| title | aliases | |
|---|---|---|
Template Changelog |
|
All meaningful changes to templates are documented in this file.
- Update the default database engine version to
13.8. - Engine versions
14,15and16are now supported.
- Updated the default
node_exporterversion to1.7.0. - Updated the default
postgres_exporterversion to1.5.0. - Extension version
2.13.1is now supported. - Engine version
16is now supported, but note that this requires an extension version of at least2.13.1. - The default extension version is now
2.10.1. - The default engine version is now
15.
- Updated the default
node_exporterversion to1.7.0.
- Add Network Operations Center Grafana WebSocket paths support.
- Add OAuth server and Account app rate limiting.
- Add Azure IoT Hub and Central rate limiting overrides.
- Add new optional template for AWD SQS.
- Add Console events paths.
- Add Console events request rate limiting.
- The
r7gfamily of machines is now available for hosting.
- Add
EventsBatchingEnabled,EventsBatchingTargetSize,EventsBatchingDelayparameters. - Add correlation IDs ignored methods to the gRPC server configuration.
- Add Identity Server NS-ID configuration.
- The default NOC Grafana image has been updated to
ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.27.2. This upgrades Grafana to version 10.1.0 and disables the news feed.
- The instance initialization scripts now automatically terminates the instance if the initialization fails.
- Added the
CollaboratorRightsSetOthersAsContactsparameter.
- The default number of desired instances for the Gateway Configuration Server, Network Operations Center and Network Operations Center Grafana services has been increased to 2. We recommend that production deployments consider deploying extra replicas in order to ensure high availability.
- Add
GOGCValueparameter which controls the Go garbage collector target. Sets theGOGCenvironment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.
- Add
GOGCValueparameter which controls the Go garbage collector target. Sets theGOGCenvironment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.
- Add
GOGCValueparameter which controls the Go garbage collector target. Sets theGOGCenvironment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.
- Grafana alerting is now disabled by default, as it is not usable in the current setup.
- Add
GOGCValueparameter which controls the Go garbage collector target. Sets theGOGCenvironment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.
- This release adds support for large (8 and 16 vCPU) task sizes. These large tasks are supported by AWS Fargate. Please note that due to limitations to the EC2 launch type, the 16 vCPU tasks may not be used with the EC2 launch type.
- Add support for 8 and 16 vCPUs tasks.
- Add support for 8 and 16 vCPUs tasks.
- Add support for 8 and 16 vCPUs tasks.
- Add support for 8 and 16 vCPUs tasks.
- Add support for 8 and 16 vCPUs tasks.
- Add support for 8 and 16 vCPUs tasks.
- The UDP Gateway Server service has been removed. Historically this service has been used in order to work around various limitations that AWS Network Load Balancer had with UDP traffic. The service is problematic as it runs as a daemon service on each available ECS host machine, and does not support rolling updates. As the support for UDP traffic has improved in the AWS Network Load Balancer, we have decided to remove this service and have UDP traffic be served by the replica Gateway Server service.
- As this version upgrade removes certain resources, the standard upgrade procedure which follows the template numbering order cannot be followed directly.
- The configuration of the
5-4-ecs-servicestemplate needs to be updated such that theEnableUDPGSRateLimitingandIncludeUDPGatewayServerparameters are set tofalse. The template does not have to be updated yet, only the configuration. This will remove the UDP Gateway Server service instances. - The standard upgrade procedure can commence after the template has been upgraded.
- While upgrading the
5-4-ecs-servicestemplate, consider increasing the number of tasks, or allocated resources, for the Gateway Server service.
- UDP Gateway Server references have been removed.
- The UDP target group target type has been changed from
instancetoip.
- The UDP Gateway Server rate limiting configuration has been marked as deprecated. The configuration will be removed in a future version.
- Add NOC rate limiting configuration.
- The UDP Gateway Server service has been removed. The UDP traffic will now be served by the existing Gateway Server service.
- The default NOC Grafana image has been updated to
ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.26.0. - Add NOC rate limiting.
- UDP Gateway Server references have been removed.
- Upgraded to Envoy 1.26.0.
- Updated the default
node_exporterversion to 1.5.0. - Replica updates now always maintain at least one instance during the upgrade.
- Postgres custom settings are now re-created on every master instance provisioning.
- Updated the default
node_exporterversion to 1.5.0.
