Gruntwork release 2020-08
Guides / Update Guides / Releases / 2020-08
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2020-08. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 8/25/2020 | Release notes
Published: 8/31/2020 | Release notes
Published: 8/1/2020 | Release notes
Published: 8/12/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
Updates in this version:
- Support for
nvme-cli - Bumping to
t3.micro - Bumping to latest
module-ci for jenkins-server - Bug fixes with helm
- Bug fixes in tls-scripts
- Compatibility update with latest terragrunt version
- Updating default kubernetes version to 1.16
- Update EKS modules to use helm 3.
Published: 8/12/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
Updates in this version:
- Support for
nvme-cli - Bumping to
t3.micro - Bumping to latest
module-ci for jenkins-server - Bug fixes with helm
- Bug fixes in tls-scripts
- Compatibility update with latest terragrunt version
- Updating default kubernetes version to 1.16
- Update EKS modules to use helm 3.
Published: 8/20/2020 | Modules affected: asg-rolling-deploy | Release notes
The availability_zones input has been dropped from the asg-rolling-deploy module, which is only used in EC2-Classic mode. To control availability zones, use the vpc_subnet_ids input variable instead.
Published: 8/18/2020 | Modules affected: asg-rolling-deploy | Release notes
Adds the arn of the ASG as an output.
Published: 8/14/2020 | Modules affected: redis | Release notes
- Fix the default parameter-group setting value when using clustered mode.
Published: 8/31/2020 | Modules affected: build-helpers/build-packer-artifact | Release notes
build-packer-artifact now supports a new --idempotent flag. When set as true (e.g. --idempotent true), the build-packer-artifact script will search your AWS account for an AMI that matches the template, and if it exists, will not attempt to build a new AMI. This is useful for preserving the integrity of AMI versions in CI/CD workflows.
See the updated docs for more information.
Published: 8/21/2020 | Modules affected: install-jenkins | Release notes
- Update
install-jenkins to the latest Jenkins version (2.235.5), switch to https URLs for the APT sources, and add DEBIAN_FRONTEND=noninteractive to all apt-get calls to ensure the installs don't show interactive prompts.
Published: 8/20/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deployer | Release notes
You can now query the available containers and scripts in the ecs-deploy-runner using the --describe-containers command. Refer to the updated documentation for more info.
Note that to use the new feature, you will need to update both ecs-deploy-runner and infrastructure-deployer to the new version.
Published: 8/18/2020 | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/4/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
This release allows users to include environment variables in the ECS deploy-runner containers. To include an environment variable, use the environment_vars field of the container_images variable in the ecs-deploy-runner and ecs-deploy-runner-standard-configuration modules.
Published: 8/1/2020 | Modules affected: ecs-deploy-runner | Release notes
ecs-deploy-runner now returns the ECS cluster EC2 worker pool IAM role and ASG name.
Published: 8/31/2020 | Modules affected: cloudtrail, cross-account-iam-roles | Release notes
The cross-account-iam-roles module has been updated to include a support role, which is required for compliance with the Benchmark.
The cloudtrail module has been updated to work with AWS provider v3.
Published: 8/31/2020 | Modules affected: aws-securityhub, cloudtrail | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/18/2020 | Modules affected: custom-iam-entity | Release notes
custom-iam-entity module now supports updating the max session duration of the IAM role.
Published: 8/28/2020 | Modules affected: ecs-cluster | Release notes
Set a default_capacity_provider_strategy when providing capacity providers for the ECS cluster.
Published: 8/24/2020 | Modules affected: ecs-cluster | Release notes
Add prefix to the ECS capacity providers to support ECS cluster names that begin with ecs or aws. Note that upgrading to this release will recreate the capacity providers, but will not cause downtime to your services or ECS cluster.
Published: 8/17/2020 | Modules affected: ecs-cluster, ecs-service | Release notes
Update: when doing this upgrade, we accidentally missed updating the ecs-daemon-service module, so it's still pinned to AWS Provider 2.x. If you're using that module, please update to release v0.22.0 instead.
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/6/2020 | Modules affected: ecs-service | Release notes
This release implements a workaround to an issue that can occur when the AWS API rejects updates made to ECS tasks of the same family that occur too closely together in time. This is sometimes encountered when attempting to update both the regular and canary task definitions simultaneously.
