This repository has been archived by the owner on Dec 6, 2024. It is now read-only.


CHANGELOG.md


Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Beta

This release is in beta. Click here to see changes since 4.0.2.

4.0.2 (2021-10-19)

Bug Fixes

  • add coverage for undef config case (#761) (a3f3f09)
  • AppDeployer needs perms to create new env (#762) (fe75f8b)
  • display unavailable after config deletion (#760) (9c1daa4)

4.0.1 (2021-10-15)

Note: We recommend applying this patch as soon as possible if you use the CI/CD component.

Bug Fixes

  • remove test target from infrastructure tests as it is reserved for unit tests (#756) (4adb965)

4.0.0 (2021-10-14)

Features

  • Egress, Secured Workspaces (AppStream) and Account update wizard (#750) (b990924)

Service Workbench is incrementing a major release version to bring attention to three new features.

1. Member account onboarding improvement

The Service Workbench member account onboarding process is changed to be more in line with the Bring Your Own Bucket (BYOB) process. The general intent is that the process to onboard an account in support of hosting data should be the same as onboarding an account in support of hosting researcher workspace compute. Twelve points of context switching and manual data entry have been eliminated with the new process.

This change applies to all updated installations, and can be applied to those installations that have already onboarded member accounts.

To learn more about the new process, refer to the updated instructions in the Service Workbench Post Deployment guide.

Important Notes:

  • If you have already onboarded a member account for your Service Workbench installation, and this account has active or stopped workspaces, the safest course would be to terminate all workspaces prior to the update. We did test a scenario with active and stopped workspaces and observed no impact during testing, but because this update is a major release, we recommend the safest course.
  • Any member accounts that were onboarded prior to this update will need to be updated through the Service Workbench user interface, and you will be prompted to do so when visiting the new “Accounts” page in Service Workbench. This update is necessary because there is a new capability that checks whether the member and main account code versions are in sync and provides a visual indicator if they are not, giving you a clear indication that an update is needed.

2. Enabling secure desktop

This feature introduces AppStream 2.0 as an access point for Service Workbench workspaces. With this enabled, researchers will not be able to egress the data from their Service Workbench workspaces to their client machine, and Service Workbench workspaces will not have access to the internet.

Core networking changes within the member account will move researcher workspaces to the private subnets, and the method of connecting to a researcher workspace changes. Restricting access by public IP is no longer available, and the layer of security per workspace that replaces IP restriction is outlined in connection instructions in the Service Workbench workspace UI.

This feature is disabled by default upon install. To enable this feature, change the feature flag isAppStreamEnabled in the configuration file to true.

Important Notes:

  • Once this feature is enabled for a Service Workbench installation, it cannot be disabled without deleting the installation and reinstalling. This is because there are core networking changes for workspaces that cannot be reverted.
  • If you have an existing installation without the feature flag enabled, and want to activate this feature flag, terminate all workspaces prior to activating the flag.
  • AppStream service use does incur additional cost and we recommend you review the cost impact prior to configuring your AppStream fleet: https://aws.amazon.com/appstream2/pricing/
  • Because the Service Workbench workspaces do not have internet connectivity, VPC endpoints are introduced for all AWS services that the workspaces use (such as S3, EC2, and AppStream).
  • Significant updates to the post deployment configuration instructions when this feature is enabled are outlined here

3. Enabling secure egress

As a complement to the Secure Desktop functionality, this feature provides a mount point per workspace (that is only accessible from that workspace) for a researcher to stage data that they wish to take out of the Service Workbench installation. Once the data is put in this location (called the Egress Store), the researcher can choose the Submit Egress Request button, and a message containing the metadata for their egress request is published to an SNS topic (https://aws.amazon.com/sns/).

Like the Secure Desktop feature, this feature is also disabled by default upon install. To enable this feature, you must change the feature flag enableEgressStore in the configuration file to true. Note that this feature flag is independent from the Secure Desktop feature flag, but if it is activated by itself, there is nothing preventing the researcher from copying data to their local client (thus outside the egress store).

Important Notes:

  • Currently, the message goes to the SNS topic, but there is no subscriber added to the topic. It is your responsibility to subscribe to the topic, and to act on the Egress Store data source with elevated permissions through the AWS Management Console.
  • When this feature is enabled, Bring Your Own Bucket (BYOB) data sources are restricted to read-only access. This is because a BYOB data source can live in a different AWS account (unlike MyStudy and Organizational Study, which live in the main Service Workbench account). Allowing write access to a BYOB data source would be uncontrolled egress.