- Prometheus has been upgraded to version 2.43.0.
- Added
PluginsConfigBucket.
- The Network Operations Center routes now have a 30 second timeout.
- The Basic Station and Tabs Hubs target groups now have a deregistration delay of zero.
- Service deployment configuration
MinimumHealthyPercentis now applied only to EC2 services.
- Service deployment configuration
MinimumHealthyPercentis now applied only to EC2 services.
- Service deployment configuration
MinimumHealthyPercentis now applied only to EC2 services.
- Grafana
gzipencoding is now enabled. - Service deployment configuration
MinimumHealthyPercentis now applied only to EC2 services. - The default NOC Grafana image has been updated to
ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.25.1.
- Service deployment configuration
MinimumHealthyPercentis now applied only to EC2 services.
- The NOC API is now exposed by the proxy.
- Added TimescaleDB 2.10.1 support.
- The
r4gfamily of machines is now available for hosting.
- Added the NOC API paths.
- Added
RestrictAdminManagedFieldUpdatesparameter.
- AWS Graviton instances can now be used as bastion hosts.
- Added TimescaleDB 2.10.0 support.
- Added
RedisConnectionPoolMaxLifetimeparameter.
- Added support for Postgres engine version 15 and TimescaleDB 2.9.3.
- Added
KeyVaultCacheSize,KeyVaultCacheTTL,KeyVaultCacheErrorTTLparameters.
- Support for TLS mutual authentication terminated by The Things Stack has been removed. TLS authentication is now only terminated by the Network Load Balancer or Envoy Proxy.
- Support for LoRaWAN® Backend Interfaces interoperability with the Join Server has been removed.
- Crypto Server deployment has been removed.
- As this version upgrade removes certain resources, the standard upgrade procedure which follows the template numbering order cannot be followed directly.
- The
5-7a-certs-letemplate needs to be upgraded first. - The
5-3a-ecs-is-servicetemplate needs to be upgraded next, and haveInteropEnabledset todisabled. The value may be enabled again after every other template has been upgraded. - The standard upgrade procedure can commence after these two templates have been upgraded.
- Changed
InteropEnabledto a boolean since TLS mutual authentication is no longer terminated by The Things Stack.- If you were using
server-authenticationormutual-authentication, selecttrue; - If you were using
disabled, selectfalse.
- If you were using
- Removed
InteropTLSSecretand outputInteropTLSSecretID.
- Removed
InteropEnabledparameter. - Removed
CryptoServerDNSNameparameter. - Added
CertificateAuthorityARNparameter.
- Added
UseCertificateAuthorityARNparameter.
- Changed
InteropEnabledISto a boolean since TLS mutual authentication is no longer terminated by The Things Stack.- If you were using
server-authenticationormutual-authentication, selecttrue; - If you were using
disabled, selectfalse.
- If you were using
- Added
UseCertificateAuthorityARNparameter.
- Added
UseCertificateAuthorityARNparameter.
- Removed
InteropEnabledJSparameter. - Added
UseCertificateAuthorityARNparameter.
- Removed configuration for storing certificates for interoperability.
- This template has been removed and can be undeployed.
- The volumes used by the bastion hosts now use
gp3volumes.
- The volumes used by the TimescaleDB hosts now use
gp3volumes.
- UDP target groups now automatically kill active flows to deregistered targets. This enables the replacement of the ECS EC2 machines without having the UDP traffic blackhole in the NLB.
- Add configuration option for
HomeNSIDfor the DCS config object.
- The volumes used by the EC2 machines used by ECS now use
gp3volumes. Note that this will not apply retroactively to existing instances.
- Prometheus has been upgraded to version 2.40.5.
- Thanos default image has been upgraded to version 0.29.0.
- Fix RDS PostgreSQL 13 and 14 support for new deployments.
- The volumes used by the EC2 machine and by the RDS database are now
gp3volumes. - Fix Network Operation Center initialization for new deployments.
- Upgraded to Envoy 1.24.1.
For mTLS termination, check the upgrading guide at https://thethingsindustries.com/docs/the-things-stack/host/aws/ecs/mutual-tls/.
- The local Redis client has been upgraded to version
6.xfrom4.0.
- Support storing TLS credentials in AWS Secrets Manager.
- Create S3 buckets to store CA certificates.
