Gruntwork release 2021-08
This page lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2021-08. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 8/25/2021 | Release notes
  Added support for passing in extra parameters for DNS configuration to the dns register subcommand. Some international domains require additional configuration.
Published: 8/20/2021 | Release notes
  Starting with this release, we will publish binaries for the darwin/arm64 (Apple Silicon) architecture.
Published: 8/19/2021 | Release notes
  This release contains updates to the formatting of any Go code, and an update to the documentation on how to run and configure automated tests with the trial license.
- Replaced gofmt with goimports.
- Updated documentation to detail how to update trial licenses
Published: 8/19/2021 | Release notes
Published: 8/19/2021 | Release notes
Published: 8/19/2021 | Release notes
Published: 8/17/2021 | Modules affected: server-group | Release notes
- Removed references to the deprecated template provider and replaced with official replacements.
Published: 8/17/2021 | Modules affected: memcached, redis | Release notes
- Removed references to the deprecated template provider
Published: 8/24/2021 | Modules affected: ecs-deploy-runner-standard-configuration, infrastructure-deploy-script | Release notes
- You can now pass through terragrunt-log-level as command-args in EDR to infrastructure-deploy-script
Published: 8/20/2021 | Modules affected: ecs-deploy-runner | Release notes
- Bump to latest kubergrunt version in ecs-deploy-runner container.
Published: 8/20/2021 | Release notes
- Updates edrhelpers test assertion with a new expected string value. No functional impact for users.
Published: 8/20/2021 | Modules affected: ecs-deploy-runner | Release notes
Updates the ecs-deploy-runner Dockerfile to use the correct version of terraform-aws-ci with updated and fixed build scripts.
Published: 8/18/2021 | Modules affected: ecs-deploy-runner-standard-configuration, infrastructure-deploy-script | Release notes
- ecs-deploy-runner-standard-configuration
- infrastructure-deploy-script
- Support destroy in the CI / CD pipeline. The ecs-deploy-runner-standard-configuration has been updated to support running destroy, plan -destroy, and apply -destroy. The infrastructure-deploy-script has been updated to run destroy operations under certain protections:
  - It validates that the destroy request is only for a path/module that has indeed been deleted in the latest version of the repo for which the script is called.
  - It makes sure that the destroy ref (commit/tag/branch) is indeed in the ancestry path of the main branch.
 
Published: 8/17/2021 | Modules affected: build-helpers, ecs-deploy-runner | Release notes
build-packer-artifact now supports HCL Packer templates. The ecs-deploy-runner Dockerfile has been updated to include hcl2json which is needed by the updated build-packer-artifact.
Published: 8/13/2021 | Modules affected: ecs-deploy-runner | Release notes
- ECS Deploy Runner now defaults to installing packer 1.7.4 and terraform-aws-ci version 0.38.2
Published: 8/9/2021 | Modules affected: build-helpers | Release notes
- Updated build-packer-artifact to be compatible with provider download specifications from packer 1.7. The script will now call packer init if the target template is non-json and the underlying packer version supports init.
Published: 8/27/2021 | Modules affected: landingzone, observability | Release notes
- This release reverts v0.24.0, updating MFA Delete = false for S3 Buckets.
Published: 8/27/2021 | Modules affected: networking, observability, security, landingzone | Release notes
- Update dependency gruntwork-io/terraform-aws-vpc to v0.17.3
- Update dependency gruntwork-io/terraform-aws-security to v0.54.0
- Update dependency gruntwork-io/terraform-aws-service-catalog to v0.59.4
Published: 8/24/2021 | Modules affected: landingzone, security | Release notes
Integrates Macie into the Landing Zone modules. This release also makes the buckets_to_analyze variable optional and defaults it to empty. When buckets_to_analyze has no entry for a particular region, the resource aws_macie2_classification_job will not be created in that region.
Published: 8/23/2021 | Modules affected: landingzone, networking, observability, security | Release notes
- macie: Add support for multi-account setup. Add two additional resources to the macie module: aws_macie2_member and aws_macie2_invitation_accepter, thereby adding support for the multi-account setup. The multi-account setup functions in a similar way to Security Hub: the administrator account will have a number of aws_macie2_member resources created in it (in each enabled region), one for each member account. This is controlled by the external_member_accounts variable. Member accounts will each have an aws_macie2_invitation_accepter resource created in them (in each enabled region). This is controlled by the administrator_account_id variable.
 
