Gruntwork release 2018-06
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2018-06. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 6/16/2018 | Release notes
Published: 6/5/2018 | Release notes
  https://github.com/gruntwork-io/module-asg/pull/33: You can now specify a kms_key_id parameter for the server-group module to enable EBS Volume encryption with your own Customer Master Key (CMK). This will also automatically create an IAM Policy that gives the server access to that CMK.
Published: 6/20/2018 | Release notes
  https://github.com/gruntwork-io/module-ci/pull/66: The terraform-update-variable script used to require setting --skip-git "true", which is a non-idiomatic way to do flags in bash, and the parsing for it could fail silently. The script has now been updated so you just specify --skip-git to disable Git, without any need to say "true". Note that if you were using the --skip-git param before, this is a backwards incompatible change!
Published: 6/19/2018 | Release notes
  https://github.com/gruntwork-io/module-ci/pull/62: The git-add-commit-push script will now detect "Updates were rejected because the remote contains work that you do not have locally" errors and automatically git pull --rebase and git push in a retry loop (up to a max number of retries). This allows the script to work properly even if someone else happened to push some code to the same branch at the exact same time.
Published: 6/6/2018 | Release notes
Published: 6/28/2018 | Release notes
Published: 6/21/2018 | Release notes
Published: 6/19/2018 | Release notes
  https://github.com/gruntwork-io/package-openvpn/pull/45: The supervisor install has been moved from the run-process-requests and run-process-revokes scripts to the install-openvpn script where it belongs. You'll need to build a new OpenVPN AMI to take advantage of this change.
Published: 6/29/2018 | Release notes
Published: 6/26/2018 | Release notes
  https://github.com/gruntwork-io/module-security/pull/99
This release includes MAJOR changes to ssh-iam that are backwards incompatible. These changes make it possible to add powerful new features to ssh-iam (more on that soon!), but if you're an existing user of ssh-iam, you will need to read these instructions carefully and do some work to upgrade without losing SSH access!
- ssh-iam has been renamed to ssh-grunt. This is because we are updating it to support Identity Providers (IdPs) other than just IAM!
- The ssh-iam-selinux-policy module has been renamed to ssh-grunt-selinux-policy.
- All input and output variables in module_security modules of the form xxx_ssh_iam_xxx have been renamed to xxx_ssh_grunt_xxx.
- All IAM role and IAM group names that were of the form xxx-ssh-iam-xxx have been renamed to xxx-ssh-grunt-xxx.
- All ssh-iam commands now use the form ssh-grunt <idp> <command>. For example, ssh-iam install is now ssh-grunt iam install and ssh-iam print-keys is now ssh-grunt iam print-keys. This allows us to add other IdPs in the future.
- When a user is removed from an ssh-grunt managed IdP group (e.g., a user is removed from an IAM group), ssh-grunt will delete the synced OS user from your server, but it will no longer delete that user's home directory. You can enable the old behavior with --force-user-deletion.
 
If you're already using ssh-iam, here is how to upgrade to ssh-grunt:
- Update your Packer templates:
  - Change the --binary-name param from ssh-iam to ssh-grunt.
  - If you're using SELinux (e.g., you're on CentOS), update ssh-iam-selinux-policy to ssh-grunt-selinux-policy in your Packer template too.
  - Change ssh-iam install to ssh-grunt iam install (all other params remain the same).
  - Build a new AMI and update your Terraform code to deploy it.
- If you update to the new cross-account-iam-roles, iam-groups, or saml-iam-roles modules, you will need to:
  - Rename any parameters you're passing as inputs to these modules, and any variables you're reading as outputs from these modules, from the form xxx_ssh_iam_xxx to the form xxx_ssh_grunt_xxx. For example, allow_ssh_iam_access_from_other_account_arns is now allow_ssh_grunt_access_from_other_account_arns.
  - Explicitly set the names of any ssh-iam / ssh-grunt IAM roles and groups created by these modules so you retain the old names you had before. The output of the plan command will tell you if any are being renamed and what the old names were.
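A pre-upgrade audit of the renames listed above, as an added example (not Gruntwork's own code): it rewrites the ssh-iam references that the notes say must change and flags hyphenated IAM role and group names for manual review, since the notes say to pin those to their old values. The sample lines and the iam_group_name variable are constructed for illustration.

```python
import re

# Rename rules from the release notes above; the most specific run first.
NOT_IN_NAME = r"(?<![\w-])"  # keeps foo-ssh-iam-bar style names out of a rule
RULES = [
    # SELinux policy module
    (re.compile(NOT_IN_NAME + r"ssh-iam-selinux-policy(?![\w-])"),
     "ssh-grunt-selinux-policy"),
    # --binary-name param in Packer templates (space or "=", optional quote)
    (re.compile(r"(--binary-name[ =]['\"]?)ssh-iam(?![\w-])"), r"\1ssh-grunt"),
    # ssh-iam <command> becomes ssh-grunt <idp> <command>, with idp = iam
    (re.compile(NOT_IN_NAME + r"ssh-iam (?=[a-z])"), "ssh-grunt iam "),
    # Terraform inputs and outputs: xxx_ssh_iam_xxx becomes xxx_ssh_grunt_xxx
    (re.compile(r"_ssh_iam_"), "_ssh_grunt_"),
]

def audit(text):
    """Return (rewritten_text, findings).

    Each finding is (line_no, old, new). new is None when the line still
    contains ssh-iam after the rules ran: that is an IAM role or group
    name, which the notes say to set explicitly rather than rename.
    """
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new = line
        for pattern, replacement in RULES:
            new = pattern.sub(replacement, new)
        if new != line:
            findings.append((no, line.strip(), new.strip()))
        if "ssh-iam" in new:
            findings.append((no, new.strip(), None))
        out.append(new)
    return "\n".join(out), findings

# Constructed sample: lines as they might appear in a Packer template and in
# Terraform code. iam_group_name is a hypothetical variable.
SAMPLE = """\
gruntwork-install --binary-name 'ssh-iam'
gruntwork-install --module-name 'ssh-iam-selinux-policy'
sudo ssh-iam install
allow_ssh_iam_access_from_other_account_arns = ["arn:aws:iam::111122223333:root"]
iam_group_name = "acme-ssh-iam-sudo-users"
"""

if __name__ == "__main__":
    for no, old, new in audit(SAMPLE)[1]:
        print(f"line {no}: {old}\n   -> {new or 'MANUAL REVIEW: keep the old name'}")
```

Run it over your templates before building the new AMI; any line reported for manual review is a name that the plan output should show as unchanged once you have set it explicitly.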
 
Here are the updates we've done to the Acme sample Reference Architectures that show the type of changes you'll need to make:
infrastructure-modules changes
infrastructure-live changes
Published: 6/26/2018 | Release notes
  https://github.com/gruntwork-io/module-security/pull/97:
BACKWARDS INCOMPATIBLE CHANGE
The saml-iam-roles module now sets a default max expiration of 12 hours for IAM Roles intended for human users (e.g., allow-read-only-access-from-saml) and a default max expiration of 1 hour for IAM Roles intended for machine users (e.g., allow-auto-deploy-access-from-saml). Both of these expiration values are configurable via the new input variables max_session_duration_human_users and max_session_duration_machine_users.
Published: 6/21/2018 | Release notes
  https://github.com/gruntwork-io/module-security/pull/96: Setting should_require_mfa to false in the iam-policies module should now work correctly, allowing you to disable the MFA requirement. This module is used under the hood in the iam-groups, cross-account-iam-roles, and saml-iam-roles modules, so upgrade those modules if you need this fix.
Published: 6/18/2018 | Release notes
Published: 6/14/2018 | Release notes