Releases: guardian/cdk
v56.0.2
v56.0.1
v56.0.0
Major Changes
- 5fead41:
  - Load balancers now add headers with information about the TLS version and cipher suite used during negotiation
  - Load balancers now drop invalid headers before forwarding requests to the target. Invalid headers are described as HTTP header names that do not conform to the regular expression `[-A-Za-z0-9]+`
Patch Changes
- a551119: Apply the `App` tag to the launch template created in the EC2 App pattern.
- de7c472: Update dependencies
- e1f3751: Fixes a bug where `this.app` on a `GuStack` is always `undefined`, as it is never set. See #1497 (comment).
v55.0.0
Major Changes
- 6c5e701: Use PROD version of cognito-auth-lambdas instead of INFRA.
  We no longer update/use the INFRA version of cognito-auth-lambdas. Although we won't be making any breaking changes to these lambdas, if a user of CDK does not update for a long while, then when they switch from INFRA to PROD they will suddenly receive a lot of updates to their lambdas.
  Users should take care to verify that any applications that use Google Auth are still functional.
v54.1.0
v54.0.0
Major Changes
This change includes some potentially breaking changes for consumers of:
- `GuEc2App`
- `GuPlayApp` (a subclass of `GuEc2App`)
- `GuPlayWorkerApp` (a subclass of `GuEc2App`)
- `GuNodeApp` (a subclass of `GuEc2App`)
Since v49.0.2, the EC2 instance profile created in `GuEc2App`, and its subclasses, used the `AmazonSSMManagedInstanceCore` AWS Managed Policy to enable the SSM+SSH capability.
In addition to enabling SSM+SSH, this Managed Policy also provided read access to all SSM Parameters.
This is not least privilege.
In this version, usage of the `AmazonSSMManagedInstanceCore` Managed Policy is swapped for a custom, more minimal, policy.
Important
Before upgrading to this version, ensure your application is not relying on the IAM Policy behaviour provided by `AmazonSSMManagedInstanceCore`.
If your application is reading SSM Parameters outside the `/STAGE/STACK/APP/*` namespace, you will need to add an explicit policy.
An IAM Policy to read SSM Parameters in the `/STAGE/STACK/APP/*` namespace is already provided by the `GuEc2App` construct, via `GuParameterStoreReadPolicy`.
To understand if your application is impacted, consult this Service Catalogue query showing CloudFormation stacks using the above and using GuCDK v49.0.2 or above.
Query ran in Service Catalogue
```sql
with data as (
  select cfn.account_id
       , acc.name as account_name
       , tml.stack_id
       , cfn.last_updated_time
       , cfn.region
       , cfn.stack_name
       , tml.metadata ->> 'gu:cdk:version' as gucdk_version
       , cfn.tags ->> 'gu:repo' as repository
       , cfn.tags ->> 'Stack' as stack
       , cfn.tags ->> 'Stage' as stage
       , cfn.tags ->> 'App' as app
  from aws_cloudformation_template_summaries tml
  join aws_accounts acc on tml.account_id = acc.id
  join aws_cloudformation_stacks cfn on tml.stack_arn = cfn.arn
  where tml.metadata is not null
    and (
      (metadata -> 'gu:cdk:constructs')::jsonb ? 'GuEc2App'
      OR (metadata -> 'gu:cdk:constructs')::jsonb ? 'GuPlayApp'
      OR (metadata -> 'gu:cdk:constructs')::jsonb ? 'GuPlayWorkerApp'
      OR (metadata -> 'gu:cdk:constructs')::jsonb ? 'GuNodeApp'
    )
),
ownership as (
  select distinct full_name
       , galaxies_team
       , team_contact_email
  from view_repo_ownership
  where galaxies_team is not null
    and team_contact_email is not null
)
select data.*
     , ownership.galaxies_team
     , ownership.team_contact_email
from data
left join ownership on data.repository = ownership.full_name
where gucdk_version like '49%' -- affected version is 49.0.2 onwards, so this will catch some extra stacks, but hopefully not too many!
   OR gucdk_version like '5%';
```
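
A pre-upgrade check for the v54.0.0 policy change, as an added example (not code from guardian/cdk): given the parameter names an application reads, it lists those outside `/STAGE/STACK/APP/*` and builds the IAM statement an explicit policy would need. The stage, stack, app, parameter names, region and account id are constructed, and using only `ssm:GetParameter` and `ssm:GetParameters` assumes the app fetches parameters by name.

```typescript
// Added example. All names, the region and the account id are constructed.
interface AppIdentity { stage: string; stack: string; app: string }
interface Statement { Effect: "Allow"; Action: string[]; Resource: string[] }

// SSM hierarchy names start with "/"; flat names ("legacy-api-key") do not,
// but their ARN still reads "parameter/<name>", so normalise to a leading "/".
function withLeadingSlash(name: string): string {
  return name.charAt(0) === "/" ? name : "/" + name;
}

// Parameters the app reads that fall outside /STAGE/STACK/APP/*.
// The trailing "/" in the prefix stops "/PROD/deploy/api-v2/..." from
// being treated as part of the "/PROD/deploy/api/" namespace.
function outsideNamespace(id: AppIdentity, names: string[]): string[] {
  const prefix = "/" + id.stage + "/" + id.stack + "/" + id.app + "/";
  const outside: string[] = [];
  for (const raw of names) {
    const name = withLeadingSlash(raw);
    const covered = name.slice(0, prefix.length) === prefix;
    if (!covered && outside.indexOf(name) === -1) outside.push(name);
  }
  return outside.sort();
}

// IAM statement granting read access to exactly those parameters.
// Assumption: reads are by name, so no path-wide or wildcard access is granted.
// Returns null when every read is already inside the namespace.
function explicitReadStatement(
  region: string, accountId: string, outside: string[]
): Statement | null {
  if (outside.length === 0) return null;
  return {
    Effect: "Allow",
    Action: ["ssm:GetParameter", "ssm:GetParameters"],
    Resource: outside.map(function (n) {
      return "arn:aws:ssm:" + region + ":" + accountId + ":parameter" + n;
    }),
  };
}

const app: AppIdentity = { stage: "PROD", stack: "deploy", app: "api" };
const reads = [
  "/PROD/deploy/api/db-password",     // inside the namespace: already covered
  "/PROD/deploy/api-v2/feature-flag", // sibling app: not covered
  "/account/services/logging.stream", // shared parameter: not covered
  "legacy-api-key",                   // flat name: not covered
  "/account/services/logging.stream", // duplicate read, reported once
];
const outside = outsideNamespace(app, reads);
const statement = explicitReadStatement("eu-west-1", "000000000000", outside);
console.log(JSON.stringify(statement, null, 2));
```

A `null` result means the namespace policy the construct already provides covers every read, so no explicit policy is needed before upgrading.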