Skip to main content

Gruntwork release 2020-04

Guides / Update Guides / Releases / 2020-04

This page is lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-04. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 4/17/2020 | Modules affected: ecs-deploy-runner, infrastructure-deploy-script | Release notes

  • Dockerfile for infrastructure-deploy-script now includes in known_hosts list.
  • Fix bug where v0.18.5 was incompatible with previous versions of infrastructure-deployer.


Published: 4/8/2020 | Modules affected: infrastructure-deployer, infrastructure-deploy-script, ecs-deploy-runner | Release notes

The ECS Deploy Runner stack now supports passing in a limited selection of command arguments to the underlying terraform/terragrunt commands.



Published: 4/10/2020 | Modules affected: ecs-service | Release notes

This release adds support for specifying multiple target groups with the ECS service, allowing you to link multiple ALBs and NLBs with your service. See the new docker-service-with-alb-and-nlb example for an example of how to associate multiple ALB/NLBs with the service.

Note that this is a backwards incompatible change. Review the migration guide below for how to migrate to this version without downtime.



Published: 4/11/2020 | Modules affected: eks-cluster-managed-workers | Release notes

You can now disable module calls to eks-cluster-managed-workers by setting create_resources = false. This allows you to implement conditional logic to turn on or off a module block in your terraform module.


Published: 4/10/2020 | Modules affected: eks-k8s-cluster-autoscaler | Release notes

You can now specify the docker repository to use for sourcing the cluster-autoscaler. Recent versions of the cluster-autoscaler is now region sensitive and you must pull from the corresponding repository.


NOTE: This release will cause a redeploy of the cluster-autoscaler, but since it is a stateless application, there is no risk of loss of data or functionality during the transition.


Published: 4/10/2020 | Modules affected: eks-cluster-workers | Release notes

Fix eks-cluster-workers to use properly use var.custom_tags_security_group to allow custom tags for SG.


Published: 4/8/2020 | Modules affected: eks-cluster-control-plane | Release notes

When upgrading from Kubernetes version 1.13 to 1.15, the coredns containers get updated to the latest version. In the newer versions of coredns, the configuration has a backwards incompatible change that was previously unhandled in the upgrade scripts. This release fixes that issue such that it will reformat the configuration to match expectations of later coredns versions.


Published: 4/6/2020 | Modules affected: eks-k8s-cluster-autoscaler-iam-policy | Release notes

The outputs for eks-k8s-cluster-autoscaler-iam-policy are now computed in a manner that is more robust to loss of credentials during an apply.



Published: 4/29/2020 | Modules affected: lambda, lambda-edge | Release notes

Both lambda and lambda-edge now support setting reserved_concurrent_executions on the underlying Lambda function.


Published: 4/27/2020 | Modules affected: scheduled-lambda-job, lambda, lambda-edge | Release notes

  • The lambda-edge module will now apply tags passed to it via the tags input variable to its IAM role.
  • The lambda module will now apply tags passed to it via the tags input variable to its IAM role and Security Group.
  • The scheduled-lambda-job module now exposes a new tags input variable which can be used to apply tags to the CloudWatch Event Rule it creates. This module now also outputs the Event Rule ARN and schedule via the output variables event_rule_arn and event_rule_schedule, respectively.



Published: 4/20/2020 | Modules affected: acm-tls-certificate | Release notes

This release introduces improvements to the module, including the ability to look up Route53 public zones by name when a hosted_zone_id is not supplied.

This release also introduces 3 new optional variables to assist with keeping your config dry:

  • global_tags - tags that will be applied to all certificates
  • default_verify_certificate - set to true to verify all your certificates
  • default_create_verification_record - set to true to create the necessary DNS records for certificate verification

See the file for more information


Published: 4/2/2020 | Modules affected: alb | Release notes

Add support for the new drop_invalid_header_fields option in the aws_lb resource.



Published: 4/9/2020 | Modules affected: sns | Release notes

You can now add tags to the SNS topic created by the sns module.



Published: 4/28/2020 | Modules affected: metrics/cloudwatch-dashboard | Release notes

The cloudwatch-dashboard module now supports managing multiple dashboards in one module.


Published: 4/24/2020 | Modules affected: alarms | Release notes

  • Added datapoints_to_alarm variable to ecs-service-alarms module: Addresses the module 'ecs-service-alarms' didn't pass through customizations to the variable 'datapoints_to_alarm'.


Published: 4/16/2020 | Modules affected: alarms | Release notes

In the sns-to-slack module, resources can now be optionally created using the create_resources boolean variable. Set the variable to false to have the module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the Lambda function and other resources should be created or not.