- Update rules to terminate TLS in Envoy (if
SupportProxyTLSis enabled).
- Add new secret to store server TLS credentials.
- Add new KeyVault IDs for Gateway Tokens.
- Add Configuration options for Gateway Tokens.
- Add
/to the ignored logging HTTP request paths. - The default values of
PubSubProviderMQTTandPubSubProviderNATSare changed todisabled.
- Add options to use Gateway Tokens.
- Add Device Repository peer settings to Device Claiming Server.
- Add options to support mTLS termination.
- Store server TLS credentials in AWS Secrets Manager if
SupportProxyTLSis enabled.
- Support mTLS cert forwarding and hot reloading certificates.
- Add two new parameters:
DBEngineVersion, which controls the PostgreSQL engine major version, andDBTimescaleDBExtensionVersion, which controls the TimescaleDB extension version.- By default,
DBEngineVersionis12, andDBTimescaleDBExtensionVersionis2.7.0. - Major upgrades require manual migration via
pg_upgrade.
- By default,
Add versioning to S3 buckets. Versioning is enabled by default.
- The
pkg/networkserver:duplicate_uplinkandpkg/networkserver:device_not_founderrors of the/ttn.lorawan.v3.GsNs/HandleUplinkRPC are now ignored.
- Clusters are now marked as
MultiAZEnabledenabled when theRedisMultiAZparameter is enabled.- Previously the
RedisMultiAZparameter would control theAutomaticFailoverEnabledattribute only, but now it impliesMultiAZEnabledas well.
- Previously the
- The
t4gfamily of machines is now available for hosting, and the default machine size has been promoted tocache.m6g.large.
- The
t4gfamily of machines is now available for hosting, and the default machine size has been promoted todb.t4g.medium.
- Updated the default
node_exporterversion to 1.4.0.
- Add Console
dtctarget address.
- Updated the default
node_exporterversion to 1.4.0.
- The
t4gfamily of machines is now available for ElastiCache, and the default machine size has been promoted tocache.t4g.small. - The
t4gfamily of machines is now available for RDS, and the default machine size has been promoted todb.t4g.small. - Add Console
dtctarget address.
- Added new
EntityLimitsparameters.
- Fixed the connection of the Device Claiming Server to the QR Code Generator.
- The
node_exporteralerts now contain the instance ID and instance name.
- The
node_exportermetrics are now tagged with the EC2 instance ID and instance name.
- Increased backup and redeployment timeout
- Added new parameters
EventsRedisPublishQueueSize,EventsRedisPublishMaxWorkers,PacketBrokerHomeNetworkWorkerCountLimit,PacketBrokerForwarderWorkerCountLimit
- Added alerts for TimescaleDB running out of storage
- Added new parameters
TLSCertificate,TLSCertificateCA,TLSCertificateKey
- Added Notification Service routes.
- Added account invitations routes.
- Added a hosted zone for internal use
- Added new parameter
NumReplicas - Added new parameter
DeploymentName - Before updating this template, please remove non-default records from the
${NetworkName}.${Environment}.${Cluster}.db.as.localhosted zone and turn off the Application Server Storage Integration
- Added new parameters
IncludeNOC,NOCGrafanaAdminPassword,NOCOAuthClientIDValue,NOCOAuthClientSecretValue
- Added new parameters
ConsoleURLForNOC,IncludeNetworkOperationsCenter,NOCMaxIdleConnections,NOCMaxOpenConnections,NOCRawDataRetention,NOCTargetInsertBatchSize,NOCTargetInsertBatchWindow - Added
is.email.assets-base-urlandis.email.branding-base-url. These options are set to the values of the existing parameters.
