
Gruntwork release 2021-06


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2021-06. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 6/12/2021 | Release notes

This release adds the gruntwork aws reset-password command to allow resetting the password of an IAM user. See #72 for the relevant code.



Published: 6/24/2021 | Release notes

Correctly populates the arguments when generating examples.

  • #343


Published: 6/24/2021 | Release notes

Fixes path to the CIS service catalog when generating examples.

  • #342


Published: 6/24/2021 | Release notes

Another fix for generating for-production examples.

  • #340


Published: 6/23/2021 | Release notes

Attempts to fix issues with generating the for-production examples.

  • #338


Published: 6/23/2021 | Release notes

Fixes another issue with test failures in the refarch-deployer unit tests.

  • #335


Published: 6/22/2021 | Release notes

Fixes an issue with testing when on a tag ref vs a branch.

  • #330


Published: 6/22/2021 | Release notes

  • Bumps terraform-aws-service-catalog, terraform-aws-security, terragrunt, and gruntwork-installer to the latest versions.

  • Adds CI build step to generate for-production examples in the service catalogs

  • Fixes the source URL in the CIS service catalog for-production examples

  • #328

  • #205

  • #255

  • #310

  • #297

  • #327

  • #322

  • #295


Published: 6/15/2021 | Release notes

  • Hand off text generated now as part of the repo root, in
  • Bunch of other updates!
  • #300
  • #301
  • #302
  • #304
  • #305
  • #306
  • #307
  • #298
  • #316
  • #318
  • #317
  • #319
  • #320
  • #196



Published: 6/14/2021 | Modules affected: server-group | Release notes

  • Fix bug where the IAM permissions were not being attached before the ASG was created



Published: 6/17/2021 | Modules affected: infrastructure-deployer | Release notes

  • infrastructure-deployer now supports AWS SSO and ~/.aws/config.
  • Fix typos in various docs.


Published: 6/11/2021 | Release notes

  • Add toggles for backup routines in Jenkins example


Published: 6/8/2021 | Release notes

The jenkins module now supports Ubuntu 20.04. Note that starting this release, support for Ubuntu 16.04 is dropped.



Published: 6/30/2021 | Modules affected: landingzone | Release notes

  • Remove unused code from SecurityHub codegen and fix run_tests
  • Expose missing bucket variables for Account Baseline Root


Published: 6/28/2021 | Modules affected: observability, security, landingzone, networking | Release notes

  • Add Terraform Validate test
  • Update for-production examples for architecture catalog v0.0.15
  • Update underlying dependencies
    • gruntwork-io/terraform-aws-security to v0.49.4
    • gruntwork-io/terraform-aws-service-catalog to v0.44.5


Published: 6/21/2021 | Modules affected: observability, security, landingzone, networking | Release notes

Update underlying dependencies:

  • gruntwork-io/terraform-aws-monitoring to v0.29.1
  • gruntwork-io/terraform-aws-security to v0.49.3
  • gruntwork-io/terraform-aws-service-catalog to v0.44.0
  • gruntwork-io/terraform-aws-vpc to v0.15.5


Published: 6/18/2021 | Modules affected: security/aws-securityhub | Release notes

  • Introduce aws_securityhub_invite_accepter [BACKWARDS INCOMPATIBLE]
  • Port run_test functionality from terraform-aws-service-catalog


Published: 6/17/2021 | Modules affected: landingzone, security, observability, networking | Release notes

  • Adds a locking mechanism to Securityhub tests, to prevent a race condition that happened during concurrent runs of these tests.
  • Adds for-production examples.
  • Updates variable description for the Security Hub's email.
  • Cleans up unused variables in account-baseline-root.
  • Updates log filters to meet CIS 1.4 recommendations.
  • Updates version references from v1.3 to v1.4 throughout the codebase.


Published: 6/14/2021 | Modules affected: landingzone, observability, security, networking | Release notes

  • Fixes a bug in the password policies where all credentials would get expired after 90 days, not just unused ones. It also shortens the 90-day period to 45 days, to comply with the new 1.4 version of the CIS AWS Benchmark.
  • Updates dependencies:
    • gruntwork-io/terraform-aws-security to v0.49.2
    • gruntwork-io/terraform-aws-service-catalog to v0.42.0


Published: 6/11/2021 | Modules affected: aws-config-multi-region, aws-securityhub, cleanup-expired-certs, cloudtrail | Release notes


Published: 6/7/2021 | Modules affected: networking, aws-config-multi-region, cloudtrail, cross-account-iam-roles | Release notes

Update the underlying versions of the following modules

  • gruntwork-io/terraform-aws-vpc to v0.15.4
  • gruntwork-io/terraform-aws-security to v0.49.1
  • gruntwork-io/terraform-aws-service-catalog to v0.41.0

The terraform-aws-service-catalog update contains backwards incompatible changes. Please go through the migration guides associated with all the major version releases of terraform-aws-service-catalog between v0.37.0 and v0.41.0 and make any necessary changes in your code.


Published: 6/3/2021 | Modules affected: iam-groups, landingzone/account-baseline-root | Release notes

This release adds a new Landing Zone service: Account Baseline Root.

It also removes the iam_group_name_cross_account_access_all variable.



Published: 6/17/2021 | Modules affected: rds | Release notes

  • You can now configure timeouts in the rds module using the new creating_timeout, updating_timeout, and deleting_timeout input variables.



Published: 6/2/2021 | Modules affected: ecs-service | Release notes

  • Fix a bug in the ecs-service module where it was failing to create the Assume Role Policy in some cases where it needed to.



Published: 6/5/2021 | Modules affected: eks-cluster-managed-workers, eks-cluster-workers | Release notes

  • Make the default configuration for Managed Node Groups more ergonomic by splitting the single object into separate variables. This makes it easy to override a subset of the values, as you no longer need to define the full object.
  • Provide a way to help the Managed Node Group for_each call when the node_group_configurations variable depends on a resource (e.g., if you are creating the launch templates in the same module): statically define the node group names using the node_group_names variable.
  • Fix bug where the remote access subblock is included when using launch templates.
  • Expose ability to customize the IAM role name. This is useful when the module is called multiple times.
  • Expose ability to use an externally managed IAM role for the EKS workers. This is useful when the module is called multiple times.


Published: 6/3/2021 | Modules affected: eks-cluster-control-plane | Release notes

  • Add support for skipping individual components during cluster upgrades. Note that you will need kubergrunt version v0.7.1 and above to take advantage of the skip feature.



Published: 6/17/2021 | Modules affected: agents/cloudwatch-agent | Release notes

  • You can now disable metrics reporting using the new --disable-cpu-metrics, --disable-mem-metrics, and --disable-disk-metrics args of the script.


Published: 6/17/2021 | Modules affected: alarms, agents/cloudwatch-agent | Release notes

  • The CloudWatch Agent is now configured to report disk usage percent and memory usage percent metrics.
  • The EC2 and ASG alarms have been adjusted to be consistent with cloudwatch-agent. This means that the new alarms are not compatible with the old cloudwatch-memory-disk-metrics-scripts. If you wish to retain the old compatibility, you can set the namespace and metric name to the old values. See the migration guide below for more info.


Published: 6/15/2021 | Modules affected: agents/cloudwatch-agent | Release notes

  • Fix wrong error message in


Published: 6/15/2021 | Modules affected: logs/cloudwatch-log-aggregation-scripts, metrics/cloudwatch-memory-disk-metrics-scripts, agents/cloudwatch-agent | Release notes

  • Fix bug in agents/cloudwatch-agent module where the metrics were not being reported under the InstanceId dimension.
  • The logs/cloudwatch-log-aggregation-scripts and metrics/cloudwatch-memory-disk-metrics-scripts modules have been removed, as they are now functionally replaced by agents/cloudwatch-agent. Refer to the following pages for migration information:



Published: 6/22/2021 | Modules affected: custom-iam-entity | Release notes

  • You can now attach inline custom IAM policies on the IAM group/role managed by custom-iam-entity.


Published: 6/16/2021 | Modules affected: private-s3-bucket | Release notes

Setting sse_algorithm to null will now disable encryption on S3 buckets.


Published: 6/14/2021 | Modules affected: aws-config-multi-region, aws-config-rules | Release notes

Adds a new AWS Config rule for checking unused credentials. Introduces two new variables enable_iam_user_unused_credentials_check and iam_user_max_credential_usage_age in both aws-config-rules and aws-config-multi-region modules.
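The 45-day window in the landingzone password-policy fix above and the iam_user_max_credential_usage_age parameter of this new Config rule both rest on one distinction: a credential should be treated as expired when it has gone unused for N days, not when it is N days old. The following is an added example, not Gruntwork code or the module's implementation. It applies that rule to a constructed subset of the IAM credential report (the column names are the real ones; the users and dates are made up) and shows that a 400-day-old password used this week is not flagged, while the old 90-day cutoff would have missed a key idle for 60 days. Treating a never-used credential as unused since its creation or last rotation is this example's choice.

```python
"""Flag IAM credentials unused for longer than the CIS 1.4 threshold.

Added example, not Gruntwork code. A credential is reported when it has gone
*unused* for max_age_days, regardless of how *old* it is. Input is a constructed
subset of the IAM credential report columns (real column names, fake data).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

CIS_1_4_MAX_UNUSED_DAYS = 45  # CIS AWS Foundations Benchmark v1.4 window for unused credentials

# Fixed "now" so the example is deterministic.
NOW = datetime(2021, 6, 30, tzinfo=timezone.utc)


def _ago(days: int) -> str:
    """Timestamp in the credential report's format, `days` before NOW."""
    return (NOW - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S+00:00")


# Constructed sample credential report (fake users; not real accounts).
SAMPLE_REPORT = "\n".join([
    "user,user_creation_time,password_enabled,password_last_used,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date",
    # alice: 400-day-old password used 3 days ago -> in use, must NOT be flagged
    f"alice,{_ago(400)},true,{_ago(3)},false,N/A,N/A,false,N/A,N/A",
    # bob: password unused for 60 days -> flagged at 45 days, missed at 90
    f"bob,{_ago(200)},true,{_ago(60)},false,N/A,N/A,false,N/A,N/A",
    # carol: access key created 50 days ago and never used -> counts from rotation date
    f"carol,{_ago(50)},false,no_information,true,{_ago(50)},N/A,false,N/A,N/A",
    # dave: key 1 used 10 days ago (fine), key 2 last used 100 days ago (flagged)
    f"dave,{_ago(300)},false,no_information,true,{_ago(120)},{_ago(10)},true,{_ago(150)},{_ago(100)}",
])


def _parse_ts(value: str):
    """Datetime for a report timestamp, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def unused_credentials(report_csv: str, max_age_days: int = CIS_1_4_MAX_UNUSED_DAYS, now=NOW):
    """Return (user, credential, days_unused) for each active credential idle >= max_age_days.

    Only *active* credentials are considered. A credential that has never been used
    is measured from its creation (password) or last rotation (access key); that
    fallback is an assumption of this example.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        candidates = []
        if row["password_enabled"] == "true":
            last = _parse_ts(row["password_last_used"]) or _parse_ts(row["user_creation_time"])
            candidates.append(("password", last))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = (_parse_ts(row[f"access_key_{n}_last_used_date"])
                        or _parse_ts(row[f"access_key_{n}_last_rotated"]))
                candidates.append((f"access_key_{n}", last))
        for name, last_activity in candidates:
            if last_activity is None:
                continue
            idle_days = (now - last_activity).days
            if idle_days >= max_age_days:
                findings.append((row["user"], name, idle_days))
    return findings


if __name__ == "__main__":
    for user, cred, days in unused_credentials(SAMPLE_REPORT):
        print(f"{user}: {cred} unused for {days} days (limit {CIS_1_4_MAX_UNUSED_DAYS})")
```

Running it as a script prints bob's password, carol's never-used key and dave's second key; alice's old but active password is left alone. To run it against a real account, pass the decoded CSV from `aws iam get-credential-report` (the Content field is base64-encoded) to unused_credentials and use the current time for now.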


Published: 6/4/2021 | Modules affected: custom-iam-entity | Release notes

Adds a new feature to the custom-iam-entity module to make it easier to create an IAM group that only has permissions to assume one or more IAM roles. See iam_group_assume_role_arns for more information.



Published: 6/14/2021 | Modules affected: persistent-ebs-volume, attach-eni | Release notes

  • Fix error message when describing volumes by tag
  • Add retry logic when pulling new interface ID in attach-eni script.
  • Add sleep at end of attach-eni script to give kernel a chance to boot up the newly configured interface.



Published: 6/30/2021 | Modules affected: services | Release notes

  • Fix bug where eks-cluster required both worker types.


Published: 6/28/2021 | Modules affected: services | Release notes

  • k8s-service: add support for custom resources


Published: 6/25/2021 | Modules affected: networking | Release notes

  • You can now avoid creating the default ACM certificate in the route53 module by setting the provision_certificates input parameter.


Published: 6/25/2021 | Modules affected: landingzone | Release notes

  • Expose several new variables in the Landing Zone modules (account-baseline-app, account-baseline-root, account-baseline-security) for configuring CloudTrail:
    • is_multi_region_trail
    • cloudtrail_enable_key_rotation
    • cloudtrail_num_days_to_retain_cloudwatch_logs
    • cloudtrail_data_logging_enabled
    • cloudtrail_data_logging_read_write_type
    • cloudtrail_data_logging_include_management_events
    • cloudtrail_data_logging_resource_type
    • cloudtrail_data_logging_resource_values


Published: 6/24/2021 | Modules affected: services/ec2-instance, mgmt | Release notes

  • services/ec2-instance [NEW]
  • mgmt
  • Update dependency gruntwork-io/terragrunt to v0.31.0
  • Update dependency gruntwork-io/terraform-aws-ci to v0.37.2
  • Update for-production examples for architecture catalog v0.0.13
  • Implement services/ec2-instance

  • #714
  • #716
  • #753
  • #579


Published: 6/21/2021 | Modules affected: networking/vpc | Release notes

  • You can now configure the type of traffic to capture in VPC flow logs in the vpc module using the new traffic_type input variable.


Published: 6/21/2021 | Modules affected: networking/vpc | Release notes

  • You can now get the ID of the default security group from the vpc module using the new default_security_group_id output variable.
  • Updated the for-production examples to the latest.


Published: 6/18/2021 | Modules affected: base/ec2-baseline, data-stores/aurora, data-stores/elasticsearch, data-stores/memcached | Release notes

  • Jenkins module backup function is now converted to use AWS Data Lifecycle Manager instead of a custom lambda function. If you wish to continue to use the lambda based backup function, you can set backup_using_lambda = true.
  • The dashboard widgets and alarms for EC2 and ASG based modules have been updated to work with the new CloudWatch agent instead of cloudwatch-memory-disk-metrics. To ensure compatibility, make sure to rebuild your server AMIs to align with this version.


Published: 6/16/2021 | Modules affected: base/ec2-baseline, data-stores/aurora, data-stores/elasticsearch, data-stores/memcached | Release notes

  • [BACKWARDS INCOMPATIBLE] Updates dependency gruntwork-io/terraform-aws-monitoring to v0.28.0. As a result of this, server metrics are now shipped via the cloudwatch-agent instead of the cloudwatch-memory-disk-metrics script. Note that the metric namespaces have changed from System/Linux to CWAgent as a result of this change. You may need to update dashboards or consumers of these metrics accordingly.
  • CloudWatch Logs group names are now configurable for ECS cluster
  • Updated the for-production/infrastructure-live examples with many bug fixes and updates.
  • Setting sse_algorithm to null will now disable encryption on S3 buckets.


Published: 6/15/2021 | Modules affected: base | Release notes

  • Update dependency gruntwork-io/bash-commons to v0.1.7
  • [ec2-baseline] Make sure each log file managed by cloudwatch-agent goes to separate streams


Published: 6/11/2021 | Modules affected: services/eks-cluster, services/eks-workers, mgmt, networking | Release notes

  • Update all kubergrunt and terraform-aws-eks references to v0.7.1 and v0.41.0
  • Create a new module eks-workers that lets you manage EKS worker groups (self-managed ASGs and Managed Node Groups) separately from the EKS cluster.
  • Add support for deploying Managed Node Groups

IMPORTANT: This is a backward incompatible release. A naive update will redeploy all worker nodes and cause downtime. Refer to the migration guide below for strategies to avoid the downtime.


Published: 6/10/2021 | Modules affected: mgmt, services | Release notes

  • Update dependency hashicorp/terraform to v0.15.5
  • Update dependency hashicorp/packer to v1.7.2
  • Updates for-production examples
  • Use standardized naming of packer templates
  • Allow setting Cluster Autoscaler version in eks-core-services


Published: 6/8/2021 | Modules affected: mgmt, services | Release notes

  • Update dependency helm/helm to v3.6.0
  • Update dependency gruntwork-io/gruntkms to v0.0.10
  • Update dependency gruntwork-io/terragrunt to v0.29.10
  • Update dependency gruntwork-io/terraform-aws-ecs to v0.29.1


Published: 6/8/2021 | Modules affected: data-stores, networking, services, mgmt | Release notes

  • Update dependency gruntwork-io/terraform-aws-cache to v0.15.0
  • Update dependency gruntwork-io/terraform-aws-vpc to v0.15.4
  • Update dependency gruntwork-io/terraform-aws-static-assets to v0.10.0
  • Update dependency gruntwork-io/terraform-aws-ci to v0.37.0
  • Update dependency gruntwork-io/terraform-aws-lambda to v0.11.1
  • Update dependency gruntwork-io/terraform-aws-security to v0.49.1
  • Update dependency gruntwork-io/terratest to v0.35.3


Published: 6/7/2021 | Modules affected: base, networking, services | Release notes

  • Update dependency gruntwork-io/bash-commons to v0.1.4
  • Update dependency gruntwork-io/terraform-aws-load-balancer to v0.26.0


Published: 6/4/2021 | Modules affected: base, mgmt | Release notes

  • AMIs updated to use Ubuntu 20.04 as base


Published: 6/4/2021 | Modules affected: services | Release notes

  • You can now override the sources of the external-dns app in eks-core-services


Published: 6/4/2021 | Modules affected: networking/vpc | Release notes

  • You can now configure the subnet spacing / sizing in the vpc module using the new input variables subnet_spacing, private_subnet_spacing, persistence_subnet_spacing, public_subnet_bits, private_subnet_bits, and persistence_subnet_bits.


Published: 6/3/2021 | Modules affected: data-stores/redis | Release notes

Adds support for tags to the redis module.


Published: 6/2/2021 | Modules affected: networking/vpc | Release notes

  • Fix a bug in the vpc module where, if you disabled a subnet tier, it would still try to create NACLs for that subnet tier. You can now also independently control whether the NACLs for each subnet tier will be created using the new create_public_subnet_nacls, create_private_app_subnet_nacls, and create_private_persistence_subnet_nacls input variables. Finally, you can also control if the default security group is created using the new enable_default_security_group input variable.


Published: 6/2/2021 | Modules affected: data-stores/ecr-repos, data-stores/rds | Release notes

  • You can now configure whether image tags are mutable or not in the ecr-repos module using the new image_tag_mutability field in the repositories input variable.
  • Fix a bug in the rds module where it would create a new KMS key, but wasn't actually using it, and was using the default RDS key instead. The API has changed now: to create and use a custom KMS key, set create_custom_kms_key to true; to use an existing KMS key, set create_custom_kms_key to false and pass in the KMS key to use via kms_key_arn. If create_custom_kms_key is false and you don't pass in a custom KMS key, the module will use the default RDS key.
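The rds bug above is the kind that is invisible from the plan output: the custom KMS key exists and is managed, but the instance is encrypted under the default aws/rds key. The following is an added example, not Gruntwork code, of the post-apply check a practitioner would run after upgrading. It classifies each RDS instance by the kind of key it actually uses and lists the ones not on the intended key. The instance and key records are constructed, shaped like the DBInstances entries from rds:DescribeDBInstances and the KeyMetadata from kms:DescribeKey; the account, region and key IDs are fake. Telling the AWS-managed key from a customer key needs DescribeKey's KeyManager field, because both ARNs have the same form.

```python
"""Report RDS instances that are not encrypted with the intended KMS key.

Added example, not Gruntwork code. All data below is constructed and shaped
like boto3's describe_db_instances / describe_key responses (subset of fields).
"""

ACCOUNT = "123456789012"   # fake
REGION = "us-east-1"
CUSTOM_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-1111-1111-1111-111111111111"
DEFAULT_RDS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/22222222-2222-2222-2222-222222222222"

# kms:DescribeKey -> KeyMetadata, keyed by key ARN. KeyManager is what distinguishes
# the AWS-managed aws/rds key ("AWS") from a customer-managed key ("CUSTOMER").
KEY_METADATA = {
    CUSTOM_KEY_ARN: {"Arn": CUSTOM_KEY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    DEFAULT_RDS_KEY_ARN: {"Arn": DEFAULT_RDS_KEY_ARN, "KeyManager": "AWS", "KeyState": "Enabled"},
}

# rds:DescribeDBInstances -> DBInstances (subset of fields).
DB_INSTANCES = [
    # The pre-fix situation: the custom key exists, but the instance uses the default key.
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True, "KmsKeyId": DEFAULT_RDS_KEY_ARN},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True, "KmsKeyId": CUSTOM_KEY_ARN},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False},
]


def classify_key(instance, key_metadata=KEY_METADATA):
    """Return 'unencrypted', 'aws-managed', 'customer-managed' or 'unknown-key'."""
    if not instance.get("StorageEncrypted"):
        return "unencrypted"
    meta = key_metadata.get(instance.get("KmsKeyId"))
    if meta is None:
        return "unknown-key"  # key in another account/region, or already deleted
    return "aws-managed" if meta["KeyManager"] == "AWS" else "customer-managed"


def key_mismatches(instances, expected_key_arn, key_metadata=KEY_METADATA):
    """(identifier, classification) for every instance not using expected_key_arn."""
    return [
        (inst["DBInstanceIdentifier"], classify_key(inst, key_metadata))
        for inst in instances
        if inst.get("KmsKeyId") != expected_key_arn
    ]


if __name__ == "__main__":
    for name, why in key_mismatches(DB_INSTANCES, CUSTOM_KEY_ARN):
        print(f"{name}: expected {CUSTOM_KEY_ARN}, found {why}")
```

With live data, feed the DBInstances list from describe_db_instances and a KeyMetadata map built from describe_key on each distinct KmsKeyId; an "unknown-key" result usually means the key lives in another account or was scheduled for deletion, and deserves the same attention as "aws-managed".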


Published: 6/1/2021 | Modules affected: account-baseline-root | Release notes

  • Remove the dependency between CloudTrail and Config and their respective buckets, and rename the cloudtrail_s3_bucket_already_exists variable.



Published: 6/21/2021 | Modules affected: vpc-flow-logs | Release notes

  • Update the vpc-flow-logs module to add the necessary IAM permissions to allow the VPC flow logs service to write to the S3 bucket.