Substrate release notes

2022.05

Allow customization of EC2 instances from the Instance Factory by using a launch template named InstanceFactory-arm64 or InstanceFactory-x86_64, if the one matching the requested instance type is defined. See customizing EC2 instances from the Instance Factory for details and an example.
Add cloudtrail:DeleteTrail to the (short) list of APIs that are denied by the Substrate-managed service control policy on your management account.
Remove verion constraints from Terraform modules in the modules/ tree, instead letting all the version constraints come from the root module.
Upgrade the Terraform AWS provider to at least 4.12.
Remove dormant copies of various parts of the Intranet, which were deprecated as their functionality was moved into the monolithic Intranet IAM role and Lambda function.
Bug fix: Add organizations:DescribeOrganization to the IAM policy attached to the CredentialFactory IAM user so that it can orient itself fully.
Bug fix: Submit your Intranet URL to AWS so that when you’re logged out of the AWS Console it links you to how you get back in instead of to the Substrate product page.
Bug fix: Sort Terraform resources by their type and label as has always been intended. This will result in differences in source code but not in Terraform plans.
Bug fix: Print prompts to standard error so they don’t corrupt parseable output.

After upgrading Substrate:

substrate bootstrap-management-account
substrate create-admin-account -quality quality for each of your admin accounts

2022.04

Enforce, via organization-wide Service Control Policy, that EC2 instances must be launched with access to IMDSv2 and not IMDSv1. The Instance Factory has been launching compatible instances since 2021.10. If for some reason you need to roll this step back, use your Intranet’s Accounts page to open the AWS Console in your management account with the OrganizationAdministrator role, visit https://console.aws.amazon.com/organizations/v2/home/policies/service-control-policy, and delete SubstrateServiceControlPolicy. When you’ve migrated whatever needed IMDSv1 to use IMDSv2, re-run substrate bootstrap-management-account.
Substrate now ships with a rudimentary autocomplete mechanism for Bash, Z shell, and other shells with compatibility for Bash completion.
Substrate can now be used to drive the --profile option to the standard AWS CLI. See using AWS CLI profiles for details.
Upgrade the AWS Terraform provider to version 4.9.0 or (slightly) newer.
Remove the dependency on the AWS CLI in the generated modules/substrate Terraform code.
Bug fix: Lessen the possibility of a TooManyRequestsException from AWS Organizations during Terraform runs.
Bug fix: Update the SubstrateVersion tag on your AWS accounts themselves when Substrate tries to create them and finds that they already exist.
Bug fix: This time Substrate actually asks if it may post telemetry to Source & Binary as promised in the previous release.
Bug fix: Prevent a rare crash when trying to post tememetry early so commands can exit earlier.
Bug fix: Use Terraform resource references in root-modules/deploy to avoid a race during substrate bootstrap-deploy-account.
Bug fix: Properly support older instance types, especially t2, in the Instance Factory.

After upgrading Substrate:

Configure Substrate shell completion
substrate bootstrap-management-account
substrate create-admin-account -quality quality for each of your admin accounts

2022.03

Substrate now asks if it may post telemetry to Source & Binary. The data will be used to better understand how Substrate is being used and how it can be improved.
Address deprecation warnings from the AWS Terraform provider by refactoring root-modules/deploy.
Bug fix: Correctly pass an AWS access key to Terraform even if that access key is from an IAM user. This situation is unlikely but can come up during bootstrapping in brownfield environments.
Bug fix: Display environments and qualities in the order they’re defined in substrate.environments and substrate.qualities on the Intranet’s Accounts page and in the output of substrate accounts and substrate root-modules.

After upgrading Substrate:

substrate bootstrap-deploy-account
substrate-create-admin-account -quality="..." for each of your admin accounts

2022.02

Upgrade to Terraform 1.1.6.
Manage L-29A0C5DF, the AWS service limit on the number of accounts in an AWS organization, so that substrate-create-admin-account and substrate-create-account can proceed smoothly when you create your 11th account.
Remove the SubstrateVersion tag from Terraform-managed resources. It hasn’t been as helpful here as it is on Substrate-managed resources. Plus, Terraform plans are much easier to read without it.
Bug fix: Pin the Terraform AWS provider to versions less than 4.0 which contains breaking changes that will be addressed in a subsequent Substrate release.

