Gruntwork release 2020-08
Guides / Update Guides / Releases / 2020-08
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2020-08. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 8/25/2020 | Release notes
Published: 8/31/2020 | Release notes
Published: 8/1/2020 | Release notes
Published: 8/12/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
Updates in this version:
- Support for
nvme-cli
- Bumping to
t3.micro
- Bumping to latest
module-ci
for jenkins-server
- Bug fixes with helm
- Bug fixes in tls-scripts
- Compatibility update with latest terragrunt version
- Updating default kubernetes version to 1.16
- Update EKS modules to use helm 3.
Published: 8/12/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
Updates in this version:
- Support for
nvme-cli
- Bumping to
t3.micro
- Bumping to latest
module-ci
for jenkins-server
- Bug fixes with helm
- Bug fixes in tls-scripts
- Compatibility update with latest terragrunt version
- Updating default kubernetes version to 1.16
- Update EKS modules to use helm 3.
Published: 8/20/2020 | Modules affected: asg-rolling-deploy | Release notes
The availability_zones
input has been dropped from the asg-rolling-deploy
module, which is only used in EC2-Classic mode. To control availability zones, use the vpc_subnet_ids
input variable instead.
Published: 8/18/2020 | Modules affected: asg-rolling-deploy | Release notes
Adds the arn
of the ASG as an output.
Published: 8/14/2020 | Modules affected: redis | Release notes
- Fix the default parameter-group setting value when using clustered mode.
Published: 8/31/2020 | Modules affected: build-helpers/build-packer-artifact | Release notes
build-packer-artifact
now supports a new --idempotent
flag. When set as true
(e.g. --idempotent true
), the build-packer-artifact
script will search your AWS account for an AMI that matches the template, and if it exists, will not attempt to build a new AMI. This is useful for preserving the integrity of AMI versions in CI/CD workflows.
See the updated docs for more information.
Published: 8/21/2020 | Modules affected: install-jenkins | Release notes
- Update
install-jenkins
to the latest Jenkins version (2.235.5
), switch to https
URLs for the APT sources, and add DEBIAN_FRONTEND=noninteractive
to all apt-get
calls to ensure the installs don't show interactive prompts.
Published: 8/20/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deployer | Release notes
You can now query the available containers and scripts in the ecs-deploy-runner
using the --describe-containers
command. Refer to the updated documentation for more info.
Note that to use the new feature, you will need to update both ecs-deploy-runner
and infrastructure-deployer
to the new version.
Published: 8/18/2020 | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/4/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
This release allows users to include environment variables in the ECS deploy-runner containers. To include an environment variable, use the environment_vars
field of the container_images
variable in the ecs-deploy-runner
and ecs-deploy-runner-standard-configuration
modules.
Published: 8/1/2020 | Modules affected: ecs-deploy-runner | Release notes
ecs-deploy-runner
now returns the ECS cluster EC2 worker pool IAM role and ASG name.
Published: 8/31/2020 | Modules affected: cloudtrail, cross-account-iam-roles | Release notes
The cross-account-iam-roles
module has been updated to include a support role, which is required for compliance with the Benchmark.
The cloudtrail
module has been updated to work with AWS provider v3.
Published: 8/31/2020 | Modules affected: aws-securityhub, cloudtrail | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/18/2020 | Modules affected: custom-iam-entity | Release notes
custom-iam-entity
module now supports updating the max session duration of the IAM role.
Published: 8/28/2020 | Modules affected: ecs-cluster | Release notes
Set a default_capacity_provider_strategy
when providing capacity providers for the ECS cluster.
Published: 8/24/2020 | Modules affected: ecs-cluster | Release notes
Add prefix to the ECS capacity providers to support ECS cluster names that begin with ecs
or aws
. Note that upgrading to this release will recreate the capacity providers, but will not cause downtime to your services or ECS cluster.
Published: 8/17/2020 | Modules affected: ecs-cluster, ecs-service | Release notes
Update: when doing this upgrade, we accidentally missed updating the ecs-daemon-service
module, so it's still pinned to AWS Provider 2.x. If you're using that module, please update to release v0.22.0 instead.
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/6/2020 | Modules affected: ecs-service | Release notes
This release implements a workaround to an issue that can occur when the AWS API rejects updates made to ECS tasks of the same family that occur too closely together in time. This is sometimes encountered when attempting to update both the regular and canary task definitions simultaneously.
