All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Bumped cross-spawn to `7.0.6` to mitigate CVE-2024-21538
- Bumped http-proxy-middleware to `2.0.7` to mitigate CVE-2024-21536
- Moved spoke service linked role template as conditional nested stack under spoke stack
- Bumped rollup to `2.79.2` to mitigate CVE-2024-47068
- Bumped micromatch to `4.0.8` to mitigate CVE-2024-4067
- Bumped webpack to `5.94.0` to mitigate CVE-2024-43788
- Bumped express to `4.21.0` to mitigate CVEs in sub-dependencies
- Bumped path-to-regexp to `6.3.0` to address CVE-2024-45296
- `resource_exception_handler` decorator does not catch the `IncorrectState` exception, allowing it to be raised as `ResourceBusyException` by the `service_exception_handler` decorator
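The decorator interaction behind the item above, as an added illustration that is not the project's own code: two stacked handlers, where whatever the inner `resource_exception_handler` does not catch falls through to the outer `service_exception_handler` and is re-typed there. Only the two decorator names and `ResourceBusyException` come from the changelog; the code maps, the other exception classes, the operation name and the `ClientError` stand-in used when botocore is not installed are assumptions made for this example.

```python
"""Stacked boto3 exception-handling decorators (added example, not the project's code).
Decorator names come from the changelog; everything else here is assumed."""
import functools

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore not installed: stand-in with the same constructor and .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name


class IncorrectStateException(Exception):
    """Resource is mid-transition (e.g. attachment still 'modifying'); caller may retry."""


class ResourceNotFoundException(Exception):
    """The VPC, attachment or route table no longer exists."""


class ResourceBusyException(Exception):
    """Generic 'try again later' the outer handler falls back to for state errors."""


class ServiceException(Exception):
    """Catch-all for any ClientError nobody mapped."""


def _error_code(exc):
    return exc.response.get("Error", {}).get("Code", "")


def resource_exception_handler(code_map):
    """Inner decorator: translate specific EC2 error codes into typed exceptions.
    Codes missing from code_map are re-raised as the original ClientError."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            try:
                return func(*args, **kwargs)
            except ClientError as exc:
                mapped = code_map.get(_error_code(exc))
                if mapped is None:
                    raise  # let the outer handler deal with it
                raise mapped(str(exc)) from exc
        return wrapper
    return decorator


def service_exception_handler(func):
    """Outer decorator: any ClientError that escaped the inner handler is re-typed
    here, so an unmapped IncorrectState surfaces as ResourceBusyException."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except ClientError as exc:
            if _error_code(exc) == "IncorrectState":
                raise ResourceBusyException(str(exc)) from exc
            raise ServiceException(str(exc)) from exc
    return wrapper


# Inner-handler code maps (assumed): BEFORE reproduces the bug, where IncorrectState
# is missing from the map; AFTER is the corrected map.
BEFORE = {"InvalidVpcID.NotFound": ResourceNotFoundException}
AFTER = {**BEFORE, "IncorrectState": IncorrectStateException}


def raised_by(code_map, code):
    """Return the exception type name the caller observes when the wrapped boto3 call
    fails with the given error code (constructed error response, no AWS call made)."""
    @service_exception_handler
    @resource_exception_handler(code_map)
    def call():
        raise ClientError({"Error": {"Code": code, "Message": "constructed sample"}},
                          "AssociateTransitGatewayRouteTable")
    try:
        call()
    except Exception as exc:  # we want the observed type, whatever it is
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for label, code_map in (("before", BEFORE), ("after", AFTER)):
        print(label, "IncorrectState ->", raised_by(code_map, "IncorrectState"))
```

With the buggy map an `IncorrectState` response reaches the outer decorator and is reported as `ResourceBusyException`; with the corrected map the inner decorator raises the typed exception, which the outer `except ClientError` no longer intercepts. The same mechanics apply to any code that is only handled by the outer decorator, so which decorator owns each code decides what a Step Functions catch or retry rule sees.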
- Bumped axios to `1.7.4` to mitigate CVE-2024-39338
- Bumped fast-xml-parser to `4.4.1` to mitigate CVE-2024-41818
- Bumped jest to `29.7.0`
- Bumped ts-jest to `29.1.4`
- Bumped boto3 to `1.34.129`
- Bumped botocore to `1.34.129`
- Bumped ejs to `3.1.10` to mitigate CVE-2024-33883
- Bumped ws to resolve CVE-2024-37890
- Validation of transit gateway route table names to improve error message in case of duplicate names
- Removed dependency on 'requests' library to mitigate CVE-2024-3651
- Upgrade webpack-dev-middleware to mitigate CVE-2024-29180
- Updated Lambda Function runtime to Python 3.11 and Node.js 18
- Tags for Application in AppRegistry
- Upgrade @babel/traverse to mitigate CVE-2023-45133
- Upgrade urllib3 to mitigate CVE-2023-45803
- New CloudFormation parameter to allow users to skip transit gateway registration with the global network.
- Updated package versions to resolve security vulnerabilities.
- Move the service linked roles from hub and spoke stacks to separate stacks to allow multi-region deployments and avoid 'AlreadyExists' error.
- Support for new routing tag (route-to-tgw) that allows users to update route table for secondary subnets in the same availability zone.
- Support to update main route table associated with the subnets in the VPC.
- Support for new regions - Beijing, Ningxia and Stockholm.
- Option to deploy the solution without Web UI.
- Option to disable Transit Gateway resource sharing with external principals.
- Allow disabling Transit Gateway resource sharing with external principals.
- Ability to enable MFA for Cognito User Pool
- Updated Web UI console using CloudScape design system.
- Step Function execution name to reflect create or delete tagging action.
- Enabled X-Ray for Step Functions and AppSync GraphQL API
- Improved error handling in the Step Functions that create Transit Gateway route table associations.
- Refactored VPC-TGW Attachment modules for maintainability.
- Refactored exception handling: use a decorator in the boto3 client modules.
- AppRegistry Attribute Group name with a unique string.
- Allow spaces in CloudFormation parameters - CIDR blocks and Prefix Lists.
- Ability to register new and existing transit gateways with existing global network.
- GitHub Issues: #38, #39, #49, #50, #56, #60, #73, #77, #78, #81
- ObjectWriter object ownership control on the logs bucket, in response to the S3 service change
- Updated python requests to 2.28.1 because its certifi dependency required a security patch. Installing requests 2.28.1 pulls in the patched certifi v2022.12.07. For details please refer to https://nvd.nist.gov/vuln/detail/cve-2022-23491.
- package-lock.json to address dependabot identified vulnerabilities
- Support for App Registry
- Unit tests for ui and lambda
- Solution name from Serverless Transit Network Orchestrator (STNO) to Network Orchestration for AWS Transit Gateway
- package-lock.json to address dependabot identified vulnerabilities
- testing-requirements.txt to address dependabot identified vulnerabilities
- package-lock.json to address dependabot identified vulnerabilities
- CloudFormation template allows connecting an external SAML identity provider to the Cognito user pool
- If a SAML IdP is used, the cognito-trigger function adds any federated user to ReadOnlyUserGroup after first login
- Added WAF protection to the CloudFront distribution
- Added security-relevant HTTP headers to CloudFront responses
- Creation of ServiceLinkedRole can be skipped if it exists in spoke account
- Web UI will utilize Cognito Hosted UI instead of Amplify Authenticator component
- dependency versions and package-lock.json to address dependabot identified CVEs
- Tagging the Transit Gateway attachment with "Name" on both the hub and spoke accounts; with the account name, the AWS Organizations OU path and the VPC name
- ListOfVpcTagsForAttachment CloudFormation parameter to specify a comma separated list of tags which if found in the VPC, will be copied across to the TGW attachments
- Support for Organizations Tag policies
- STNO state machine logging using CloudWatch logs
- Improved reliability. Fixed race conditions (issue #1).
- Conditional auto-approval or auto-reject rules based on AWS Organizations OU membership, with separate rules for associations and propagations.
- Events now logged in CloudWatch Logs in addition to DynamoDB; to enable searching with CloudWatch Log Insights
- Allow VPCs deployed using CloudFormation that have the STNO tags to be deleted. This is done by triggering deletion of the transit gateway attachment when CloudFormation attempts to delete the subnet.
- Transit Gateway peering feature now implemented using AWS Lambda
- Pinned dependency versions for deterministic builds
- CloudFormation parameters for log retention days have been moved to mappings section of the template
- SSM Parameter Store for UUID and SendMetrics flag. Both are now added as environment variables to the Lambda functions
- Ability to peer inter-region transit gateways by tagging the transit gateway.
- Option to use an existing transit gateway.
- Ability to create or use existing global network.
- Register the transit gateway with the global network.
- Ability to add custom CIDR blocks to the VPC route tables in the spoke accounts.
- Ability to add customer-managed prefix lists to the VPC route tables in spoke accounts.
- Initial public release