- Added new parameters
IncludeNetworkOperationsCenter,NOCTimescaleDBDeploymentName,ApplicationServerStorageTimescaleDBDeploymentName,ApplicationServerStorageReplicaEnabled
- Added new parameter
ApplicationServerStorageTimescaleDBDeploymentName,ApplicationServerStorageReplicaEnabled - Added new parameters
IncludeNetworkOperationsCenter,NOCTimescaleDBDeploymentName,NetworkOperationsCenter*,NetworkOperationsCenterGrafana*
- Added new parameter
IncludeNetworkOperationsCenter
- Added new parameter
IncludeNetworkOperationsCenter
- Added new parameter
ConsoleStatusPageBaseURL - Added new parameter
UserRightsUpdatePrimaryEmailAddress - Added new parameter
UserRightsUpdateName - Added the
RedisConnectionPoolSizeandRedisConnectionPoolIdleTimeoutparameters to control the Redis connection pool of each component - Added new parameter
ClusterIDAddressTemplate. For single-cluster deployments this should be equal toDomain
- Added the
ttn_lw_workerpootl_queue_latency_seconds_bucket_rate:by_poolaggregation, which aggregates the time spent by items in the worker pool queues
- It is now allowed to specify your own database password, instead of using the autogenerated one. This is done via the
AuroraPasswordparameter. If you're upgrading from a previous version, keep this parameter empty in order to keep your old, autogenerated password
- Added new bucket for DCS configuration files. Create a
config.ymlfile at the root of this bucket. This can be left empty if claiming via an external Join Server is not necessary.
- Add new config items for the DCS service.
- Add policy and environment for the DCS service.
- Redis upgraded to version 6.2
- Connect to the RDS database using TLS
- The database now expects TLS connections
- Added support for Aurora Postgres 12 and 13
- Added support for Aurora Postgres 12 and 13
- Upgraded Redis to version 6.2
- Added the
WebhooksUnhealthyAttemptsThresholdandWebhooksUnhealthyRetryIntervalparameters. - Added the
DatabaseMaxIdleConnsandDatabaseMaxOpenConnsto control the database connection pool of the Identity Server.
- Fixed rate limiting keys of AS RPCs.
- New export that is required by other stacks
- Fixed an issue where The Things Stack wouldn't connect to Redis when using password
- Increased CPU/Memory used by the ops task
- Fixed an issue where The Things Stack wouldn't connect to Redis when using password
- Updated IAM role
- Added missing
ExternalIdentityServerparameter
- Fixed an issue where The Things Stack wouldn't connect to Redis when using password
- Updated IAM role
- Fixed an issue where The Things Stack wouldn't connect to Redis when using password
- Updated IAM role
- Updated IAM role
- Updated IAM role
- Templates that define ECS services now got the
*RuntimePlatformparameter. This parameter can be used to run ARM64 images using AWS Graviton2. Depending on particular use case, performance might be better or worse.
- Machine now supports connection from AWS Session Manager. Added parameter
SessionManagerLogGroup
- Machine now supports connection from AWS Session Manager. Added parameter
SessionManagerLogGroup
- Machines now support connection from AWS Session Manager. Added parameter
SessionManagerLogGroup. You need to manually update the SSM Agent usingyum update amazon-ssm-agent
- Added parameters
EnableTLSListenersandEnableNonTLSListeners
- Fixed
RedisMultiAZSupport. Previously the parameter was always read asfalse. Before update please read the description of the newRedisSnapshottingClusterIDparameter.
- The
InteropEnabledparameter has different values. Deployments that used valuefalseshould now choosedisabled. Deployments that used valuetrueshould now choosemutual-authentication.server-only-authenticationis a new option, please refer to documentation: https://www.thethingsindustries.com/docs/the-things-stack/host/aws/ecs/interop/
InteropEnabledparameter renamed toInteropEnabledIS. Deployments that used valueidentity-servershould now choosemutual-authentication, otherwisedisable.
InteropEnabledparameter renamed toInteropEnabledJS. Deployments that used valuejoin-servershould now choosemutual-authentication, otherwisedisable.
- Added the
CidrBlockparameter to specify the CIDR block used by the VPC
-
All templates now have an output
VersionTag, which contains template version. Normally, CloudFormation rejects updates that don't contain changes to Resources and Outputs, but contain changes to Parameters. Having this allows CloudFormation to accept all updates, even if changes are only in the Parameters section. It is important to keep stacks up to date. -
Added ARM-based RDS and ElastiCache instance types.
- Added missing
db.r5instances.