Published: 8/3/2020 | Modules affected: ecs-scripts | Release notes
- Fix issue an issue with how the
ecs-scripts
module could exit with an error when editing crontab
. Fix a number of ShellCheck warnings.
Published: 8/20/2020 | Modules affected: eks-cluster-control-plane, eks-cluster-workers, eks-k8s-cluster-autoscaler | Release notes
The EKS cluster control plane upgrade script now uses the right image tags for the core components. Additionally, this release drops support for k8s 1.13
and 1.14
in the upgrade script.
Published: 8/13/2020 | Modules affected: eks-cluster-control-plane | Release notes
Fix bug where the control plane upgrade scripts fail on python3.
Published: 8/12/2020 | Modules affected: eks-cluster-managed-workers | Release notes
eks-cluster-managed-workers
will now ignore changes to desired_size
after the initial deployment, to be compatible with the cluster autoscaler.
Published: 8/20/2020 | Modules affected: lb-listener-rules | Release notes
- The
lb-listener-rules
module now lets you use HTTP headers in conditions via the http_headers
param.
Published: 8/18/2020 | Modules affected: alb | Release notes
The arn_suffix
attribute is now available as an output from the alb
module.
Published: 8/12/2020 | Modules affected: openvpn-admin, openvpn-server | Release notes
Use python to manage sleeps to delay resource creation for IAM propagation. This means that you must have python installed on your machine to use this module.
Published: 8/25/2020 | Modules affected: aws-auth | Release notes
Resolve shellcheck
issues in aws-auth
.
Published: 8/25/2020 | Modules affected: account-baseline-app, account-baseline-security | Release notes
You can now set the max session duration for human and machine cross account IAM roles managed in the account-baseline
modules using the max_session_duration_human_users
and max_session_duration_machine_users
input vars.
Published: 8/22/2020 | Modules affected: kms-grant-multi-region, account-baseline-app, account-baseline-security, kms-master-key-multi-region | Release notes
This release introduces a new module kms-grant-multi-region
that allows you to manage KMS grants for KMS keys across multiple regions.
Published: 8/21/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config-bucket | Release notes
This release contains backwards incompatible changes. Make sure to follow the instructions in the migration guide below!
-
Refactored the account-baseline-xxx
modules to work around several chicken-and-egg problems related to AWS Config / CloudTrail. The initial deployment, as well as adding subsequent child accounts, can now be done in a single apply
per account, rather than the previous process, which required lots of back-and-forth and multiple apply
calls. Here's an overview of the changes:
-
Add first-class support for marking one of the child accounts as a "logs account" that should be used for aggregating AWS Config and CloudTrail data from all accounts. The account-baseline-root
module can now automatically create the logs account, authenticate to it, create an S3 bucket for AWS Config and an S3 bucket and KMS CMK for CloudTrail in that account, and then configure the root account to send all AWS Config and CloudTrail data to those S3 buckets. In the past, you had to disable AWS Config and CloudTrail on the very initial deployment, as the logs account did not exist, but with this release, you can leave it enabled, run apply
once,
and everything will "just work."
-
Switch from org-level AWS Config Rules to account-level AWS Config Rules. The Rules are exactly the same, but are now managed within each account, rather than solely at the root account. This is slightly less convenient / secure, but it works around a major chicken-and-egg problem when creating new child accounts. Org-level rules require every single child account to have a Config Recorder or deployment fails, so in the past, you had to initially disable Config Rules whenever you added a new child account, then create a Config Recorder in that account, and then re-enable the Rules. This process has now been reduced to a single apply
per account.
-
Updated the cloudtrail
module to:
- Use the
kms-master-key
module to create and manage the KMS CMK rather than custom code. This makes the code more DRY and maintainable.
- Properly support sharing a KMS CMK across multiple accounts. In the past, the
cloudtrail
module didn't have this ability and the account-baseline-xxx
modules were backfilling the missing permissions, but now it's all consolidated into the cloudtrail
module.
-
Extracted the S3 bucket creation logic from the aws-config
module into an aws-config-bucket
module so it can be reused elsewhere (namely, in account-baseline-root
).
-
Extracted the S3 bucket and KMS CMK creation logic from the cloudtrail
module into an cloudtrail-bucket
module so it can be reused elsewhere (namely, in account-baseline-root
).
-
The aws-config
and aws-config-multi-region
modules now expose a new, required aggregate_config_data_in_external_account
parameter that must be set to true
if you're aggregating AWS Config data in an external account (i.e., if setting the central_account_id
param). This redundant parameter is unfortunately necessary to work around a Terraform limitation.