You must upgrade to Terraform 1.1.6 in order to use Substrate 2022.02. Terraform 1.1.6 may be found here:

After upgrading Substrate, do the following to land the Terraform upgrade and remove the SubstrateVersion tags:

substrate-bootstrap-network-account
substrate-bootstrap-deploy-account
substrate-create-admin-account -quality="..." for each of your admin accounts
substrate-create-account -domain="..." -environment="..." -quality="..." for each of your service accounts

2022.01

The -role="..." option to substrate-assume-role now defaults to OrganizationAdministrator, Auditor, DeployAdministrator, or NetworkAdministrator for the special accounts and Administrator for admin and service accounts (or Auditor pretty much across the board, if you begin in the Auditor role). This should save a great deal of typing.
Add a navigational header to the Intranet to help folks get around.
Allow the Auditor role in the audit account to use Amazon Athena to query the CloudTrail logs stored in S3 there. See auditing your Substrate-managed AWS organization for more details.
Bug fix: Substrate 2021.12 inadvertantly stopped accepting EC2 instance profile credentials on Instance Factory instances. (The instances are still assigned the correct role, Substrate programs just wouldn’t use it.) Substrate programs once again use EC2 instance profile credentials when available.

After upgrading Substrate:

substrate-create-admin-account -quality="..."
Upgrade Substrate in your Instance Factory instances, if you install it there

2021.12

Substate now uses your default region (the one you chose to host your organization’s CloudTrail logs, among other things) when it executes global root modules. This allows you to more completely decouple yourself from us-east-1 if you so choose.
Bug fix: Allow the Instance Factory to pass any IAM role configured in your IdP on to EC2 instances your non-Administrator users launch.
Safety feature: No longer read ~/.aws/credentials under any circumstances. Since we never use this file in a Substrate-managed AWS organization, reading this file can only serve to “cross the streams” with a legacy AWS account.

The upgrade process this month is much more involved that most. As such, we’ll talk in Slack about when you’re going to perform the upgrade to ensure support’s available in the moment.

Before upgrading Substrate, audit your Terraform modules for resources in global modules that aren’t from global AWS serivces by copying the following program to audit.sh in your Substrate repository and running sh audit.sh.

set -e

substrate root-modules |
grep "/global\$" |
while read DIRNAME
do
    echo "$DIRNAME" >&2
    terraform -chdir="$DIRNAME" state pull >"$DIRNAME/audit.tfstate"
    grep -F ":us-east-1:" "$DIRNAME/audit.tfstate" || :
    rm -f "$DIRNAME/audit.tfstate"
    echo >&2
done

Every resource this program identifies needs to be modified before proceeding. The most likely modification is to add provider = aws.us-east-1 to resources in the Terraform code that manages them.

Block all your coworkers from making Terraform changes however you usually do (announcing in Slack, deactivating CI/CD jobs, taking state file locks, etc.) and move your global state files from us-east-1 to your default region by copying the following program to mv-state.sh in your Substrate repository and running sh mv-state.sh.

set -e

DEFAULT_REGION="$(cat "substrate.default-region")"
PREFIX="$(cat "substrate.prefix")"

if [ "$DEFAULT_REGION" = "us-east-1" ]
then exit # nothing to do
fi

eval $(substrate-assume-role -role="DeployAdministrator" -special="deploy")

substrate root-modules |
grep "/global\$" |
while read DIRNAME
do
    echo "$DIRNAME" >&2
    aws s3 cp "s3://$PREFIX-terraform-state-us-east-1/$DIRNAME/terraform.tfstate" "s3://$PREFIX-terraform-state-$DEFAULT_REGION/$DIRNAME/terraform.tfstate"
    aws s3 rm "s3://$PREFIX-terraform-state-us-east-1/$DIRNAME/terraform.tfstate"
    echo >&2
done

Once you’ve run this program, there’s a provider to thread through the tree of Terraform modules before you can upgrade to Substrate 2021.12.