- Added
RedisKMSKeyIDparameter to specify key for at-rest encryption. Non-empty value forces replacement
- ECS Container Insights may now be enabled using the
ContainerInsightsparameter
- Removed
RedisPrimary*andRedisReplica*parameters in theAlertinggroup, addedRedis*parameters instead
- Added
RedisKmsKeyIdandRedisPasswordparameters for at-rest and in-transit encryption
- Added recording rules for tenant fetcher metrics
- Added recording rules for Application Server metadata store and caches
- Updated UserData to handle TLS connection to redis
- Added
RedisTLSparameter
- Added new
EnableNonTLSListenersparameter
- Added
GeneralRedisTLS,CacheRedisTLS,EventsRedisTLSparameters
- Added
GeneralRedisTLS,CacheRedisTLS,EventsRedisTLSparameters
- Added
GeneralRedisTLS,CacheRedisTLS,EventsRedisTLSparameters
- Added
GeneralRedisTLS,CacheRedisTLS,EventsRedisTLSparameters
- Added the
ProbeHTTPparameter
- Fixed routing of authentication providers and external users API.
- Updated
Strict-Transport-Securityheader, increasing max-age to 2 years, including subdomains and enabling pre-loading. - Added custom static and error responses.
- Added recording rules for gRPC server/client stream messages sent/received.
- Added new parameter
PeerRequesterAccountId. Use empty value if you're not deploying external CryptoServer
- Added new
SSLPolicyparameter - Added new parameter
InteropEnabled
- Added new resource
InteropTLSSecret. This resource is a placeholder for certbot to upload TLS certificates
- Added the
ForwardOnlyOwnedDevAddrsparameter - Added the
InteropEnabled,InteropPacketBrokerEnabled,InteropPacketBrokerTokenIssuerandCryptoServerDNSNameparameters. - Added the
PacketBrokerMapperparameter
- Added the
InteropEnabledparameter
- Added the
InteropEnabledparameter
- Now certbot will upload the TLS certificate to AWS Secrets Manager
- New template. Deploy only if you use external CryptoServer
- New template for CryptoServer
- Added metrics for the number of currently running subscription sets, and for subscription set publishing rates.
- Added metrics for the number dropped gateway status messages.
- Added metrics for the number of receive/forwarded/dropped gateway transmission acknowledgements.
- Added the
UDPConnectionExpiresandUDPConnectionErrorExpiresparameters, which control the UDP gateway connection (error) timeouts. - Added the
ExperimentalFeaturesparameter, which can be used to enable experimental features of The Things Stack. - Added the
UserCredentialsLoginDisabledparameter, which disables user login with credentials, so that The Things Stack only lets users login with an external OpenID Connect provider. - Removed the
PacketBrokerClusterIDparameter. NowDomainis used instead
- Fixed routing of "related events" API.
- Added
EBSKmsKeyIdparameter to choose EBS boot volume encryption key. From now on, EBS boot volumes are encrypted.
- Created a hosted zone for internal use
- This template has been reworked so that updates are now possible. Before updating make a backup of the volume. For more information, please refer to the documentation at https://www.thethingsindustries.com/docs/the-things-stack/host/aws/ecs/updating/#2-5-db-timescale
- Added
EBSKmsKeyIdparameter to choose EBS volume encryption key. From now on, EBS volumes are encrypted. Previously only data volume would be encrypted using the default key. Encrypting boot drive does not significantly increase security, and is mainly targeted towards compliance with regulations. If you wish to encrypt your boot drive, please:- Change the
ApplicationServerStorageEnabledparameter in5-2-ocs-opsand5-4-ecs-servicestofalse. - Create a snapshot of the TimescaleDB EBS volume.
- Download your existing
2-5-db-timescalestack template, remove theInstance,StorageVolume,StorageVolumeLifecyclePolicyandVolumeLifecycleRoleresources along with theOutputssection. Update the stack, the change set should remove these resources. - Update the
2-5-db-timescalestack with new template to create the EC2 instance and volume again. Do not forget to specify EBS volume snapshot. - Change the
ApplicationServerStorageEnabledparameter in5-2-ocs-opsand5-4-ecs-servicesback totrue. - For more complex use cases, like changing encryption key, refer to AWS documentation.
- Change the
- Added
ISSupportLinkparameter - Added
UplinkTasksNumConsumersandDownlinkTasksNumConsumersparameters to the Network Server tasks, which allow the number of task consumers to be configured. - Added
SkipVersionCheckparameter to omit version checks NetworkServerClusterIDhas been renamed toClusterID, as now it's a parameter accessed by all services. Make sure you enter the old value.
- Added a new template for resource limiting
- This template now imports TimescaleDB address in a different way.
- This template now imports TimescaleDB address in a different way.
