From afdc5a52d4e13ab679e2587ff9eb46648bb75b1a Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Tue, 10 Oct 2023 08:43:17 +0200
Subject: [PATCH 1/8] AWS: remove GetQueueAttributes from main role (#130)
Signed-off-by: Jorge Turrado Ferrero
---
 terraform/modules/aws/iam/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/aws/iam/main.tf b/terraform/modules/aws/iam/main.tf
index 046ce40..1a2e4bb 100644
--- a/terraform/modules/aws/iam/main.tf
+++ b/terraform/modules/aws/iam/main.tf
@@ -155,7 +155,7 @@ resource "aws_iam_policy" "policy" {
 },
 {
 "Effect": "Deny",
- "Action": "sqs:*",
+ "Action": "sqs:GetQueueAttributes",
 "Resource": [
 "arn:aws:sqs:*:589761922677:asume-role-queue-*"
 ]
@@ -225,4 +225,4 @@ resource "aws_iam_policy" "workload_role_policy" {
 ]
 }
 EOF
-}
\ No newline at end of file
+}
From cd3c1368bb7dc509d4e4064e7bf01b08150ef388 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Oct 2023 15:56:30 +0100
Subject: [PATCH 2/8] build(deps): bump hashicorp/setup-terraform from 2.0.3 to 3.0.0 (#131)
Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 2.0.3 to 3.0.0.
- [Release notes](https://github.com/hashicorp/setup-terraform/releases)
- [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/setup-terraform/compare/v2.0.3...v3.0.0)
---
updated-dependencies:
- dependency-name: hashicorp/setup-terraform
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/main.yaml | 2 +-
 .github/workflows/pr-validation.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 68f9452..172a98d 100644
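Review bot: Changing the Deny statement's action from `sqs:*` to `sqs:GetQueueAttributes` means every other SQS action on `arn:aws:sqs:*:589761922677:asume-role-queue-*` is now decided by the policy's Allow statements alone, which lie outside this hunk, so the main role's effective access to these queues should be re-checked against the Allow side rather than assumed to be blocked. The statement does not record why this one action stays denied, and because the policy is a JSON heredoc (see the `EOF` in the second hunk) an HCL comment cannot be placed inside it; a statement id carries the intent instead, e.g. `"Sid": "DenyGetQueueAttributesOnAssumeRoleQueues",` next to `"Effect": "Deny",` — presumably the e2e scenario expects this call to succeed only through the workload role, which is worth confirming before wording the id. The `asume-role-queue-*` spelling in the resource pattern is corrected later in this series (PATCH 8/8).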
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -52,7 +52,7 @@ jobs:
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2.0.3
+ uses: hashicorp/setup-terraform@v3.0.0
 - name: Terraform Init
 run: |
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index ca5b41b..63aac6c 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -54,7 +54,7 @@ jobs:
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2.0.3
+ uses: hashicorp/setup-terraform@v3.0.0
 - name: Setup TFLint
 uses: terraform-linters/setup-tflint@v4
From 259c8756fca581bdb1b61e797b1158b9c9f4dcbc Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Tue, 21 Nov 2023 00:37:35 +0100
Subject: [PATCH 3/8] Update Kusto module to remove deprecated field (#133)
* Update Kusto module to remove deprecated field
Signed-off-by: Jorge Turrado Ferrero
* Update main.tf
Signed-off-by: Jorge Turrado Ferrero
* Update main.tf
Signed-off-by: Jorge Turrado Ferrero
---------
Signed-off-by: Jorge Turrado Ferrero
---
 terraform/modules/azure/data-explorer/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/azure/data-explorer/main.tf b/terraform/modules/azure/data-explorer/main.tf
index 957b2cb..7202ee2 100644
--- a/terraform/modules/azure/data-explorer/main.tf
+++ b/terraform/modules/azure/data-explorer/main.tf
@@ -17,6 +17,7 @@ resource "azurerm_kusto_cluster" "cluster" {
 name = local.kusto_cluster_name
 location = data.azurerm_resource_group.rg.location
 resource_group_name = data.azurerm_resource_group.rg.name
+ auto_stop_enabled = false
 engine = "V3"
 sku {
@@ -47,4 +48,4 @@ resource "azurerm_kusto_cluster_principal_assignment" "role" {
 principal_id = var.admin_principal_ids[count.index]
 principal_type = "App"
 role = "AllDatabasesAdmin"
-}
\ No newline at end of file
+}
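Review bot: `auto_stop_enabled = false` on `azurerm_kusto_cluster.cluster` opts the cluster out of the provider's automatic stop, so it keeps running (and billing) while idle; neither the hunk nor the commit message says why, and the diffstat shows the only deletion is the missing-newline fix, so the title's "remove deprecated field" does not describe what this patch does. A trailing comment on the new line, e.g. `auto_stop_enabled = false # keep the cluster reachable between e2e runs rather than letting Azure stop it when idle — TODO confirm`, would record the trade-off, and the commit message should state what was actually changed. If `engine = "V3"` on the line below is the deprecated field the title refers to, it is still present here.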
From b7efb8b755aa074b63334960d189f15e0dd88512 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Nov 2023 23:41:25 +0000
Subject: [PATCH 4/8] build(deps): bump actions/github-script from 6 to 7 (#132)
Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v6...v7)
---
updated-dependencies:
- dependency-name: actions/github-script
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pr-validation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index 63aac6c..f830c51 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
@@ -97,7 +97,7 @@ jobs:
 working-directory: terraform
 - name: Create the plan summary
- uses: actions/github-script@v6
+ uses: actions/github-script@v7
 if: always()
 id: summary
 env:
From 94e968371210af15ec1ab46937c3c2f67865fbee Mon Sep 17 00:00:00 2001
From: Geoffrey Israel
Date: Mon, 27 Nov 2023 23:10:39 +0100
Subject: [PATCH 5/8] add aws secret manager permission (#134)
* add aws secret manager permission
Signed-off-by: geoffrey1330
* add aws secret manager permission
Signed-off-by: geoffrey1330
---------
Signed-off-by: geoffrey1330
---
 terraform/modules/aws/iam/main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/modules/aws/iam/main.tf b/terraform/modules/aws/iam/main.tf
index 1a2e4bb..45f964c 100644
--- a/terraform/modules/aws/iam/main.tf
+++ b/terraform/modules/aws/iam/main.tf
@@ -142,6 +142,9 @@ resource "aws_iam_policy" "policy" {
 "dynamodb:ListGlobalTables",
 "cloudwatch:ListMetricStreams",
 "dynamodb:DescribeReservedCapacity",
+ "secretsmanager:CreateSecret",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DeleteSecret",
 "kinesis:UpdateShardCount"
 ],
 "Resource": "*"
From 297fdc8a40da8bece5bee06d4e2da423c250c5db Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Dec 2023 15:32:04 +0100
Subject: [PATCH 6/8] build(deps): bump google-github-actions/auth from 1 to 2 (#135)
Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 1 to 2.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](https://github.com/google-github-actions/auth/compare/v1...v2)
---
updated-dependencies:
- dependency-name: google-github-actions/auth
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/main.yaml | 2 +-
 .github/workflows/pr-validation.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 172a98d..d0fa1fd 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -46,7 +46,7 @@ jobs:
 aws-region: eu-west-2
 - name: Log into GCP using OIDC
- uses: google-github-actions/auth@v1
+ uses: google-github-actions/auth@v2
 with:
 workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
diff --git a/.github/workflows/pr-validation.yaml b/.github/workflows/pr-validation.yaml
index f830c51..1ddd8a7 100644
--- a/.github/workflows/pr-validation.yaml
+++ b/.github/workflows/pr-validation.yaml
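Review bot: The three `secretsmanager:` actions added in PATCH 5/8 land in a statement whose resource is `"*"` (the hunk's last line), so `secretsmanager:GetSecretValue` lets this role read every secret in the account and `secretsmanager:DeleteSecret` lets it delete any of them — far more than an e2e test needs, and much wider than the SQS statements in the same file, which are scoped to a queue-name prefix. Move the three actions into their own statement scoped to the secrets the tests create, with a `Sid` recording the intent, as in the excerpt below (the ARN pattern is a constructed example — substitute the prefix the tests actually use). The enclosing statement and the `policy` heredoc begin before and end after this hunk.
```json
{
  "Sid": "SecretsManagerForE2ETests",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:CreateSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DeleteSecret"
  ],
  "Resource": "arn:aws:secretsmanager:*:589761922677:secret:<TEST_SECRET_PREFIX>-*"
}
```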
@@ -48,7 +48,7 @@ jobs:
 aws-region: eu-west-2
 - name: Log into GCP using OIDC
- uses: google-github-actions/auth@v1
+ uses: google-github-actions/auth@v2
 with:
 workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
From 80fdbc56f81f12f00c5ab6d54d3a4687e7c3c8e1 Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Tue, 12 Dec 2023 23:08:21 +0100
Subject: [PATCH 7/8] Upgrade AKS Version
Signed-off-by: Jorge Turrado Ferrero
---
 terraform/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index 451d935..66b44a6 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -81,7 +81,7 @@ module "azuread_applications" {
 module "azure_aks_pr" {
 source = "./modules/azure/aks"
 resource_group_name = var.azure_resource_group_name
- kubernetes_version = "1.27"
+ kubernetes_version = "1.28"
 cluster_name = local.pr_cluster_name
 unique_project_name = var.unique_project_name
@@ -103,7 +103,7 @@ module "azure_aks_pr" {
 module "azure_aks_nightly" {
 source = "./modules/azure/aks"
 resource_group_name = var.azure_resource_group_name
- kubernetes_version = "1.27"
+ kubernetes_version = "1.28"
 cluster_name = local.main_cluster_name
 unique_project_name = var.unique_project_name
From 9c0175a22869569558d60eedcbcacaa8eb520dbf Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Thu, 28 Dec 2023 10:02:46 +0100
Subject: [PATCH 8/8] fix: SQS policy doesn't have a type (#136)
Signed-off-by: Jorge Turrado Ferrero
---
 terraform/modules/aws/iam/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/aws/iam/main.tf b/terraform/modules/aws/iam/main.tf
index 45f964c..dc23d5d 100644
--- a/terraform/modules/aws/iam/main.tf
+++ b/terraform/modules/aws/iam/main.tf
@@ -160,7 +160,7 @@ resource "aws_iam_policy" "policy" {
 "Effect": "Deny",
 "Action": "sqs:GetQueueAttributes",
 "Resource": [
- "arn:aws:sqs:*:589761922677:asume-role-queue-*"
+ "arn:aws:sqs:*:589761922677:assume-role-queue-*"
 ]
 },
 {
@@ -223,7 +223,7 @@ resource "aws_iam_policy" "workload_role_policy" {
 {
 "Effect": "Allow",
 "Action": "sqs:*",
- "Resource": "arn:aws:sqs:*:589761922677:asume-role-queue-*"
+ "Resource": "arn:aws:sqs:*:589761922677:assume-role-queue-*"
 }
 ]
 }
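Review bot: The corrected pattern `arn:aws:sqs:*:589761922677:assume-role-queue-*` is still written out twice, in the Deny of `aws_iam_policy.policy` and the Allow of `aws_iam_policy.workload_role_policy`, and this fix is exactly the kind of drift two hand-maintained copies invite; both heredocs can interpolate one shared value instead. Declare it once, e.g. `locals { assume_role_queue_arn_pattern = "arn:aws:sqs:*:589761922677:assume-role-queue-*" }`, and reference `"${local.assume_role_queue_arn_pattern}"` in both statements so the main role's Deny and the workload role's Allow cannot disagree again. The account id hard-coded in the pattern could come from a `data.aws_caller_identity` data source if the module already declares one — I cannot see the rest of the file from here. Both policy heredocs begin outside these hunks.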