Upgrading

3.32.1

- Updated ECS AMIs to the latest versions.

3.32.0

- Add support for managed gateways via The Things Gateway Controller. The Gateway Configuration Server and Device Claiming Server use TLS client authentication. When using AWS Private CA (CertificateAuthorityARN in 4-2a-configuration), the client certificate can be issued automatically. To specify a custom TLS client certificate, enable EnableTTGCCustomCertificate in 4-1-secrets and specify the certificate and key according to the format in the description.
- Add support for gateways using The Things Industries Gateway Protocol. This requires TLS mutual authentication and TLS termination by the proxy. Make sure that SupportProxyTLS is enabled. This adds a new public listener (port 8889) that is mapped to the proxy that forwards traffic to the Gateway Server (port 1889).
- Fixed the rate-limiting profile for the ApplicationUpStorage service in the Application Server.
- Add default values for the default and maximum page sizes in the ApplicationUpStorage service in the Application Server.

3.31.1

Proxy
- Add TenantAccess gRPC service and routes.

3.31.0

- Updated ECS AMIs to the latest versions.

3.30.2

TimescaleDB replicas are now split to a separate template. Previously replicas had an ephemeral disk that needed to be copied when the replica was re-deployed. This made some upgrades really long to complete. Now the replicas are standalone and have their own disk that can be reattached to a new instance. This change should make upgrades faster and more reliable.

Upgrade procedure
1. Disable TimescaleDB replicas in the 5-4-ecs-services template.
2. Upgrade the 2-5-db-timescale template. This will remove TimescaleDB replicas if there were any.
3. Deploy the 2-6-db-timescale-replica template for each replica that was removed in the previous step.
4. Re-enable TimescaleDB replicas in the 5-4-ecs-services template.

2-5-db-timescale
- Rename to 2-5-db-timescale-master.
- Remove replica configuration from the template.

2-6-db-timescale-replica
- Add new optional template for TimescaleDB replica.

4-2a-configuration
- Add configuration parameters for the UDP rate limiting firewall (UDPRateLimitingFirewallEnabled/UDPRateLimitingFirewallMessages/UDPRateLimitingFirewallThreshold). Environments which use the general purpose rate limiting of the Gateway Server (via 4-2b-configuration-rate-limiting) do not need to enable this firewall.

3.30.1

Proxy
- Add email validation paths.

3.30.0

2-4c-mtls-s3
- Remove unused bucket policies and update resource tags.

3-1-security-group-rules
- Add ingress rules for LBSCUPSmTLS. Only enabled if LBSCUPSmTLSEnabled is true.

3-2-load-balancer-rules
- Add new listener for LBSCUPSmTLS.
- Remove dependency of port 443 and 8886 on SupportProxyTLSCondition.
- Update target group on Interop TLS connections when SupportProxyTLSCondition is true.

4-1-secrets
- Remove GSGatewayTokensHashKey.

4-2a-configuration
- Remove GSGatewayTokensHashKey configuration.

5-1-ecs-cluster
- Migrated from ECS Launch Configuration to ECS Launch Templates.
- The c6g, c7g, m6g, m7g, t4g, r6g and r7g families of machines are now available for hosting.

5-4-ecs-services
- Update GCS task role and remove mTLS bucket support for GS task role.
- The default NOC Grafana image has been updated to ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.30.0.

5-5-ecs-monitoring
- Renamed to 5-6-ecs-monitoring.

5-6-ecs-proxy
- Renamed to 5-7-ecs-proxy.
- Add conditions for LBSCUPSmTLS.

5-7a-certs-le
- Renamed to 5-8a-certs-le.
- Updated naming of inputs related to mTLS.

5-7b-ecs-certbot-scheduled-task
- Renamed to 5-8b-ecs-certbot-scheduled-task.

3.29.2

3.29.1

3.29.0

2-1-db-aurora-master, 2-2-db-aurora-replica
- Update the default database engine version to 13.8.
- Engine versions 14, 15 and 16 are now supported.

2-5-db-timescale
- Updated the default node_exporter version to 1.7.0.
- Updated the default postgres_exporter version to 1.5.0.
- Extension version 2.13.1 is now supported.
- Engine version 16 is now supported, but note that this requires an extension version of at least 2.13.1.
- The default extension version is now 2.10.1.
- The default engine version is now 15.

2-6-queue-sqs
- Renamed from 5-9a-sqs.

5-4-ecs-cluster
- Updated the default node_exporter version to 1.7.0.

3.28.2

Proxy
- Add Network Operations Center Grafana WebSocket paths support.

4-2b-configuration-rate-limiting
- Add OAuth server and Account app rate limiting.
- Add Azure IoT Hub and Central rate limiting overrides.

5-9a-sqs
- Add new optional template for AWS SQS.

