CHANGELOG.md

Changelog

3.18.3 (2024-08-27)

Bug Fixes

  • wrong import in Cognito Email Sender lambda function (#786) (f1cfae9)

3.18.2 (2024-08-22)

Bug Fixes

  • add api missing variables (zitadel domain and app key) (#781) (0d92933)
  • attach permission to retrieve secrets to API ECS task (#783) (b2d73f8)
  • permission to use DynamoDB was not properly set in the ECS task configuration (#784) (ee6c425)
  • permission to use KMS was not properly set in the ECS task configuration (#785) (6101829)

3.18.1 (2024-08-13)

Bug Fixes

  • Attach files from fileInputs in a dynamicRow (#776) (b8084a8)

3.18.0 (2024-08-12)

Features

Bug Fixes

Miscellaneous Chores

  • add alarms for all IdP LB target groups (#773) (cb8768c)
  • add AWS CLI prerequisite to README.md (#775) (0001d46)
  • prepare zitadel variables for production deployment (#774) (1607916)
  • update IdP DMARC security email (#769) (4a7e047)

3.17.0 (2024-08-08)

Features

Bug Fixes

Miscellaneous Chores

  • add OpenAPI doc route to WAF (#761) (010fcec)
  • added rds_connector_db_password variable to RDS terragrunt.hcl file (#757) (2173fca)
  • remove completed import blocks (#755) (2170624)
  • rename ECS API task from form-api to forms-api (#766) (391ff5e)
  • synced file(s) with cds-snc/site-reliability-engineering (#752) (67e6358)
  • upgrade to Release Please v4 (#765) (ae1920e)

3.16.0 (2024-07-29)

Features

Bug Fixes

3.15.0 (2024-07-23)

Features

  • add API ECS service to the Forms cluster (#734) (62d1753)

Bug Fixes

  • block invalid host requests to the IdP (#732) (7ad863d)
  • convert LB security rules to standalone (#740) (443fe06)
  • terraform script for athena-dynamodb (#738) (0d16981)
  • Use a custom policy for the dynamodb-lambda connector (allows access to AuditLog only) (#731) (089f27d)

Miscellaneous Chores

  • upgrade to latest Terraform and Terragrunt (#735) (c21f697)
  • upgrade to latest Terraform AWS provider (#739) (981e82f)

3.14.1 (2024-07-18)

Bug Fixes

  • alarm module apply when idp not enabled (#728) (e48896e)
  • response archiver lambda will ignore confirmation code entries in the DynamoDB Vault table when scanning for items (#730) (dbd7242)

3.14.0 (2024-07-16)

Features

  • add IdP CloudWatch alarms (#720) (f2696eb)
  • Enable Amazon Athena to communicate with DynamoDB (#723) (188824d)

Bug Fixes

  • Change the Archive Index key projection back to All (#727) (4cdccf5)
  • Updates global indexes to only project needed keys (#725) (78ef137)

Miscellaneous Chores

  • deps: update all non-major github action dependencies (#721) (aa42dae)
  • switch from using GSIs to Scan operations for both the response archiver and the nagware lambda functions (#726) (c09caba)
  • synced file(s) with cds-snc/site-reliability-engineering (#722) (605faef)

3.13.0 (2024-07-05)

Features

  • increase the number of form viewer tasks in prod (#717) (0a252de)

Bug Fixes

3.12.0 (2024-07-04)

Features

  • add IdP Staging Terraform plan/apply steps (#714) (c3f3958)
  • add module for Zitadel IdP infrastructure (#708) (c6835b2)
  • add SPF, DKIM and DMARC DNS records (#716) (e6b9641)
  • send IdP emails using SES SMTP server (#715) (f1150e7)

Bug Fixes

Miscellaneous Chores

  • synced file(s) with cds-snc/site-reliability-engineering (#707) (324cea1)

3.11.1 (2024-06-27)

Bug Fixes

  • ECS task definition constant change on TF plan (#709) (20e0a2e)

3.11.0 (2024-06-24)

Features

  • add CloudWatch Lambda function invocation alarms (#706) (24a6cd6)
  • health check alarm for submission lambda invocations (#703) (4795366)