Add the following four lines in the domain module stanzas in root-modules/*/*/*/global/main.tf:
```
providers = {
  aws           = aws
  aws.us-east-1 = aws.us-east-1
}
```
Add the following three lines below aws = { in modules/*/global/versions.tf except modules/lambda-function/global/versions.tf, modules/substrate/global/versions.tf, and your own modules:
```
configuration_aliases = [
  aws.us-east-1,
]
```

(I regret not being able to provide a patch(1) file for these operations but the contents of versions.tf post-Terraform 1.0 are too unpredictable to do so safely.)

Now you can upgrade Substrate. Don’t release your block just yet, though.

After upgrading Substrate:

substrate-bootstrap-deploy-account
substrate-create-admin-account -quality="..." for each of your admin accounts
substrate-create-account -domain="..." -environment="..." -quality="..." for each of your service accounts

Once all of these have run successfully, ensure all your coworkers upgrade Substrate and unblock Terraform changes.

I regret the complexity of this upgrade process but feel it is, on balance, less risky than attempting to hide all this motion behind automation. Thanks for your patience.

2021.11

New installations no longer configure a SAML provider. Instead, all AWS API and Console access is brokered by OAuth OIDC and your Intranet. Existing SAML providers are not removed.
For those using Google as their IdP, read the name of the role to assume in the Credential and Instance Factories and the AWS Console from custom attributes on Google Workspace users. (For Okta users, Administrator is still the default.)
Forward Cookie headers to HTTP(S) services wired into the Intranet by the experimental new modules/intranet/regional/proxy module. The theoretical security benefit of not exposing raw cookies (and instead exposing identity) is not remotely worth the loss in functionality it cost.
Reduce the chance of Intranet misconfiguration by limiting which API Gateways can forward to the substrate-intranet Lambda function.
Bug fix: The links to other parts of the Intranet from the page that substrate-credentials opens in your browser are relative links and were missing the ../ prefix, which has now been added.
Removed version pinning of the long-unused Terraform archive provider.
Removed -no-cloudwatch from substrate-bootstrap-management-account, substrate-create-admin-account, and substrate-create-account in favor of just actually detecting when it’s necessary and not doing it when it’s not.

Before upgrading Substrate, if you’re using Google as your IdP:

Add an additional custom attribute as follows:
1. Visit https://admin.google.com/ac/customschema in a browser (or visit https://admin.google.com, click Users, click More, and click Manage custom attributes)
2. Click the AWS section
3. In the blank bottom row, enter “RoleName” for Name, select “Text” for Info type, select “Visible to user and admin” for Visibility, select “Single Value” for No. of values
4. Click SAVE
Visit https://admin.google.com/ac/users and set the RoleName attribute in the AWS category to “Administrator” for every user authorized to use AWS.
Visit https://console.cloud.google.com/apis/library/admin.googleapis.com, confirm the selected project is the one that contains your Intranet’s OAuth OIDC configuration (its name will be listed next to "Google Cloud Platform" in the header), and click ENABLE.

After upgrading Substrate:

Run substrate-create-admin-account -quality="..." to upgrade your Intranet.

2021.10

The Intranet’s /accounts page now logs you into the AWS Console and assumes the specified role without requiring you to have already been logged in.
The -console option to substrate-assume-role likewise now logs into the AWS Console and assumes the specified role without requiring you to have already been logged in.
Auditor roles can now assume other Auditor roles, making it possible for Auditor to move throughout the organization while retaining its read-only status.
The lists of principals that can assume the Administrator and Auditor roles may now be augmented by adding a JSON-encoded assume role policy in substrate.Administrator.assume-role-policy.json and/or substrate.Auditor.assume-role-policy.json.
Enforce the use of IMDSv2 on instances from the Instance Factory. This is a prerequisite for organization-wide enforcement of using IMDSv2, which is an important default that reduces the potential impact of SSRF vulnerabilities.
substrate-whoami output now also includes your IAM role ARN.
Prompt folks to cd or set SUBSTRATE_ROOT when they try to eval $(substrate-credentials) from outside the Substrate repository.
Allow all accounts in the organization, not just admin accounts, to read shared CloudWatch metrics.
Added experimental modules/intranet/regional/proxy that makes it easy to put SSO in front of internal websites and HTTP APIs. See protecting internal websites for more information and an example.
Bug fix: Grant s3:PutObjectAcl so that it’s possible for all authorized principals to upload objects with the bucket-owner-full-control canned ACL.
Bug fix: Extract substrate-intranet.zip from the substrate binary during Terraform runs in root-modules/admin/*/* instead of only during substrate-create-admin-account. This makes it far less painful for mulitple teammates to work in the same Substrate repository and for CI/CD systems to apply Terraform changes.
Bug fix: Prevent a race between VPC sharing and tagging that caused substrate-create-admin-account and substrate-create-account to fail every time they were used to actually create an account.
Added -no-cloudwatch to substrate-bootstrap-management-account, substrate-create-admin-account, and substrate-create-account that skips the slow process of managing all the roles necessary for cross-account CloudWatch sharing. (Useful if you’re certain you’ve not created a new account and you’re in a hurry.)

