Gruntwork release 2021-08
Guides / Update Guides / Releases / 2021-08
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2021-08. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 8/25/2021 | Release notes
Added support for passing in extra parameters for DNS configuration to the dns register
subcommand. Some international domains require additional configuration.
Published: 8/20/2021 | Release notes
Starting this release, we will publish binaries for darwin/arm64
(Apple Silicon) architecture.
Published: 8/19/2021 | Release notes
This release contains updates to the formatting of any go
code, and an update to documentation on how to run and configure automated tests with the trial license.
- Replaced
gofmt
with goimports
.
- Updated documentation to detail how to update trial licenses
Published: 8/19/2021 | Release notes
Published: 8/19/2021 | Release notes
Published: 8/19/2021 | Release notes
Published: 8/17/2021 | Modules affected: server-group | Release notes
- Removed references to deprecated
template
provider and replaced with official replacements.
Published: 8/17/2021 | Modules affected: memcached, redis | Release notes
- Removed references to deprecated
template
provider
Published: 8/24/2021 | Modules affected: ecs-deploy-runner-standard-configuration, infrastructure-deploy-script | Release notes
- You can now pass through
terragrunt-log-level
as command-args
in EDR to infrastructure-deploy-script
Published: 8/20/2021 | Modules affected: ecs-deploy-runner | Release notes
- Bump to latest kubergrunt version in
ecs-deploy-runner
container.
Published: 8/20/2021 | Release notes
- Updates edrhelpers test assertion with a new expected string value. No functional impact for users.
Published: 8/20/2021 | Modules affected: ecs-deploy-runner | Release notes
Updates the ecs-deploy-runner Dockerfile
to use the correct version of terraform-aws-ci
with updated and fixed build scripts.
Published: 8/18/2021 | Modules affected: ecs-deploy-runner-standard-configuration, infrastructure-deploy-script | Release notes
-
ecs-deploy-runner-standard-configuration
-
infrastructure-deploy-script
-
Support destroy
in the CI / CD pipeline. The ecs-deploy-runner-standard-configuration
has been updated to support running destroy
, plan -destroy
, and apply -destroy
. The infrastructure-deploy-script
has been updated to run destroy operations under certain protections:
- It validates that the destroy request is only for a path/module that has indeed been deleted in the latest version of the repo for which the script is called.
- It makes sure that the destroy ref (commit/tag/branch) is indeed in the ancestry path of the main branch.
-
https://github.com/gruntwork-io/terraform-aws-ci/pull/327
Published: 8/17/2021 | Modules affected: build-helpers, ecs-deploy-runner | Release notes
build-packer-artifact
now supports HCL Packer templates. The ecs-deploy-runner Dockerfile
has been updated to include hcl2json
which is needed by the updated build-packer-artifact
.
Published: 8/13/2021 | Modules affected: ecs-deploy-runner | Release notes
- ECS Deploy Runner now defaults to installing packer 1.7.4 and
terraform-aws-ci
version 0.38.2
Published: 8/9/2021 | Modules affected: build-helpers | Release notes
- Updated
build-packer-artifact
to be compatible with provider download specifications from packer 1.7. The script will now call packer init
if the target template is non-json and the underlying packer version supports init
.
Published: 8/27/2021 | Modules affected: landingzone, observability | Release notes
- This release reverts v0.24.0, updating MFA Delete = false for S3 Buckets.
Published: 8/27/2021 | Modules affected: networking, observability, security, landingzone | Release notes
- Update dependency gruntwork-io/terraform-aws-vpc to v0.17.3
- Update dependency gruntwork-io/terraform-aws-security to v0.54.0
- Update dependency gruntwork-io/terraform-aws-service-catalog to v0.59.4
Published: 8/24/2021 | Modules affected: landingzone, security | Release notes
Integrates Macie into the Landing Zone modules. This release also makes the buckets_to_analyze
variable optional and defaults it to empty. When buckets_to_analyze
has no entry for a particular region, the resource aws_macie2_classification_job
will not be created in that region.