Bug Fixes

  • switch dashboard to log insight graphs (#702) (5d741df)

Miscellaneous Chores

  • deps: update actions/checkout action to v4.1.7 (#705) (77f33c4)
  • solidify lambda functions matrix definition using a configuration file where we list functions that need to be deployed in production (#699) (4ea0a7f)
  • synced file(s) with cds-snc/site-reliability-engineering (#693) (7f26d0e)

3.10.2 (2024-06-18)

Bug Fixes

Miscellaneous Chores

  • remove forms-terraform-apply-release OIDC role (#696) (69bb7e1)

3.10.1 (2024-06-18)

Bug Fixes

3.10.0 (2024-06-17)

Features

  • add CloudWatch metrics for Lambda behaviour (#683) (489db64)
  • add form submission health check metrics (#681) (182e920)
  • add health dashboard sections (#692) (142e41d)
  • add system health dashboard (#688) (74b810f)
  • add workflow to catch release of reverted tags (#684) (bde87ea)
  • connects new healthchecks logs from web app in GC Forms healthcheck dashboard (#689) (f908efd)
  • simplify production release reverts (#678) (f8af121)

Bug Fixes

  • Athena load balancer create table query (#679) (140a250)
  • checkout code for update lambda workflow step (#685) (944fdf8)
  • healthchecks dashboard layout is broken (#690) (e45dff3)

Miscellaneous Chores

  • deps: update actions/checkout action to v4 (#686) (a3bdd69)
  • deps: update actions/github-script action to v7 (#687) (a7f1bc4)
  • deps: update all non-major docker images (#636) (2ac8525)
  • deps: update all non-major github action dependencies (#549) (554e8b6)
  • deps: update localstack/localstack docker digest to c7a01ee (#691) (2f73044)
  • synced file(s) with cds-snc/site-reliability-engineering (#665) (a671f77)
  • update codeowners to protect version.txt (#682) (7098c54)

3.9.4 (2024-06-04)

Bug Fixes

  • remove use of always() in the TF apply jobs (#672) (01d12fa)

3.9.3 (2024-06-03)

Bug Fixes

  • remove load-testing lambda deployment from apply production workflow (#675) (62a7e26)

Miscellaneous Chores

  • add more information to the error message we get when failing to save a submission (#673) (1265b9c)
  • fix Lambda deployment issue with Localstack (#676) (860136b)

3.9.2 (2024-05-30)

Bug Fixes

  • Remove CSRF regex pattern from WAF out-of-country rule (#671) (6e98154)

Miscellaneous Chores

  • use static array of lambda name when deploying to production (#669) (15baf0b)

3.9.1 (2024-05-30)

Bug Fixes

3.9.0 (2024-05-17)

Features

  • add TF_VAR check and conventional commit lint workflows (#663) (bf44015)

Bug Fixes

  • include the mfa endpoint for WAF detection (0a3baea)
  • missing runs on property in Github workflow (#647) (94b3e2f)
  • modify the load balancer endpoint so it works with both the pre-app router and the new app router (7a16224)
  • notify slack lambda function had missing scripts in package.json (#660) (db9f8cd)
  • Update Notify error handling across lambdas (#651) (de189e2)
  • wrong job dependency name in Github Workflow (#648) (342ecb1)

Miscellaneous Chores

  • add permission for ECS task to call legacy submission Lambda function name (#643) (66f98b9)
  • added description in all package.json files (#649) (2b7ea5c)
  • added test-lambda-code job to Github workflow (#658) (87c2939)
  • adjust WAF rules (e9a3b8a)
  • Disable OpsGenie alerting for non-production environment (72fc8cb)
  • Github workflow deployment script not working as intended (#655) (f6d16cf)
  • sanitize GitHub workflow logs (e7e9537)
  • wait for lambdas images to be ready to use before applying Terraform modules (#650) (3ca2993)

Code Refactoring

  • convert Lambda code from S3 binary object to ECR container image (#626) (524d68f)

3.8.5 (2024-04-30)

