​

Version 1.4.1

​

Tooling and Terraform Modules Versions

​

Version 1.4.0

​

Architecture Redesign & Core Enhancements

• Adopted Terragrunt for infrastructure orchestration:
  • Centralized configuration and DRY principles across environments
  • Simplified multi-region, multi-cluster deployments
  • Scalable, environment-specific overrides and reusability of modules
  • Clear separation of global vs regional resources in code structure
• Global Repository Refactor:
  • Applied modular design with reusable Terraform modules for common components (e.g., networking, IAM, logging)
  • Isolated environment-specific configurations for improved clarity and separation of concerns
  • Reduced duplication and improved maintainability through standardized structure

​

Features

• New Terraform Modules Added
  • Route53 and ACM (AWS Certificate Manager) modules for DNS and TLS automation
  • Custom VPN module, migrated from Cloud Conexa to pure Terraform, incorporating security and compliance best practices
  • Permissions module now integrated directly into the core infrastructure repository

​

Improvements

• Universal CI/CD Pipeline:
  • Introduced a standardized pipeline pattern to support the majority of use cases
  • Enables consistent delivery, automated testing, and streamlined environment rollout
• User Management:
  • IAM Role Naming Overhaul. Adopted a new naming convention for IAM roles, optimizing them for automation and manual management
  • Enables cleaner policy assignments and reduces friction in permission debugging
  • Added a default role for user provisioning and access control enforcement across environments
• Observability & Automation:
  • Drift Alert Manager: Parameter Management Automation where Input files for each Organizational Unit are automatically synchronized with S3 and the integrated drift detection mechanism triggers alerts for unsynced or modified parameters.
  • Automated OpenSearch Logging Cluster Provisioning through Lambda-based automation, covering Index creation, Lifecycle policy management, Retention and rollover configuration, removing the need for manual setup and reducing misconfiguration risk

​

Version 1.3.2

​

Features

• Added topology constraint configurations to Application’s charts - Added topologySpreadConstraints feature to standard application
• Alarms Module now allows for tag-based custom behavior - Custom behavior for alarms can now be managed using tags in AWS Resources. This includes enabling/disabling an alarm, and configuring thresholds
• Allowed specific users to create, delete and edit Automatic Alarm Tags in resources - Allowed only alarm Lambda, Karpenter and admin roles to modify alarm-related tags in resources. Increased security for the Alarms Custom Behavior Based on Tags feature
• Added custom cluster security group rules for EKS - Added cluster_security_group_additional_rules to add security groups to EKS. Changed default values of public and private deploy key parameter name
• Allowed excluding AZs from Karpenter’s nodepools - Allow Excluding AZs that do not have good support for ec2 spot instances

​

Improvements

• Added EBS CSI Driver Helm Chart - Allows installing EBS driver as separate add-on, increasing EKS deploy stability and decreasing deploy times or errors

​

Tooling

​

Providers

​

Version 1.3.1

​

Features

• Deploy VPN connector with Terraform: gives Fast Foundation independence from traditional OpenVPN deployment, allowing a better management of resources, and making it more compliant, addressing some AWS SecurityHub findings

​

Improvements

• Added templating in CloudFront module: allows for dynamic content delivery based on variables and conditions
• Use namespace in IRSA name if specified: enhances security by ensuring unique role names for each namespace
• Critical S3 buckets hardening:
  • Increased object lock retention time to 10 years
  • Current version expiration deleted
  • Increased non-current version object expiration to 2 years and 10 versions
  • Created event notification lambda slack integration
  • Created Access logs bucket in infrastructure account

​

Version 1.3.0

​

Features

• 💎 ECS module - Fast Foundation now supports ECS clusters
• Added Persistent Storage Configuration for Prometheus
• Added AWS Centralized Root Access Management
• Added FluentBit Service Monitor and Alerts
• Added Organization Budget and Billing alarms
• Added Timeout Metric Alarm for automatic alarm creation Lambda Function

