Skip to main content

Gruntwork release 2019-05

Guides / Update Guides / Releases / 2019-05

This page is lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2019-05. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 5/15/2019 | Release notes This integrates sprig into boilerplate so that the sprig functions are available in the templates rendered by boilerplate. Note that there are a few boilerplatefunctions that overlap withsprig. Each of these are now documented in the README. As such, starting this release those helpers are deprecated, and will be replaced with the sprig` versions in a future release. Please review the deprecation notes in the README, pasted below for convenience.

These helpers are deprecated. They are currently available for backwards compatibility, but may be removed in future versions. Please use the alternative supported forms listed in the description.

The following functions overlap with sprig, but have different functionality. There is an equivalent function listed above under a different name. These point to the boilerplate implementations for backwards compatibility. Please migrate to using the new naming scheme, as they will be updated to use the sprig versions in future versions of boilerplate.

  • round: In boilerplate, round returns the integer form as opposed to float. E.g {{ round 123.5555 }} will return 124. The following supported alternative functions are available:
    • roundFloat: The sprig version of round, which supports arbitrary decimal rounding. E.g {{ round 123.5555 3 }} returns 123.556. Note that {{ round 123.5555 0 }} returns 124.0.
    • roundInt: Another name for the boilerplate version of round. Use this if you would like to keep old behavior.
  • ceil and floor: In boilerplate, ceil and floor return integer forms as opposed to floats. E.g {{ ceil 1.1 }} returns 2, as opposed to 2.0 in the sprig version. The following supported alternative functions are available:
    • ceilFloat and floorFloat: The sprig version of ceil and floor.
    • ceilInt and floorInt: Another name for the boilerplate version ceil and floor. Use this if you would like to keep old behavior.
  • env: In boilerplate, env supports returning a default value if the environment variable is not defined. The following supported alternative functions are available:
    • readEnv: The sprig version of env. This always returns empty string if the environment variable is undefined.
    • envWithDefault: Another name for the boilerplate version of env. Use this if you would like to keep old behavior.
  • keys: In boilerplate, keys returns the keys of the map in sorted order. The following supported alternative functions are available:
    • keysUnordered: The sprig version of keys. This returns the list of keys in no particular order, and there is no guarantee that the order of the returned list is consistent.
    • keysSorted: Another name for the boilerplate version of keys. Use this if you would like to keep old behavior.
  • replace: In boilerplate, replace only replaces the first occurrence in the string, as opposed to all occurrences as in sprig. The following supported alternative functions are available:
    • replaceAll: The sprig version of replace.
    • replaceOne: Another name for the boilerplate version of replace. Use this if you would like to keep old behavior.
  • slice: In boilerplate, slice returns a list of numbers in the provided range. E.g {{ slice 1 5 1 }} returns the list [1, 2, 3, 4]. The following supported alternative functions are available:
    • sliceList: The sprig version of slice, which returns the slice of the given list. E.g {{ slice list n m }} returns list[n:m].
    • numRange: Another name for the boilerplate version of slice. Use this if you would like to keep old behavior.
  • trimPrefix and trimSuffix: In boilerplate, trimPrefix and trimSuffix takes the base string first. E.g {{ trimPrefix hello-world hello }} returns -world. The following supported alternative functions are available:
    • trimPrefixSprig and trimSuffixSprig: The sprig version of trimPrefix and trimSuffix. Unlike the boilerplate version, this takes the trim text first so that you can pipeline the trimming. E.g {{ "hello-world" | trimPrefix "hello" }} returns {{ -world }}.
    • trimPrefixBoilerplate and trimSuffixBoilerplate: Another name for the boilerplate versions of trimPrefix and trimSuffix. Use this if you would like to keep old behavior.



Published: 5/8/2019 | Modules affected: gruntwork-module-circleci-helpers | Release notes

  • gruntwork-module-circleci-helpers: Ensure the latest golang version is always installed



Published: 5/20/2019 | Modules affected: ecs-service-with-discovery, ecs-service-with-alb, ecs-fargate, ecs-daemon-service | Release notes

  • All the ECS service modules now allow you to optionally specify a custom prefix to use for the IAM execution role. The default value is to use the service name as before.


Published: 5/9/2019 | Modules affected: ecs-service | Release notes

  • You can now set a custom name prefix for the IAM roles created by the ecs-service module using the new task_execution_name_prefix input variable. The default is var.service_name, as before.


Published: 5/1/2019 | Modules affected: ecs-fargate | Release notes

  • This release fixes a bug where the fargate_without_lb resource incorrectly set a health_check_grace_period_seconds. From the terraform documentation, "Health check grace period is only valid for services configured to use load balancers".



Published: 5/9/2019 | Modules affected: eks-k8s-role-mapping, eks-cluster-control-plane, eks-cluster-workers | Release notes

  • Update package-terraform-utilities to latest version with terraform fmt to avoid drift
  • Add option to add load balancers to the eks worker asg


Published: 5/1/2019 | Modules affected: eks-cluster-control-plane | Release notes

This release confirms that external-dns and ALB ingress controller support ACM certificates. Additionally, this release extends the timeout for EKS cluster creation as some regions take longer than 15 minutes to provision the EKS cluster.



