DevOps Weekly Update

FEATURES:

• New Data Source: azurerm_mssql_managed_database (#27026)

BUG FIXES:

• azurerm_application_insights_api_key - fix condition that nil checks the list of available API keys to prevent an indefinate loop when keys created outside of Terraform are present (#28037)
• azurerm_data_factory_linked_service_azure_sql_database - send tenant_id only if it has been specified (#28120)
• azurerm_eventgrid_event_subscription - fix crash when flattening advanced_filter (#28110)
• azurerm_virtual_network_gateway - fix crash issue when specifying root_certificate or revoked_certificate (#28099)

ENHANCEMENTS:

• dependencies - update go-azure-sdk to v0.20241128.1112539 (#28137)
• containerapps - update api version to 2024-03-01 (#28074)
• Search - update api version to 2024-06-01-preview (#27803)
• Data Source: azurerm_logic_app_standard - add support for the public_network_access property (#27913)
• Data Source: azurerm_search_service - add support for the customer_managed_key_encryption_compliance_status property (#27478)
• azurerm_container_registry_task - add validation on cpu as well as on agent_pool_nameand agent_setting (#28098)
• azurerm_databricks_workspace - add support for the enhanced_security_compliance block (#26606)
• azurerm_eventhub - deprecate namespace_name and resource_group_name in favour of namespace_id (#28055)
• azurerm_logic_app_standard - add support for the public_network_access property (#27913)
• azurerm_search_service - add support for the customer_managed_key_encryption_compliance_status property (#27478)
• azurerm_cosmosdb_account - add support for value EnableNoSQLFullTextSearch in the capabilities.name property (#28114)

NOTES:

• New ephemeral resources azurerm_key_vault_certificate and azurerm_key_vault_secret now support ephemeral values

FEATURES:

• New Ephemeral Resource: azurerm_key_vault_certificate (#28083)
• New Ephemeral Resource: azurerm_key_vault_secret (#28083)
• New Resource: azurerm_eventgrid_namespace (#27682)

ENHANCEMENTS:

• dependencies: update hashicorp/go-azure-sdk to v0.20241118.1115603 (#28075)
• batch - upgrade api version to 2024-07-01 (#27982)
• containerregistry - upgrade api version to 2023-11-01-preview (#27983)
• azurerm_application_gateway - 1.1 is now accepted as a valid rule_set_version in the waf_configuration block (#28039)
• azurerm_arc_machine - add support for the identity and tags properties (#27987)
• azurerm_container_app - secret.name now accepts up to 253 characters and . (#27935)
• azurerm_network_manager - scope_accesses now accepts Routing (#28033)
• azurerm_network_watcher_flow_log - add support for the target_resource_id property (#26015)
• azurerm_role_assignment - condition_version will be defaulted to 2.0 when condition has been set (#27189)
• azurerm_subnet - Informatica.DataManagement/organizations is a valid service_delegation (#27993)
• azurerm_virtual_network - Informatica.DataManagement/organizations is a valid service_delegation (#27993)
• azurerm_web_application_firewall_policy - 1.1 is now accepted as a valid version for Microsoft_BotManagerRuleSet rule types (#28039)

BUG:

• azurerm_api_management - public_ip_address_id is no longer required when zone has been set (#27976)
• azurerm_api_management_diagnostic - raise and error when operation_name_format is used with and identity that is not applicationinsights (#27630)
• azurerm_api_management_api_diagnostic - raise and error when operation_name_format is used with and identity that is not applicationinsights (#27630)
• azurerm_application_gateway - rewrite_rule_set can be supplied when using Basic sku (#28011)
• azurerm_container_registry_token_password - correctly mark as gone if container registry token doesn't exist (#27232)
• azurerm_kusto_cluster - allowed_fqdn and allowed_ip_ranges can now be set to empty lists (#27529)
• azurerm_linux_function_app_slot - create content settings when using a consumpton plan (#25412)
• azurerm_virtual_network_gatway - updating ip_configuration now recreates the resource (#27828)

A new REST API endpoint lists the secret scanning scan history for a repository, giving you visibility into when different types of secret scanning scans have occurred in your repository. This information can be helpful for auditing purposes and troubleshooting.

To get your repository’s scan history, call the /repos/{owner}/{repo}/secret-scanning/scan-history endpoint. The following table lists the responses returned by the API:

Secret scanning covers multiple scan sources, triggers, and methods of scanning. Scans listed in the API are not an exhaustive list of all scans for a repository. The following scans are not included:
– incremental scans and pattern update scans for non-git content types
– non-git backfills for custom patterns set at the repository level
– any pattern update scans completed before September 2024
– scans for passwords detected with Copilot Secret Scanning

A repository must have a GitHub Advanced Security license to get the scan history.

