Gruntwork release 2019-01
Guides / Update Guides / Releases / 2019-01
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2019-01. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 1/9/2019 | Modules affected: eks-cluster-control-plane | Release notes
eks-cluster-control-plane
- When provisioning an EKS cluster, we will now wait for the API endpoint to come up before marking the resource as created. This addresses an eventual consistency issue where chaining eks cluster resources to kubernetes resources could sometimes fail because terraform marks a resource as complete before the API comes up and is responsive. Note that this requires installation of
kubergrunt. You can get back to the older behavior by setting use_kubergrunt_verification to false in the module parameters.
- This release is not intended to be used in production, as core features of a production grade infrastructure are still missing. This is currently intended to be used for development and learning purposes so that you can plan out a migration to Gruntwork modules for managing EKS.
Published: 1/26/2019 | Modules affected: asg-rolling-deploy | Release notes
- The
asg-rolling-deploy module now allows you to configure enhanced monitoring on the instances via the enabled_metrics variable.
Published: 1/21/2019 | Modules affected: server-group | Release notes
- The
server-group module now allows you to configure IOPS for your EBS volumes by specifying the iops attribute for each EBS volume you configure via the ebs_volumes parameter.
Published: 1/17/2019 | Modules affected: redis | Release notes
redis (BACKWARDS INCOMPATIBLE)
redis: Adds 4 new aws_replication_group permutations to the Redis module, to workaround the inability to use interpolations in ignore_changes field in a lifecycle block (hashicorp/terraform#3116) which will have been the ideal solution to ignoring the number_cache_cluster field when in cluster_mode to prevent terraform plan diffs due to cluster resizing.
This release is backwards incompatible and to update an existing Redis cluster, use terragrunt state mv <old_address> <new_address> to ensure that your cluster isn't deleted when you run terraform apply.
For example, to migrate a cluster mode Redis cluster deployed via the aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token resource, you'd simply run:
terraform state mv module.<your-module-name>.aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token module.<your-module-name>.aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token_with_cluster_mode
Published: 1/14/2019 | Modules affected: install-jenkins | Release notes
- You can now use the
--java-args flag to configure additional JVM args for Jenkins.
Published: 1/7/2019 | Modules affected: git-helpers | Release notes
- The
git-add-commit-push script will now retry on the "failed to update ref" error, which seems to come up occasionally.
Published: 1/30/2019 | Modules affected: rds | Release notes
- The RDS module now lets you set the option group name and monitoring IAM Role path with two new optional variables,
option_group_name and monitoring_role_arn_path, respectively.
Published: 1/28/2019 | Modules affected: aurora | Release notes
- The
aurora module now exposes the skip_final_snapshot parameter to allow you to skip a final snapshot when deleting a database.
Published: 1/3/2019 | Modules affected: aurora | Release notes
- You can now configure the
aurora module to export logs to CloudWatch using the new enabled_cloudwatch_logs_exports input parameter.
Published: 1/23/2019 | Modules affected: ecs-daemon-service | Release notes
- The ecs-daemon-service module now exposes setting
pid_mode via a new variable: ecs_task_definition_pid_mode . This allow setting the process namespace to use for the containers in the task. The valid values are host and task. The default value is task and the terraform provider will not accept an empty string value without error.
Published: 1/16/2019 | Modules affected: ecs-daemon-service | Release notes
- The
ecs-daemon-service module now exposes a deployment_minimum_healthy_percent parameter you can use to set the lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment.
Published: 1/16/2019 | Modules affected: ecs-service-with-discovery | Release notes
ecs-service-with-discovery
- The
ecs-service-with-discovery now includes a new domain_name output variable that will be set to the fully-qualified domain name configured for the module (if any).
Published: 1/10/2019 | Modules affected: ecs-service-with-discovery | Release notes
ecs-service-with-discovery [Breaking Change]
- The
ecs-service-with-discovery module now sets the default family name for the ECS Task Definition to ${var.service_name} rather than "${var.service_name}-task-definition" to be consistent with the other ECS modules. If you wish to retain the old naming convention, you can now explicitly set the family name using the new task_definition_family_name parameter.
Published: 1/14/2019 | Modules affected: eks-cluster-control-plane, eks-cluster-workers, eks-k8s-role-mapping, eks-vpc-tags | Release notes
eks-cluster-control-planeeks-cluster-workerseks-k8s-role-mappingeks-vpc-tags
This is a compatible release of terraform-aws-eks with package-k8s v0.1.4.
Published: 1/31/2019 | Release notes
- The ALB requires all listeners to have a "default action" that defines what to do for a request that doesn't match any listener rule. In the past, the only supported action was to forward requests to a target group, so we used to forward to an empty "black hole" target group, resulting in a 503. The ALB now supports fixed responses, so we've updated the default action of the
alb module to return a blank 404 page, which is a more appropriate status code.
For most teams, the new 404 behavior is better, so no code changes will be necessary. However, if you wish to override this 404 behavior, you have two options:
- You can override the default fixed response via the
default_action_content_type, default_action_body, default_action_status_code parameters. - You can add an ALB Listener Rule that catches ALL requests (i.e.,
*) and have that rule forward to a custom Target Group so your own apps can respond in any way you wish.
