v0.44.0

In v0.44.0, the Upjet version has been upgraded to v1.0.0. This upgrade, brings a change with how we interact with the underlying Terraform AWS provider. Instead of interfacing with TF CLI, the new implementation consumes the Terraform provider's Go provider schema and invokes the CRUD functions registered in that schema. All resources except the following 5 resources will be reconciled using the new architecture:

* `SecurityGroupIngressRule.ec2`
* `SecurityGroupEgressRule.ec2`
* `Environment.appconfig`
* `UserPoolClient.cognitoidp`
* `Domain.simpledb`

In this version, many performance improvements have been made with the introduction of the new architecture. Below is a reference results for 1K and 10K MR. These results are shared not to provide a Sizing Guide but as a reference to understand the improvements in performance metrics. Also, the experiment sets of tests are shared:

• Objective: 10K UserPolicyAttachment MRs

• Parallelization: 500 reconcile workers

• Poll period: 10min

• Node: m5.2xlarge (8vCPU, 32GiB RAM)

  Average TTR	Peak TTR	Average Memory	Peak Memory	Average CPU	Peak CPU
  4.40 secs	79 secs	775.41 MiB	1185.62 MiB	15.25%	20.90%

• Objective: 1K UserPolicyAttachment MRs

• Parallelization: 500 reconcile workers

• Poll period: 10min

• Node: m5.2xlarge (8vCPU, 32GiB RAM)

  Average TTR	Peak TTR	Average Memory	Peak Memory	Average CPU	Peak CPU
  4.15 secs	44 secs	630.39 MiB	948.35 MiB	9.06%	12.69%

Note

While there are no breaking changes in the APIs of the CRDs, we encourage users who may have made changes to the ControllerConfig to adjust previous values like max-reconcile-rate to undo these and work with the default settings of the provider. We will release a sizing and configuration guide in the near future to give guidance on how users might consider adjusting the default behavior.

What's Changed

• Fix MetricFilter.cloudwatchlogs external-name configuration by @ulucinar in #943
• Bump crossplane-runtime to v1.14.1 by @turkenf in #947
• add bucket id,arn and regio to writeConnectionSecretToRef by @ahmedali6 in #951
• Fix broken link for adding new resource by @turkenf in #962
• Update kubernetes patches to v0.28.4 by @renovate in #967
• Use Terraform Plugin SDK to Reconcile MRs by @ulucinar in #938

New Contributors

• @ahmedali6 made their first contribution in #951

Full Changelog: v0.43.1...v0.44.0

v0.43.1

This release updates Crossplane Runtime to v1.14.1 which includes a fix in the retry mechanism while persisting the critical annotations.

What's Changed

• [Backport release-0.43] Bump crossplane-runtime to v1.14.1 by @github-actions in #948

Full Changelog: v0.43.0...v0.43.1

v0.43.0

What's Changed

• Msk serverless cluster by @nalbury in #905
• Add "branch_name", "version" and "regorg" parameters to the "Publish Service Artifacts" workflow by @ulucinar in #925
• Update actions/checkout digest to b4ffde6 by @renovate in #926
• fix(iam-role): ignore managed_policy_arns in late init by @haarchri in #933
• Update kubernetes patches by @renovate in #659

New Contributors

• @nalbury made their first contribution in #905

Full Changelog: v0.42.0...v0.43.0

v0.42.0

What's Changed

Important

Provider version 0.40 introduced a regression (see #929) related to IAM roles and role policy attachments. The issue was fixed in provider version 0.43.0. If you haven't installed versions 0.40.0, 0.41.0 or 0.42.0 into your cluster, we recommend skipping those releases and upgrading directly to 0.43.0 when you choose to upgrade. If you have installed one of the affected releases, we recommend upgrading to an unaffected release (0.43+), and then you will need to unset the spec.forProvider.managedPolicyArns value from any Role.iam.aws.upbound.io managed resources that you want to be able to use RolePolicyAttachment resources to attach policies to.

