release v0.5.0 from PR #843

release v0.5.0 from PR #843

.github/workflows/ci-cmd-line.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java-version: [ '11', '17', '21']
+        java-version: [ '17', '21']
     name: bundle ${{ matrix.implementation }}
     steps:
       - name: Check out code

.github/workflows/ci-java-all.yaml

@@ -13,30 +13,21 @@ on:
       - 'rc-*'
 
 jobs:
-  # Java 11 - Oracle support ended 30 Sept 2023 ... but still what ships with GCP cloud shell!!!
-  ci_java11:
-    uses: ./.github/workflows/build-java.yaml
-    with:
-      java-version: '11'
 
   # Java 17 - supported until 30 Sept 2026; same as our default build as of Apr 2023
   ci_java17:
     uses: ./.github/workflows/build-java.yaml
     with:
       java-version: '17'
 
-  # Java 20 - support ended 19 Sept 2023
-  # NOTE: psoxy versions 0.4.40 supported this; if you need it, option to downgrade to that.
-  # although beyond me why 17 and 21 both work, but 20 doesn't; best guess is Mockito 5 degrading
-  # behavior in some way for 20 that isn't needed for 21 and doesn't matter for 17?
-
-  ci_java20:
-    uses: ./.github/workflows/build-java.yaml
-    with:
-      java-version: '20'
-
   # Java 21 - released 19 Sept 2023, supported until Sept 2028 (LTS)
   ci_java21:
     uses: ./.github/workflows/build-java.yaml
     with:
       java-version: '21'
+
+  # Java 23 - released 17 Sept 2024, supported until March 2025
+  ci_java23:
+    uses: ./.github/workflows/build-java.yaml
+    with:
+      java-version: '23'

.github/workflows/ci-java8-core.yaml → .github/workflows/ci-java17-core.yaml

@@ -1,6 +1,8 @@
-name: CI - java8 core
+name: CI - java17 core
 
-# CI to build and test project components for which we need java8 builds
+# NOTE: as of Dec 2024, regulard build is ALSO java17, so not useful - but let's keep around bc possibly Worklytics will use 17 beyond when that's the proxy default
+
+# CI to build and test project components for which we need java17 builds
 # NOTE: this is ONLY core/gateway-core libraries; we don't build the executable/deployment bundles
 #      (eg, this does not build, cmd-line,aws, gcp)
 #
@@ -15,9 +17,9 @@ on:
 #      - '**' # should match all branches
 
 jobs:
-  ci_java8_core:
+  ci_java17_core:
     env:
-      compile-profile: '-P java8 ' # NOTE: trailing space is important
+      # compile-profile: '-P java17 ' # NOTE: trailing space is important
       java-version: '17' # build w java 17, but pom configured to still build java 8 byte code
     runs-on: ubuntu-latest
     steps:

.github/workflows/ci-terraform-examples-release.yaml

@@ -14,14 +14,10 @@ jobs:
     strategy:
       matrix:
         example_path: [
-          'examples/aws-google-workspace',
-          'examples/aws-msft-365',
           'examples/gcp-bootstrap-cft',
           'examples/gcp-bootstrap-simple',
-          'examples/gcp-google-workspace',
-          'examples/msft-365'
         ]
-        terraform_version: [ '~1.3.0', '~1.4.0', '~1.5.0', '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', 'latest' ]
+        terraform_version: [ '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', '~1.10.0', 'latest' ]
     uses: ./.github/workflows/ci-terraform-example.yaml
     with:
       terraform_version: ${{ matrix.terraform_version }}

.github/workflows/ci-terraform-examples.yaml

@@ -13,13 +13,9 @@ jobs:
       matrix:
         example_path: [
                         'examples-dev/aws',
-                        'examples-dev/aws-all',
-                        'examples-dev/aws-google-workspace',
-                        'examples-dev/aws-msft-365',
                         'examples-dev/gcp',
-                        'examples-dev/gcp-google-workspace',
         ]
-        terraform_version: [ '~1.3.0', '~1.4.0', '~1.5.0', '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', 'latest' ]
+        terraform_version: [ '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', '~1.10.0', 'latest' ]
     uses: ./.github/workflows/ci-terraform-example.yaml
     with:
       terraform_version: ${{ matrix.terraform_version }}

