v2.0.0

🚀 Forge Release Notes

🔥 Breaking Changes

⬆️ Minimum OpenTofu Version: 1.11.0

Forge now requires OpenTofu 1.11.0 or higher.
Users must upgrade local and CI tooling to ensure compatibility.

🔐 Secrets Manager Fully Replaced with SSM Parameter Store

All secret management has been migrated from AWS Secrets Manager to AWS SSM Parameter Store, affecting:

• Lambda environment variable sources
• Variable declarations
• Secret retrieval logic
• Runtime integrations

---

✨ New Features

📊 Observability & Dashboards

• Added a new SQS performance dashboard.
• Added new Splunk O11y dashboards.
• Added a new general-purpose dashboard for extended visibility.

🔐 Parameter Management

• Added code to create SSM parameters to support the new secret management strategy.
• Added more detailed logs across Lambda functions.
• Added exception handling to Lambdas to improve resilience.

🖥️ Placement Groups

• Added support for EC2 Placement Groups to improve workload performance and affinity.

---

🛠️ Refactors

🏗️ Resource & Variable Updates

• Moved the redrive deadletter function to a more appropriate location.
• Migrated Kubernetes resources to v1 API versions.
• Refactored and streamlined Forge variables.

🔐 Secret Migration (SM → SSM)

• Replaced remaining usage of Secrets Manager with SSM.
• Core migration is in PR #243
• Additional updates in PRs #243 and #244

---

🐛 Fixes

🌐 Infrastructure Stability

• Prevented removal of public access block in AWS configurations.
• Fixed trust validator submodule reference.
• Upgraded kubernetes_config_map provider usage.
• Removed Helm chart provider and replaced it with a safer null_resource implementation.
• Added missing context when running Helm and kubectl.
• Fixed namespace creation for Karpenter.
• Encoded the first dummy secret to avoid parsing errors.
• Ensured Helm and kubectl are executed using the bash interpreter.

---

📚 Documentation

• Updated Terraform docs.
• Updated documentation for new tenant setup.
• Fixed examples across multiple documentation files.

---

Full Changelog: v1.10.4...v2.0.0

v1.10.4

What's Changed

• feat: add extra submodule for ec2_deployment by @edersonbrilhante in #216
• docs: update terraform docs by @edersonbrilhante in #217
• chore: merge renovate updates by @edersonbrilhante in #218
• fix: use retry and backoff to update assume policy by @edersonbrilhante in #219

Full Changelog: v1.10.3...v1.10.4

v1.10.3

What's Changed

• fix: fix regression bug in handler_per_service.py by @edersonbrilhante in #207
• chore: merge renovate updates by @edersonbrilhante in #204
• feat: add splunk o11y dashboards by @edersonbrilhante in #206
• fix: fix regexManagers by @edersonbrilhante in #209
• chore: update terraform modules by @edersonbrilhante in #210
• fix: add restricted_suggestions in variables by @edersonbrilhante in #211
• feat: add lambda submodule to validate trust relationship by @edersonbrilhante in #212
• fix: add missing property in dynamic_variables by @edersonbrilhante in #213
• feat: add support to validate if tenant role allows session tag by @edersonbrilhante in #214
• feat: add field extraction to all extra lambdas by @edersonbrilhante in #215

Full Changelog: v1.10.2...v1.10.3

v1.10.2

What's Changed

• fix: update lambda from terraform-aws-github-runner by @edersonbrilhante in #195
• ci: fix renovatebot config by @edersonbrilhante in #196
• chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #194
• chore(deps): update infrastructure dependencies to latest versions by @edersonbrilhante in #197
• ci: add new rules in renovate config by @edersonbrilhante in #198
• fix(splunk_cloud_data_manager): fix payload for cwl-vpc-flow-logs by @edersonbrilhante in #199
• chore: update deps by @edersonbrilhante in #200
• fix: use depends on to wait secrets creation by @edersonbrilhante in #201
• docs: remove unused config from example by @edersonbrilhante in #202
• fix: refactor script to update GitHub app webhook by @edersonbrilhante in #203