- This release also updates a number of dependencies:
  - gruntwork-io/terraform-aws-security to v0.53.7
  - gruntwork-io/terraform-aws-lambda to v0.13.3
  - gruntwork-io/terraform-aws-vpc to v0.17.2
  - gruntwork-io/terraform-aws-monitoring to v0.30.1
  - gruntwork-io/terraform-aws-service-catalog to v0.58.5
 
- This release also updates the for-production examples for architecture catalog v0.0.18
 
Published: 8/11/2021 | Modules affected: landingzone, networking, observability, security | Release notes
- Terraform 1.0 upgrade: We have verified that this repo is compatible with Terraform 1.0.x!
  - From this release onward, we will only be running tests with Terraform 1.0.x against this repo, so we recommend updating to 1.0.x soon!
  - To give you more time to upgrade, for the time being, all modules will still support Terraform 0.15.1 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 1.0.x.
  - Once all Gruntwork repos have been upgraded to work with 1.0.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
Published: 8/11/2021 | Modules affected: landingzone, networking, security, observability | Release notes
Add a module for deploying and configuring Amazon Macie.
This release also configures the RenovateBot not to update this repo itself, as well as updates the following dependencies:
- gruntwork-io/terraform-aws-vpc to v0.17.1
- gruntwork-io/terraform-aws-security to v0.53.4
- gruntwork-io/terraform-aws-lambda to v0.13.2
- gruntwork-io/terraform-aws-service-catalog to v0.56.1
Published: 8/5/2021 | Modules affected: security, networking, observability, landingzone | Release notes
- Update the codebase to new multi-region approach. In v0.51.0 of terraform-aws-security, we refactored how we build multi-region modules (that is, those modules that deploy resources across every single AWS region, such as aws-config-multi-region) to no longer create nested provider blocks, and instead, have users pass in providers via the providers map. In this release, we have updated the modules in this repo to use this new release of terraform-aws-security and to use the same behavior with providers. This reduces the number of providers that Terraform must instantiate, making the modules much faster and more stable to use. It also gives you full control over how to authenticate to your various AWS accounts. However, this is a backwards incompatible change, so make sure to read the migration guide below.
 
- Update dependency versions: We have updated the versions of a number of dependencies in this repo. Here are the versions that have been updated in this release:
  - Update dependency gruntwork-io/terraform-aws-utilities to v0.6.0
  - Update dependency gruntwork-io/terraform-aws-lambda to v0.13.0
  - Update dependency gruntwork-io/terraform-aws-vpc to v0.17.0
  - Update dependency gruntwork-io/terraform-aws-monitoring to v0.30.0
  - Update dependency gruntwork-io/terraform-aws-security to v0.53.2
  - Update dependency gruntwork-io/terraform-aws-service-catalog to v0.55.1
 