.github/workflows/ci-terraform-modules.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform_version: [ '~1.3.0', '~1.4.0', '~1.5.0', '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', 'latest' ]
+        terraform_version: [ '~1.6.0', '~1.7.0', '~1.8.0', '~1.9.0', '~1.10.0', 'latest' ]
     steps:
       - name: Check out code
         uses: actions/checkout@v4
@@ -26,10 +26,3 @@ jobs:
         run: |
           terraform init -reconfigure
           terraform validate
-
-      - name: "Terraform - validate modules/worklytics-ip-blocks"
-        working-directory: infra/modules/worklytics-ip-blocks
-        run: |
-          terraform init -reconfigure
-          terraform validate
-          terraform apply --auto-approve

.github/workflows/ci-tools.yaml

@@ -14,7 +14,7 @@ jobs:
         # 16 is min version recommended to users; but unmaintained since 2023-10
         # 18 released 2022-04-19 - maintained until June 2025
         # 20 maintained until June 2026
-        # 21 released Oct 2023; superceded in May 2024
+        # 21 released Oct 2023; superseded in May 2024
         # latest is the 22 as of May 2024; 23 coming in Oct 2024
         node-version: [ 18, 20, 21, latest]
     steps:

.github/workflows/codeql.yml

@@ -0,0 +1,91 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+    push:
+        branches: [ "main", "rc-*" ]
+    pull_request:
+        branches: [ "main", "rc-*" ]
+    schedule:
+        - cron: '25 4 * * 5'
+
+jobs:
+    analyze:
+        name: Analyze (${{ matrix.language }})
+        # Runner size impacts CodeQL analysis time. To learn more, please see:
+        #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+        #   - https://gh.io/supported-runners-and-hardware-resources
+        #   - https://gh.io/using-larger-runners (GitHub.com only)
+        # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+        runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+        permissions:
+            # required for all workflows
+            security-events: write
+
+            # required to fetch internal or private CodeQL packs
+            packages: read
+
+            # only required for workflows in private repositories
+            actions: read
+            contents: read
+
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    - language: java-kotlin
+                      build-mode: none # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too.
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v4
+
+            -   name: Setup Java
+                uses: actions/setup-java@v4
+                with:
+                    java-version: 17
+                    distribution: zulu
+            # Initializes the CodeQL tools for scanning.
+            - name: Initialize CodeQL
+              uses: github/codeql-action/init@v3
+              with:
+                  languages: ${{ matrix.language }}
+                  build-mode: ${{ matrix.build-mode }}
+                  # If you wish to specify custom queries, you can do so here or in a config file.
+                  # By default, queries listed here will override any specified in a config file.
+                  # Prefix the list here with "+" to use these queries and those in the config file.
+
+                  # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+                  # queries: security-extended,security-and-quality
+
+            -
+
+            # If the analyze step fails for one of the languages you are analyzing with
+            # "We were unable to automatically build your code", modify the matrix above
+            # to set the build mode to "manual" for that language. Then modify this step
+            # to build your code.
+            # ℹ️ Command-line programs to run using the OS shell.
+            # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+            - if: matrix.build-mode == 'manual'
+              shell: bash
+              run: |
+                  echo 'If you are using a "manual" build mode for one or more of the' \
+                    'languages you are analyzing, replace this with the commands to build' \
+                    'your code, for example:'
+                  echo '  make bootstrap'
+                  echo '  make release'
+                  exit 1
+
+            - name: Perform CodeQL Analysis
+              uses: github/codeql-action/analyze@v3
+              with:
+                  category: "/language:${{matrix.language}}"