3.5.0 (2021-10-14)

Features

  • dynamic version number from CHANGELOG and automation of Beta versioning (#716) (5887170)

Bug Fixes

  • build ami version bug (#738) (a39b3b4)
  • bypass develop protection when adding beta (#725) (fe4c0ff)
  • downgrade node-ssh version to fix integ tests (#744) (f5ce251)
  • integ test setup flakiness fix (#727) (65ea43d)
  • namespace code works with configs with no namespace param (#717) (72c9fe3)
  • Update libcurl-devel package for RStudio to correct version (#726) (04bb82c)
  • version number before backend deployment (#724) (6d545dd)

3.4.0 (2021-09-16)

Features

  • display Configuration Name and Instance Type on Workspace details card (#669) (f0fa819)
  • Pre-populate variable values in input section of new workspace configuration (#680) (8ce51b2)

Bug Fixes

Documentation

3.3.1 (2021-07-26)

Bug Fixes

  • application version number (#573) (fada154)
  • Clear timer in ForceLogout.test.js to allow tests to end (#570) (4871e0f)
  • Remove delete user feature from UI and handle study permissions which have stale users (#595) (8be3f90)

Chore

Documentation

3.3.0 (2021-06-25)

Documentation

  • Service Workbench installation guide (#545) (2be27d1)

3.2.0 (2021-06-11)

Features

  • Add warning that internal authentication shouldn't be used in production (#506) (1586278)
  • Encrypt s3 buckets for EMR log bucket and CICD Artifact bucket (#508) (e86fd06)
  • study permissions only shown to Study Admin (#501) (f3eaae8)

Bug Fixes

  • add termination status for non-found workspaces (#502) (8c30378)
  • adds 'stopped' filter for workspaces (960b592)
  • Allow sagemaker to have the proper IAM permission to autostop itself (#515) (32007ed)
  • Corrected Spark defaults to fix read/write functionality from Spark (#526) (f96e1bd)
  • Do not allow users to change root password (#503) (a436f73)
  • moved notification boxes to avoid blocking the top ribbon. (#483) (5a226d7)
  • react compilation error (#500) (547f2ad)
  • Redirect non admin users to "/" if they try to access "/users" (#489) (ee3a58e)

3.1.0 (2021-05-10)

Features

Bug Fixes

  • Fix BYOB app role to only modify FS roles (#454) (35f6cce)
  • free-form strings for workspace configs (#479) (fca73f4)
  • properly handle SC products with no active versions (#468) (3c561f4)
  • Update workspace name reg exp and workspace config tags reg exp (#452) (f9b7d62)

[3.0.0] - 2021-04-19

Added

  • refactor: restricting AppDeployer permissions
  • refactor: Remove permission boundary condition on launch constraint role
  • refactor: restrict sc roles

Permissions boundaries are being added to several important IAM roles used by Service Workbench as a security best practice.

Customer Impact: Below outlines the actions required for you to successfully adopt this security enhancement. The first two items are applicable to all customers. If you have created custom workspace types, then all three items below are applicable.

  1. After running the update, onboard all hosting accounts once again to benefit from the enhanced security, and test the application. Note: The attached PDF contains steps for onboarding hosting accounts; contact your Service Workbench Administrator if you have not performed these steps before.

  2. After running the update, import and use the newly available Service Catalog product versions for workspace types (latest version numbers) to benefit from the enhanced security.

  3. ONLY customers that have created custom workspace types: It is possible that the permissions boundaries would prevent actions that were formerly allowed. You should plan to validate your custom workspace types after the update. Issues should be addressed by modifying the custom workspaces to work within the permissions granted, or by modifying the permissions boundary for your installation. The latter requires a change to the Service Workbench code for your installation, specifically the IAM policies that are attached as the permissions boundary. Note: Any existing custom or non-custom workspace types (for example, EC2 Linux/Windows, EMR, SageMaker, R Studio) are not impacted by this upgrade.

[2.2.0] - 2021-04-12

Added

  • feat: Display SWB Version in UI's Top Bar
  • fix: Fix cost dashboard bugs

[2.1.5] - 2021-04-08

Added

  • fix: Ensure sdk retry logic is enabled in prod
  • docs: Readme updated
  • fix: assume role on added member account

[2.1.4] - 2021-04-06

Added

  • fix: managing pnpm version for nodejs compatibility

[2.1.3] - 2021-04-06

Added

  • fix: adding required AppDeployer permissions
  • chore: package dependency updates
  • fix: added X-ray support and fix CWL IAM permissions

If you have been using the CI/CD pipeline, please redeploy the pipeline stack to incorporate this fix by following the steps listed in the main/cicd/README.md file.

[2.1.2] - 2021-04-01

Added

  • fix: managing AppDeployer role permission boundary
  • fix: CW log resources corrected in backend CFN template
  • refactor: restrict ApiHandler role permissions
  • refactor: restrict WorkflowLoopRunner role permissions
  • refactor: restrict CrossAcctExec role permissions
  • chore: team email removed from feedback section in readme
  • chore: updates to npm dependencies

If you have been using the CI/CD pipeline, please redeploy the pipeline stack to incorporate this fix by following the steps listed in the main/cicd/README.md file.

