Skip to main content

Gruntwork release 2018-06

Guides / Update Guides / Releases / 2018-06

This page is lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2018-06. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 6/16/2018 | Release notes Fix a bug where the server-group module would hit an error trying to create an IAM Policy for EBS volumes when the size param was set to 0.


Published: 6/5/2018 | Release notes You can now specify a kms_key_id parameter for the server-group module to enable EBS Volume encryption with your own Customer Master Key (CMK). This will also automatically create an IAM Policy that gives the server access to that CMK.



Published: 6/20/2018 | Release notes The terraform-update-variable script used to require setting --skip-git "true", which is a non-idiomatic way to do flags in bash, and the parsing for it could fail silently. The script has now been updated so you just specify --skip-git to disable Git, without any need to say "true". Note that if you were using the --skip-git param before, this is a backwards incompatible change!


Published: 6/19/2018 | Release notes The git-add-commit-push script will now detect "Updates were rejected because the remote contains work that you do not have locally" errors and automatically git pull --rebase and git push in a retry loop (up to a max number of retries). This allows the script to work properly even if someone else happened to push some code to the same branch at the exact same time.



Published: 6/6/2018 | Release notes You can now optionally customize the ALB Target Group name in ecs-service-with-alb using the alb_target_group_name parameter.



Published: 6/28/2018 | Release notes,

  1. Fix a bug with how the init-openvpn script configures the PKI backup cron job. This is an important fix, so we recommend upgrading.

  2. Default iops to 0 in the openvpn-server module. This is to work around a Terraform bug.


Published: 6/21/2018 | Release notes


Published: 6/19/2018 | Release notes The supervisor install has been moved from the run-process-requests and run-process-revokes scripts to the install-openvpn script where it belongs. You'll need to build a new OpenVPN AMI to take advantage of this change.



Published: 6/29/2018 | Release notes Update ssh-grunt to use the same data structures as Houston.


Published: 6/26/2018 | Release notes

This release includes MAJOR changes to ssh-iam that are backwards incompatible. These changes make it possible to add powerful new features to ssh-iam (more on that soon!), but if you're an existing user of ssh-iam, you will need to read these instructions carefully and do some work to upgrade without losing SSH access!

  1. ssh-iam has been renamed to ssh-grunt. This is because we are updating it to support Identity Providers (IdPs) other than just IAM!

  2. The ssh-iam-selinux-policy module has been renamed to ssh-grunt-selinux-policy.

  3. All input and output variables in module_security modules of the form xxx_ssh_iam_xxx have been renamed to xxx_ssh_grunt_xxx.

  4. All IAM role and IAM group names that were of the form xxx-ssh-iam-xxx have been renamed to xxx-ssh-grunt-xxx.

  5. All ssh-iam commands now use the form ssh-grunt <idp> <command>. For example, ssh-iam install is now ssh-grunt iam install and ssh-iam print-keys is now ssh-grunt iam print-keys. This allows us to add other IdPs in the future.

  6. When a user is removed from an ssh-grunt managed IdP group (e.g., a user is removed from an IAM group), ssh-grunt will delete the synced OS user from your server, but it will no longer delete that user's home directory. You can enable the old behavior with --force-user-deletion.

If you're already using ssh-iam, here is how to upgrade to ssh-grunt:

  1. Update your Packer templates:

    1. Change the --binary-name param from ssh-iam to ssh-grunt.
    2. If you're using SELinux (e.g., you're on CentOS), update ssh-iam-selinux-policy to ssh-grunt-selinux-policy in your Packer template too.
    3. Change ssh-iam install to ssh-grunt iam install (all other params remain the same).
    4. Build a new AMI and update your Terraform code to deploy it.
  2. If you update to the new cross-account-iam-roles, iam-groups, or saml-iam-roles modules, you will need to:

    1. Rename any parameters you're passing as inputs to these modules, and any variables you're reading as outputs from these modules, form the form xxx_ssh_iam_xxx to the form xxx_ssh_grunt_xxx. For example, allow_ssh_iam_access_from_other_account_arns is now allow_ssh_grunt_access_from_other_account_arns.
    2. Explicitly set the names of any ssh-iam / ssh-grunt IAM roles and groups created by these modules so you retain the old names you had before. The output of the plan command will tell if you any are being renamed and what the old names were.

Here are the updates we've done to the Acme sample Reference Architectures that show the type of changes you'll need to make:

infrastructure-modules changes infrastructure-live changes


Published: 6/26/2018 | Release notes


The saml-iam-roles module now sets a default max expiration of 12 hours for IAM Roles intended for human users (e.g., allow-read-only-access-from-saml) and a default max expiration of 1 hour for IAM Roles intended for machine users (e.g., allow-auto-deploy-access-from-saml). Both of these expiration values are configurable via the new input variables max_session_duration_human_users and max_session_duration_machine_users.


Published: 6/21/2018 | Release notes Setting should_require_mfa to false in the iam-policies module should now work correctly, allowing you to disable the MFA requirement. This module is used under the hood in the iam-groups, cross-account-iam-roles, and saml-iam-roles modules, so upgrade those modules if you need this fix.



Published: 6/18/2018 | Release notes The mount-ebs-volume script now supports NVMe block devices used by the new C5, C5d, M5, and i3.metal instances.



Published: 6/14/2018 | Release notes