
Gruntwork release 2017-03


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2017-03. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 3/9/2017 | Release notes Add support for an env helper that allows you to look up environment variables in your boilerplate templates.


Published: 3/8/2017 | Release notes The shell helper and hooks now allow you to specify environment variables to pass to your scripts.



Published: 3/17/2017 | Release notes Fix a bug with the terraform-update-variable script where it would exit with a confusing error message if no --git-url parameter was included.


Published: 3/3/2017 | Release notes The scheduled-lambda-job module now makes running in a VPC optional. It exposes a new input variable called run_in_vpc which, if set to true, will give the lambda function access to a VPC you specify via the vpc_id and subnet_ids input variables. However, by default, it's set to false, and you can omit vpc_id and subnet_ids.

This is useful for lambda functions that use the AWS APIs and don't need direct access to a VPC anyway. Moreover, a recent bug in Terraform causes issues when you try to delete a lambda function that was deployed into a VPC.



Published: 3/31/2017 | Release notes You can now specify a custom KMS key to use to encrypt RDS or Aurora instances.


Published: 3/8/2017 | Release notes To allow the bastion host to talk to RDS or Aurora, you now have to explicitly set the allow_connections_from_bastion_host input variable to true. Before, we only exposed the bastion_host_security_group_id input variable, but if you fed dynamic data into that variable (e.g. from a terraform_remote_state data source), you'd get an error. This is now fixed.


Published: 3/6/2017 | Release notes The aurora module no longer specifies availability zones when creating an Aurora cluster. This is a workaround for a strange issue where you get an error along the lines of "Availability zone ‘us-east-1c’ is unavailable in this region, please choose another zone set."


Published: 3/3/2017 | Release notes We've added four new modules:

  1. lambda-create-snapshot: A lambda function that runs on a scheduled basis to take snapshots of an RDS DB. Useful if the once-nightly snapshots aren't enough and, even more importantly, this is the first step if you want to back up your snapshots to another AWS account.

  2. lambda-share-snapshot: A lambda function that can share an RDS snapshot with another AWS account. This is the second step in backing up your snapshots to another AWS account.

  3. lambda-copy-snapshot: A lambda function that runs on a scheduled basis to make local copies of RDS snapshots shared from an external AWS account. This is the third step and it needs to run in the AWS account you're using to back up your snapshots.

  4. lambda-cleanup-snapshots: A lambda function that runs on a scheduled basis to delete old RDS snapshots. You configure it with a maximum number of snapshots to keep, and once that number is exceeded, it deletes the oldest snapshots. This is useful to keep the number of snapshots from steps 1 and 3 above from getting out of hand.



Published: 3/9/2017 | Release notes You can now set the tenancy parameter on the ecs-cluster module if you need to use dedicated instances.


Published: 3/1/2017 | Release notes Added a new script called that you can use to automatically roll out new versions of your ECS cluster AMI with zero-downtime. Check out How do you make changes to the EC2 Instances in the cluster? for instructions.



Published: 3/29/2017 | Release notes The allow_inbound_from_cidr_blocks input variable in module-alb is now a list so you can specify multiple CIDR blocks.


Published: 3/9/2017 | Release notes


Two bug fixes:

  1. Due to a Terraform bug with merge and zipmap, some of the listener outputs were simply disappearing. For example, if your ALB had only HTTP listeners, the outputs for the HTTPS listeners would disappear, as would the aggregate listener that contained both HTTP and HTTPS listeners. Since we have other modules that depend on these outputs, this made the ALB unusable.

    As a result, the listener_arns and https_listener_arns outputs have been removed. The available outputs are now http_listener_arns, https_listener_non_acm_cert_arns, https_listener_acm_cert_arns.

  2. There was a bug in the previous release that caused an error to show up any time you tried to use an ACM cert. This has now been fixed.


Published: 3/8/2017 | Release notes To add an HTTPS listener, the ALB module originally had you pass in the https_listener_ports_and_ssl_certs input variable, which was a map of HTTPS ports to the ARNs of TLS certs (e.g. 443 = "arn:aws:acm:us-east-1:123456789012:certificate/12345678"). The module now exposes a new input variable called https_listener_ports_and_acm_ssl_certs which is a more user-friendly map of HTTPS ports to the domain name of a TLS cert issued by the AWS Certificate Manager (e.g. 443 = *



Published: 3/5/2017 | Release notes The Route 53 health checks module now supports an enabled parameter that you can use to disable or enable it. This is useful if you want to use the module inside another module and enable or disable it conditionally.



Published: 3/28/2017 | Release notes Fix a copy/paste bug in the iam-groups module where disabling the billing group would also disable the full-access group.


Published: 3/24/2017 | Release notes Fix a bug in the aws-cli-mfa script where it didn't properly clear the previous session token before fetching a new one.


Published: 3/23/2017 | Release notes We've added a new script called aws-cli-mfa that makes it much easier to use the AWS CLI with MFA enabled. The script can fetch temporary STS credentials and set them as environment variables in a single command. Check out the docs for usage instructions.


Published: 3/19/2017 | Release notes

  • ENHANCEMENT: The tls-cert-private module can now generate a TLS certificate that is valid for multiple domain names.


Published: 3/2/2017 | Release notes ssh-iam now supports cross-account access. This allows you to SSH to servers running in one AWS account (e.g. stage or prod) using your IAM credentials from a different AWS account (e.g. users). Check out the multiple AWS accounts docs for more info.


Published: 3/1/2017 | Release notes

  • NEW MODULE: We are pleased to introduce the os-hardening module!

    This module is our first step in providing a path to using a hardened OS Image based on the Center for Internet Security Benchmarks. These Benchmarks are freely downloadable and specific to a technology, which makes them straightforward to reference.

    At present, we support only a hardened OS for Amazon Linux, though we are open to adding support for additional OS's if customers request it. The primary OS hardening implemented in this release is the ability to create multiple disk partitions on the root volume in a Packer build, and mount each disk partition to a file system path with unique mount options.

    For example, we can now mount /tmp to its own disk partition so that a runaway program that fills up all of /tmp will not affect disk space available on other paths like /var/log where logs are stored. In addition, we can mount /tmp with the nosuid, nodev, and noexec options, which say that no file in /tmp should be allowed to assume the permissions of its file owner (a security risk), no external devices (like a block device) can be attached to /tmp and no files in /tmp can be executed, respectively.
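A check for the /tmp mount options described above, as an added example that is not part of the os-hardening module: it parses text in /proc/mounts format and reports whether /tmp is a separate mount carrying nosuid, nodev and noexec. The sample mount table, device names and the REQUIRED mapping are constructed for illustration.

```python
import sys

# Assumed policy for this example: the options the release note names for /tmp.
REQUIRED = {"/tmp": {"nosuid", "nodev", "noexec"}}

# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,noatime 0 0
/dev/xvda2 /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/xvda3 /var/log ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return {mount_point: set(options)}; a later entry for a path wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        # /proc/mounts escapes spaces in paths as \040.
        mount_point = fields[1].replace("\\040", " ")
        mounts[mount_point] = set(fields[3].split(","))
    return mounts


def audit(text, required=REQUIRED):
    """Return {path: finding} for each failing path; an empty dict means compliant."""
    mounts = parse_mounts(text)
    findings = {}
    for path, wanted in required.items():
        if path not in mounts:
            # The path lives on its parent's file system, so it shares its
            # disk space and cannot carry its own mount options.
            findings[path] = "not a separate mount"
            continue
        missing = wanted - mounts[path]
        if missing:
            findings[path] = "missing options: " + ",".join(sorted(missing))
    return findings


if __name__ == "__main__":
    # On a host, pass /proc/mounts as the argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for path, finding in audit(text).items():
        print(f"{path}: {finding}")
```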


Published: 3/1/2017 | Release notes Added support for easy cross-account access. You can now define all your IAM users in one AWS account (e.g. a users account), give those IAM users access to specific IAM roles in your other AWS accounts (e.g. a stage or prod account), and they will be able to switch accounts in the AWS console with just a few clicks.

To use this, you need to configure the new iam_groups_for_cross_account_access input variable in the iam-groups module in your users account and deploy the new cross-account-iam-roles module in the stage and prod accounts.



Published: 3/17/2017 | Release notes

  • BUG FIX: The mount-ebs-volume script in the persistent-ebs-volume module now correctly formats a volume with xfs. Previously, it worked only for ext4.


Published: 3/9/2017 | Release notes

  • ENHANCEMENT: The persistent-ebs-module script now supports a parameter that specifies file system mounting options, and explicitly supports creating file systems of type XFS.

    Previously, you could pass in alternative file systems to this script, but since even blank EBS Volumes are formatted as ext4 by default, the script would not attempt to format the EBS Volume with the new file system type. That is now fixed.


Published: 3/7/2017 | Release notes module-server now allows you to control its tenancy settings via the tenancy parameter. This is useful if you need to be HIPAA compliant and must use dedicated tenancy for your servers.



Published: 3/7/2017 | Release notes First release! We've created an intermediate-variable module.



Published: 3/7/2017 | Release notes You can now use the tenancy parameter to control the tenancy of the VPCs created by the vpc-app and vpc-mgmt modules.