Gruntwork release 2020-07
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-07. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 7/1/2020 | Release notes
Published: 7/8/2020 | Modules affected: asg-rolling-deploy | Release notes
Fix bug where asg-rolling-deploy errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.
Published: 7/31/2020 | Modules affected: ecs-deploy-runner, infrastructure-deployer | Release notes
The ecs-deploy-runner can now be provisioned with an EC2 worker pool to use as reserved workers to speed up the initial boot sequence for the ECS deploy runner tasks.
Published: 7/31/2020 | Modules affected: install-jenkins | Release notes
- Update install-jenkins to use the new Linux Repository signing keys, as the old ones expired.
Published: 7/30/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deploy-script | Release notes
The infrastructure-deploy-script now supports passing in -var-file to terraform and terragrunt.
Published: 7/22/2020 | Modules affected: ecs-deploy-runner | Release notes
Add the ability to set custom tags on all the resources managed by the ecs-deploy-runner module.
Published: 7/21/2020 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes
You can now disable specific containers in the standard configuration by setting the corresponding configuration option to null.
Published: 7/20/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deployer, infrastructure-deploy-script | Release notes
This release enhances the ecs-deploy-runner and infrastructure-deployer CLI to support deploying generic infrastructure code beyond just terraform and terragrunt modules. Prior to this release, the ecs-deploy-runner and infrastructure-deployer CLI only supported invoking the infrastructure-deploy-script. With this release, you can install and invoke arbitrary scripts in the deploy runner container.
The following is a summary of the feature enhancements included in this release:
- Invoke a predefined list of scripts, not just infrastructure-deploy-script. This is enforced in the container using a custom entrypoint script.
- Ability to directly access Secrets Manager entries in the ECS tasks (as opposed to implicitly with environment variable injection).
- Module for a standard configuration that includes four containers for separation of concerns and least privilege: docker-image-builder, ami-builder, terraform-planner, and terraform-applier.
- Custom kaniko container for building Docker images in ECS Fargate with support for pushing to ECR.
- build-packer-artifact and terraform-update-variable support injecting an SSH key via Secrets Manager.
- terraform-update-variable supports appending additional text to the commit message via the --skip-ci-flag option.
- terraform-update-variable supports updating multiple name-value pairs.
- infrastructure-deploy-script now checks which refs are allowed to run apply.
Published: 7/14/2020 | Modules affected: ecs-deploy-runner, infrastructure-deploy-script, infrastructure-deployer | Release notes
You can now set the backend-config option on the init call in the ecs-deploy-runner by passing in --backend-config to the infrastructure-deployer CLI.
Published: 7/13/2020 | Modules affected: infrastructure-deploy-script, infrastructure-deployer | Release notes
infrastructure-deployer and infrastructure-deploy-script now support deploying the repo root path using "" for --deploy-path. This is now the default for --deploy-path when it is omitted from the CLI args.
Published: 7/6/2020 | Modules affected: iam-policies | Release notes
The iam-policies module will now output the policy JSON even when the policy is not created.
Published: 7/1/2020 | Modules affected: ecs-deploy-runner | Release notes
Fix bug where command-args was not flowing properly from the lambda function to the deploy script.
Published: 7/30/2020 | Modules affected: cross-account-iam-roles, iam-groups, saml-iam-roles | Release notes
This release bumps the module-security package version in the iam-groups module to get:
- logs groups.
- sts:TagSession support.
Published: 7/21/2020 | Modules affected: aurora | Release notes
- Remove an unused is_primary parameter from the aurora module. If you were passing this parameter to the module, please remove it. This is an API change only; there should be no change in behavior.
Published: 7/10/2020 | Modules affected: redshift | Release notes
Published: 7/8/2020 | Modules affected: aurora | Release notes
- The aurora module now sets aurora-mysql (MySQL 5.7-compatible) instead of aurora (MySQL 5.6-compatible) as the default engine. Also, updated variable descriptions and example code to better show how to run a global Aurora cluster. You can (and in most cases, probably already are!) override the default via the engine parameter.
- The aurora module no longer ignores the password param when snapshot_identifier is set. This allows you to restore from a snapshot by setting snapshot_identifier to a value and password to null, and then later change the password by updating that param.
- Fix a bug in the aurora module where it did not allow allow_connections_from_cidr_blocks to be set to an empty list.
