Gruntwork release 2020-10
Guides / Update Guides / Releases / 2020-10
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2020-10. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 10/30/2020 | Release notes
Published: 10/26/2020 | Release notes
Published: 10/21/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
NOTE: we switched the date format for releases to v0.0.1-YYYYMMDD
. Previously, this was v0.0.1-MMDDYYYY.
All the modules have been updated to be compatible with:
- Ubuntu 18.04
- Packer 1.6
- AWS Provider v3
In the process, the following module versions have been updated. Refer to the release notes of the corresponding repos for a description of the full changes.
Refer to the migration guide in infrastructure-modules-multi-account-acme for instructions on how to update existing reference architectures.
Published: 10/21/2020 | Release notes
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
NOTE: we switched the date format for releases to v0.0.1-YYYYMMDD
. Previously, this was v0.0.1-MMDDYYYY.
All the modules have been updated to be compatible with:
- Ubuntu 18.04
- Packer 1.6
- AWS Provider v3
In the process, the following module versions have been updated. Refer to the release notes of the corresponding repos for a description of the full changes.
You can follow the following guide to update each component to the newer versions offered in this refresh:
-
cloudtrail : Update the module to the new version (v0.36.8
), apply the state transitions, and change the KMS key configuration so that the logs are encrypted using a key in the security
account (instructions).
-
kms-master-key : Update the module to the new version (v0.36.8
) and apply the state transitions (instructions).
-
iam-groups : Update the module to the new version (v0.36.8
) and apply the state transitions (instructions)
-
iam-cross-account : Update to the module to the new version (v0.36.8
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
iam-user-password-policy : Update the module to the new version (v0.36.8
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
openvpn-server : Update the module to the new version (v0.11.1
) and switch the AMI to use Ubuntu 18.04. (instructions)
-
jenkins : Update the module to the new version (v0.28.1
) and switch the AMI to use Ubuntu 18.04. (instructions)
-
vpc-app and vpc-mgmt : Update to the new version (v0.9.4
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
alb : Update to the new version (v0.20.4
). This update requires a state change. See the migration guide in the underlying module for instructions on how to update the state. Refer to this commit for a reference of the requisite updates to the code.
-
sns-topics : Update to the new version (v0.3.4
). This update is backwards compatible.
-
cloudwatch-dashboard : Update to the new version (v0.22.2
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
lambda : Update to the new version (v0.8.1
) and apply the state transitions. (instructions).
-
rds : Update to the new version (v0.15.0
) and apply the state transitions. (instructions)
-
redis : Update to the new version (v0.9.4
) and apply the state transitions. (instructions)
-
zookeeper and kafka : Update to the respective new versions and switch the AMIs to use Ubuntu 18.04. Note that the module will automatically perform a rolling update for both services when you apply
with the new AMI. Refer to this commit for a reference of the requisite updates. Make sure to update zookeeper before updating kafka.
-
elk-single-cluster and elk-multi-cluster : Update to the new version (v0.6.0
) and switch the AMIs to use Ubuntu 18.04. Note that the module will automatically perform a rolling update for all the services. Be aware that the default ELK versions within each module have changed: if it is not desirable to update Elasticsearch versions, make sure to specify the specific ES version in the packer templates. Refer to this commit for a reference of the requisite updates.
-
ecs-cluster : Update to the new version (v0.22.0
) and switch the AMI to use Ubuntu 18.04. (instructions)
-
ecs-service-with-alb : Update to the new version (v0.22.0
) and apply the state transitions. (instructions)
-
EKS modules : Update to the new version (v0.22.1
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
static-website : Update to the new version (v0.6.5
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
-
asg-service : Update to the new version (v0.10.0
). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.
Published: 10/12/2020 | Modules affected: elasticbeanstalk-environment | Release notes
- You can now specify the load balancer type to use in the
elasticbeanstalk-environment
module by using the new load_balancer_type
input variable.
Published: 10/28/2020 | Modules affected: ecs-deploy-runner | Release notes
You can now configure the ECS deploy runner with repository credentials for pulling down the images using the new repository_credentials_secrets_manager_arn
input var.
Published: 10/2/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform
0.13.x
!
- From this release onward, we will only be running tests with Terraform
0.13.x
against this repo, so we recommend updating to 0.13.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (
required_providers
with source
URLs) that make it more forwards compatible with 0.13.x
.
- Once all Gruntwork repos have been upgrade to work with
0.13.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 10/27/2020 | Modules affected: aws-securityhub | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform
0.13.x
!
- From this release onward, we will only be running tests with Terraform
0.13.x
against this repo, so we recommend updating to 0.13.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (
required_providers
with source
URLs) that make it more forwards compatible with 0.13.x
.
- Once all Gruntwork repos have been upgrade to work with
0.13.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
- The
aws-securityhub
module will no longer automatically clean up associations with master accounts when you run destroy
. See the migration guide below for upgrade instructions.
