v2.9.1

🧰 Included Tools

Update dependency cryptography to v42.0.3 @renovate (#919)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cryptography (changelog)	==42.0.2 -> ==42.0.3

---

Release Notes

pyca/cryptography (cryptography)

v42.0.3

Compare Source

---

Update AWS CLI packages @renovate (#920)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.32.39 -> ==1.32.44
boto3	==1.34.39 -> ==1.34.44

---

Release Notes

aws/aws-cli (awscli)

v1.32.44

Compare Source

=======

• api-change:connectparticipant: Doc only update to GetTranscript API reference guide to inform users about presence of events in the chat transcript.
• api-change:emr: adds fine grained control over Unhealthy Node Replacement to Amazon ElasticMapReduce
• api-change:firehose: This release adds support for Data Message Extraction for decompressed CloudWatch logs, and to use a custom file extension or time zone for S3 destinations.
• api-change:lambda: Documentation-only updates for Lambda to clarify a number of existing actions and properties.
• api-change:rds: Doc only update for a valid option in DB parameter group
• api-change:sns: This release marks phone numbers as sensitive inputs.

v1.32.43

Compare Source

=======

• api-change:artifact: This is the initial SDK release for AWS Artifact. AWS Artifact provides on-demand access to compliance and third-party compliance reports. This release includes access to List and Get reports, along with their metadata. This release also includes access to AWS Artifact notifications settings.
• api-change:codepipeline: Add ability to override timeout on action level.
• api-change:detective: Doc only updates for content enhancement
• api-change:guardduty: Marked fields IpAddressV4, PrivateIpAddress, Email as Sensitive.
• api-change:healthlake: This release adds a new response parameter, JobProgressReport, to the DescribeFHIRImportJob and ListFHIRImportJobs API operation. JobProgressReport provides details on the progress of the import job on the server.
• api-change:opensearch: Adds additional supported instance types.
• api-change:polly: Amazon Polly adds 1 new voice - Burcu (tr-TR)
• api-change:sagemaker: This release adds a new API UpdateClusterSoftware for SageMaker HyperPod. This API allows users to patch HyperPod clusters with latest platform softwares.
• api-change:secretsmanager: Doc only update for Secrets Manager
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.32.42

Compare Source

=======

• api-change:controltower: Adds support for new Baseline and EnabledBaseline APIs for automating multi-account governance.
• api-change:lookoutequipment: This feature allows customers to see pointwise model diagnostics results for their models.
• api-change:qbusiness: This release adds the metadata-boosting feature, which allows customers to easily fine-tune the underlying ranking of retrieved RAG passages in order to optimize Q&A answer relevance. It also adds new feedback reasons for the PutFeedback API.

v1.32.41

Compare Source

=======

• api-change:lightsail: This release adds support to upgrade the major version of a database.
• api-change:marketplace-catalog: AWS Marketplace Catalog API now supports setting intent on requests
• api-change:resource-explorer-2: Resource Explorer now uses newly supported IPv4 'amazonaws.com' endpoints by default.
• api-change:securitylake: Documentation updates for Security Lake
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.32.40

Compare Source

=======

• api-change:appsync: Adds support for new options on GraphqlAPIs, Resolvers and Data Sources for emitting Amazon CloudWatch metrics for enhanced monitoring of AppSync APIs.
• api-change:cloudwatch: Update cloudwatch command to latest version
• api-change:neptune-graph: Adding a new option "parameters" for data plane api ExecuteQuery to support running parameterized query via SDK.
• api-change:route53domains: This release adds bill contact support for RegisterDomain, TransferDomain, UpdateDomainContact and GetDomainDetail API.

boto/boto3 (boto3)

v1.34.44

Compare Source

=======

• api-change:connectparticipant: [botocore] Doc only update to GetTranscript API reference guide to inform users about presence of events in the chat transcript.
• api-change:emr: [botocore] adds fine grained control over Unhealthy Node Replacement to Amazon ElasticMapReduce
• api-change:firehose: [botocore] This release adds support for Data Message Extraction for decompressed CloudWatch logs, and to use a custom file extension or time zone for S3 destinations.
• api-change:lambda: [botocore] Documentation-only updates for Lambda to clarify a number of existing actions and properties.
• api-change:rds: [botocore] Doc only update for a valid option in DB parameter group
• api-change:sns: [botocore] This release marks phone numbers as sensitive inputs.

v1.34.43

Compare Source

=======

• api-change:artifact: [botocore] This is the initial SDK release for AWS Artifact. AWS Artifact provides on-demand access to compliance and third-party compliance reports. This release includes access to List and Get reports, along with their metadata. This release also includes access to AWS Artifact notifications settings.
• api-change:codepipeline: [botocore] Add ability to override timeout on action level.
• api-change:detective: [botocore] Doc only updates for content enhancement
• api-change:guardduty: [botocore] Marked fields IpAddressV4, PrivateIpAddress, Email as Sensitive.
• api-change:healthlake: [botocore] This release adds a new response parameter, JobProgressReport, to the DescribeFHIRImportJob and ListFHIRImportJobs API operation. JobProgressReport provides details on the progress of the import job on the server.
• api-change:opensearch: [botocore] Adds additional supported instance types.
• api-change:polly: [botocore] Amazon Polly adds 1 new voice - Burcu (tr-TR)
• api-change:sagemaker: [botocore] This release adds a new API Updat...

v2.9.0 Update to Debian 12.4 from 11.8 (minor breaking change)

In this release we upgrade from Debian 11 (buster) to Debian 12 (bookworm). This introduces a minor breaking change.