Published: 8/3/2021 | Modules affected: networking/vpc | Release notes
- Override renovate.json ignorePaths so that it won't ignore examples or tests
- vpc: Expose default security group ID in outputs
Published: 8/18/2021 | Modules affected: aurora, lambda-cleanup-snapshots, lambda-copy-shared-snapshot, lambda-create-snapshot | Release notes
- Removed references to template provider and replaced with official alternatives.
Published: 8/30/2021 | Modules affected: ecs-service | Release notes
Published: 8/25/2021 | Modules affected: ecs-service | Release notes
- Updated to expose proxy_configuration subblock for the aws_ecs_task_definition resource to support App Mesh.
Published: 8/18/2021 | Modules affected: ecs-service | Release notes
- Removed references to the deprecated template provider and replaced with official recommendation.
Published: 8/11/2021 | Modules affected: ecs-service | Release notes
- You can now enable the ECS "circuit breaker" feature via the new deployment_circuit_breaker input variable.
Published: 8/25/2021 | Modules affected: eks-cluster-control-plane | Release notes
- Updated the kubergrunt version that gets automatically installed to v0.7.9
Published: 8/20/2021 | Modules affected: eks-cluster-control-plane | Release notes
- Bump default kubergrunt download URL to the latest version
Published: 8/19/2021 | Modules affected: eks-container-logs | Release notes
- Exposed extraFilters helm chart input value with the extra_filters var in the eks-container-logs module.
Published: 8/13/2021 | Modules affected: eks-k8s-cluster-autoscaler-iam-policy | Release notes
- Updated Cluster Autoscaler IAM permissions to allow describing launch templates
Published: 8/13/2021 | Modules affected: eks-cluster-control-plane, eks-cluster-workers-cross-access, eks-k8s-external-dns | Release notes
- Removed usage of the deprecated template provider and replaced it with HashiCorp recommended replacements.
Published: 8/13/2021 | Modules affected: eks-aws-auth-merger, eks-cluster-control-plane | Release notes
- Upgraded dependencies of aws-auth-merger.
- Updated examples to use packer 1.7 with HCL2.
- Bumped reference kubergrunt version to 0.7.4.
Published: 8/18/2021 | Modules affected: lambda-edge | Release notes
- Add a required_providers block to the lambda-edge module so you can pass in a custom provider and not get warnings in Terraform 0.15 and above.
Published: 8/11/2021 | Modules affected: lambda | Release notes
- You can now have the lambda module use an existing IAM role, rather than creating a new one, by passing in the IAM role's ARN via the new existing_role_arn input variable.
Published: 8/9/2021 | Modules affected: lambda-edge, lambda | Release notes
- Removed usage of the template provider which is now deprecated.
Published: 8/17/2021 | Release notes
- Examples have been updated to not use the deprecated template provider. No changes to modules.
Published: 8/10/2021 | Modules affected: sqs | Release notes
- Removed references to the deprecated template provider
Published: 8/30/2021 | Modules affected: alarms/elasticache-redis-alarms | Release notes
- Fix copy/paste error in the curr_connections and replication-lag alarm names in elasticache-redis-alarms.
- Several fixes to stabilize automated tests in this repo.
Published: 8/19/2021 | Modules affected: alarms | Release notes
- Removed references to the deprecated template provider and replaced with official HashiCorp alternatives.
Published: 8/17/2021 | Release notes
- Removed references to the deprecated template provider in examples (no changes to underlying modules).
Published: 8/24/2021 | Modules affected: aws-config-bucket, aws-config-multi-region, aws-config, cloudtrail-bucket | Release notes
- Remove variable enable_lifecycle_rules (introduced at v0.53.1) from Config and Cloudtrail buckets
This variable was only being used when mfa_delete=true. To reduce complexity, we removed it, and mfa_delete is being used as a toggle for the Lifecycle rules.
Published: 8/19/2021 | Modules affected: private-s3-bucket | Release notes
- Added a new boolean flag, var.enable_sse, that dictates whether or not to enable SSE on S3 buckets.
Published: 8/19/2021 | Modules affected: aws-config | Release notes
- You can now control if the aws-config module tries to attach IAM policies to the IAM role using the new should_attach_sns_policy input variable.
Published: 8/17/2021 | Modules affected: custom-iam-entity, os-hardening | Release notes
- Removed references to the deprecated template provider and replaced with official recommendations.
Published: 8/11/2021 | Modules affected: cloudtrail-bucket, cloudtrail, aws-config-multi-region, aws-config | Release notes
- Clarifies optional direct usage of cloudtrail-bucket module
- Explains how to configure the cloudtrail bucket to exist outside of the management account
- Updates the aws-config module aggregator functionality to work with the aws_region data source and module depends_on. For details, see https://github.com/gruntwork-io/terraform-aws-security/pull/509.
Published: 8/10/2021 | Modules affected: aws-config-multi-region, aws-config | Release notes
- Introduced enable_all_regions_for_config_aggregator which can be used to configure whether AWS should set the config aggregator to all regions regardless of opt_in_regions.
Published: 8/18/2021 | Modules affected: single-server | Release notes
- Added variable for passing a map of tags to set on the root volume.
Published: 8/10/2021 | Release notes
- Removed references to the deprecated template provider
Published: 8/3/2021 | Modules affected: single-server | Release notes
- You can now configure the single-server module to point the Route 53 DNS record at the private IP of the EIP rather than the public IP by setting the new dns_uses_private_ip variable to true.
Published: 8/26/2021 | Modules affected: services | Release notes
- Update ecs-service module with newly added inputs to configure App Mesh behavior
Published: 8/25/2021 | Modules affected: landingzone/account-baseline-security | Release notes
Optionally create service-linked roles for security account using var.service_linked_roles.
Published: 8/25/2021 | Modules affected: services | Release notes
- Updated eks-workers module to allow specifying per Managed Node Group (MNG) --kubelet-extra-args. You can now configure eks_kubelet_extra_args on each MNG group to override the extra args that should be passed to the underlying kubelet process. You can also configure different user data boot scripts for each worker by setting the cloud_init_parts field on the MNG configuration.
Published: 8/24/2021 | Modules affected: services | Release notes
- Updated eks-workers module to allow specifying per ASG --kubelet-extra-args. You can now configure eks_kubelet_extra_args on each ASG group to override the extra args that should be passed to the underlying kubelet process. You can also configure different user data boot scripts for each worker by setting the cloud_init_parts field on the ASG configuration.
Published: 8/24/2021 | Modules affected: data-stores, landingzone, networking | Release notes
- Set MFA Delete to false by default on S3 buckets [BACKWARDS INCOMPATIBLE]
- Adding apply_default_nacl_rules to the VPC module
Published: 8/20/2021 | Modules affected: data-stores/s3-bucket, mgmt | Release notes
- Add a new boolean flag, var.enable_sse, that dictates whether or not to enable SSE on S3 buckets.
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.6
Published: 8/20/2021 | Modules affected: mgmt, networking, services, base | Release notes
- Added ability to configure additional filters on fluent-bit in eks-core-services module
- Update dependency gruntwork-io/kubergrunt to v0.7.6
- Update dependency gruntwork-io/terraform-aws-eks to v0.44.4
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.5
- Update dependency gruntwork-io/terraform-aws-server to v0.13.3
- Update dependency gruntwork-io/terraform-aws-monitoring to v0.30.1
- Update dependency gruntwork-io/terraform-aws-data-storage to v0.21.1
- Update dependency gruntwork-io/terraform-aws-openvpn to v0.16.1
- Update dependency gruntwork-io/terraform-aws-asg to v0.15.1
- Update dependency gruntwork-io/terraform-aws-cache to v0.16.1
- Update dependency gruntwork-io/terraform-aws-load-balancer to v0.27.1
- Update dependency gruntwork-io/terraform-aws-ecs to v0.30.3
- Update dependency gruntwork-io/terraform-aws-messaging to v0.7.2
- Update dependency gruntwork-io/terraform-aws-vpc to v0.17.2
Published: 8/19/2021 | Modules affected: data-stores | Release notes
- Add support for passing CORS Rules via var.cors_rules
Published: 8/19/2021 | Modules affected: services/ec2-instance | Release notes
- When you set dns_zone_is_private to true, the ec2-instance module will now associate the private IP of the instance with the Route 53 private zone.
Published: 8/19/2021 | Modules affected: mgmt, base, services | Release notes
- Allow the Elastic IP to not be created in the ec2-instance module.
- The following dependencies were updated:
  - Update dependency gruntwork-io/terragrunt to v0.31.5
  - Update dependency gruntwork-io/terraform-aws-server to v0.13.2
  - Update dependency gruntwork-io/terraform-aws-lambda to v0.13.3
  - Update dependency gruntwork-io/terraform-aws-ci to v0.38.4
  - Update dependency gruntwork-io/gruntwork-installer to v0.0.37
 