Learn more about how to secure your repositories with secret scanning.

The post Access a repository’s secret scanning scan history with the REST API appeared first on The GitHub Blog.

For organization owners, managing the security manager role is now easier and more flexible. These updates empower you to tailor security responsibilities and streamline role assignments to fit your needs:

1. Assign the security manager role to individual users: The security manager role can now be assigned directly to individual users, in addition to teams. This added flexibility ensures security responsibilities are allocated precisely where needed.
2. Streamlined role management in organization settings: Security manager assignment and configuration is now part of Settings > Organization roles at the organization level. This relocation centralizes and simplifies role management, making it intuitive to oversee security managers alongside other organizational roles.

Building on recent improvements

The addition of custom organization roles with repository permissions takes flexibility to the next level. With these updates, you can customize security roles to balance the right level of responsibility and access for your team. Here’s how you can leverage these features to meet your specific requirements:

1. Craft a security manager role with fewer permissions: The addition of repository permissions to custom organization roles means you can build custom security roles with a subset of security manager permissions, such as:
   • View secret scanning
   • Dismiss secret scanning
   • View code scanning
   • Dismiss code scanning
   • Delete code scanning analyses
   • View Dependabot alerts
   • Dismiss Dependabot alerts

   This lets you assign security responsibilities without granting the full access of a security manager role.

2. Expand the security manager role with additional permissions: Using custom organization roles, you can enhance the security manager role by adding additional organization-level or repository-specific permissions. For example, you can grant audit log access or other highly requested capabilities to create a tailored role that fits your team’s specific needs.

These updates are now generally available on GitHub Enterprise Cloud and will be included in GitHub Enterprise Server 3.16.

Learn more about the security manager role, custom organization roles and send us your feedback

The post Expanded flexibility and control for managing the security manager role appeared first on The GitHub Blog.

You can now export security data for offline analysis, reporting, and archival purposes on the enterprise-level security overview pages. This includes:

• Enterprise-level overview dashboard: Export alert-level data for all your scanning tools—including third-party scanning tools.
• Enterprise-level risk page: Export repository-level data with aggregated counts of security alerts per repository for code scanning, Dependabot, and secret scanning.
• Enterprise-level coverage page: Export repository-level data showing the enablement state for all Dependabot, code scanning, and secret scanning features.

Just like at the organization level, exports will respect all filters you’ve applied to the page, making it easy to for you to tailor downloads to your specific needs. Whether you’re focused on enterprise-wide insights or repository-level details, the data is now at your fingertips.

You can download all data where you have an appropriate level of access.

Learn more about security overview and send us your feedback

The post CSV export for enterprise-level security overview appeared first on The GitHub Blog.

This update includes several key improvements: Copilot Chat on Mobile now includes beta supports for Copilot Extensions, iOS users can enjoy three new app icons in celebration of Universe, and Android users can pin their favorite repositories to the home screen.

With Copilot Extensions on Mobile, developers can extend Copilot’s capabilities on the go, integrating third-party tools, automating tasks, and receiving personalized code suggestions.

iOS

What’s new

• GitHub Copilot Extensions are in beta.
• In celebration of Universe this year, we added 3 new app icons: Copilot, Nova Mona, and Quack. Head to Settings to choose your favorite.

Bug fixes

• The more button in Copilot chat shows the three most recent conversations.
• See contributors of a repository in the Explore tab with keyboards.
• Select multiple code lines to add a review comment with keyboards.
• Voiceover announces file status when jumping to a file while reviewing a pull request.
• Entering the required inputs of a dispatched workflow correctly enables the Run Workflow button.
• The settings button on iPad maintains its aspect ratio when the username is long.
• Links to relative images within Markdown which include query parameters render the image without error.

Android

What’s new

• GitHub Copilot Extensions are in beta.
• Pin your favorite repositories directly to your device’s home screen.

Bug fixes

• Checkboxes in the Files Changed screen now show the correct state when scrolling.
• Relative images within Markdown files are now rendering correctly in all cases.
• Longer Discussions now indicate page loading.
• Improving accessibility for Feed headers.
• More accurate TalkBack descriptions in trending repositories.
• Color contrast improvements for Pull Request merge options.

The post What’s New in Mobile, November Update appeared first on The GitHub Blog.