Debian 12 has symbolic links for /bin, /sbin, and /lib pointing to /usr/bin, /usr/sbin, and /usr/lib respectively. This can break certain customizations you may be making in your Dockerfile for your custom image, and can also affect Spacelift users.

If you are making a customized version of Geodesic

Previously, the Dockerfile command:

COPY rootfs/ /

worked fine even if you had /bin, /sbin, or /lib subdirectories under rootfs/. Previous versions of Geodesic did have a rootfs/sbin directory which contained a single file, docker, which was a script that explained that the docker command was not installed and gave instructions on how to install it. This caused the COPY command to fail with the error:

ERROR: failed to solve: cannot copy to non-directory: /var/lib/docker/overlay2/6568nfahv2cv3vak9y7g5xv4d/merged/bin

For this reason, we moved the docker stub from rootfs/sbin/ to rootfs/usr/bin. (The reason it had been in /sbin before was so that it would appear later on the path than /usr/bin, which is where the real docker command is installed. However, with the new symlinks, /usr/bin is the last real directory on the PATH, so we can no longer put the stub in a later directory. Now we put it in /usr/bin where it will get replaced when the real docker command is installed.)

To fix this error, move the content out of rootfs/bin, rootfs/sbin, and rootfs/lib and into rootfs/usr/bin, rootfs/usr/sbin, and rootfs/usr/lib.

---

If you are using Geodesic as the base image for Spacelift

Cloud Posse distributed Spacelift configuration scripts that included the line

ln -sfTv /bin/terraform /usr/bin/terraform

Since Debian replaced the /bin directory with a symlink to /usr/bin, this line should be changed to

[ /bin -ef /usr/bin ] || ln -sfTv /bin/terraform /usr/bin/terraform

or removed completely. Otherwise you will find that the terraform command cannot be found, and you might get an error like

Using Terraform: 
+ which terraform
[01HPMBE7B9D1XJBM622MGSGM46] Unexpected exit code when initializing workspace: 1

🚀 Enhancements

Update to Debian 12.4 and other updates @Nuru (#918)

what

• Update Google Cloud SDK from 455.0.0 to 463.0.0
• Update helm-diff from 3.8.1 to 3.9.4
• Updates to Debian-based Geodesic:
  • Update Debian from 11.8 to 12.4
  • Update Python from 3.11.6 to 3.12.2
  • Change architecture emulation message to inform user that native architecture is available
• Updates to Alpine-based Geodesic:
  • Update Alpine from 3.18.5 to 3.18.6
  • Add deprecation message to banner

why

• Reduce number of known vulnerabilities. See #916
• Inform Alpine users that we will be discontinuing support soon

references

A trivy image scan of a development build of this PR showed zero known fixed vulnerabilities present in the Debian version. It detected 1 known fixed vulnerability in the Alpine version: the Google Cloud SDK includes Python packages that include cryptography v41.0.7, which has a vulnerability that has been fixed in the site-wide installed Python package, version 42.0.2.

• Supersedes and closes #916

v2.8.7

🏗️ Build/Release Maintenance

Add OCI annotations @Nuru (#917)

what

• Add OCI annotations to published images

why

• Standard compliance and better support for third-party tooling

references

• OCI annotations
• Supersedes and closes #915

v2.8.6

🧰 Included Tools

Update dependency cryptography to v42 [Security] @renovate (#906)

GitHub Vulnerability Alerts

CVE-2023-50782

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

• Closes #912
• Closes #913

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cryptography (changelog)	==41.0.7 -> ==42.0.2

---

Release Notes

pyca/cryptography (cryptography)

v42.0.2

Compare Source

v42.0.1

Compare Source

v42.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

Update AWS CLI packages @renovate (#914)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.32.34 -> ==1.32.39
boto3	==1.34.34 -> ==1.34.39

---

Release Notes

aws/aws-cli (awscli)

v1.32.39

Compare Source

=======

• api-change:amp: Overall documentation updates.
• api-change:batch: This feature allows Batch to support configuration of repository credentials for jobs running on ECS
• api-change:braket: Creating a job will result in DeviceOfflineException when using an offline device, and DeviceRetiredException when using a retired device.
• api-change:cost-optimization-hub: Adding includeMemberAccounts field to the response of ListEnrollmentStatuses API.
• api-change:ecs: Documentation only update for Amazon ECS.
• api-change:iot: This release allows AWS IoT Core users to enable Online Certificate Status Protocol (OCSP) Stapling for TLS X.509 Server Certificates when creating and updating AWS IoT Domain Configurations with Custom Domain.
• api-change:pricing: Add Throttling Exception to all APIs.

v1.32.38

Compare Source

=======

• api-change:codepipeline: Add ability to execute pipelines with new parallel & queued execution modes and add support for triggers with filtering on branches and file paths.
• api-change:quicksight: General Interactions for Visuals; Waterfall Chart Color Configuration; Documentation Update
• api-change:workspaces: This release introduces User-Decoupling feature. This feature allows Workspaces Core customers to provision workspaces without providing users. CreateWorkspaces and DescribeWorkspaces APIs will now take a new optional parameter "WorkspaceName".

