Skip to main content

Engine Release 8.8

ยท 8 min read

Key Updates

Expo Mobile App Updates

With recent changes to both expo and the release of iOS16 we have made the usual annual changes to catch up with the latest changes.

  • Expo SDK46+ changed the way that OTA updates are published and we have updated the build process to support this in hamlet
  • Support has been updated around fastlane and the use of the Transporter app for mobile updates to TestFlight
  • All configuration for signing, publishing and controlling the mobile apps has been moved out of settings into solution based configuration. This makes the configuration available from our docs site and added defaults and validation to make sure it works as expected

bash

  • (expo): update cli usage for SDK 46+
  • (expo): testing updates for expo publish (#350)
  • workaround for fastlane missing support for transporter move
  • make search for signing more specific
  • include symbols disable and bitcode
  • disable signing on 3rd party libraries
  • ensure manual signing enabled on pod project
  • (expo): sdk differences in updates
  • (expo): use right app version when picking cli
  • (expo): align publish script with engine
  • (expo): reduce command line options
  • deprecate turtle and move to prebuild process
  • (expo): reinstate archive upload for sourcemaps (#349)

engine

  • (mobileapp): remove default on expo id override (#2045)

aws

  • (mobileapp): lookup for firebase properties (#641)
  • (mobileapp): testing updates

python

  • remove deprecated expo_app_publish param

AWS S3 Public Access Block By default

Inline with best practice security and those pesky news reports we have now enabled public access blocking across S3 buckets by default.

  • ACL based public access for objects can not be enabled by default within the hamlet aws implementation
  • To use policy based public access you can use the S3 component public access which will allow for bucket policy updates
  • The App Public permission has been removed which created an automatic public share on the ops data bucket. To ensure limited exposure we recommend creating an explicit S3 bucket for public access

engine

  • (s3): block public access on account s3

aws

  • (s3): disable public access by default
  • remove app public permissions attribute
  • remove app public attributes

Data Catalog Component

This new component represents services like AWS Glue which are used to provide a catalog of data sources that used across a system along with a centralised schema reference point. The focus of the initial release was to add support for creating a data catalog of AWS Service logs which are stored in S3.

Details on the module are available in PR #647) but essentially if you need to access any AWS services used in hamlet that log to S3 ( cdn/CloudFront, lb/Application Load Balancer) you can add the module and get the logs added into Glue and can make queries of the data using Athena

core

  • (datacatalog): add new component (#2049)
  • (datacatalog): initial support using Glue

aws

  • (module): add aws s3 service log datacatalog (#647)
  • (catalog): add base testing
  • SerDe naming

WAF Rule Engines

Web Application Firewalls offered by Cloud Providers have been extended to support more functionality including managed rules, rate limiting and more complex matching capabilities. In this release we have extended the support in hamlet to support these different WAF rules with the idea of a Rule engine. The engine is how a given rule is processed.

The engines included in this release are:

  • Rate Based: IP based tracking of requests and the enforcement of a rate limit for a given client IP
  • Vendor Managed: Rules that can be added to your WAF that are managed by a third party vendor. These rules are generally updated to align with the latest security incidents or over collective knowledge and automated processes developed by the vendor

core

  • (waf): add rule engines
  • (wafrule): engine type spelling (#2058)
  • (waf): cleanup of shared provider setup

aws

  • (waf): add support for more wafv2 rules
  • (waf): various fixes in WAF Handling

Extended CDN Support for Complex Scenarios

The CDN component has been updated to support more complex scenarios when dealing with distributions that perform complex routing or have shared caching policies across different parts of a site

This included the addition of some new subcomponents for the CDN:

  • origin is a new subcomponent which represents a single origin that can be consumed by multiple routes
  • response policy adds support for CDN providers which can modify things like response headers as they are returned to a client. For example, AWS CloudFront can now inject common security headers like HSTS or CORS if the origin doesn't include them
  • cache policy CDN Cache Policy defines a caching policy which can be used across multiple routes to standardise how caching is performed

You don't need to use these additional components if you don't want to and all existing support for controlling these options via the route are still in place.