​

Improvements

• Security Hub Centralized Management
• Alarms Created by Automatic Alarm Creation and Deletion module are now tagged
• Added Static Security Group for Communicating with RDS
• Added Cluster Name to Argo Alarms for easier identification
• Stopped Notifying when Alarm goes from Insufficient Data to OK State
• Trust Relationship for Opensearch Ingestion roles are now restricted to specific roles
• Added Topology Constraint for Critical Services
• Conditional creation for deployKey ssm parameter
• Bumped axios from 1.6.8 to 1.8.4 in /additional_resources/modules/serverless/cicd/gitlab-node-project-repo

​

Fixes

• Added try clause to VPN CIDR blocks
• Added try clause and index to alb_vpn_security_group output
• Fixed cluster-permissions output
• Added conditional creation for OpenSearch ingressroute
• Increased Lambda duration alarm “period” threshold to 600 to avoid creation errors
• Fixed Nucleus ECR Policies
• Other minor changes and fixes

​

Breaking Changes

• ⚠️ [improvement] Dynamic Argo RBAC definition
• ⚠️ [improvement] Use AWS Config service linked role

​

Version 1.2.1

​

Features

• Added the possibility of using static secrets instead of creating different secrets for each new cluster
• Added the possibility of selecting security groups by ID or tags for Karpenter Nodepools
• Added automation to block a specific session token using SCP

​

Improvements

• Improved alerting for Karpenter
• Improved message in alerts: Added cluster name to the title
• Improved output from cluster permissions with application details, simplifying application configuration
• Improved naming convention for IRSA roles, making migrations easier by automatically generating role names for service accounts

​

Fixes

• Fixed Load Balancer Alarms
• Fixed EC2 Status Check alarm with disabled action
• Added flags for resources that should be conditionally created
• Fixed Nucleus Welcome image port and healthcheck path configuration
• Other minor changes and fixes

​

Breaking Changes

• ⚠️ [improvement] Optionally add an rds security group for nodes connected to DB
• ⚠️ [feature] Additional NLB feature
• ⚠️ [fix] 1.2.1 general findings
• ⚠️ [improvement] Nucleus v1.1.0 compatibility

​

Version 1.2.0

​

Features

• ⭐ Upgraded EKS cluster version to 1.31, and tooling version to the latest available version
• 💎 Added capability for implementing blue/green canary deployments for upgraded clusters
• Added external ALB common to all clusters, as opposed to the current strategy of one ALB per cluster
• Added capability for adding antiaffinity rules, to maximize application spread in the assigned nodes
• Added possibility of adding tags to secrets, for attribute based access control
• Added possibility of adding additional access entries for applications or human users to interact with EKS cluster
• Added capability for adding additional secrets to a pod using the “standard application” helm templates

​

Improvements

• Added automatic snapshot techniques for OpenSearch, and recovery scripts for quickly reacting to disaster scenarios
• Added SQS for Karpenter to know beforehand about some critical AWS events, like Spot Interruption, Instance Terminating, etc

​

Fixes

• Fixed s3 logging buckets outputs
• Fixed deploy key parameter name
• Other minor changes and fixes

​

Breaking Changes

• ⚠️ [improvement] ingress and vpn-ingress tool modules are deprecated for ingressroutes and vpn-ingressroutes
  • Updating module nlb-vpn:
    • Target group and listener are defined different. This will require moving terraform resources with moved block for 3 resources, these 2 and the target group attachment. This last resource will be recreated due to port addition, it has NO downtime on terraform apply
    • Security group for NLB cannot be attached once the NLB is created, for legacy behavior set create_security_group = false. Also add this rule for ALB security group (to allow traffic from connector):
    Copy

              {
                      allow_vpn_connector_vpc = {
                        from_port   = 443
                        to_port     = 443
                        ip_protocol = "tcp"
                        description = "rule added for legacy. VPN NLB does not have SG"
                        cidr_ipv4   = data.terraform_remote_state.networking-vpn[0].outputs.vpc_vpn_cidr
                    }
              }
    