Based on customer feedback, we have updated how the created_at timestamp works in the Copilot seat details portion of responses from the following REST API endpoints:

• /organization/{org}/billing/copilot/seats
• /enterprises/{enterprise}/billing/copilot/seats
• /organization/{org}/members/{username}/copilot

The created_at timestamp now shows when a user received Copilot access, rather than when their team, enterprise team, or organization was granted access. This matches the timestamp of the seat’s corresponding seat_added event in the Audit Log.

The post Update to seat `created_at` timestamp in the Copilot user management REST API [Public Preview] appeared first on The GitHub Blog.

1.10.0 (November 27, 2024)

NEW FEATURES:

• Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
• Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
  • ephemeralasnull function: a function takes a value of any type and returns a similar value of the same type with any ephemeral values replaced with non-ephemeral null values and all non-ephemeral values preserved.

BUG FIXES:

• The secret_suffix in the kubernetes backend now includes validation to prevent errors when the secret_suffix ends with a number (#35666).
• The error message for an invalid default value for an input variable now indicates when the problem is with a nested value in a complex data type. (#35465)
• Sensitive marks could be incorrectly transferred to nested resource values, causing erroneous changes during a plan (#35501)
• Allow unknown error_message values to pass the core validate step, so variable validation can be completed later during plan
  (#35537)
• Unencoded slashes within GitHub module source refs were being truncated and incorrectly used as subdirectories in the request path (#35552)
• Terraform refresh-only plans with output only changes are now applyable. (#35812)
• Postconditions referencing self with many instances could encounter an error during evaluation (#35895)
• The plantimestamp() function would return an invalid date during validation (#35902)
• Updates to resources which were forced to use create_before_destroy could lose that flag in the state temporarily and cause cycles if immediately removed from the configuration (#35966)
• backend/cloud: Prefer KV tags, even when tags are defined as set (#35937)
• Simplify config generation (plan -generate-config-out) for string attributes that contain primitive types (e.g. numbers or booleans) (#35984)
• config: issensitive could incorrectly assert that an unknown value was not sensitive during plan, but later became sensitive during apply, causing failures where changes did not match the planned result (#36012)
• config: The evaluation of conditional expressions and for expression in HCL could lose marks with certain combinations of unknown values (#36017)

ENHANCEMENTS:

• The element function now accepts negative indices (#35501)
• Import block validation has been improved to provide more useful errors and catch more invalid cases during terraform validate (#35543)
• Performance enhancements for resource evaluation, especially when large numbers of resource instances are involved (#35558)
• The plan, apply, and refresh commands now produce a deprecated warning when using the -state flag. Instead use the path attribute within the local backend to modify the state file. (#35660)
• backend/cos: Add new auth for Tencent Cloud backend (#35888)

UPGRADE NOTES:

• backend/s3: Removes deprecated attributes for assuming IAM role. Must use the assume_role block (#35721)
• backend/s3: The s3 backend now supports S3 native state locking. When used with DynamoDB-based locking, locks will be acquired from both sources. In a future minor release of Terraform the DynamoDB locking mechanism and associated arguments will be deprecated. (#35661)
• moved: Moved blocks now respect reserved keywords when parsing resource addresses. Configurations that reference resources with type names that match top level blocks and keywords from moved blocks will need to prepend the resource. identifier to these references. (#35850)
• config: In order to ensure consistency in results from HCL conditional expressions, marks must be combined from all values within the expression to avoid losing mark information. This typically improves accuracy when validating configuration, but users may see sensitive results where they were lost previously.

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

1.10.0-rc3 (November 25, 2024)

NEW FEATURES:

• Ephemeral resources: Ephemeral resources are read anew during each phase of Terraform evaluation, and cannot be persisted to state storage. Ephemeral resources always produce ephemeral values.
• Ephemeral values: Input variables and outputs can now be defined as ephemeral. Ephemeral values may only be used in certain contexts in Terraform configuration, and are not persisted to the plan or state files.
  • ephemeralasnull function: a function takes a value of any type and returns a similar value of the same type with any ephemeral values replaced with non-ephemeral null values and all non-ephemeral values preserved.