v1.32.37

Compare Source

=======

• api-change:datasync: AWS DataSync now supports manifests for specifying files or objects to transfer.
• api-change:lexv2-models: Update lexv2-models command to latest version
• api-change:redshift: LisRecommendations API to fetch Amazon Redshift Advisor recommendations.

v1.32.36

Compare Source

=======

• api-change:appsync: Support for environment variables in AppSync GraphQL APIs
• api-change:ecs: This release is a documentation only update to address customer issues.
• api-change:es: This release adds clear visibility to the customers on the changes that they make on the domain.
• api-change:logs: This release adds a new field, logGroupArn, to the response of the logs:DescribeLogGroups action.
• api-change:opensearch: This release adds clear visibility to the customers on the changes that they make on the domain.
• api-change:wafv2: You can now delete an API key that you've created for use with your CAPTCHA JavaScript integration API.

v1.32.35

Compare Source

=======

• api-change:glue: Introduce Catalog Encryption Role within Glue Data Catalog Settings. Introduce SASL/PLAIN as an authentication method for Glue Kafka connections
• api-change:workspaces: Added definitions of various WorkSpace states

boto/boto3 (boto3)

v1.34.39

Compare Source

=======

• api-change:amp: [botocore] Overall documentation updates.
• api-change:batch: [botocore] This feature allows Batch to support configuration of repository credentials for jobs running on ECS
• api-change:braket: [botocore] Creating a job will result in DeviceOfflineException when using an offline device, and DeviceRetiredException when using a retired device.
• api-change:cost-optimization-hub: [botocore] Adding includeMemberAccounts field to the response of ListEnrollmentStatuses API.
• api-change:ecs: [botocore] Documentation only update for Amazon ECS.
• api-change:iot: [botocore] This release allows AWS IoT Core users to enable Online Certificate Status Protocol (OCSP) Stapling for TLS X.509 Server Certificates when creating and updating AWS IoT Domain Configurations with Custom Domain.
• api-change:pricing: [botocore] Add Throttling Exception to all APIs.

v1.34.38

Compare Source

=======

• api-change:codepipeline: [botocore] Add ability to execute pipelines with new parallel & queued execution modes and add support for triggers with filtering on branches and file paths.
• api-change:quicksight: [botocore] General Interactions for Visuals; Waterfall Chart Color Configuration; Documentation Update
• api-change:workspaces: [botocore] This release introduces User-Decoupling feature. This feature allows Workspaces Core customers to provision workspaces without providing users. CreateWorkspaces and DescribeWorkspaces APIs will now ta...

v2.8.5

🧰 Included Tools

Update AWS CLI packages @renovate (#909)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.32.30 -> ==1.32.34
boto3	==1.34.30 -> ==1.34.34

---

Release Notes

aws/aws-cli (awscli)

v1.32.34

Compare Source

=======

• api-change:dynamodb: Any number of users can execute up to 50 concurrent restores (any type of restore) in a given account.
• api-change:sagemaker: Amazon SageMaker Canvas adds GenerativeAiSettings support for CanvasAppSettings.
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.32.33

Compare Source

=======

• api-change:cognito-idp: Added CreateIdentityProvider and UpdateIdentityProvider details for new SAML IdP features
• api-change:ivs: This release introduces a new resource Playback Restriction Policy which can be used to geo-restrict or domain-restrict channel stream playback when associated with a channel. New APIs to support this resource were introduced in the form of Create/Delete/Get/Update/List.
• api-change:managedblockchain-query: This release adds support for transactions that have not reached finality. It also removes support for the status property from the response of the GetTransaction operation. You can use the confirmationStatus and executionStatus properties to determine the status of the transaction.
• api-change:mediaconvert: This release includes support for broadcast-mixed audio description tracks.
• api-change:neptune-graph: Adding new APIs in SDK for Amazon Neptune Analytics. These APIs include operations to execute, cancel, list queries and get the graph summary.

v1.32.32

Compare Source

=======

• api-change:cloudformation: CloudFormation IaC generator allows you to scan existing resources in your account and select resources to generate a template for a new or existing CloudFormation stack.
• api-change:elbv2: Update elbv2 command to latest version
• api-change:glue: Update page size limits for GetJobRuns and GetTriggers APIs.
• api-change:ssm: This release adds an optional Duration parameter to StateManager Associations. This allows customers to specify how long an apply-only-on-cron association execution should run. Once the specified Duration is out all the ongoing cancellable commands or automations are cancelled.

v1.32.31

Compare Source

=======

• api-change:datazone: Add new skipDeletionCheck to DeleteDomain. Add new skipDeletionCheck to DeleteProject which also automatically deletes dependent objects
• api-change:route53: Update the SDKs for text changes in the APIs.

