Gruntwork release 2019-04

This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2019-04. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

gruntwork

v0.0.27

Published: 4/23/2019 | Release notes

v0.0.26

Published: 4/18/2019 | Release notes

https://github.com/gruntwork-io/gruntwork/pull/40: Fix a bug in how we picked the name of the "security" account so it works correctly when granting access to __current__.

terraform-aws-asg

v0.6.26

Published: 4/24/2019 | Modules affected: server-group | Release notes

  • Per our AWS 2.0 strategy, we added a nightly build for this repo so that we can catch issues with provider upgrades as they are released.
  • Fixed a new exception that was thrown when the healthchecker was notified about a new EC2 instance and then tried to check its health via the ELB before that instance had a chance to register itself with the ELB. We now handle this properly.

terraform-aws-ci

v0.13.13

Published: 4/21/2019 | Modules affected: jenkins-server | Release notes

  • You can now set the redirect_http_to_https variable to true on the jenkins-server module to automatically redirect all HTTP requests to HTTPS.

v0.13.12

Published: 4/8/2019 | Modules affected: kubernetes-circleci-helpers | Release notes

  • kubernetes-circleci-helpers [NEW]

This release introduces scripts that help with setting up a Kubernetes testing environment in CircleCI. Specifically, this release introduces setup-minikube, a bash script that will install and start up minikube in CircleCI.

terraform-aws-data-storage

v0.8.8

Published: 4/3/2019 | Modules affected: lambda-cleanup-snapshots | Release notes

  • lambda-cleanup-snapshots
  • Filters snapshots by manual type, because automated snapshots may not be deleted manually

terraform-aws-ecs

v0.13.1

Published: 4/26/2019 | Modules affected: ecs-service, ecs-service-with-discovery, ecs-service-with-alb, ecs-daemon-service | Release notes

  • Adds and exposes a task execution IAM role so the tasks can pull private images from ECR and read secrets from AWS Secrets Manager.

NOTE: This release introduces new resources that require additional permissions to update an existing deployment. If you were using restricted IAM policies for your deployment accounts, you will need to add the following IAM permissions:

  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:ListEntitiesForPolicy

v0.13.0

Published: 4/18/2019 | Modules affected: ecs-cluster | Release notes

  • The ecs-cluster module now allows you to set the termination policy for the underlying Auto Scaling Group using a new termination_policies input variable. This module now sets the default termination policy to OldestInstance. Before, we used the default termination policy, but recent changes to the default termination policy break the ability of the roll-out-ecs-cluster-update.py script to do zero-downtime rolling updates of the ECS cluster. Switching to OldestInstance should fix this issue.

v0.12.2

Published: 4/9/2019 | Modules affected: ecs-deploy-check-binaries | Release notes

  • This release fixes #125, where the ALB Healthcheck was not checking that all the tasks were registered, and so was prematurely passing the deployment check. Starting with this release, the LB checker verifies that all the tasks for the newest versions are actually registered in the list before checking the health status.

v0.12.1

Published: 4/2/2019 | Modules affected: ecs-service, ecs-service-with-discovery, ecs-service-with-alb, ecs-fargate | Release notes

  • Sometimes the ECS service creation will fail because it cannot associate the IAM role for the task. This release adds a sleep after each aws_iam_role creation to give the role time to propagate before it is associated.

terraform-aws-eks

v0.5.2

Published: 4/29/2019 | Modules affected: eks-k8s-external-dns, eks-k8s-external-dns-iam-policy, eks-alb-ingress-controller | Release notes

This release introduces the following changes:

eks-alb-ingress-controller

  • Make AWS API debug logs configurable at the module level instead of hardcoding to true.

eks-k8s-external-dns

  • Make updatePolicy a configurable option. This allows you to configure external-dns to run in sync mode (as opposed to the default upsert-only mode), which will delete records that do not map to Ingress resources. Note that this will not touch any records that it does not explicitly know about, which is tracked through TXT records on the hosted zone.
  • Allow filtering Hosted Zones to manage by tags.

