v0.19.0 (2026-06-17)

Summary

Largely a maintenance release with updated GitHub Actions and testing
dependencies to resolve deprecations and a host of CVEs (largely in infra tests
dependencies). While nothing provided out-of-the-box by the template breaks,
these updates do include a number of breaking version updates to some tooling,
mainly code scanning and the E2E test framework. So projects with extensive
additions to E2E or infra tests, or additional infra not provided by the
template, may need to handle some minor migrations.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database	✅
Service	✅
CI/CD	✅

Database

• Minor edit to move DB Role Manager AWS Lambda runtime line to own "section" in
  resource block. This will make future updates clearer to review. No functional
  changes.

Service

• Updates to E2E testing
  • Update Playwright to v1.60.0
  • Update TypeScript to v6
  • Update Axe accessibility testing engine to v4.11.3
  • Misc. other package updates
• Package updates for infra service tests
  • Update Terratest to v1
  • Update Go to v1.26.0 (required by Terratest v1)
  • Misc. other package updates

CI / CD

• Updates to third-party GitHub Actions to use the Node.js v24 runtime
  • Update actions/cache action to v5
  • Update actions/checkout action to v6
  • Update actions/download-artifact to v8
  • Update actions/setup-go action to v6
  • Update actions/setup-node action to v6
  • Update actions/setup-python action to v6
  • Update actions/upload-artifact to v7
  • Update anchore/scan-action action to v7
    • The updated version of Grype has improved support for a variety of
      different systems, which could flag new issues depending on the
      application's ecosystem.
  • Update aws-actions/configure-aws-credentials action to v6
  • Update docker/setup-buildx-action action to v4
  • Update hashicorp/setup-terraform action to v4
  • Update slackapi/slack-github-action action to v3
  • Misc. other non-major updates
• Service vulnerability scanning config tweaks
  • Add default Dockle ignores in .dockleignore
    • A couple things either long broken upstream (for newer images) or out
      of date.
  • Add default ignore for Hadolint DL3008
    • Pinning the version for every package can make things more brittle
      and hard to recommend generally. For specific circumstances and teams
      it can make sense, those teams can re-enable if desired.

---

Full Changelog: v0.18.0...v0.19.0

v0.18.0

Summary

A few refinements in the Document Data Extraction module and working
file_upload_jobs in PR environments.

No migrations are required, but users of the Document Data Extraction module
should review the new documentation included in this release, particularly the
notes around updating Bedrock blueprints.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD

Service

• Document Data Extraction module has various improvements, including dedicated
  documentation in docs/infra/document-data-extraction.md. Important to note
  that making updates to Bedrock blueprint config will require manual steps with
  this release, see docs for more detail. We hope to remove this inconvenience in
  the future.
  • Add document block to DDE output config to support field level extraction
    out of the box
  • Misc. changes for cleaner Terraform state diffs when using the DDE module
    • Ignore changes to DDE blueprints list to mitigate noise in service layer
      updates
    • Don't reference BDA project resource directly in DDE access policy so
      Terraform does not trigger unnecessary updates
    • Add trailing comma to default DDE blueprints config item to minimize diff
      when extended
• Make file_upload_jobs work in temporary environments against default service
  storage bucket. If you have jobs configured to intentionally run against some
  shared bucket which is fixed even across temporary environments, you should
  set source_bucket_apply_workspace_prefix = false for the relevant job
  config(s) (it defaults to true).
  • This is technically a behavior change, but the previous behavior was more
    undefined/unintended so not categorizing as breaking. If you wish to restore
    previous behavior (without adjusting every job config as mentioned above),
    you can change the service wide default in
    infra/<APP_NAME>/app-config/env-config/service.tf.
  • The implementation relies on the template's naming convention for temporary
    environment resources. If your project has deviated from those, you may need
    to make further changes to adapt the logic to your setup.