3.28.1

Proxy
- Add Console events paths.

4-2b-configuration-rate-limiting
- Add Console events request rate limiting.

3.28.0

2-3-db-redis
- The r7g family of machines is now available for hosting.

4-2a-configuration
- Add EventsBatchingEnabled, EventsBatchingTargetSize, EventsBatchingDelay parameters.
- Add correlation IDs ignored methods to the gRPC server configuration.
- Add Identity Server NS-ID configuration.

3.27.2

5-4-ecs-services
- The default NOC Grafana image has been updated to ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.27.2. This upgrades Grafana to version 10.1.0 and disables the news feed.

3.27.1

2-5-db-timescale
- The instance initialization scripts now automatically terminate the instance if the initialization fails.

4-2a-configuration
- Added the CollaboratorRightsSetOthersAsContacts parameter.

3.27.0

5-4-ecs-services
- The default number of desired instances for the Gateway Configuration Server, Network Operations Center and Network Operations Center Grafana services has been increased to 2. We recommend that production deployments consider deploying extra replicas in order to ensure high availability.

3.26.2

5-2-ecs-ops
- Add GOGCValue parameter which controls the Go garbage collector target. Sets the GOGC environment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.

5-3a-ecs-is-service
- Add GOGCValue parameter which controls the Go garbage collector target. Sets the GOGC environment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.

5-3c-tbs-service
- Add GOGCValue parameter which controls the Go garbage collector target. Sets the GOGC environment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.

5-4-ecs-services
- Grafana alerting is now disabled by default, as it is not usable in the current setup.
- Add GOGCValue parameter which controls the Go garbage collector target. Sets the GOGC environment variable for stack components. Defaults to 100, which is also the default value in the absence of the environment variable.

3.26.1

ECS Templates

This release adds support for large (8 and 16 vCPU) task sizes. These large tasks are supported by AWS Fargate. Please note that due to limitations of the EC2 launch type, the 16 vCPU tasks may not be used with the EC2 launch type.

5-3a-ecs-is-service
- Add support for 8 and 16 vCPU tasks.

5-3b-ecs-external-is-proxy
- Add support for 8 and 16 vCPU tasks.

5-3c-tbs-service
- Add support for 8 and 16 vCPU tasks.

5-4-ecs-services
- Add support for 8 and 16 vCPU tasks.

5-5-ecs-monitoring
- Add support for 8 and 16 vCPU tasks.

5-6-ecs-proxy
- Add support for 8 and 16 vCPU tasks.

3.26.0

ECS templates

The UDP Gateway Server service has been removed. Historically this service has been used in order to work around various limitations that AWS Network Load Balancer had with UDP traffic. The service is problematic as it runs as a daemon service on each available ECS host machine, and does not support rolling updates. As the support for UDP traffic has improved in the AWS Network Load Balancer, we have decided to remove this service and have UDP traffic be served by the replica Gateway Server service.

Upgrade procedure

As this version upgrade removes certain resources, the standard upgrade procedure which follows the template numbering order cannot be followed directly.

The configuration of the 5-4-ecs-services template needs to be updated such that the EnableUDPGSRateLimiting and IncludeUDPGatewayServer parameters are set to false. The template does not have to be updated yet, only the configuration. This will remove the UDP Gateway Server service instances.

The standard upgrade procedure can commence after the template has been upgraded. While upgrading the 5-4-ecs-services template, consider increasing the number of tasks, or allocated resources, for the Gateway Server service.

1-2-bastion
- UDP Gateway Server references have been removed.

3-2-load-balancer-rules
- The UDP target group target type has been changed from instance to ip.

4-2b-configuration-rate-limiting
- The UDP Gateway Server rate limiting configuration has been marked as deprecated. The configuration will be removed in a future version.
- Add NOC rate limiting configuration.

5-4-ecs-services
- The UDP Gateway Server service has been removed. The UDP traffic will now be served by the existing Gateway Server service.
- The default NOC Grafana image has been updated to ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.26.0.
- Add NOC rate limiting.

5-5-ecs-monitoring
- UDP Gateway Server references have been removed.

3.25.2

Proxy
- Upgraded to Envoy 1.26.0.

2-5-db-timescale
- Updated the default node_exporter version to 1.5.0.
- Replica updates now always maintain at least one instance during the upgrade.
- Postgres custom settings are now re-created on every master instance provisioning.

5-4-ecs-cluster
- Updated the default node_exporter version to 1.5.0.

5-5-ecs-monitoring
- Prometheus has been upgraded to version 2.43.0.

3.25.1

2-4b-routing-s3
- Added PluginsConfigBucket.

Proxy
- The Network Operations Center routes now have a 30 second timeout.

3-2-load-balancer-rules
- The Basic Station and Tabs Hubs target groups now have a deregistration delay of zero.