Published: 8/23/2021 | Modules affected: landingzone, networking, observability, security | Release notes
-
macie: Add support for multi-account setup. Add two additional resources to the macie module: aws_macie2_member
and aws_macie2_invitation_accepter
, whereby adding support for the multi-account setup. The multi-account setup functions in a similar way to Security Hub: administrator account will have a number of aws_macie2_member
created in it (in each enabled region), one for each member account. This is controlled by the external_member_accounts
variable. Member accounts will each have a aws_macie2_invitation_accepter
resource created in them (in each enabled region). This is controlled by the administrator_account_id
variable.
-
This release also updates a number of dependencies:
gruntwork-io/terraform-aws-security
to v0.53.7
gruntwork-io/terraform-aws-lambda
to v0.13.3
gruntwork-io/terraform-aws-vpc
to v0.17.2
gruntwork-io/terraform-aws-monitoring
to v0.30.1
gruntwork-io/terraform-aws-service-catalog
to v0.58.5
-
This release also updates the for-production
examples for architecture catalog v0.0.18
Published: 8/11/2021 | Modules affected: landingzone, networking, observability, security | Release notes
- Terraform 1.0 upgrade: We have verified that this repo is compatible with Terraform
1.0.x
!
- From this release onward, we will only be running tests with Terraform
1.0.x
against this repo, so we recommend updating to 1.0.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform
0.15.1
and above, as that version has several features in it (required_providers
with source
URLs) that make it more forwards compatible with 1.0.x
.
- Once all Gruntwork repos have been upgrade to work with
1.0.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 8/11/2021 | Modules affected: landingzone, networking, security, observability | Release notes
Add a module for deploying and configuring Amazon Macie.
This release also configures the RenovateBot not to update this repo itself, as well as updates the following dependencies:
gruntwork-io/terraform-aws-vpc
to v0.17.1
gruntwork-io/terraform-aws-security
to v0.53.4
gruntwork-io/terraform-aws-lambda
to v0.13.2
gruntwork-io/terraform-aws-service-catalog
to v0.56.1
Published: 8/5/2021 | Modules affected: security, networking, observability, landingzone | Release notes
-
Update the codebase to new multi-region approach. In v0.51.0 of terraform-aws-security
, we refactored how we build multi-region modules—that is, those modules that deploy resources across every single AWS region, such as aws-config-multi-region
—to no longer create nested provider
blocks, and instead, have users pass in providers via the providers
map. In this release, we have updated the modules in this repo to use this new release of terraform-aws-security
and to use the same behavior with providers. This reduces the number of providers that Terraform must instantiate, making the modules much faster and more stable to use. It also gives you full control over how to authenticate to your various AWS accounts. However, this is a backwards incompatible change, so make sure to read the migration guide below.
-
Update dependency versions: We have updated the versions of a number of dependencies in this repo. Here are the versions that have been updated in this release:
- Update dependency
gruntwork-io/terraform-aws-utilities
to v0.6.0
- Update dependency
gruntwork-io/terraform-aws-lambda
to v0.13.0
- Update dependency
gruntwork-io/terraform-aws-vpc
to v0.17.0
- Update dependency
gruntwork-io/terraform-aws-monitoring
to v0.30.0
- Update dependency
gruntwork-io/terraform-aws-security
to v0.53.2
- Update dependency
gruntwork-io/terraform-aws-service-catalog
to v0.55.1
Published: 8/3/2021 | Modules affected: networking/vpc | Release notes
- Override renovate.json ignorePaths so that it won't ignore examples or tests
- vpc: Expose default security group ID in outputs
Published: 8/18/2021 | Modules affected: aurora, lambda-cleanup-snapshots, lambda-copy-shared-snapshot, lambda-create-snapshot | Release notes
- Removed references to
template
provider and replaced with official alternatives.
Published: 8/30/2021 | Modules affected: ecs-service | Release notes
Published: 8/25/2021 | Modules affected: ecs-service | Release notes
- Updated to expose
proxy_configuration
subblock for the aws_ecs_task_definition
resource to support App Mesh.
Published: 8/18/2021 | Modules affected: ecs-service | Release notes
- Removed references to the deprecated
template
provider and replaced with official recommendation.
Published: 8/11/2021 | Modules affected: ecs-service | Release notes
- You can now enable the ECS "circuit breaker" feature via the new
deployment_circuit_breaker
input variable.