BUG FIXES:

• The secret_suffix in the kubernetes backend now includes validation to prevent errors when the secret_suffix ends with a number (#35666).
• The error message for an invalid default value for an input variable now indicates when the problem is with a nested value in a complex data type. (#35465)
• Sensitive marks could be incorrectly transferred to nested resource values, causing erroneous changes during a plan (#35501)
• Allow unknown error_message values to pass the core validate step, so variable validation can be completed later during plan
  (#35537)
• Unencoded slashes within GitHub module source refs were being truncated and incorrectly used as subdirectories in the request path (#35552)
• Terraform refresh-only plans with output only changes are now applyable. (#35812)
• Postconditions referencing self with many instances could encounter an error during evaluation (#35895)
• The plantimestamp() function would return an invalid date during validation (#35902)
• Updates to resources which were forced to use create_before_destroy could lose that flag in the state temporarily and cause cycles if immediately removed from the configuration (#35966)
• backend/cloud: Prefer KV tags, even when tags are defined as set (#35937)
• Simplify config generation (plan -generate-config-out) for string attributes that contain primitive types (e.g. numbers or booleans) (#35984)
• config: issensitive could incorrectly assert that an unknown value was not sensitive during plan, but later became sensitive during apply, causing failures where changes did not match the planned result (#36012)
• config: The evaluation of conditional expressions and for expression in HCL could lose marks with certain combinations of unknown values (#36017)

ENHANCEMENTS:

• The element function now accepts negative indices (#35501)
• Import block validation has been improved to provide more useful errors and catch more invalid cases during terraform validate (#35543)
• Performance enhancements for resource evaluation, especially when large numbers of resource instances are involved (#35558)
• The plan, apply, and refresh commands now produce a deprecated warning when using the -state flag. Instead use the path attribute within the local backend to modify the state file. (#35660)
• backend/cos: Add new auth for Tencent Cloud backend (#35888)

UPGRADE NOTES:

• backend/s3: Removes deprecated attributes for assuming IAM role. Must use the assume_role block (#35721)
• backend/s3: The s3 backend now supports S3 native state locking. When used with DynamoDB-based locking, locks will be acquired from both sources. In a future minor release of Terraform the DynamoDB locking mechanism and associated arguments will be deprecated. (#35661)
• moved: Moved blocks now respect reserved keywords when parsing resource addresses. Configurations that reference resources with type names that match top level blocks and keywords from moved blocks will need to prepend the resource. identifier to these references. (#35850)
• config: In order to ensure consistency in results from HCL conditional expressions, marks must be combined from all values within the expression to avoid losing mark information. This typically improves accuracy when validating configuration, but users may see sensitive results where they were lost previously.

Previous Releases

For information on prior major and minor releases, refer to their changelogs:

• v1.9
• v1.8
• v1.7
• v1.6
• v1.5
• v1.4
• v1.3
• v1.2
• v1.1
• v1.0
• v0.15
• v0.14
• v0.13
• v0.12
• v0.11 and earlier

NOTES:

• resource/aws_s3_bucket_lifecycle_configuration: Lifecycle configurations can now be applied to directory buckets (#40268)

FEATURES:

• New Resource: aws_iam_organizations_features (#40164)

ENHANCEMENTS:

• data-source/aws_memorydb_cluster: Add engine attribute (#40224)
• data-source/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#40224)
• resource/aws_memorydb_cluster: Add engine argument (#40224)
• resource/aws_memorydb_snapshot: Add cluster_configuration.engine attribute (#40224)

BUG FIXES:

• data-source/aws_rds_reserved_instance_offering: When product_description (e.g., "postgresql") is a substring of multiple products, fix Error: multiple RDS Reserved Instance Offerings matched; use additional constraints to reduce matches to a single RDS Reserved Instance Offering (#40281)
• provider: Suppress Warning: AWS account ID not found for provider when skip_requesting_account_id is true (#40264)
• resource/aws_batch_job_definition: Fix crash when specifying eksProperties or ecsProperties block (#40172)
• resource/aws_bedrock_guardrail: Fix perpetual diff if multiple content_policy_config.filters_configs are specified. (#40304)
• resource/aws_chatbot_slack_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#40253)
• resource/aws_chatbot_teams_channel_configuration: Fix inconsistent provider result when order of sns_topic_arnschanges (#40291)
• resource/aws_db_instance: When changing storage_type from io1 or io2 to gp3, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#37257)
• resource/aws_db_instance: When changing a gp3 volume's allocated_storage to a value larger than the threshold value for engine, fix bug causing error InvalidParameterCombination: You must specify both the storage size and iops when modifying the storage size or iops on a DB instance that has iops (#28847)

FEATURES:

• New Resource: google_healthcare_pipeline_job (#19717)
• New Resource: google_secure_source_manager_branch_rule (#19773)

IMPROVEMENTS:

• container: google_container_cluster will now accept server-specified values for node_pool_auto_config.0.node_kubelet_config when it is not defined in configuration and will not detect drift. Note that this means that removing the value from configuration will now preserve old settings instead of reverting the old settings. (#19817)
• discoveryengine: added chat_engine_config.dialogflow_agent_to_link field to google_discovery_engine_chat_engine resource (#19723)
• networkconnectivity: added field migration to resource google_network_connectivity_internal_range (#19757)
• networkservices: added routing_mode field to google_network_services_gateway resource (#19764)

