Releases: giantswarm/giantswarm-aws-account-prerequisites

v4.2.0

05 Sep 09:11
c85eddf

Changed

  • Add support for Crossplane usage on the CAPA controller role
  • Add ability to import existing IAM resources into Terraform state for the CAPA controller role

Fixed

  • Fixed Terraform file to use the correct GiantSwarm root account for the user that will assume the capa-controller role.

v4.1.0

20 Aug 15:09
e24aa40

Added

  • Add ec2:ReplaceRoute permissions to the CAPA controller role.
  • Add ec2:DescribeDhcpOptions permissions to the CAPA controller role, required by CAPA releases >= v2.4.0.

Added

  • For cluster cleanup purposes, add the permissions s3:GetBucketTagging and s3:ListAllMyBuckets in order to scan for buckets owned by a management/workload cluster. Those buckets may not have a fixed name pattern (e.g. include AWS region or other dynamic string) and therefore searching by "owned" tag allows us to find and delete all such resources.
  • For cluster cleanup purposes, tag all IAM roles and policies with the installation name, so they are easily identifiable during cleanup / teardown.

v4.0.0

16 Jul 07:45
edbba9e

Added

  • Add iam:ListRoleTags and iam:UntagRole permissions to the AWS operator role.
  • CAPA: add new mc-bootstrap policy to capa-controller role.
  • Add IAM policy for use with Crossplane AWS provider. The initial permissions are meant to be used with Cilium ENI mode.
  • CAPA: add autoscaling:CancelInstanceRefresh permission (needed for AWSMachinePool reconciler improvement)
  • Create a CloudFormation stack to manage the IAM policies and roles.

Changed

  • Use a setup script to automate CAPA controller commands.

Removed

  • Remove vintage setup instructions.

v3.4.0

16 Jan 09:41
8ad2d09

Changed

  • Add S3 permission for CAPA policies in order to run on Flatcar.
  • Remove non-existent IAM actions.

Added

  • Add s3:PutBucketOwnershipControls to irsa policy. Needed because of this change in irsa-operator
  • Add "ec2:DescribeInstanceTypes" to the CAPA controller policy, as it's required by newest CAPA releases.
  • Add EKS permissions for managed node pools, encryption/identity provider configs, CIDR blocks, KMS.

v3.3.0

11 May 10:18
f0b6dab

Changed

  • Add workload cluster AWS account ID to SQS and Events IAM permissions.

v3.2.0

27 Apr 08:04
2866516

Added

  • Add SQS permission for NodeTerminationHandler/Karpenter.
  • Add Events permissions for NodeTerminationHandler/Karpenter.
  • Add ssm:GetParameter for NodeTerminationHandler/Karpenter.

v3.1.0

27 Apr 08:02
947e954

Added

  • Add s3:PutBucketOwnershipControls permissions for GiantSwarmAWSOperator.

v3.0.0

27 Apr 08:00
1838518

Added

  • Extend GiantSwarmAdmin policy to allow EFS service.
  • Extend all policies with iam:TagRole to fix missing tags.
  • Extend GiantSwarmAdmin policy with permissions for policy view and last access service.
  • Add sqs:* permission to admin role.
  • Add iam:*OpenIDConnectProvider permissions to support IAM roles for service accounts.
  • Add s3:PutObjectAcl for uploading public objects.
  • Add ec2:CreateNetworkInterface permission for resolver rules operator.

Changed

  • Limit S3 permissions for GiantSwarmAWSOperator
  • Added sns:Publish permission to network-topology-operator policy
  • Update permissions for resolver rules operator.
  • Extend IAM permissions for GiantSwarmAdmin to allow rotating secrets.

Removed

  • Remove unused service permissions in GiantSwarmAWSOperator.

Fixed

  • Updated README with correct directories

v2.0.0

15 Oct 08:25
d7c0681
release v2.0.0 (#15)

Co-authored-by: github-actions <action@github.com>
Co-authored-by: Paweł Kopiczko <pawel@giantswarm.io>

v1.0.0

04 Sep 10:17
6395782
release v1.0.0 (#12)

Co-authored-by: github-actions <action@github.com>