Published: 8/25/2021 | Modules affected: eks-cluster-control-plane | Release notes
- Updated the
kubergrunt
version that gets automatically installed to v0.7.9
Published: 8/20/2021 | Modules affected: eks-cluster-control-plane | Release notes
- Bump default kubergrunt download URL to the latest version
Published: 8/19/2021 | Modules affected: eks-container-logs | Release notes
- Exposed
extraFilters
helm chart input value with the extra_filters
var in the eks-container-logs
module.
Published: 8/13/2021 | Modules affected: eks-k8s-cluster-autoscaler-iam-policy | Release notes
- Updated Cluster Autoscaler IAM permissions to allow describing launch templates
Published: 8/13/2021 | Modules affected: eks-cluster-control-plane, eks-cluster-workers-cross-access, eks-k8s-external-dns | Release notes
- Removed usage of the deprecated
template
provider and replaced them with HashiCorp recommended replacements.
Published: 8/13/2021 | Modules affected: eks-aws-auth-merger, eks-cluster-control-plane | Release notes
- Upgraded dependencies of
aws-auth-merger
.
- Updated examples to use packer 1.7 with HCL2.
- Bumped reference
kubergrunt
version to 0.7.4
.
Published: 8/18/2021 | Modules affected: lambda-edge | Release notes
- Add a
required_providers
block to the lambda-edge
module so you can pass in a custom provider and not get warnings in Terraform 0.15 and above.
Published: 8/11/2021 | Modules affected: lambda | Release notes
- You can now have the
lambda
module use an existing IAM role, rather than creating a new one, by passing in the IAM role's ARN via the new existing_role_arn
input variable.
Published: 8/9/2021 | Modules affected: lambda-edge, lambda | Release notes
- Removed usage of the
template
provider which is now deprecated.
Published: 8/17/2021 | Release notes
- Examples have been updated to not use the deprecated
template
provider. No changes to modules.
Published: 8/10/2021 | Modules affected: sqs | Release notes
- Removed references to the deprecated
template
provider
Published: 8/30/2021 | Modules affected: alarms/elasticache-redis-alarms | Release notes
- Fix copy/paste error in the
curr_connections
and replication-lag
alarm names in elasticache-redis-alarms
.
- Several fixes to stabilize automated tests in this repo.
Published: 8/19/2021 | Modules affected: alarms | Release notes
- Removed references to deprecated
template
provider and replaced with official Hashicorp alternatives.
Published: 8/17/2021 | Release notes
- Removed references to deprecated
template
provider in examples (no changes to underlying modules).
Published: 8/24/2021 | Modules affected: aws-config-bucket, aws-config-multi-region, aws-config, cloudtrail-bucket | Release notes
- Remove variable
enable_lifecycle_rules
(introduced at v0.53.1) from Config and Cloudtrail buckets
This variable was only being used when mfa_delete=true
, to reduce complexity we removed it and mfa_delete
is being used as a toggle for the Lifecycle rules.
Published: 8/19/2021 | Modules affected: private-s3-bucket | Release notes
- Added a new boolean flag,
var.enable_sse
, that dictates whether or not to enable SSE on S3 buckets.
Published: 8/19/2021 | Modules affected: aws-config | Release notes
- You can now control if the
aws-config
module tries to attach IAM policies to the IAM role using the new should_attach_sns_policy
input variable.
Published: 8/17/2021 | Modules affected: custom-iam-entity, os-hardening | Release notes
- Removed references to the deprecated
template
provider and replaced with official recommendations.
Published: 8/11/2021 | Modules affected: cloudtrail-bucket, cloudtrail, aws-config-multi-region, aws-config | Release notes
- Clarifies optional direct usage of cloudtrail-bucket module
- Explains how to configure the cloudtrail bucket to exist outside of the management account
- Updates the aws-config module aggregator functionality to work with the
aws_region
data source and module depends_on
. For details, see https://github.com/gruntwork-io/terraform-aws-security/pull/509.
Published: 8/10/2021 | Modules affected: aws-config-multi-region, aws-config | Release notes
- Introduced
enable_all_regions_for_config_aggregator
which can be used to configure whether AWS should set the config aggregator to all regions regardless of opt_in_regions
.
Published: 8/18/2021 | Modules affected: single-server | Release notes
- Added variable for passing a map of tags to set on the root volume.