boto/boto3 (boto3)

v1.34.34

Compare Source

=======

• api-change:dynamodb: [botocore] Any number of users can execute up to 50 concurrent restores (any type of restore) in a given account.
• api-change:sagemaker: [botocore] Amazon SageMaker Canvas adds GenerativeAiSettings support for CanvasAppSettings.
• api-change:endpoint-rules: [botocore] Update endpoint-rules client to latest version

v1.34.33

Compare Source

=======

• api-change:cognito-idp: [botocore] Added CreateIdentityProvider and UpdateIdentityProvider details for new SAML IdP features
• api-change:ivs: [botocore] This release introduces a new resource Playback Restriction Policy which can be used to geo-restrict or domain-restrict channel stream playback when associated with a channel. New APIs to support this resource were introduced in the form of Create/Delete/Get/Update/List.
• api-change:managedblockchain-query: [botocore] This release adds support for transactions that have not reached finality. It also removes support for the status property from the response of the GetTransaction operation. You can use the confirmationStatus and executionStatus properties to determine the status of the transaction.
• api-change:mediaconvert: [botocore] This release includes support for broadcast-mixed audio description tracks.
• api-change:neptune-graph: [botocore] Adding new APIs in SDK for Amazon Neptune Analytics. These APIs include operations to execute, cancel, list queries and get the graph summary.

v1.34.32

Compare Source

=======

• api-change:cloudformation: [botocore] CloudFormation IaC generator allows you to scan existing resources in your account and select resources to generate a template for a new or existing CloudFormation stack.
• api-change:elbv2: [botocore] Update elbv2 client to latest version
• api-change:glue: [botocore] Update page size limits for GetJobRuns and GetTriggers APIs.
• api-change:ssm: [botocore] This release adds an optional Duration parameter to StateManager Associations. This allows customers to specify how long an apply-only-on-cron association execution should run. Once the specified Duration is out all the ongoing cancellable commands or automations are cancelled.

v1.34.31

Compare Source

=======

• api-change:datazone: [botocore] Add new skipDeletionCheck to DeleteDomain. Add new skipDeletionCheck to DeleteProject which also automatically deletes dependent objects
• api-change:route53: [botocore] Update the SDKs for text changes in the APIs.

---

🏗️ Build/Release Maintenance

Update actions used by GitHub workflows @Nuru (#910)

what

• Update actions in workflows to current versions using NodeJS v20
• Minor revisions to README

why

• Earlier versions of NodeJS are now deprecated
• Improve the readability

v2.8.4

Clean up narrative of Geodesic history @Nuru (#905)

what

• Emphasize current Geodesic version over historical versions
• Remove remnants of explanation of why Geodesic was not supporting Apple Silicon
• Make documentation of historical changes more concsise

why

• Give the most relevant information first
• Make historical information easier to understand

🧰 Included Tools

Update AWS CLI packages @renovate (#907)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.32.23 -> ==1.32.30
boto3	==1.34.23 -> ==1.34.30

---

Release Notes

aws/aws-cli (awscli)

v1.32.30

Compare Source

=======

• api-change:autoscaling: EC2 Auto Scaling customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
• api-change:comprehend: Comprehend PII analysis now supports Spanish input documents.
• api-change:ec2: EC2 Fleet customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
• api-change:mwaa: This release adds MAINTENANCE environment status for Amazon MWAA environments.
• api-change:rds: Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API methods. This provides enhanced error handling, ensuring a more robust experience.
• api-change:snowball: Modified description of createaddress to include direction to add path when providing a JSON file.

v1.32.29

Compare Source

=======

• api-change:connect: Update list and string length limits for predefined attributes.
• api-change:inspector2: This release adds ECR container image scanning based on their lastRecordedPullTime.
• api-change:sagemaker: Amazon SageMaker Automatic Model Tuning now provides an API to programmatically delete tuning jobs.

v1.32.28

Compare Source

=======

• api-change:acm-pca: AWS Private CA now supports an option to omit the CDP extension from issued certificates, when CRL revocation is enabled.
• api-change:lightsail: This release adds support for IPv6-only instance plans.

v1.32.27

Compare Source

=======

• api-change:ec2: Introduced a new clientToken request parameter on CreateNetworkAcl and CreateRouteTable APIs. The clientToken parameter allows idempotent operations on the APIs.
• api-change:ecs: Documentation updates for Amazon ECS.
• api-change:outposts: DeviceSerialNumber parameter is now optional in StartConnection API
• api-change:rds: This release adds support for Aurora Limitless Database.
• api-change:storagegateway: Add DeprecationDate and SoftwareVersion to response of ListGateways.

v1.32.26

Compare Source

=======

• api-change:inspector2: This release adds support for CIS scans on EC2 instances.

v1.32.25

Compare Source

=======

• bugfix:s3 sync: Disable S3 Express support for s3 sync command

v1.32.24

Compare Source

=======

• api-change:appconfigdata: Fix FIPS Endpoints in aws-us-gov.
• api-change:cloud9: Doc-only update around removing AL1 from list of available AMIs for Cloud9
• api-change:cloudfront-keyvaluestore: This release improves upon the DescribeKeyValueStore API by returning two additional fields, Status of the KeyValueStore and the FailureReason in case of failures during creation of KeyValueStore.
• api-change:connectcases: This release adds the ability to view audit history on a case and introduces a new parameter, performedBy, for CreateCase and UpdateCase API's.
• api-change:ec2: Documentation updates for Amazon EC2.
• api-change:ecs: This release adds support for Transport Layer Security (TLS) and Configurable Timeout to ECS Service Connect. TLS facilitates privacy and data security for inter-service communications, while Configurable Timeout allows customized per-request timeout and idle timeout for Service Connect services.
• api-change:finspace: Allow customer to set zip default through command line arguments.
• api-change:organizations: Doc only update for quota increase change
• api-change:rds: Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS CreateDBCluster API method. This provides enhanced error handling, ensuring a more robust experience when creating database clusters with insufficient instance capacity.
• api-change:endpoint-rules: Update endpoint-rules command to latest version