eks-k8s-external-dns-iam-policy

  • Grant permissions to list tags on Hosted Zones, so that you can filter by tags when specifying hosted zones for the external-dns to manage.

v0.5.1

Published: 4/23/2019 | Modules affected: eks-k8s-external-dns, eks-k8s-external-dns-iam-policy, eks-alb-ingress-controller | Release notes

This release introduces a new module, eks-k8s-external-dns, that can be used to deploy external-dns. This is a Kubernetes application that can map Ingress resource host paths to Route 53 domain records so that host name routes are automatically configured to hit the Ingress endpoints. See the module documentation for more information.

v0.5.0

Published: 4/18/2019 | Modules affected: eks-vpc-tags, eks-cloudwatch-container-logs, eks-alb-ingress-controller, eks-alb-ingress-controller-iam-policy | Release notes

This release introduces two new modules: eks-alb-ingress-controller and eks-alb-ingress-controller-iam-policy. These two modules can be used to deploy the AWS ALB Ingress Controller, which allows you to map Ingress resources to AWS ALBs. See the module documentation for more information.

This release also includes the following updates:

  • eks-vpc-tags now tags the public subnets with kubernetes.io/role/elb: 1 so that public ELBs will use those subnets.
  • eks-cloudwatch-container-logs module input variable pod_node_affinity has been tweaked to support specifying the operator. This requires changes to your code. See the migration guide below.

v0.4.0

Published: 4/12/2019 | Modules affected: eks-cluster-control-plane | Release notes

  • This release exposes enabled_cluster_log_types, which allows you to access control plane logging in CloudWatch Logs. You can read more about this feature in the official AWS documentation.

v0.3.1

Published: 4/11/2019 | Modules affected: eks-cluster-workers-cross-access, eks-cloudwatch-container-logs | Release notes

This release introduces support for specifying tolerations on the fluentd-cloudwatch Pods deployed using the eks-cloudwatch-container-logs module. This allows you to schedule the fluentd-cloudwatch Pods on nodes that have taints that prevent normal scheduling of Pods.

Additionally, this release introduces the eks-cluster-workers-cross-access module, which allows defining security group rules that allow communication across multiple worker groups. Take a look at the module docs for more information, and see the eks-cluster-with-supporting-services example for usage.

v0.3.0

Published: 4/10/2019 | Modules affected: eks-cluster-control-plane | Release notes

  • This release updates all the examples to switch to a data source based token retrieval scheme to authenticate the Kubernetes utilities (kubergrunt, kubectl, and the kubernetes + helm providers) as opposed to authentication by kubeconfig. This improves the experience for team based workflows, as the Terraform code no longer depends on having set up kubectl to work (NOTE: you still have to set up helm, but in the future this will also be changed to a data source based method). Take a look at the eks-cluster-basic example for an example.
  • Given the new authentication scheme, we no longer recommend using the configure_kubectl option. This is great for a single person example setup, but when used in production, it can lead to team confusion. As such, starting with this release, the option is set to false by default. If you would like the old behavior, you can set it to true in your module.

v0.2.3

Published: 4/10/2019 | Modules affected: eks-cluster-control-plane | Release notes

v0.2.2

Published: 4/8/2019 | Modules affected: eks-cluster-control-plane | Release notes

  • This fixes a bug where kubergrunt was still required even if all the feature flags were turned off.
  • Various fixes to the README and examples.

v0.2.1

Published: 4/2/2019 | Modules affected: eks-cloudwatch-container-logs | Release notes

This release introduces the eks-cloudwatch-container-logs module, which installs a DaemonSet on your EKS cluster to ship logs to CloudWatch using fluentd. Refer to the module documentation and eks-cluster-with-supporting-services for more information on how this works.

terraform-aws-load-balancer

v0.13.3

Published: 4/24/2019 | Modules affected: alb | Release notes

  • alb
  • This release fixes an issue with multiple duplicate ACM certs (e.g., you're rotating to a new cert and still have systems using the old cert), where previously it errored out if multiple ACM certs matched the domain. Instead, we will now pick the newer one.

