
Gruntwork release 2020-07


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-07. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

gruntwork

v0.1.4

Published: 7/1/2020 | Release notes

terraform-aws-asg

v0.9.1

Published: 7/8/2020 | Modules affected: asg-rolling-deploy | Release notes

Fix bug where asg-rolling-deploy errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.

terraform-aws-ci

v0.25.0

Published: 7/31/2020 | Modules affected: ecs-deploy-runner, infrastructure-deployer | Release notes

The ecs-deploy-runner can now be provisioned with an EC2 worker pool to use as reserved workers to speed up the initial boot sequence for the ECS deploy runner tasks.

v0.24.4

Published: 7/31/2020 | Modules affected: install-jenkins | Release notes

  • Update install-jenkins to use the new Linux Repository signing keys, as the old ones expired.

v0.24.3

Published: 7/30/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deploy-script | Release notes

The infrastructure-deploy-script now supports passing in -var-file to terraform and terragrunt.

v0.24.2

Published: 7/22/2020 | Modules affected: ecs-deploy-runner | Release notes

Add the ability to set custom tags on all the resources managed by the ecs-deploy-runner module.

v0.24.1

Published: 7/21/2020 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes

You can now disable specific containers in the standard configuration by setting the corresponding configuration option to null.

v0.24.0

Published: 7/20/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deployer, infrastructure-deploy-script | Release notes

This release enhances the ecs-deploy-runner and infrastructure-deployer CLI to support deploying generic infrastructure code beyond just terraform and terragrunt modules. Prior to this release, the ecs-deploy-runner and infrastructure-deployer CLI only supported invoking the infrastructure-deploy-script. With this release, you can install and invoke arbitrary scripts in the deploy runner container.

The following is a summary of the feature enhancements included in this release:

  • Invoke a predefined list of scripts, not just infrastructure-deploy-script. This is enforced in the container using a custom entrypoint script.
  • Ability to directly access secrets manager entries in the ECS tasks (as opposed to implicitly with environment variable injection)
  • Module for a standard configuration that includes four containers for separation of concerns and least privileges: docker-image-builder, ami-builder, terraform-planner, and terraform-applier.
  • Custom kaniko container for building docker images in ECS Fargate with support for pushing to ECR.
  • build-packer-artifact and terraform-update-variable support injecting an SSH key via Secrets Manager.
  • terraform-update-variable supports appending additional text to the commit message via the --skip-ci-flag option.
  • terraform-update-variable supports updating multiple name value pairs.
  • infrastructure-deploy-script now checks what refs are allowed to run apply.

v0.23.4

Published: 7/14/2020 | Modules affected: ecs-deploy-runner, infrastructure-deploy-script, infrastructure-deployer | Release notes

You can now set the backend-config option on the init call in the ecs-deploy-runner by passing in --backend-config to the infrastructure-deployer CLI.

v0.23.3

Published: 7/13/2020 | Modules affected: infrastructure-deploy-script, infrastructure-deployer | Release notes

infrastructure-deployer and infrastructure-deploy-script now support deploying the repo root path by passing "" for --deploy-path. This is now the default for --deploy-path when it is omitted from the CLI args.

v0.23.2

Published: 7/6/2020 | Modules affected: iam-policies | Release notes

The iam-policies module will now output the policy JSON even when the policy is not created.

v0.23.1

Published: 7/1/2020 | Modules affected: ecs-deploy-runner | Release notes

Fix bug where command-args was not flowing properly from the lambda function to the deploy script.

terraform-aws-cis-service-catalog

v0.5.0

Published: 7/30/2020 | Modules affected: cross-account-iam-roles, iam-groups, saml-iam-roles | Release notes

This release bumps the module-security package version in the iam-groups module to get:

  • The logs IAM group.
  • sts:TagSession support.

terraform-aws-data-storage

v0.15.0

Published: 7/21/2020 | Modules affected: aurora | Release notes

  • Remove an unused is_primary parameter from the aurora module. If you were passing this parameter to the module, please remove it. This is an API change only; there should be no change in behavior.

v0.14.1

Published: 7/10/2020 | Modules affected: redshift | Release notes

  • Add Redshift support.

v0.14.0

Published: 7/8/2020 | Modules affected: aurora | Release notes

  • The aurora module now sets aurora-mysql (MySQL 5.7-compatible) instead of aurora (MySQL 5.6-compatible) as the default engine. Also, updated variable descriptions and example code to better show how to run a global Aurora cluster. You can (and in most cases, probably already are!) override the default via the engine parameter.
  • The aurora module no longer ignores the password param when snapshot_identifier is set. This allows you to restore from a snapshot by setting snapshot_identifier to a value and password to null and then later to change the password by updating that param.
  • Fix a bug in the aurora module where it did not allow allow_connections_from_cidr_blocks to be set to an empty list.