---

Full Changelog: v0.17.0...v0.18.0

v0.17.0

Summary

A new "Document Data Extraction" module provides customizable file
identification and structured data extraction with out-of-the-box support for a
variety of document types. Typically this would be used as a part of a Strata
DocumentAI instance, but the module could be of use to any service interested in
the underlying functionality itself.

SMS support has been added for "notifications", similar to existing email
support.

Terraform state locking has migrated from DynamoDB to native S3. DynamoDB
locking is deprecated in Terraform upstream. This does require manual migration
steps for existing projects.

The out-of-the-box version of Playwright used for end-to-end testing has been
updated. Along with various documentation updates and script cleanups.

Layer	Has changes	Needs migration
Account	✅	✅
Network	✅
Build repository
Database
Service	✅
CI/CD

⚠️ Migration notes

For the S3 state locking migration, see
docs/infra/migrate-terraform-state-locking-to-s3.md.

Account

• Switch to S3 state locking for Terraform (#999)

Note, the Document Data Extraction module and SMS notifications use new (for the
template) AWS services which can result in changes in the account layer for the
GitHub Actions permissions.

Network

Note, the SMS notification feature requires a new VPC endpoint. This will only
be created in a network if the feature is enabled for a service in said network.

Service

• Add Document Data Extraction Module (#989)
• Add SMS notifications feature (#1012)
• Support configuring storage module for service principal access (#997)
• Update Playwright from 1.49.0 to 1.56.1 (#967) (#1010)

Tech debt and maintenance

• New docs
  • Temporary environments and out-of-band resources (#1005)
  • Deletion protection in temporary environments (#1007)
• Cleanup
  • Makefile: Clearer script calls (#574)
  • Switch script shebangs to /usr/bin/env (#577)
  • Various typo fixes and trailing whitespace removal

New Contributors

• @laurencegoolsby made their first contribution in #997
• @juliareynolds-nava made their first contribution in #999
• @jrpbc made their first contribution in #1012

---

Full Changelog: v0.16.0...v0.17.0

v0.16.0 ⚠️ Requires migration steps

Summary

Remove Pinpoint and use SES directly for email notifications. Better handle
non-us-east-1 project regions.

Layer	Has changes	Needs migration
Account	✅
Network	✅
Build repository
Database
Service	✅	✅
CI/CD

⚠️ Migration notes

AWS Pinpoint has been deprecated and can no longer be used for new projects. Existing projects can continue to use resources that have already been created. See #942 for more background.

Your applications utilizing the notifications setup from the infra template will need code changes to use SES directly.

If you want to test SES alongside your existing Pinpoint setup before fully migrating, you can adopt a gradual approach while pulling updates.

Phase 1: Add SES alongside Pinpoint (Optional)

• Keep your Pinpoint resources - Don't delete aws_pinpoint_app.app or
  related resources yet

• Add the SES environment variable to your service configuration

  infra/<app_name>/service/notifications.tf:

  notifications_environment_variables = local.notifications_config != null ? {
  # Existing Pinpoint variables
  AWS_PINPOINT_APP_ID = module.notifications[0].app_id
  
  # New SES variable (can construct inline to avoid output changes)
  AWS_SES_FROM_EMAIL = local.notifications_config.sender_display_name != null ? 
      "${local.notifications_config.sender_display_name} <${local.notifications_config.sender_email}>" :
      local.notifications_config.sender_email
  } : {}
  

• Update your application code to use the sesv2 client instead of pinpoint,
  referencing AWS_SES_FROM_EMAIL

• Test that SES email sending works in your environment

Phase 2: Remove Pinpoint

Once you've confirmed SES works:

• Apply the full migration by merging/pulling the changes from this release
• Run terraform apply to destroy the Pinpoint resources
• This approach minimizes risk by allowing you to validate SES functionality before removing Pinpoint infrastructure.

PR Envs

If any active PR environments exist from before you remove Pinpoint, you'll need
to take some additional steps. After updating your trunk branch with the release
changes, but before apply the account layer changes, ensure all PRs
merge/rebase on the lastest changes.