Published: 10/22/2020 | Modules affected: custom-iam-entity | Release notes
Published: 10/20/2020 | Modules affected: aws-securityhub | Release notes
- Switch from using a Python script to associate new member accounts in AWS Security Hub to using the new
aws_securityhub_member
resource. See the migration guide below for upgrade instructions.
Published: 10/15/2020 | Modules affected: cloudtrail | Release notes
Expose ability to specify an existing KMS key for encrypting cloudtrail logs.
Published: 10/16/2020 | Modules affected: aurora | Release notes
- You can now enable the HTTP endpoint for the Data API on Aurora Serverless using the new 'enable_http_endpoint' input variable.
Published: 10/30/2020 | Modules affected: eks-cluster-workers | Release notes
Gracefully handle use_existing_cluster_config = false
and use_cluster_security_group = true
.
Published: 10/28/2020 | Modules affected: eks-cluster-control-plane, eks-cloudwatch-container-logs, eks-container-logs, eks-aws-auth-merger | Release notes
-
The fluentd
based log shipping module (eks-cloudwatch-container-logs
) has been deprecated and replaced by a new module based on fluent-bit
. This supports additional targets such as Firehose and Kinesis in addition to Cloudwatch, while also being more efficient in terms of underlying resource usage. Refer to the migration guide for information on how to update.
-
The default Kubernetes version used by the module has been updated to 1.18. Note that you will kubergrunt
v0.6.3 or newer if you wish to upgrade your existing EKS clusters to Kubernetes version 1.18.
Published: 10/27/2020 | Modules affected: eks-k8s-external-dns | Release notes
- You can now configure the
triggerLoopOnEvent
setting on the external-dns
service.
- Update the documentation surrounding retrieving authentication tokens for EKS.
Published: 10/20/2020 | Modules affected: eks-cluster-control-plane | Release notes
The automatic upgrade cluster feature now uses kubergrunt eks sync-core-components
instead of an embedded script. This allows you to independently upgrade to newer EKS cluster versions as they are released without updating the module version.
If you were relying on the automatic update script to sync the core components prior to this release, you will need to ensure that you have kubergrunt
installed (minimum version v0.6.2) to continue using it.
Published: 10/2/2020 | Modules affected: eks-k8s-cluster-autoscaler | Release notes
Switch to using the new location for the cluster-autoscaler
helm chart so that the module continues to work after the stable
and incubator
repos are decommissioned in November.
NOTE: This will redeploy the cluster-autoscaler
pods, but all the data and variables are backwards compatible. We have marked this release as backwards incompatible due to the resulting downtime in the scaling functionality, but effectively, there will be no change to your cluster by redeploying the component (no downtime to your apps or EKS cluster).
Published: 10/1/2020 | Modules affected: eks-cluster-control-plane, eks-cluster-workers | Release notes
The following variables and outputs have been renamed:
eks-cluster-control-plane
- [variable]
vpc_master_subnet_ids
=> vpc_control_plane_subnet_ids
- [output]
eks_master_security_group_id
=> eks_control_plane_security_group_id
- [output]
eks_master_iam_role_arn
=> eks_control_plane_iam_role_arn
- [output]
eks_master_iam_role_name
=> eks_control_plane_iam_role_name
eks-cluster-workers
- [variable]
eks_master_security_group_id
=> eks_control_plane_security_group_id
All other functionality is preserved. To update to this version, replace usage of the old variable and output names to the new ones.
Published: 10/15/2020 | Modules affected: lambda | Release notes
This release adds the option to create an outbound "allow all" rule in the Lambda security group that will allow it to communicate with external services. To enable this, set should_create_outbound_rule=true
when calling the lambda
module. Defaults to false.
Published: 10/15/2020 | Modules affected: acm-tls-certificate, alb, lb-listener-rules | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform
0.13.x
!
- From this release onward, we will only be running tests with Terraform
0.13.x
against this repo, so we recommend updating to 0.13.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (
required_providers
with source
URLs) that make it more forwards compatible with 0.13.x
.
- Once all Gruntwork repos have been upgrade to work with
0.13.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 10/27/2020 | Modules affected: alarms | Release notes
- Fix a bug in the
alb-target-group-alarms
module, switching the module to use "Seconds"
instead of "Count"
as the proper unit for the TargetResponseTime
alarm.
Published: 10/7/2020 | Modules affected: gruntsam | Release notes
- Added the
create_before_destroy = true
lifecycle setting to the aws_api_gateway_deployment
resource to work around intermittent "BadRequestException: Active stages pointing to this deployment must be moved or deleted" errors.
Published: 10/2/2020 | Modules affected: api-gateway-account-settings, gruntsam | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform
0.13.x
!
