Gruntwork release 2018-06
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2018-06. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 6/16/2018 | Release notes
Published: 6/5/2018 | Release notes
https://github.com/gruntwork-io/module-asg/pull/33: You can now specify a kms_key_id parameter for the server-group module to enable EBS Volume encryption with your own Customer Master Key (CMK). This will also automatically create an IAM Policy that gives the server access to that CMK.
Published: 6/20/2018 | Release notes
https://github.com/gruntwork-io/module-ci/pull/66: The terraform-update-variable script used to require setting --skip-git "true", which is a non-idiomatic way to do flags in bash, and the parsing for it could fail silently. The script has now been updated so you just specify --skip-git to disable Git, without any need to say "true". Note that if you were using the --skip-git param before, this is a backwards incompatible change!
Published: 6/19/2018 | Release notes
https://github.com/gruntwork-io/module-ci/pull/62: The git-add-commit-push script will now detect "Updates were rejected because the remote contains work that you do not have locally" errors and automatically git pull --rebase and git push in a retry loop (up to a max number of retries). This allows the script to work properly even if someone else happened to push some code to the same branch at the exact same time.
Published: 6/6/2018 | Release notes
Published: 6/28/2018 | Release notes
Published: 6/21/2018 | Release notes
Published: 6/19/2018 | Release notes
https://github.com/gruntwork-io/package-openvpn/pull/45: The supervisor install has been moved from the run-process-requests and run-process-revokes scripts to the install-openvpn script where it belongs. You'll need to build a new OpenVPN AMI to take advantage of this change.
Published: 6/29/2018 | Release notes
Published: 6/26/2018 | Release notes
https://github.com/gruntwork-io/module-security/pull/99
This release includes MAJOR changes to ssh-iam that are backwards incompatible. These changes make it possible to add powerful new features to ssh-iam (more on that soon!), but if you're an existing user of ssh-iam, you will need to read these instructions carefully and do some work to upgrade without losing SSH access!
- ssh-iam has been renamed to ssh-grunt. This is because we are updating it to support Identity Providers (IdPs) other than just IAM!
- The ssh-iam-selinux-policy module has been renamed to ssh-grunt-selinux-policy.
- All input and output variables in module_security modules of the form xxx_ssh_iam_xxx have been renamed to xxx_ssh_grunt_xxx.
- All IAM role and IAM group names that were of the form xxx-ssh-iam-xxx have been renamed to xxx-ssh-grunt-xxx.
- All ssh-iam commands now use the form ssh-grunt <idp> <command>. For example, ssh-iam install is now ssh-grunt iam install and ssh-iam print-keys is now ssh-grunt iam print-keys. This allows us to add other IdPs in the future.
- When a user is removed from an ssh-grunt managed IdP group (e.g., a user is removed from an IAM group), ssh-grunt will delete the synced OS user from your server, but it will no longer delete that user's home directory. You can enable the old behavior with --force-user-deletion.
If you're already using ssh-iam, here is how to upgrade to ssh-grunt:
- Update your Packer templates:
  - Change the --binary-name param from ssh-iam to ssh-grunt.
  - If you're using SELinux (e.g., you're on CentOS), update ssh-iam-selinux-policy to ssh-grunt-selinux-policy in your Packer template too.
  - Change ssh-iam install to ssh-grunt iam install (all other params remain the same).
  - Build a new AMI and update your Terraform code to deploy it.
- If you update to the new cross-account-iam-roles, iam-groups, or saml-iam-roles modules, you will need to:
  - Rename any parameters you're passing as inputs to these modules, and any variables you're reading as outputs from these modules, from the form xxx_ssh_iam_xxx to the form xxx_ssh_grunt_xxx. For example, allow_ssh_iam_access_from_other_account_arns is now allow_ssh_grunt_access_from_other_account_arns.
  - Explicitly set the names of any ssh-iam / ssh-grunt IAM roles and groups created by these modules so you retain the old names you had before. The output of the plan command will tell you if any are being renamed and what the old names were.
Here are the updates we've done to the Acme sample Reference Architectures that show the type of changes you'll need to make:
infrastructure-modules changes
infrastructure-live changes
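A pre-upgrade check for the steps above, as an added example that is not Gruntwork's code: it scans Packer templates and Terraform files for the old ssh-iam names the steps say must change. The function names and every sample line are constructed for illustration; names of the form xxx-ssh-iam-xxx are deliberately not flagged, because the steps say to keep your existing IAM role and group names.

```shell
#!/bin/sh
# Added example (not Gruntwork code). Finds old ssh-iam names that the upgrade
# steps say must change. Function names and sample lines are constructed.

# audit_ssh_iam FILE...
# Prints "file:line: action: text" for each stale reference; returns 1 if any.
audit_ssh_iam() {
  _found=0
  for _file in "$@"; do
    awk -v f="$_file" '
      function report(action) {
        printf "%s:%d: %s: %s\n", f, NR, action, $0
        hits++
      }
      /--binary-name[ =]"?ssh-iam/   { report("set --binary-name to ssh-grunt") }
      /ssh-iam-selinux-policy/       { report("rename to ssh-grunt-selinux-policy") }
      /ssh-iam (install|print-keys)/ { report("use ssh-grunt iam <command>") }
      /_ssh_iam_/                    { report("rename to xxx_ssh_grunt_xxx") }
      END { exit (hits > 0) }
    ' "$_file" || _found=1
  done
  return "$_found"
}

# write_constructed_sample FILE: a made-up template fragment for the demo.
write_constructed_sample() {
  cat > "$1" <<'EOF'
--binary-name "ssh-iam"
ssh-iam-selinux-policy
ssh-iam install
allow_ssh_iam_access_from_other_account_arns = []
ssh-grunt iam print-keys
# kept on purpose: example-ssh-iam-example
EOF
}

sample=$(mktemp)
write_constructed_sample "$sample"
if audit_ssh_iam "$sample"; then
  echo "no stale ssh-iam references"
else
  echo "update the lines above before building the new AMI"
fi
rm -f "$sample"
```

Run it over your own templates with audit_ssh_iam followed by the file paths; a non-zero return means at least one file still uses an old name.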
Published: 6/26/2018 | Release notes
https://github.com/gruntwork-io/module-security/pull/97:
BACKWARDS INCOMPATIBLE CHANGE
The saml-iam-roles module now sets a default max expiration of 12 hours for IAM Roles intended for human users (e.g., allow-read-only-access-from-saml) and a default max expiration of 1 hour for IAM Roles intended for machine users (e.g., allow-auto-deploy-access-from-saml). Both of these expiration values are configurable via the new input variables max_session_duration_human_users and max_session_duration_machine_users.
Published: 6/21/2018 | Release notes
https://github.com/gruntwork-io/module-security/pull/96: Setting should_require_mfa to false in the iam-policies module should now work correctly, allowing you to disable the MFA requirement. This module is used under the hood in the iam-groups, cross-account-iam-roles, and saml-iam-roles modules, so upgrade those modules if you need this fix.
Published: 6/18/2018 | Release notes
Published: 6/14/2018 | Release notes