If you don't do this, you will need to manually clean up the PR environment
after the PR is closed. You can update bin/destroy-pr-environment as follows.

After:

echo "Select Terraform workspace: ${workspace}"
terraform -chdir="infra/${app_name}/service" workspace select "${workspace}"

Add:

# TODO: tmp remove pinpoint state stuff so the rest of the removal can proceed
#
# Then go delete the actual resources via Console UI, Pinpoint > All projects > <project> > Settings > General Settings, "Delete project" button in upper right, enter "delete" then click "Delete" button
terraform -chdir="infra/${app_name}/service" state rm 'module.notifications[0].aws_pinpoint_email_channel.app'
terraform -chdir="infra/${app_name}/service" state rm 'module.notifications[0].aws_pinpoint_app.app'

Then run the PR environment cleanup script locally. Then manually removed resources as indicated in the comment. Then discard the script changes.

Service

• Migrate notifications off of AWS Pinpoint by @sean-navapbc and @doshitan in #968, #981, and 7b26ec0

Network

• Better handle non-us-east-1 project regions by @sean-navapbc in #980
  • This touches a few things across the stack, but mostly impacts the network
    layer, ensuring DNS query logging CloudWatch resources remain in us-east-1
    despite the default project region.

CI / CD

• Remove type from custom GitHub action inputs by @doshitan in 01cd538
• Better match only p-<num> format for orphaned PR environment detection by @doshitan in #994
• Parameterize service infra test code for container image tag by @doshitan in 85472c0
• Bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /infra/test by @dependabot[bot] in #983

Tech debt and maintenance

• Misc. cleanup in d01fdca, 6252077, 0f3c616

The template has an AWS account cleanup script for itself, which you may find useful to reference if you are also doing extensive automated testing. Added by @sean-navapbc in #973.

---

Full Changelog: v0.15.7...v0.16.0

v0.15.7

Summary

Many CI/CD improvements, notably caching of container build layers, which should
result in a sizeable reduction in build time for images. And better
compatibility with automatic minor updates for the DB, by only specifying the
major version of the database.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database	✅
Service
CI/CD	✅

Database

• Better handling of DB auto minor updates by @lorenyu in #938 and @doshitan in #962
  • If the template specifies a new minor version every time there's a release,
    that forces projects to update in when doing a "simple" pull of template
    changes. Projects wanting to pin to a particular version will need to
    resolve that on template updates anyway, but for projects using auto updates
    (the default), by only specifying the major version, less conflicts are
    created on template updates and less juggling of state changes are necessary
    for the projects, as AWS rolls out the auto updates on different schedules
    for different accounts.
• Better handling of DB upgrades by @doshitan in #964

CI / CD

• Upgrade anchore-scan action by @lorenyu in #939
• Fix PR environment destroy race condition by @lorenyu in #945
• Use new version of markdown link check by @lorenyu in #955
• Build and deploys
  • Handle new output format from AWS CLI in bin/current-region by @doshitan in #959 and @lorenyu in #961
  • Have image scripts use configured build repo region rather than current AWS CLI session region by @doshitan in #957
  • Update CI to use docker build caching by @lisac in #960

Tech debt and maintenance

• Bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 in /infra/test by @dependabot[bot] in #953
• Don't eat non-zero exit in AWS /bin scripts by @doshitan in #958
• Docs
  • Reorganize infra documentation by @lorenyu in #930
  • Remove inaccurate comment by @coilysiren in #943
  • Remove references to template from infra/README getting started by @lorenyu in #951
  • Fix typo by @doshitan in ef7e879

New Contributors

• @lisac made their first contribution in #960
• @sean-navapbc made their first contribution in #963

---

Full Changelog: v0.15.6...v0.15.7.

v0.15.6

Summary

This release brings configurable AWS Web Application Firewall (WAF) support,
redirects HTTP to HTTPS when HTTPS support is enabled in services, begins of
better support for services running multiple containers/sidecars, and notifies
of deploy failures (if the system notification setup has been configured).

