Gruntwork release 2019-08
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2019-08. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 8/19/2019 | Release notes
https://github.com/gruntwork-io/gruntwork/pull/48 : Add support for bootstrapping the GCP Reference Architecture. This version introduces a new set of commands under the `gcp` subcommand for setting up your GCP org for deploying the Gruntwork GCP Reference Architecture.
Published: 8/6/2019 | Modules affected: install-openvpn, init-openvpn | Release notes
- Add support for the Duo OpenVPN plugin for 2FA.
Published: 8/29/2019 | Modules affected: aws-config | Release notes
This release adds a module for AWS Config. The module creates an S3 bucket and an SNS topic (or accepts an existing bucket/topic) and creates a config recorder in the given region. The module does not manage Config Rules. In a future update we may add a recommended set of Config Rules.
Published: 8/29/2019 | Modules affected: cloudtrail | Release notes
- The CloudTrail S3 bucket now has public access disabled.
- S3 Server Access Logging: This release adds an option to enable Server Access Logging for the CloudTrail S3 bucket. To use this feature, set `enable_s3_server_access_logging` to `true` (defaults to `false`). The module will create a bucket for the access logs, make sure that bucket does not allow public access policies, and enable S3 Access Logging on the CloudTrail bucket, delivering to the new bucket.
- CloudWatch Logs integration: This release adds integration for CloudTrail with CloudWatch Logs. To enable this feature, provide a CloudWatch Logs group name by setting the `cloudwatch_logs_group_name` variable. The module will create the log group and configure CloudTrail accordingly.
Published: 8/21/2019 | Modules affected: iam-users | Release notes
- We've added a new module called `iam-users` that you can use to create and manage IAM users as code. The module can create IAM users, add them to IAM groups, and generate console passwords and access keys for them, encrypting each with PGP so they don't end up in plaintext in Terraform state.
Published: 8/15/2019 | Modules affected: kms-master-key, cloudtrail | Release notes
The `cloudtrail` and `kms-master-key` modules each create KMS key resources. Previously, key rotation was disabled on these keys. This change enables key rotation by default. Any existing keys will be updated in place to have key rotation enabled. If you prefer to keep key rotation disabled, set `enable_key_rotation = false`.
Published: 8/14/2019 | Modules affected: iam-groups | Release notes
- Fix a bug where, when upgrading the `iam-groups` module to tf12 with existing resources, terraform gets into a state where you can't `apply`, `plan`, or `destroy`.
Published: 8/9/2019 | Modules affected: ssh-grunt, iam-groups | Release notes
`ssh-grunt` now supports syncing multiple IAM groups (by passing `--iam-group` and `--iam-group-sudo` multiple times). When multiple groups are passed, users who are in at least one of the groups passed in will be synced to the server.
`iam-groups` now supports creating multiple `ssh-grunt` IAM groups, which can be used to differentiate between different groups of servers. Note that this is a backwards-incompatible change: see the migration guide below for more details.
Published: 8/21/2019 | Modules affected: single-server | Release notes
`single-server` now properly returns the public IP when `attach_eip` is `false`.
Published: 8/1/2019 | Modules affected: s3-static-website | Release notes
- Fix the `type` constraint on the `cors_rule` input variable in `s3-static-website`.
Published: 8/19/2019 | Modules affected: vpc-flow-logs | Release notes
- The key managers for the KMS key used to encrypt VPC flow logs must now be provided as a variable. This avoids the situation in which different users running terraform would cause the KMS key policy to be updated on each invocation.
Published: 8/12/2019 | Modules affected: vpc-flow-logs | Release notes
- Conditionally create a key (fixes #75): previously, if a KMS key was specified when creating a flow log, the module would still create an (unused) KMS key. This release fixes that issue and adds regression tests to catch related issues in the future.
Published: 8/7/2019 | Modules affected: vpc-flow-logs | Release notes
This release adds a new submodule for managing VPC Flow Logs. Flow Logs capture IP traffic information, allowing you to observe, debug, and evaluate the network traffic to and from resources in a VPC.
The module has support for the following features:
- Manage flow logs for VPCs, subnets, and Elastic Network Interfaces (ENIs)
- Publish logs to CloudWatch Logs or to an S3 bucket
- Log retention policies (for CloudWatch: log retention, for S3: lifecycle rules)
Published: 8/7/2019 | Modules affected: vpc-app-network-acls | Release notes
- The `vpc-app-network-acls` module now sets `allow_access_from_mgmt_vpc` to `false` by default. This is a saner default because (a) it's more secure and (b) `mgmt_vpc_cidr_block` is `null` by default, so if you left all parameters at their defaults, the previous default didn't actually work. If you are upgrading to this new version and you want to allow access to an app VPC from a mgmt VPC via VPC peering, you must now explicitly set `allow_access_from_mgmt_vpc` to `true`.