boto/boto3 (boto3)

v1.34.30

Compare Source

=======

• api-change:autoscaling: [botocore] EC2 Auto Scaling customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
• api-change:comprehend: [botocore] Comprehend PII analysis now supports Spanish input documents.
• api-change:ec2: [botocore] EC2 Fleet customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
• api-change:mwaa: [botocore] This release adds MAINTENANCE environment status for Amazon MWAA environments.
• api-change:rds: [botocore] Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API methods. This provides enhanced error handling, ensuring a more robust experience.
• api-change:snowball: [botocore] Modified description of createaddress to include direction to add path when providing a JSON file.

v1.34.29

Compare Source

=======

• api-change:connect: [botocore] Update list and string length limits for predefined attributes.
• api-change:inspector2: [botocore] This release adds ECR container image scanning based on their lastRecordedPullTime.
• api-change:sagemaker: [botocore] Amazon SageMaker Automatic Model Tuning now provides an API to programmatically delete tuning jobs.

v1.34.28

Compare Source

=======

• api-change:acm-pca: [botocore] AWS Private CA now supports an option to omit the CDP extension from issued certificates, when CRL revocation is enabled.
• api-change:lightsail: [botocore] This release adds support for IPv6-only instance plans.

v1.34.27

Compare Source

=======

• api-change:ec2: [botocore] Introduced a new clientToken request parameter on CreateNetworkAcl and CreateRouteTable APIs. The clientToken parameter allows idempotent operations on the APIs.
• api-change:ecs: [botocore] Documentation updat...

v2.8.3

🏗️ Build/Release Maintenance

Add banner @osterman (#904)

what

• add a repo banner

why

• Spruce up the readme

Add explicit permissions to labeler @Nuru (#903)

what

• Add explicit permissions to labeler

why

• Labeler needs write permission to update labels, which was previously granted by default but now must be explicit

🧰 Included Tools

Update AWS CLI packages @renovate (#902)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.32.17 -> ==1.32.23
boto3	==1.34.17 -> ==1.34.23

---

Release Notes

aws/aws-cli (awscli)

v1.32.23

Compare Source

=======

• api-change:athena: Introducing new NotebookS3LocationUri parameter to Athena ImportNotebook API. Payload is no longer required and either Payload or NotebookS3LocationUri needs to be provided (not both) for a successful ImportNotebook API call. If both are provided, an InvalidRequestException will be thrown.
• api-change:codebuild: Release CodeBuild Reserved Capacity feature
• api-change:dynamodb: This release adds support for including ApproximateCreationDateTimePrecision configurations in EnableKinesisStreamingDestination API, adds the same as an optional field in the response of DescribeKinesisStreamingDestination, and adds support for a new UpdateKinesisStreamingDestination API.
• api-change:qconnect: Increased Quick Response name max length to 100

v1.32.22

Compare Source

=======

• api-change:b2bi: Increasing TestMapping inputFileContent file size limit to 5MB and adding file size limit 250KB for TestParsing input file. This release also includes exposing InternalServerException for Tag APIs.
• api-change:cloudtrail: This release adds a new API ListInsightsMetricData to retrieve metric data from CloudTrail Insights.
• api-change:connect: GetMetricDataV2 now supports 3 groupings
• api-change:drs: Removed invalid and unnecessary default values.
• api-change:firehose: Allow support for Snowflake as a Kinesis Data Firehose delivery destination.
• api-change:sagemaker-featurestore-runtime: Increase BatchGetRecord limits from 10 items to 100 items

v1.32.21

Compare Source

=======

• api-change:dynamodb: Updating note for enabling streams for UpdateTable.
• api-change:keyspaces: This release adds support for Multi-Region Replication with provisioned tables, and Keyspaces auto scaling APIs

v1.32.20

Compare Source

=======

• api-change:iot: Revert release of LogTargetTypes
• api-change:iotfleetwise: Updated APIs: SignalNodeType query parameter has been added to ListSignalCatalogNodesRequest and ListVehiclesResponse has been extended with attributes field.
• api-change:macie2: This release adds support for analyzing Amazon S3 objects that are encrypted using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). It also adds support for reporting DSSE-KMS details in statistics and metadata about encryption settings for S3 buckets and objects.
• api-change:payment-cryptography: Provide an additional option for key exchange using RSA wrap/unwrap in addition to tr-34/tr-31 in ImportKey and ExportKey operations. Added new key usage (type) TR31_M1_ISO_9797_1_MAC_KEY, for use with Generate/VerifyMac dataplane operations with ISO9797 Algorithm 1 MAC calculations.
• api-change:personalize-runtime: Documentation updates for Amazon Personalize
• api-change:personalize: Documentation updates for Amazon Personalize.
• api-change:rekognition: This release adds ContentType and TaxonomyLevel attributes to DetectModerationLabels and GetMediaAnalysisJob API responses.
• api-change:securityhub: Documentation updates for AWS Security Hub

v1.32.19

Compare Source

=======

• api-change:sagemaker: This release will have ValidationException thrown if certain invalid app types are provided. The release will also throw ValidationException if more than 10 account ids are provided in VpcOnlyTrustedAccounts.

