Gruntwork release 2020-09
Guides / Update Guides / Releases / 2020-09
This page lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2020-09. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 9/18/2020 | Modules affected: asg-rolling-deploy, server-group | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/29/2020 | Modules affected: redis | Release notes
- You can now restore a Redis cluster from a snapshot using the new snapshot_name or snapshot_arn input variables.
Published: 9/28/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/30/2020 | Release notes
This is a maintenance release that exports some test helper functions for the ecs-deploy-runner as a new package under test/edrhelpers. This allows the helpers to be used by other projects.
Published: 9/25/2020 | Modules affected: infrastructure-deploy-script | Release notes
infrastructure-deploy-script now supports running the refresh command.
Published: 9/21/2020 | Modules affected: kubernetes-circleci-helpers | Release notes
- Allow non-zero patch versions of Kubernetes (e.g., 1.17.12 vs 1.17.0) in setup-minikube.
- Fix bug where the existing script was not compatible with newer minikube versions (>1.0.0).
- Updated default Kubernetes and minikube versions (1.17.12 and 1.11.0).
Published: 9/14/2020 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
Adds a new flag, --idempotent, to the build-docker-image tool in the Kaniko image of the ecs-deploy-runner. Invoking the build-docker-image tool with the flag will cause it to check for the existence of an image before building and pushing.
Also adds an optional route53_tags to the Jenkins example code, making the example more portable and less specific to Gruntwork's testing processes.
Published: 9/3/2020 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes
This release fixes a major regression bug identified in the previous release (v0.28.0), where omitting allowed_repos_regex for the ami_builder in the ecs-deploy-runner-standard-configuration module would inadvertently allow building from any repo.
Published: 9/2/2020 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes
You can now specify repo restrictions as regex using allowed_repos_regex and infrastructure_live_repositories_regex input variables.
Published: 9/29/2020 | Modules affected: aurora, rds | Release notes
Add lifecycle block to ignore changes to snapshot_identifier so that restored DB clusters won't get destroyed during updates.
Published: 9/28/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/28/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/28/2020 | Modules affected: ecs-daemon-service | Release notes
- When updating this repo to work with AWS Provider 3.x in v0.21.0, we missed a required_provider constraint in the ecs-daemon-service module, so it was still pinned to AWS Provider 2.x. This release fixes that.
Published: 9/28/2020 | Modules affected: ecs-cluster | Release notes
- Update comment and README to reflect current roll-out-ecs-cluster-update.py functionality.
Published: 9/23/2020 | Modules affected: ecs-deploy-check-binaries | Release notes
Fix bug in the deployment check scripts that made it incompatible with awsvpc networking mode on EC2 based ECS clusters.
Published: 9/16/2020 | Modules affected: ecs-daemon-service | Release notes
- You can now specify the launch type for the ecs-daemon-service module via the new launch_type input variable.
Published: 9/1/2020 | Modules affected: ecs-cluster | Release notes
- You can now use the cluster_asg_metrics_enabled variable to specify the metrics to collect for the ASG deployed via the ecs-cluster module.
Published: 9/29/2020 | Modules affected: eks-cluster-control-plane | Release notes
Bump the executable-dependency module version so that the downloaded kubergrunt binary properly has 744 permissions.
Published: 9/26/2020 | Modules affected: eks-aws-auth-merger | Release notes
You can now optionally turn off the eks-aws-auth-merger module using the create_resources variable.
Published: 9/18/2020 | Modules affected: eks-cluster-workers | Release notes
The eks-cluster-workers module will now gracefully handle situations where the IAM role is externally deleted.
Published: 9/16/2020 | Modules affected: eks-cluster-control-plane, eks-alb-ingress-controller, eks-cloudwatch-container-logs, eks-k8s-cluster-autoscaler | Release notes
You can now adjust the namespace into which the core services are deployed (eks-cluster-control-plane, eks-alb-ingress-controller, eks-cloudwatch-container-logs, eks-k8s-cluster-autoscaler).
Published: 9/12/2020 | Modules affected: eks-aws-auth-merger, eks-k8s-role-mapping | Release notes
This release introduces the eks-aws-auth-merger, which is an alternative to eks-k8s-role-mapping for managing IAM role to RBAC group mappings. This module uses the aws-auth-merger tool to watch for ConfigMaps in a specified namespace, and merge them together into the aws-auth ConfigMap at runtime. You can learn more about it in the module docs.
Published: 9/9/2020 | Modules affected: eks-cluster-workers | Release notes
The eks-cluster-workers module can now be configured to take in the external dependencies as variables instead of looking the info up dynamically.
Published: 9/1/2020 | Modules affected: eks-k8s-external-dns, eks-cluster-control-plane | Release notes
Starting with this release we will no longer use kubergrunt to get the OIDC provider thumbprint, and instead rely on Terraform-native functionality.
Published: 9/24/2020 | Modules affected: lambda | Release notes
- You can now set the new source_code_hash input variable to the hash of the zip file you upload to S3 as a way to allow the lambda module to know when that zip file has changed, and therefore, when the Lambda function needs to be redeployed.
Published: 9/18/2020 | Modules affected: keep-warm, lambda-edge, lambda, scheduled-lambda-job | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/28/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/15/2020 | Modules affected: sns | Release notes
- You can now allow AWS services (e.g., events.amazonaws.com) permission to write to your SNS topic using the new allow_publish_services input variable.
- Fix a bug where the topic_policy output variable used to return only the default policy of the SNS topic. It will now return the full topic policy as created by the sns module.
Published: 9/28/2020 | Modules affected: metrics/cloudwatch-memory-disk-metrics-scripts | Release notes
This updates install-cloudwatch-monitoring-scripts.sh to set cache removal on reboot so that any cached info about the instances is reset on every boot.
Published: 9/28/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/8/2020 | Modules affected: logs/load-balancer-access-logs | Release notes
- You can now enable server-side encryption for the S3 bucket used to store load balancer access logs using the new s3_bucket_encryption input variable. Note that ALBs and CLBs already encrypt the access logs by default, so this is mainly useful to (a) make sure the bucket reflects this and (b) if you want to enable encryption for NLB access logs.
Published: 9/28/2020 | Modules affected: openvpn-admin, openvpn-server | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/1/2020 | Modules affected: openvpn-server | Release notes
- We now enable server-side encryption by default for the backup S3 bucket. We were enabling encryption whenever uploading data to the bucket already, so this is merely an extra layer of defense to make it harder to ever mess that up.
- Add explicit rules to deny any possible public access for the backup S3 bucket. The bucket was already private by default, so this is also an extra layer of defense to make it harder to mess things up.
Published: 9/30/2020 | Modules affected: gruntsam | Release notes
- gruntsam now supports OPTIONS requests.
Published: 9/6/2020 | Modules affected: gruntsam | Release notes
- You can now set stage variables using the new stage_variables input variable.
- You can now customize the Lambda permission statement ID using the new xxx_lambda_permission_statement_id input variable. This is useful to avoid name conflicts.
- You can now set a qualifier on the Lambda permission using the new xxx_lambda_qualifier input variable.
Published: 9/29/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, private-s3-bucket | Release notes
- You can now specify tags to apply to CloudTrail and IAM Role resources created by the account-baseline-xxx modules using the new input variables cloudtrail_tags and iam_role_tags, respectively.
- Fix a minor typo in a comment in private-s3-bucket.
Published: 9/25/2020 | Modules affected: fail2ban | Release notes
Fix bug where fail2ban cloudwatch configuration script used the incorrect command for restarting fail2ban on Amazon Linux 1.
Published: 9/24/2020 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security | Release notes
- The account-baseline-xxx modules now allow you to configure the IAM password policy settings of allowing users to change their own password and whether password expiration requires an admin reset using the new input variables iam_password_policy_allow_users_to_change_password and iam_password_policy_hard_expiry, respectively. Both default to true, as before.
Published: 9/23/2020 | Modules affected: kms-grant-multi-region, account-baseline-app, account-baseline-security, kms-master-key-multi-region | Release notes
This release updates the AWSConfigRole managed policy in the aws-config and aws-config-multi-region modules to the new AWS_ConfigRole managed policy due to a deprecation notice from AWS. There are also several updates to stabilize tests and improve the docs.
Published: 9/21/2020 | Modules affected: account-baseline-root, account-baseline-security, cloudtrail-bucket, cloudtrail | Release notes
This is a cleanup release that removes several unused variables and fixes a few other small issues.
To update to this release, ensure that your configuration does not set any of the following variables (all of which were unused in the module anyway, likely leftover from previous refactoring):
- var.enable_cloudtrail in the cloudtrail-bucket module
- var.name_prefix in the ssm-healthchecks-iam-permissions module
- cloudtrail_external_aws_account_ids_with_write_access in the account-baseline-root module
Published: 9/21/2020 | Modules affected: fail2ban | Release notes
The configure-fail2ban-cloudwatch.sh script will now restart fail2ban after configuring the cloudwatch metrics actions.
Published: 9/21/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/16/2020 | Modules affected: private-s3-bucket | Release notes
- Added a new private-s3-bucket module that can be used to create an Amazon S3 bucket that enforces best practices for private access:
- No public access: all public access is completely blocked.
- Encryption at rest: server-side encryption is enabled, optionally with a custom KMS key.
- Encryption in transit: the bucket can only be accessed over TLS.
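The three properties listed above map onto three distinct AWS controls, and it is easy to set one and forget the others. The following is an added illustration of how those controls fit together using the plain AWS provider (3.x-era syntax); it is not the code of the private-s3-bucket module, and the bucket name, the kms_key_arn variable and the resource labels are constructed for the example.

```hcl
# Optional customer-managed KMS key; leave null to fall back to SSE-S3 (AES256).
# (Assumed input for this example, not a module variable.)
variable "kms_key_arn" {
  type    = string
  default = null
}

resource "aws_s3_bucket" "private" {
  bucket = "example-private-bucket" # constructed name for the example
  acl    = "private"

  # Encryption at rest: every object is encrypted by default, with a
  # customer-managed KMS key when one is supplied.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = var.kms_key_arn == null ? "AES256" : "aws:kms"
        kms_master_key_id = var.kms_key_arn
      }
    }
  }
}

# No public access: acl = "private" alone only sets the default ACL; the
# public access block stops anyone from later adding a public ACL or policy.
resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption in transit: deny every S3 action, for every principal, when the
# request did not arrive over TLS (aws:SecureTransport is "false").
data "aws_iam_policy_document" "tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = [
      aws_s3_bucket.private.arn,
      "${aws_s3_bucket.private.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tls_only" {
  bucket = aws_s3_bucket.private.id
  policy = data.aws_iam_policy_document.tls_only.json
}
```

The Deny statement is deliberately separate from any Allow statements you may attach: an explicit Deny wins over every Allow in IAM evaluation, so the TLS requirement holds no matter what other access the bucket policy or an IAM principal grants. To verify the result, `aws s3api get-bucket-policy-status` on the bucket should report `IsPublic: false`, and an `http://` request to an object should be refused with 403.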
 
Published: 9/11/2020 | Modules affected: iam-policies | Release notes
Adds eks:Describe* and eks:List* permissions to the Read Only IAM policy.
Published: 9/10/2020 | Modules affected: cloudtrail-bucket | Release notes
This release removes the CloudTrail S3 bucket policy from the aws_s3_bucket resources. The policy is already attached via a separate aws_s3_bucket_policy resource, hence the attachment in the aws_s3_bucket was redundant.
Note that you have to apply this change twice for Terraform to sort itself out. On the first apply, Terraform will remove the bucket policy since it was removed from aws_s3_bucket. On the next apply, Terraform will re-add the bucket policy since it realizes that aws_s3_bucket_policy now generates a diff.
Published: 9/8/2020 | Modules affected: iam-policies | Release notes
Adds the rds:Download* permission to the Read Only policy in the iam-policies module.
Published: 9/8/2020 | Modules affected: aws-config-rules | Release notes
Fix a bug in the outputs for aws-config-rules introduced by v0.36.0.
Published: 9/4/2020 | Modules affected: ssm-healthchecks-iam-permissions | Release notes
Fixes the ARN for the AmazonSSMManagedInstanceCore managed policy, which was previously incorrect.
Published: 9/3/2020 | Modules affected: aws-auth | Release notes
Fix regression bug in aws-auth where the command broke for MFA token session retrieval without role assume.
Published: 9/1/2020 | Modules affected: ssm-healthchecks-iam-permissions | Release notes
Replace the SSM role with the new best practice.
Published: 9/18/2020 | Modules affected: ec2-backup, single-server | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/30/2020 | Modules affected: mgmt, services | Release notes
- Update all Packer templates to ensure that they explicitly request a public IP address. Otherwise, if that setting is not enabled by default in a VPC, the Packer build would fail.
Published: 9/30/2020 | Modules affected: data-stores | Release notes
Updated underlying module dependencies:
- gruntwork-io/module-data-storage to v0.16.1
- gruntwork-io/module-cache to v0.10.1
Published: 9/29/2020 | Modules affected: mgmt/openvpn-server | Release notes
You can now configure the --search-domain option on the OpenVPN server. Note that this includes a change to the user-data script even if no variable inputs are changed, but it will not take down the OpenVPN server on deploy (0-downtime). It is not necessary to rotate the server unless you want to take advantage of the new search domain option.
Published: 9/29/2020 | Modules affected: mgmt/openvpn-server, mgmt/bastion-host, mgmt/ecs-deploy-runner, mgmt/jenkins | Release notes
- Update user data scripts to invoke EC2 baseline with the cwmonitoring user included in ip-lockdown. Note that this will require rotating the servers. Refer to the migration guide for guidelines on how to rotate the servers for each module.
- Updated underlying module dependencies:
- gruntwork-io/terragrunt to v0.25.1
- gruntwork-io/terraform-aws-eks to v0.23.2
- gruntwork-io/module-security to v0.38.3
- gruntwork-io/module-ecs to v0.23.0
- gruntwork-io/terratest to v0.30.3
- gruntwork-io/terraform-aws-vpc to v0.10.1
- gruntwork-io/module-ci to v0.28.4
- gruntwork-io/terraform-aws-eks to v0.23.3
- gruntwork-io/module-cache to v0.10.0
- gruntwork-io/module-data-storage to v0.16.0
- gruntwork-io/package-openvpn to v0.12.0
- gruntwork-io/terraform-aws-monitoring to v0.23.1
 
Published: 9/25/2020 | Modules affected: services/k8s-service | Release notes
- Fix bug where the configmaps_as_env_vars and secrets_as_env_vars variables of the k8s-service module were the incorrect type.
- Fix bug where the default value of ingress_path was incorrectly locked to /, and not any subpath.
Published: 9/24/2020 | Modules affected: base/ec2-baseline, mgmt/openvpn-server, networking/vpc, networking/vpc-mgmt | Release notes
- The openvpn-server module will now properly initialize the EC2 baseline scripts, which handle initializing server hardening scripts like fail2ban, ip-lockdown, and ssh-grunt.
- The openvpn-server module now properly handles VPC peering routes.
- The vpc module now exposes num_availability_zones.
- The vpc module now sets up NACL routes for peers when peering is configured.
Published: 9/21/2020 | Release notes
Reverts the minikube version change introduced in v0.2.5.
Published: 9/21/2020 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
Updated the following underlying module dependencies:
- gruntwork-io/terratest to v0.30.0
- gruntwork-io/terraform-aws-vpc to v0.10.0
- gruntwork-io/module-server to v0.9.0
- kubernetes/minikube to v1.13.1
- gruntwork-io/kubergrunt to v0.6.0
- gruntwork-io/module-ci to v0.28.3
- gruntwork-io/module-security to v0.37.1
- gruntwork-io/module-asg to v0.11.0
- helm/helm to v3.3.3
Published: 9/16/2020 | Modules affected: base, networking, services, data-stores | Release notes
Updated the following underlying module dependencies:
- gruntwork-io/bash-commons to v0.1.3
- gruntwork-io/terraform-aws-eks to v0.23.0
- gruntwork-io/module-security to v0.36.10
- gruntwork-io/module-ci to v0.28.2
- gruntwork-io/module-ecs to v0.21.4
Updated documentation and tests:
- Fix bug in running tests for tls-scripts
- Add a note about private endpoints in the variable description for endpoint_public_access
Published: 9/9/2020 | Modules affected: base, data-stores, mgmt, networking | Release notes
Published: 9/9/2020 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
This release contains the following updates:
- References to module-security have been bumped to v0.36.8
- A fix for the asg-service when calling ec2-baseline from a particular branch instead of a tag.
Published: 9/8/2020 | Modules affected: landingzone/account-access | Release notes
- Added new gruntwork-access module customers can use to grant Gruntwork access to their AWS accounts for the purposes of (a) deploying a Reference Architecture or (b) troubleshooting.
- Added an example of how to use the gruntwork-access module with Terragrunt and account-baseline-root to create all child accounts for the Reference Architecture and grant Gruntwork access to them in a single apply.
Published: 9/4/2020 | Modules affected: mgmt, services | Release notes
This release catches a few dependencies up to the latest version.
Published: 9/4/2020 | Modules affected: networking, services, data-stores, landingzone | Release notes
This release catches up dependencies using the new RenovateBot functionality (see renovate.json in the repo root).
Published: 9/28/2020 | Modules affected: executable-dependency | Release notes
Fix OS permissions that are set on the downloaded binary from the executable-dependency module.
Published: 9/17/2020 | Modules affected: executable-dependency, instance-type, join-path, list-remove | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
- The run-pex-as-resource module no longer supports running code on destroy. See the migration guide below for more details.
Published: 9/29/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
- Add DynamoDB VPC endpoints to the vpc-mgmt module. We already had these endpoints in vpc-app, but somehow must've forgotten to add them to vpc-mgmt.
- Propagate the tags from the custom_tags input variable in vpc-app and vpc-mgmt to all VPC endpoints. This ensures more consistent tagging for all resources created by these modules.
Published: 9/24/2020 | Modules affected: vpc-app, vpc-mgmt | Release notes
The VPC modules now gracefully handle num_availability_zones values that are greater than the number of AZs in the region.
Published: 9/18/2020 | Modules affected: network-acl-inbound, network-acl-outbound, vpc-app-network-acls, vpc-app | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
- From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
- Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 9/1/2020 | Modules affected: vpc-flow-logs | Release notes
This is a minor update that fixes a perpetual diff in the vpc-flow-logs module caused by the new AWS provider v3 chopping the :* off the CloudWatch Logs Group ARN.