5-3a-ecs-is-service
- Service deployment configuration MinimumHealthyPercent is now applied only to EC2 services.

5-3b-ecs-external-is-proxy
- Service deployment configuration MinimumHealthyPercent is now applied only to EC2 services.

5-3c-tbs-service
- Service deployment configuration MinimumHealthyPercent is now applied only to EC2 services.

5-4-ecs-services
- Grafana gzip encoding is now enabled.
- Service deployment configuration MinimumHealthyPercent is now applied only to EC2 services.
- The default NOC Grafana image has been updated to ghcr.io/thethingsindustries/lorawan-stack-noc-grafana:3.25.1.

5-6-ecs-proxy
- Service deployment configuration MinimumHealthyPercent is now applied only to EC2 services.

3.25.0

Proxy
- The NOC API is now exposed by the proxy.

2-5-db-timescale
- Added TimescaleDB 2.10.1 support.

2-3-db-redis
- The r4g family of machines is now available for hosting.

4-2a-configuration
- Added the NOC API paths.
- Added RestrictAdminManagedFieldUpdates parameter.

3.24.2

1-2-bastion
- AWS Graviton instances can now be used as bastion hosts.

2-5-db-timescale
- Added TimescaleDB 2.10.0 support.

3.24.1

2-5-db-timescale
- Added support for Postgres engine version 15 and TimescaleDB 2.9.3.
- Fixed the master configuration for new Postgres engine version 12 deployments.

4-2a-configuration
- Added RedisConnectionPoolMaxLifetime parameter.
- Added KeyVaultCacheSize, KeyVaultCacheTTL, KeyVaultCacheErrorTTL parameters.

3.24.0

ECS templates
- Support for TLS mutual authentication terminated by The Things Stack has been removed. TLS authentication is now only terminated by the Network Load Balancer or Envoy Proxy.
- Support for LoRaWAN Backend Interfaces interoperability with the Join Server has been removed.
- Crypto Server deployment has been removed.

Upgrade procedure

As this version upgrade removes certain resources, the standard upgrade procedure which follows the template numbering order cannot be followed directly.

1. The 5-7a-certs-le template needs to be upgraded first.
2. The 5-3a-ecs-is-service template needs to be upgraded next, and have InteropEnabled set to disabled. The value may be enabled again after every other template has been upgraded.
3. The standard upgrade procedure can commence after these two templates have been upgraded.

3-2-load-balancer-rules
- Changed InteropEnabled to a boolean since TLS mutual authentication is no longer terminated by The Things Stack. If you were using server-authentication or mutual-authentication, select true; if you were using disabled, select false.

4-1-secrets
- Removed InteropTLSSecret and output InteropTLSSecretID.

4-2a-configuration
- Removed InteropEnabled parameter.
- Removed CryptoServerDNSName parameter.
- Added CertificateAuthorityARN parameter.

5-2-ecs-ops
- Added UseCertificateAuthorityARN parameter.

5-3a-ecs-is-service
- Changed InteropEnabledIS to a boolean since TLS mutual authentication is no longer terminated by The Things Stack. If you were using server-authentication or mutual-authentication, select true; if you were using disabled, select false.
- Added UseCertificateAuthorityARN parameter.

5-3c-ecs-tbs-service
- Added UseCertificateAuthorityARN parameter.

5-4-ecs-services
- Removed InteropEnabledJS parameter.
- Added UseCertificateAuthorityARN parameter.

5-7a-certs-le
- Removed configuration for storing certificates for interoperability.

200-1-crypto
- This template has been removed and can be undeployed.

3.23.2

3.23.1

1-2-bastion
- The volumes used by the bastion hosts now use gp3 volumes.

2-5-db-timescale
- The volumes used by the TimescaleDB hosts now use gp3 volumes.

3-2-load-balancer-rules
- UDP target groups now automatically kill active flows to deregistered targets. This enables the replacement of the ECS EC2 machines without having the UDP traffic blackhole in the NLB.

4-2a-configuration
- Add configuration option for HomeNSID for the DCS config object.

5-1-ecs-cluster
- The volumes used by the EC2 machines used by ECS now use gp3 volumes. Note that this will not apply retroactively to existing instances.

5-5-ecs-monitoring
- Prometheus has been upgraded to version 2.40.5.
- Thanos default image has been upgraded to version 0.29.0.

AMI/BYOL template
- Fix RDS PostgreSQL 13 and 14 support for new deployments.
- The volumes used by the EC2 machine and by the RDS database are now gp3 volumes.
- Fix Network Operations Center initialization for new deployments.

Proxy
- Upgraded to Envoy 1.24.1.

3.23.0

For mTLS termination, check the upgrading guide at https://thethingsindustries.com/docs/getting-started/aws/ecs/mutual-tls/.