 Fix trigger for PR environment destroy workflow by @lorenyu in #827
  • 🐞 Fix permissions for scan orphaned PRs workflow by @lorenyu in #829
  • 🔧 Use underscores in Terraform file names instead of dashes by @daphnegold in #828

Template development

  • Add template release management documentation by @lorenyu in #825
  • Add template technical design principles by @lorenyu in #824

Full Changelog: v0.14.2...v0.14.3