core

  • (cdn): enable/disable error response overrides
  • (cdn): extended support for managing CDNS
  • (cdn): Response Policy Child reference

aws

  • (cdn): origin request policy headers (#657)
  • add default header policy for placeholders
  • (cdn): add enable/disable for error responses
  • (cloudfront): complex cdn scenarios
  • (cdn): use cloudformation to find cdn id
  • (cdn): add type checks and fix resource name
  • (cdn): add testing and fixes
  • (cdn): Redirect processing (#643)

Dynamic Values

IP Address Group resolution to CIDR ranges has been added as a dynamic value source, while we support IPAdressGroups across components that use IP Access control. The dynamic value support lets you provide network details to container env vars for example.

Now that we have dynamic values it is easier to add composite values which use a dynamic value and some fixed content. With that in mind we've added callback and logout url solution level configuration to the userpool

core

  • (dynamicvalue): add IP Address group support
  • (userpool): add support callback urls solution

aws

  • (userpool): add solution callback urls

Logging Enabled by Default

For all components the default behaviour is now to enable logging if we can. While this could add some additional costs when deploying to cloud providers, the cost of regret when you forget to enable logging and need it in an incident is much higher. So we turn it on now to help support your deployments.

core

  • enable logging by default
  • (network): add prefix control for flow logs

aws

  • (network): add control over flowlog prefix (#648)

Overall Hamlet changes

Below are the minor changes and fixes made across hamlet overall.

Bash Executor

Full set of changes: 8.7.0...latest

New Features

  • support cliv2 kms encrypt (#345)

Fixes

  • add an empty suffix for running on MacOS (#353)
  • update sourceMappingURL value after bundle rename
  • adjust sentry url prefix react-native apps (#351)

Engine

Full set of changes: 8.7.0...latest

New Features

  • (globaldb): add enable support for indexes
  • migrate tiers and solution setup into configuration data approach
  • district based solutions
  • add support for base attribute set expansion
  • add support for links as image sources
  • extend missing link detail error message

Fixes

  • (dynamicvalue): correct the output for tasks (#2057)
  • set tier indexes for tiers not in network
  • tier network configuration (#2046)
  • (dynamicvalues): support objects in replace (#2043)
  • nested expansion of attributes (#2040)
  • split expand base configuration (#2039)
  • set fixed index for shared tier
  • index handling for network ordering
  • tier lookup id name
  • configuration loading
  • update component settings for dynamic values

Refactorings

  • dynamic value handling (#2042)
  • add apigw certificate
  • move AV configuration to shared

aws

Full set of changes: 8.7.0...latest

New Features

  • (cw): ensure lambda is deleted with canary
  • (globaldb): add support for enabling indexes

Fixes

  • engine case for rule lookup
  • (network): handle missing subnet lookup
  • (s3): oai permissions (#653)
  • (windows): logContent setup for windows logging
  • (ecs): handle container tagging for ecs version
  • dynamic value setup for aws secrets
  • smtp user permissions in module
  • (filetransfer): log group name for subscription
  • fall through on missing network
  • remove redundant line from script
  • (image): use container repository for images
  • (ecs): skip lb processing when no lb port
  • (efs): correct tag format for access points
  • (cloudwatch): dependencies on subscription
  • (dnszone): add deployment subset check
  • typo in test module
  • (spa): cdn reference for path
  • (cw): update permissions for cw logs to kinesis (#634)
  • (lambda): check deployment units on function

Refactorings

  • (network): checks for networked tiers (#645)
  • (mobileapp): build configuration updates
  • remove public app data prefixes
  • (network): remove use of segmentObject
  • (ec2): av migration to shared provider

Azure

Full set of changes: 8.7.0...latest

New Features

  • (network): manage vpn cipher configuration

Refactorings

  • use base level attribute sets (#307)

Core Engine

Full set of changes: [2.0.0, 8.6.0...latest](https://github.com/hamlet-io/engine-core/compare/2.0.0, 8.6.0...master)

Fixes

  • Dependency updates and updates to the bundled JRE version used

Python

Full set of changes: 9.23.0...master

Fixes

  • remove use of transport from httpx client