Published: 5/13/2019 | Modules affected: sqs | Release notes

  • The sqs module had a very unsafe default configuration that allowed unauthenticated incoming requests from any IP. In this update, IP-based access is now disabled completely by default. Unless you intend to allow unauthenticated IP-based, we strongly recommend updating to this new version. If you wish to preserve the original IP-based access, set apply_ip_queue_policy to true and specify the IPs that should be able to access the queue via allowed_cidr_blocks.

A huge thanks to @burtino for spotting this and providing a fix.



Published: 5/21/2019 | Modules affected: logs | Release notes

  • Fixes policy principal so NLBs can write to S3 bucket


Published: 5/14/2019 | Modules affected: logs/load-balancer-access-logs | Release notes

  • This release adds conditional support for the logs/load-balancer-access-logs module. You can now set create_resources = false on the module call to avoid creating the S3 bucket.


Published: 5/9/2019 | Modules affected: All | Release notes

  • You can now set tags on all the alarms modules via a new tags input variable.
  • You can now configure the snapshot period and snapshot evaluation period for the elasticsearch-alarms module using the new snapshot_period and snapshot_evaluation_period input variables, respectively.
  • We made a few fixes/improvements to our examples and docs, including fixing a bug with source_ami_filter for the example CentOS Packer template and cleaning up some typos.



Published: 5/24/2019 | Modules affected: cloudtrail | Release notes

  • You can now configure an optional SNS delivery notification topic for the cloudtrail module using a new sns_delivery_topic input variable.


Published: 5/15/2019 | Modules affected: iam-groups | Release notes

  • You can now tell the iam-groups module to not create the "access-all" group by setting the new input variable should_create_iam_group_cross_account_access_all to false. This can help work around an AWS limitation where we exceed the max IAM policy length.


Published: 5/3/2019 | Modules affected: fail2ban | Release notes

This release fixes, where fail2ban was not correctly working on non-ubuntu instances. Specifically:

  • For CentOS and Amazon Linux 2, fail2ban installed firewalld. firewalld by default disallows all inbound access except for SSH, which leads to frustrating UX where you have to explicitly enable your web services running on the instance. Additionally, this behavior doesn't play well with docker clusters like ECS and EKS, where the service ports are dynamic. This release fixes this behavior by updating firewalld to default to trust all traffic. See for more info.
  • For Amazon Linux 1, the fail2ban configuration had a bug where it was not starting up correctly. This release fixes that so that fail2ban starts correctly.
  • For Amazon Linux 1, the default regex for searching for failed SSH attempts was incorrect for the messages actually emitted by sshd on the platform. This release installs updated regex rules that properly detect the failing messages.
  • For CentOS and RHEL, the script had a bug preventing execution. This release fixes that.



Published: 5/16/2019 | Modules affected: k8s-tiller, k8s-tiller-tls-certs, k8s-helm-client-tls-certs | Release notes

This brings in TLS generation into the k8s-tiller module. In particular, k8s-tiller has a new required variable tiller_tls_gen_method which indicates how the module should generate the TLS certificates. Currently there are three options:

  • kubergrunt: Use the kubergrunt utility to generate the TLS certificates and upload as a Kubernetes Secret resource.
  • provider: Use the tls Terraform provider to generate the TLS certs, and then use the kubernetes provider to upload them as a Kubernetes Secret resource.
  • none: Don't generate any TLS certs and look them up based on the input variable tiller_tls_secret_name.

The characteristics of the three approaches are summarized in the table below. You can refer to the module README for more details.

MethodAmount of ControlTerraform FeaturesSecrets in Terraform StateExternal Dependencies
DirectFull controlN/AOnly referencesYes (TLS certs must be generated externally)
ProviderLimited controlFull supportAll Secrets are stored in Terraform StateNo
KubergruntLimited controlLimited supportOnly referencesYes (kubergrunt binary)

Additionally, this introduces the k8s-tiller-tls-certs and k8s-helm-client-tls-certs modules, which can be used to manually manage the TLS certificates for Tiller using the tls Terraform provider. Refer to the module READMEs for more details.

You can refer to the updated root example for example usage of the new modules.


Published: 5/8/2019 | Release notes

This updates the READMEs in all the modules to be compatible with the Terraform registry.


Published: 5/6/2019 | Modules affected: k8s-namespace, k8s-namespace-roles | Release notes

  • k8s-namespace and k8s-namespace-roles modules now support conditionally creating the namespace and roles via the create_resources input variable.


Published: 5/2/2019 | Modules affected: k8s-tiller, k8s-service-account, k8s-namespace, k8s-namespace-roles | Release notes

This release introduces a new module k8s-tiller, which can be used to use manage Tiller deployments using Terraform. The difference with the kubergrunt approach is that this supports using Terraform to apply updates to the Tiller Deployment resource. E.g you can now upgrade Tiller using Terraform, or update the number of replicas of Tiller Pods to deploy. Note that you still need to use kubergrunt to manage the TLS certificates.

The other modules have backwards compatible minor changes in the way dependencies are managed.