BUG FIXES:

• bigtable: fixed an error where BigTable IAM resources could be created with conditions but the condition was not stored in state (#19725)
• container: fixed issue which caused to not being able to disable enable_cilium_clusterwide_network_policy field on google_container_cluster. (#19736)
• container: fixed a diff triggered by a new API-side default value for node_config.0.kubelet_config.0.insecure_kubelet_readonly_port_enabled. Terraform will now accept server-specified values for node_config.0.kubelet_config when it is not defined in configuration and will not detect drift. Note that this means that removing the value from configuration will now preserve old settings instead of reverting the old settings. (#19817)
• dataproc: fixed a bug in google_dataproc_cluster that prevented creation of clusters with internal_ip_only set to false (#19782)
• iam: addressed google_service_account creation issues caused by the eventual consistency of the GCP IAM API by ignoring 403 errors returned on polling the service account after creation. (#19727)
• logging: fixed the whitespace permadiff on exclusions.filter field in google_logging_billing_account_sink, google_logging_folder_sink, google_logging_organization_sink and google_logging_project_sink resources (#19744)
• pubsub: fixed permadiff with configuring an empty retry_policy in google_pubsub_subscription (#19784)
• secretmanager: fixed the issue of unpopulated fields labels, annotations and version_destroy_ttl in the terraform state for the google_secret_manager_secrets datasource (#19748)

FEATURES:

• New Data Source: google_oracle_database_cloud_exadata_infrastructure (#19856)
• New Data Source: google_oracle_database_cloud_vm_cluster (#19859)
• New Data Source: google_oracle_database_db_nodes (#19871)
• New Data Source: google_oracle_database_db_servers (#19823)
• New Resource: google_oracle_database_autonomous_database (#19860)
• New Resource: google_oracle_database_cloud_exadata_infrastructure (#19798)
• New Resource: google_oracle_database_cloud_vm_cluster (#19837)
• New Resource: google_transcoder_job_template (#19854)
• New Resource: google_transcoder_job (#19854)

IMPROVEMENTS:

• cloudfunctions: increased the timeouts to 20 minutes for google_cloudfunctions_function resource (#19799)
• cloudrunv2: added invoker_iam_disabled field to google_cloud_run_v2_service (#19833)
• compute: made google_compute_network_firewall_policy_rule use MMv1 engine instead of DCL. (#19862)
• compute: made google_compute_region_network_firewall_policy_rule use MMv1 engine instead of DCL. (#19862)
• compute: added ip_address_selection_policy field to google_compute_backend_service and google_compute_region_backend_service. (#19863)
• compute: added provisioned_throughput field to google_compute_instance_template resource (#19852)
• compute: added provisioned_throughput field to google_compute_region_instance_template resource (#19852)
• container: added support for additional values KCP_CONNECTION, and KCP_SSHDin google_container_cluster.logging_config (#19812)
• dialogflowcx: added advanced_settings.logging_settings and advanced_settings.speech_settings to google_dialogflow_cx_agent and google_dialogflow_cx_flow (#19801)
• networkconnectivity: added linked_producer_vpc_network field to google_network_connectivity_spoke resource (#19806)
• secretmanager: added is_secret_data_base64 field to google_secret_manager_secret_version and google_secret_manager_secret_version_access datasources (#19831)
• secretmanager: added is_secret_data_base64 field to google_secret_manager_regional_secret_version and google_secret_manager_regional_secret_version_access datasources (#19831)
• spanner: added kms_key_names to encryption_config in google_spanner_database (#19846)
• workstations: added max_usable_workstations field to google_workstations_workstation_config resource (#19872)
• workstations: added field allowed_ports to google_workstations_workstation_config (#19845)

BUG FIXES:

• bigquery: fixed a regression that caused google_bigquery_dataset_iam_* resources to attempt to set deleted IAM members, thereby triggering an API error (#19857)
• compute: fixed an issue in google_compute_backend_service and google_compute_region_backend_service to allow sending false for iap.enabled (#19795)
• container: node_config.linux_node_config, node_config.workload_metadata_config and node_config.kubelet_config will now successfully send empty messages to the API when terraform plan indicates they are being removed, rather than null, which caused an error. The sole reliable case is node_config.linux_node_config when the block is removed, where there will still be a permadiff, but the update request that's triggered will no longer error and other changes displayed in the plan should go through. (#19842)