Published: 8/3/2020 | Modules affected: ecs-scripts | Release notes
- Fix issue an issue with how the
ecs-scripts module could exit with an error when editing crontab. Fix a number of ShellCheck warnings.
Published: 8/20/2020 | Modules affected: eks-cluster-control-plane, eks-cluster-workers, eks-k8s-cluster-autoscaler | Release notes
The EKS cluster control plane upgrade script now uses the right image tags for the core components. Additionally, this release drops support for k8s 1.13 and 1.14 in the upgrade script.
Published: 8/13/2020 | Modules affected: eks-cluster-control-plane | Release notes
Fix bug where the control plane upgrade scripts fail on python3.
Published: 8/12/2020 | Modules affected: eks-cluster-managed-workers | Release notes
eks-cluster-managed-workers will now ignore changes to desired_size after the initial deployment, to be compatible with the cluster autoscaler.
Published: 8/20/2020 | Modules affected: lb-listener-rules | Release notes
- The
lb-listener-rules module now lets you use HTTP headers in conditions via the http_headers param.
Published: 8/18/2020 | Modules affected: alb | Release notes
The arn_suffix attribute is now available as an output from the alb module.
Published: 8/12/2020 | Modules affected: openvpn-admin, openvpn-server | Release notes
Use python to manage sleeps to delay resource creation for IAM propagation. This means that you must have python installed on your machine to use this module.
Published: 8/25/2020 | Modules affected: aws-auth | Release notes
Resolve shellcheck issues in aws-auth.
Published: 8/25/2020 | Modules affected: account-baseline-app, account-baseline-security | Release notes
You can now set the max session duration for human and machine cross account IAM roles managed in the account-baseline modules using the max_session_duration_human_users and max_session_duration_machine_users input vars.
Published: 8/22/2020 | Modules affected: kms-grant-multi-region, account-baseline-app, account-baseline-security, kms-master-key-multi-region | Release notes
This release introduces a new module kms-grant-multi-region that allows you to manage KMS grants for KMS keys across multiple regions.
Published: 8/21/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config-bucket | Release notes
This release contains backwards incompatible changes. Make sure to follow the instructions in the migration guide below!
Refactored the account-baseline-xxx modules to work around several chicken-and-egg problems related to AWS Config / CloudTrail. The initial deployment, as well as adding subsequent child accounts, can now be done in a single apply per account, rather than the previous process, which required lots of back-and-forth and multiple apply calls. Here's an overview of the changes:
Add first-class support for marking one of the child accounts as a "logs account" that should be used for aggregating AWS Config and CloudTrail data from all accounts. The account-baseline-root module can now automatically create the logs account, authenticate to it, create an S3 bucket for AWS Config and an S3 bucket and KMS CMK for CloudTrail in that account, and then configure the root account to send all AWS Config and CloudTrail data to those S3 buckets. In the past, you had to disable AWS Config and CloudTrail on the very initial deployment, as the logs account did not exist, but with this release, you can leave it enabled, run apply once,
and everything will "just work."
Switch from org-level AWS Config Rules to account-level AWS Config Rules. The Rules are exactly the same, but are now managed within each account, rather than solely at the root account. This is slightly less convenient / secure, but it works around a major chicken-and-egg problem when creating new child accounts. Org-level rules require every single child account to have a Config Recorder or deployment fails, so in the past, you had to initially disable Config Rules whenever you added a new child account, then create a Config Recorder in that account, and then re-enable the Rules. This process has now been reduced to a single apply per account.
Updated the cloudtrail module to:
- Use the
kms-master-key module to create and manage the KMS CMK rather than custom code. This makes the code more DRY and maintainable. - Properly support sharing a KMS CMK across multiple accounts. In the past, the
cloudtrail module didn't have this ability and the account-baseline-xxx modules were backfilling the missing permissions, but now it's all consolidated into the cloudtrail module.
Extracted the S3 bucket creation logic from the aws-config module into an aws-config-bucket module so it can be reused elsewhere (namely, in account-baseline-root).
Extracted the S3 bucket and KMS CMK creation logic from the cloudtrail module into an cloudtrail-bucket module so it can be reused elsewhere (namely, in account-baseline-root).
The aws-config and aws-config-multi-region modules now expose a new, required aggregate_config_data_in_external_account parameter that must be set to true if you're aggregating AWS Config data in an external account (i.e., if setting the central_account_id param). This redundant parameter is unfortunately necessary to work around a Terraform limitation.