• Resolve name collision between S3 and Lightsail in quickstart by @mergenci in #811
• Update alpine Docker tag to v3.18.4 by @renovate in #900
• Uptest family providers by @ulucinar in #903
• Fix trailing apostrophe breaking a hyperlink by @jastang in #897
• Bump uptest to v0.6.0 by @ulucinar in #913
• Bump uptest to v0.6.1 by @ulucinar in #914
• feat(ec2): add aws_vpc_security_group_ingress/egress_rule resource by @huynhsontung in #685
• Bump build submodule to 2672eeb by @jastang in #916
• Replace Go module dependency github.com/upbound/upjet with github.com/crossplane/upjet by @ulucinar in #919
• Sync UP_VERSION in Makefile by @jastang in #921
• Bump crossplane-runtime, upjet dependency to master and GMP promote to BETA by @turkenf in #918

New Contributors

• @mergenci made their first contribution in #811
• @huynhsontung made their first contribution in #685

Full Changelog: v0.41.0...v0.42.0

v0.41.0

What's Changed

Important

Provider version 0.40 introduced a regression (see #929) related to IAM roles and role policy attachments. The issue was fixed in provider version 0.43.0. If you haven't installed versions 0.40.0, 0.41.0 or 0.42.0 into your cluster, we recommend skipping those releases and upgrading directly to 0.43.0 when you choose to upgrade. If you have installed one of the affected releases, we recommend upgrading to an unaffected release (0.43+), and then you will need to unset the spec.forProvider.managedPolicyArns value from any Role.iam.aws.upbound.io managed resources that you want to be able to use RolePolicyAttachment resources to attach policies to.

• Update docker/setup-buildx-action digest to 885d146 by @renovate in #776
• Update alpine Docker tag to v3.18.3 by @renovate in #817
• Update actions/checkout digest to f43a0e5 by @renovate in #860
• Update kubernetes packages to v0.28.1 by @renovate in #832
• Update actions/setup-go digest to 93397be by @renovate in #818
• Update actions/checkout action to v4 by @renovate in #863
• Update actions/upload-artifact digest to a8a3f3a by @renovate in #867
• Update actions/cache digest to 704facf by @renovate in #869
• Update docker/setup-buildx-action action to v3 by @renovate in #872
• Update docker/setup-qemu-action action to v3 by @renovate in #873
• feat(meta.pkg): set to v1 by @haarchri in #882
• ignore cidr_block on lateinitialize to avoid conflicts when using ipam by @djeremiah in #883
• Request for REDSHIFT SERVERLESS resource by @svscheg in #802
• Add reference for Configuration to kafka cluster by @mbbush in #877
• Fix copy-paste errors in Configure comments by @mbbush in #878
• Update actions/checkout digest to 8ade135 by @renovate in #891
• Add option to skip region validation by @carpenterm in #814
• Adding aws_msk_scram_secret_association to v1beta1 by @mbbush in #836
• Add docs for family providers by @turkenf in #893
• Add ability to publish family provider docs for updoc workflow by @turkenf in #880
• Adding aws_batch_job_definition to v1beta1 version by @huffmanjohnf in #857
• Configure a default poll jitter for the controllers by @ulucinar in #896
• Regenerate batch.JobDefinition by @ulucinar in #899

New Contributors

• @mbbush made their first contribution in #877
• @huffmanjohnf made their first contribution in #857

Full Changelog: v0.40.0...v0.41.0

v.0.40.0

What's Changed

Important

Provider version 0.40 introduced a regression (see #929) related to IAM roles and role policy attachments. The issue was fixed in provider version 0.43.0. If you haven't installed versions 0.40.0, 0.41.0 or 0.42.0 into your cluster, we recommend skipping those releases and upgrading directly to 0.43.0 when you choose to upgrade. If you have installed one of the affected releases, we recommend upgrading to an unaffected release (0.43+), and then you will need to unset the spec.forProvider.managedPolicyArns value from any Role.iam.aws.upbound.io managed resources that you want to be able to use RolePolicyAttachment resources to attach policies to.