Miscellaneous Chores

  • set force_destroy to true on Lambda code bucket in preparation for the Lambda containerization upgrade which will delete this bucket (#641) (a20e4cb)

3.8.4 (2024-04-23)

Bug Fixes

  • update name of Notify callback token TF variable (#639) (269ac5a)

3.8.3 (2024-04-22)

Bug Fixes

  • changed TTL field type from String to Number in ReliabilityQueue DynamoDB table (#637) (868fa43)

3.8.2 (2024-04-18)

Miscellaneous Chores

  • deps: update all non-major docker images (#500) (dc47785)

3.8.1 (2024-04-16)

Bug Fixes

3.8.0 (2024-04-16)

Features

  • deploy redis and postgresql in localstack (#620) (20e0fc1)

Bug Fixes

  • Add missing component (combobox / searchable list) for email responses (4cbd734)

3.7.2 (2024-03-26)

Miscellaneous Chores

  • synced file(s) with cds-snc/site-reliability-engineering (#555) (bfd81fe)
  • synced file(s) with cds-snc/site-reliability-engineering (#621) (dd097d1)

3.7.1 (2024-03-15)

Bug Fixes

  • async issue with lambda notification logic (#616) (a344cc1)
  • the alarm monitoring for 'unhealthyhost' wasn't working properly (#614) (4309971)

Code Refactoring

  • lambda that notifies slack and opsgenie (#609) (ba562d3)

3.7.0 (2024-02-29)

Features

  • enable file scanning on Vault S3 bucket (#611) (a44318c)

Bug Fixes

  • cloudwatch alarm configuration for unhealthy host (#604) (dbdbba1)

Miscellaneous Chores

  • Rename next auth url in preparation for next auth upgrade (f16e080)

3.6.0 (2024-02-27)

Features

Bug Fixes

  • add a way of unit testing lambda quickly and fix the lowercase logical error (#600) (4b733d7)
  • add missing subscription filter to audit logs archiver lambda logs (#597) (0def180)
  • missing permissions for the audit logs archiver lambda to access S3 bucket (#601) (05ce856)

3.5.2 (2024-02-08)

Bug Fixes

  • deployment issue due to audit logs TTL resource block that is not needed anymore (#594) (9cd9098)
  • nagware lambda trigger CRON definition is incorrect (#595) (c7513ff)

Miscellaneous Chores

  • create env file that gets automatically loaded when we start the infra in Localstack (#592) (b28c633)
  • reduce number of Nagware emails and Slack notifications (#591) (655061a)

3.5.1 (2024-01-29)

Bug Fixes

Miscellaneous Chores

3.5.0 (2024-01-25)

Features

  • add new cloudwatch alarm and waf rule for Cognito login outside Canada (#558) (d23a252)
  • disable health check until maintenance mode implementation is finalized (#538) (41c7d0a)
  • enable deletion protection on all DynamoDB tables (#580) (62a00aa)
  • implement maintenance page design (#544) (418b71a)
  • OIDC roles for GitHub workflows (#568) (3840ad9)
  • redirect to static maintenance web page when in maintenance mode or service is down (#530) (a99ccbe)
  • send notification on Slack when a timeout is detected in the lambda logs (#581) (d200b33)

