Gruntwork release 2021-04
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2021-04. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 4/22/2021 | Release notes
This release adds the --region flag when working with VCS secrets. Refer to the Setting up the tokens in AWS Secrets Manager section for details.
Published: 4/27/2021 | Release notes
This release adds a tool for generating example reference architectures for use in the for-production examples in terraform-aws-service-catalog.
In addition, there are many other bug fixes and updates, including:
- Fixes for renovatebot
- Docs updates
- Fixes for the ASG sample app
- Updates to the Circle CI config
Published: 4/16/2021 | Release notes
Published: 4/2/2021 | Release notes
Multitude of updates and fixes, including latest version of the service catalog, container image building for the deploy runner, app CI/CD, improved Jenkins Support, Elasticsearch blueprint, EKS bug fixes, and more.
Published: 4/28/2021 | Modules affected: asg-rolling-deploy, server-group | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/12/2021 | Modules affected: server-group | Release notes
- This release enables encryption by default for the root volume of instances in the ASG.
Published: 4/28/2021 | Modules affected: memcached, redis | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/12/2021 | Modules affected: redis | Release notes
- This release updates redis clusters to enable encryption by default for data in transit and at rest. Refer to the Migration guide.
Published: 4/27/2021 | Modules affected: jenkins-server | Release notes
- Bump to latest version of terraform-aws-asg to fully support terraform 0.14.
Published: 4/19/2021 | Modules affected: gruntwork-module-circleci-helpers | Release notes
Fix regression bug where we no longer can download golang from the old location due to a 403.
Published: 4/14/2021 | Modules affected: ecs-deploy-runner | Release notes
- Upgraded the deploy runner to terraform 0.13.6
Published: 4/13/2021 | Modules affected: jenkins-server | Release notes
This release enables encryption by default for the Jenkins EBS volume. Previously, the EBS volume was not encrypted by default. Unless you want to destroy and recreate your Jenkins data EBS volume, you MUST follow the migration guide below.
Published: 4/9/2021 | Modules affected: ec2-backup, ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/26/2021 | Modules affected: aws-securityhub | Release notes
- Use account's name as key for for_each instead of account_id in SecurityHub [BACKWARDS INCOMPATIBLE]
Published: 4/21/2021 | Modules affected: cleanup-expired-certs, aws-config-multi-region, cloudtrail, cross-account-iam-roles | Release notes
Update the versions of the following underlying modules:
- terraform-aws-lambda to v0.10.1
- terraform-aws-security to v0.46.7
- terraform-aws-service-catalog to v0.35.0
Published: 4/13/2021 | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/13/2021 | Modules affected: aws-config-multi-region, cloudtrail, iam-groups | Release notes
- Made some verifications for AWS Config required, and added a comment noting which CIS recommendation each belongs to
- Add outputs from the Benchmark filters to the Cloudtrail module
- Add variable kms_key_already_exists for the Cloudtrail module. There was an error where var.kms_key_arn != null was invalid due to kms_key_arn being an output from another module. The same variable exists in terraform-aws-security.
- Add comments to IAM Groups noting which recommendation each hard-coded value belongs to
Published: 4/8/2021 | Modules affected: aws-config-multi-region, cleanup-expired-certs, cloudtrail, cloudwatch-logs-metric-filters | Release notes
This release updates versions of several underlying modules, including several backwards incompatible upgrades. Please see the Migration guide section for manual steps necessary to perform the upgrade.
⚠️ This is a backwards incompatible upgrade. Please follow the instructions in the linked Release Notes pages to upgrade! If you are upgrading across multiple backwards incompatible versions (e.g., v0.3.0 to v0.6.0), you MUST check the release notes for every release in between too! ⚠️
Published: 4/28/2021 | Modules affected: lambda-create-snapshot, aurora, efs, lambda-cleanup-snapshots | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/15/2021 | Modules affected: aurora, efs, rds, redshift | Release notes
- Encryption is now enabled by default for aurora, efs, rds, and redshift.
Published: 4/22/2021 | Modules affected: ecs-service | Release notes
- You can now enable Amazon ECS Exec for your Tasks by setting the new enable_execute_command input variable to true.
- Fixed a couple "interpolation only" warnings.
Published: 4/13/2021 | Modules affected: ecs-service | Release notes
- Fixes an "interpolation-only expressions" deprecation warning in ecs-service.
Published: 4/13/2021 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/13/2021 | Modules affected: ecs-service | Release notes
- Fix health check and timeout settings for the target groups created by ecs-service. Depending on the protocol you're using (e.g., TCP, UDP, TLS, etc), only certain values are permitted. The AWS docs are unclear on this, but we've done our best to implement the required rules.
Published: 4/1/2021 | Modules affected: ecs-daemon-service, ecs-service | Release notes
Remove var.environment_name from ecs-service and ecs-daemon-service. This was only used to name the IAM resources created within the modules, but was confusingly named. The functionality of the variable has been replaced with the following three, targeted variables:
- var.custom_iam_role_name_prefix for the IAM role used by the ECS tasks.
- var.custom_task_execution_name_prefix for the IAM role used by ECS to spawn the tasks.
- var.custom_ecs_service_role_name for the IAM role used by the ECS service to access load balancers.
Refer to the migration guide to avoid recreating the IAM roles when updating to this release.
Published: 4/28/2021 | Modules affected: eks-alb-ingress-controller-iam-policy, eks-alb-ingress-controller, eks-aws-auth-merger, eks-cluster-control-plane | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/27/2021 | Modules affected: eks-iam-role-assume-role-policy-for-service-account, eks-k8s-external-dns | Release notes
- Remove unused local variables in eks-iam-role-assume-role-policy-for-service-account
- Fix bug where affinity was not properly configured for external-dns
Published: 4/15/2021 | Modules affected: eks-alb-ingress-controller-iam-policy, eks-alb-ingress-controller, eks-aws-auth-merger, eks-cluster-control-plane | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
- Note that Terraform 0.14 seems to have exposed EKS authentication expiry issues more than previous versions, so when upgrading to this version, we recommend following the migration guide below.
Published: 4/12/2021 | Modules affected: eks-container-logs | Release notes
- You can now configure additional outputs for fluent-bit using the extra_outputs input variable.
Published: 4/8/2021 | Modules affected: eks-alb-ingress-controller, eks-container-logs | Release notes
- Bump default helm chart versions of essential services to latest versions:
  - Bump default version of AWS Load Balancer Controller to v2.1.3 (was v2.0.1)
- Bump test dependency version to pull in security patches.
Published: 4/1/2021 | Modules affected: eks-cluster-control-plane | Release notes
- The naming logic of the default Fargate execution IAM role has been modified to support longer cluster names. You can now directly set the IAM role name using the new custom_fargate_iam_role_name input variable. Note that the default name has also been shortened, using the suffix -fargate-role instead of -default-fargate-execution-role. To avoid recreating the IAM role, you can set var.custom_fargate_iam_role_name to CLUSTER_NAME-default-fargate-execution-role.
- Update documentation to use the new repository names in cross references.
Published: 4/28/2021 | Modules affected: keep-warm, lambda-edge, lambda, scheduled-lambda-job | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/16/2021 | Modules affected: keep-warm, lambda-edge, lambda | Release notes
- You can now use Docker images with the lambda module by specifying the new input variables image_uri, entry_point, command, and working_directory.
- We renamed all our repos to use HashiCorp's naming convention (terraform-<cloud>-<name>, e.g., terraform-aws-vpc), so we went through each repo and updated all the internal references. This should not affect functionality.
Published: 4/28/2021 | Modules affected: acm-tls-certificate, alb, lb-listener-rules | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/26/2021 | Modules affected: acm-tls-certificate, alb | Release notes
- Enhance docs for ACM cert with mismatching zone
- Add alb_name length validation. The alb_name variable will now only accept strings that are a maximum of 32 characters in length. This is a requirement imposed by the AWS API - so catching these issues on the client side prevents runtime errors. However, since native Terraform variable validation was released in v0.13.0, you will need to use at least Terraform v0.13.0 (or greater) going forward once you begin using this release.
Published: 4/8/2021 | Modules affected: acm-tls-certificate | Release notes
Published: 4/28/2021 | Modules affected: kinesis, sns, sqs | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/2/2021 | Modules affected: alarms | Release notes
- You can now configure custom auth settings for the nested provider block within the route53-health-check-alarms module using the new input variables provider_role_arn, provider_external_id, provider_session_name, provider_profile, and provider_shared_credentials_file.
Published: 4/28/2021 | Modules affected: openvpn-server | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/15/2021 | Modules affected: openvpn-admin | Release notes
Update the version of dependencies used in openvpn-admin.
Published: 4/13/2021 | Modules affected: openvpn-admin | Release notes
You can now customize the mssfix value used in the openvpn config that is downloaded by openvpn-admin by using the --mssfix flag. Additionally, the openvpn-admin command will automatically identify the optimal mssfix value to use for the client machine when omitted.
Published: 4/9/2021 | Modules affected: openvpn-server | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
- Add gox to the test's README.md
- Add note for partial Ubuntu20 support
Published: 4/9/2021 | Modules affected: api-gateway-account-settings, gruntsam | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/30/2021 | Modules affected: account-baseline-root | Release notes
- Use created Organization ID as default for var.cloudtrail_organization_id. Now the account-baseline-root module can set up Cloudtrail both at the root-account level and organization-wide level.
Published: 4/29/2021 | Modules affected: account-baseline-app, account-baseline-root, account-baseline-security, aws-config-bucket | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/27/2021 | Modules affected: auto-update, ntp, ssm-healthchecks-iam-permissions, tls-cert-private | Release notes
Starting this release, all the modules have been updated to test with Ubuntu 20.04. As a result of this, support for Ubuntu 16.04 has been dropped.
Published: 4/26/2021 | Modules affected: account-baseline-security | Release notes
- Adding module-level flags to allow enabling or disabling of aws-config, iam-groups, iam-cross-account-roles modules
Published: 4/20/2021 | Modules affected: iam-user-password-policy, iam-users | Release notes
- You can now attach IAM policies (AWS managed, customer managed, and inline policies) directly to users in the iam-users module. Previously you were only able to attach IAM groups to the created users. Refer to the updated variable description for more details.
- iam-users module is now robust to changes in the Access Key.
Published: 4/14/2021 | Modules affected: iam-policies | Release notes
The dev_permitted_services variable in the iam-policies module now allows fine-grained permissions. For example, this setting:

    dev_permitted_services = [
      "sns",
      "s3:PutObject"
    ]

grants sns:* and s3:PutObject permissions.
This change is backward compatible, but you will notice a new sid for the policy to reflect the change in functionality.
Published: 4/13/2021 | Modules affected: iam-user-password-policy | Release notes
- Fixes the empty tuple errors when setting var.create_resources to false in the iam-user-password-policy module.
Published: 4/2/2021 | Modules affected: iam-policies | Release notes
- Adds Glue actions to the ReadOnlyAccess IAM policy
Published: 4/1/2021 | Modules affected: account-baseline-root | Release notes
- You can now enable access logging for the CloudTrail S3 bucket in account-baseline-root using the new enable_cloudtrail_s3_server_access_logging input variable.
Published: 4/28/2021 | Modules affected: ec2-backup, single-server | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/30/2021 | Modules affected: services, base, mgmt, networking | Release notes
- Updated dependencies for:
  - gruntwork-io/terraform-aws-asg to v0.14.0
  - gruntwork-io/terraform-aws-server to v0.12.0
  - gruntwork-io/terraform-aws-vpc to v0.15.0
  - gruntwork-io/terratest to v0.34.2
  - gruntwork-io/kubergrunt to v0.6.14
  - gruntwork-io/terragrunt to v0.29.1
- Use created Organization ID as default for var.cloudtrail_organization_id. Now the account-baseline-root module can set up Cloudtrail both at the root-account level and organization-wide level.
Published: 4/26/2021 | Modules affected: services, landingzone, networking, base | Release notes
- Fixed the following bugs in asg-service:
  - The CloudWatch alarm variables enable_cloudwatch_alarms and alarms_sns_topic_arn are now properly recognized. Previously these variables were ignored and no alarms for the ASG were being configured.
  - You can now configure the name of the Target Group using the target_group_name in the object passed to the server_ports input. This is useful when migrating an existing target group into the service catalog module.
- Adding module-level flags to allow enabling or disabling of aws-config, iam-groups, iam-cross-account-roles modules. The default value of the enable_* flags is set to true, so using or calling these modules is not expected to change.
- Add variable validation to alb_name to guard against the limit of 32 characters for ALB names
- Fix bug in ec2-baseline where it incorrectly detected that dpkg was not available.
- Add sensible defaults for ssh_grunt_iam_group and ssh_grunt_iam_group_sudo to the bastion-host and jenkins modules.
- You can now configure a PodDisruptionBudget for your Kubernetes service deployed with the k8s-service module using the min_number_of_pods_available input variable.
Published: 4/21/2021 | Modules affected: networking/alb | Release notes
- The ssl_policy on the ALB is now configurable.
Published: 4/20/2021 | Modules affected: services/eks-core-services | Release notes
- You can now selectively disable the services that are deployed with eks-core-services using the new enable variables: var.enable_fluent_bit, var.enable_alb_ingress_controller, var.enable_external_dns, and var.enable_cluster_autoscaler. NOTE: This feature depends on Terraform 0.13.0 and above. If you are using Terraform 0.12, you must first upgrade to Terraform 0.13 to take advantage of this.
Published: 4/19/2021 | Modules affected: services/eks-core-services | Release notes
- You can now control annotations and labels for the autoscaler service in eks-core-services using the new input variables cluster_autoscaler_pod_annotations and cluster_autoscaler_pod_labels, respectively.
Published: 4/16/2021 | Modules affected: networking/route53 | Release notes
- Fix a bug in the output variables of the route53 module that, depending on the inputs you passed in, could lead to an "Inconsistent conditional result types" error.
Published: 4/15/2021 | Modules affected: mgmt/ecs-deploy-runner, mgmt/jenkins, mgmt/openvpn-server, services/eks-cluster | Release notes
- Update a few more dependencies to work with Terraform 0.14, including:
  - Update dependency gruntwork-io/terraform-aws-eks to v0.36.0. This is a breaking change. See the migration guide below.
  - Update dependency gruntwork-io/terraform-aws-openvpn to v0.14.1
  - Update dependency gruntwork-io/terraform-aws-ci to v0.33.1
  - Update dependency gruntwork-io/terraform-aws-ecs to v0.28.1
  - Update dependency gruntwork-io/terraform-kubernetes-namespace to v0.2.0
Published: 4/15/2021 | Modules affected: networking | Release notes
Allows wildcard domains to be passed in the subject_alternative_names, making it easier to request a single ACM certificate that protects both the apex domain (example.com) AND the first level of subdomains (*.example.com). To achieve this, request example.com in the key of your var.public_zones map and pass *.example.com in the subject_alternative_names list for the same entry:

    public_zones = {
      "example.com" = {
        comment = "You can add arbitrary text here"
        tags = {
          Foo = "bar"
        }
        force_destroy = true
        subject_alternative_names = ["*.example.com"]
        created_outside_terraform = true
        base_domain_name_tags = {
          original = true
        }
      }
    }

NOTE: Starting with this release, it is no longer possible to disable the creation of ACM certificates on the domains that are managed by the module. We reintroduced the ability to disable ACM certificate creation in v0.44.5. It is advised to upgrade to at least that version if you want to avoid managing ACM certificates in this module.
Published: 4/15/2021 | Modules affected: data-stores/elasticsearch, mgmt/jenkins-server, mgmt/bastion-host, services/eks-cluster | Release notes
- Encryption is now enabled by default for Elasticsearch.
- Encryption is now enabled by default for the Jenkins EBS volume.
- All Packer templates now enable encryption by default for the root volume of the image.
- The sns-topics module now accepts a kms_master_key_id and a list of allow_publish_services that allow the given AWS services to publish to the SNS topic.
Published: 4/14/2021 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
- From this release onward, we will only be running tests with Terraform 0.14.x against this repo, so we recommend updating to 0.14.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.14.x.
- Once all Gruntwork repos have been upgraded to work with 0.14.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/14/2021 | Modules affected: mgmt/jenkins, mgmt/openvpn-server, data-stores, services | Release notes
- All modules that were exporting CloudWatch dashboard metric widgets now also expose all the widgets in a single list output all_metric_widgets. This makes it easier to construct dashboards for specific services.
- The jenkins module will now force https protocol for the ALB. Previously, the jenkins ALB was accessible under both http (port 80) and https (port 443). Now the ALB will automatically redirect to https when accessed under http.
- The default version of Jenkins installed with the jenkins-server packer template is now 2.277.2 (previously 2.263.4). The default version of Terraform installed with the jenkins-server packer template is now 0.13.6 (previously 0.12.21).
- The domain settings for openvpn-server now allow you to specify a custom domain.
- account-baseline-app now has a number of conditional variables that can be used to enable/disable the creation of resources.
- account-baseline-app now has the option to automatically deploy the iam-access-analyzer-multi-region module inline with the other account baselines. Note: this is disabled by default.
- Adds a number of conditional variables to the App Account Baseline in order to override the creation of resources with their CIS-compatible variants.
- Update dependency gruntwork-io/terraform-aws-eks to v0.35.2. You can now configure additional output streams for fluent-bit on the eks-core-services module.
- Update dependency gruntwork-io/gruntwork-installer to v0.0.36
- Update dependency gruntwork-io/kubergrunt to v0.6.12
Published: 4/9/2021 | Modules affected: services/eks-cluster, services, mgmt, networking | Release notes
- Update dependency gruntwork-io/terraform-aws-eks to v0.35.1 (was v0.33.1). This is a backward incompatible change. This update renames the default Fargate Execution IAM role that gets created by the eks-cluster-control-plane module. To avoid recreating the IAM role, you need to configure custom_default_fargate_iam_role_name to be <CLUSTER_NAME>-default-fargate-execution-role.
- Update dependency gruntwork-io/terragrunt to v0.28.19
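
A pre-apply check for the upgrades above that warn about recreating the Jenkins EBS volume or the ECS and Fargate IAM roles, as an added example that is not Gruntwork's code: it reads the JSON form of a saved plan (terraform show -json) and lists protected resources that would be deleted or replaced, with the attributes that differ. The sample plan, every resource address in it and the PROTECTED_TYPES set are constructed for illustration.

```python
"""Flag plan entries that would delete or replace stateful resources."""
import json
import sys

# Resource types this page warns about recreating on upgrade. The set is an
# assumption made for this example; extend it to match your own stack.
PROTECTED_TYPES = frozenset({"aws_ebs_volume", "aws_iam_role"})

# Constructed sample in the `terraform show -json` layout. Every address and
# value below is hypothetical.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "0.1",
  "resource_changes": [
    {"address": "module.jenkins.aws_ebs_volume.jenkins",
     "type": "aws_ebs_volume",
     "change": {"actions": ["delete", "create"],
                "before": {"id": "vol-EXAMPLE", "encrypted": false, "size": 200},
                "after": {"encrypted": true, "size": 200},
                "after_unknown": {"id": true}}},
    {"address": "module.ecs_service.aws_iam_role.ecs_task",
     "type": "aws_iam_role",
     "change": {"actions": ["create", "delete"],
                "before": {"name": "stage-task-role"},
                "after": {"name": "my-service-task-role"},
                "after_unknown": {}}},
    {"address": "module.jenkins.aws_security_group.jenkins",
     "type": "aws_security_group",
     "change": {"actions": ["delete", "create"],
                "before": {"description": "old"},
                "after": {"description": "new"},
                "after_unknown": {}}},
    {"address": "module.jenkins.aws_iam_role.jenkins",
     "type": "aws_iam_role",
     "change": {"actions": ["no-op"],
                "before": {"name": "jenkins"},
                "after": {"name": "jenkins"},
                "after_unknown": {}}}
  ]
}
""")


def classify(actions):
    """Map a plan 'actions' list to 'replace', 'delete' or None (non-destructive)."""
    actions = list(actions)
    if "delete" in actions and "create" in actions:
        # ["delete", "create"], or ["create", "delete"] with create_before_destroy
        return "replace"
    if actions == ["delete"]:
        return "delete"
    return None


def changed_attributes(change):
    """Top-level attributes whose known planned value differs from state.

    Values only known after apply (ids, ARNs) are listed in after_unknown and
    skipped, so the result points at the input that forces the replacement.
    """
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    names = set(before) | set(after)
    return sorted(n for n in names
                  if unknown.get(n) is not True and before.get(n) != after.get(n))


def find_destructive_changes(plan, protected_types=PROTECTED_TYPES):
    """Return one finding per protected resource the plan deletes or replaces."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in protected_types:
            continue
        change = rc.get("change") or {}
        kind = classify(change.get("actions", []))
        if kind is None:
            continue
        changed = changed_attributes(change) if kind == "replace" else []
        findings.append({"address": rc["address"], "kind": kind, "changed": changed})
    return findings


def main(argv):
    # With a path argument, read that plan JSON; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_destructive_changes(plan)
    for f in findings:
        detail = ", ".join(f["changed"]) or "n/a"
        print(f"{f['kind'].upper():8} {f['address']}  (differs: {detail})")
    return 1 if findings else 0  # non-zero exit lets CI block the apply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI against the output of terraform show -json for the saved plan file; a non-zero exit means a protected resource is about to be destroyed and the release's migration guide has not been applied yet.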
Published: 4/8/2021 | Modules affected: services/ecs-cluster, services, base, data-stores | Release notes
- Several bug fixes in the ecs-cluster module:
  - Remove unused variables (allow_requests_from_public_alb, include_internal_alb, enable_cloudwatch_alarms). If you were configuring these, you will need to remove them from your module call.
  - enable_ecs_cloudwatch_alarms, enable_cloudwatch_metrics, and enable_cloudwatch_log_aggregation now default to true like all the other modules in the Service Catalog. Set to false if you were using the default values.
  - Remove redundant cloudwatch logs aggregation IAM policy attachment.
- Update dependency gruntwork-io/terraform-aws-monitoring to v0.26.1
- Add ability to specify the encryption configuration for the images in the ECR repo
- Update dependency gruntwork-io/kubergrunt to v0.6.11
- Update dependency gruntwork-io/terraform-aws-security to v0.46.4
- Update dependency gruntwork-io/terratest to v0.32.21
Published: 4/7/2021 | Modules affected: landingzone | Release notes
- Add comment about why we are setting domain TTL so low
- Port of account-baseline-root fixes from terraform-aws-security (v0.45.6 and v0.46.2)
Published: 4/6/2021 | Modules affected: services/eks-cluster, data-stores/elasticsearch | Release notes
- Expose ability to configure TTL of domains in k8s-service module.
- Exposes eks_kubeconfig output in the eks-cluster module from underlying eks-cluster-control-plane module.
- Allows disabling EBS volumes in Elasticsearch domains, thus permitting the use of instance types with optimized instance storage such as i3 instances.
Published: 4/6/2021 | Modules affected: services/ecs-service, services/asg-service, networking, landingzone/account-baseline-root | Release notes
- Update dependency gruntwork-io/terraform-aws-static-assets to v0.8.0 (was v0.7.1)
- Update dependency gruntwork-io/terraform-aws-load-balancer to v0.23.0 (was v0.22.0)
- Add Access Analyzer to var.organizations_aws_service_access_principals
Published: 4/1/2021 | Modules affected: services/ecs-service, services, mgmt | Release notes
- Update dependency gruntwork-io/gruntwork-installer to v0.0.35
- Update dependency gruntwork-io/terraform-aws-ci to v0.31.1 (was v0.30.0)
- Update dependency gruntwork-io/terraform-aws-ecs to v0.27.0 (was v0.26.0)
Published: 4/1/2021 | Modules affected: data-stores/redis, services/ecs-service, mgmt, base | Release notes
- Address various inconsistencies in the ecs-service module:
  - Cleaned up health check related parameters to distinguish between those configured for the Route 53 health check and those for the ALB.
  - Remove unused IAM role (aws_iam_role.ecs_task_execution_role)
  - Expose custom IAM role name prefixes.
  - Adjust required variables: ecs_cluster_name is now required, since it results in errors when set to null, and ecs_node_port_mappings, which is only used in special circumstances, now defaults to null.
- Update dependency gruntwork-io/terraform-aws-cache to v0.13.0 (previously v0.11.0)
- Update dependency gruntwork-io/terraform-aws-security to v0.46.0 (previously v0.45.1)
- Update dependency gruntwork-io/terratest to v0.32.18 (previously v0.32.10)
- Update dependency gruntwork-io/terraform-aws-ecs to v0.25.3 (previously v0.25.1)
- Update dependency gruntwork-io/terragrunt to v0.28.18 (previously v0.28.16)
- Update dependency gruntwork-io/terraform-aws-server to v0.11.0 (previously v0.10.1)
- Update dependency gruntwork-io/terraform-aws-eks to v0.33.1 (previously v0.32.4)
- Update dependency gruntwork-io/terraform-aws-asg to v0.12.1 (previously v0.11.2)
- Update dependency gruntwork-io/terraform-aws-data-storage to v0.18.1 (previously v0.17.3)
- Update dependency gruntwork-io/terraform-aws-vpc to v0.14.4 (previously v0.13.1)
Published: 4/13/2021 | Modules affected: services/eks-cluster, services/k8s-namespace, mgmt, networking | Release notes
- Update dependency gruntwork-io/terraform-aws-eks v0.29.1 => v0.31.1 Release notes:
- Updated from terraform-kubernetes-helm to terraform-kubernetes-namespace for managing Namespaces.
- Add Healthcheck variables and parameter passing to ecs-service for ELB.
Published: 4/28/2021 | Modules affected: s3-cloudfront | Release notes
- You can now configure the SSL protocol and origin protocol policy for CloudFront when it accesses the S3 bucket using the bucket_origin_config_protocol_policy and bucket_origin_config_ssl_protocols variables.
Published: 4/28/2021 | Modules affected: s3-cloudfront, s3-static-website | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/27/2021 | Modules affected: s3-cloudfront, s3-static-website | Release notes
- You can now specify lifecycle rules for the S3 bucket using the new lifecycle_rules input variable.
- You can now automatically generate a random suffix for the S3 bucket name by setting the add_random_id_name_suffix input variable to true. This is helpful in ensuring that your S3 bucket name is globally unique.
Published: 4/28/2021 | Modules affected: executable-dependency, instance-type, join-path, list-remove | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 4/28/2021 | Modules affected: vpc-flow-logs, network-acl-inbound, network-acl-outbound, vpc-app-network-acls | Release notes
- Terraform 0.15 upgrade: We have verified that this repo is compatible with Terraform 0.15.x!
- From this release onward, we will only be running tests with Terraform 0.15.x against this repo, so we recommend updating to 0.15.x soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.15.x.
- Once all Gruntwork repos have been upgraded to work with 0.15.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.