Gruntwork release 2020-07
Guides / Update Guides / Releases / 2020-07
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2020-07. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 7/1/2020 | Release notes
Published: 7/8/2020 | Modules affected: asg-rolling-deploy | Release notes
Fix bug where asg-rolling-deploy
errors out on the aws_autoscaling_group
resource in AWS provider versions >v2.63.0.
Published: 7/31/2020 | Modules affected: ecs-deploy-runner, infrastructure-deployer | Release notes
The ecs-deploy-runner
can now be provisioned with an EC2 worker pool to use as reserved workers to speed up the initial boot sequence for the ECS deploy runner tasks.
Published: 7/31/2020 | Modules affected: install-jenkins | Release notes
- Update
install-jenkins
to use the new Linux Repository signing keys, as the old ones expired.
Published: 7/30/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deploy-script | Release notes
The infrastructure-deploy-script
now supports passing in -var-file
to terraform
and terragrunt
.
Published: 7/22/2020 | Modules affected: ecs-deploy-runner | Release notes
Add the ability to set custom tags on all the resources managed by the ecs-deploy-runner
module.
Published: 7/21/2020 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes
You can now disable specific containers in the standard configuration by setting the corresponding configuration option to null
.
Published: 7/20/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deployer, infrastructure-deploy-script | Release notes
This release enhances the ecs-deploy-runner
and infrastructure-deployer
CLI to support deploying generic infrastructure code beyond just terraform
and terragrunt
modules. Prior to this release, the ecs-deploy-runner
and infrastructure-deployer
CLI only supported invoking the infrastructure-deploy-script
. With this release, you can install and invoke arbitrary scripts in the deploy runner container.
The following is a summary of the feature enhancements included in this release:
- Invoke predefined list of scripts, not just
infrastructure-deploy-script
. Enforced in container using a custom entrypoint script.
- Ability to directly access secrets manager entries in the ECS tasks (as opposed to implicitly with environment variable injection)
- Module for a standard configuration that includes four containers for separation of concerns and least privileges:
docker-image-builder
, ami-builder
, terraform-planner
, and terraform-applier
.
- Custom
kaniko
container for building docker images in ECS Fargate with support for pushing to ECR.
build-packer-artifact
and terraform-update-variable
supports injecting SSH key via secrets manager.
terraform-update-variable
supports appending additional text to the commit message via the --skip-ci-flag
option.
terraform-update-variable
supports updating multiple name value pairs.
infrastructure-deploy-script
now checks what refs are allowed to run apply
.
Published: 7/14/2020 | Modules affected: ecs-deploy-runner, infrastructure-deploy-script, infrastructure-deployer | Release notes
You can now set the backend-config
option on the init
call in the ecs-deploy-runner
by passing in --backend-config
to the infrastructure-deployer
CLI.
Published: 7/13/2020 | Modules affected: infrastructure-deploy-script, infrastructure-deployer | Release notes
infrastructure-deployer
and infrastructure-deploy-script
now supports deploying the repo root path using ""
for --deploy-path
. This is now the default for --deploy-path
when it is omitted from the CLI args.
Published: 7/6/2020 | Modules affected: iam-policies | Release notes
The iam-policies
modules will now output the policy JSON even when the policy is not created.
Published: 7/1/2020 | Modules affected: ecs-deploy-runner | Release notes
Fix bug where command-args
was not flowing properly from the lambda function to the deploy script.
Published: 7/30/2020 | Modules affected: cross-account-iam-roles, iam-groups, saml-iam-roles | Release notes
This release bumps the module-security package version in the iam-groups
module to get:
logs
groups.
sts:TagSession
support.
Published: 7/21/2020 | Modules affected: aurora | Release notes
- Remove an unused
is_primary
parameter from the aurora
module. If you were passing this parameter to the module, please remove it. This is an API change only; there should be no change in behavior.
Published: 7/10/2020 | Modules affected: redshift | Release notes
Published: 7/8/2020 | Modules affected: aurora | Release notes
- The
aurora
module now sets aurora-mysql
(MySQL 5.7-compatible) instead of aurora
(MySQL 5.6-compatible) as the default engine. Also, updated variable descriptions and example code to better show how to run a global Aurora cluster. You can (and in most cases, probably already are!) override the default via the engine
parameter.
- The
aurora
module no longer ignores the password
param when snapshot_identifier
is set. This allows you to restore from a snapshot by setting snapshot_identifier
to a value and password
to null
and then later to change the password
by updating that param.
- Fix a bug in the
aurora
module where it did not allow allow_connections_from_cidr_blocks
to be set to an empty list.