Layer	Has changes	Needs migration
Account
Network	✅
Build repository
Database
Service	✅
CI/CD	✅

Migration notes

If you wish to use the WAF work in this release on your services, note the WAF
needs to first be created at the network layer before applying any changes at
the service layer, otherwise the service layer will not be able to find the WAF
to apply. To do this, apply the network changes by running:

make infra-update-network NETWORK_NAME=<NETWORK_NAME>

You can then set enable_waf to true in app-config/main.tf and update its
infrastructure.

CI / CD

• Add deploy failure system notification by @lorenyu in #917
• Separate E2E format and typecheck jobs by @rylew1 in #914
• Add emojies to stale environment summaries for easier visual scanning by @lorenyu in 144b543

Network

• AWS Web Application Firewall (WAF) config by @lorenyu and @devin-ai-integration in #924, #926, #928, #933
  • Default policy using some AWS managed rule sets for common threats
  • See docs/infra/web-application-firewall.md for more details

Service

• Support sidecars in run command by @coilysiren in #918
• Redirect HTTP traffic to HTTPS by @lorenyu in #925
• AWS Web Application Firewall (WAF) support by @lorenyu
  • Disabled by default

Tech debt and maintenance

• Doc updates by @coilysiren and @lorenyu in #919 and a4d7eac
• Dependency updates for infrastructure tests by @dependabot and @doshitan in #922
• Add default issue template by @lorenyu in 6282c65

---

Full Changelog: v0.15.5...v0.15.6

v0.15.5

Summary

Automatically run E2E tests after a deployment and avoid throttling issues when
running commands.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD	✅
EOF

Service

• Fix throttle issues when running commands (such as migrations) in projects with some history by @tdooner in #900

CI / CD

• E2E
  • Cleanup E2E dependencies and strip e2e- from npm script names by @lorenyu in #895
  • Add autoformatting and typechecking by @lorenyu and @rylew1 in #896, #911
  • Support specifiying a specific email username for tests that need it by @lorenyu in #898
  • Consolidate ability to run E2E tests on demand into e2e-tests.yml by @lorenyu in #899
  • Ignore HTTPS errors by default on E2E tests by @lorenyu in #901
  • Run E2E tests at end of deployment except in prod by @lorenyu in #903 and #908
• Check for stale infra service test environments by @lorenyu in #909
• Bump golang.org/x/net from 0.34.0 to 0.36.0 in /infra/test by @dependabot in #905
• Allow PR environment workflows to run in parallel for different apps by @lorenyu in a78dc50

Tech debt and maintenance

• Docs
  • Add additional docs to PR environments by @lorenyu in #897
  • Add style guide for GitHub Actions by @lorenyu in #902
  • Document notifications setup by @lorenyu in #904
  • Add docs on identity provider by @lorenyu in #910
• Fix role manager archive Make target by @lorenyu in #913

---

Full Changelog: v0.15.4...v0.15.5

v0.15.4

Summary

Re-add feature flags, streamline E2E test development, and refactor how some
things are configured.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅	⚠️
CI/CD	✅

Migration notes

For secrets with manage_method="generated", if you want to avoid regenerating
the secrets, you can move the secrets to the new location with:

terraform -chdir=infra/<APP_NAME>/service state mv 'module.secrets["<SECRET_NAME>"].aws_ssm_parameter.secret[0]' 'module.secrets.aws_ssm_parameter.secrets["<SECRET_NAME>"]'
terraform -chdir=infra/<APP_NAME>/service state mv 'module.secrets["<SECRET_NAME>"].random_password.secret[0]' 'module.secrets.random_password.secrets["<SECRET_NAME>"]'    

Service

• Add SSM-based feature flags by @lorenyu in #873 and #883
• Convert secret module to create multiple secrets by @lorenyu in #877
• Add ability to run task commands in PR environment by @lorenyu in #879
• Add workflow to run E2E tests on demand by @lorenyu in #892 and c0c9cec