v1.32.18

Compare Source

=======

• api-change:connect: Supervisor Barge for Chat is now supported through the MonitorContact API.
• api-change:connectparticipant: Introduce new Supervisor participant role
• api-change:location: Location SDK documentation update. Added missing fonts to the MapConfiguration data type. Updated note for the SubMunicipality property in the place data type.
• api-change:mwaa: This Amazon MWAA feature release includes new fields in CreateWebLoginToken response model. The new fields IamIdentity and AirflowIdentity will let you match identifications, as the Airflow identity length is currently hashed to 64 characters.
• api-change:s3control: S3 On Outposts team adds dualstack endpoints support for S3Control and S3Outposts API calls.
• api-change:supplychain: This release includes APIs CreateBillOfMaterialsImportJob and GetBillOfMaterialsImportJob.
• api-change:transfer: AWS Transfer Family now supports static IP addresses for SFTP & AS2 connectors and for async MDNs on AS2 servers.
• api-change:endpoint-rules: Update endpoint-rules command to latest version

boto/boto3 (boto3)

v1.34.23

Compare Source

=======

• api-change:athena: [botocore] Introducing new NotebookS3LocationUri parameter to Athena ImportNotebook API. Payload is no longer required and either Payload or NotebookS3LocationUri needs to be provided (not both) for a successful ImportNotebook API call. If both are provided, an InvalidRequestException will be thrown.
• api-change:codebuild: [botocore] Release CodeBuild Reserved Capacity feature
• api-change:dynamodb: [botocore] This release adds support for including ApproximateCreationDateTimePrecision configurations in EnableKinesisStreamingDestination API, adds the same as an optional field in the response of DescribeKinesisStreamingDestination, and adds support for a new UpdateKinesisStreamingDestination API.
• api-change:qconnect: [botocore] Increased Quick Response name max length to 100

v1.34.22

Compare Source

=======

• api-change:b2bi: [botocore] Increasing TestMapping inputFileContent file size limit to 5MB and adding file size limit 250KB for TestParsing input file. This release also includes exposing InternalServerException for Tag APIs.
• api-change:cloudtrail: [botocore] This release adds a new API ListInsightsMetricData to retrieve metric data from CloudTrail Insights.
• api-change:connect: [botocore] GetMetricDataV2 now supports 3 groupings
• api-change:drs: [botocore] Removed invalid and unnecessary default values.
• api-change:firehose: [botocore] Allow support for Snowflake as a Kinesis Data Firehose delivery destination.
• api-change:sagemaker-featurestore-runtime: [botocore] Increase BatchGetRecord limits from 10 items to 100 items

v1.34.21

Compare Source

=======

• api-change:dynamodb: [botocore] Updating note for enabling streams for UpdateTable.
• api-change:keyspaces: [botocore] This release adds suppo...

v2.8.2

🧰 Included Tools

Update AWS CLI packages @renovate (#897)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.31.6 -> ==1.32.17
boto3	==1.33.6 -> ==1.34.17

---

Release Notes

aws/aws-cli (awscli)

v1.32.17

Compare Source

=======

• api-change:ec2: This release adds support for adding an ElasticBlockStorage volume configurations in ECS RunTask/StartTask/CreateService/UpdateService APIs. The configuration allows for attaching EBS volumes to ECS Tasks.
• api-change:ecs: This release adds support for adding an ElasticBlockStorage volume configurations in ECS RunTask/StartTask/CreateService/UpdateService APIs. The configuration allows for attaching EBS volumes to ECS Tasks.
• api-change:events: Update events command to latest version
• api-change:iot: Add ConflictException to Update APIs of AWS IoT Software Package Catalog
• api-change:iotfleetwise: The following dataTypes have been removed: CUSTOMER_DECODED_INTERFACE in NetworkInterfaceType; CUSTOMER_DECODED_SIGNAL_INFO_IS_NULL in SignalDecoderFailureReason; CUSTOMER_DECODED_SIGNAL_NETWORK_INTERFACE_INFO_IS_NULL in NetworkInterfaceFailureReason; CUSTOMER_DECODED_SIGNAL in SignalDecoderType
• api-change:secretsmanager: Doc only update for Secrets Manager
• api-change:workspaces: Added AWS Workspaces RebootWorkspaces API - Extended Reboot documentation update

v1.32.16

Compare Source

=======

• api-change:connectcampaigns: Minor pattern updates for Campaign and Dial Request API fields.
• api-change:location: This release adds API support for custom layers for the maps service APIs: CreateMap, UpdateMap, DescribeMap.
• api-change:logs: Add support for account level subscription filter policies to PutAccountPolicy, DescribeAccountPolicies, and DeleteAccountPolicy APIs. Additionally, PutAccountPolicy has been modified with new optional "selectionCriteria" parameter for resource selection.
• api-change:qconnect: QueryAssistant and GetRecommendations will be discontinued starting June 1, 2024. To receive generative responses after March 1, 2024 you will need to create a new Assistant in the Connect console and integrate the Amazon Q in Connect JavaScript library (amazon-q-connectjs) into your applications.
• api-change:redshift-serverless: Updates to ConfigParameter for RSS workgroup, removal of use_fips_ssl
• api-change:route53: Route53 now supports geoproximity routing in AWS regions
• api-change:wisdom: QueryAssistant and GetRecommendations will be discontinued starting June 1, 2024. To receive generative responses after March 1, 2024 you will need to create a new Assistant in the Connect console and integrate the Amazon Q in Connect JavaScript library (amazon-q-connectjs) into your applications.