After upgrading Substrate:

Run substrate-bootstrap-deploy-account to fix the bucket policy so that all authorized principals in the organization can upload to the deploy artifact bucket(s).
Run substrate-create-admin-account -quality="..." to upgrade your Intranet and Auditor roles. Note well this will produce a fair number of new resources; this is step one in a multi-month process of brining some naming consistency to Substrate-managed resources in IAM, Lambda, and other AWS services.

2021.09.28

Bug fix: Properly detect when Substrate tools are invoked via symbolic links (i.e. in their original substrate-assume-role form rather than their new substrate assume-role form) on MacOS.

If you’re upgrading from 2021.08, follow the upgrade instructions from 2021.09. If you already upgraded to 2021.09, there are no further upgrade steps.

2021.09

This release changes the interactive interface to substrate-bootstrap-network-account and substrate-create-admin-account to make them easier to run in CI. If you are automating these commands by providing yes and no answers on standard input, this release will break your automation; you should run these commands interactively first to see what’s changed. The details of what’s changed are listed in the usual format below.

Move all Substrate commands into the substrate binary with symbolic links replacing the substrate-* binaries from previous releases. This can mostly be considered a no-op but note that now Substrate commands may be also be invoked as substrate subcommand. This is not a deprecation notice for the original invocation style.
Added -fully-interactive, -minimally-interactive, and -non-interactive to all Substrate commands. -fully-interactive is almost identical (see below) to the behavior of 2021.08 and earlier releases. -minimally-interactive is the new default and removes the incessant “is this correct? (yes/no)” dialogs, which I thought would be welcome but turned out to be annoying. -non-interactive will never prompt for input and will instead exit with a non-zero status if input is required.
Changed the interactive prompts concerning Google and Okta configuration to make them less bothersome and (in the Okta case) less prone to unintentional changes. If you are automating substrate-create-admin-account by providing yes and no answers on standard input, this change will break your automation; you should run this command interactively first to see what’s changed.
Added a confirmation to substrate-create-admin-account and substrate-create-account to prevent errant creation of new AWS accounts (which are tedious to delete in case creation was a mistake) plus a new -create option to suppress that confirmation.
Updated the Substrate-managed Service Control Policy attached to your organization to deny access to the cloudtrail:CreateTrail API. Substrate creates a multi-region, organization-wide trail early in its initialization. This policy prevents additional trails from being created because they are excessively expensive and redundant.
Added e-mail address columns to tables of AWS accounts in substrate.accounts.txt, substrate-accounts, and the Intranet’s /accounts page.
Added -format=shell to substrate-accounts, which enumerates AWS accounts as shell commands to the various substrate-bootstrap-* and substrate-create-* commands. This is useful for driving CI/CD of Terraform changes. It’s also useful for automating Substrate upgrades.
Added substrate-root-modules, which enumerates every Substrate-managed Terraform root module in a sensible order. This, too, is useful for driving CI/CD of Terraform changes.
Added a new root-modules/deploy/global root module under the management of substrate-bootstrap-deploy-account. Substrate doesn’t manage any resources there but you’re free to.
Bug fix: Ensure that objects put into the deploy buckets in S3 by any account in your organization may actually be fetched by other accounts in your organization. Requires objects be uploaded with the bucket-owner-full-control canned ACL.
Bug fix: Avoid a fork bomb in case substrate-whoami is invoked with a / in the pathname (i.e. as ~/bin/substrate-whoami).