Published: 7/31/2020 | Modules affected: ecs-cluster | Release notes
You can now conditionally shut off the ecs-cluster module using the create_resources input flag. You can also provide a base64 user data parameter for cloud-init configurations.
Published: 7/31/2020 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
- Constrain aws provider version to 2.x.
- Add ECS capacity provider functionality to ECS clusters.
Published: 7/18/2020 | Modules affected: ecs-service | Release notes
You can now set the permissions boundary for the ECS service IAM role for ELBs.
Published: 7/14/2020 | Modules affected: ecs-daemon-service | Release notes
You can now set the permission boundary on the IAM roles created in the ecs-daemon-service module.
Published: 7/13/2020 | Modules affected: ecs-cluster | Release notes
The roll-out-ecs-cluster-update.py script will now directly detach the old instances from the ASG in a rollout to ensure the old ones get removed.
Published: 7/9/2020 | Modules affected: ecs-cluster | Release notes
Fix bug where ecs-cluster errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.
Published: 7/2/2020 | Modules affected: ecs-cluster | Release notes
- The ecs-cluster module now supports block device encryption using the new cluster_instance_root_volume_encrypted input variable.
Published: 7/22/2020 | Modules affected: eks-cluster-control-plane | Release notes
The upgrade scripts for eks-cluster-control-plane now support upgrading to Kubernetes 1.17. Note that in the process, the AWS VPC CNI version was also updated for ALL Kubernetes versions to match expectations with AWS. This means that the CNI controller will be automatically updated when migrating to this version. This should not cause any issue for your cluster, but you may experience some network connectivity issues on new pods as the switch over is happening.
Published: 7/8/2020 | Modules affected: eks-cluster-workers | Release notes
Fix bug where eks-cluster-workers errors out on the aws_autoscaling_group resource in AWS provider versions >v2.63.0.
Published: 7/17/2020 | Modules affected: lb-listener-rules | Release notes
- Add Load Balancer Listener Rules module, which is an alternative to creating lb_listener_rule resources directly in Terraform, which can be convenient, for example, when configuring listener rules in a Terragrunt configuration.
Published: 7/30/2020 | Modules affected: alarms/route53-health-check-alarms | Release notes
Published: 7/28/2020 | Modules affected: metrics/cloudwatch-memory-disk-metrics-scripts, alarms/route53-health-check-alarms | Release notes
- Add unzip, which is needed for Amazon Linux 2
- Allow route53-health-check-alarms to create multiple resources
Published: 7/29/2020 | Modules affected: openvpn-server | Release notes
This release updates the var.subnet_id variable to a list, var.subnet_ids, to permit the ASG to use more than one subnet.
Published: 7/4/2020 | Modules affected: gruntsam | Release notes
- Fixed a bug where gruntsam could generate aws_api_gateway_method_response resources in a different order each time you ran it, leading to spurious diffs in version control.
- Fixed a bug where gruntsam would silently ignore errors in launching AWS SAM Local.
Published: 7/31/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes
This release adds a role with permissions only to access support, as required by the CIS AWS Foundations Benchmark. Previously, this permission was available in iam-groups, but not as an IAM role.
Published: 7/21/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config | Release notes
- Add missing AWS service access principal to account-baseline-root. This should get rid of a spurious diff in the plan.
- Removed the aws_organizations_organization data source from account-baseline-root, as on the very first apply, the AWS organization may not exist yet!
- Fixed several typos and copy paste errors in the Landing Zone Deployment Guide.
- Allow enabling, disabling, and naming all IAM groups in account-baseline-security. The module now exposes should_create_iam_group_xxx and iam_group_name_xxx input parameters for every group xxx we support (e.g., full-access, read-only, billing, etc).
- Converted AWSConfigSNSPublishPolicy in the aws-config module from a standalone IAM policy to an inline policy. This avoids name conflicts in case you deploy this more than once. Be aware that when you apply this module (or any of the account-baseline-xxx modules that use it under the hood), it is expected that it will delete the standalone policy and recreate it as an inline policy.
Published: 7/20/2020 | Modules affected: account-baseline-root, account-baseline-app, account-baseline-security, aws-config-multi-region | Release notes
Updated account-baseline-root to allow you to turn off AWS Config and CloudTrail entirely. This is necessary if you want to aggregate AWS Config and CloudTrail data in a child account (e.g., a dedicated logs account), but that child account doesn't initially exist and doesn't contain S3 buckets / KMS CMKs when you first run apply.
