chore: upgrade Azure IoT Operations to 2606 (v1.3.137) #652

Description

@katriendg

Summary

Upgrade the pinned Azure IoT Operations (AIO) version from the current 1.3.105 to the latest GA release 2606 (v1.3.137). AIO 2606 is a security- and stability-focused patch release that delivers critical security vulnerability remediation and reliability improvements. Staying current is recommended for continued support and to pick up security patches.

Release notes: Release 2606 Update · Azure/azure-iot-operations (v1.3.137)

Current State

The AIO instance version is pinned to 1.3.105 in:

  • src/100-edge/110-iot-ops/terraform/variables.instance.tf (operations_config.version)
  • src/100-edge/110-iot-ops/bicep/types.bicep (release.version)

What's in 2606 (v1.3.137)

Release type: Patch · Release date: June 2026 · Current GA version: 2606

Security fixes (critical):

  • Glob metacharacter injection in BrokerAuthorization state-store key pattern substitution — key pattern matching now escapes metacharacters.
  • RegistryEndpoint arbitrary audience/host for MSI token minting — token minting now enforces strict audience/host validation.
  • AIO Onboarding role self-assignment — ABAC conditions strengthened to prevent role self-escalation to Contributor.
  • Schema Registry dependency vulnerability remediation.

Connector reliability:

  • MQTT connector async task panic handling now surfaces and logs failures.
  • OPC UA: configurable method-execution client idle timeout; expired action requests rejected before the execution queue; endpoint state transitions fixed.

MQTT / Dataflows / Platform:

  • Broker authorization partial attribute matching fixed.
  • Dataflow health status recovery from Degraded after download timeout.
  • Map transform enrichment fixed for multi-record context datasets.
  • MQTT source now reports unavailable on connector disconnect.
  • Meta Operator recovery from transient upgrade failures (no longer stuck in Failed).

Known issues to be aware of:

  • Akri Operator may show inconsistent default authentication behavior in certain configurations.
  • Since 2605, the MQTT connector will not connect to external MQTT brokers with private IPs (full resolution expected in 2607).

Proposed Work

  • Bump operations_config.version from 1.3.105 to 1.3.137 in src/100-edge/110-iot-ops/terraform/variables.instance.tf.
  • Bump release.version from 1.3.105 to 1.3.137 in src/100-edge/110-iot-ops/bicep/types.bicep.
  • Review akri-connectors default connector versions/tags (1.2.37 / 1.2.39) for any required bump alongside 2606.
  • Run aio-version-checker.py to confirm resolved URLs/manifests for v1.3.137.
  • Validate Terraform and Bicep (npm run tf-validate, Bicep build) and regenerate docs.
  • Deploy to a test cluster and confirm a clean upgrade from an existing 2605/earlier instance (verify Meta Operator does not get stuck).

Acceptance Criteria

  • AIO version pinned to 1.3.137 across Terraform and Bicep.
  • Validation and docs generation pass.
  • Test-cluster upgrade completes successfully with all AIO components healthy.
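
The first security fix listed above (glob metacharacter injection in key-pattern substitution) belongs to a general bug class that a regression test can pin down. The following is an added example, not code from this issue or from Azure IoT Operations: the template syntax, function names, keys and client IDs are hypothetical, and Python's fnmatch stands in for the matcher.

```python
import re
from fnmatch import fnmatchcase

# Hypothetical template syntax: "{name}" is replaced by a client attribute;
# "*", "?" and "[" keep their glob meaning when written in the template itself.
PLACEHOLDER = re.compile(r"\{(\w+)\}")
GLOB_META = re.compile(r"([*?\[])")


def escape_glob(value: str) -> str:
    """Wrap each glob metacharacter in a character class so it matches literally."""
    return GLOB_META.sub(r"[\1]", value)


def expand(template: str, attrs: dict, escape: bool = True) -> str:
    """Substitute client attributes into a key-pattern template.

    escape=False reproduces the flawed behaviour (raw substitution);
    escape=True is the hardened form.
    """
    def repl(match: re.Match) -> str:
        value = attrs[match.group(1)]  # unknown attribute raises KeyError: fail closed
        return escape_glob(value) if escape else value

    return PLACEHOLDER.sub(repl, template)


def key_allowed(template: str, attrs: dict, key: str, escape: bool = True) -> bool:
    """True if `key` matches the template after attribute substitution."""
    return fnmatchcase(key, expand(template, attrs, escape))


# Constructed sample data (not taken from any real deployment).
TEMPLATE = "clients/{clientId}/*"
NORMAL_ID = {"clientId": "sensor-01"}
ODD_ID = {"clientId": "*"}          # attribute value containing a metacharacter
OTHER_KEY = "clients/sensor-02/config"

if __name__ == "__main__":
    for label, esc in (("raw substitution", False), ("escaped", True)):
        print(f"{label:17} pattern={expand(TEMPLATE, ODD_ID, esc)!r} "
              f"matches other client's key: {key_allowed(TEMPLATE, ODD_ID, OTHER_KEY, esc)}")
```
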

Labels

  • backlog
  • infrastructure (Infrastructure as code and platform)
  • maintenance (Maintenance work, no version bump)
  • priority-2 (High priority, address soon)
  • security (Security-related changes or concerns)
  • terraform
