Skip to main content

Gruntwork release 2019-08

Guides / Update Guides / Releases / 2019-08

This page is lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2019-08. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 8/19/2019 | Release notes : Add support for bootstrapping GCP Reference Architecture. This version introduces a new set of commands under the subcommand gcp for setting up your GCP org for deploying the Gruntwork GCP Reference Architecture.



Published: 8/6/2019 | Modules affected: install-openvpn, init-openvpn | Release notes

  • Add support for Duo OpenVPN Plugin for 2fa


v0.18.5: Added aws-config module

Published: 8/29/2019 | Modules affected: aws-config | Release notes

This release adds a module for AWS Config. The module creates an S3 bucket and an SNS topic (or accepts an existing bucket/topic) and creates a config recorder in the given region. The module does not manage Config Rules. In a future update we may add a recommended set of Config Rules.

v0.18.4: Updates to the CloudTrail module

Published: 8/29/2019 | Modules affected: cloudtrail | Release notes

  • The CloudTrail S3 bucket now has public access disabled.
  • S3 Server Access Logging: This release adds an option to enable Server Access Logging for the CloudTrail S3 bucket. To use this feature, simply set enable_s3_server_access_logging to true (defaults to false). It will create a bucket for Access Logs, make sure the bucket does not allow public access policies, and enable S3 Access Logging to the new bucket on the Cloudtrail Bucket.
  • CloudWatch Logs integration: This release adds integration for CloudTrail with CloudWatch Logs. To enable this feature, provide a CloudWatch Logs group name by setting the cloudwatch_logs_group_name variable. The module will create the log group and configure CloudTrail accordingly.


Published: 8/21/2019 | Modules affected: iam-users | Release notes

  • We've added a new module called iam-users that you can use to create and manage IAM users as code. The module can create IAM users, add them to IAM groups, and generate console passwords and access keys for them, encrypting each with PGP so they don't end up in plaintext in Terraform state.

v0.18.2: Enable KMS key rotation by default

Published: 8/15/2019 | Modules affected: kms-master-key, cloudtrail | Release notes

The cloudtrail and kms-master-key modules each create KMS key resources. Previously, key rotation was disabled on these keys. This change enables key rotation by default. Any existing keys will be updated in place to have key rotation enabled. If you prefer to have to key rotation enabled, set enable_key_rotation=false


Published: 8/14/2019 | Modules affected: iam-groups | Release notes

  • Fix bug where when upgrading the iam-groups module to tf12 with existing resources, terraform gets into a state where you can't apply, plan, or destroy.


Published: 8/9/2019 | Modules affected: ssh-grunt, iam-groups | Release notes

ssh-grunt now supports passing in multiple IAM groups (by passing in --iam-group and --iam-group-sudo multiple times) to sync. When multiple groups are passed, users who are in at least one of the list of groups passed in will be synced to the server.

iam-groups now supports creating multiple ssh-grunt IAM groups that can be used to differentiate different groups of servers. Note that this is a backwards incompatible change: see the migration guide below for more details.



Published: 8/21/2019 | Modules affected: single-server | Release notes

  • single-server now properly returns the public IP when attach_eip is false.



Published: 8/1/2019 | Modules affected: s3-static-website | Release notes

  • Fix type constraint on the cors_rule input variable in s3-static-website.



Published: 8/19/2019 | Modules affected: vpc-flow-logs | Release notes

  • The key managers for a KMS key used to encrypt VPC flow logs must now be provided as a variable. This is to avoid the situation in which different users running terraform will cause updates to the KMS key policy on each invocation.


Published: 8/12/2019 | Modules affected: vpc-flow-logs | Release notes

  • Conditionally create a key (fixes #75) - previously, if a KMS key was specified when creating a flow log, the module would still create an (unused) KMS key. This release fixes that issue and adds regression tests to catch potential future related issues.


Published: 8/7/2019 | Modules affected: vpc-flow-logs | Release notes

This release adds a new submodule for managing VPC Flow Logs. Flow Logs capture IP traffic information, allowing you to observe, debug, and evaluate the network traffic to and from resources in a VPC.

The module has support for the following features:

  • Manage flow logs for VPCs, subnets, and Elastic Network Interfaces (ENIs)
  • Publish logs to CloudWatch Logs or to an S3 bucket
  • Log retention policies (for CloudWatch: log retention, for S3: lifecycle rules)


Published: 8/7/2019 | Modules affected: vpc-app-network-acls | Release notes

  • The vpc-app-network-acls module now sets allow_access_from_mgmt_vpc to false by default. This is a more sane default because (a) it's more secure and (b) mgmt_vpc_cidr_block is null by default, so if you left all parameters at their defaults, it doesn't actually work. If you are upgrading to this new version and you want to allow access to an app VPC from a mgmt VPC via VPC peering, you must now explicitly set allow_access_from_mgmt_vpc to true.