
CHANGELOG.md


17.1.0 (2025-01-17)

Features

  • enable datawatch_request_body_logging_enabled everywhere (24d0b7f)

17.0.0 (2025-01-17)

  • fix!: increase minimum hashicorp/aws version to 5.68.0 (3649e74)

BREAKING CHANGES

  • If your install has the "hashicorp/aws" provider version pinned to something lower than 5.68.0, increase the version to at least 5.68.0 and run terraform init -upgrade.

16.6.0 (2025-01-16)

Features

  • enable auto minor version upgrade for rabbitmq (b53735f)

16.5.0 (2025-01-14)

Features

  • allow control of temporal parallelism remaining queues (faee33d)

16.4.1 (2025-01-14)

Bug Fixes

  • shorten name of rootcausework to rootcause (f7d4732)

16.4.0 (2025-01-13)

Features

  • add dedicated ECS service for issue-root-cause (55558fb)

16.3.0 (2025-01-10)

Features

  • allow control of temporal parallelism on datawork service (bb4d33b)

16.2.0 (2025-01-08)

Features

  • allow setting issue-root-cause temporal client settings (dd60754)

16.1.0 (2025-01-07)

Features

  • set lineagework instance count to 1 (5d738a0)

16.0.0 (2024-12-10)

  • fix!: remove autoscaling from backfillwork (bc89cfb)

BREAKING CHANGES

  • var.backfillwork_autoscaling_max_count has been removed

15.0.0 (2024-12-06)

  • feat!: allow specifying autoscaling algo for internalapi and monocle (#380) (ec95813), closes #380

BREAKING CHANGES

  • The following vars have been removed:
      • var.indexwork_autoscaling_enabled
      • var.internalapi_autoscaling_cpu_enabled
      • var.internalapi_autoscaling_cpu_target
      • var.monocle_autoscaling_enabled
      • var.monocle_max_count
      • var.monocle_autoscaling_request_count_target

  • The following vars have been added:
      • var.internalapi_autoscaling_config
      • var.monocle_autoscaling_config

14.1.0 (2024-11-20)

Features

  • make indexwork autoscaling configurable via variable (#377) (1cc3f34)

14.0.0 (2024-11-14)

  • fix!: disable autoscaling for indexwork service (8e53564)

BREAKING CHANGES

  • The following variable has been removed:
      • indexwork_autoscaling_max_count

13.0.0 (2024-11-12)

  • feat!: roll out lineage and catalog indexing queue migrations (08c3e3f)

BREAKING CHANGES

  • The following bigeye module variables have been removed:
      • migrate_lineage_mq_queue_enabled
      • migrate_catalog_indexing_mq_queue_enabled

Remove these from your configuration before upgrading to this version of the Bigeye terraform module. If these have not been set before, no action is required.

12.7.2 (2024-11-12)

Bug Fixes

  • update autoscaling for services scaling on multiple queues (2728086)

12.7.1 (2024-11-11)

Bug Fixes

12.7.0 (2024-11-11)

Features

12.6.0 (2024-11-11)

Features

  • add flag to migrate lineage MQ work to lineagework (5e5ed7f)

12.5.0 (2024-11-08)

Features

  • add env var to control request size for datawatch (#363) (17edd39)

12.4.0 (2024-11-05)

Features

  • disable lineagework service by default (474f20a)

12.3.0 (2024-11-05)

Features

  • increase datawatch default cpu (901c893)
  • scale indexwork in faster (8e0efaf)

12.2.0 (2024-11-04)

Features

  • add flag to migrate lineage MQ work to lineagework (9b1f468)

12.1.0 (2024-11-04)

Bug Fixes

  • update queue membership for MQ based metric runs (2973e4a)

Features

  • add flag to migrate lineage MQ work to lineagework (9b1f468)

12.0.1 (2024-11-04)

Bug Fixes

  • update queue membership for MQ based metric runs (2973e4a)

12.0.0 (2024-11-01)

  • feat!: rollout indexwork service (04d8624)

BREAKING CHANGES

  • The following feature flags will need to be removed from your config if you are using them:
      • indexwork_enabled
      • indexwork_autoscaling_enabled

11.7.0 (2024-11-01)

Features

  • reduce default indexwork instance count (06ae1be)

11.6.0 (2024-10-31)

Bug Fixes

  • reduce indexwork autoscaling to 1 step (e6821b9)

Features

  • autoscale indexwork service (764df5e)

11.5.1 (2024-10-30)

Bug Fixes

  • remove metricwork MQ workers (ec304db)

11.5.0 (2024-10-29)

Features

11.4.0 (2024-10-23)

Features

  • use an include queue list instead of exclude queue (2e4d98e)

11.3.1 (2024-10-09)

Bug Fixes

  • exclude issue-root-cause from lineagework service (fb22038)

11.3.0 (2024-09-10)

Features

  • add enable flag for logging class load/unload messages (a00ad19)

11.2.0 (2024-09-06)

Features

  • add a feature flag to control a memory leak fix (bb986af)

11.1.1 (2024-09-06)

Bug Fixes

  • reduce datawatch and derivative service max JVM ram percent (c2c266c)

11.1.0 (2024-09-06)

Features

  • allow setting JVM MaxRAMPercentage for each service (71eec8b)

11.0.0 (2024-09-04)

  • feat!: remove support for mTLS connections from Datawatch (2ffe314)

BREAKING CHANGES

  • Two environment variables MTLS_KEY_PATH and MTLS_CERT_PATH were removed from Datawatch.

Recommendation: Ensure you are using application version 1.57.0 or higher.

Downtime: No

Steps: None

10.4.2 (2024-08-29)

Bug Fixes

  • reduce default max metric run workflow slots to 5 (5e9bd84)

10.4.1 (2024-08-20)

Bug Fixes

  • reduce default mc lineage workflow task pollers (d482ffa)

10.4.0 (2024-08-12)

Features

  • change autothreshold S3 file expiration to 45 days (3caaa3d)

10.3.0 (2024-08-08)

Features

  • new Temporal task queue monocle-invalidation (705af1e), closes #14885

10.2.0 (2024-08-01)

Features

  • add ability to use hosted zone apex as top level domain (07f3257)

10.1.2 (2024-07-31)

Bug Fixes

  • reduce default value for reconciliation workflow workers (b76da3f)

10.1.1 (2024-07-26)

Bug Fixes

  • reduce default value for scorecard refresh parallelism (9903119)

10.1.0 (2024-07-25)

Features

  • add env vars to control job executor parallelism (2137cc9)

10.0.0 (2024-07-22)

Bug Fixes

  • rename papi service to internalapi (fc65441)

BREAKING CHANGES

Variable rename

  • All variables with papi in the name need to be globally replaced with internalapi.

Steps

  1. Run the following commands to remove the papi security group from the redis and RDS security groups:

     terraform destroy --target 'module.bigeye.module.redis.aws_vpc_security_group_ingress_rule.other_sgs[5]'

     terraform destroy --target 'module.bigeye.module.datawatch_rds.aws_vpc_security_group_ingress_rule.other_sgs[4]'

     terraform destroy --target 'module.bigeye.module.datawatch_rds.aws_vpc_security_group_ingress_rule.replica_other_sgs[4]'

  2. Rename variables in main.tf referencing papi (search and replace papi with internalapi)
  3. Change the module version of the bigeye module to v10.0.0
  4. terraform init && terraform apply
  5. If you are using the alarms module, now change the version of the alarms module to v10.0.0
  6. terraform init && terraform apply
  7. Done!

9.2.0 (2024-07-18)

Features

  • add robot agent api key secret (c4abb90)
  • update temporal defaults to use apikey auth (063db42)

9.1.0 (2024-07-08)

Features

  • add ECS mem util percent alarm (8d4f6d8)

9.0.0 (2024-07-05)

  • fix!: upgrade AWS provider version from 5.33 to 5.50 (0afcdc1)

Features

  • enable KMS key rotation (05897ed)
  • make KMS key rotation days configurable (82f6bbf)

BREAKING CHANGES

  • You must run terraform init -upgrade to upgrade your provider versions.

Recommendation: Run terraform init -upgrade.

Downtime: No.

Steps: Run terraform init -upgrade.

8.0.1 (2024-07-03)

Bug Fixes

  • always create KMS IAM Policy if creating IAM Role (af1ff1d)

8.0.0 (2024-07-02)

Breaking Changes

Variable Rename

7b8a504

The datwatch_encrypt_secrets_with_kms_enabled variable had a typo and has been renamed to datawatch_encrypt_secrets_with_kms_enabled.

Change Default KMS Setting

09acc39

The datawatch_encrypt_secrets_with_kms_enabled flag enables KMS encryption in datawatch. As of 1.57.0 the feature is not yet GA, so this value is being changed to false.

Action required if

  • Upgrading from a terraform version between 6.6.0 and 7.0.2.
  • AND your application version is greater than 1.58.0.

If your installation does not meet the above conditions, no action is required.

If you do meet the above conditions, then certain data has already been encrypted with KMS, and if you do not follow the steps below, then you will be at risk of data corruption.

Recommendation

You must set your datawatch_encrypt_secrets_with_kms_enabled variable to true.

If you accidentally delete your KMS Key, you must cancel its deletion. Please refer to the AWS documentation on cancelling a key deletion.

Features

  • add ability to bring your own kms key for encryption (19d1b77)

7.0.2 (2024-07-02)

Bug Fixes

  • add setting private_hosted_zone to support private zones (0e05741)

7.0.1 (2024-06-29)

Bug Fixes

  • add tags to datawatch KMS key (e6d8cd3)
  • remove broken condition in kms policy (893d7b2)

7.0.0 (2024-06-27)

  • feat!: autoscale papi service (c4f8c3a)

Features

  • reduce Papi ECS service deregistration delay to 3 minutes (2067655)

BREAKING CHANGES

  • Upgrading to this version will result in downtime while the Papi (internal API service) ECS service is replaced with an autoscaling version. The downtime can be avoided by manually running a terraform state move before running terraform apply:

terraform state mv \
  'module.bigeye.module.papi.aws_ecs_service.controlled_count[0]' \
  'module.bigeye.module.papi.aws_ecs_service.uncontrolled_count[0]'

This also speeds up the terraform apply by ~15 minutes as that is the current LB deregistration delay on the Papi service.

6.6.1 (2024-06-27)

Bug Fixes

  • add permissions for datawatch ECS task to use KMS key (66da40f)
  • don't reference KMS unless feature is enabled (1aa302a)

6.6.0 (2024-06-26)

Features

  • use KMS to encrypt secrets (8d528c3)

6.5.0 (2024-06-18)

Features

  • route internal API calls to papi service 2 (133ea11)

6.4.1 (2024-06-18)

Bug Fixes

  • iam role policy name for datawatch efs access (d57720a)

6.4.0 (2024-06-14)

Features

  • add private API service (papi) 1 (7cb575d)

6.3.1 (2024-06-13)

Bug Fixes

  • revert send monocle and toretto traffic to datawork instead (b65bade)

6.3.0 (2024-06-13)

Features

  • enable heap dump on OOM for some java services (d7e66fe)

6.2.0 (2024-06-13)

Features

  • add ability to mount EFS volume in app containers (569bb5c)

6.1.1 (2024-06-12)

Bug Fixes

  • send monocle and toretto traffic to datawork instead (cf4cf05)

6.1.0 (2024-05-31)

Features

  • allow using firelens for ECS logs (3aeb288)

6.0.0 (2024-05-23)

Breaking Changes - Variable removals

Downtime: No

If set, the following variables will need to be removed from your configuration as they have been removed from this Terraform module:

  • temporal_opensearch_instance_count
  • temporal_opensearch_enable_master_nodes
  • temporal_opensearch_zone_awareness_zone_count

These are now no longer settable, but instead controlled via var.redundant_infrastructure.

7829d35

5.0.0 (2024-05-20)

Breaking Changes - State Moves

Downtime: Yes if steps are not taken.

Several resource addresses have changed, requiring some manual steps to prepare the terraform state for a non-destructive apply. These changes were made to accommodate the injection of several other resources, as well as to avoid overriding the desired_count of the autoscaling ECS services.

If no manual changes are made, then the next terraform apply will be destructive.

Always inspect the output of the terraform plan and terraform apply commands to ensure the changes Terraform plans are the ones you expect.

Autoscaling desired_count

ead3a6d

The resource names for the aws_ecs_service resources in the simpleservice module have been changed to reflect whether the desired_count is controlled.

Run the following commands:

terraform state mv 'module.bigeye.module.web.aws_ecs_service.this' 'module.bigeye.module.web.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.temporalui.aws_ecs_service.this' 'module.bigeye.module.temporalui.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.datawatch.aws_ecs_service.this' 'module.bigeye.module.datawatch.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.datawork.aws_ecs_service.this' 'module.bigeye.module.datawork.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.lineagework.aws_ecs_service.this' 'module.bigeye.module.lineagework.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.metricwork.aws_ecs_service.this' 'module.bigeye.module.metricwork.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.scheduler.aws_ecs_service.this' 'module.bigeye.module.scheduler.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.haproxy.aws_ecs_service.this' 'module.bigeye.module.haproxy.aws_ecs_service.controlled_count[0]'

If you are autoscaling monocle & toretto, run the following:

terraform state mv 'module.bigeye.module.toretto.aws_ecs_service.this' 'module.bigeye.module.toretto.aws_ecs_service.uncontrolled_count[0]'
terraform state mv 'module.bigeye.module.monocle.aws_ecs_service.this' 'module.bigeye.module.monocle.aws_ecs_service.uncontrolled_count[0]'

If you are not autoscaling monocle & toretto, run the following:

terraform state mv 'module.bigeye.module.toretto.aws_ecs_service.this' 'module.bigeye.module.toretto.aws_ecs_service.controlled_count[0]'
terraform state mv 'module.bigeye.module.monocle.aws_ecs_service.this' 'module.bigeye.module.monocle.aws_ecs_service.controlled_count[0]'

Bring-your-own Resources

You can now bring your own IAM Roles as well as a RabbitMQ broker.

These resources are now conditional and therefore their resource addresses have changed.

You must run the following commands.

# RabbitMQ
terraform state mv 'module.bigeye.module.rabbitmq' 'module.bigeye.module.rabbitmq[0]';

# ECS Role
terraform state mv 'module.bigeye.aws_iam_role.ecs' 'module.bigeye.aws_iam_role.ecs[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.ecs_execution' 'module.bigeye.aws_iam_role_policy.ecs_execution[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.ecs_secrets' 'module.bigeye.aws_iam_role_policy.ecs_secrets[0]';

# Admin Container Role
terraform state mv 'module.bigeye.module.bigeye_admin.aws_iam_role.this' 'module.bigeye.module.bigeye_admin.aws_iam_role.this[0]';
terraform state mv 'module.bigeye.module.bigeye_admin.aws_iam_role_policy.this' 'module.bigeye.module.bigeye_admin.aws_iam_role_policy.this[0]';

# Monocle Role
terraform state mv 'module.bigeye.aws_iam_role.monocle' 'module.bigeye.aws_iam_role.monocle[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.monocle' 'module.bigeye.aws_iam_role_policy.monocle[0]';

# Datawatch Role
terraform state mv 'module.bigeye.aws_iam_role.datawatch' 'module.bigeye.aws_iam_role.datawatch[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.datawatch_s3' 'module.bigeye.aws_iam_role_policy.datawatch_s3[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.datawatch_temporalsecrets' 'module.bigeye.aws_iam_role_policy.datawatch_temporalsecrets[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.datawatch_listsecrets' 'module.bigeye.aws_iam_role_policy.datawatch_listsecrets[0]';
terraform state mv 'module.bigeye.aws_iam_role_policy.datawatch_secrets' 'module.bigeye.aws_iam_role_policy.datawatch_secrets[0]';

Bug Fixes

  • do not access route53 if not managing dns (80ad921)

Other Features

  • add outputs for cloudwatch and s3 resources (1d6c2be)

4.7.3 (2024-05-15)

Bug Fixes

  • update opensearch autotune rollback setting (1166591)

4.7.2 (2024-05-15)

Bug Fixes

  • update password strength rules for generated opensearch password (3190b83)

4.7.1 (2024-05-15)

Bug Fixes

  • add missing flag for replica option group (954c17b)
  • use dynamic config for opensearch availability zone count (de8d837)

4.7.0 (2024-05-15)

Features

  • allow passing in rds db option group settings (fa5d9db)

4.6.1 (2024-05-14)

Bug Fixes

  • always use 3 opensearch zones if zone aware is enabled (669b3d5)
  • set opensearch data and master node types to the same (5194ae4)

4.6.0 (2024-05-14)

Features

  • disable MQ workers for lineagework service (87cf93f)

4.5.0 (2024-05-13)

Features

  • add opensearch for temporal visibility store with one data node (bd3a8ee)
  • allow temporal visibility store to be driven by SQL (4edadf2)
  • enable production settings on temporal visibility store (e162989)

4.4.0 (2024-05-13)

Features

  • add lineagework service (9d8a03c)

4.3.0 (2024-05-09)

Features

  • add additional outputs for subnet ids (82b0e3a)

4.2.0 (2024-05-09)

Features

  • add additional outputs for subnet ids (82b0e3a)

4.1.2 (2024-05-09)

Bug Fixes

  • change the default setting for general_log on replica (7bf436b)
  • create temporal parameters by default (588ea58)
  • database slow log parameter settings (d97746b)

4.1.1 (2024-05-03)

Bug Fixes

  • db parameter apply method not working (fa561eb)

4.1.0 (2024-05-03)

Features

  • allow configuring database iops (6972a6c)

4.0.0 (2024-04-26)

Breaking Changes

Variable Re-definition - RDS Parameters

eb9b737

Downtime: No

The way RDS parameters were configured made it cumbersome to specify database parameter changes. If a user wanted to change a single DB parameter, they would need to provide the rest of the database parameters into the variable. This represented an unnecessary maintenance risk.

In version 4.0.0, the default RDS parameters are now specified in the following variables:

  • datawatch_rds_default_parameters
  • datawatch_rds_replica_default_parameters
  • temporal_rds_default_parameters

Users can add to or override these defaults by specifying the following variables (previously these variables contained the default values):

  • datawatch_rds_parameters
  • datawatch_rds_replica_parameters
  • temporal_rds_parameters

The structure of all of these variables has also changed to more clearly control merging precedence. The structure has changed as follows:

locals {
  previous_structure = [
    {
      name         = "log_output"
      value        = "FILE"
      apply_method = "immediate"
    }
  ]

  new_structure = {
    log_output = {
      value        = "FILE"
      apply_method = "immediate"
    }
  }
}

The effective parameters are constructed by merging the *_rds_parameters values on top of (i.e. overriding) the values in the respective *_rds_default_parameters variables.

Changes Required

If you have modified any of the following variables, then you will have to make changes.

  • datawatch_rds_parameters
  • datawatch_rds_replica_parameters
  • temporal_rds_parameters

Change the structure of your parameters variable values to conform to the new syntax. Confirm your changes by running terraform plan and inspecting the output.
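
A migration sketch for the structure change above, added here as an example and not taken from the module's source: it converts a value written in the old list form into the new map form and previews how an override replaces a default entry. The local names, the sample values, and the assumption that the two maps are combined with Terraform's shallow merge() are illustrative.

```hcl
locals {
  # Constructed sample: a value written for the pre-4.0.0 list structure.
  old_datawatch_rds_parameters = [
    {
      name         = "log_output"
      value        = "TABLE"
      apply_method = "immediate"
    },
    {
      name         = "slow_query_log"
      value        = "1"
      apply_method = "immediate"
    },
  ]

  # The same data keyed by parameter name, as 4.0.0 expects.
  # Terraform raises a duplicate-key error here if the old list named the
  # same parameter twice, which surfaces conflicts before any apply.
  new_datawatch_rds_parameters = {
    for p in local.old_datawatch_rds_parameters :
    p.name => {
      value        = p.value
      apply_method = p.apply_method
    }
  }

  # Constructed stand-in for the module's defaults (not the real default set).
  sample_default_parameters = {
    log_output = {
      value        = "FILE"
      apply_method = "immediate"
    }
  }

  # Assumption: a shallow merge where the later argument wins per key, so an
  # override replaces the whole entry for that parameter, apply_method included.
  effective_parameters = merge(
    local.sample_default_parameters,
    local.new_datawatch_rds_parameters,
  )
}

# Paste this value into datawatch_rds_parameters after upgrading.
output "datawatch_rds_parameters_for_4_0_0" {
  value = local.new_datawatch_rds_parameters
}

# log_output resolves to "TABLE" (override wins); slow_query_log is added.
output "effective_parameters_preview" {
  value = local.effective_parameters
}
```

Run it in a scratch directory: with no resources declared, terraform plan only reports the two outputs.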

RDS Parameter Value Changes

Downtime: No

The log_output DB parameter was defaulted to "FILE".

The general_log and slow_query_log DB parameters are now enabled by default if the rds_enabled_logs variables include the general and slowlog values, respectively.

Upgrade AWS Provider

1dc29a3

Downtime: No

The required AWS provider was increased from 5.31.0 to 5.33.0. This was to allow the AWS Secrets Manager secret versions to be controlled and prevent drift. Previously, if someone had modified one of the terraform-controlled AWS Secrets Manager secrets to have a new value, the Terraform module would not correct that drift. In this new version, drift detection is possible for AWS Secrets Manager secret versions. See the release notes for more information.

To upgrade, you must run:

terraform init -upgrade

If you have pinned your AWS terraform provider version to something less than 5.33.0, you will need to update that value and run terraform init -upgrade.

Bug Fixes

  • ensure the AWSCURRENT version of ASM secrets is controlled (1ee7c40)

3.15.0 (2024-04-26)

Features

  • add variable to configure database logs (4e8da7a)

3.14.0 (2024-04-26)

Features

  • enable ecs exec for some of the services (9418ef3)

3.13.1 (2024-04-25)

Bug Fixes

  • temporal frontend service should only run the frontend component (13dfdc5)

3.13.0 (2024-04-24)

Bug Fixes

  • use fargate_version var (b6fa30a)

Features

  • add security group rule for metrics checking (fc7a2c2)
  • split temporal into components (11d42e3)

3.12.0 (2024-04-23)

Features

  • add encryption and salt secrets (3d5ef9b)

3.11.2 (2024-04-19)

Bug Fixes

  • set default for performance insights back to true (e521370)

3.11.1 (2024-04-17)

Bug Fixes

  • update logic enabling performance insights on RDS (3689493)

3.11.0 (2024-04-17)

Features

  • enable performance insights on datawatch mysql replica (c36f20f)

3.10.0 (2024-04-05)

Features

  • add additional ingress cidrs for internal resources (ffb2c8f)
  • add additional_ingress_cidrs var for outward-facing resources (08a1917)

3.9.1 (2024-04-04)

Bug Fixes

  • add sentry dsn to web container (7173a30)

3.9.0 (2024-04-03)

Features

  • allow setting replica DB engine version (c801fb2)

3.8.3 (2024-03-27)

Bug Fixes

  • scheduler datawatch address to datawork (7371a93)

3.8.2 (2024-03-18)

Bug Fixes

  • binlog_format should be ROW for replica by default (25a6b26)
  • write iops metric for RDS (a0c85a5)

3.8.1 (2024-03-15)

Bug Fixes

  • add app tag for temporal, redis, rabbit (b2d54ee)

3.8.0 (2024-03-15)

Features

  • create parameter group by default for datawatch replica (6ce59d6)

3.7.0 (2024-03-12)

Bug Fixes

  • reorder environment variable merge list to allow var to override (7afaf17)

Features

  • add rds parameters variables (1ecf236)

3.6.2 (2024-03-08)

Bug Fixes

  • alarm defaults for redis and rabbitmq (413127a)
  • elasticache alarms incorrect namespace (23d31a8)
  • load balancer and target group alarm ids should use arn_suffix (f875b75)

3.6.1 (2024-03-07)

Bug Fixes

  • add agent large payload bucket name env var (f026974)

3.6.0 (2024-03-05)

Features

  • add ability to specify models s3 bucket name (4a8e9c2)

3.5.1 (2024-03-05)

Bug Fixes

  • logic update for when to install RDS performance insights (b03da76)

3.5.0 (2024-03-04)

Features

  • add optional VPC S3 flow logs (e2bc49a)
  • enable performance insights by default if instances support it (72aeeb5)

3.4.1 (2024-03-04)

Bug Fixes

  • update rabbitmq admin port to 443 (fd42768)

3.4.0 (2024-03-01)

Features

  • add variable to control from email for byo smtp server setups (30f2f14)

3.3.2 (2024-02-29)

Bug Fixes

  • always ACM cert creation flag logic (5a2495d)

3.3.1 (2024-02-29)

Bug Fixes

  • only create ingress rule if create_security_groups = true (0dd6209)

3.3.0 (2024-02-29)

Bug Fixes

  • remove read-after-write race for rds databases (776ebd5)
  • remove read-after-write race for redis auth token (7c684c2)
  • remove read-after-write race for secret in rabbitmq (3e33823)
  • upgrade slackapi/slack-github-action to v1.25.0 (da3d503)

Features

  • use inline policy rather than AWS-managed policy (f68a32f)

3.2.0 (2024-02-29)

Bug Fixes

  • remove read-after-write race for rds databases (776ebd5)
  • remove read-after-write race for redis auth token (7c684c2)
  • remove read-after-write race for secret in rabbitmq (3e33823)
  • upgrade slackapi/slack-github-action to v1.25.0 (da3d503)

Features

  • use inline policy rather than AWS-managed policy (f68a32f)

3.1.0 (2024-02-28)

Bug Fixes

  • remove read-after-write race for rds databases (776ebd5)
  • remove read-after-write race for redis auth token (7c684c2)
  • remove read-after-write race for secret in rabbitmq (3e33823)

Features

  • use inline policy rather than AWS-managed policy (f68a32f)

3.0.0 (2024-02-23)

Bug Fixes

  • use dedicated ingress rule for rabbitmq security group (5fef368)

Features

  • allow admin container access to RabbitMQ (668e271)

BREAKING CHANGES

  • This requires manual deletion of the -rabbitmq instance.

AWS managed RabbitMQ does not allow changing security group membership for RabbitMQ so the resource must be deleted manually first before we can allow the admin container access to RabbitMQ.

  • This requires users to remove all existing security group rules from the -rabbitmq security group.

The terraform run will fail due to duplicate ingress rules otherwise.

This change was required to avoid terraform perpetually detecting changes when rabbitmq_extra_cidr_blocks is an empty list (default).

2.13.0 (2024-02-22)

Bug Fixes

  • add depends_on to improve deployment flow (3a37200)

Features

  • add variable for num history shards (0d8460b)
  • allow rabbitmq cluster mode to be controlled directly (73f7643)

2.12.0 (2024-02-22)

Features

  • add ability to set ingress cidr blocks for rabbitmq (ae4f96f)

2.11.0 (2024-02-22)

Bug Fixes

  • datadog metric checks for haproxy (2a2cc79)

Features

  • add variables for datadog container secrets (72d2003)

2.10.0 (2024-02-16)

Bug Fixes

  • toretto autoscaling names (3bc0d1e)
  • toretto autoscaling should be based on datawatch count (f5385dd)

Features

  • add autoscaling to monocle (dd7b1eb)
  • add outputs from service module (f99708e)

2.9.1 (2024-02-16)

Bug Fixes

2.9.0 (2024-02-16)

Features

  • add BYO mail server env vars to datawatch, datawork, metricwork (3a814a4)

2.8.0 (2024-02-15)

Features

  • add option to use existing high/low urgency SNS topics (8c1ee45)

2.7.0 (2024-02-14)

Features

  • add control over temporal persistence QPS (ff4b2d9)

2.6.0 (2024-02-14)

Bug Fixes

  • broker name in bigeye module outputs (f3c10fc)

Features

  • add autoscaling for toretto (a2ae211)
  • add broker name to outputs (d1b9d0b)

2.5.0 (2024-02-13)

Features

  • add module for cloudwatch alarms (dee7fb0)
  • add outputs to bigeye module for databases (3a3aad9)

2.4.0 (2024-02-13)

Features

  • add flag to control temporal logging (c08dc57)

2.3.0 (2024-02-12)

Bug Fixes

  • environment variables for bigeye-admin container (e64989c)

Features

  • allow separate optional tags for primary vs replica dbs (b0e152c)

2.2.0 (2024-02-02)

Features

  • set binlog format to ROW (c1f4682)

2.1.0 (2024-02-01)

Bug Fixes

  • add datawatch_db_name to handle edge case (1f510fc)
  • add depends_on to prevent race condition on initial apply (68f8ac8)

Features

  • add datawatach_rds_root_user_name to configure db (43ae61b)

2.0.0 (2024-01-31)

BREAKING CHANGES

Security Group Changes

A change was made to the security groups, which will result in terraform apply getting stuck trying to apply a security group rule when that rule already exists.

This is a result of moving from using an ingress block inside an aws_security_group resource to a separate resource for the aws_vpc_security_group_ingress_rule. This affects installations unless you have create_security_groups = false.

Recommendation

You may either delete or import the conflicting security group rule. The RDS security groups and Redis security groups are affected. These have the names -datawatch-db, -datawatch-db-replica, -temporal-db, -temporal-db-replica, and -redis-cache.

Downtime

"Yes" if you delete the security group rule. "No" if you import it.

Steps

To import the security group rule, run: terraform import [ADDR] [id]. The ADDR for each of the resources will be:

  • module.bigeye.module.datawatch_rds.aws_vpc_security_group_ingress_rule.client_sg[0]
  • module.bigeye.module.datawatch_rds.aws_vpc_security_group_ingress_rule.replica_client_sg[0]
  • module.bigeye.module.temporal_rds.aws_vpc_security_group_ingress_rule.client_sg[0]
  • module.bigeye.module.temporal_rds.aws_vpc_security_group_ingress_rule.replica_client_sg[0]
  • module.bigeye.module.redis.aws_vpc_security_group_ingress_rule.client_sg[0]

Make sure to wrap the ADDR with quotes, or the shell command will fail. Get the [id] for each of the security groups from the AWS console.

For example:

terraform import "module.bigeye.module.datawatch_rds.aws_vpc_security_group_ingress_rule.client_sg[0]" sgr-1234567890

(10d1f4a)

Removed Variables

The following two variables have been removed:

Instead, use the following variables:

  • sentry_dsn_secret_arn
  • datadog_agent_api_key_secret_arn

This allows for better secrets management and makes sure that the terraform plan output isn't unnecessarily hidden.

Removed Outputs

All outputs starting with temporal_admin_ have been replaced with corresponding outputs starting with temporalui_.

(a4906b5)

Bug Fixes

  • remove redis client sg from services (a8acd87)
  • update services to not require db client sg (5cb71be)

Features

  • add security_group_id as output from simpleservice (99f612a)

1.16.0 (2024-01-31)

Bug Fixes

  • align declared container def with deployed (3d24a89)
  • healthcheck for temporalui (64b3557)
  • remove environment vars that can just be injected (f28a3d0)
  • send temporalui logs to temporal log group (b5bbec3)
  • typo in datadog environment variables (d4d89f9)
  • update healthcheck parameters (a553a5c)
  • update web environment variables to respect env (8022483)
  • updated temporal configuration to match other services (41a9fb9)

Features

  • add ability for additional docker labels if using datadog (3f14589)
  • add datadog AD checks for haproxy (861ac9b)
  • add rds_apply_immediately variable to control RDS changes (fc5971e)
  • add sentry configuration variables (84a2e1a)
  • add stopTimeout setting on ECS task (1c5db22)
  • add variable for feature send enabled (2acacbc)
  • configure stop_timeout for toretto and dw workers (8d5c2f0)

1.15.0 (2024-01-31)

Features

  • set mysql transaction isolation to read-committed (efd1e74)

1.14.0 (2024-01-26)

Bug Fixes

  • fixed output for temporal RDS hostname (736d504)

Features

  • add outputs temporalui_* to replace temporal_admin (0284d57)
  • add validation message for BYO DNS and ACM certificate (54c31e7)
  • use RDS dns for app when create_dns_records is false (ef34b46)

1.13.0 (2024-01-25)

Features

  • add additional networking resources to module outputs (ca3feb5)

1.12.0 (2024-01-25)

Features

  • add ability to change temporal db name (5722963)

1.11.0 (2024-01-25)

Bug Fixes

  • mark rabbit username as not sensitive (57f8791)

Features

  • add rabbitmq configuration data to bigeye-admin (9346e23)

1.10.0 (2024-01-25)

Bug Fixes

  • add missing tags to temporal resources (89f514e)
  • clean up environment variables (b20aaf1)
  • update datadog parameters for containers (b4000ba)

Features

  • add variable for additional rds tags (54775ea)
  • plumb through healthcheck config into simple service (abd5686)
  • refactor plumbing for elb logs (a83b51b)
  • update web service unhealthy target (b4b8baf)

1.9.0 (2024-01-23)

Features

  • add BYO mTLS certs example (3e207b1)

1.8.1 (2024-01-19)

Bug Fixes

  • configure iam policy for bigeye-admin (255f8a1)
  • prevent terraform dependency graph issues for admin module (1b7f490)

1.8.0 (2024-01-19)

Features

  • propagate ECS tags to the task (bf04efd)

1.7.0 (2024-01-18)

Bug Fixes

  • add environment variables for admin module (d710f24)

Features

  • release initial version of bigeye-admin container (c4ead4f)

1.6.2 (2024-01-18)

Bug Fixes

  • normalize subnet names (fffe0ed)
  • remove DEMO_ENDPOINT_ENABLED env var (acf02cc)

1.6.1 (2024-01-18)

Bug Fixes

1.6.0 (2024-01-16)

Features

  • add VPC endpoints for resources required for ECS (724ab0a)

1.5.0 (2024-01-12)

Features

  • add NAT IPs to TF output (2995d6c)

1.4.0 (2024-01-11)

Features

  • enable service-specific image tag overrides (f3cabd3)

1.3.0 (2024-01-11)

Bug Fixes

  • non-sensitive variables should not be marked as sensitive (9dac420)

Features

  • specify defaulted values in task definition (127a605)
  • use a secret ARN to store DD agent api key (e35ab7d)

1.2.1 (2024-01-11)

Bug Fixes

  • reduce time it takes to mark ECS nodes as healthy (9aba1e7)

1.2.0 (2024-01-10)

Features

  • add troubleshooting client security group to resources (817e9f3)
  • add troubleshooting container instance (c741fd5)
  • update ECS configuration to log execute commands (29fae91)
  • use troubleshooting container in main bigeye module (9e40921)

1.1.0 (2024-01-03)

Bug Fixes

  • add scheduler address to self for localhost calls (458696c)
  • rds module should respect create_security_groups var (3b664e1)
  • send correct security groups when create_security_groups is false (896d40a)
  • use datawatch_rds_db_name for datawatch JDBC connection string (ca718db)

Features

  • add validation for ECS task security groups (dd2acc5)
  • add validation message for rabbitmq security groups (d6f7b7e)
  • add validation messages for redis and rds security groups (c62ea0d)
  • add validation rules (19454b5)

1.0.1 (2023-12-27)

Bug Fixes

  • update temporal LB SG to allow 443 (d994113)

1.0.0 (2023-12-22)

Bug Fixes

  • grant monocle and toretto IAM access to S3 (d84bd59)

  • respect create_security_groups variable for services (183c2e9)

  • respect create_security_groups variable for temporal (f0806cf)

  • use bigeye as the default mysql db name for the app db (3f88717)

  • chore!: update AWS provider (d6ec311)

  • feat!: add security group to temporal network load balancer (4cf79dd)

  • feat!: move temporal load balancer to private by default (954dd41)

Features

  • add plumbing for bringing your own security group ids for services (f2147e9)

BREAKING CHANGES

IMPORTANT - Database Name Change

A new variable datawatch_rds_db_name was added with a default value of bigeye. In existing installations, this is a breaking change. In order to avoid destroying your database (and data!), please set the following variable: datawatch_rds_db_name = "toro".

Upgrade AWS Terraform Provider

The required AWS Terraform provider was updated to 5.31.0. This requires running the following command:

terraform init -upgrade

Temporal LB changes

Two breaking changes were added for the Temporal LB. Applying these will cause the Temporal LB to be destroyed and recreated.

While the LB is offline, no workers will be able to start new work, and no new work (e.g. metric runs) will be scheduled. Work already in queue will remain there and be picked up when the LB is up and service is restored.

Simply run the normal terraform apply commands to update the Load Balancer. Note: due to the recency of Security Group support, this encounters a bug in the AWS Terraform Provider, and you will have to run the terraform apply command twice.

Add Security Group to Temporal LB

By default, a security group has been added to the Network Load Balancer for the Temporal service. AWS does not support modifying Security Groups on Network Load Balancers at this time, so this change requires the NLB to be destroyed and recreated.

Modify default visibility for Temporal LB

A new variable temporal_internet_facing has been introduced to control whether the Temporal LB is internet facing. The default is false, which is a breaking change causing the LB to be destroyed and recreated.

Recommendation: accept the new default and migrate to an internal temporal LB. This is more secure since it avoids unnecessary public access to the Temporal LB.

0.5.1 (2023-12-21)

Bug Fixes

  • add datadog api key to service container if enabled (f2b4a35)

0.5.0 (2023-12-20)

Features

  • add an image repository suffix variable (9af4648)

0.4.0 (2023-12-20)

Bug Fixes

  • update deploy so multiple deploys run serially (9fc38f8)

Features

  • update temporal env vars to latest CLI (1821dbb)

0.3.0 (2023-12-20)

Features

  • update temporal env vars to latest CLI (9799cc9)

0.2.2 (2023-12-13)

Bug Fixes

  • use vanity_alias for all dns names (4004a5d)

0.2.1 (2023-12-06)

Bug Fixes

  • remove empty string validation on image_registry (72889f5)

0.2.0 (2023-12-01)

Bug Fixes

  • remove duplicate default (90ffbf3)

Features

  • add validation rules to common variables (11fdd73)
  • allow slack and auth0 secrets to be empty/unset (1069765)
  • default image_tag to latest and default registry to account ECR (771e62e)

0.1.0 (2023-11-30)

Features