terraform-aws-ecs

v0.20.10

Published: 7/31/2020 | Modules affected: ecs-cluster | Release notes

You can now conditionally shut off the ecs-cluster module using the create_resources input flag. You can also provide a base64 user data parameter for cloud-init configurations.

v0.20.9

Published: 7/31/2020 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes

  • Constrain aws provider version to 2.x.
  • Add ECS capacity provider functionality to ECS clusters.

v0.20.8

Published: 7/18/2020 | Modules affected: ecs-service | Release notes

You can now set the permissions boundary for the ECS service IAM role for ELBs.

v0.20.7

Published: 7/14/2020 | Modules affected: ecs-daemon-service | Release notes

You can now set the permission boundary on the IAM roles created in the ecs-daemon-service module.

v0.20.6

Published: 7/13/2020 | Modules affected: ecs-cluster | Release notes

The roll-out-ecs-cluster-update.py script will now directly detach the old instances from the ASG during a rollout to ensure the old instances get removed.

v0.20.5

Published: 7/9/2020 | Modules affected: ecs-cluster | Release notes

Fix bug where ecs-cluster errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.

v0.20.4

Published: 7/2/2020 | Modules affected: ecs-cluster | Release notes

  • The ecs-cluster module now supports block device encryption using the new cluster_instance_root_volume_encrypted input variable.

terraform-aws-eks

v0.21.0

Published: 7/22/2020 | Modules affected: eks-cluster-control-plane | Release notes

The upgrade scripts for eks-cluster-control-plane now support upgrading to Kubernetes 1.17. Note that in the process, the AWS VPC CNI version was also updated for ALL kubernetes versions to match expectations with AWS. This means that the CNI controller will be automatically updated when migrating to this version. This should not cause any issue for your cluster, but you may experience some network connectivity issues on new pods as the switch over is happening.

v0.20.4

Published: 7/8/2020 | Modules affected: eks-cluster-workers | Release notes

Fix bug where eks-cluster-workers errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.

terraform-aws-load-balancer

v0.20.2

Published: 7/17/2020 | Modules affected: lb-listener-rules | Release notes

  • Add the Load Balancer Listener Rules module, an alternative to creating lb_listener_rule resources directly in Terraform. This is convenient, for example, when configuring listener rules in a Terragrunt configuration.

terraform-aws-monitoring

v0.22.1

Published: 7/30/2020 | Modules affected: alarms/route53-health-check-alarms | Release notes

  • Fix alarm_configs type.

v0.22.0

Published: 7/28/2020 | Modules affected: metrics/cloudwatch-memory-disk-metrics-scripts, alarms/route53-health-check-alarms | Release notes

  • Add unzip, which is needed on Amazon Linux 2.
  • Allow route53-health-check-alarms to create multiple resources

terraform-aws-openvpn

v0.10.0

Published: 7/29/2020 | Modules affected: openvpn-server | Release notes

This release updates the var.subnet_id variable to a list, var.subnet_ids, to permit the ASG to use more than one subnet.

terraform-aws-sam

v0.2.1

Published: 7/4/2020 | Modules affected: gruntsam | Release notes

  • Fixed a bug where gruntsam could generate aws_api_gateway_method_response resources in a different order each time you ran it, leading to spurious diffs in version control.
  • Fixed a bug where gruntsam would silently ignore errors in launching AWS SAM Local.

terraform-aws-security

v0.34.2

Published: 7/31/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes

This release adds a role with permissions only to access support, as required by the CIS AWS Foundations Benchmark. Previously, this permission was available in iam-groups, but not as an IAM role.

v0.34.1

Published: 7/21/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config | Release notes

  • Add missing AWS service access principal to account-baseline-root. This should get rid of a spurious diff in the plan.
  • Removed the aws_organizations_organization data source from account-baseline-root, as on the very first apply, the AWS organization may not exist yet!
  • Fixed several typos and copy paste errors in the Landing Zone Deployment Guide.
  • Allow enabling, disabling, and naming all IAM groups in account-baseline-security. The module now exposes should_create_iam_group_xxx and iam_group_name_xxx input parameters for every group xxx we support (e.g., full-access, read-only, billing, etc).
  • Converted AWSConfigSNSPublishPolicy in the aws-config module from a standalone IAM policy to an inline policy. This avoids name conflicts in case you deploy this more than once. Be aware that when you apply this module (or any of the account-baseline-xxx modules that use it under the hood), it is expected that it will delete the standalone policy and recreate it as an inline policy.

v0.34.0

Published: 7/20/2020 | Modules affected: account-baseline-root, account-baseline-app, account-baseline-security, aws-config-multi-region | Release notes

  • Updated account-baseline-root to allow you to turn off AWS Config and CloudTrail entirely. This is necessary if you want to aggregate AWS Config and CloudTrail data in a child account (e.g., a dedicated logs account), but that child account doesn't initially exist and doesn't contain S3 buckets / KMS CMKs when you first run apply. Now you can run apply initially with AWS Config and CloudTrail disabled, create all the child accounts, apply a security baseline to each child account (including creating the necessary S3 buckets and KMS CMKs), turn AWS Config and CloudTrail back on in the root account, and run apply again. Also, fixed a bug so that this module now uses the KMS key specified via the cloudtrail_kms_key_arn input parameter rather than creating its own KMS master key for encrypting CloudTrail data. See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.

