Summary
Upgrade the pinned Azure IoT Operations (AIO) version from the current 1.3.105 to the latest GA release 2606 (v1.3.137). AIO 2606 is a security- and stability-focused patch release that delivers critical security vulnerability remediation and reliability improvements. Staying current is recommended for continued support and to pick up security patches.
Release notes: Release 2606 Update · Azure/azure-iot-operations (v1.3.137)
Current State
The AIO instance version is pinned to 1.3.105 in:
src/100-edge/110-iot-ops/terraform/variables.instance.tf (operations_config.version)
src/100-edge/110-iot-ops/bicep/types.bicep (release.version)
What's in 2606 (v1.3.137)
Release type: Patch · Release date: June 2026 · Current GA version: 2606
Security fixes (critical):
- Glob metacharacter injection in
BrokerAuthorization state-store key pattern substitution — key pattern matching now escapes metacharacters.
RegistryEndpoint arbitrary audience/host for MSI token minting — token minting now enforces strict audience/host validation.
- AIO Onboarding role self-assignment — ABAC conditions strengthened to prevent role self-escalation to Contributor.
- Schema Registry dependency vulnerability remediation.
Connector reliability:
- MQTT connector async task panic handling now surfaces and logs failures.
- OPC UA: configurable method-execution client idle timeout; expired action requests rejected before the execution queue; endpoint state transitions fixed.
MQTT / Dataflows / Platform:
- Broker authorization partial attribute matching fixed.
- Dataflow health status recovery from
Degraded after download timeout.
- Map transform enrichment fixed for multi-record context datasets.
- MQTT source now reports unavailable on connector disconnect.
- Meta Operator recovery from transient upgrade failures (no longer stuck in
Failed).
Known issues to be aware of:
- Akri Operator may show inconsistent default authentication behavior in certain configurations.
- Since 2605, the MQTT connector will not connect to external MQTT brokers with private IPs (full resolution expected in 2607).
Proposed Work
Acceptance Criteria
- AIO version pinned to
1.3.137 across Terraform and Bicep.
- Validation and docs generation pass.
- Test-cluster upgrade completes successfully with all AIO components healthy.
References
Summary
Upgrade the pinned Azure IoT Operations (AIO) version from the current
1.3.105to the latest GA release 2606 (v1.3.137). AIO 2606 is a security- and stability-focused patch release that delivers critical security vulnerability remediation and reliability improvements. Staying current is recommended for continued support and to pick up security patches.Release notes: Release 2606 Update · Azure/azure-iot-operations (v1.3.137)
Current State
The AIO instance version is pinned to
1.3.105in:src/100-edge/110-iot-ops/terraform/variables.instance.tf(operations_config.version)src/100-edge/110-iot-ops/bicep/types.bicep(release.version)What's in 2606 (v1.3.137)
Release type: Patch · Release date: June 2026 · Current GA version: 2606
Security fixes (critical):
BrokerAuthorizationstate-store key pattern substitution — key pattern matching now escapes metacharacters.RegistryEndpointarbitrary audience/host for MSI token minting — token minting now enforces strict audience/host validation.Connector reliability:
MQTT / Dataflows / Platform:
Degradedafter download timeout.Failed).Known issues to be aware of:
Proposed Work
operations_config.versionfrom1.3.105to1.3.137insrc/100-edge/110-iot-ops/terraform/variables.instance.tf.release.versionfrom1.3.105to1.3.137insrc/100-edge/110-iot-ops/bicep/types.bicep.akri-connectorsdefault connector versions/tags (1.2.37/1.2.39) for any required bump alongside 2606.aio-version-checker.pyto confirm resolved URLs/manifests for v1.3.137.npm run tf-validate, Bicep build) and regenerate docs.Acceptance Criteria
1.3.137across Terraform and Bicep.References