From 17bcf72d57b68828afed57d09ec060cf35a961ce Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni
Date: Wed, 7 Jun 2023 12:14:41 -0700
Subject: [PATCH 01/25] chore: Update PR template to reflect blueprints v5 changes (#1641)
---
 .github/PULL_REQUEST_TEMPLATE.md | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index cab935af62..6d2434bbf4 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,33 +1,23 @@
-## :bangbang: PLEASE READ THIS FIRST :bangbang:
-
-The direction for EKS Blueprints will soon shift from providing an all-encompassing, monolithic "framework" and instead focus more on how users can organize a set of modular components to create the desired solution on Amazon EKS. We have updated the [examples](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/examples) to show how we use the https://github.com/terraform-aws-modules/terraform-aws-eks for EKS cluster and node group creation. We will not be accepting any PRs that apply to EKS cluster or node group creation process. Any such PR may be closed by the maintainers.
-
-We are hitting also the pause button on new add-on creations at this time until a future roadmap for add-ons is finalized. Please do not submit new add-on PRs. Any such PR may be closed by the maintainers.
-
-Please track progress, learn what's new and how the migration path would look like to upgrade your current Terraform deployments. We welcome the EKS Blueprints community to continue the discussion in issue https://github.com/aws-ia/terraform-aws-eks-blueprints/issues/1421
-
-### What does this PR do?
+# Description
+
+A brief description of the change being made with this pull request.
+-->
-### Motivation
+### Motivation and Context
 - Resolves #
-### More
+### How was this change tested?
 - [ ] Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
 - [ ] Yes, I have updated the [docs](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/docs) for this feature
 - [ ] Yes, I ran `pre-commit run -a` with this PR
-### For Moderators
-
-- [ ] E2E Test successfully complete before merge?
-
 ### Additional Notes
From a7ec6059b95ef4593a3a961ba8c216f841b06fee Mon Sep 17 00:00:00 2001
From: Sylvain Witmeyer
Date: Thu, 8 Jun 2023 09:20:14 -0400
Subject: [PATCH 02/25] fix: Correct `teams` patterns use of multi-team namespace creation (#1642)
---
 examples/multi-tenancy-with-teams/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/multi-tenancy-with-teams/main.tf b/examples/multi-tenancy-with-teams/main.tf
index 37bc47777f..fbc22b96f0 100644
--- a/examples/multi-tenancy-with-teams/main.tf
+++ b/examples/multi-tenancy-with-teams/main.tf
@@ -126,10 +126,10 @@ module "eks_blueprints_dev_teams" {
 }
 namespaces = {
- "blue-${each.key}" = {
+ "team-${each.key}" = {
 labels = {
- appName = "blue-team-app",
- projectName = "project-blue",
+ appName = "${each.key}-team-app",
+ projectName = "project-${each.key}",
 }
 resource_quota = {
From 8a11a5aa830d9a6dcb6d1026e28b1bd3c78e263e Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 22 Jun 2023 08:37:20 -0700
Subject: [PATCH 03/25] chore: Apply security best practices to GitHub actions (#1660)
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 6 ++
 .github/workflows/dependency-review.yml | 27 ++++++++
 .github/workflows/e2e-parallel-destroy.yml | 8 +++
 .github/workflows/e2e-parallel-full.yml | 18 +++++
 .github/workflows/markdown-link-check.yml | 8 +++
 .github/workflows/plan-examples.yml | 13 ++++
 .github/workflows/pr-title.yml | 11 ++++
 .github/workflows/pre-commit.yml | 15 +++++
 .github/workflows/publish-docs.yml | 8 +++
 .github/workflows/scorecards.yml | 76 ++++++++++++++++++++++
 .github/workflows/stale-issue-pr.yml | 8 +++
 11 files changed, 198 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/scorecards.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..253bcb76ba
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..ea4d0002ac
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml
index 529248aade..75a831f955 100644
--- a/.github/workflows/e2e-parallel-destroy.yml
+++ b/.github/workflows/e2e-parallel-destroy.yml
@@ -10,6 +10,9 @@ on:
 concurrency: e2e-parallel-destroy
+permissions:
+ contents: read
+
 jobs:
 deploy:
 name: Run e2e test
@@ -34,6 +37,11 @@ jobs:
 - example_path: examples/vpc-cni-custom-networking
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml
index e0d2fdb0af..e24308b4c9 100644
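Review bot: The harden-runner step added to e2e-parallel-destroy.yml references the mutable tag `step-security/harden-runner@v2`, whereas the new dependency-review.yml in this same commit pins the identical action to a commit, `uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1`; a tag can be re-pointed, so the step that is meant to watch every other step should be pinned the same way. The same `@v2` reference is added in e2e-parallel-full.yml, markdown-link-check.yml, plan-examples.yml, pr-title.yml, pre-commit.yml, publish-docs.yml and stale-issue-pr.yml, and the `actions/checkout@v3` lines in those files are in the same situation. The dependabot.yml added here covers `github-actions`, which keeps SHA pins and their version comments current, so pinning adds no maintenance burden. Separately, the checkout step in dependency-review.yml could carry `persist-credentials: false` as scorecards.yml in this commit does, since dependency-review-action only needs the checked-out tree.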
--- a/.github/workflows/e2e-parallel-full.yml
+++ b/.github/workflows/e2e-parallel-full.yml
@@ -14,6 +14,9 @@ env:
 IAMLIVE_VERSION: v0.48.0
 BUCKET_NAME: terraform-eks-blueprints-iam-policies-examples
+permissions:
+ contents: read
+
 jobs:
 prereq-cleanup:
 name: Prerequisite Cleanup
@@ -23,6 +26,11 @@ jobs:
 id-token: write
 contents: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
@@ -62,6 +70,11 @@ jobs:
 - example_path: examples/stateful
 - example_path: examples/vpc-cni-custom-networking
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
@@ -147,6 +160,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index ddaec1eb3b..7fc91bb630 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -13,10 +13,18 @@ on:
 paths:
 - "**/*.md"
+permissions:
+ contents: read
+
 jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
 with:
diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
index c28e77ca89..f6d5b1400a 100644
--- a/.github/workflows/plan-examples.yml
+++ b/.github/workflows/plan-examples.yml
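Review bot: `egress-policy: audit` only logs outbound connections, so for the prereq-cleanup job — whose context lines show `id-token: write`, i.e. it obtains cloud credentials through OIDC — the new step records but does not prevent unexpected egress from a step or dependency running with those credentials. Audit is the right starting point for collecting a baseline, but nothing in the commit records the intended follow-up; a comment on the step such as `# TODO: move to egress-policy: block with allowed-endpoints once the audit baseline is established` would keep it from being forgotten. The same applies to the other three harden-runner steps in this file and to the plan-examples.yml and e2e-parallel-destroy.yml jobs, which later in this series are shown calling configure-aws-credentials with `secrets.ROLE_TO_ASSUME`.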
@@ -11,6 +11,9 @@ concurrency:
 group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 getExampleDirectories:
 name: Get example directories
@@ -23,6 +26,11 @@ jobs:
 directories: ${{ steps.dirs.outputs.directories }}
 steps:
 # Be careful not to change this to explicit checkout from PR ref/code, as below we run a python code that may change from the PR code.
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
@@ -49,6 +57,11 @@ jobs:
 directory: ${{ fromJson(needs.getExampleDirectories.outputs.directories) }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Remove default Terraform
 run: rm -rf $(which terraform)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index b4b2c9b59c..6b763100b3 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -7,11 +7,22 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+
 jobs:
 main:
+ permissions:
+ pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+ statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: amannn/action-semantic-pull-request@v5.0.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 4e4ac382d1..3667801d8c 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -26,6 +26,11 @@ jobs:
 outputs:
 directories: ${{ steps.dirs.outputs.directories }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v3
@@ -41,6 +46,11 @@ jobs:
 matrix:
 directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Remove default Terraform
 run: rm -rf $(which terraform)
@@ -99,6 +109,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: collectInputs
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Remove default Terraform
 run: rm -rf $(which terraform)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 9a806ec576..3214b2eeaa 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -15,11 +15,19 @@ on:
 env:
 PYTHON_VERSION: 3.x
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Deploy docs
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout main
 uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000000..a9b168ae0a
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/stale-issue-pr.yml b/.github/workflows/stale-issue-pr.yml
index 035a69fb69..be3cdefb22 100644
--- a/.github/workflows/stale-issue-pr.yml
+++ b/.github/workflows/stale-issue-pr.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 stale:
 runs-on: ubuntu-latest
@@ -11,6 +14,11 @@ jobs:
 issues: write
 pull-requests: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: actions/stale@main
 id: stale
 with:
From 12d9d29570542691979dc9e176086553488ea459 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 22 Jun 2023 08:40:29 -0700
Subject: [PATCH 04/25] chore(deps): Bump ossf/scorecard-action from 2.0.6 to 2.1.3 (#1662)
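Review bot: The stale job still runs `uses: actions/stale@main` while this commit introduces SHA pinning elsewhere; `main` is a moving branch, and the job's context lines grant `issues: write` and `pull-requests: write`, so whatever lands on that branch runs here with write access to issues and pull requests. Pin it to a release commit in the style used by the new files, e.g. `uses: actions/stale@<release-commit-sha> # v<release>` (placeholder — take the SHA from the chosen release tag). The scorecards.yml added in this commit will report this under its Pinned-Dependencies check on its first run, so addressing it here avoids an immediate finding.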
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index a9b168ae0a..a5ccc909e7 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -41,7 +41,7 @@ jobs:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
 with:
 results_file: results.sarif
 results_format: sarif
From d6ae771fc389b6afb7d2cc05355e43e4bae61e6a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 22 Jun 2023 08:41:00 -0700
Subject: [PATCH 05/25] chore(deps): Bump actions/setup-python from 3 to 4 (#1661)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/publish-docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 3214b2eeaa..75282a4713 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -34,7 +34,7 @@ jobs:
 fetch-depth: 0
 - name: Set up Python ${{ env.PYTHON_VERSION }}
- uses: actions/setup-python@v3
+ uses: actions/setup-python@v4
 with:
 python-version: ${{ env.PYTHON_VERSION }}
From 4ac05ae863f6b356ac5c5558c2872cc257745874 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 22 Jun 2023 08:43:00 -0700
Subject: [PATCH 06/25] chore(deps): Bump aws-actions/configure-aws-credentials from 1.pre.node16 to 2.2.0 (#1663)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Apoorva Kulkarni
---
 .github/workflows/e2e-parallel-destroy.yml | 2 +-
 .github/workflows/e2e-parallel-full.yml | 6 +++---
 .github/workflows/plan-examples.yml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml
index 75a831f955..a09f422418 100644
--- a/.github/workflows/e2e-parallel-destroy.yml
+++ b/.github/workflows/e2e-parallel-destroy.yml
@@ -50,7 +50,7 @@ jobs:
 run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
 with:
 role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
 aws-region: us-west-2
diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml
index e24308b4c9..6aa007cf42 100644
--- a/.github/workflows/e2e-parallel-full.yml
+++ b/.github/workflows/e2e-parallel-full.yml
@@ -35,7 +35,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v2.2.0
 with:
 role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
 aws-region: us-west-2
@@ -83,7 +83,7 @@ jobs:
 run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 - name: Auth AWS
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
 with:
 role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
 aws-region: us-west-2
@@ -169,7 +169,7 @@ jobs:
 uses: actions/checkout@v3
 - name: Configure AWS credentials from Test account
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
 with:
 role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
 aws-region: us-west-2
diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
index f6d5b1400a..eb95350454 100644
--- a/.github/workflows/plan-examples.yml
+++ b/.github/workflows/plan-examples.yml
@@ -88,7 +88,7 @@ jobs:
 - '*.tf'
 - name: Configure AWS credentials from Test account
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v2.2.0
 if: steps.changes.outputs.src== 'true'
 with:
 role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
From af1673077dc00f9a3fc43bf0fe0637bc650299ff Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 22 Jun 2023 08:45:32 -0700
Subject: [PATCH 07/25] chore(deps): Bump actions/dependency-review-action from 2.5.1 to 3.0.6 (#1664)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Apoorva Kulkarni
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index ea4d0002ac..aa20c458b2 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -24,4 +24,4 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
+ uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
From cf810e996d221e03bebe000e8f82df1ed30bf531 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 22 Jun 2023 08:47:36 -0700
Subject: [PATCH 08/25] chore(deps): Bump clowdhaus/terraform-composite-actions from 1.8.0 to 1.8.3 (#1665)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Apoorva Kulkarni
---
 .github/workflows/pre-commit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 3667801d8c..1d342d1ce8 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Get root directories
 id: dirs
- uses: clowdhaus/terraform-composite-actions/directories@v1.8.0
+ uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
 preCommitMinVersions:
 name: Min TF pre-commit
From 66fdd04d2203d2af4de5f577cf52e9a93f1d2a5b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 23 Jun 2023 08:32:35 -0400
Subject: [PATCH 09/25] chore(deps): Bump amannn/action-semantic-pull-request from 5.0.2 to 5.2.0 (#1667)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pr-title.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 6b763100b3..04153efe94 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -23,7 +23,7 @@ jobs:
 with:
 egress-policy: audit
- - uses: amannn/action-semantic-pull-request@v5.0.2
+ - uses: amannn/action-semantic-pull-request@v5.2.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
From e7e4f6f241c340d35a523d17f8f73755a56a2f6e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 23 Jun 2023 08:32:45 -0400
Subject: [PATCH 10/25] chore(deps): Bump clowdhaus/terraform-min-max from 1.2.0 to 1.2.6 (#1666)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pre-commit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 1d342d1ce8..f12294408e 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -80,7 +80,7 @@ jobs:
 restore-keys: ${{ runner.os }}-terraform-
 - name: Terraform min/max versions
- uses: clowdhaus/terraform-min-max@v1.2.0
+ uses: clowdhaus/terraform-min-max@v1.2.6
 if: steps.changes.outputs.src== 'true'
 id: minMax
 with:
@@ -145,7 +145,7 @@ jobs:
 - name: Terraform min/max versions
 id: minMax
- uses: clowdhaus/terraform-min-max@v1.2.0
+ uses: clowdhaus/terraform-min-max@v1.2.6
 if: steps.changes.outputs.src== 'true'
 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
From d62559b3a62a7be5b26f16fe16e060f579b95e3a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Jun 2023 06:12:21 -0700
Subject: [PATCH 11/25] chore(deps): Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#1668)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index a5ccc909e7..be96ea3fa1 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -41,7 +41,7 @@ jobs:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+ uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
 with:
 results_file: results.sarif
 results_format: sarif
From a3138bd8ee2dba924e01a3fc265b84402a0246bc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Jul 2023 07:24:03 -0400
Subject: [PATCH 12/25] chore(deps): Bump github/codeql-action from 2.20.1 to 2.20.2 (#1674)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index be96ea3fa1..91bcfdf665 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2
 with:
 sarif_file: results.sarif
From 7c9665656c2bf58416478d2ed828fced7d687bf1 Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni
Date: Thu, 6 Jul 2023 16:10:47 -0700
Subject: [PATCH 13/25] fix: Remove broken link in fargate-serverless README (#1679)
---
 examples/fargate-serverless/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/fargate-serverless/README.md b/examples/fargate-serverless/README.md
index fa30269973..8507e04da2 100644
--- a/examples/fargate-serverless/README.md
+++ b/examples/fargate-serverless/README.md
@@ -8,7 +8,7 @@ This example solution provides:
 - AWS EKS Fargate Profiles for the `kube-system` namespace which is used by the `coredns`, `vpc-cni`, and `kube-proxy` addons, as well as profile that will match on `app-*` namespaces using a wildcard pattern.
 - AWS EKS managed addons `coredns`, `vpc-cni` and `kube-proxy`
 - AWS Load Balancer Controller add-on deployed through a Helm chart. The default AWS Load Balancer Controller add-on configuration is overridden so that it can be deployed on Fargate compute.
-- A [sample-app](./sample-app) is provided to demonstrates how to configure the Ingress so that application can be accessed over the internet.
+- A sample-app is provided (in-line) to demonstrate how to configure the Ingress so that application can be accessed over the internet.
 ## Prerequisites:
From 164bb84372b92a46862e2123af6252454f094d68 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 7 Jul 2023 08:41:20 -0400
Subject: [PATCH 14/25] chore(deps): Bump github/codeql-action from 2.20.2 to 2.20.3 (#1680)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 91bcfdf665..e67204c00c 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2
+ uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
 with:
 sarif_file: results.sarif
From 4d3ab8a1ad2b50fdf2253ec4924f721e84b6b9ef Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Jul 2023 08:00:45 -0400
Subject: [PATCH 15/25] chore(deps): Bump github/codeql-action from 2.20.3 to 2.20.4 (#1690)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index e67204c00c..4f2ef895d5 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
+ uses: github/codeql-action/upload-sarif@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
 with:
 sarif_file: results.sarif
From b9e8476e5856b0ed0b872c3f2764cbfb1a89c966 Mon Sep 17 00:00:00 2001
From: Cody Grant
Date: Wed, 19 Jul 2023 20:12:13 -0400
Subject: [PATCH 16/25] fix: Remove cluster security group from EniConfig for Custom Networking example (#1692)
---
 examples/vpc-cni-custom-networking/main.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/examples/vpc-cni-custom-networking/main.tf b/examples/vpc-cni-custom-networking/main.tf
index 07bc0e2c54..04b02d234a 100644
--- a/examples/vpc-cni-custom-networking/main.tf
+++ b/examples/vpc-cni-custom-networking/main.tf
@@ -127,7 +127,6 @@ resource "kubectl_manifest" "eni_config" {
 }
 spec = {
 securityGroups = [
- module.eks.cluster_primary_security_group_id,
 module.eks.node_security_group_id,
 ]
 subnet = each.value
From 967325426db472840fd0a59b34ad1f1fc2eb7901 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 20 Jul 2023 07:47:27 -0400
Subject: [PATCH 17/25] chore(deps): Bump github/codeql-action from 2.20.4 to 2.21.0 (#1693)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecards.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 4f2ef895d5..08ec5eea72 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
+ uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0
 with:
 sarif_file: results.sarif
From 45430f6436f6f4286f7a66967c536d19e5428855 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jul 2023 07:43:09 -0400
Subject: [PATCH 18/25] chore(deps): Bump clowdhaus/terraform-min-max from 1.2.6 to 1.2.7 (#1697)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/pre-commit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index f12294408e..834f6350ec 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -80,7 +80,7 @@ jobs:
 restore-keys: ${{ runner.os }}-terraform-
 - name: Terraform min/max versions
- uses: clowdhaus/terraform-min-max@v1.2.6
+ uses: clowdhaus/terraform-min-max@v1.2.7
 if: steps.changes.outputs.src== 'true'
 id: minMax
 with:
@@ -145,7 +145,7 @@ jobs:
 - name: Terraform min/max versions
 id: minMax
- uses: clowdhaus/terraform-min-max@v1.2.6
+ uses: clowdhaus/terraform-min-max@v1.2.7
 if: steps.changes.outputs.src== 'true'
 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
From 26c8624831b07181cac2e847f3ae024fc3c6d799 Mon Sep 17 00:00:00 2001
From: yukkes <44968006+yukkes@users.noreply.github.com>
Date: Mon, 24 Jul 2023 21:06:01 +0900
Subject: [PATCH 19/25] fix: Modify Fargate serverless example to wait for Fargate profiles to provision (#1696)
Co-authored-by: Bryant Biggs
---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 .github/workflows/dependency-review.yml | 2 +-
 .pre-commit-config.yaml | 2 +-
 examples/blue-green-upgrade/environment/versions.tf | 7 ++++---
 examples/fargate-serverless/README.md | 2 +-
 examples/fargate-serverless/main.tf | 3 +++
 6 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 6d2434bbf4..c35f235b2c 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,6 +1,6 @@
 # Description
-