-
Fixed a bug in the aws-config
module where it was not setting s3_key_prefix
on aws_config_delivery_channel
.
-
Renamed the aws-organization-config-rules
module to aws-config-rules
, as it now supports creating other org-level rules (the default) or account-level rules (if you set create_account_rules
to true
).
-
Updated the kms-master-key
module with support for passing in a list of ARNs via cmk_read_only_user_iam_arns
that will get read-only access. That is, they will only be able to decrypt data using the KMS CMK, but not the ability to encrypt data or manage the CMK in any other way.
-
Refactored the aws-organizations
output variables to so that (a) they always show the data after child accounts have been created, rather than before and (b) they depend on the child account resources so you can build dependency chains that wait for the child accounts to be created.
Published: 8/17/2020 | Modules affected: aws-config-multi-region, guardduty-multi-region, kms-master-key-multi-region | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/17/2020 | Modules affected: aws-config, aws-organizations, cloudtrail, custom-iam-entity | Release notes
- There appears to be a Terraform bug where, when you run
destroy
, you can get errors about (valid) references to resources that use count
or for_each
(e.g., foo.bar[0]
). This release has a workaround for this issue, so hopefully, destroy
works correctly now.
Published: 8/13/2020 | Modules affected: iam-policies | Release notes
This release adds read only permissions to the read_only
IAM policy for the Performance Insights service.
Published: 8/12/2020 | Modules affected: cloudtrail | Release notes
Allows an empty list of users and admins in cloudtrail-created KMS keys. Previously, the kms_key_user_iam_arns
and kms_key_administrator_iam_arns
variables were required. They are now optional and default to an empty list. If they are left as empty, then allow_cloudtrail_access_with_iam
must be true
.
Published: 8/1/2020 | Modules affected: ec2-backup, single-server | Release notes
This release includes a fix for the ec2-backup
module, making its tag configurations more flexible. It also fixes a few links in the module-server
documentation.
Published: 8/25/2020 | Modules affected: openvpn-server, ecs-service, ecs-cluster, account-baseline-app | Release notes
Updates to ecs-service
and ecs-cluster
This release introduces a number of bug fixes for the ecs-service
and ecs-cluster
modules. For details, see #158 and #163.
Updates to openvpn
Published: 8/19/2020 | Modules affected: mgmt/bastion-host, mgmt/openvpn-server, mgmt/ecs-deploy-runner, mgmt/jenkins | Release notes
All packer templates now support using a custom KMS CMK for encrypting the snapshot and root volume.
Published: 8/19/2020 | Modules affected: networking, tls-scripts, base, landingzone | Release notes
- Updates the ec2-baseline to use the latest version of module-security
- Updates each of the
account-baseline-*
modules to use the latest version of module-security
- Updates
openvpn-server
to use the latest version of package-openvpn
- Adds the
tls-scripts
module
Published: 8/17/2020 | Modules affected: networking/vpc-mgmt, data-stores/memcached, base/ec2-baseline | Release notes
New Modules:
networking/vpc-mgmt
: A module for creating a management VPC with 2 subnet tiers (public and private).
data-stores/memcached
: A module for creating ElastiCache with Memcached.
Bug fixes:
- Fix bug where
cloud_init_parts
could not be set to an empty list in ec2-baseline
.
- Fix docs for aurora module.
Published: 8/10/2020 | Release notes
This is the initial release of the Gruntwork AWS Service Catalog! This release contains the following service modules:
Data stores: (data-stores
)
aurora
ecr-repos
rds
redis
Landing Zone (landingzone
)
account-baseline-app
account-baseline-root
account-baseline-security
Infrastructure Management (mgmt
)
bastion-host
openvpn-server
jenkins
ecs-deploy-runner
Networking (networking
)
alb
route53
sns-topics
vpc
Service Management (services
)
ecs-cluster
ecs-service
eks-cluster
eks-core-services
k8s-namespace
k8s-service
public-static-website
Published: 8/25/2020 | Modules affected: vpc-peering-external, vpc-flow-logs | Release notes
This release introduces two changes:
- In the
vpc-peering-external
module, it's now possible to disable the network ACL DENY rules by setting enable_blanket_deny=false
. This can be useful when you need to add your own ACLs and you're bumping up against the 20 rule limit.
- As outlined in the Terraform AWS provider v3 upgrade guide, CloudWatch Logs group ARNs no longer include the
:*
at the end, which caused a problem in the vpc-flow-logs
module. This is now resolved.