Published: 8/17/2021 | Modules affected: services | Release notes
- Added the ability to track external Fargate Profile executor IAM roles in the aws-auth configmap
- Fixed bug where managed node groups could not be updated post deployment due to an error message about MIME format.
- Fixed bug where using managed node groups sometimes caused an error with IAM roles for self managed ASGs.
- Fixed bug where baseline IAM policies for various services were not being attached to managed node groups.
Published: 8/16/2021 | Modules affected: networking, services | Release notes
- The default Kubernetes version deployed by the eks-cluster module has been updated to 1.21. If you wish to maintain backward compatibility with your existing setup, you will want to configure the kubernetes_version parameter to the version of Kubernetes you are currently using. Note that 1.21 requires kubergrunt version 0.7.3 and above.
- The default Kubernetes version used by the EKS worker packer template has been updated to 1.21. If you wish to maintain backward compatibility with your existing setup, you will want to configure the kubernetes_version packer parameter to the version of Kubernetes you are currently using.
- The default cluster-autoscaler version has been updated to 1.21 in the eks-core-services module. If you wish to maintain backward compatibility with your existing setup, you will want to configure the cluster_autoscaler_version input variable.
Published: 8/12/2021 | Modules affected: services | Release notes
- Added support for configuring Horizontal Pod Autoscaler (via the horizontal_pod_autoscaler input variable) and overriding chart inputs (via the override_chart_inputs input variable).
Published: 8/11/2021 | Modules affected: services | Release notes
- Exposed additional_security_group_ids in ec2-instance module
Published: 8/10/2021 | Modules affected: base, services/ecs-cluster, services/eks-workers, mgmt/ecs-deploy-runner | Release notes
- [BACKWARD INCOMPATIBLE] This release updates all the Packer templates to HCL2. See the Getting started guide from HashiCorp for details on HCL2.
- Template data sources have been moved to local values to avoid dependency issues.
- The for-production examples have been updated.
- The test finder logic has been moved to the terraform-aws-ci repo.
Published: 8/9/2021 | Modules affected: mgmt, services | Release notes
- Increase default max resources for ecs-deploy-runner
- Wrap with trimspace so we don't keep changing userdata. This change fixes a perpetual diff that could occur on the userdata field.
Published: 8/6/2021 | Modules affected: mgmt | Release notes
- Expose variable from inner module to bastion host
Published: 8/4/2021 | Modules affected: mgmt | Release notes
- Install gruntkms in Jenkins
Published: 8/3/2021 | Modules affected: services, mgmt, networking, base | Release notes
- Terraform 1.0 upgrade: We have verified that this repo is compatible with Terraform 1.0.x!
  - From this release onward, we will only be running tests with Terraform 1.0.x against this repo, so we recommend updating to 1.0.x soon!
  - To give you more time to upgrade, for the time being, all modules will still support Terraform 0.15.1 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 1.0.x.
  - Once all Gruntwork repos have been upgraded to work with 1.0.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
 
