
Gruntwork release 2021-09


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2021-09. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:


v0.3.8: Bugfix not_path on skip, and introduce pathExists helper

Published: 9/30/2021 | Release notes Fixed bug where not_path on skip directive did not work correctly. Added helper function pathExists that returns whether the given path exists on the filesystem.

v0.3.7: Support for not_path in skip

Published: 9/21/2021 | Release notes Implemented support for not_path configuration for skip directive. You can now specify which files should be kept when the skip condition is true. All files that do NOT match the not_path configuration will be skipped.



Published: 9/22/2021 | Release notes



Published: 9/24/2021 | Release notes


Published: 9/23/2021 | Release notes


Published: 9/17/2021 | Release notes

  • 160205a Add Macie related variables to LZ examples (#434)
  • ac439fb Handle hyphenated account names (#437)
  • f908638 Fixes for linux server as bastion host (#432)
  • c89ed90 Make sure the AMI can be built from local machine (#433)
  • 7f54f97 Fixed ASG default key pair name (#431)
  • 127628b Add username/password credential in jenkins (#429)
  • e666a0e Update with better instructions on usage. (#427)
  • fe40bed Update dependency gruntwork-io/terraform-aws-service-catalog to v0.60.1 (#422)


Published: 9/10/2021 | Release notes

  • 4d0bf1e Support the destroy pipeline in a ref arch. (#368)
  • 0435aba Add instructions for update examples script (#424)
  • 5aefc41 Handle no db deployments (#401)
  • dd52c03 Bump terraform-aws-security to latest (#417)
  • 38b2851 Update dependency hashicorp/terraform to v1.0.6 (#309)
  • ddd59c6 Update dependency gruntwork-io/terratest to v0.37.7 (#341)
  • e9eca8d Update dependency gruntwork-io/terragrunt to v0.31.8 (#329)
  • 66354ca Update dependency cli/cli to v1.14.0 (#349)
  • eb145ac Update dependency gruntwork-io/terraform-aws-utilities to v0.6.0 (#357)
  • bce3b6e Update dependency gruntwork-io/terraform-aws-cis-service-catalog to v0.27.0 (#397)
  • e17cdf0 Pull out commonerror. (#386)
  • b57295a Remove broken link. (#372)
  • 42e12a8 Implement Github machine username check (#406)
  • 0de17c4 Fixes for EC2 workers for EDR (#400)
  • f36f476 Update dependency gruntwork-io/terraform-aws-ci to v0.38.9 (#396)
  • e00e998 Update dependency gruntwork-io/terraform-aws-service-catalog to v0.59.4 (#393)
  • 1d3e98d Enable EC2 based ECS Deploy Runners in the deployment script (#388)
  • 8085519 gitlab setup bugfix: Need aws options so that assume role happens (#376)
  • a538e8b eks-fargate app server cluster offering (#395)
  • cf59799 Update dependency gruntwork-io/terraform-aws-ci to v0.38.6 (#355)



Published: 9/29/2021 | Modules affected: install-jenkins | Release notes

  • Updates Java version to 11 in the Jenkins installation script.


Published: 9/27/2021 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner, infrastructure-deploy-script, infrastructure-deployer | Release notes

  • Exposed ability to store stdout and stderr from ECS Deploy Runner runs in S3 to programmatically interact with command outputs. Refer to the updated docs for more info.


Published: 9/27/2021 | Modules affected: jenkins-server | Release notes

  • Updated the jenkins-server module to propagate custom tags to more resources


Published: 9/10/2021 | Modules affected: ecs-deploy-runner-standard-configuration | Release notes

Allows passing optional custom hardcoded options and args for the docker image builder using the new var.docker_image_builder_hardcoded_options and var.docker_image_builder_hardcoded_args.



Published: 9/30/2021 | Modules affected: observability, security | Release notes

  • Adjusts the minimum version of the Terraform AWS provider in the aws-securityhub module.
  • Updates dependency gruntwork-io/terraform-aws-security to v0.55.3.


Published: 9/29/2021 | Modules affected: networking, landingzone | Release notes

  • Updated dependency gruntwork-io/terraform-aws-vpc to v0.17.5
  • Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.62.0
  • Updated for-production examples for architecture catalog v0.0.22
  • Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.62.1
  • Added service-linked roles for security account in account-baseline-security


Published: 9/15/2021 | Modules affected: landingzone, networking, observability, security | Release notes

This release introduces changes in variables of account-baseline-root:

  • Pass cloudtrail_kms_key_arn to base module
  • Make cloudtrail_should_create_s3_bucket and config_should_create_s3_bucket configurable

This release also updates versions of the following dependencies:

  • gruntwork-io/terraform-aws-security to v0.55.1
  • gruntwork-io/terraform-aws-service-catalog to v0.61.1


Published: 9/13/2021 | Release notes

  • Update for-production examples for architecture catalog v0.0.19 (#238, #239)

This release introduces a change to the CI / CD pipeline (Gruntwork Pipelines) that automates destroying infrastructure. To read more about how it works, check out the blog post and the documentation.

To update your existing Gruntwork Reference Architecture to have this new support, make the following changes:

The destroy feature was added in terraform-aws-ci v0.38.5. So as long as you update your Ref Arch to point to this version or newer, you're good. In the steps below, we'll be using v0.38.9, but you can use the latest version as well.

  1. Update your infrastructure-live repo:
    • Pull in changes to:
      • .circleci/config.yml (if using CircleCI) from example config. View the diff.
      • _ci/scripts/ from example View the diff.
        • NOTE: Line 120 is wrong and should be: command_args="$([[ "$command" == "destroy" ]] && echo "" || echo "-destroy")"
    • Modify the 2 container image files:
      • Bump DOCKERFILE_REPO_REF to point to >= v0.38.9 of terraform-aws-ci in shared/<AWS_REGION>/_regional/container_images/ View the diff.
      • Bump DOCKERFILE_REPO_REF to point to >= v0.38.9 of terraform-aws-ci in shared/<AWS_REGION>/_regional/container_images/ View the diff.
      • Run chmod +x shared/<AWS_REGION>/_regional/container_images/*.sh so the scripts are executable.
        • You can get <AWS_REGION> with cat common.hcl | hcledit attribute get locals.default_region.
    • Update common.hcl:
      • Bump the version tags for deploy_runner_container_image_tag and kaniko_container_image_tag. The new container image tags should match the terraform-aws-ci version, >= v0.38.9. View the diff.
  2. Push all changes to a branch. Get it approved. Merge it up to default branch. Wait for CI job to complete.
    • CI job should run _ci/scripts/ which will rebuild the docker images for ECS Deploy Runner and Kaniko, and will push these images to AWS ECR as new container images.
  3. Manually redeploy the ECS Deploy Runner across all regions:
    • In each <account>/<AWS_REGION>/mgmt/ecs-deploy-runner, run aws-vault exec <account_profile> -- terragrunt apply --terragrunt-source-update -auto-approve.
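The steps above that are typed into a shell (checking the DOCKERFILE_REPO_REF bump, making the scripts executable, checking the tags in common.hcl, and redeploying the ECS Deploy Runner in every account and region) as one added helper script. This is example code, not a script from the Gruntwork repos. It assumes two things the page does not state: that the aws-vault profile for an account has the same name as the account's top-level directory in infrastructure-live, and that DOCKERFILE_REPO_REF and the two image tags are plain `NAME="v0.38.9"` assignments in the container_images/*.sh scripts and in the locals block of common.hcl respectively.

```shell
#!/usr/bin/env bash
# Added helper for the Reference Architecture update steps above (example code,
# not part of any Gruntwork repo). Run it with "run" from the root of
# infrastructure-live; without arguments it only defines the functions.
# Assumptions not stated on the page:
#   * aws-vault profile name == account directory name (<account>/<AWS_REGION>/...)
#   * DOCKERFILE_REPO_REF is a shell assignment in container_images/*.sh
#   * deploy_runner_container_image_tag / kaniko_container_image_tag live in locals of common.hcl
set -eu

MIN_CI_VERSION="v0.38.9"   # destroy support landed in v0.38.5; the guide uses v0.38.9

# version_ge A B: exit 0 when A >= B, comparing numeric major.minor.patch after
# dropping a leading "v" and any "-suffix" (so "v0.38.10" > "v0.38.9").
version_ge() {
  a=${1#v}; a=${a%%-*}; b=${2#v}; b=${b%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    ai=$(printf '%s' "$a" | cut -s -d. -f"$i"); bi=$(printf '%s' "$b" | cut -s -d. -f"$i")
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# dockerfile_ref_ok FILE MINVER: print the DOCKERFILE_REPO_REF found in FILE and
# exit 1 if it is missing or older than MINVER (quotes and trailing comments are ignored).
dockerfile_ref_ok() {
  ref=$(grep -E '^[[:space:]]*(export[[:space:]]+)?DOCKERFILE_REPO_REF=' "$1" | head -n 1 \
        | sed -e 's/^[^=]*=//' -e "s/[\"']//g" -e 's/[[:space:]].*$//')
  if [ -z "$ref" ]; then
    echo "$1: no DOCKERFILE_REPO_REF found" >&2; return 1
  fi
  printf '%s\n' "$ref"
  if ! version_ge "$ref" "$2"; then
    echo "$1: DOCKERFILE_REPO_REF=$ref is older than $2" >&2; return 1
  fi
}

# find_deploy_runner_dirs ROOT: every <account>/<AWS_REGION>/mgmt/ecs-deploy-runner under ROOT.
find_deploy_runner_dirs() {
  find "$1" -type d -path '*/mgmt/ecs-deploy-runner' | sort
}

# redeploy_deploy_runners ROOT: step 3 above for every account and region.
# With DRY_RUN=1 the command is printed instead of executed.
redeploy_deploy_runners() {
  root=$1
  find_deploy_runner_dirs "$root" | while IFS= read -r dir; do
    rel=${dir#"$root"/}; account=${rel%%/*}   # assumption: account dir == aws-vault profile
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '[dry-run] %s: aws-vault exec %s -- terragrunt apply --terragrunt-source-update -auto-approve\n' "$dir" "$account"
    else
      (cd "$dir" && aws-vault exec "$account" -- terragrunt apply --terragrunt-source-update -auto-approve)
    fi
  done
}

# main: steps 1.3, 1.4 and 3 from the guide (the "pull in changes" steps are manual).
main() {
  region=$(cat common.hcl | hcledit attribute get locals.default_region | tr -d '"')
  img_dir="shared/$region/_regional/container_images"
  chmod +x "$img_dir"/*.sh
  for f in "$img_dir"/*.sh; do dockerfile_ref_ok "$f" "$MIN_CI_VERSION"; done
  for tag in deploy_runner_container_image_tag kaniko_container_image_tag; do
    version_ge "$(cat common.hcl | hcledit attribute get "locals.$tag" | tr -d '"')" "$MIN_CI_VERSION" \
      || { echo "common.hcl: $tag must be >= $MIN_CI_VERSION" >&2; exit 1; }
  done
  redeploy_deploy_runners "$PWD"
}
case "${1:-}" in run) main ;; esac
```

Run `DRY_RUN=1 ./update-refarch.sh run` first to see which accounts and regions would be redeployed before letting it call terragrunt apply with -auto-approve; the version check exists because pointing DOCKERFILE_REPO_REF or the image tags at anything below v0.38.5 builds images without the destroy pipeline.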

Unfortunately we cannot regenerate the documentation for your particular Reference Architecture (located in /docs). However, we have updated these docs and recommend that you pull in the changes so that you have them handy locally.


Published: 9/3/2021 | Modules affected: observability, landingzone, networking, security | Release notes

This release enables passing additional data logging resources to the cloudtrail module, via the new additional_data_logging_resources variable.

This release also updates all the README badges to point to the v1.4.0 of the CIS Benchmark. It also updates the versions of the following dependencies:

  • gruntwork-io/terraform-aws-monitoring to v0.30.2
  • gruntwork-io/terraform-aws-security to v0.55.0
  • gruntwork-io/terraform-aws-vpc to v0.17.4



Published: 9/23/2021 | Modules affected: lambda-copy-shared-snapshot | Release notes

  • Enhanced global cluster example to show how to create a cross region replica
  • BACKWARD INCOMPATIBLE Removes unused rds_db_arn variable from the lambda-copy-shared-snapshot module.



Published: 9/29/2021 | Modules affected: ecs-cluster, ecs-service, ecs-daemon-service | Release notes

  • Exposed ability to configure tags on ecs-daemon-service
  • Exposed ability to customize the IAM role name of the ECS cluster
  • Exposed ability to configure permissions boundary on ecs-cluster instance IAM role


Published: 9/28/2021 | Modules affected: ecs-service | Release notes

  • Exposed ability to configure tags on the ELB Target Group in the ecs-service module (via the variable lb_target_group_tags).


Published: 9/23/2021 | Modules affected: ecs-service | Release notes

  • Exposed service discovery ARN as one of the outputs.


Published: 9/15/2021 | Modules affected: ecs-scripts | Release notes

  • Updated configure-ecs-instance script to handle setting arbitrary ECS configurations. You can now set arbitrary configuration values using the --custom-config option.


Published: 9/14/2021 | Modules affected: ecs-scripts | Release notes

  • The configure-ecs-instance script no longer calls docker login for ECS, as the ECS Agent does that automatically nowadays. Also, updated the script to make --docker-auth-type optional and the --ecr-aws-region is now a no-op. Both params still work, so this is a backwards compatible release, but you may want to remove them both if you are using ECR.



Published: 9/7/2021 | Modules affected: eks-alb-ingress-controller, eks-alb-ingress-controller-iam-policy, eks-container-logs | Release notes

(no description found in release notes)


Published: 9/7/2021 | Modules affected: eks-container-logs, eks-fargate-container-logs | Release notes

  • Added new module (eks-fargate-container-logs) for setting up log aggregation to AWS resources (CloudWatch Logs, Kinesis, or Elasticsearch) for Fargate pods.


Published: 9/6/2021 | Modules affected: eks-k8s-cluster-autoscaler | Release notes

  • You can now set the expanderPriorities and priorityConfigMapAnnotations properties of the cluster-auto-scaler Helm chart using the new expander_priorities and priority_config_map_annotations input variables, respectively. These settings are useful when scaling_strategy is set to priority.



Published: 9/28/2021 | Modules affected: aws-auth | Release notes

  • Exposed ability to set role-session-name for the assume role session created by aws-auth.


Published: 9/28/2021 | Modules affected: private-s3-bucket | Release notes

  • Adds a depends_on between the bucket object ownership and the policy in private-s3-bucket. This resolves an issue where we expected an implicit dependency between the resources (formed by a resource reference) but there was none, resulting in conflicting conditional operation errors.


Published: 9/14/2021 | Modules affected: aws-auth, private-s3-bucket, iam-users, custom-iam-entity | Release notes

  • MFA Delete Script improvements (PR #539)
  • Improves mfa-delete script instructions (PR #541)
  • Documentation on how to delete users created by the iam-users module (PR #543)
  • Adds the ability to input JSON-formatted IAM policies with custom-iam-entity and iam-users (PR #538)


Published: 9/3/2021 | Modules affected: cloudtrail, private-s3-bucket | Release notes

This release adds the capability for the cloudtrail module to handle multiple data logging resources. For this purpose, a new variable data_logging_resources has been added to the cloudtrail module, which has replaced variables data_logging_resource_type and data_logging_resource_values. See migration guide for instructions on how to migrate to using the new variable.

This release also adds a script to enable MFA Delete for the private-s3-bucket module.



Published: 9/15/2021 | Modules affected: disable-instance-metadata, persistent-ebs-volume, route53-helpers, single-server | Release notes

  • Migrate route53-helpers example to IMDSv2 and introduce disable-instance-metadata module. The route53-helpers example now demonstrates how to correctly use AWS Instance Metadata Service version 2, which is session-oriented (a PUT request obtains a token with a TTL, and every GET must present that token) and therefore blocks the single-GET credential theft that request forgery, misconfigured reverse proxies and open WAFs could achieve against version 1, so it is preferred over version 1.
  • [NEW MODULE] In addition, these changes introduce the new disable-instance-metadata module that contains a convenience script you can use to disable future calls to the Instance Metadata Service once your instance has retrieved all the information it requires.
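The IMDSv2 exchange described above, and the "read what you need, then turn the endpoint off" pattern the new module is for, as an added shell example. This is not the route53-helpers example or the disable-instance-metadata module's script, neither of which appears on this page; it uses curl for the token and metadata calls and the EC2 modify-instance-metadata-options API (via the aws CLI) for enforcing tokens and for disabling the endpoint, which is an assumption about how the module achieves the same end. It also assumes the instance role is allowed to call ec2:ModifyInstanceMetadataOptions on itself.

```shell
#!/usr/bin/env bash
# Added IMDSv2 example (not the disable-instance-metadata module's script).
# Assumptions: curl and the aws CLI are installed, and the instance role may call
# ec2:ModifyInstanceMetadataOptions on the instance it runs on.
set -eu

IMDS="${IMDS:-http://169.254.169.254}"

# imds_token TTL_SECONDS: IMDSv2 session token. It is obtained with a PUT plus a TTL
# header; a GET with no token is refused once tokens are "required" on the instance.
imds_token() {
  curl -sS -f -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-60}" --max-time 2
}

# imds_get PATH: GET a metadata path (e.g. meta-data/instance-id) with a fresh 60s token.
imds_get() {
  token=$(imds_token 60)
  curl -sS -f "$IMDS/latest/$1" -H "X-aws-ec2-metadata-token: $token" --max-time 2
}

# imds_v1_allowed: exit 0 if the instance still answers token-less requests, i.e.
# IMDSv1 is still reachable and the hardening below has not been applied.
imds_v1_allowed() {
  curl -s -o /dev/null -w '%{http_code}' "$IMDS/latest/meta-data/" --max-time 2 | grep -q '^200$'
}

# require_imdsv2 INSTANCE_ID [REGION]: require tokens and keep the PUT hop limit at 1,
# so a forwarded or proxied request cannot complete the token step.
require_imdsv2() {
  aws ec2 modify-instance-metadata-options --instance-id "$1" \
      --http-tokens required --http-put-response-hop-limit 1 ${2:+--region "$2"}
}

# disable_imds INSTANCE_ID [REGION]: turn the endpoint off entirely once bootstrap is done.
disable_imds() {
  aws ec2 modify-instance-metadata-options --instance-id "$1" \
      --http-endpoint disabled ${2:+--region "$2"}
}

# bootstrap: the order the module's description implies - read everything the host
# needs through IMDSv2 first, then disable the endpoint.
bootstrap() {
  id=$(imds_get meta-data/instance-id)
  region=$(imds_get meta-data/placement/region)
  role=$(imds_get meta-data/iam/security-credentials/)
  echo "instance=$id region=$region role=$role"
  disable_imds "$id" "$region"
}
case "${1:-}" in bootstrap) bootstrap ;; esac
```

Two caveats before copying this onto a host: disabling the endpoint also stops the AWS SDKs on that instance from refreshing instance-role credentials, so only do it when nothing on the box needs the role after bootstrap (or re-enable it with --http-endpoint enabled when it does); and a hop limit of 1 blocks IMDS for containers that reach it through a bridge network, which need a limit of 2.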



Published: 9/26/2021 | Modules affected: services/eks-core-services, services/ecs-service | Release notes

  • Makes load_balancing_algorithm_type configurable in the ecs-service module.
  • Updates for-production examples for architecture catalog v0.0.21
  • Adds README for the ecs-deploy-runner module.
  • Optional retention period for fluent-bit CloudWatch log group.


Published: 9/18/2021 | Modules affected: services/eks-core-services, mgmt, networking | Release notes

  • Update dependency hashicorp/terraform to v1.0.7
  • Update dependency gruntwork-io/terraform-aws-eks to v0.45.0
  • Bump k8s-service helm chart version to v0.2.6


Published: 9/17/2021 | Modules affected: networking, data-stores | Release notes

  • Update dependency gruntwork-io/terraform-aws-vpc to v0.17.5
  • Extend Elasticsearch to support Multi AZ & Master Accounts
  • Expose security_group_tags for App VPCs.


Published: 9/14/2021 | Modules affected: mgmt/ecs-deploy-runner | Release notes


Published: 9/14/2021 | Modules affected: services/ecs-cluster | Release notes

  • Replaced ECS cluster autoscaling machinery from CPU based to Capacity Provider based autoscaling. Capacity provider based autoscaling is a superior form of ECS cluster autoscaling that bases decisions on ECS task scheduling and cluster availability. Refer to the AWS blog post on ECS cluster autoscaling for more information on how this works. This is a backward incompatible change. Refer to the migration guide for information on how to adapt your ECS cluster to this new form of autoscaling.


Published: 9/13/2021 | Modules affected: services/ecs-service, networking/vpc | Release notes

  • Networking/VPC: Fix VPC peering when subnet tiers are disabled (#943)
  • Services/ECS-Service: Remove unused force_destroy variable (#944)
  • Services/ECS-Service: Add enable_execute_command variable (#946)
  • Update for-production examples for architecture catalog v0.0.19 (#947)


Published: 9/9/2021 | Modules affected: mgmt, services | Release notes

  • All packer templates now support configuring region_kms_key_ids for encrypting multi region AMIs.


Published: 9/8/2021 | Modules affected: services/eks-core-services, mgmt/ecs-deploy-runner, services, mgmt | Release notes

  • [BREAKING] Updated eks-core-services to configure fluent-bit for log aggregation for Fargate pods.
  • [BREAKING] Updated ecs-deploy-runner to properly support multi-region KMS grants. In v0.51.0 of terraform-aws-security, we refactored how we build multi-region modules, that is, those modules that deploy resources across every AWS region, such as kms-grants-multi-region, to no longer create nested provider blocks, and instead have users pass in providers via the providers map. In this release, we have updated the ecs-deploy-runner module to use the latest version of terraform-aws-security for managing KMS grants. This reduces the number of providers that Terraform must instantiate, making the ecs-deploy-runner module much faster and more stable to use. It also gives you full control over how to authenticate to your various AWS accounts. However, this is a backward incompatible change, so make sure to read the migration guide below.
  • Updated k8s-service module to expose the target-type parameter on the Ingress resource.
  • Updated openvpn and eks-worker packer templates to expose region_kms_key_ids variable for encrypting multi region images.
  • Update various dependencies:
    • Update dependency gruntwork-io/terratest to v0.37.7
    • Update dependency gruntwork-io/kubergrunt to v0.7.9
    • Update dependency gruntwork-io/terraform-aws-ci to v0.38.9
    • Update dependency gruntwork-io/terragrunt to v0.31.7
    • Update dependency gruntwork-io/terraform-aws-vpc to v0.17.3
    • Update dependency gruntwork-io/terraform-aws-ecs to v0.30.4
    • Update dependency gruntwork-io/terraform-aws-security to v0.53.1



Published: 9/8/2021 | Modules affected: s3-cloudfront | Release notes

  • You can now disable access logging in the s3-cloudfront module using the new disable_logging input variable. This is useful in regions where CloudFront access logging isn't supported.



Published: 9/15/2021 | Modules affected: vpc-app | Release notes

  • Add custom tags for Security Groups in VPC-App


Published: 9/3/2021 | Modules affected: vpc-interface-endpoint | Release notes

  • Add support for EFS interface endpoints to the vpc-interface-endpoint module.