After upgrading Substrate:

Run substrate-bootstrap-management-account to update your organization’s Service Control Policy.
Run substrate-bootstrap-deploy-account to reconfigure the deploy buckets in S3 and generate the global root module.
Run substrate-create-admin-account -quality="..." to add the e-mail address column to your Intranet’s /accounts page.

2021.08

Roll substrate-apigateway-authorizer, substrate-credential-factory, and substrate-instance-factory into substrate-intranet. This is a no-op listed here for transparency. It’s a prerequisite step towards unifying all the Substrate tools as subcommands of substrate, thereby reducing the size and complexity of the Substrate distribution.
Stop using the archive and external Terraform providers by embedding substrate-intranet.zip directly in substrate-create-admin-account. Dependence on these providers will be made optional in a subsequent release.
VPCs are no longer shared organization-wide, leaving the fine-grained VPC sharing introduced in 2021.07 to maintain each service account’s access to its intended VPCs.
The Instance Factory now supports ARM instances (i.e. the a1, c6g, m6g, r6g, and t4g families).
Bug fix: Switch back to the original working directory in substrate-assume-role (which will have changed if invoked with SUBSTRATE_ROOT set) before forking and executing a child process.
Added substrate-whoami to make it easy to learn the domain, environment, and quality of the AWS account your current credentials operate on.
Added -format=json to substrate-accounts to make it easier to enumerate and act programatically on every AWS account in your organization. See enumerating all your AWS accounts for an example.

After upgrading Substrate:

Run substrate-bootstrap-management-account to grant substrate-whoami the permissions it needs.
Run substrate-bootstrap-network-account to remove coarse-grained organization-wide VPC sharing.
Run substrate-create-admin-account -quality="..." to upgrade your Intranet.

2021.07

The Intranet’s /accounts page now opens the AWS Console in new browser tabs as it probably always should have.
Substrate now only manages the version constraint on the archive, aws, and external providers rather than all of versions.tf. This opens the door to Substrate users adding (and version constraining) additional providers. See additional Terraform providers for an example.
Upgrade to and pin Terraform 1.0.2 and the aws provider >= 3.49.0.
Tag many more AWS resources with Manager and SubstrateVersion using the default_tags facility of the AWS provider. If you encounter the following error, remove Manager and SubstrateVersion (if present) from the indicated resources and re-run.
```
Error: "tags" are identical to those in the "default_tags" configuration block of the provider: please de-duplicate and try again
```
All Substrate tools will now change their working directory to the value of the SUBSTRATE_ROOT environment variable, if set, rather than always proceeding in whatever the working directory was when invoked.
Share VPCs specifically with accounts that match their environment and quality. This is a no-op that enables a future release to remove organization-wide VPC sharing.

You must upgrade to Terraform 1.0.2 in order to use Substrate 2021.07. Terraform 1.0.2 may be found here:

After upgrading Terraform and Substrate:

Run substrate-bootstrap-network-account and substrate-bootstrap-deploy-account to complete the Terraform 1.0.2 upgrade there. Note well that tags and tags_all output will be somewhat confusing but will ultimately do the right thing.
Run substrate-create-admin-account and substrate-create-account to complete the Terraform 1.0.2 upgrade for each of your admin and service accounts. Here, too, note well that tags and tags_all output will be somewhat confusing but will ultimately do the right thing.

2021.06

List all the Intranet resources on the Intranet homepage, not just top-level resources.
Roll substrate-apigateway-authenticator and substrate-apigateway-index into substrate-intranet. This is a no-op listed here for transparency.
Tag shared VPCs in service accounts to clearly indicate in the AWS Console which one you should be using. This lays the groundwork for finer-grained VPC sharing in a future release.
Upgrade to and pin Terraform 0.15.5 and newer providers with relaxed >= version constraints on providers (but not Terraform itself).