- Added recording rules for Gateway Server transmission success / failure
- Added recording rules for Application Server worker pools, webhooks and application packages
- Allowed any string matching the
((10)|(11))\.\d+regex as Aurora version so that RDS with up-to-date minor version can be deployed.
- Headers with underscores are now dropped, instead of rejecting the whole request.
- Upgraded to v2.29.2.
- Added
IncludeSemtechRJSConfigurationparameter to include/exclude Semtech RJS configuration. This is a bugfix, as previous version failed to deploy when Semtech RJS secrets weren't available.
- Fixed generated
is-proxyconfiguration. - Allow more concurrent requests (mostly event streams) to the Console.
- Added recording rule for JavaScript payload formatters latency metric.
Certain templates have different default values for machine types/memory/CPU in order to better reflect a typical deployment. These changes have no impact on functionalities, and do not affect existing users.
- Allowed encryption of the Aurora database. In order to encrypt existing database:
- Remove the
5-3a-ecs-is-service,5-2-ecs-opsand2-2-db-aurora-replica(NOTmaster) stacks. - Create a snapshot of the database for backup purposes.
- Log into the bastion, and perform an SQL dump of the database. Refer to the
/usr/bin/db-rocommand, which is a bash script, for help how to connect to the database. - Update the
2-1-db-aurora-mastertemplate to include encryption. Do NOT specify the snapshot, as then the encryption parameter will be ignored. - Log into the bastion, and restore the SQL dump.
- Recreate the
2-2-db-aurora-replica,5-2-ecs-opsand5-3a-ecs-is-servicestacks as needed.
- Remove the
- Added alternative certificates support for all TLS listeners.
- Changed log format to JSON.
- Added
NetworkServerClusterIDwhich identifies cluster in the Network Server for informative purposes. Suggested value the same asPacketBrokerClusterID. - Updated
ttnv2config. This change is not backwards compatible. This needs to be deployed before updating GS services tov3.14or higher. - Add
DevEUIBlockEnabledandDevEUIBlockApplicationLimitto Console configuration. - Add
ApplicationPackagesWorkerCountandApplicationPackagesWorkerCountto the Application Server configuration.
- Make execution and task policies conditional. This is compatible with existing deployments.
- Better control on what services Prometheus should expect to find, and what shouldn't. This change is mainly targeted to non-standard deployments. Added
Include*parameters which tell whether given component should be expected. Please note that by default bothIncludeIdentityServerandIncludeIdentityServerProxyaretrue, while actually it's one of these that is used.
- Added option to skip automatically fetching wildcard certificates for the sub domain.
- Added option to skip automatically fetching wildcard certificates for the sub domain.
- Upgraded image to Prometheus v2.28.1.
- Added discovery of Gateway Configuration Server and Device Claiming Server.
- Upgraded image to Envoy v1.19.0.
- Change log format to JSON.
- Add keep-alive with HTTP/2 PING.
- Add routes for tenant search API.
- Added recording rules for latency metrics.
- Fixed naming of security group rules for Basic Station and Interop.
- Added Basic Station port 1887. This is needed when a TLS-terminating load balancer preserves Client IP addresses.
- Added route for
ttn.lorawan.v3.EventsgRPC service.
- Added alert for the Cluster Proxy reaching its file descriptor limit and dropping new connections.
- Added
Strict-Transport-Securityheader when using HTTPS.
- Upgraded image to Prometheus v2.27.1.
- Add recording rule for v3.13.1
ttn_lw_log_messages_totalmetric. The recording rule for the oldttn_lw_log_messages_rateis also still present.
- Added client IP preservation to the Gateway Server MQTTv2, Gateway Server MQTTv3, Gateway Server BasicStation, GatewayServer TabsHubs and Application Server MQTT target groups. Deployments which set the Application Server MQTT connection rate limits to high values to avoid throttling should consider reverting the rate limit to the default value.
- Updated the default Gateway Server uplink rate to 100 uplinks per second (6000 per minute).
- Support injecting Rate Limiting configuration in docker containers.
- Fixes for
cacheandeventspurposes. This requires replacement of redis replication groups of these purposes but does NOT affect thegeneralpurpose.
- Modifications in
GlobalConfiguration, no replacement - Added temporary and experimental support for offloading traffic to legacy (v2) deployments.