Full Changelog: v1.10.1...v1.10.2

v1.10.1

What's Changed

• chore: update components by @edersonbrilhante in #190
• feat: update calico and karpenter to support eks 1.34 (requires cluster reinstall) by @edersonbrilhante in #191
• update(deps): update deps in modules by @edersonbrilhante in #192

Full Changelog: v1.10.0...v1.10.1

v1.10.0

What's Changed

• chore(deps): bump docker/metadata-action from 5.8.0 to 5.9.0 by @dependabot[bot] in #184
• feat: add module to send GitHub job logs from S3 to Splunk by @edersonbrilhante in #185
• feat: add new transform and field extraction for runner logs by @edersonbrilhante in #186
• docs: update terraform docs by @edersonbrilhante in #187
• refactor: make 1 teleport role per cluster by @edersonbrilhante in #188
• fix(splunk-conf): remove acl for sourcetype by @edersonbrilhante in #189

Full Changelog: v1.9.0...v1.10.0

v1.9.0

What's Changed

• fix: fix relative path in migrate-all-tenants.sh by @edersonbrilhante in #172
• fix: use terragrunt render to get inputs for migrate-tenant.sh by @edersonbrilhante in #173
• fix: add missing --working-dir by @edersonbrilhante in #174
• fix(eks): remove depends_on block to prevent issues when scaling up and down by @edersonbrilhante in #175
• fix: fix eks module for scale up/down by @edersonbrilhante in #176
• feat: upgrade github arc to 0.13.0 by @edersonbrilhante in #165
• feat: add module github_webhook_relay_destination_receivers by @edersonbrilhante in #178
• fix: make sure the arc deployment is deleted in blue and green cluster by @edersonbrilhante in #179
• refactor!(forge): create submodule for github features by @edersonbrilhante in #180
• fix: fix bug eks node lose policy in scale up and down by @edersonbrilhante in #181
• fix: run aws cli after send event json to logs by @edersonbrilhante in #177
• fix(runner): enforce instance profile usage and disable shared AWS creds by @edersonbrilhante in #182
• fix: replace hardcoded role for super admin in eks cluster for variable by @edersonbrilhante in #183

Full Changelog: v1.8.2...v1.9.0

v1.8.2

What's Changed

• fix: use Lambda Layers Instead of Including requirements.txt in Lambdas for AWS Billing by @edersonbrilhante in #162
• feat: add submodule to save github job logs into tenant bucket by @edersonbrilhante in #164
• fix: use prefix in policy name by @edersonbrilhante in #166
• refactor: change outputs to be more cleaner by @edersonbrilhante in #168
• fix: fix dependency in reader_profile by @edersonbrilhante in #169
• fix: add missing tags in modules by @edersonbrilhante in #170
• fix: add lambda permission in webhook relay destination by @edersonbrilhante in #171

Full Changelog: v1.8.1...v1.8.2

v1.8.1

What's Changed

• fix: use lambda arn instead of name by @edersonbrilhante in #160

Full Changelog: v1.8.0...v1.8.1

v1.8.0

What's Changed

• fix: use shorter name for aws_cloudwatch_log_delivery_source by @edersonbrilhante in #151
• feat: update module terraform-aws-github-runner to v6.7.8 by @edersonbrilhante in #150
• docs: update tenant template by @edersonbrilhante in #154
• feat: add event bus rule to update ec2 tags with more job info by @edersonbrilhante in #153
• chore(deps): bump docker/login-action from 3.5.0 to 3.6.0 by @dependabot[bot] in #152
• deprecated: remove old comments and remove binary syncer by @edersonbrilhante in #156
• fix: fix lambda upgrade all the time by @edersonbrilhante in #157
• feat: migrate aws billing lambdas to use external packaging by @edersonbrilhante in #158
• fix: remove wide permission to send logs from lambdas by @edersonbrilhante in #159

Full Changelog: v1.7.0...v1.8.0