Bug Fixes

  • acl not required with bucket ownership controls (#570) (1e31ae7)
  • Check for localstack or AWS env (#547) (f0e15b2)
  • deps: update dependency axios to v1 [security] (#531) (9860d8e)
  • ecs force deployment option (#573) (2d0e004)
  • enable code signing on Vault data integrity check lambda (#548) (50e1edc)
  • GC Notify API Key is not properly passed to Nagware and Reliability lambdas (#553) (0c9bfaa)
  • GitHub workflow OIDC role claims (#575) (bee2a0a)
  • import pg package was not properly done in Nagware lambda (#554) (58fdc66)
  • initialization of NotifyClient is not working because of the way we pass the API key (#576) (bd1904e)
  • integrity alarm (#542) (7440068)
  • maintenance mode deployment issue (#533) (a0ff418)
  • maintenance mode deployment issues second try (#534) (35f59eb)
  • maintenance mode WAF rules to allow for new page resources to be loaded (#550) (98cbf18)
  • Missed an S3 ACL on previous PR (#572) (783c8bc)
  • missing aliases in Cloudfront distribution (#540) (6f95764)
  • missing provider in WAF regex pattern set (#552) (44ddbad)
  • missing provider in waf rule (#537) (6926dc3)
  • missing WAF rule and certificate. Health check now targets load balancer DNS (#535) (85b8ea5)
  • PR review OIDC role for VPC lambda deploys (#578) (e4c8376)
  • revert certificate changes including ELB DNS (#536) (a4e41a1)
  • rework response archiver lambda (#577) (e5da375)
  • split Staging/Prod use of Scan Files service (#569) (d043405)
  • update Terragrunt mock values to fix TF plan (#583) (26e4374)
  • update to README file, adjust iterator age alarm threshold and fix to vault data integrity check local lambda test script (#525) (0761ad0)
  • WAF rule for maintenance mode not having proper scope (#551) (f90bddc)

Miscellaneous Chores

  • AWS Provider upgrade (#556) (1d6273c)
  • create production import.tf file (#584) (9d3b92a)
  • created local '.github/workflows/backstage-catalog-helper.yml' from remote 'tools/sre_file_sync/backstage-catalog-helper.yml' (#520) (c4f5f0d)
  • deps: update all non-major github action dependencies (#512) (75bc194)
  • reorganization of infrastructure as code for better local development (#532) (6f84917)
  • update email with sign off language rather than confirm language (#541) (64158be)
  • Update README.md (#506) (00ee9ca)

3.4.0 (2023-10-25)

Features

Bug Fixes

  • ACM cert not being recreated on domain name addition (#518) (2ba215d)
  • handle duplicate log events (#511) (e8de8d6)
  • site verification files allowed path were not properly included in regex (#510) (30a9c8b)
  • temporarily remove additional domain names (#519) (5e5a50f)

Miscellaneous Chores

  • allow path to verification files for search engines tool (#509) (2fba19c)
  • deps: update all non-major github action dependencies (#501) (c9c3b84)
  • synced file(s) with cds-snc/site-reliability-engineering (#508) (14f249d)

3.3.1 (2023-09-25)

Miscellaneous Chores

  • Add release manifest code owners (#499) (d63e8a2)
  • synced file(s) with cds-snc/site-reliability-engineering (#498) (9a93c2f)

3.3.0 (2023-09-19)

Features

Bug Fixes

  • Add missing freshdesk api key to ecs task (d8a96ac)
  • format of TF workflow Slack webhook URL (#496) (4bb5ca2)
  • Github action logic for release-generator (#479) (dbb3a77)
  • IAM permission for freshdesk secret (f22ee82)
  • release generator token step (#495) (ae47a64)
  • set target Slack channel for notification (#487) (fee609c)

Miscellaneous Chores

  • deps: lock file maintenance (#467) (d9329d5)
  • deps: update all non-major docker images (#465) (1766d88)
  • deps: update all non-major docker images (#488) (1e3d5c3)
  • deps: update all non-major github action dependencies (#466) (38611b1)
  • deps: update all non-major github action dependencies (#472) (fb2c43c)
  • deps: update aws-actions/configure-aws-credentials digest to fbaaea8 (#489) (f0f7f6b)
  • release generator (#475) (31e1b98)
  • release generator fix (#484) (661cf9a)
  • synced file(s) with cds-snc/site-reliability-engineering (#468) (563f2af)
  • synced file(s) with cds-snc/site-reliability-engineering (#490) (74cc135)
  • synced local '.github/workflows/ossf-scorecard.yml' with remote 'tools/sre_file_sync/ossf-scorecard.yml' (#470) (4565dcf)
  • synced local '.github/workflows/ossf-scorecard.yml' with remote 'tools/sre_file_sync/ossf-scorecard.yml' (#486) (8b3eee3)
  • upgrade python image (#471) (e75ef9b)
  • use GitHub app token with release-please (#491) (92f10eb)

Code Refactoring

  • split out security group rules from inline (6eaee25)