Now you can run apply initially with AWS Config and CloudTrail disabled, create all the child accounts, apply a security baseline to each child account (including creating the necessary S3 buckets and KMS CMKs), turn AWS Config and CloudTrail back on in the root account, and run apply again. Also, fixed a bug so that this module now uses the KMS key specified via the cloudtrail_kms_key_arn input parameter rather than creating its own KMS master key for encrypting CloudTrail data. See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.
Updated account-baseline-app so that, depending on the settings you pass in, it can either store AWS Config and CloudTrail data locally (e.g., if this is a dedicated account for aggregating logs) or send that data to a separate account (e.g., if this is an app account such as dev, stage, or prod). See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.
Updated account-baseline-security to allow configuring it to send AWS Config and CloudTrail data to an external account (e.g., a separate logs account). Also, fixed a bug where it wasn't setting the config_linked_accounts parameter correctly, which made AWS Config data not work correctly if trying to use the security account itself for aggregation. See the Deployment Guide for the recommended configuration if deploying from scratch. See the Migration Guide if you're updating an existing deployment.
Updated all account-baseline-xxx modules to, by default, send CloudTrail data not only to an S3 bucket (e.g., for aggregation in a logs account) but also to CloudWatch Logs in the current account (for easy debugging).
Updated the aws-config-multi-region, aws-organizations-config-rules, and cloudtrail modules with a create_resources parameter you can set to false to disable the module entirely. This is a stopgap until Terraform 0.13 is generally available with support for using count and for_each on module.
Published: 7/17/2020 | Modules affected: iam-policies | Release notes
Published: 7/17/2020 | Modules affected: account-baseline-security, kms-master-key-multi-region | Release notes
- Fix a syntactic error in account-baseline-security that prevented the module from working. Also, fix some test failures that obscured this.
Published: 7/16/2020 | Modules affected: account-baseline-app, account-baseline-security, aws-auth, kms-master-key | Release notes
When creating a CMK using the kms-master-key module, you can now provide IAM conditions for the key users. Previously, the module only accepted a list of users, and did not accept any conditions.
Published: 7/4/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, cross-account-iam-roles | Release notes
- Added a new logs IAM policy, IAM group, and IAM role that grants access to logs in CloudTrail, AWS Config, and CloudWatch.
Published: 7/3/2020 | Release notes
- Fix the ssh_key param in one of the examples so that tests will pass. No modules were changed.
Published: 7/30/2020 | Modules affected: ec2-backup | Release notes
- [NEW MODULE]: EC2 backup. This module makes it easy to deploy a data lifecycle manager that automatically creates snapshots of your EBS volumes at configurable intervals.
Published: 7/7/2020 | Modules affected: s3-cloudfront, s3-static-website | Release notes
s3-cloudfront and s3-static-website:
- Accept new variables base_domain_name and base_domain_name_tags to look up the relevant hosted zone so that hosted_zone_id need not be provided.
- Patch the default value of the hosted_zone_ids variable to be null.
Published: 7/17/2020 | Modules affected: instance-type | Release notes
- Added a new instance-type module that can tell you which of a list of instance types are available in all AZs in the current AWS region.
Published: 7/29/2020 | Modules affected: vpc-mgmt | Release notes
vpc-mgmt now accepts the create_resources variable to determine whether or not to create resources. This will be useful until the Terraform 0.13 release adds support for count on module blocks, at which point the create_resources functionality will be removed from all Gruntwork modules.
Published: 7/27/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
This release adds subnet ARNs to the outputs for vpc-app and vpc-mgmt.
Published: 7/13/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
- Switch the vpc-app and vpc-mgmt modules from using the deprecated blacklisted_names and blacklisted_zone_ids parameters to the new exclude_names and exclude_zone_ids parameters.
Published: 7/2/2020 | Modules affected: vpc-interface-endpoint | Release notes
Add Glue support to vpc-interface-endpoint.
Published: 7/1/2020 | Modules affected: vpc-app | Release notes
- You can now disable VPC endpoints in the vpc-app module by setting the create_vpc_endpoints variable to false.