[2.1.1] - 2021-03-19

Added

  • chore: Enable SSE-S3 when registering buckets in BYOB
  • refactor: restrict data source reachability Lambda role
  • fix: Add 'reachable' and 'error' status to reachability check schema
  • fix: added region parameter reference to elasticmapreduce bucket references

[2.1.0] - 2021-03-12

Added

  • fix: Upgraded react-dev-utils yarn dependency version
  • feat: Added Bring Your Own Bucket (BYOB) functionality
  • feat: Added integration testing for all APIs
  • feat: Added OpenAPI documentation
  • feat: Removed unused APIs - listWorkflowInstancesByStatus and createAuthenticationProviderConfig

[2.0.3] - 2021-03-12

Added

  • chore(deps): bump websocket-extensions from 0.1.3 to 0.1.4
  • test: fix flaky integ tests
  • fix: emr workspace image. Lock jupyterlab to version 2.2.6
  • test: Implemented integration tests for service catalog workspaces
  • feat: verbose integ test log

[2.0.2] - 2021-03-03

Added

  • fix: SageMaker environment status update
  • fix: Validate Open Data ARNs
  • test: Integration test components and framework
  • chore: Dependency version bump

[2.0.1] - 2021-02-08

Added

  • fix: Added usernameInIdp property to update user schema
  • fix: Made external researcher used UserOnboarding template less permissive
  • fix: labeler yml syntax
  • chore: add PR size labeler

We recommend applying this patch as soon as possible.

[2.0.0] - 2021-01-29

Added

  • feat: Adding ability to manage CIDR blocks of workspace's configured security group

Note:

  1. This feature has added permissions to the onboard-account template and requires re-onboarding existing member accounts. Please contact your system administrator for the same.
  2. For RStudio instances, please allow 2-5 minutes for CIDR changes to take effect.
  3. For SageMaker instances, application admins and workspace owners currently have the ability to access the SageMaker platform directly, irrespective of CIDR inclusion.
  • feat: Remove APIs for built-in workspaces

[1.4.7] - 2021-01-28

Added

  • fix: Fix a bug on the update user API

We recommend applying this patch as soon as possible.

[1.4.6] - 2021-01-15

Added

  • fix: Add tables back to cloudformation and don't authorize API Keys

We recommend applying this patch as soon as possible.

[1.4.5] - 2021-01-14

Added

  • fix: remove API Keys functionality

We recommend applying this patch as soon as possible.

[1.4.4] - 2021-01-13

Added

  • fix: open data scraper bugfix
  • docs: improvements to deployment documentation
  • fix: Upload Files button disappears for R/W users
  • feat: install R3.6 and system packages required for dev
  • fix: file not found error in download-env-config script
  • test: Add github workflow for e2etest run
  • feat: modify filter criteria for Open Data
  • docs: delete dead links
  • fix: changed RStudio server CSP headers to allow uploads from same-origin

[1.4.3] - 2020-11-24

Added

  • feat: Support Read/Write Study mounts for EC2 Windows

[1.4.2] - 2020-11-23

Added

  • fix: Fix a bug on the update study API

We recommend applying this patch as soon as possible.

[1.4.1] - 2020-11-18

Added

  • fix: Handling policy names for windows envs
  • fix: Fix a bug on the create study API

We recommend applying this patch as soon as possible.

[1.4.0] - 2020-11-13

Added

  • feat: Study Read/Write and Permission propagation (Goofys)
  • feat: Read/Only study mounts on AWS Service Catalog based EC2 Windows workspaces

[1.3.2] - 2020-10-23

Added

  • fix: Adding dependencies for Dynamo table creation to prevent install crash
  • fix: Query string parameters were getting duplicated in the url
  • feat: Pre-install git on RStudio workspaces

[1.3.1] - 2020-10-20

Added

  • chore: Create better env delete logs
  • fix: Apply version name to products out of the box
  • fix: changing rstudio check-idle logic
  • fix: Cognito user pool domain name clashing issue
  • fix(End to End test): When creating a workspace, select project by class item
  • fix: Sagemaker instances respect CIDR blocks that are provided to the instance
    • For existing service workbench deployments you will need to import Sagemaker as a workspace type again to mitigate the risk of exposing workspaces to all IPs
    • Existing Sagemaker workspaces will continue to have this issue

[1.3.0] - 2020-10-09

Added

  • feat: manual stop and start functionality for EC2 Linux, EC2 Windows, RStudio and Sagemaker workspaces
  • feat: auto stop functionality for SageMaker and RStudio workspaces
  • bugfix: outdated lock file
  • doc: update deployment and post-deployment documentation

[1.2.0] - 2020-09-29

Added

  • feat: user id change. We will be using a uid going forward as a user identity
  • feat(backend): Also allow UPLOAD access for users with write access
  • bugfix: rethrow unknown exceptions
  • bugfix: rstudio connection fix, removing appstream
  • bugfix: metaconnection check for rstudio

[1.1.0] - 2020-09-11

Added

  • Add budget integration - Admin users can set up budget and alert notifications for AWS member accounts on-boarded with Service Workbench
  • Adding RStudio Service Catalog product - Users can now use RStudio in Service Catalog

[1.0.1] - 2020-08-31

Added

  • Bug fix for Service Catalog product artifact creation (occurs when CfN template is edited in-place)

[1.0.0] - 2020-08-28

Added

  • Initial launch! 🚀