Published: 8/10/2021 | Release notes
- Removed references to deprecated
template
provider
Published: 8/3/2021 | Modules affected: single-server | Release notes
- You can now configure the
single-server
module to point the Route 53 DNS record at the private IP of the EIP rather than the public IP by setting the new dns_uses_private_ip
variable to true
.
Published: 8/26/2021 | Modules affected: services | Release notes
- Update ecs-service module with newly added inputs to configure App Mesh behavior
Published: 8/25/2021 | Modules affected: landingzone/account-baseline-security | Release notes
Optionally create service-linked roles for security account using var.service_linked_roles
.
Published: 8/25/2021 | Modules affected: services | Release notes
- Updated
eks-workers
module to allow specifying per Managed Node Group (MNG) --kublet-extra-args
. You can now configure eks_kubelet_extra_args
on each MNG group to override the extra args that should be passed to the underlying kubelet process. You can also configure different user data boot scripts for each worker by setting the cloud_init_parts
field on the MNG configuration.
Published: 8/24/2021 | Modules affected: services | Release notes
- Updated
eks-workers
module to allow specifying per ASG --kublet-extra-args
. You can now configure eks_kubelet_extra_args
on each ASG group to override the extra args that should be passed to the underlying kubelet process. You can also configure different user data boot scripts for each worker by setting the cloud_init_parts
field on the ASG configuration.
Published: 8/24/2021 | Modules affected: data-stores, landingzone, networking | Release notes
- Set MFA Delete to false by default on S3 buckets [BACKWARDS INCOMPATIBLE]
- Adding
apply_default_nacl_rules
to the VPC module
Published: 8/20/2021 | Modules affected: data-stores/s3-bucket, mgmt | Release notes
- Add a new boolean flag,
var.enable_sse
, that dictates whether or not to enable SSE on S3 buckets.
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.6
Published: 8/20/2021 | Modules affected: mgmt, networking, services, base | Release notes
- Added ability to configure additional filters on
fluent-bit
in eks-core-services
module
- Update dependency gruntwork-io/kubergrunt to v0.7.6
- Update dependency gruntwork-io/terraform-aws-eks to v0.44.4
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.5
- Update dependency gruntwork-io/terraform-aws-server to v0.13.3
- Update dependency gruntwork-io/terraform-aws-monitoring to v0.30.1
- Update dependency gruntwork-io/terraform-aws-data-storage to v0.21.1
- Update dependency gruntwork-io/terraform-aws-openvpn to v0.16.1
- Update dependency gruntwork-io/terraform-aws-asg to v0.15.1
- Update dependency gruntwork-io/terraform-aws-cache to v0.16.1
- Update dependency gruntwork-io/terraform-aws-load-balancer to v0.27.1
- Update dependency gruntwork-io/terraform-aws-ecs to v0.30.3
- Update dependency gruntwork-io/terraform-aws-messaging to v0.7.2
- Update dependency gruntwork-io/terraform-aws-vpc to v0.17.2
Published: 8/19/2021 | Modules affected: data-stores | Release notes
- Add support for passing CORS Rules via
var.cors_rules
Published: 8/19/2021 | Modules affected: services/ec2-instance | Release notes
- When you set
dns_zone_is_private
to true
, the ec2-instance
module will now associate the private IP of the instance with the Route 53 private zone.
Published: 8/19/2021 | Modules affected: mgmt, base, services | Release notes
- Allow the Elastic IP to not be created in the ec2-instance module.
- The following dependencies were updated to:
- Update dependency gruntwork-io/terragrunt to v0.31.5
- Update dependency gruntwork-io/terraform-aws-server to v0.13.2
- Update dependency gruntwork-io/terraform-aws-lambda to v0.13.3
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.4
- Update dependency gruntwork-io/gruntwork-installer to v0.0.37
Published: 8/17/2021 | Modules affected: services | Release notes
- Added the ability to track external Fargate Profile executor IAM roles in the aws-auth configmap
- Fixed bug where managed node groups could not be updated post deployment due to an error message about MIME format.
- Fixed bug where using managed node groups sometimes caused an error with IAM roles for self managed ASGs.
- Fixed bug where baseline IAM policies for various services were not being attached to managed node groups.