• ⚠️ [improvement] local.resources_per_cluster.secret replaced with local.resources_per_cluster.secret_name because it causes conflict with new definition
• ⚠️ [improvement] Traefik IngressRoute apiVersion traefik.containo.us/v1alpha1 deprecated. Replaced by traefik.io/v1alpha1
• ⚠️ [improvement] Karpenter CRDs apiVersion changed from karpenter.k8s.aws/v1beta1 to karpenter.k8s.aws/v1 and requiere additional configurations:
  • EC2NodeClass:
    • spec.amiSelectorTerms instead of amiFamily
  • NodePool:
    • spec.template.spec.nodeClassRef.group instead of apiVersion
    • spec.disruption.consolidationPolicy allowed values changed
    • spec.disruption.consolidateAfter required

​

Tooling

​

Providers

​

Version 1.1.1

​

Features

• Added transformation functions. Custom transformation functions can be added to extract and modify information from Eventbridge events. The output can then be used in the alarm’s definition
• EKS logs can be dynamically managed from the infrastructure’s parameter
• Deployed nucleus welcome image for new applications to use. Updates CICD to include a welcome image when a new app is deployed

​

Improvements

• Replaced Cloudfront resources with cloudfront module

​

Fixes

• Added “region != us-east-1” to resources that should not be created if region is us-east-1
• Added us-east-1 slack arn topic to lambdas
• ALB alarms now use complete id instead of ARN
• Cloudfront alarms are created now in us-east-1, as metrics are not accessible from other regions
• Added missing bucket for permissions states
• Changed folder name under organization management from infrastructure to management account
• Fixed Minor Naming issues
• Bucket name for networking state files now includes environment
• Kubecost role now allows cross-account access to CUR reports in S3
• Added conditions for Alarms lambda resources
• Extended Linkerd’s webhook certificate authority public certificate validity

​

Breaking Changes

• ⚠️ eks.argo.git_webhook_secret changed - In Infrastructure/Workloads/workload-{environment}/secrets.dynamic.json, the field eks.argo.git_webhook_secret` was changed for eks.argo.githubSecret and eks.argo.gitlabSecret. Replace accordingly.

​

Version 1.1.0

​

Features

• 💎 Smart Alarms Module. This new module allows for a centralized alarm management configuration system, ensuring that resource alarms are kept consistent when resources are created/updated/deleted, no matter who or what is performing the change
• Added the capability to deploy DataDog Agent with the EKS module automatically
• Added capability for hosting more than one environment in the same cluster
• Added nodePool parameter in helm charts to dynamically assign pods to specific nodegroups
• Security Module now deploys all services as code across all accounts in the organization, including AWS Config, AWS Security Hub, AWS Cloudtrail, and Fast Foundation Smart Alarms Module
• Started using Priority Class labels for node-critical applications, preventing rollouts of new applications from freezing due to critical pods being unable to be deployed because nodes were full
• Template for CronJobs to be automatically deployed into the cluster
• Added Datadog charts for automatic deployment when using Datadog

​

Improvements

• Improved organization of Logging Indexes. Optimized Application and Ingress views in OpenSearch. Enabled Traefik JSON logging. Improved tagging strategy for Fluentbit-Kubernetes filters
• Enabled Traefik JSON logs
• Added Argo Service Monitor to Prometheus Stack
• Logs now include a tag with the cluster name for scenarios where more than one cluster is deployed in the same environment
• Established naming conventions for IAM Roles for service accounts. Fixed length and cyphertext strings to avoid collision and character limitations
• Karpenter nodepool’s CPU limits are now fixable using an infrastructure parameter
• Fixed dependency versions for their latest versions
• General improvements to file structure
• Updated Tooling/Provider versions (see table below)

​

Fixes

• Fixed EFS driver dynamic provisioning and job-application
• Logging now uses the environment as a prefix instead of the cluster name
• Added options for backward compatibility with previous versions
• Added capability to set Argo’s target revision branch
• Added conditionals for optional resources like Kubecost and Nucleus
• Truncated port names to avoid character limit errors
• Subnets for ALBs and NLBs are now dynamically chosen depending on how many availability zones the region has
• Added some mandatory roles for Karpenter to work correctly with Spot and Spot fleets
• Fixed Karpenter alarm descriptions
• Removed roles that were no longer in use
• Other minor name and typo fixes

​

Tooling

​

Providers

​

Fast Foundation for AWS is out!

​

Tooling

​

Providers