Published: 4/9/2020 | Modules affected: alarms | Release notes

  • Fix a bug in the alb-alarms module where for "low" thresholds (e.g., low request count) it was using GreaterThanThreshold instead of LessThanThreshold.


Published: 4/2/2020 | Modules affected: alarms | Release notes

  • Fix a bug in the rds_disk_space_available alarm where it would be enabled, incorrectly, for Aurora instances.



Published: 4/3/2020 | Modules affected: openvpn-server | Release notes

This release fixes a bug in which if the Elastic IP associated with the OpenVPN Server was deleted, Terraform would throw an invalid index error.

Thanks to @syndbg for the contribution!



Published: 4/28/2020 | Modules affected: ssh-grunt, kms-master-key, kms-master-key-multi-region, guardduty-multi-region | Release notes

  • ssh-grunt sync every 5 minutes by default rather than every 30 minutes.

  • The cloudtrail and kms-master-key modules now accept a dependencies variable. This can be used to create a dependency between this module and resources created outside of this module. For example, you might need to create a dependency between the cloudtrail module and an IAM user created using the iam-user module because you want to name the user in the KMS key policy.

dependencies = values(module.iam_users.user_arns)

Now each resource in the cloudtrail module will depend on these ARNs.

  • The custom-iam-entity module now accepts the max_session_duration argument.

  • The multi-region modules (aws-config-multi-region, guardduty-multi-region, and kms-master-key-multi-region) have been updated to use the recently released aws_regions data source. Previously, regions were discovered with the get-enabled-regions python program.


Published: 4/16/2020 | Modules affected: ssh-grunt | Release notes

The behavior of ssh-grunt has changed with regards to its handling of duplicate users. Previously, if multiple IAM users resulted in the same clean OS username (e.g. ben and both result in ben for the OS username), ssh-grunt would exit with an error. This had the unfortunate side effect of requiring the administrator to log in as the default user to diagnose the issue.

The behavior has changed such that processing will now continue for all other IAM users. If a duplicate occurs, neither wins (in the example above, neither ben nor would win), but any additional users will still sync.


Published: 4/14/2020 | Modules affected: kms-master-key | Release notes

  • Fix dynamic statement creation in kms-master-key so that the optional released in v0.28.3 work properly.


Published: 4/9/2020 | Modules affected: kms-master-key, kms-master-key-multi-region, account-baseline-security, account-baseline-app | Release notes

  • You can now grant Service Principals (e.g., "") access to your KMS CMKs by setting the cmk_service_principals parameter and specifying the actions those Service Principals will be allowed to do via a new service_principal_actions input variable.


Published: 4/7/2020 | Modules affected: kms-master-key | Release notes

  • All the parameters passed to the customer_master_keys variable of the kms-master-key module are now optional instead of required. The module will now only add IAM policy statements for the parameters that are actually set.


Published: 4/3/2020 | Release notes

This fixes our automation process so that binaries will be attached to releases.


Published: 4/3/2020 | Modules affected: aws-config, cloudtrail | Release notes

Since AWS provider 2.0, setting num_days_after_which_delete_log_data = 0 no longer works and leads to a provider schema error. This meant that there was no way to configure S3 buckets to never delete data. Starting with this release, you can now prevent deletion of data in S3 for aws-config and cloudtrail by setting the respective variables to null.


Published: 4/1/2020 | Modules affected: iam-policies, iam-groups, account-baseline-security, account-baseline-root | Release notes

  • Account baseline modules now support managing KMS Customer Master Keys.
  • You can now specify multiple IAM roles for managing cross account access IAM groups.



Published: 4/9/2020 | Modules affected: single-server | Release notes

  • The single-server module now applies the tags passed in via the tags input variable to the EIP and IAM Role resources it creates.



Published: 4/13/2020 | Modules affected: s3-cloudfront | Release notes

  • You can now control the suffix appended to the access logs S3 bucket using the new optional input variable access_logs_bucket_suffix.



Published: 4/30/2020 | Modules affected: operating-system | Release notes

  • Fully rely on Python to determine the path separator. This is an internal refactor to make the code cleaner and safer and should have no impact on external behavior.



Published: 4/8/2020 | Modules affected: vpc-interface-endpoint | Release notes

  • vpc-interface-endpoint

This new module allows to create a VPC Interface Endpoint to connect services within your VPC without needing to create NAT Gateways neither private gateway. Previously, only VPC Gateway Endpoints (S3 and DynamoDB) were permitted.