Releases: nullplatform/tofu-modules

v6.0.0

@github-actions github-actions released this 01 Jul 17:13
c4d586b

6.0.0 (2026-07-01)

⚠ BREAKING CHANGES

  • iam/agent: clusters that relied on the implicit permissions role must now pass it explicitly in assume_role_arns.

Features

  • iam/agent: require explicit assume_role_arns, drop implicit permissions role (#421) (44b8fd6)

v5.3.1

@github-actions github-actions released this 29 Jun 14:35
f03a199

5.3.1 (2026-06-29)

Bug Fixes

  • move infrastructure/aws/iam/s3 to scopes-static-files requirements (#419) (33d9b50)

v5.3.0

@github-actions github-actions released this 29 Jun 14:30
bc5321a

5.3.0 (2026-06-26)

Features

  • iam: add Pod Identity support to cert-manager and external-dns modules (#409) (1f4e5ff)

v5.2.0

@github-actions github-actions released this 25 Jun 20:51
34a360c

5.2.0 (2026-06-25)

Features

  • cloud/aws: make hosted_public_zone_id optional for private-only (#408) (7f52d4b)

v5.1.0

@github-actions github-actions released this 25 Jun 18:50
6dc26c7

5.1.0 (2026-06-25)

⚠ BREAKING CHANGES

  • iam/agent: the IRSA token no longer has Route53/EKS/ELB/AVP permissions directly. The agent must assume the permissions role (exposed via the nullplatform_agent_permissions_role_arn output) to use them.
  • iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
  • dns,ingress,iam: support disabling public-side resources (#364)
  • nullplatform/dimension: callers of nullplatform/dimensions must migrate to nullplatform/dimension and run a terraform state mv to preserve the existing dimension (resource labels changed from environment / environment_value to this). Migration steps are documented in the new module's README.
  • security,eks: cluster_security_group_id and gateway_port variables removed from infrastructure/aws/security. Callers must replace those inputs with a separate module eks_gateway_rules call using infrastructure/aws/eks-gateway-rules.

Features

  • 613: add support cert manager for oci (#152) (1282171)
  • account: make repository_prefix and repository_provider optional (#326) (a0a079a)
  • add additional_policies variable to agent IAM module (#233) (7762406)
  • add ebs and storage class for eks (#298) (8c00ba3)
  • add eks_cluster_primary_security_group_id output (#236) (46412f8)
  • add extra_envs variable to agent module (#229) (996b24f)
  • add istio security groups (#190) (5e06e8c)
  • add pre-configured api_key modules for agent, scope and service notifications (d5d1d76)
  • add scope_configuration module (#271) (a49e943)
  • agent: add config external-dns to aws config (3d69436)
  • agent: add config external-dns to aws config (#105) (1a828f9)
  • agent: IAM assume-role support + multi-instance parametrization (#386) (b82df52)
  • agent: move identical variables to global configuration (2b78254)
  • aks acr integration (#120) (e2237b6)
  • api-key: add custom_grants support for multi-NRN grants (#276) (ce70c59)
  • aws-backend: make backend module compliant with OpenTofu S3 backend docs (#238) (d494c20)
  • aws-eks: add private access to k8s API (7d971ad)
  • aws-vpc: disable public ip to EC2 (973f1bc)
  • azure/aks: enforce workload identity — hardcode oidc_issuer_enabled (#358) (e542032)
  • azure/cloud: support passing authentication credentials as variables (#381) (2313640)
  • azure: Add private DNS zone module (813cad3)
  • azure: Add private DNS zone module (#90) (5d4399e)
  • azure: AKS routing infra — aks_route_table module, vnet drift fix, security improvements (#360) (15c2372)
  • azure: unify variable names and update module conventions (41d4f3b)
  • azure: unify variable names and update module conventions (#162) (d8bccf1)
  • backend: add optional KMS encryption and IAM bucket policy (#246) (1af61bd)
  • base: add gateway_public_azure_load_balancer_subnet (#403) (b9b6f5e)
  • base: add gateway_public_load_balancer_type and fix public gateway name (#392) (116fc70)
  • base: security and nrn tags (#160) (2ad4b2f)
  • cert-manager: add aws support (858e346)
  • cert-manager: add Azure Workload Identity support (#272) (800249c)
  • chart: new version of charts (#122) (83a8b39)
  • ci: enable AI readme generator workflow (#203) (5ed8c84)
  • ci: integrate AI readme generation into Release Please workflow (#209) (5ea8de5)
  • cloud-dns: DNSSEC enabled by default for public zones (#393) (c2e606d)
  • commons/azure: Workload Identity for cert-manager and external-dns, with Service Principal fallback (#361) (f11896e)
  • container orchestration (#216) (1a87622)
  • customers-aws-image: update readme (f367a8f)
  • dns,ingress,iam: support disabling public-side resources (#364) (872efa1)
  • do not require org nrn (#261) ([25d...

v5.0.0

@github-actions github-actions released this 25 Jun 15:33
79bb06d

5.0.0 (2026-06-25)

⚠ BREAKING CHANGES

  • iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).

Features

  • iam: separate build workflow user from asset repositories + add S3 asset support (#402) (9ae9e09)

v4.6.0

@github-actions github-actions released this 25 Jun 14:44
851a632

4.6.0 (2026-06-25)

Features

  • base: add gateway_public_azure_load_balancer_subnet (#403) (b9b6f5e)

v4.5.2

@github-actions github-actions released this 22 Jun 20:38
a07f080

4.5.2 (2026-06-22)

Bug Fixes

  • service_definition: handle empty service_path for GitLab and cmdline (#400) (826e016)

v4.5.1

@github-actions github-actions released this 19 Jun 17:54
009b637

4.5.1 (2026-06-19)

Bug Fixes

  • dns: ignore vpc changes on private_zone for cross-account assoc (#398) (772c201)

v4.5.0

@github-actions github-actions released this 16 Jun 16:20
00f2671

4.5.0 (2026-06-16)

Features

  • base: add gateway_public_load_balancer_type and fix public gateway name (#392) (116fc70)

Bug Fixes

  • code_repository: remove access block and ignore_changes from all providers (#396) (4295a7f)