Releases: nullplatform/tofu-modules
Releases · nullplatform/tofu-modules
Release list
v6.0.0
v5.3.1
v5.3.0
v5.2.0
v5.1.0
5.1.0 (2026-06-25)
⚠ BREAKING CHANGES
- iam/agent: the IRSA token no longer has Route53/EKS/ELB/AVP permissions directly. The agent must assume the permissions role (exposed via the nullplatform_agent_permissions_role_arn output) to use them.
- iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).
- dns,ingress,iam: support disabling public-side resources (#364)
- nullplatform/dimension: callers of
nullplatform/dimensionsmust migrate tonullplatform/dimensionand run aterraform state mvto preserve the existing dimension (resource labels changed fromenvironment/environment_valuetothis). Migration steps are documented in the new module's README. - security,eks: cluster_security_group_id and gateway_port variables removed from infrastructure/aws/security. Callers must replace those inputs with a separate module eks_gateway_rules call using infrastructure/aws/eks-gateway-rules.
Features
- 613: add support cert manager for oci (#152) (1282171)
- account: make repository_prefix and repository_provider optional (#326) (a0a079a)
- add additional_policies variable to agent IAM module (#233) (7762406)
- add ebs and storage class for eks (#298) (8c00ba3)
- add eks_cluster_primary_security_group_id output (#236) (46412f8)
- add extra_envs variable to agent module (#229) (996b24f)
- add istio security groups (#190) (5e06e8c)
- add pre-configured api_key modules for agent, scope and service notifications (d5d1d76)
- add scope_configuration module (#271) (a49e943)
- agent: add config external-dns to aws config (3d69436)
- agent: add config external-dns to aws config (#105) (1a828f9)
- agent: IAM assume-role support + multi-instance parametrization (#386) (b82df52)
- agent: move identical variables to global configuration (2b78254)
- aks acr integration (#120) (e2237b6)
- api-key: add custom_grants support for multi-NRN grants (#276) (ce70c59)
- aws-backend: make backend module compliant with OpenTofu S3 backend docs (#238) (d494c20)
- aws-eks: add private access to k8s API (7d971ad)
- aws-vpc: disable public ip to EC2 (973f1bc)
- azure/aks: enforce workload identity — hardcode oidc_issuer_enabled (#358) (e542032)
- azure/cloud: support passing authentication credentials as variables (#381) (2313640)
- azure: Add private DNS zone module (813cad3)
- azure: Add private DNS zone module (#90) (5d4399e)
- azure: AKS routing infra — aks_route_table module, vnet drift fix, security improvements (#360) (15c2372)
- azure: unify variable names and update module conventions (41d4f3b)
- azure: unify variable names and update module conventions (#162) (d8bccf1)
- backend: add optional KMS encryption and IAM bucket policy (#246) (1af61bd)
- base: add gateway_public_azure_load_balancer_subnet (#403) (b9b6f5e)
- base: add gateway_public_load_balancer_type and fix public gateway name (#392) (116fc70)
- base: security and nrn tags (#160) (2ad4b2f)
- cert-manager: add aws support (858e346)
- cert-manager: add Azure Workload Identity support (#272) (800249c)
- chart: new version of charts (#122) (83a8b39)
- ci: enable AI readme generator workflow (#203) (5ed8c84)
- ci: integrate AI readme generation into Release Please workflow (#209) (5ea8de5)
- cloud-dns: DNSSEC enabled by default for public zones (#393) (c2e606d)
- commons/azure: Workload Identity for cert-manager and external-dns, with Service Principal fallback (#361) (f11896e)
- container orchestration (#216) (1a87622)
- customers-aws-image: update readme (f367a8f)
- dns,ingress,iam: support disabling public-side resources (#364) (872efa1)
- do not require org nrn (#261) ([25d...
v5.0.0
5.0.0 (2026-06-25)
⚠ BREAKING CHANGES
- iam: infrastructure/aws/iam/ecr no longer creates the build workflow user, access key or group, and no longer outputs build_workflow_access_key_id / build_workflow_access_key_secret. Consumers must instantiate the new build-user module, pass its group_name to ecr (new required input build_workflow_group_name) and to s3-assets, take the build credentials from build-user outputs, and run a tofu state mv to preserve the existing user and access key (see infrastructure/aws/iam/build-user/README.md). The IAM group is renamed from ecr-managers to asset-publishers (recreated; does not rotate the user's keys).