• Fix warning title for monolithic provider by @turkenf in #848
• Ability to define roles with inline policy in the iam.Role resource by @turkenf in #745
• Configure iam.RolePolicy resource and add example manifest by @turkenf in #770
• fix(lateinit): skip version_id for firehose deliverystream by @haarchri in #852

Full Changelog: v0.39.0...v0.40.0

v0.39.0

What's Changed

• Change spec.owner in catalog-info.yaml by @Piotr1215 in #822
• Configure and add example for PrincipalAssociation.ram and ResourceShareAccepter.ram by @turkenf in #819
• Add warning for monolithic provider to the docs by @turkenf in #824
• Inherit golangci-lint version from build submodule by @ytsarev in #829
• Add targetgroupArnRef by @mhoshi-vm in #831
• ci: scheduled trivy scan by @phisco in #608
• Bump Terraform CLI to v1.5.5 by @ulucinar in #837
• Bump upjet to commit bd528e443b6f by @ulucinar in #838
• Bump alpine base image to v3.18.3 by @ulucinar in #839
• Bump upjet to commit e620c6228964 by @ulucinar in #843
• Bump upjet to v0.10.0 by @ulucinar in #845

New Contributors

• @mhoshi-vm made their first contribution in #831

Full Changelog: v0.38.0...v0.39.0

v0.38.0

This release adds support for the spec.initProvider API and for the granular management policies alpha feature detailed here.

The generated example manifests from Terraform registry no longer contain the trailing YAML document separator (---).

The external client for Terraformed resources now explicitly requeue, up to 20 retries, a reconciliation request if a shared provider has expired. And only after 20 retries it propagates the error down to the managed reconciler. The ttl-expired error message has also been improved to hint at the --provider-ttl command-line option.

Also status updates and updates to certain annotations (crossplane.io/external-create-failed & crossplane.io/external-create-pending) no longer queue reconciliation requests, which decreases the resource utilization of upjet-based providers. This is especially important when errors happen during the external connecter's Create call, or in general, when an MR is failing to sync successfully.

Breaking API Changes

The API for the management policies alpha feature has a breaking change:

The old API of

spec:
  managmentPolicy: FullControl/ObserveOnly/OrphanOnDelete

is replaced by:

spec: 
  managementPolicies: ["*", "Observe", "Create", "Update", "LateInitialize", "Delete"]

After applying the updated provider, the spec.managementPolicy field will be removed automatically, and the spec.managementPolicies: ["*"] will be defaulted. This is equivalent to FullControl but for resources using ObserveOnly and OrphanOnDelete the it means that the behavior changes.

The suggested migration steps from spec.managementPolicy to spec.managementPolicies (if the alpha feature is being used) are:

• Pause your resources using non-default management policies before upgrading the provider version
• Noting down which ones those are (could be by adding labels managementPolicy: x )
• Upgrading the provider version
• Setting the desired management policies on the marked ones (those with label managementPolicy)