Published: 1/31/2019 | Modules affected: cloudwatch-dashboard-metric-widget, cloudwatch-dashboard | Release notes
cloudwatch-dashboard-metric-widget (BACKWARDS INCOMPATIBLE)cloudwatch-dashboard
cloudwatch-dashboard-metric-widget: Changes the stacked variable type from a string to a boolcloudwatch-dashboard: Updates replacement algorithm for creating valid json from Terraform json_encode output
This release is backwards incompatible and to update an existing metric widget, simply remove the surrounding quotes on the boolean value supplied.
Published: 1/22/2019 | Modules affected: alarms/alb-target-group-alarms | Release notes
alarms/alb-target-group-alarms
- Fixes a bug where the wrong variable was used for treating missing data on the high request count alarm.
Published: 1/30/2019 | Modules affected: gruntsam | Release notes
Published: 1/24/2019 | Release notes
Published: 1/21/2019 | Modules affected: fail2ban | Release notes
- Add
DEBIAN_FRONTEND=noninteractive to calls to apt-get so that the install doesn't hang during automated builds. Use systemctl instead of update-rc.d to boot fail2ban on Ubuntu.
Published: 1/23/2019 | Modules affected: persistent-ebs-volume | Release notes
persistent-ebs-volume [BREAKING CHANGE]
mount-ebs-volume now uses the UUID instead of the device name to mount volumes. With some OS and volume configurations, the device name can change after a reboot, so using the UUID ensures that the volume is always identified the same way.
Published: 1/9/2019 | Modules affected: persistent-ebs-volume | Release notes
- The
mount-ebs-volume script will now retry correctly if an EBS volume exists but is attached to a different EC2 instance. This is useful to ensure the script retries while an old instance shuts down and releases the volume.
Published: 1/8/2019 | Release notes
single-server
Some users may have requirements for tighter security group rules on instances, but the single-server module currently has a hard coded rule to allow all outbound traffic.
What we changed:
- Added an allow_all_outbound_traffic variable to the single-server module and implemented it so the allow_outbound_all security group rule can be toggled on/off by end-users.
- The variable defaults to true so existing users will be unaffected.
Published: 1/9/2019 | Modules affected: **[NEW]**, **[NEW]** | Release notes
- [NEW]
run-pex-as-data-source - [NEW]
run-pex-as-resource
This release introduces modules that support running python PEX files in Terraform in a way such that the scripts themselves do not need to be embedded in the pex. See the documentation to learn more about pex.
run-pex-as-data-source can be used to run python pex files as an external data source.run-pex-as-resource can be used to run python pex files as a local-exec provisioner on a null_resource.
Published: 1/9/2019 | Modules affected: require-executable | Release notes
- Allows the
require-executable module to ignore empty lists and strings on the input so that the check can be conditional.
Published: 1/8/2019 | Modules affected: **[NEW]** | Release notes
- Introduces a new module
require-executable that can be used to ensure particular executables is available in the PATH, with a customizable error message when it is not found.
Published: 1/29/2019 | Modules affected: vpc-app, vpc-mgmt | Release notes
- Increased the
timeouts on create on the aws_route resources to 5 minutes to work around a Terraform bug.
Published: 1/14/2019 | Modules affected: vpc-app-network-acls | Release notes
- The Network ACLs now allow outbound DNS (UDP, port 53) traffic, by default. Most services need DNS, so it seems like a bug to not have exposed this properly before. Note that internal AWS DNS seems to work without this, but for other DNS systems, such as the one used by Kubernetes, this is an important fix.
Published: 1/9/2019 | Modules affected: vpc-app | Release notes
- You can now get the NAT Gateway IDs from the
vpc-app module using the new nat_gateway_ids output attribute.
Published: 1/4/2019 | Modules affected: vpc-app | Release notes
- You can now create Elastic IP Addresses (EIPs) for your NAT Gateways outside of the
vpc-app module and tell the module to use those EIPs by setting the use_custom_nat_eips parameter to true and passing in the list of EIP allocation IDs using the custom_nat_eips parameter.
Published: 1/18/2019 | Modules affected: k8s-namespace, k8s-service-account | Release notes
k8s-namespace [BACKWARDS INCOMPATIBLE] k8s-service-account [BACKWARDS INCOMPATIBLE]
- The RBAC roles and RBAC role bindings are now managed using the kubernetes provider as opposed to kubectl.
This is a backwards incompatible change. Specifically, the modules no longer need to specify a kubectl_config_context_name and kubectl_config_path. Additionally, we now require the number of rbac roles to be passed in as a variable to work around a terraform limitation with looping interpolated lists.
Published: 1/14/2019 | Modules affected: k8s-namespace, k8s-service-account | Release notes
k8s-namespacek8s-service-account
- Introduces
k8s-namespace terraform module, which will create a namespace and RBAC roles for admin access and read only access restricted to the namespace. - Introduces
k8s-service-account terraform module, which will create a service account. This module also supports binding RBAC roles to the service account.