- Fixed a bug in the ec2-instance service module that prevented customization of the EBS volumes.
 
- The following dependencies were updated:
  - Update dependency gruntwork-io/terratest to v0.37.2
  - Update dependency gruntwork-io/terraform-kubernetes-namespace to v0.4.0
  - Update dependency gruntwork-io/terraform-aws-utilities to v0.6.0
  - Update dependency gruntwork-io/terraform-aws-ci to v0.38.1
  - Update dependency gruntwork-io/aws-sample-app to v0.0.4
  - Update dependency gruntwork-io/terragrunt to v0.31.2
  - Update dependency gruntwork-io/terraform-aws-messaging to v0.7.1
 
Published: 8/24/2021 | Modules affected: s3-cloudfront | Release notes
Updated the s3-cloudfront module to create the S3 bucket for access logs using the private-s3-bucket module under the hood. This adds several extra layers of protection for the access logs bucket, including blocking all public access, enabling encryption at rest, and requiring encryption in transit. This is a backwards incompatible change, so see the migration guide for upgrade instructions.
Published: 8/25/2021 | Modules affected: vpc-interface-endpoint | Release notes
- Add VPC Interface Endpoint for Redshift Data API Service
Published: 8/20/2021 | Modules affected: vpc-interface-endpoint | Release notes
- The vpc-interface-endpoint module can now automatically create a security group that allows HTTPS ingress to the endpoints from your VPC if you set create_https_security_group to true.
Published: 8/10/2021 | Modules affected: vpc-interface-endpoint, vpc-app, vpc-mgmt | Release notes
- Added support for EBS and Lambda interface endpoints.
- Removed usage of the deprecated template provider.