- Added
SLAApplies,SupportPlanApplies,SLAInformationURL,FairUsePolicyInformationURL,SupportPlanInformationURL,ClusterPickerURLparameters, update of Console, IS and DCS configuration - This is now renamed as
4-2a-configuration. - Added
EventsStorageEnabledparameter to enable storage of event history in Redis. - Added
DevEUIBlockEnabled,DevEUIBlockApplicationLimit,DevEUIBlockPrefixandDevEUIBlockInitCounterparameters
- Added new Rate Limiting Configuration definitions. Rate Limiting can be enabled/disabled independently for each service.
- Add references to a default rate limiting config stub. No functional changes.
- Support Rate Limiting. If Rate Limiting is enabled, the corresponding configuration should be enabled in
4-2b-configuration-rate-limiting.
- Support Rate Limiting. If Rate Limiting is enabled, the corresponding configuration should be enabled in
4-2b-configuration-rate-limiting.
- Support Rate Limiting. If Rate Limiting is enabled for a service, the corresponding configuration for that service should be enabled in
4-2b-configuration-rate-limiting.
- Added
IncludeConsoleparameter (default valuetruevalid for current deployments)
- Added
IncludeConsoleparameter (default valuetruevalid for current deployments) - Changed Packet Broker domains from
*.packetbroker.orgto*.packetbroker.net - Set
IncludeGatewayConfigurationServertotrueby default.falseis not compatible with existing deployments where a GCS is required in the cluster. - Change
PacketBrokerEnabledparameter toIncludePacketBrokerAgentfor consistency. The default value oftrueis compatible with existing deployments. Set tofalseto disable PBA. - Changed Console configuration (no change in parameters)
- Added LifecycleHook for service draining when ECS EC2 machines are terminated. Added resources
ECSAutoScalingGroupDraining*, replacement ofECSLaunchConfiguration, update ofECSAutoScalingGroup- here it saysConditionalreplacement due to update ofLaunchConfigurationName, but in reality there is no replacement
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- This template has been removed. To conditionally deploy the
gcsandconsoleservices, use5-4-ecs-services.
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- Added Gateway Configuration Server Service.
- Added
Include<Service>parameter for each service (default valuetruevalid for current deployments)`. - Fixed combined alarms to switch on included services.
- Changed
PacketBrokerEnabledtoIncludePacketBrokerfor consistency. The value of the former is applicable to the latter.
- MinimumHealthyPercent set to 50 (CloudFormation doesn't update this setting in ECS, might require manual update)
- Set
IncludeGatewayConfigurationServertotrueby default.falseis not compatible with existing deployments where a GCS is required in the cluster.
- Added alerts for CPU, Memory and Disk issues on VMs.
- New
EnableVirtualHostWithTenantSubdomainandEnableVirtualHostWithoutTenantSubdomainparameters to enable/disable virtual hosts with or without tenant subdomain. - New
RedirectToDomainparameter to redirect catch-all requests to a different domain (than the cluster domain).- In multi-cluster deployments this should typically be set to the domain of the cluster picker.
- Removed GCS routes from the GS Service.
- Added
ApplicationServerDesiredCountparameter (ApplicationServer is not multi-instance) - Added Device Claiming Server task definition and service.
- The default values of the Device Claiming Server parameters are fully compatible with existing deployments. Since a new service is added, capacity adjustments may be necessary if the existing cluster is low on resources.
- Added Device Claiming Server to list of services to be scraped. This change is fully compatible with existing deployments.
- Added Device Claiming Server to list of services to be scraped.
- Make sure to use the docker image version v3.12 (
thethingsindustries/lorawan-stack:3.12-aws-proxy) and above.
- Make sure to use the docker image version v3.12 (
- Added Packet Broker routing clusters
namandapac. - Added
PacketBrokerControlPlaneparameter. This must becp.packetbroker.org:443for all non-testing deployments. - Added
PacketBrokerPacketBrokerForwarderIncludeGatewayEUI,PacketBrokerForwarderIncludeGatewayIDandPacketBrokerForwarderHashGatewayID.- For The Things Stack Cloud: do not include gateway EUI, do include the gateway ID, and enable hashing the ID
- For The Things Network: include gateway EUI and ID, and disable hashing the ID
- Removed
PubSubProviderAWSIoTparameter. - Added Device Claiming Server Configuration.
- No new parameters are added and this change is fully compatible with existing deployments.