Published: 7/31/2020 | Modules affected: ecs-cluster | Release notes
You can now conditionally shut off the ecs-cluster
module using the create_resources
input flag. You can also provide a base64 user data parameter for cloud-init configurations.
Published: 7/31/2020 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
- Constrain aws provider version to 2.x.
- Add ECS capacity provider functionality to ECS clusters.
Published: 7/18/2020 | Modules affected: ecs-service | Release notes
You can now set the permissions boundary for the ECS service IAM role for ELBs.
Published: 7/14/2020 | Modules affected: ecs-daemon-service | Release notes
You can now set the permission boundary on the IAM roles created in the ecs-daemon-service
module.
Published: 7/13/2020 | Modules affected: ecs-cluster | Release notes
The roll-out-ecs-cluster-update.py
script will now directly detach the old instances from ASG in a rollout to ensure the old ones get removed.
Published: 7/9/2020 | Modules affected: ecs-cluster | Release notes
Fix bug where ecs-cluster
errors out on the aws_autoscaling_group
resource in AWS provider versions >v2.63.0.
Published: 7/2/2020 | Modules affected: ecs-cluster | Release notes
- The
ecs-cluster
module now supports block device encryption using the new cluster_instance_root_volume_encrypted
input variable.
Published: 7/22/2020 | Modules affected: eks-cluster-control-plane | Release notes
The upgrade scripts for eks-cluster-control-plane
now support upgrading to Kubernetes 1.17. Note that in the process, the AWS VPC CNI version was also updated for ALL kubernetes versions to match expectations with AWS. This means that the CNI controller will be automatically updated when migrating to this version. This should not cause any issue for your cluster, but you may experience some network connectivity issues on new pods as the switch over is happening.
Published: 7/8/2020 | Modules affected: eks-cluster-workers | Release notes
Fix bug where eks-cluster-workers
errors out on the aws_autoscaling_group
resource in AWS provider versions >v2.63.0.
Published: 7/17/2020 | Modules affected: lb-listener-rules | Release notes
- Add Load Balancer Listener Rules module, which is an alternative to creating lb_listener_rule resources directly in Terraform, which can be convenient, for example, when configuring listener rules in a Terragrunt configuration.
Published: 7/30/2020 | Modules affected: alarms/route53-health-check-alarms | Release notes
Published: 7/28/2020 | Modules affected: metrics/cloudwatch-memory-disk-metrics-scripts, alarms/route53-health-check-alarms | Release notes
- Add unzip to needed for Amazon Linux 2
- Allow route53-health-check-alarms to create multiple resources
Published: 7/29/2020 | Modules affected: openvpn-server | Release notes
This release updates the var.subnet_id
variable to a list, var.subnet_ids
, to permit the ASG to use more than one subnet.
Published: 7/4/2020 | Modules affected: gruntsam, gruntsam | Release notes
-
Fixed a bug where gruntsam
could generate aws_api_gateway_method_response
resources in a different order each time you ran it, leading to spurious diffs in version control.
-
Fixed a bug where gruntsam
would silently ignore errors in launching AWS SAM Local.
-
Fixed a bug where gruntsam
could generate aws_api_gateway_method_response
resources in a different order each time you ran it, leading to spurious diffs in version control.
-
Fixed a bug where gruntsam
would silently ignore errors in launching AWS SAM Local.
Published: 7/31/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes
This release adds a role with permissions only to access support, as required by the CIS AWS Foundations Benchmark. Previously, this permission was available in iam-groups
, but not as an IAM role.
Published: 7/21/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config | Release notes
- Add missing AWS service access principal to
account-baseline-root
. This should get rid of a spurious diff in the plan
.
- Removed the
aws_organizations_organization
data source from account-baseline-root
, as on the very first apply
, the AWS organization may not exist yet!
- Fixed several typos and copy paste errors in the Landing Zone Deployment Guide.
- Allow enabling, disabling, and naming all IAM groups in
account-baseline-security
. The module now exposes should_create_iam_group_xxx
and iam_group_name_xxx
input parameters for every group xxx
we support (e.g., full-access
, read-only
, billing
, etc).
- Converted
AWSConfigSNSPublishPolicy
in the aws-config
module from a standalone IAM policy to an inline policy. This avoids name conflicts in case you deploy this more than once. Be aware that when you apply
this module (or any of the account-baseline-xxx
modules that use it under the hood), it is expected that it will delete the standalone policy and recreate it as an inline policy.