.github/workflows/publish-examples.yaml

@@ -16,13 +16,13 @@ jobs:
     uses: ./.github/workflows/publish-example.yaml
     with:
       example-repo: 'Worklytics/psoxy-example-aws'
-      example-to-copy: 'infra/examples-dev/aws-all'
+      example-to-copy: 'infra/examples-dev/aws'
       example-repo-token: ${{ secrets.PSOXY_EXAMPLE_AWS_TOKEN }}
       release: ${{ inputs.release }}
   publish-example-gcp:
     uses: ./.github/workflows/publish-example.yaml
     with:
       example-repo: 'Worklytics/psoxy-example-gcp'
-      example-to-copy: 'infra/examples-dev/gcp-all'
+      example-to-copy: 'infra/examples-dev/gcp'
       example-repo-token: ${{ secrets.PSOXY_EXAMPLE_GCP_TOKEN }}
       release: ${{ inputs.release }}

.github/workflows/require-merge-via-rc.yaml

@@ -0,0 +1,21 @@
+name: "require PRs to be merged via 'rc-*' branches"
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+
+jobs:
+  check-branch-name:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check that PR's base branch is an 'rc-' branch, unless the head branch is an 'rc-' branch
+        run: |
+          BASE_BRANCH="${{ github.event.pull_request.base.ref }}"
+          HEAD_BRANCH="${{ github.event.pull_request.head.ref }}"
+
+          # Check if base branch starts with 'rc-'
+          if [[ "$BASE_BRANCH" != rc-* && "$HEAD_BRANCH" != rc-* ]]; then
+            echo "Error: The base branch '$BASE_BRANCH' is not an 'rc-' branch; and the head branch '$HEAD_BRANCH' is not an 'rc-' branch."
+            exit 1
+          fi

.github/workflows/terraform-sec-analysis-examples.yaml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         example_path: [
-          'examples-dev/aws-all',
+          'examples-dev/aws',
           'examples-dev/gcp',
         ]
     uses: ./.github/workflows/terraform-sec-analysis.yaml

CHANGELOG.md

@@ -7,6 +7,25 @@ Changes to be including in future/planned release notes will be added here.
 
 ## Next
 
+## [0.5.0](https://github.com/Worklytics/psoxy/release/tag/v0.5.0)
+
+BREAKING:
+  - minimum `azuread` provider version is generally 2.44; if you're using an older version, you'll need to
+    upgrade (`terraform init --upgrade`); a state refresh (`terraform refresh`) may help if it complains about unknown attributes
+    present in your state
+   - `azuread-local-cert` module variables have changed; you must now pass `application_id` instead
+    of `application_object_id`; these refer to different values you can obtain via the [Microsoft Entra admin center](https://entra.microsoft.com/#home)
+    portal (formally Azure AD portal blade)
+  - variables to `aws-host`/`gcp-host` modules to have changed slightly; if you initially copied an
+    example based on 0.4.x, you may have to update some variable names in your `main.tf`.
+  - minimum `google` provider version is now 5.0; this applies whether you're using GCP-hosted proxy, or merely Google Workspace as a
+    data source
+  - various migrations applicable to 0.4.x have been removed; if upgrading from 0.4.x, make sure you first upgrade to latest version of 0.4.x (eg, 0.4.61), run
+    `terraform apply`, and THEN update to 0.5.x
+  - the v0.3 pseudonymization algorithm is no longer supported; attempting to do so should result in an error
+  - `scope` field will no longer be sent with JSON-encoded pseudonyms.
+  - minimum java version in now 17; java 11 no longer supported (as it's a deprecated runtime in GCP; and Oracle support has ended)
+
 ## [0.4.61](https://github.com/Worklytics/psoxy/release/tag/v0.4.61)
  - added some `columnsToPseudonymizeIfPresent` to survey bulk connectors; these are to avoid PII
    being sent to Worklytics if these unexpected columns sent, but without errors in usual case, when
@@ -18,7 +37,6 @@ Changes to be including in future/planned release notes will be added here.
  - MSFT Teams: Support for listing callRecords
 
