
Releases: crossplane-contrib/provider-upjet-aws

v0.38.0

01 Aug 17:52
55b0447

This release adds support for the spec.initProvider API and for the granular management policies alpha feature.

The generated example manifests from Terraform registry no longer contain the trailing YAML document separator (---).

The external client for Terraformed resources now explicitly requeues a reconciliation request, for up to 20 retries, if a shared provider has expired. Only after 20 retries does it propagate the error down to the managed reconciler. The ttl-expired error message has also been improved to hint at the --provider-ttl command-line option.

Also, status updates and updates to certain annotations (crossplane.io/external-create-failed & crossplane.io/external-create-pending) no longer queue reconciliation requests, which decreases the resource utilization of upjet-based providers. This is especially important when errors happen during the external connecter's Create call, or in general, when an MR is failing to sync successfully.

Breaking API Changes

The API for the management policies alpha feature has a breaking change:

The old API of

spec:
  managementPolicy: FullControl/ObserveOnly/OrphanOnDelete

is replaced by:

spec: 
  managementPolicies: ["*", "Observe", "Create", "Update", "LateInitialize", "Delete"]

After applying the updated provider, the spec.managementPolicy field will be removed automatically, and spec.managementPolicies will be defaulted to ["*"]. This is equivalent to FullControl, but for resources using ObserveOnly and OrphanOnDelete it means that the behavior changes.

The suggested migration steps from spec.managementPolicy to spec.managementPolicies (if the alpha feature is being used) are:

  • Pause your resources that use non-default management policies before upgrading the provider version
  • Note down which ones those are (for example, by adding a label managementPolicy: x)
  • Upgrade the provider version
  • Set the desired management policies on the marked ones (those with the label managementPolicy)
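
The migration steps above, sketched as an added example that is not part of the release notes or the provider's code: it builds the merge patches to apply before and after the upgrade from a list of managed resources. The mapping of old values to the new list form is an assumption taken from upstream Crossplane's documented equivalents, the function names and sample resources are constructed, and removing the pause annotation after setting the policy is implied rather than listed in the steps.

```python
import json

# Old spec.managementPolicy value -> equivalent spec.managementPolicies list.
# Assumption: equivalents as documented by upstream Crossplane, not by this page.
EQUIVALENT = {
    "FullControl": ["*"],
    "ObserveOnly": ["Observe"],
    "OrphanOnDelete": ["Observe", "Create", "Update", "LateInitialize"],
}
LABEL = "managementPolicy"      # label key suggested in the migration steps
PAUSE = "crossplane.io/paused"  # Crossplane's pause annotation

def pre_upgrade_patches(items):
    """First two steps: pause and label every MR with a non-default policy."""
    patches = {}
    for mr in items:
        policy = mr.get("spec", {}).get("managementPolicy", "FullControl")
        if policy not in EQUIVALENT:
            raise ValueError(f"unknown managementPolicy {policy!r}")
        if policy != "FullControl":
            patches[f'{mr["kind"]}/{mr["metadata"]["name"]}'] = {
                "metadata": {"annotations": {PAUSE: "true"},
                             "labels": {LABEL: policy}}}
    return patches

def post_upgrade_patches(items):
    """Last step: restore the intended policy on labelled MRs, then unpause."""
    patches = {}
    for mr in items:
        old = mr["metadata"].get("labels", {}).get(LABEL)
        if old is not None:
            # In a JSON merge patch, null removes the pause annotation.
            patches[f'{mr["kind"]}/{mr["metadata"]["name"]}'] = {
                "metadata": {"annotations": {PAUSE: None}},
                "spec": {"managementPolicies": EQUIVALENT[old]}}
    return patches

# Constructed sample, shaped like the items of `kubectl get managed -o json`.
SAMPLE = [
    {"kind": "Bucket", "metadata": {"name": "audit-logs"},
     "spec": {"managementPolicy": "ObserveOnly"}},
    {"kind": "VPC", "metadata": {"name": "shared"},
     "spec": {"managementPolicy": "OrphanOnDelete"}},
    {"kind": "Role", "metadata": {"name": "app"}, "spec": {}},
]

if __name__ == "__main__":
    print(json.dumps(pre_upgrade_patches(SAMPLE), indent=2))
```

Without the pause and label, an ObserveOnly resource would be defaulted to ["*"] by the upgrade and the provider would start reconciling it with full control.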

What's Changed

  • Handle build environment variables for proxy access by @bobh66 in #755
  • Update docker/setup-qemu-action action to v2 by @renovate in #633
  • Update actions/checkout action to v3 by @renovate in #631
  • Update actions/setup-go action to v4 by @renovate in #632
  • Update docker/setup-buildx-action digest to 16c0bc4 by @renovate in #758
  • Update alpine Docker tag to v3.18.2 by @renovate in #630
  • CognitoIDP[UserPoolClient]: Avoid underlying provider validation failure by @ytsarev in #762
  • feat(auth): disable configuring auth with Secrets by @miloszsobczak in #766
  • Fix marketplace link in README.md by @jeanduplessis in #772
  • Added queue url to the connection details. Added writeConnectionSecre… by @ItielOlenick in #769
  • Update CODEOWNERS file by @turkenf in #777
  • Issue 753: Fix examples/sfn/statemachine.yaml to work with Uptest by @svscheg in #764
  • Fix issue 726: Missing selector in Broker resource for selecting security groups by @svscheg in #779
  • Bugfix/Change not working link by @dverveiko in #788
  • Adding backstage configuration file by @Piotr1215 in #781
  • fix(efs): fixed kmsKeyId to use ARN instead of ID by @gadiener in #793
  • fix(aws_cloudwatch_log_group): skip name_prefix lateinit by @haarchri in #797
  • Fix issue716: AWS Cognito User Pool - Verification Message Template configuration conflicts by @svscheg in #790
  • Add an event filter with the resource.DesiredStateChanged predicate to filter status updates out by @ulucinar in #789
  • Support Granular management policies by @lsviben in #785
  • Explicitly queue a reconcile request if a shared provider has expired by @ulucinar in #805
  • Fix panic when using custom endpoints by @carpenterm in #804


Full Changelog: v0.37.0...v0.38.0

v0.37.0

28 Jun 10:11
8543c7a

What's Changed

  • Revert "Remove family label from the config provider for proper searc… by @jastang in #731
  • Add dependency to Crossplane min version of v1.12.1-0 by @ulucinar in #733
  • feat(dms): endpoint: service_access_role ref/selector by @haarchri in #735
  • feat(datasync): add datasync with s3 by @haarchri in #738
  • Provide up-to-date UPTEST_CLOUD_CREDENTIALS export examples by @ytsarev in #743
  • RDS: Enhance documentation comments for engine and engineVersion by @ytsarev in #702
  • Update LeaderElectionID for Scoped Providers by @stevendborrelli in #736
  • Remove version input from publish-service-artifacts.yml by @turkenf in #746
  • Enable route53_zone_association by @ytsarev in #463
  • Fix conflicting parameters for ec2.Instance resource by @turkenf in #749
  • fix(iam): Policy ID should contain path and the external-name derived from the ID should be the name part only by @portswigger-tim in #747
  • fix(kms): Alias ID for tfstate should begin with "alias/" by @portswigger-tim in #744
  • Remove duplicated references injector config by @dougsong in #729
  • Fix ARN construction for aws state machine by @filipkoravik in #751


Full Changelog: v0.36.0...v0.37.0

v0.36.0

13 Jun 13:58
c0ff895

What's Changed

  • Rename family parent package from provider-aws-config to provider-family-aws by @ulucinar in #701
  • Remove .parameters.region references from external-name configuration template bodies by @turkenf in #704
  • Do not override the config.Resource.References map for aws_elasticache_cluster by @ulucinar in #708
  • Update token in native provider bump workflow by @turkenf in #713
  • Bump native provider to version 4.67.0 by @upbound-bot in #714
  • Remove SecurityGroup resource in rds group by @turkenf in #719
  • feat(firehose): add hec_token as sensitive by @haarchri in #707
  • fix(ec2): fix ipv6 field issues in ec2 group by @haarchri in #109
  • Fix for the issue 574: rds: DBCluster writeConnectionSecret missing fields by @svscheg in #703
  • rds.instance: add owner reference if the input secret is created by us by @muvaf in #650
  • Add example to create cognito user pool with lambda triggers by @thekaleidoscope in #695
  • fix 464 issue: acm:Certificate Late init fields should be skipped - cannot run refresh by @svscheg in #682
  • Remove family label from the config provider for proper search indexing by @jastang in #728
  • Fix for issue 505 by @svscheg in #690


Full Changelog: v0.35.0...v0.36.0

v0.35.0

15 May 17:01
6075cae

What's Changed

  • fix(networkfirewall): fixed import for networkfirewall resources by @haarchri in #661
  • Add caller workflow for publishing service artifacts by @turkenf in #681
  • Break provider-aws up by service by @ulucinar in #680
  • Use monolith for local run by @turkenf in #687
  • Bump Terraform provider version to v4.66.0 by @turkenf in #697
  • make localstack possible by @alexinthesky in #447
  • Call up xpkg batch to batch-process the smaller provider packages in the build pipelines by @ulucinar in #699

Full Changelog: v0.34.0...v0.35.0

v0.34.0

27 Apr 15:26
e62e471

Full Changelog: v0.33.0...v0.34.0

v0.33.0

17 Apr 10:55
1faeb9c

What's Changed

  • Add sizing and monitoring guide references by @sergenyalcin in #639
  • Configure plural names for resources whose kind names end with "fleet" by @ulucinar in #648
  • fix(launchTemplate): fixed kmsKeyId to use ARN by @haarchri in #642
  • fix(ec2_tag): fix identifier and key, separated by a comma not an underscore by @haarchri in #640
  • fix(iam): added username and password for iam accesskey connection-secret by @haarchri in #644
  • feat(memorydb): add connectiondetails for cluster by @haarchri in #645
  • fix for conflicting glue job fields by @stevendborrelli in #655
  • feat(networkfirewall): added loggingconfiguration for networkfirewall by @haarchri in #641
  • fix(lateinit): aws_lb_target_group target_failover by @haarchri in #665
  • refactor(config): switched elasticloadbalancing to elbv2 folder by @haarchri in #666
  • fix(ram): skip reference/selector for resource_arn for aws_ram_resource_association by @haarchri in #667
  • feat(ec2): prefix list references in aws_route and aws_security_group_rule by @duizabojul in #606
  • fix(ecs-service): #624 fix description of ecs service cluster field by @haarchri in #643
  • update the externalname configuration for aws_lambda_alias to reflect… by @djeremiah in #654

Full Changelog: v0.32.1...v0.33.0

v0.32.1

03 Apr 21:38
d126588

This is a bugfix release addressing #646. Please install or upgrade to v0.32.1 instead of v0.32.0 as v0.32.0 introduces some undesired breaking changes caused by kubernetes-sigs/controller-tools#660. Some more details can be found in #646.

What's Changed

  • [Backport release-0.32] Configure plural names for resources whose kind names end with "fleet" by @github-actions in #649

Full Changelog: v0.32.0...v0.32.1

v0.32.0

31 Mar 17:35
5871b1e

Please install or upgrade to v0.32.1 instead of v0.32.0 as v0.32.0 introduces some undesired breaking changes caused by kubernetes-sigs/controller-tools#660. Some more details can be found in #646.

NOTE: We have removed the package xpkg.upbound.io/upbound/provider-aws:v0.32.0 from the Upbound marketplace registry in favor of the v0.32.1 package.

What's Changed

  • Remove old CI workflow and reuse new one by @turkenf in #589
  • Remove old workflows and reuse new ones: Backport, Comment Commands and Tag by @turkenf in #594
  • Configure and add example for ResourceAssociation resource by @turkenf in #617
  • Move authentication down to Terraform by @sergenyalcin in #616
  • Consume upjet ProviderScheduler by @ulucinar in #627
  • Add caller workflow for publishing docs by @turkenf in #623
  • Pin dependencies by @renovate in #582
  • Update module github.com/crossplane/crossplane-runtime to v0.19.2 [SECURITY] by @renovate in #600
  • Update module golang.org/x/net to v0.7.0 [SECURITY] by @renovate in #580
  • Update kubernetes patches by @renovate in #583
  • Remove workflow update by @dverveiko in #609
  • Change comment for the eks: NodeGroup subnetIds field by @svscheg in #598
  • Explicitly configure transit_gateway_route_table_id cross-referencefo… by @djeremiah in #619
  • Run make reviewable and fix linting issues by @jeanduplessis in #634
  • rds.instance: add ability to auto-generate password in referenced secret by @muvaf in #628
  • Moving directory_service(1), dms(1), dynamodb(1), efs(1), emrserverless(1) resources to v1beta1 version by @anastasiia-kvas in #560
  • fix(aws_eks_addon): addon name should be in spec instead of using resource name by @duizabojul in #604


Full Changelog: v0.31.0...v0.32.0

v0.31.0

09 Mar 12:59
025f49b

In addition to the various bug fixes and some new resource configurations, with the v0.31.0 release, upbound/provider-aws now exposes the following Prometheus metrics from the upjet runtime:

  • upjet_terraform_cli_duration: This is a histogram metric and reports statistics, in seconds, on how long it takes a Terraform CLI invocation to complete.
  • upjet_terraform_active_cli_invocations: This is a gauge metric and it's the number of active (running) Terraform CLI invocations.
  • upjet_terraform_running_processes: This is a gauge metric and it's the number of running Terraform CLI and Terraform provider processes.
  • upjet_resource_ttr: This is a histogram metric and it measures, in seconds, the time-to-readiness for managed resources. Time-to-readiness (TTR for short) is defined for managed resources with the Ready=True status condition and is defined as the time between the MR's metadata.creationTimestamp and the time it acquires the Ready=True condition.

A detailed account of the available custom Prometheus metrics together with examples showing them in action can be found in crossplane/upjet#170.

We also bump the underlying Terraform provider version to v4.56.0 with this release.

The provider's package is available as xpkg.upbound.io/upbound/provider-aws:v0.31.0, and please don't forget to check the provider's Upbound Marketplace documentation.

What's Changed

  • Add native provider version bump workflow by @ulucinar in #527
  • Moving grafana(1), inspector2(1), ivs(2), ssm(2), transcribe(3), transfer(1), vpc_network(1) resources to v1beta1 version by @steperchuk in #556
  • Adding aws_ec2_instance_state, aws_ec2_network_insights_analysis, aws_ec2_transit_gateway_policy_table, aws_evidently_feature, aws_evidently_project, aws_evidently_segment, aws_fis_experiment_template, aws_glue_schema to v1beta1 version by @mykolalosev in #558
  • Configure elasticsearch(2) group examples by @turkenf in #539
  • add more fields to connection details by @alexinthesky in #530
  • ci: configure renovate by @phisco in #462
  • Add OWNERS.md and CODEOWNERS by @turkenf in #586
  • feat(ec2): add aws_ec2_tag resource by @haarchri in #591
  • Default STS region to global for WebIdentity by @hasheddan in #593
  • Bump Terraform provider version to v4.56.0 by @dverveiko in #577
  • fix(late-init): #531 ignore encryption_mode by @haarchri in #592
  • S3: BucketACL: Enable canned ACL support by @ytsarev in #595
  • Consume upjet with custom metrics by @ulucinar in #597
  • Add Prometheus metrics to the upjet runtime by @ulucinar in crossplane/upjet#170


Full Changelog: v0.30.0...v0.31.0

v0.30.0

22 Feb 11:27
09ce030

What's Changed

  • Add configurations of accessanalyzer (1), acmpca (2), appconfig (2), applicationinsights (1), apprunner (2), appsync (1), auditmanager (5), ce (3), cloudfront (1), cloudwatch (1), codepipeline (1), cognito (1), comprehend (2), connect (4), controltower (1) groups by @dverveiko in #482
  • Add configurations of datasync (1), directory_service (4), dms (1), dx (1), dynamodb (1), ec2 (4), efs (1), emrserverless (1), evidently (3), fis (1), fix (1), glue (1), grafana (1), identitystore (3), inspector2 (3), ivs (3) groups by @dverveiko in #485
  • Add configuration of ivschat (2), kendra (6), kms (1), lakeformation (2), lightsail (14), location (5) groups by @dverveiko in #487
  • Moving ce(1), cloudfront(1) resources to v1beta1 version by @MyzaTaras in #506
  • Moving location(5) resources to v1beta1 version by @MyzaTaras in #502
  • Moving transfer(2) resources to v1beta1 version by @MyzaTaras in #488
  • Adding aws_accessanalyzer_archive_rule, aws_acmpca_permission, aws_acmpca_policy, aws_appconfig_extension, aws_appconfig_extension_association, aws_applicationinsights_application, aws_apprunner_observability_configuration resources to v1beta1 version by @mykolalosev in #513
  • Configure ssoadmin group examples by @turkenf in #514
  • Add configuration of macie2 (1), medialive (5), msk (1), neptune (1), networkfirewall (1), networkmanager (7), opensearch (2), rds (2), redshift (15) groups by @dverveiko in #516
  • Security Group Selector for Lambda by @nagavijayan-nagarathinam in #500
  • Adding aws_codepipeline_custom_action_type, aws_cognito_risk_configuration, aws_connect_instance_storage_config, aws_connect_phone_number, aws_connect_user, aws_connect_vocabulary resources to v1beta1 version by @mykolalosev in #526
  • Adding aws_directory_service_conditional_forwarder to v1beta1 version by @mykolalosev in #433
  • Moving lightsail resources to v1beta1 version by @MyzaTaras in #529
  • Add configuration of resourceexplorer2 (2), rolesanywhere (2), route53 (1), rum (2), s3 (1), sagemaker (2), scheduler (2), schemas (1), sesv2 (7), sqs (2), ssm (2), ssoadmin (3), transcribe (4), transfer (1), vpc_network (1) groups by @dverveiko in #528
  • Moving redshift(4) resources to v1beta1 version by @MyzaTaras in #532
  • Moving sesv2(6) resources to v1beta1 version by @MyzaTaras in #542
  • Moving rolesanywhere(1), rum(2), s3(1), sagemaker(2), scheduler(2), sqs(2) resources to v1beta1 version by @steperchuk in #546
  • Moving networkfirewall(1), networkmanager(4) resources to v1beta1 version by @anastasiia-kvas in #544
  • Moving imagebuilder(1), route53(1), elasticbeanstalk(1) resources to … by @MyzaTaras in #552
  • Moving kendra(5) resources to v1beta1 version by @anastasiia-kvas in #523
  • Adding aws_medialive_channel, aws_medialive_input, aws_medialive_input_security_group, aws_medialive_multiplex, aws_neptune_global_cluster to v1beta1 version by @mykolalosev in #550


Full Changelog: v0.29.0...v0.30.0