Fixed a bug in the aws-config module where it was not setting s3_key_prefix on aws_config_delivery_channel.
Renamed the aws-organization-config-rules module to aws-config-rules, as it now supports creating other org-level rules (the default) or account-level rules (if you set create_account_rules to true).
Updated the kms-master-key module with support for passing in a list of ARNs via cmk_read_only_user_iam_arns that will get read-only access. That is, they will only be able to decrypt data using the KMS CMK, but not the ability to encrypt data or manage the CMK in any other way.
Refactored the aws-organizations output variables to so that (a) they always show the data after child accounts have been created, rather than before and (b) they depend on the child account resources so you can build dependency chains that wait for the child accounts to be created.
Published: 8/17/2020 | Modules affected: aws-config-multi-region, guardduty-multi-region, kms-master-key-multi-region | Release notes
Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
Published: 8/17/2020 | Modules affected: aws-config, aws-organizations, cloudtrail, custom-iam-entity | Release notes
- There appears to be a Terraform bug where, when you run
destroy, you can get errors about (valid) references to resources that use count or for_each (e.g., foo.bar[0]). This release has a workaround for this issue, so hopefully, destroy works correctly now.
Published: 8/13/2020 | Modules affected: iam-policies | Release notes
This release adds read only permissions to the read_only IAM policy for the Performance Insights service.
Published: 8/12/2020 | Modules affected: cloudtrail | Release notes
Allows an empty list of users and admins in cloudtrail-created KMS keys. Previously, the kms_key_user_iam_arns and kms_key_administrator_iam_arns variables were required. They are now optional and default to an empty list. If they are left as empty, then allow_cloudtrail_access_with_iam must be true.
Published: 8/1/2020 | Modules affected: ec2-backup, single-server | Release notes
This release includes a fix for the ec2-backup module, making its tag configurations more flexible. It also fixes a few links in the module-server documentation.
Published: 8/25/2020 | Modules affected: openvpn-server, ecs-service, ecs-cluster, account-baseline-app | Release notes
Updates to ecs-service and ecs-cluster
This release introduces a number of bug fixes for the ecs-service and ecs-cluster modules. For details, see #158 and #163.
Updates to openvpn
Published: 8/19/2020 | Modules affected: mgmt/bastion-host, mgmt/openvpn-server, mgmt/ecs-deploy-runner, mgmt/jenkins | Release notes
All packer templates now support using a custom KMS CMK for encrypting the snapshot and root volume.
Published: 8/19/2020 | Modules affected: networking, tls-scripts, base, landingzone | Release notes
- Updates the ec2-baseline to use the latest version of module-security
- Updates each of the
account-baseline-* modules to use the latest version of module-security - Updates
openvpn-server to use the latest version of package-openvpn - Adds the
tls-scripts module
Published: 8/17/2020 | Modules affected: networking/vpc-mgmt, data-stores/memcached, base/ec2-baseline | Release notes
New Modules:
networking/vpc-mgmt: A module for creating a management VPC with 2 subnet tiers (public and private).data-stores/memcached: A module for creating ElastiCache with Memcached.
Bug fixes:
- Fix bug where
cloud_init_parts could not be set to an empty list in ec2-baseline. - Fix docs for aurora module.
Published: 8/10/2020 | Release notes
This is the initial release of the Gruntwork AWS Service Catalog! This release contains the following service modules:
Data stores: (data-stores)
Landing Zone (landingzone)
account-baseline-appaccount-baseline-rootaccount-baseline-security
Infrastructure Management (mgmt)
bastion-hostopenvpn-serverjenkinsecs-deploy-runner
Networking (networking)
Service Management (services)
ecs-clusterecs-serviceeks-clustereks-core-servicesk8s-namespacek8s-servicepublic-static-website
Published: 8/25/2020 | Modules affected: vpc-peering-external, vpc-flow-logs | Release notes
This release introduces two changes:
- In the
vpc-peering-external module, it's now possible to disable the network ACL DENY rules by setting enable_blanket_deny=false. This can be useful when you need to add your own ACLs and you're bumping up against the 20 rule limit. - As outlined in the Terraform AWS provider v3 upgrade guide, CloudWatch Logs group ARNs no longer include the
:* at the end, which caused a problem in the vpc-flow-logs module. This is now resolved.