- From this release onward, we will only be running tests with Terraform
0.13.x
against this repo, so we recommend updating to 0.13.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (
required_providers
with source
URLs) that make it more forwards compatible with 0.13.x
.
- Once all Gruntwork repos have been upgrade to work with
0.13.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 10/29/2020 | Modules affected: private-s3-bucket | Release notes
- In
private-s3-bucket
, the server side encryption algorithm is now configurable through the newly exposed sse_algorithm
variable
Published: 10/26/2020 | Modules affected: cloudtrail-bucket, cloudtrail, account-baseline-app, account-baseline-root | Release notes
This release contains backwards incompatible changes. Make sure to follow the instructions in the migration guide below!
- The
cloudtrail-bucket
module has been refactored to use the private-s3-bucket
module under the hood to configure the cloudtrail S3 bucket.
- The
cloudtrail-bucket
module will now configure the bucket to default to encrypting objects with the newly created KMS key, or the provided KMS key if it already exists.
Published: 10/22/2020 | Modules affected: private-s3-bucket | Release notes
- Fix invocations of
for_each
to default to empty list instead of null
. This bug in the private-s3-bucket
module that made it impossible to configure bucket replication.
Published: 10/21/2020 | Modules affected: private-s3-bucket, custom-iam-entity | Release notes
- In
private-s3-bucket
, the bucket ACL is now configurable through the newly exposed acl
variable.
- In
custom-iam-entity
, previously, IAM roles and groups were treated the same with regards to MFA. With this release, for roles, we no longer attach the require_mfa_policy
from the iam-policies
module. Instead, we apply MFA to the trust policy. This change allows for sessions longer than 1 hour in duration (which are otherwise imposed due to role chaining limitations).
Published: 10/14/2020 | Modules affected: account-baseline-root | Release notes
- Fix a bug where
account-baseline-root
did not work correctly if none of the accounts in child_accounts
had is_logs_account
set to true
.
Published: 10/19/2020 | Modules affected: single-server | Release notes
- You can now specify the principals that will be allowed to assume the IAM role created by the
single-server
module. This can be useful, for example, to override the default from ["ec2.amazonaws.com"]
to ["ec2.amazonaws.com.cn"]
when using the AWS China region.
Published: 10/27/2020 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- Bump all underlying module version numbers and require Terraform
0.12.26
or above, which means you can now use the Service Catalog with Terraform 0.13.x
as well! The only exception are the Kubernetes / EKS services, as the underlying modules do not support Terraform 0.13.x
yet; we are working on that now and will do a new release when that's ready.
Published: 10/23/2020 | Modules affected: data-stores/aurora | Release notes
This release exposes the cluster_resource_id
attribute as an output from the aurora module.
Published: 10/22/2020 | Modules affected: networking/route53, networking/alb, networking/vpc, services/eks-cluster | Release notes
This release adds the following features to the catalog:
- The route53 module now outputs the generated TLS cert ARNs
- The alb module now allows you to pass an existing S3 bucket for ALB access logs. This is useful for sending ALB logs to a central log account
- For EKS, you can now provide a list of CIDR ranges or security groups that are permitted to access the private EKS API endpoint.
We've also caught up to the latest release of the module-security and terraform-aws-eks repositories.
Migration guide for eks-cluster
This release bumps the terraform-aws-eks
module up to the latest version, including some backwards incompatible changes. Please review the release notes in the following order:
- v0.24.0 - renames several variables in
eks-cluster-control-plan
and eks-cluster-workers
- v0.25.0 - moves the location of the
eks-cluster-autoscaler
helm chart with a brief downtime in autoscaling activity (no other changes needed)
- v0.26.0 - changes the behavior of the automatic cluster upgrade functionality. Now requires
kubergrunt
>= v0.6.2
.
Published: 10/20/2020 | Modules affected: data-stores/rds, services/package-static-assets, mgmt/bastion-host, base/ec2-baseline | Release notes
- Incorporates latest releases from across the library
- For
account-baseline-root
: Fixes a bug where account-baseline-root
did not work correctly if none of the accounts in child_accounts
had is_logs_account
set to true
.
Published: 10/16/2020 | Release notes
This release updates the following modules to the latest releases of their respective downstream modules:
networking/vpc
networking/vpc-mgmt
services/eks-cluster
services/eks-core-services
services/k8s-service
mgmt/ecs-deploy-runner
mgmt/jenkins
mgmt/openvpn-server
landingzone/account-baseline-*
base/ec2-baseline
data-stores/rds
Published: 10/16/2020 | Modules affected: (none) | Release notes
- Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform
0.13.x
!
- From this release onward, we will only be running tests with Terraform
0.13.x
against this repo, so we recommend updating to 0.13.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (
required_providers
with source
URLs) that make it more forwards compatible with 0.13.x
.
- Once all Gruntwork repos have been upgrade to work with
0.13.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.