Tech debt and maintenance

• Generate infra service test id from timestamp by @lorenyu in #885
• Move monitoring config out of service root module by @lorenyu in #884
• Fix service module public_endpoint output when https enabled by @lorenyu in #893
• Docs
  • Fix typo in variable description by @coilysiren in #881
  • Fix link to project-config by @lorenyu in #882
• E2E testing refactors
  • Move test library files to lib by @lorenyu in #886
  • Move emailService to fixture for e2e tests by @lorenyu in #891
• bin/orphaned-pr-environments: Handle no PR envs and merged PRs better by @doshitan in #889

---

Full Changelog: v0.15.3...v0.15.4

v0.15.3

Summary

Fix and improve email notifications, support writeable filesystem locations for
services, more flexible service healthchecks, and continue to shuffle some
configuration things around slightly for simpler inferfaces and better
separation of concerns.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database	✅
Service	✅
CI/CD

Service

• Fix MAIL FROM and add DMARC DNS Records by @coilysiren in #859
• Support ephemeral write mounts for services by @doshitan in #871
• Use service provided healthcheck, with fallbacks by @doshitan in #870

Documentation

• Add comment describing each AWS service by @lorenyu in #866
• Update module dependencies documentation by @lorenyu in #865
• Add ADR for notifications by @lorenyu in #830

Tech debt and maintenance

• Include prefix in service root service_name output by @doshitan in #869
• Move service config to separate file by @lorenyu in #872
• Nest network and within service & database modules by @coilysiren in #861
• infra/test: Update dependencies by @doshitan in #867
• Replace deprecated managed_policy_arns with aws_iam_role_policy_attachment by @coilysiren in #862

---

Full Changelog: v0.15.2...v0.15.3

v0.15.2 ⚠️ Requires migration steps

Summary

Fix a race condition in CI/CD, enable services to use the notifications setup directly, update Terraform to 1.10.x series, and a variety of smaller cleanups.

Layer	Has changes	Needs migration
Account
Network
Build repository
Database
Service	✅
CI/CD	✅

⚠️ Migration notes

The required Terraform version has changed from 1.8.x to 1.10.x. CI/CD actions should handle this automatically, but you'll need to update your local Terraform.

Minor callouts

• While there are no changes in functionality, the service/network/domain/database Terraform module reorg may require additional attention if you've customized those modules for your project.
• The ADR doc naming convention has shifted to use a date prefix, it's suggested to move any of your project-specific entries to match. At the very least you may need to re-number yours.
• Some test projects non-uniformly encountered a few oddities when running the update, so just be on the lookout for:
  • A deleted infra/modules/database/resources/role_manager.zip, restore with:

    git checkout origin/main -- infra/modules/database/resources/role_manager.zip
    

    (or copy from template-infra repo)
  • The old docs/decisions/infra/ ADRs being left around, manually remove those with something like:

    git rm docs/decisions/infra/0*
    

Service

Notifications

• Enable service to send notifications, rather than just Cognito by @lorenyu in #835

CI/CD

• Fix race condition often causing failures on merges to main, by @doshitan and @lorenyu in #848 and #849
• bin/lint-markdown: When a link check returns HTTP 429 "Too Many Requests", wait and retry instead of failing by @lorenyu in #858
• bin/lint-markdown: Only run against git-tracked markdown files by @doshitan in #780
• Show app name in PR environment destroyed message by @lorenyu in af9e30a

Documentation

• Miscellaneous minor updates by @doshitan in #847

Tech debt and maintenance

• No functional changes, but various Terraform modules have been internally reorganized for a simpler interface and cleaner separation of concerns:
  • Service root by @lorenyu in #837
  • Networking and domain by @lorenyu in #839 and #840
  • Database by @lorenyu in #841, #846, and c8ccc18
• Use a date instead of incrementing number for ADR file names by @daphnegold in #851
• Upgrade Terraform version from 1.8.3 to 1.10.5 by @daphnegold in #852
• Remove otherfile.txt and somefile.txt by @lorenyu in 5a00683

---

Full Changelog: v0.15.1...v0.15.2