- Upgrade Prometheus to v2.26.0
- Added Device Claiming Server routes/servers.
- Added
LoadBalancerAccessLoggingEnabledandLoadBalancerLogsBucketNameparameters - Added
LoadBalancerLogsBucketandLoadBalancerLogsBucketPolicyresources - Modified attributes of LoadBalancer to allow logging
- Added
UDPAddrChangeBlock,UDPDownlinkPathExpiresandUDPPacketHandlersparameters. - Added environment name to Sentry configuration.
- Increased Prometheus retention.
- Disabled Thanos by default.
- Upgraded Envoy to v1.17.1.
- Changed configuration for changes in Envoy v1.17.
- Modified overload handling to degrade service more gracefully.
- Added recording and alerting rules for Cluster Proxy.
- Added TTI Root CA Support
- Made Certbot image consistent with other Docker Images. Use
thethingsindustries/lorawan-stack:3.x.x-aws-certbotimages.
- Added GCS routes to HTTP listener.
- Fixed wrong delimiter for GS gRPC cluster definition.
- Added config to enable ingress ports conditionally.
- The default values of new parameters are compatible with existing deployments, i.e., no new parameter values are needed for existing deployments to work.
- Added support for overriding certificates for all listeners.
- Added alternative Certificate chain support for HTTPS and Basic Station listeners.
- The default values of new parameters are compatible with existing deployments, i.e., no new parameter values are needed for existing deployments to work.
- Added option to select load balancer listeners and target groups.
- The default values of new parameters are compatible with existing deployments, i.e., no new parameter values are needed for existing deployments to work.
- Made per-service configuration selectable.
- The default values of new parameters are compatible with existing deployments, i.e., no new parameter values are needed for existing deployments to work.
- Added new optional template for a standalone Gateway Configuration Service.
- Added option to select services exposed on the proxy.
- Changed template to support one certificate per CFN stack.
- Delete the existing
5-7b-ecs-certbot-scheduled-taskstack before updating this template. - When deploying
5-7a-certs-lemake sure to unset theExistingCertArnparameter. This preserves existing certificates as backup if there are issues while querying new certificates.
- Delete the existing
- Changed template to support one certificate per CFN stack. Use the exported Task Definition ARN from
5-7a-certs-leto renew a particular certificate.
- Changed descriptions of security group ingress rules; no functional changes.
- Added Basic Station routes to HTTP listener.
- Added gRPC API routes to HTTP listener.
- Changed Redis engine compatibility version to
6.x
- Added
PacketBrokerTenantIDparameter back - Added optional
ConsoleURLForAccountAppparameter - Changed frequency plans directory to
/srv/ttn-lorawan/lorawan-frequency-plansand webhook templates directory to/srv/ttn-lorawan/lorawan-webhook-templates. - Added search path for Device Repository store.
- Relaxed Stripe pricing plans IDs validation
- Removed
MaximumPercent, MinimumHealthyPercentfrom NetworkServer service - Added NetworkServerDesiredCount
- Changed ApplicationServerTaskDefinition to also start Device Repository component
- Changes to certbot task definition, removed
CertbotTaskDefinitionArnoutput
- Changed default execution frequency to 2 days
- Removed ExecutionRole
- Added RuleRole
- General fixes to the Rule
- Added routes for Device Repository APIs.
- Update base image
no changes
- Added InstanceProfile to the EC2 machine, changed its UserData
- Added LifecyclePolicy to the EC2 machine's volume
- Added Packet Broker Agent API key ID and secret key parameters, PacketBrokerAgentSecrets
- Removed Packet Broker Agent TLS client certificate
- Added AdminRightsAll, PacketBrokerIAM parameters
- Removed PacketBrokerTenantID, PacketBrokerDevAddrPrefix, parameters
- Changed PacketBrokerAddress parameter allowed values
- Changed ISConfiguration and PBAConfiguration contents
- Changed PacketBrokerAgent TaskDefinition: added a secret
- Changed tasks' execution role: added access to packet borker's secret
- Chagned certbot task's environment (RenewBeforeExpiry) and execution role (detailed access to existing certificate)
- Added RenewBeforeExpiry parameter
- Removed EFS filesystem and mount targets
- Changed EC2 machine's UserData
- Changed EC2 machine's UserData
- New metrics and alerts
- Added a check if certificate needs a renewal