What's Changed

• Handle build environment variables for proxy access by @bobh66 in #755
• Update docker/setup-qemu-action action to v2 by @renovate in #633
• Update actions/checkout action to v3 by @renovate in #631
• Update actions/setup-go action to v4 by @renovate in #632
• Update docker/setup-buildx-action digest to 16c0bc4 by @renovate in #758
• Update alpine Docker tag to v3.18.2 by @renovate in #630
• CognitoIDP[UserPoolClient]: Avoid underlying provider validation failure by @ytsarev in #762
• feat(auth): disable configuring auth with Secrets by @miloszsobczak in #766
• Fix marketplace link in README.md by @jeanduplessis in #772
• Added queue url to the connection details. Added writeConnectionSecre… by @ItielOlenick in #769
• Update CODEOWNERS file by @turkenf in #777
• Issue 753: Fix examples/sfn/statemachine.yaml to work with Uptest by @svscheg in #764
• Fix issue 726: Missing selector in Broker resource for selecting security groups by @svscheg in #779
• Bugfix/Change not working link by @dverveiko in #788
• Adding backstage configuration file by @Piotr1215 in #781
• fix(efs): fixed kmsKeyId to use ARN instead of ID by @gadiener in #793
• fix(aws_cloudwatch_log_group): skip name_prefix lateinit by @haarchri in #797
• Fix issue716: AWS Cognito User Pool - Verification Message Template configuration conflicts by @svscheg in #790
• Add an event filter with the resource.DesiredStateChanged predicate to filter status updates out by @ulucinar in #789
• Support Granular management policies by @lsviben in #785
• Explicitly queue a reconcile request if a shared provider has expired by @ulucinar in #805
• Fix panic when using custom endpoints by @carpenterm in #804

New Contributors

• @bobh66 made their first contribution in #755
• @miloszsobczak made their first contribution in #766
• @ItielOlenick made their first contribution in #769
• @Piotr1215 made their first contribution in #781
• @gadiener made their first contribution in #793
• @lsviben made their first contribution in #785
• @carpenterm made their first contribution in #804

Full Changelog: v0.37.0...v0.38.0

v0.37.0

What's Changed

• Revert "Remove family label from the config provider for proper searc… by @jastang in #731
• Add dependency to Crossplane min version of v1.12.1-0 by @ulucinar in #733
• feat(dms): endpoint: service_access_role ref/selector by @haarchri in #735
• feat(datasync): add datasync with s3 by @haarchri in #738
• Provide up-to-date UPTEST_CLOUD_CREDENTIALS export examples by @ytsarev in #743
• RDS: Enhance documentation comments for engine and engineVersion by @ytsarev in #702
• Update LeaderElectionID for Scoped Providers by @stevendborrelli in #736
• Remove version input from publish-service-artifacts.yml by @turkenf in #746
• Enable route53_zone_association by @ytsarev in #463
• Fix conflicting parameters for ec2.Instance resource by @turkenf in #749
• fix(iam): Policy ID should contain path and the external-name derived from the ID should be the name part only by @portswigger-tim in #747
• fix(kms): Alias ID for tfstate should begin with "alias/" by @portswigger-tim in #744
• Remove duplicated references injector config by @dougsong in #729
• Fix ARN contruction for aws state machine by @filipkoravik in #751

New Contributors

• @portswigger-tim made their first contribution in #747
• @dougsong made their first contribution in #729
• @filipkoravik made their first contribution in #751

Full Changelog: v0.36.0...v0.37.0

v0.36.0

What's Changed

• Rename family parent package from provider-aws-config to provider-family-aws by @ulucinar in #701
• Remove .parameters.region references from external-name configuration template bodies by @turkenf in #704
• Do not override the config.Resource.References map for aws_elasticache_cluster by @ulucinar in #708
• Update token in native provider bump workflow by @turkenf in #713
• Bump native provider to version 4.67.0 by @upbound-bot in #714
• Remove SecurityGroup resource in rds group by @turkenf in #719
• feat(firehose): add hec_token as sensitive by @haarchri in #707
• fix(ec2): fix ipv6 field issues in ec2 group by @haarchri in #109
• Fix for the issue 574: rds: DBCluster writeConnectionSecret missing fields by @svscheg in #703
• rds.instance: add owner reference if the input secret is created by us by @muvaf in #650
• Add example to create cognito user pool with lambda triggers by @thekaleidoscope in #695
• fix 464 issue: acm:Certificate Late init fields should be skipped - cannot run refresh by @svscheg in #682
• Remove family label from the config provider for proper search indexing by @jastang in #728
• Fix for issue 505 by @svscheg in #690

New Contributors

• @upbound-bot made their first contribution in #714
• @thekaleidoscope made their first contribution in #695

Full Changelog: v0.35.0...v0.36.0