Special thanks to @jasonmcintosh for the contribution!

v0.13.2

Published: 4/11/2019 | Modules affected: acm-tls-certificate | Release notes

  • acm-tls-certificate [NEW MODULE!]
  • Added a new acm-tls-certificate module that you can use to programmatically issue and validate a free, auto-renewing TLS certificate in AWS Certificate Manager (ACM). This makes it easy to manage your TLS certs as code and easily attach them to ALBs, CloudFront, API Gateway, etc.

terraform-aws-monitoring

v0.12.2

Published: 4/3/2019 | Modules affected: logs/cloudwatch-log-aggregation-iam-policy | Release notes

  • Extend the CloudWatch log aggregation IAM policy with logs:DescribeLogGroups, as needed by fluentd.

v0.12.1

Published: 4/2/2019 | Modules affected: alarms/sqs-alarms | Release notes

  • This release introduces sqs-alarms, which can be used to set up CloudWatch alarms for SQS queues. Check out the example for how to set it up.
  • This release verifies compatibility with AWS provider 2.X. NOTE: there are no changes to the underlying modules (only the examples), so there are no breaking changes with this release.

terraform-aws-sam

v0.1.12

Published: 4/9/2019 | Modules affected: gruntsam | Release notes

v0.1.11

Published: 4/9/2019 | Modules affected: api-gateway-account-settings | Release notes

  • Add a new create_resources input variable that, if set to false, will result in the api-gateway-account-settings module creating no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack that will allow us to conditionally decide if the API Gateway account settings should be created or not.

terraform-aws-security

v0.16.1

Published: 4/10/2019 | Modules affected: cross-account-iam-roles, kms-master-key | Release notes

  • cross-account-iam-roles: Add support for IAM role name prefix via new input variable iam_role_name_prefix. This way, we can have all the IAM roles created with names such as houston-<account-name>-xxx: e.g., houston-stage-allow-full-access-from-other-accounts and houston-prod-allow-full-access-from-other-accounts.
  • kms-master-key: Add a new create_resources input variable to kms-master-key that, if set to false, will result in the module creating no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack that will allow us to conditionally decide if the KMS master key should be created or not.

terraform-aws-static-assets

v0.4.3

Published: 4/4/2019 | Modules affected: s3-static-website | Release notes

  • s3-static-website
  • The s3-static-website module now has a new output called website_bucket_endpoint_path_style that has a path-style output of the S3 bucket endpoint, which will be of the format s3-<region>.amazonaws.com/<bucket-name>. The advantage of this style of endpoint is that it works over both HTTP and HTTPS.

terraform-aws-utilities

v0.0.8

Published: 4/19/2019 | Release notes

  • list-remove [NEW]

This release introduces a new module, list-remove, which can be used to remove items from a Terraform list. See the module docs for more info.

v0.0.7

Published: 4/10/2019 | Release notes

This release formats all the modules using terraform fmt. No functional changes are introduced.

terraform-aws-vpc

v0.5.7

Published: 4/19/2019 | Modules affected: vpc-dns-forwarder, vpc-dns-forwarder-rules | Release notes

  • vpc-dns-forwarder [NEW]
  • vpc-dns-forwarder-rules [NEW]

This release introduces two new modules that can be used to set up Route 53 Resolver endpoints to forward DNS queries over a peering network. This can be used to allow domains in Route 53 Private Hosted Zones to be resolved over a peering connection. See the module documentation for more details.

terraform-kubernetes-helm

v0.2.4

Published: 4/15/2019 | Release notes

  • This release improves the examples and documentation.