Published: 8/16/2021 | Modules affected: networking, services | Release notes
- The default Kubernetes version deployed by the
eks-cluster
module has been updated to 1.21
. If you wish to maintain backward compatibility with your existing setup, you will want to configure the kubernetes_version
parameter to the version of Kubernetes you are currently using. Note that 1.21
requires kubergrunt version 0.7.3
and above.
- The default Kubernetes version used by the EKS worker packer template has been updated to
1.21
. If you wish to maintain backward compatibility with your existing setup, you will want to configured the kubernetes_version
packer parameter to the version of Kubernetes you are currently using.
- The default cluster-autoscaler version has been updated to
1.21
in the eks-core-services
module. If you wish to maintain backward compatibility with your existing setup, you will want to configure the cluster_autoscaler_version
input variable.
Published: 8/12/2021 | Modules affected: services | Release notes
- Added support for configuring Horizontal Pod Autoscaler (via the
horizontal_pod_autoscaler
input variable) and overriding chart inputs (via the override_chart_inputs
input variable).
Published: 8/11/2021 | Modules affected: services | Release notes
- Exposed
additional_security_group_ids
in ec2-instance
module
Published: 8/10/2021 | Modules affected: base, services/ecs-cluster, services/eks-workers, mgmt/ecs-deploy-runner | Release notes
- [BACKWARD INCOMPATIBLE] This release updates all the Packer templates to HCL2. See the Getting started guide from HashiCorp for details on HCL2.
- Template data sources have been moved to
local
values to avoid dependency issues.
- The for-production examples have been updated.
- The test finder logic has been moved to the terraform-aws-ci repo.
Published: 8/9/2021 | Modules affected: mgmt, services | Release notes
- Increase default max resources for ecs-deploy-runner
- wrap with trimspace to we dont keep changing userdata, This changes fixes a perpetual diff that could occur on the
userdata
field.
Published: 8/6/2021 | Modules affected: mgmt | Release notes
- Expose variable from inner module to bastion host
Published: 8/4/2021 | Modules affected: mgmt | Release notes
- install gruntkms in jenkins
Published: 8/3/2021 | Modules affected: services, mgmt, networking, base | Release notes
-
Terraform 1.0 upgrade: We have verified that this repo is compatible with Terraform 1.0.x
!
- From this release onward, we will only be running tests with Terraform
1.0.x
against this repo, so we recommend updating to 1.0.x
soon!
- To give you more time to upgrade, for the time being, all modules will still support Terraform
0.15.1
and above, as that version has several features in it (required_providers
with source
URLs) that make it more forwards compatible with 1.0.x
.
- Once all Gruntwork repos have been upgrade to work with
1.0.x
, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
-
Fixed a bug in the ec2-instance
service module that prevented customization of the EBS volumes.
-
The following dependencies were updated to:
- Update dependency gruntwork-io/terratest to v0.37.2
- Update dependency gruntwork-io/terraform-kubernetes-namespace to v0.4.0
- Update dependency gruntwork-io/terraform-aws-utilities to v0.6.0
- Update dependency gruntwork-io/terraform-aws-ci to v0.38.1
- Update dependency gruntwork-io/aws-sample-app to v0.0.4
- Update dependency gruntwork-io/terragrunt to v0.31.2
- Update dependency gruntwork-io/terraform-aws-messaging to v0.7.1
Published: 8/24/2021 | Modules affected: s3-cloudfront | Release notes
Updated the s3-cloudfront
module to create the S3 bucket for access logs using the private-s3-bucket
module under the hood. This adds several extra layers of protection for the access logs bucket, including blocking all public access, enabling encryption at rest, and requiring encryption in transit. This is a backwards incompatible change, so see the migration guide for upgrade instructions.
Published: 8/25/2021 | Modules affected: vpc-interface-endpoint | Release notes
- Add VPC Interface Endpoint for Redshift Data API Service
Published: 8/20/2021 | Modules affected: vpc-interface-endpoint | Release notes
- The
vpc-interface-endpoint
module can now automatically create a security group that allows HTTPS ingress to the endpoints from your VPC if you set create_https_security_group
to true
.
Published: 8/10/2021 | Modules affected: vpc-interface-endpoint, vpc-app, vpc-mgmt | Release notes
- Added support for EBS and Lambda interface endpoints.
- Removed usage of the deprecated
template
provider.