You must upgrade to Terraform 0.15.5 in order to use Substrate 2021.06. Terraform 0.15.5 may be found here:

After upgrading Terraform and Substrate:

Run substrate-bootstrap-network-account and substrate-bootstrap-deploy-account to complete the Terraform 0.15.5 upgrade there.
Run substrate-create-admin-account -quality="..." to update your Intranet.
Run substrate-create-account -domain="..." -environment="..." -quality="..." for all your service accounts to tag your shared VPCs.

If you’ve added any stub provider blocks to your modules, leave them in place for now and accept the deprecation warning. Terraform only allows one required_providers block and that is now managed by Substrate. A future release will accommodate these additional providers.

2021.05

Bug fix: S3 traffic from private subnets is now correctly routed via the VPC Endpoint and not through the NAT Gateway.
Bug fix: Allow outbound IPv6 traffic from Instance Factory instances to match IPv4 and enable use of the IPv6 Internet.
Bug fix: Instance Factory instances now have 100GB disks instead of whatever the AMI happened to request, which recently shrank from 8GB to 2GB.
Bug fix: The Instance Factory now only lists instances which belong to you. It previously listed all instances for all your users.
By popular request, authorize admin accounts to directly access CloudWatch logs and metrics from all your accounts.

After upgrading:

Run substrate-bootstrap-network-account to fix S3 routes.
Run substrate-create-admin-account -quality="..." to enable direct CloudWatch access and make Instance Factory improvements.

2021.04

Added /accounts to the Intranet with links to assume the Administrator and Auditor roles in all your accounts in the AWS Console.
Added -console to substrate-assume-role which attempts to open the AWS Console’s role switching screen in your web browser with all the values filled in.
Added substrate-create-terraform-module which creates the directory structure (with the global and regional pattern), providers, and Substrate metadata for a new Terraform module.
Now building for M1 Macs, too.

After upgrading, run substrate-create-admin-account -quality="..." to add /accounts to your Intranet.

2021.03

Extended AWS Console sessions to 12 hours for organizations using Google as their IdP.
Upgrade to and pin Terraform 0.14.7.
substrate-bootstrap-network-account now creates peering connections between all VPCs in all regions for each environment across all valid qualities.
Fixed a bug in the Administrator role in admin accounts that prevented Instance Factory instances from seamlessly assuming the role.

You must upgrade to Terraform 0.14.7 in order to use Substrate 2021.03. Terraform 0.14.7 may be found here:

After upgrading:

rm -f -r root-modules/network/*/peering and remove these files from version control.
substrate-bootstrap-network-account to peer all your VPCs that should be peered.
substrate-create-admin-account -quality="..." to fix Instance Factory IAM roles, following the Google SAML setup guide if Google is your IdP to also get 12-hour AWS Console sessions.

2021.02

Added -format from substrate-credentials to substrate-assume-role per request from a customer. Now credentials can be had with or without the export prefix or as JSON a la aws sts assume-role itself.
Removed root-modules/admin/*’s awkward dependency on finding GOBIN in the environment. The generated Makefile in each root module remains, however.
Upgrade to and pin Terraform 0.13.6 and the Terraform AWS provider 3.26.0.
substrate-assume-role and substrate-credentials now (better) tolerate being invoked from subdirectories of your Substrate repository.
Fix a bug in Terraform module generation in which the aws.network provider was incorrectly added to global modules and thus should have been expected in module stanzas.
Stop printing the export AWS_ACCESS_KEY_ID=... line when substrate-assume-role is given a command to execute directly.
Provide the Intranet’s REST API ID, root resource ID, and a few other necessities as outputs from the intranet/regional module to facilitate adding more resources to these APIs.

You must upgrade to Terraform 0.13.6 in order to use Substrate 2021.02. Terraform 0.13.6 may be found here:

2021.01

You must run substrate-create-admin-account for each of your admin accounts before you’ll be able to use eval $(substrate-credentials) to streamline your use of the Credential Factory.

2020.12

You must run substrate-bootstrap-management-account in order to re-tag your former master account as your management account. (This rename follows AWS’ own renaming.)

2020.11 and prior releases

Contact hello@src-bin.com for prior release notes.