Migration Guide
This page will detail migration steps to upgrade your deployment of Common Fate to new versions.
v1.19.0
Common Fate Slack Integration: Slack based access request workflow
v1.19.0 adds support for a slack based access request workflow. This new feature requires an update to your app manifest in Slack.
To upgrade, follow the steps below:
- Navigate to https://api.slack.com/apps and then select your Slack app from the list
- Select App Manifest from the left navigation
- Update the manifest JSON with the below, replacing
<Your app url>
where needed with your app URL.
{
"display_information": {
"name": "Common Fate",
"description": "Common Fate powers your cloud access workflows",
"background_color": "#26223a"
},
"features": {
"bot_user": {
"display_name": "Common Fate",
"always_online": false
},
"slash_commands": [
{
"command": "/access",
"url": "<Your app url>/api/v1/integrations/slack/access-command",
"description": "Common Fate Access Workflow",
"should_escape": false
}
]
},
"oauth_config": {
"redirect_urls": ["<Your app url>/api/v1/oauth2/callback/slack"],
"scopes": {
"bot": [
"channels:read",
"users:read",
"users:read.email",
"chat:write",
"chat:write.public",
"groups:read",
"groups:write",
"im:read",
"im:write",
"mpim:read",
"mpim:write",
"commands"
]
}
},
"settings": {
"interactivity": {
"is_enabled": true,
"request_url": "<Your app url>/api/v1/integrations/slack/interactivity",
"message_menu_options_url": "<Your app url>/api/v1/integrations/slack/options-load"
},
"org_deploy_enabled": false,
"socket_mode_enabled": false,
"token_rotation_enabled": false
}
}
- Navigate to Install App and click Reinstall to Workspace
v1.12.0
Common Fate Terraform Module: Provisioner module now bundled in with the main module
v1.12.0 adds a provisioner module deployment to the base common-fate module, this makes it easier to deploy the stack and also helps to ensure the release_tag is consistent between the modules. This is a non breaking change and teams will see the new provisioner is deployed alongside their existing provisioner.
To upgrade to use the builtin provisioner, follow these steps:
Note that this upgrade requires a brief period where provisioning will not be available as you reconfigure the AWS roles for your integrations.
- Copy your configuration blocks from the standalone provisioner to your main module keeping the original provisioner module. The config blocks are prefixed with
provisioner_
e.gprovisioner_aws_idc_config
Users of the AWS IDC integration will need to add an additional required field
idc_identity_store_id
to the config block when upgrading to the builtin provisioner
module "common-fate" {
source = "common-fate/common-fate-deployment/aws"
version = "1.12.0"
# New config block(s) added to your main module
provisioner_aws_idc_config = {
idc_identity_store_id = "<Your Identity Store ID>" # New required parameter added for aws_idc when using the builtin provisioner
... existing config copied over
}
}
# Your existing provisioner module remains unchanged
module "provisioner" {
source = "common-fate/common-fate-deployment/aws"
version = "1.12.0"
aws_idc_config = {
idc_instance_arn = "<Your Identity Center Instance ARN>"
idc_region = "<Your Identity Center Region>"
role_arn = "<ARN of the Common Fate Provision IAM role>"
}
}
-
Apply the changes
-
Update your Integration task roles to use the new builtin provisioner task role arn or name. The following outputs have been added to the common_fate module
provisioner_task_role_name
provisioner_task_role_arn
The provisioner_task_role_name
and provisioner_task_role_arn
both point to
the arn of the role in v1.12.0
. This is a known issue and it has been fixed
in the latest version.
For the AWS integration, you will have to modify the resource with the source common-fate/common-fate-deployment/aws//modules/aws-idc-integration/iam-roles
and update common_fate_aws_provisioner_role_arn
to point to the output of the provisioner_task_role_arn
from the main module.
common_fate_aws_provisioner_role_arn = module.common-fate.provisioner_task_role_arn
For the GCP integration, you will have to modify the resource with the source common-fate/common-fate-deployment/aws//modules/gcp-integration/workload-identity-roles
and update common_fate_aws_provisioner_role_name
to point to the name of the provisioner_task_role_name
from the main module.
common_fate_aws_provisioner_role_name = "common-fate-prod-builtin-provisioner-ecs-tr"
-
Apply the changes
-
Update the
url
of yourcommonfate_webhook_provisioner
resource in your application config using the main module outputprovisioner_url
resource "commonfate_webhook_provisioner" "provisioner" {
url = "http://common-fate-prod-builtin-provisioner.common-fate-prod-builtin.internal:9999"
...
}
- Apply the changes and remove the old provisioner module as it is now no longer required after the migration is complete.
v1.9.0
Common Fate Terraform Module: Security improvements to deployment infrastructure
<v1.7.0
are required to upgrade to v1.8.0
before upgrading to v1.9.0
due to a multi step process to rotate out old security groupsv1.8.0
Common Fate Terraform Module: Security improvements to deployment infrastructure
v1.8.0 includes configuration changes to the terraform-aws-common-fate-deployment
Terraform module to improve security.
This includes:
- Restricted security groups networking configuration used within the Common Fate VPC.
- Introduced new EC2 security groups which have names and descriptions. Previously, our security groups did not have this information, which makes them difficult to attribute to the Common Fate deployment when inspecting them. In
v1.9.0
, ECS tasks will use these new security groups and the existing security groups will be removed. - ALB to drop invalid header fields
- Enforce SQS queues to use server side encryption
<v1.7.0
are required to upgrade to v1.8.0
before upgrading to v1.9.0
due to a multi step process to rotate out old security groupsv1.7.0
Common Fate terraform module: removed favicon variable
Common Fate v1.7.0 removes the favicon
variable from the common-fate module as support customizing the branding of the web app has been removed other than the login screen.