 ## [0.4.58](https://github.com/Worklytics/psoxy/release/tag/v0.4.58)
- - Including rules for Slack Huddles through *Rooms* as part of conversation history endpoint
  - Rules for Outlook Calendar, Outlook Mail and Teams have been updated for *no app id* and *no group id* cases
    to avoid supporting requests with plain user GUIDs instead of pseudonymized.
  - Slack: Including rules for Slack Huddles through *Rooms* as part of conversation history endpoint

docs/README.md

@@ -212,16 +212,15 @@ command line tools.
 
 You will need all the following in your deployment environment (eg, your laptop):
 
-| Tool                                            | Version                | Test Command          |
-|-------------------------------------------------|------------------------|-----------------------|
-| [git](https://git-scm.com/)                     | 2.17+                  | `git --version`       |
-| [Maven](https://maven.apache.org/)              | 3.6+                   | `mvn -v`              |
-| [Java JDK 11+](https://openjdk.org/install/) | 11, 17, 21 (see notes) | `mvn -v \| grep Java` |
-| [Terraform](https://www.terraform.io/)          | 1.3+, <= 1.9           | `terraform version`   |
+| Tool                                            | Version               | Test Command          |
+|-------------------------------------------------|-----------------------|-----------------------|
+| [git](https://git-scm.com/)                     | 2.17+                 | `git --version`       |
+| [Maven](https://maven.apache.org/)              | 3.6+                  | `mvn -v`              |
+| [Java JDK 11+](https://openjdk.org/install/) | 17, 21 (see notes) | `mvn -v \| grep Java` |
+| [Terraform](https://www.terraform.io/)          | 1.6+, < 2.0           | `terraform version`   |
 
 NOTE: we will support Java versions for duration of official support windows, in particular the
-LTS versions. As of Nov 2023, we  still support java 11 but may end this at any time. Minor
-versions, such as 12-16, and 18-20, which are out of official support, may work but are not
+LTS versions. Minor versions, such as 18-20, which are out of official support, may work but are not
 routinely tested.
 
 NOTE: Using `terraform` is not strictly necessary, but it is the only supported method. You may
@@ -230,8 +229,6 @@ tool, but we don't offer documentation or support in doing so.  Adapting one of
 [terraform examples](https://github.com/Worklytics/psoxy/tree/main/infra/examples) or writing your own config that re-uses our
 [modules](https://github.com/Worklytics/psoxy/tree/main/infra/modules) will simplify things greatly.
 
-NOTE: Refrain to use Terraform versions 1.4.x that are < v1.4.3. We've seen bugs.
-
 NOTE: from v0.4.59, we've relaxed Terraform version constraint on our modules to allow up to 1.9.x.
 However, we are not officially supporting this, as we strive to maintain compatibility with both
 OpenTofu and Terraform.

docs/SUMMARY.md

@@ -1,6 +1,6 @@
 # Table of contents
 
-* [PSOXY](README.md)
+* [Worklytics Pseudonymizing Proxy](README.md)
 * [Overview](overview.md)
   * [Authentication](authentication-authorization.md)
 * [Install Prerequisites](prereqs-ubuntu.md)

docs/aws/encryption-keys.md

@@ -18,7 +18,7 @@ be set as the encryption key for these resources. A few caveats:
 - CloudWatch must be able to use the key, as described in
   [AWS CloudWatch docs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)
 
-In `example-dev/aws-all/kms-cmek.tf`, we provide a bunch of lines that you can uncomment to use
+In `example-dev/aws/kms-cmek.tf`, we provide a bunch of lines that you can uncomment to use
 encryption on S3 and properly set key policy to support S3/CloudWatch use.
 
 For production use, you should adapt the key policy to your environment and scope as needed to