v1.32.15

Compare Source

=======

• api-change:codebuild: Aws CodeBuild now supports new compute type BUILD_GENERAL1_XLARGE
• api-change:ec2: Amazon EC2 R7iz bare metal instances are powered by custom 4th generation Intel Xeon Scalable processors.
• api-change:route53resolver: This release adds support for query type configuration on firewall rules that enables customers for granular action (ALLOW, ALERT, BLOCK) by DNS query type.

v1.32.14

Compare Source

=======

• api-change:connect: Minor trait updates for User APIs
• api-change:kms: Documentation updates for AWS Key Management Service (KMS).
• api-change:redshift-serverless: use_fips_ssl and require_ssl parameter support for Workgroup, UpdateWorkgroup, and CreateWorkgroup

v1.32.13

Compare Source

=======

• api-change:config: Updated ResourceType enum with new resource types onboarded by AWS Config in November and December 2023.
• api-change:docdb: Adding PerformanceInsightsEnabled and PerformanceInsightsKMSKeyId fields to DescribeDBInstances Response.
• api-change:ecs: This release adds support for managed instance draining which facilitates graceful termination of Amazon ECS instances.
• api-change:es: This release adds support for new or existing Amazon OpenSearch domains to enable TLS 1.3 or TLS 1.2 with perfect forward secrecy cipher suites for domain endpoints.
• api-change:lightsail: This release adds support to set up an HTTPS endpoint on an instance.
• api-change:opensearch: This release adds support for new or existing Amazon OpenSearch domains to enable TLS 1.3 or TLS 1.2 with perfect forward secrecy cipher suites for domain endpoints.
• api-change:sagemaker: Adding support for provisioned throughput mode for SageMaker Feature Groups
• api-change:servicecatalog: Added Idempotency token support to Service Catalog AssociateServiceActionWithProvisioningArtifact, DisassociateServiceActionFromProvisioningArtifact, DeleteServiceAction API
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.32.12

Compare Source

=======

• api-change:connect: Amazon Connect, Contact Lens Evaluation API increase evaluation notes max length to 3072.
• api-change:mediaconvert: This release includes video engine updates including HEVC improvements, support for ingesting VP9 encoded video in MP4 containers, and support for user-specified 3D LUTs.

v1.32.11

Compare Source

=======

• api-change:apprunner: AWS App Runner adds Python 3.11 and Node.js 18 runtimes.
• api-change:location: This release introduces a new parameter to bypasses an API key's expiry conditions and delete the key.
• api-change:quicksight: Add LinkEntityArn support for different partitions; Add UnsupportedUserEditionException in UpdateDashboardLinks API; Add support for New Reader Experience Topics

v1.32.10

Compare Source

=======

• api-change:codestar-connections: New integration with the GitLab self-managed provider type.
• api-change:kinesis-video-archived-media: NoDataRetentionException thrown when GetImages requested for a Stream that does not retain data (that is, has a DataRetentionInHours of 0).
• api-change:sagemaker: Amazon SageMaker Studio now supports Docker access from within app container

v1.32.9

Compare Source

======

• api-change:emr: Update emr command to latest version

v1.32.8

Compare Source

======

• api-change:iam: Documentation updates for AWS Identity and Access Management (IAM).
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.32.7

Compare Source

======

• api-change:bedrock-agent: Adding Claude 2.1 support to Bedrock Agents
• api-change:endpoint-rules: Update endpoint-rules command to latest version
• api-change:glue: This release adds additional configurations for Query Session Context on the following APIs: GetUnfilteredTableMetadata, GetUnfilteredPartitionMetadata, GetUnfilteredPartitionsMetadata.
• api-change:lakeformation: This release adds additional configurations on GetTemporaryGlueTableCred...

v2.8.1

Make bindfs mapping bidirectional, remove host USER name from env @Nuru (#901)

REMINDER

This PR fixes an issue with using bindfs to work around file ownership issues caused by running the Docker daemon as root (#594). This support is provided as a courtesy, but the better solution is to run Docker in "rootless" mode, which is done automatically when you use Docker Desktop. Support for running Docker as root should be considered deprecated.

what

• Use bi-directional UID and GUID mapping in bindfs mount of host filesystem
• Remove host username ($USER) from Geodesic environment

why

• To guard against CVE-2022-24765, git checks the ownership of all directories it looks at for configuration, and complains if it finds a directory with a different owner.
• The host's username was injected to support ansible 8 years ago (#65). It was never working properly on Debian due to the different structure of the adduser command on Debian vs Alpine, and should not be necessary now. If it turns out to be needed for some reason, we should develop a more robust solution.

references

• Git vulnerability to configuration injection
• Supersedes and closes #900

📚️ Documentation

Update Demo GIF with VHS @osterman (#898)

what

• Updated demo with automation
• See

why

• Video was hopelessly out of date, with this change we can keep it regularly updated with each PR.