  • Updated account-baseline-app so that, depending on the settings you pass in, it can either store AWS Config and CloudTrail data locally (e.g., if this is a dedicated account for aggregating logs) or send that data to a separate account (e.g., if this is an app account such as dev, stage, or prod). See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.

  • Updated account-baseline-security to allow configuring it to send AWS Config and CloudTrail data to an external account (e.g., a separate logs account). Also, fixed a bug where it wasn't setting the config_linked_accounts parameter correctly, which made AWS Config data not work correctly if trying to use the security account itself for aggregation. See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.

  • Updated all account-baseline-xxx modules to, by default, send CloudTrail data not only to an S3 bucket (e.g., for aggregation in a logs account) but also CloudWatch Logs in the current account (for easy debugging).

  • Updated the aws-config-multi-region, aws-organizations-config-rules, and cloudtrail modules with a create_resources parameter you can set to false to disable the module entirely. This is a stopgap until Terraform 0.13 is generally available with support for using count and for_each on module blocks.

v0.33.2

Published: 7/17/2020 | Modules affected: iam-policies | Release notes

Adds the sts:TagSession permission to the allow_access_to_other_accounts IAM policy. This will allow session tags. As an example, this is used with the "Configure AWS Credentials" GitHub action.

v0.33.1

Published: 7/17/2020 | Modules affected: account-baseline-security, kms-master-key-multi-region | Release notes

  • Fix a syntactic error in account-baseline-security that prevented the module from working. Also, fix some test failures that obscured this.

v0.33.0

Published: 7/16/2020 | Modules affected: account-baseline-app, account-baseline-security, aws-auth, kms-master-key | Release notes

When creating a CMK using the kms-master-key module, you can now provide IAM conditions for the key users. Previously, the module only accepted a list of users, and did not accept any conditions.

v0.32.5

Published: 7/4/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes

  • Added a new logs IAM policy, IAM group, and IAM role that grants access to logs in CloudTrail, AWS Config, and CloudWatch.

v0.32.4

Published: 7/3/2020 | Release notes

  • Fix ssh_key param in one of the examples so that tests will pass. No modules were changed.

terraform-aws-server

v0.8.4

Published: 7/30/2020 | Modules affected: ec2-backup | Release notes

  • [NEW MODULE]: EC2 backup. This module makes it easy to deploy a data lifecycle manager that automatically creates snapshots of your EBS volumes at configurable intervals.

terraform-aws-static-assets

v0.6.5

Published: 7/7/2020 | Modules affected: s3-cloudfront, s3-static-website | Release notes

  • s3-cloudfront
  • s3-static-website
  • Accept new variables base_domain_name and base_domain_name_tags to lookup the relevant hosted zone so that hosted_zone_id need not be provided.
  • Patch default variable for hosted_zone_ids to be null.

v0.6.4

Published: 7/7/2020 | Modules affected: s3-cloudfront, s3-static-website | Release notes

  • Accept new variables base_domain_name and base_domain_name_tags to lookup the relevant hosted zone so that hosted_zone_id need not be provided.

terraform-aws-utilities

v0.2.1

Published: 7/17/2020 | Modules affected: instance-type | Release notes

  • Added a new instance-type module that can tell you which of a list of instance types are available in all AZs in the current AWS region.

terraform-aws-vpc

v0.9.2

Published: 7/29/2020 | Modules affected: vpc-mgmt | Release notes

vpc-mgmt now accepts the create_resources variable to determine whether or not to create resources. This will be useful until Terraform 0.13 is released with support for count on module blocks, at which point the create_resources functionality will be removed from all Gruntwork modules.

v0.9.1

Published: 7/27/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes

This release adds subnet ARNs to the outputs for vpc-app and vpc-mgmt.

v0.9.0

Published: 7/13/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes

  • Switch the vpc-app and vpc-mgmt modules from using the deprecated blacklisted_names and blacklisted_zone_ids parameters to the new exclude_names and exclude_zone_ids parameters.

v0.8.12

Published: 7/2/2020 | Modules affected: vpc-interface-endpoint | Release notes

Add Glue support to vpc-interface-endpoint.

v0.8.11

Published: 7/1/2020 | Modules affected: vpc-app | Release notes

  • You can now disable VPC endpoints in the vpc-app module by setting the create_vpc_endpoints variable to false.