Published: 7/20/2020 | Modules affected: account-baseline-root, account-baseline-app, account-baseline-security, aws-config-multi-region | Release notes
-
Updated account-baseline-root
to allow you to turn off AWS Config and CloudTrail entirely. This is necessary
if you want to aggregate AWS Config and CloudTrail data in a child account (e.g., a dedicated logs account), but
that child account doesn't initially exist and doesn't contain S3 buckets / KMS CMKs when you first run apply
.
Now you can run apply
initially with AWS Config and CloudTrail disabled, create all the child accounts, apply a
security baseline to each child account (including creating the necessary S3 buckets and KMS CMKs), turn AWS Config
and CloudTrail back on in the root account, and run apply
again. Also, fixed a bug where this module will now
use the KMS key specified via the cloudtrail_kms_key_arn
input parameter rather than creating its own KMS master
key for encrypting CloudTrail data. See the Deployment Guide for the recommended configuration if deploying from
scratch. See the Migration Guide if you're updating an existing deployment.
-
Updated account-baseline-app
so that, depending on the settings you pass in, it can either store AWS Config and
CloudTrail data locally (e.g., if this is a dedicated account for aggregating logs) or send that data to a separate
account (e.g., if this is an app account such a dev, stage, or prod). See the Deployment Guide for the recommended
configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.
-
Updated account-baseline-security
to allow configuring it to send AWS Config and CloudTrail data to an external
account (e.g., a separate logs account). Also, fixed a bug where it wasn't setting the config_linked_accounts
parameter correctly, which made AWS Config data not work correctly if trying to use the security account itself for
aggregation. See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration
Guide if you're updating an existing deployment.
-
Updated all account-baseline-xxx
modules to, by default, send CloudTrail data not only to an S3 bucket (e.g., for
aggregation in a logs account) but also CloudWatch Logs in the current account (for easy debugging).
-
Updated the aws-config-multi-region
, aws-organizations-config-rules
, and cloudtrail
modules with a
create_resources
parameter you can set to false
to disable the module entirely. This is a stopgap until Terraform
0.13 is generally available with support for using count
and for_each
on module
.
Published: 7/17/2020 | Modules affected: iam-policies | Release notes
Published: 7/17/2020 | Modules affected: account-baseline-security, kms-master-key-multi-region | Release notes
- Fix a syntactic error in
account-baseline-security
that prevented the module from working. Also, fix some test failures that obscured this.
Published: 7/16/2020 | Modules affected: account-baseline-app, account-baseline-security, aws-auth, kms-master-key | Release notes
When creating a CMK using the kms-master-key
module, you can now provide IAM conditions for the key users. Previously, the module only accepted a list of users, and did not accept any conditions.
Published: 7/4/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes
- Added a new
logs
IAM policy, IAM group, and IAM role that grants access to logs in CloudTrail, AWS Config, and CloudWatch.
Published: 7/3/2020 | Release notes
- Fix
ssh_key
param in one of the examples so that tests will pass. No modules were changed.
Published: 7/30/2020 | Modules affected: ec2-backup | Release notes
- [NEW MODULE]: EC2 backup. This module makes it easy to deploy a data lifecycle manager that automatically creates snapshots of your EBS volumes at configurable intervals.
Published: 7/7/2020 | Modules affected: s3-cloudfront, s3-static-website | Release notes
Published: 7/7/2020 | Modules affected: s3-cloudfront, s3-static-website | Release notes
- Accept new variables
base_domain_name
and base_domain_name_tags
to lookup the relevant hosted zone so that hosted_zone_id
need not be provided.
Published: 7/17/2020 | Modules affected: instance-type | Release notes
- Added a new
instance-type
module that can tell you which of a list of instance types are available in all AZs in the current AWS region.
Published: 7/29/2020 | Modules affected: vpc-mgmt | Release notes
vpc-mgmt
now accepts the create_resources
variable to determine whether or not to create resources. This will be useful until TF 0.13 release support for count
on module blocks, at which point the create_resources
functionality will be removed from all Gruntwork modules.
Published: 7/27/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
This release adds subnet ARNs to the outputs for vpc-app
and vpc-mgmt
.
Published: 7/13/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
- Switch the
vpc-app
and vpc-mgmt
modules from using the deprecated blacklisted_names
and blacklisted_zone_ids
parameters to the new exclude_names
and exclude_zone_ids
parameters.
Published: 7/2/2020 | Modules affected: vpc-interface-endpoint | Release notes
add glue support to vpc-interface-endpoint
Published: 7/1/2020 | Modules affected: vpc-app | Release notes
- You can now disable VPC endpoints in the
vpc-app
module by setting the create_vpc_endpoints
variable to false
.