Gruntwork release 2022-01
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2022-01. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 1/12/2022 | Release notes
https://github.com/gruntwork-io/repo-copier/pull/112:
- You can now have `repo-copier` append a suffix to the name of each copied repo using the new `--repo-name-suffix` parameter. This is useful to ensure each repo name is unique and doesn't conflict with any repos you already have.
- Improved error handling on GitLab repos to make it clearer that you must specify a group in the URL, not a repo or user.
Published: 1/18/2022 | Release notes
What's Changed
- f73b8cb Documentation for tfenv and upgrading terraform. (#555)
Published: 1/13/2022 | Release notes
Published: 1/26/2022 | Modules affected: [NEW] | Release notes
- Adds support for ASG `instance_refresh` to provide rolling deploys (i.e., replace N% of the ASG at a time), with health checks and a warm-up period.
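The rolling-deploy mechanism described above, as an added example that is not the module's own code: a plain `aws_autoscaling_group` with an `instance_refresh` block. The resource names, the referenced launch template and subnet variable, and the 90% / 300 s values are assumptions chosen for illustration.

```hcl
# Added example (not Gruntwork module code): ASG rolling deploy via instance_refresh.
variable "subnet_ids" {
  type = list(string)   # assumed input
}

resource "aws_launch_template" "example" {
  name_prefix   = "example-"
  image_id      = "ami-00000000000000000"   # placeholder AMI id
  instance_type = "t3.small"
}

resource "aws_autoscaling_group" "example" {
  name                      = "example-asg"
  min_size                  = 2
  max_size                  = 6
  desired_capacity          = 3
  vpc_zone_identifier       = var.subnet_ids
  # Gate replacement on load balancer health, not just EC2 status checks,
  # so an instance that boots but fails to serve traffic is not counted as healthy.
  health_check_type         = "ELB"
  health_check_grace_period = 300

  launch_template {
    id      = aws_launch_template.example.id
    version = "$Latest"
  }

  # Rolling refresh: at most 10% of the group is out of service at any time,
  # and each replacement must pass health checks and then warm up for 300 s
  # before the next batch is replaced. A refresh is started automatically
  # whenever the launch template changes.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 90
      instance_warmup        = 300
    }
  }
}
```

Keep `min_healthy_percentage` high enough that losing the complementary fraction of capacity is acceptable, and set `instance_warmup` to at least the time an instance needs to become fully functional; otherwise the refresh can cycle through the whole group before a bad image is detected.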
Published: 1/19/2022 | Modules affected: ecs-deploy-runner | Release notes
- Added `permissions_boundary` to the `ecs-deploy-runner` ECS Task IAM role and ECS Task Execution IAM role.
- This variable is optional, and therefore backwards compatible. It allows you to add an additional layer of permission restrictions and scope to the IAM roles it applies to.
Published: 1/14/2022 | Modules affected: ecs-deploy-runner, gruntwork-module-circleci-helpers | Release notes
Most users will not be affected by the change to `configure-environment-for-gruntwork-module`. If you do not need Terraform installed in your environment, you would previously pass in `--terraform-version NONE`, and now you must also pass in `--tfenv-version NONE`. If you don't pass in `--tfenv-version NONE`, it will install the latest version of `tfenv`. Note: if you want to install Terraform without `tfenv`, set only `--tfenv-version NONE`, and it will still install Terraform as usual.
Published: 1/14/2022 | Modules affected: ecs-deploy-runner | Release notes
- Exposed the ability to configure reserved concurrent executions for the ECS Deploy Runner invoker Lambda.
Published: 1/12/2022 | Modules affected: ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
- Updated `ecs-deploy-runner` to handle options without arguments by adding the allowed options to the list `allowed_options_without_args`.
Published: 1/13/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-root, landingzone/account-baseline-security, security/aws-securityhub | Release notes
Updated dependency `gruntwork-io/terraform-aws-service-catalog` to v0.70.1. As a part of this change, support for the `ap-southeast-3` (Jakarta) region was added to the multi-region modules. This is a backward incompatible change: refer to the migration guide for more details.
Published: 1/11/2022 | Modules affected: security/revoke-unused-iam-credentials, security/cleanup-expired-certs | Release notes
- Updated `cleanup-expired-certs` to configure reserved concurrent executions to 1.
- Added a new module (`security/revoke-unused-iam-credentials`) that will automatically revoke unused IAM credentials.
Published: 1/31/2022 | Modules affected: redshift | Release notes
- Added `enhanced_vpc_routing` and `logging` options to the `redshift` module.
Published: 1/26/2022 | Modules affected: eks-cluster-control-plane | Release notes
- Updated control plane module to provision the required KMS permission to the CMK policy when using envelope encryption.
Published: 1/26/2022 | Modules affected: eks-cluster-control-plane | Release notes
- Bumped `kubergrunt` to v0.8.0.
Published: 1/24/2022 | Modules affected: eks-cluster-control-plane, eks-cluster-workers | Release notes
- Updated `aws` provider version constraints to ensure Terraform doesn't use one with a bug around launch templates.
- Added support for configuring prefix delegation mode on the AWS VPC CNI. Prefix delegation mode increases the number of secondary IPs that can be provisioned to an EC2 instance, greatly expanding the number of Pods that can be scheduled on a node. Refer to the updated documentation for more details.
Note that this change is functionally backward compatible, but due to complexities around Kubernetes versioning, some of the settings may not be available across all Kubernetes versions, and therefore this release is marked as backward incompatible out of caution. If you run into errors, or have issues with the AWS VPC CNI as a result of upgrading to this release, you can disable the prefix delegation management in the module by setting the `var.use_vpc_cni_customize_script` input variable to `false`.
Published: 1/11/2022 | Modules affected: eks-cluster-workers | Release notes
- Updated codeowners to reflect current owners.
- Enabled detailed monitoring control for ASG EC2 instances. A new variable, `asg_enable_detailed_monitoring`, allows you to configure whether or not detailed monitoring is enabled on the EC2 instances that comprise the EKS cluster workers auto scaling group.
Published: 1/7/2022 | Modules affected: eks-cluster-workers | Release notes
- Fixed a bug where using a name prefix broke the IAM role name output of the `eks-cluster-workers` module.
Published: 1/26/2022 | Modules affected: keep-warm, lambda-edge, lambda, api-gateway-account-settings | Release notes
- Updated to manage the CloudWatch Log Group for the Lambda function in Terraform. This enables you to configure various settings, such as KMS encryption keys for encrypted log events and retention periods. This change is backward incompatible: refer to the migration guide below for more details.
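What "managing the Log Group in Terraform" buys you, as an added example that is not the module's own code: the group is created with a KMS key and a retention period before the function can write to it, and the function's role is only allowed to write streams into that group. The function name variable, the KMS key resource, the 90-day retention and the IAM role name are assumptions.

```hcl
# Added example (not Gruntwork module code): Terraform-managed Lambda log group.
variable "function_name" {
  type    = string
  default = "example-function"   # constructed sample value
}

# Assumed CMK; its key policy must allow the regional CloudWatch Logs
# service principal (logs.<region>.amazonaws.com) to use the key.
resource "aws_kms_key" "logs" {
  description         = "CMK for Lambda log events"
  enable_key_rotation = true
}

resource "aws_cloudwatch_log_group" "lambda" {
  # Lambda writes to /aws/lambda/<function name>. The group must use exactly
  # this name, otherwise Lambda auto-creates its own group on first invocation
  # with no retention limit and no CMK.
  name              = "/aws/lambda/${var.function_name}"
  retention_in_days = 90
  kms_key_id        = aws_kms_key.logs.arn
}

data "aws_iam_policy_document" "lambda_logging" {
  statement {
    # Deliberately no logs:CreateLogGroup: the group is managed here, so the
    # function only needs to create streams and put events into it.
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.lambda.arn}:*"]
  }
}

data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "example-function-role"   # assumed name
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

resource "aws_iam_role_policy" "lambda_logging" {
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.lambda_logging.json
}

resource "aws_lambda_function" "example" {
  function_name = var.function_name
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "function.zip"   # assumed deployment package

  # Make sure the group exists before the first invocation so Lambda never
  # gets the chance to create an unmanaged one.
  depends_on = [aws_cloudwatch_log_group.lambda]
}
```

When adopting this pattern on an existing function, import the auto-created group into state first (`terraform import aws_cloudwatch_log_group.lambda /aws/lambda/<name>`); otherwise the apply fails because the group already exists.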
Published: 1/24/2022 | Modules affected: api-gateway-account-settings, keep-warm, lambda-edge, lambda | Release notes
- Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly to compliance checkers and are generally recommended by AWS as a best practice.
Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary loss of IAM permissions. If you wish to avoid this, you can set the new `var.use_managed_iam_policies` to `false`.
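The inline-versus-managed distinction behind this change, as an added example that is not the module's own code. The toggle variable reuses the release's `use_managed_iam_policies` name, but the way the module itself wires it is an assumption; the role name, the policy name and the bucket ARN are constructed.

```hcl
# Added example (not Gruntwork module code): inline policy vs. customer-managed policy.
variable "use_managed_iam_policies" {
  type    = bool
  default = true
}

data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "example-function-role"   # assumed name
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

data "aws_iam_policy_document" "read_bucket" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-config-bucket/*"]   # constructed bucket
  }
}

# Before: inline policy. It exists only as part of this one role, has no ARN
# and no version history, cannot be reused on another principal, and is
# invisible to tooling that lists and reviews managed policies.
resource "aws_iam_role_policy" "inline" {
  count  = var.use_managed_iam_policies ? 0 : 1
  name   = "read-config-bucket"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.read_bucket.json
}

# After: customer-managed policy plus attachment. The policy is a first-class
# resource with its own ARN and versions, so compliance checkers can enumerate
# and diff it independently of the roles it is attached to.
resource "aws_iam_policy" "managed" {
  count  = var.use_managed_iam_policies ? 1 : 0
  name   = "read-config-bucket"
  policy = data.aws_iam_policy_document.read_bucket.json
}

resource "aws_iam_role_policy_attachment" "managed" {
  count      = var.use_managed_iam_policies ? 1 : 0
  role       = aws_iam_role.lambda.name
  policy_arn = aws_iam_policy.managed[0].arn
}
```

Flipping the variable from `false` to `true` destroys the inline policy and creates the managed policy in the same apply, which is the brief window without permissions the notes warn about; do it during a maintenance window or stage the managed policy first.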
Published: 1/7/2022 | Modules affected: logs/load-balancer-access-logs | Release notes
- Exposed the ability to configure S3 server access logging for the ELB/ALB access logs bucket.
Published: 1/6/2022 | Modules affected: metrics, alarms | Release notes
- `cloudwatch-custom-metrics-iam-policy`: Added a comment explaining why `ec2:DescribeTags` is needed.
- Updated the `sns-to-slack` module to use Python 3.7 instead of 2.7.
Published: 1/14/2022 | Modules affected: openvpn-admin | Release notes
- `openvpn-admin`: Fixed a bug that was causing `openvpn-admin` to return the instance's private IPv4 address. `openvpn-admin` now correctly returns the instance's public IPv4 address.
Published: 1/7/2022 | Modules affected: backup-openvpn-pki, install-openvpn, openvpn-server, start-openvpn-admin | Release notes
- Require IMDSv2 in `aws_launch_configuration`. This release allows you to configure the AWS Instance Metadata Service (IMDS) state (enabled or disabled) and which versions of the endpoint may be used, via Terraform and these new variables:
  - `var.enable_imds`
  - `var.use_imdsv1`
In addition, `var.use_imdsv1` defaults to `false` to enforce use of the preferred IMDSv2 endpoint. If you don't also need to use IMDSv1, we recommend leaving this variable set to `false` and updating your `start-openvpn-admin` script to this release tag.
Note that if you:
- are upgrading to this tag
- intend to use only IMDSv2 going forward
- keep `var.use_imdsv1` set to `false`
then you must update your `start-openvpn-admin` script to tag v0.19.0 in order to deploy a functioning OpenVPN server.
If you need to continue using IMDS version 1, you can set `var.use_imdsv1` to `true`.
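How the two variables translate into launch configuration settings, as an added example that is not the module's own code. `enable_imds` and `use_imdsv1` are the names from the release; the way they map onto `metadata_options` here is an assumption about the module's internals, while the `aws_launch_configuration` arguments themselves are standard AWS provider arguments. The AMI variable and the instance type are assumptions.

```hcl
# Added example (not Gruntwork module code): enforcing IMDSv2 on a launch configuration.
variable "enable_imds" {
  type    = bool
  default = true
}

variable "use_imdsv1" {
  type    = bool
  default = false   # IMDSv2 (session tokens) only, matching the release default
}

variable "ami_id" {
  type = string   # assumed input
}

resource "aws_launch_configuration" "openvpn" {
  name_prefix   = "openvpn-"
  image_id      = var.ami_id
  instance_type = "t3.small"

  metadata_options {
    # "disabled" turns the metadata endpoint off entirely; most instance
    # roles need it, so it usually stays enabled.
    http_endpoint = var.enable_imds ? "enabled" : "disabled"

    # "required" makes the endpoint reject any request without a session
    # token obtained via a PUT, which is what stops the classic
    # SSRF-to-instance-credentials path. "optional" keeps IMDSv1 answering.
    http_tokens = var.use_imdsv1 ? "optional" : "required"

    # A hop limit of 1 keeps the token from being reachable through a
    # container or NAT hop on the same host.
    http_put_response_hop_limit = 1
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

Once `http_tokens` is `required`, every script on the box that reads metadata (including `start-openvpn-admin`, per the note above) has to fetch a token with `PUT /latest/api/token` and send it as `X-aws-ec2-metadata-token`; an older script that does a bare GET gets a 401 and the server fails to come up, which is the breakage the release notes describe.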
Published: 1/6/2022 | Modules affected: init-openvpn | Release notes
Updated to generate DSA-like Diffie-Hellman parameters (using a weak prime). The weaker prime is much less computationally intensive and can be generated quickly, without sacrificing the secure nature of the parameters. If you wish to maintain the old behavior with strong primes, you can pass the `--gen-strong-prime` option to the call to `init-openvpn`.
Published: 1/4/2022 | Modules affected: openvpn-admin, openvpn-server | Release notes
- Added ability to configure access logging for the OpenVPN backup bucket
- Added ability to make IAM Groups for certificate management permissions optional
- Various updates to documentation
Published: 1/31/2022 | Modules affected: aws-config-multi-region | Release notes
- Removed an inline provider that was erroneously added.
Published: 1/24/2022 | Modules affected: aws-config-multi-region, aws-config | Release notes
- Updated the `kms_key_arn` input variable for AWS Config to be regional for each SNS topic. Previously, it only allowed specifying a single KMS key, but that was not correct for SNS topics, which are regional resources.
Published: 1/24/2022 | Modules affected: aws-config-bucket, aws-config-multi-region, aws-config, cloudtrail-bucket | Release notes
- Exposed the ability to configure access logging and replication settings on the AWS Config and AWS CloudTrail buckets in the respective modules.
Published: 1/12/2022 | Modules affected: aws-config-multi-region, aws-config, cloudtrail-bucket, custom-iam-entity | Release notes
- Updated to use the `aws_partition` data source to look up the partition when constructing ARNs. This allows the modules to be compatible with alternative AWS partitions such as GovCloud and China.
Published: 1/11/2022 | Modules affected: kms-cmk-replica, kms-master-key-multi-region, kms-master-key | Release notes
NOTE: This release is functionally backward compatible, but requires an updated `aws` provider version to work (>= 3.64.0). For most users, this won't be an issue and Terraform will automatically update to the required provider version, but if you have wrapper modules that depend on an older `aws` provider version, you will need to update your wrapper module to be compatible with the newer provider before you can bump to this version.
- Added support for replicating a key across regions. Refer to the updated documentation of `kms-master-key-multi-region` for more information.
Published: 1/11/2022 | Modules affected: aws-config-multi-region, aws-config | Release notes
- Added the ability to configure snapshot delivery frequency in the AWS Config module.
Published: 1/11/2022 | Modules affected: private-s3-bucket, ssh-grunt, github-actions-iam-role | Release notes
- Minor tweaks to enhance functionality around object locking
- Updated dependencies:
  - github.com/urfave/cli to v1.22.5
  - github.com/go-errors/errors to v1.4.1
  - circleci/python Docker tag to v3.10.1
  - golang Docker tag to v1.17
  - github.com/sirupsen/logrus to v1.8.1
  - github.com/stretchr/testify to v1.7.0
  - github.com/gruntwork-io/go-commons to v0.10.0
  - github.com/aws/aws-sdk-go to v1.42.31
Published: 1/4/2022 | Modules affected: cross-account-iam-roles, custom-iam-entity, github-actions-iam-role | Release notes
- Added support for configuring IAM roles that allow access to GitHub Actions with OpenID Connect. Refer to the documentation for `github-actions-iam-role` for more info.
- Added support for `allow-auto-deploy-access-from-other-accounts` to be assumed by GitHub Actions. This is configured using the new `allow_auto_deploy_from_github_actions` input variable on the `cross-account-iam-roles` module.
- Added support for arbitrary configurations of the Assume Role policy on IAM roles created with `custom-iam-entity`. This is configured using the new `assume_role_iam_policy_json` input variable.
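The two pieces a GitHub Actions OIDC role consists of, as an added example that is not the module's own code: an OIDC provider pinned to a static thumbprint list (the same idea as the service catalog's static thumbprint option further down this page) and a trust policy of the kind you could pass through `assume_role_iam_policy_json`. The thumbprint value, the organisation and repository names, and the role name are placeholders.

```hcl
# Added example (not Gruntwork module code): GitHub Actions OIDC provider and trust policy.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]

  # Supplying the thumbprints yourself means the trust anchor is reviewed
  # code, rather than whatever certificate chain happens to be served at
  # apply time. Replace the placeholder with the current GitHub root CA
  # SHA-1 thumbprint(s) from GitHub's documentation.
  thumbprint_list = ["0000000000000000000000000000000000000000"]   # placeholder
}

data "aws_iam_policy_document" "github_actions_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # The token must be minted for STS, not for some other audience.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Restrict to one repository and one branch. Without a sub condition,
    # a workflow in any GitHub repository could assume this role.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"]   # placeholder
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name               = "github-actions-deploy"   # placeholder
  assume_role_policy = data.aws_iam_policy_document.github_actions_trust.json
}

# Whatever the workflow is allowed to do is attached separately; the trust
# policy above only decides who may assume the role.
output "github_deploy_role_arn" {
  value = aws_iam_role.github_deploy.arn
}
```

If you want to allow pull request workflows as well, add a second `sub` value such as `repo:example-org/example-repo:pull_request`; keep the list explicit rather than using a trailing wildcard after the organisation name, which would trust every repository in it.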
Published: 1/19/2022 | Modules affected: single-server | Release notes
- Exposed the ability to control whether a public IP address is associated with the server in the `single-server` module, regardless of what is configured by default on the subnet.
Published: 1/11/2022 | Modules affected: single-server | Release notes
- Updated to allow associating a domain with the EC2 instance even without an EIP.
Published: 1/31/2022 | Modules affected: services/eks-core-services | Release notes
- Added EKS Container Insights metrics collection to EKS Core Services.
Published: 1/26/2022 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- Updated dependency `gruntwork-io/terraform-aws-security` to version 0.59.0.
Published: 1/25/2022 | Modules affected: mgmt/bastion-host, mgmt/jenkins, mgmt/openvpn-server, mgmt/ecs-deploy-runner | Release notes
- Added the ability to manage the CloudWatch Log Group for EC2 log aggregation in Terraform. Now `base/ec2-baseline` (and all modules that depend on it) will create and manage the CloudWatch Log Group before the server is launched by default. This allows you to configure options such as KMS key based encryption and log event retention periods on the Log Group. Note that this is a backward incompatible change. Refer to the migration guide below for more information.
- Updated dependencies:
  - `gruntwork-io/terraform-aws-ci` to v0.41.0
  - `gruntwork-io/terraform-aws-security` to v0.58.1 (for server scripts installed with `base/ec2-baseline`)
- Updated the `for-production` example with the latest version of the CI scripts.
Published: 1/14/2022 | Modules affected: networking, services, base, mgmt | Release notes
Updated various dependencies:
- Update Terraform github.com/gruntwork-io/terraform-aws-vpc to v0.18.7
- Update Terraform github.com/gruntwork-io/terraform-aws-eks to v0.46.10
- Update Terraform github.com/gruntwork-io/terraform-aws-server to v0.13.8
- Update Terraform github.com/gruntwork-io/terraform-aws-security to v0.58.0
- Update for-production examples for architecture catalog v0.0.25
- Update Terraform github.com/gruntwork-io/terraform-aws-ci to v0.40.2
- Bump terraform-aws-openvpn to v0.19.1
Published: 1/11/2022 | Modules affected: tls-scripts, services, mgmt, base | Release notes
- Added the ability to provide a static list of thumbprints for a better security posture when configuring an OIDC provider for GitHub Actions.
- Updated various dependencies:
  - `gruntwork-io/terraform-aws-asg` to v0.16.0
  - `github.com/gruntwork-io/terraform-aws-monitoring` to v0.30.5
  - `gruntwork-io/terraform-aws-eks` to v0.46.9
  - `gruntwork-io/terraform-aws-openvpn` to v0.18.0
  - `gruntwork-io/helm-kubernetes-services` to v0.2.10
Published: 1/6/2022 | Modules affected: landingzone, mgmt/ecs-deploy-runner, data-stores, base | Release notes
- Updated snapshot retention for Redis to 15 days.
- Updated dependency `gruntwork-io/terraform-aws-security` to v0.57.1 to add support for the `ap-southeast-3` region to the multi-region modules.
Published: 1/6/2022 | Modules affected: services, mgmt, data-stores, networking | Release notes
- Added the ability to configure encryption on the FluentBit CloudWatch Log Group
- Updated various dependencies:
  - `gruntwork-io/terratest` to v0.38.8
  - `gruntwork-io/kubergrunt` to v0.7.11
  - `gruntwork-io/terraform-aws-lambda` to v0.14.3
  - `gruntwork-io/terraform-aws-data-storage` to v0.22.4
  - `gruntwork-io/terraform-aws-eks` to v0.46.8
  - `gruntwork-io/terraform-aws-ecs` to v0.31.8
  - `gruntwork-io/terraform-aws-vpc` to v0.18.6
  - `gruntwork-io/terraform-aws-openvpn` to v0.17.1
  - `hashicorp/terraform-provider-kubernetes` to allow any 2.x version that is not 2.6.0.
Published: 1/4/2022 | Modules affected: services/k8s-service, mgmt, services | Release notes
- Added the ability to configure and manage the CloudWatch Log Group for the ECS service, via the new `create_cloudwatch_log_group`, `cloudwatch_log_group_name`, `cloudwatch_log_group_retention`, and `cloudwatch_log_group_kms_key_id` input variables.
- Updated dependencies:
  - `gruntwork-io/terragrunt` to v0.35.16
  - `gruntwork-io/terraform-aws-ci` to v0.40.0
  - Helm chart `k8s-service` to v0.2.9
Published: 1/4/2022 | Modules affected: data-stores | Release notes
- Added `reader_endpoint` output to the Aurora module.
Published: 1/31/2022 | Modules affected: vpc-app | Release notes
- The creation of the Internet Gateway is now optional. You can have public subnets and still disable the IGW by setting the variable `enable_igw` to `false` (it's `true` by default). This fixes #150.
Published: 1/11/2022 | Modules affected: vpc-app, vpc-peering-cross-accounts-accepter | Release notes
- Configured Patcher for CircleCI.
- Added timeouts to the route table and routes. There are now three variables (shown below) that control timeouts for Route Table creation:
  - `route_table_creation_timeout`
  - `route_table_update_timeout`
  - `route_table_deletion_timeout`