🏗️ Build/Release Maintenance

v2.8.0 Core updates

🚀 Enhancements

• Enhance kubectl-auto-select to work with Debian

🧰 Included Tools

Non-automatic tool updates @Nuru (#894)

what

• Enhance kubectl-auto-select to work with Debian
• Configure Debian version by codename
• Upgrade Alpine to use Fuse 3
• For Alpine, configure bindfs version via Docker ARG and upgrade bindfs v1.15.1 -> 1.17.6
• Upgrade Python on Debian from v3.10.10 to v3.11.6
• Upgrade Google Cloud SDK v422.0.0 -> 455.0.0
• Upgrade kubectx v0.9.4 -> v0.9.5
• Upgrade helm-diff v3.6.0 -> v3.8.1

why

• kubectl-auto-select was written for Alpine and failed on Debian due to differing package managers
• Python is configured by Debian codename, so keep it in sync with Debian by using codename is both places
• Debian upgraded to Fuse 3 in v11 "bullseye" so keep Alpine relatively in sync
• Alpine bindfs version was hard coded, but not easily changed, and was old. Debian installs bindfs via package, and for some reason is sticking to v1.14.7.
• Alpine is using Python 3.11.6, so update Debian to corresponding version
• Update tools not tracked by automation to current versions

Update dependency cryptography to v41.0.7 @renovate (#890)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
cryptography (changelog)	==41.0.5 -> ==41.0.7

---

Release Notes

pyca/cryptography (cryptography)

v41.0.7

Compare Source

---

Update alpine Docker tag to v3.18.5 @renovate (#893)

This PR contains the following updates:

Package	Type	Update	Change
alpine	final	patch	3.18.4 -> 3.18.5
alpine	stage	patch	3.18.4 -> 3.18.5

---

Update AWS CLI packages @renovate (#888)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
awscli (source, changelog)	==1.29.78 -> ==1.31.6
boto3	==1.28.78 -> ==1.33.6

---

Release Notes

aws/aws-cli (awscli)

v1.31.6

Compare Source

======

• api-change:qconnect: This release adds the PutFeedback API and allows providing feedback against the specified assistant for the specified target.
• api-change:rbin: Added resource identifier in the output and updated error handling.
• api-change:verifiedpermissions: Adds description field to PolicyStore API's and namespaces field to GetSchema.

v1.31.5

Compare Source

======

• api-change:arc-zonal-shift: This release adds a new capability, zonal autoshift. You can configure zonal autoshift so that AWS shifts traffic for a resource away from an Availability Zone, on your behalf, when AWS determines that there is an issue that could potentially affect customers in the Availability Zone.
• api-change:glue: Adds observation and analyzer support to the GetDataQualityResult and BatchGetDataQualityResult APIs.
• api-change:sagemaker: This release adds support for 1/ Code Editor, based on Code-OSS, Visual Studio Code Open Source, a new fully managed IDE option in SageMaker Studio 2/ JupyterLab, a new fully managed JupyterLab IDE experience in SageMaker Studio

v1.31.4

Compare Source

======

• api-change:marketplace-agreement: The AWS Marketplace Agreement Service provides an API interface that helps AWS Marketplace sellers manage their agreements, including listing, filtering, and viewing details about their agreements.
• api-change:marketplace-catalog: This release enhances the ListEntities API to support new entity type-specific strongly typed filters in the request and entity type-specific strongly typed summaries in the response.
• api-change:marketplace-deployment: AWS Marketplace Deployment is a new service that provides essential features that facilitate the deployment of software, data, and services procured through AWS Marketplace.
• api-change:redshift-serverless: This release adds the following support for Amazon Redshift Serverless: 1) cross-account cross-VPCs, 2) copying snapshots across Regions, 3) scheduling snapshot creation, and 4) restoring tables from a recovery point.
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.31.3

Compare Source

======

• api-change:application-autoscaling: Amazon SageMaker customers can now use Application Auto Scaling to automatically scale the number of Inference Component copies across an endpoint to meet the varying demand of their workloads.
• api-change:cleanrooms: AWS Clean Rooms now provides differential privacy to protect against user-identification attempts and machine learning modeling to allow two parties to identify similar users in their data.
• api-change:cleanroomsml: Public Preview SDK release of AWS Clean Rooms ML APIs
• api-change:opensearch: Launching Amazon OpenSearch Service support for new zero-ETL integration with Amazon S3. Customers can now manage their direct query data sources to Amazon S3 programatically
• api-change:opensearchserverless: Amazon OpenSearch Serverless collections support an additional attribute called standby-replicas. This allows to specify whether a collection should have redundancy enabled.
• api-change:sagemaker-runtime: Update sagemaker-runtime command to latest version
• api-change:sagemaker: This release adds following support 1/ Improved SDK tooling for model deployment. 2/ New Inference Component based features to lower inference costs and latency 3/ SageMaker HyperPod management. 4/ Additional parameters for FM Fine Tuning in Autopilot
• api-change:sts: Documentation updates for AWS Security Token Service.
• api-change:endpoint-rules: Update endpoint-rules command to latest version

v1.31.2

Compare Source

======

• api-change:accessanalyzer: This release adds support for external access findings for S3 directory buckets to help you easily identify cross-account access. Updated service API, documentation, and paginators.
• api-change:bedrock: This release adds support for customization types, model life cycle status and minor versions/aliases for model identifiers.
• api-change:bedrock-agent: This release introduces Agents for Amazon B...