To update your deployment, if you previously had a value configured for this, you will need to remove it.
v1.6.0
GCP Integration: Added JIT access for folders
Common Fate v1.6.0 extends the GCP integration by adding support for JIT access to folders. Teams using the GCP integration will need to update their deployment and their common-fate/common-fate-deployment/aws//modules/gcp-integration/workload-identity-roles
terraform module to version 1.6.0
This update will add 2 new permissions to the provisioner role, granting it the ability to manage IAM roles on folders.
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.setIamPolicy
In order to start requesting access to folders in GCP, you will need to update your commonfate_webhook_provisioner to direct GCP::Folder requests to your provisioner.
resource "commonfate_webhook_provisioner" "prod" {
url = "<The provisioner_url output from the main module e.g http://common-fate-prod-builtin-provisioner.common-fate.prod.internal:9999>"
capabilities = [
{
target_type = "GCP::Project"
role_type = "GCP::Role"
belonging_to = {
type = "GCP::Organization"
id = "<Your GCP organization ID>"
}
},
{
target_type = "GCP::Folder"
role_type = "GCP::Role"
belonging_to = {
type = "GCP::Organization"
id = "<Your GCP organization ID>"
}
},
]
}
After this, you will need to reinstall the pagerduty app in the deployment. You can do so by commenting out the commonfate_pagerduty_integration
resource and then running terraform apply
, and then adding it back in and running terraform apply
again.
Finally, follow the GCP integration guide to configure your selector and availabilities.
v1.5.0
Provisioner: New required parameters
Common Fate v1.5.0 introduced the AWS RDS JIT integration. This integration add 4 new required parameters to the provisioner module in your Terraform deployment.
To upgrade your deployment, add the 4 additional parameters to your provisioner module(s) provisioner_service_client_id
provisioner_service_client_secret
auth_issuer
app_url
as per the example below.
module "common-fate" {
source = "common-fate/common-fate-deployment/aws"
version = "1.5.0"
...
}
module "provisioner" {
source = "common-fate/common-fate-deployment/aws"
version = "1.5.0"
# Existing unchanged parameters
namespace = local.namespace
stage = local.stage
access_handler_sg_id = module.common-fate.access_handler_security_group_id
aws_region = local.aws_region
release_tag = local.release_tag
subnet_ids = module.common-fate.private_subnet_ids
vpc_id = module.common-fate.vpc_id
ecs_cluster_id = module.common-fate.ecs_cluster_id
# New parameters added in v1.5.0
provisioner_service_client_id = module.common-fate.provisioner_client_id
provisioner_service_client_secret = module.common-fate.provisioner_client_secret
auth_issuer = module.common-fate.auth_issuer
app_url = "<Your app URL>"
}
PagerDuty Integration: Added teams
Common Fate v1.5.0 extends the PagerDuty integration by adding support for PagerDuty Teams that can be used when creating authorization policies.
When authoring access policies, you can now use PagerDuty::User
as well as PagerDuty::Team
If you are using the PagerDuty integration then you will need to update the permissions granted to the Oauth app that you created in PagerDuty.
-
To update the permissions, find the Common Fate App Registration within your PagerDuty admin panel
<your-team>.pagerduty.com/developer/applications
and open the detail page. -
On the Edit App page find the OAuth 2.0 section and Click Manage which takes you to the configuration for the OAuth 2.0 app.
-
Under Permission Scope search for “Teams” and check the box for
Read Access
. -
Click Confirm changes > then Save
-
You can now go ahead and update your deployment to v1.5.0
v1.2.0
Common Fate v1.2.0 makes a breaking change to the provisioner module configuration. This change introduces blocks for each integration configuration.
This helps to group the configuration and allows for reuse of parameter names for each integration.
The configuration parameters for GCP and AWS are the same however they have now been shifted into the blocks aws_idc_config
and gcp_config
and the provisioner_
prefix has been dropped.
The provisioner module can now be configured for multiple integrations rather than just single integration, and as such the provisioner_type = "GCP"
field has been dropped.
The provisioner type will now be inferred from the configuration blocks.
A limitation is that the provisioner only supports a single instance of each integration config block. If you are connecting to more that one AWS organization for example, you would deploy 2 instances of the provisioner.
Before
module "provisioner" {
source = "common-fate/common-fate-deployment/aws//modules/provisioner"
version = "1.1.0"
provisioner_type = "GCP"
...
provisioner_aws_idc_instance_arn = "<Your Identity Center Instance ARN>"
provisioner_aws_idc_region = "<Your Identity Center Region>"
provisioner_role_arn = "<ARN of the Common Fate Provision IAM role>"
provisioner_gcp_workload_identity_config_json = jsonencode(<Your workload identity config>)
}
After
module "provisioner" {
source = "common-fate/common-fate-deployment/aws//modules/provisioner"
version = "1.2.0"
...
aws_idc_config = {
idc_instance_arn = "<Your Identity Center Instance ARN>"
idc_region = "<Your Identity Center Region>"
role_arn = "<ARN of the Common Fate Provision IAM role>"
}
gcp_config = {
workload_identity_config_json = jsonencode(<Your workload identity config>)
}
}