Gruntwork release 2022-04
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2022-04. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 4/28/2022 | Release notes
Published: 4/21/2022 | Release notes
Published: 4/21/2022 | Release notes
- Example `server-group/without-load-balancer` updated to replace deprecated data source `aws_subnet_ids` with `aws_subnets`.
Published: 4/19/2022 | Modules affected: server-group | Release notes
- Adds compatibility with running on various AWS partitions (e.g. GovCloud and other private partitions)
Published: 4/26/2022 | Modules affected: sign-binary-helpers, infrastructure-deployer | Release notes
- Introduced new module `sign-binary-helpers` that can sign executable files for MacOS and Windows.
- Added new option `--no-wait` to the `infrastructure-deployer` CLI. When passed in, it will instruct the `infrastructure-deployer` not to wait for the ECS task to finish and immediately exit without error.
Published: 4/22/2022 | Modules affected: infrastructure-deployer | Release notes
- Fixed regression where the logs from `infrastructure-deployer` became very chatty after v0.47.7.
Published: 4/22/2022 | Modules affected: infrastructure-deployer | Release notes
- Updated the `infrastructure-deployer` CLI with retry logic to handle intermittent network connectivity errors when looking up the ECS task.
Published: 4/19/2022 | Modules affected: install-jenkins | Release notes
- Fixed bug where the systemd file was unchanged for Jenkins, so all configurations were overwritten at boot time. Now we create a `systemd` override file so Jenkins uses the updated config setup at install time.
Published: 4/19/2022 | Modules affected: ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner, iam-policies | Release notes
- Updated all places where ARNs are hardcoded to be partition-aware
Published: 4/18/2022 | Modules affected: ecs-deploy-runner | Release notes
- Updated `ecs-deploy-runner` to support repositories that have Dockerfiles at the root of the repository.
Published: 4/16/2022 | Modules affected: infrastructure-deployer | Release notes
- Added retry logic in retrieving metadata of ECS tasks.
Published: 4/21/2022 | Modules affected: ecs-deploy-runner-steampipe-standard-configuration, ecs-deploy-runner-with-steampipe-runner, steampipe-runner | Release notes
Initial release of Steampipe Runner for Gruntwork Pipelines. This repo contains modules to configure Gruntwork Pipelines to continuously run Steampipe mod checks against an AWS account. Refer to the READMEs of the various modules for more information.
Published: 4/13/2022 | Modules affected: aurora | Release notes
- Exposed `restore_to_time` parameter for point-in-time restore.
Published: 4/24/2022 | Modules affected: eks-k8s-cluster-autoscaler | Release notes
- Fix issue with the autoscaler priority expander `ConfigMap` not being rendered properly.
Published: 4/24/2022 | Modules affected: eks-k8s-external-dns | Release notes
- Exposed advanced `external-dns` parameters to tweak syncing behavior. These parameters are useful for avoiding the Route 53 API limits. Refer to the new README section for more details.
Published: 4/22/2022 | Modules affected: eks-iam-role-assume-role-policy-for-service-account | Release notes
- Exposed the condition operator for service account selection as a configurable parameter in `eks-iam-role-assume-role-policy-for-service-account`.
Published: 4/20/2022 | Modules affected: eks-cluster-control-plane, eks-container-logs, eks-k8s-cluster-autoscaler, eks-k8s-external-dns | Release notes
The default version of Kubernetes installed by the module has been updated to 1.22. As a result, the default versions of the addons were updated to support installation into 1.22. Specifically:
- `cluster-autoscaler`: The default app version and chart version have been updated to 1.22.6 and 9.17.0.
- `aws-load-balancer-controller`: The default app version and chart version have been updated to 2.4.1 and 1.4.1.
- `external-dns`: The chart version has been updated to 6.2.4.
- `aws-for-fluent-bit`: The chart version has been updated to 0.1.15.
Published: 4/6/2022 | Modules affected: eks-cluster-control-plane, eks-cluster-managed-workers | Release notes
- If provided, apply IAM permission boundaries to the default Fargate role in `eks-cluster-control-plane`.
- Add ability to specify IAM permission boundaries for the EKS worker role in `eks-cluster-managed-workers`.
Published: 4/28/2022 | Modules affected: lambda | Release notes
- Updated dynamic block logic to fix perpetual changes shown in plan when using `image_uri`.
Published: 4/14/2022 | Modules affected: lambda | Release notes
- Adds optional `security_group_description` input var.
Published: 4/8/2022 | Modules affected: lambda-edge, lambda | Release notes
- Adds compatibility with running on various AWS partitions (e.g. GovCloud and other private partitions)
Published: 4/8/2022 | Modules affected: lb-listener-rules | Release notes
Added the ability to use the OIDC Authentication feature of the AWS Load Balancer, described in Authenticate users using an Application Load Balancer. Because it always needs an action afterwards, the configuration is part of the `forward`, `redirect` and `fixed_response` listener rules.
Published: 4/15/2022 | Modules affected: logs/log-filter-to-slack | Release notes
- Added new module for configuring a CloudWatch Log Group Subscription Filter that can stream filtered log entries to Slack.
Published: 4/12/2022 | Modules affected: alarms | Release notes
- Adds low_cpu_credit_balance explicitly for t2 instance classes
Published: 4/8/2022 | Modules affected: alarms, logs | Release notes
- Updated documentation with timeout examples for long-running tests
- New Feature: `logs` and `alarms` modules are partition aware (Commercial AWS, AWS GovCloud, etc).
Published: 4/17/2022 | Modules affected: openvpn-server | Release notes
- Updated `openvpn-server` to support running in various AWS partitions (e.g. GovCloud and other private partitions).
Published: 4/26/2022 | Modules affected: github-actions-iam-role | Release notes
- Exposed the ability to configure the condition operator for GitHub Actions IAM role. This allows you to construct an IAM role that can be assumed by any repo in a particular org.
Published: 4/20/2022 | Modules affected: aws-config-multi-region, aws-config, cloudtrail, cross-account-iam-roles | Release notes
- The tests in this repository have been updated for more stability.
- [BACKWARD INCOMPATIBLE] Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary downtime of IAM permissions. If you wish to avoid this, you can set the new `var.use_managed_iam_policies` to `false`.
Published: 4/24/2022 | Modules affected: mgmt/ecs-deploy-runner, mgmt/jenkins, mgmt/tailscale-subnet-router, mgmt/openvpn-server | Release notes
- Added the ability to configure tags on the openvpn server module.
- Exposed variable `auto_minor_version_upgrade` in `aurora` module.
- Updated dependencies:
  - `gruntwork-io/terraform-aws-ci`: v0.47.2 => v0.47.8
  - `gruntwork-io/terraform-aws-asg`: v0.17.4 => v0.17.6
  - `gruntwork-io/terraform-aws-data-storage`: v0.23.1 => v0.23.3
  - `gruntwork-io/terraform-aws-load-balancer`: v0.28.0 => v0.28.2
  - `gruntwork-io/terraform-aws-lambda`: v0.18.2 => v0.18.4
- Default version of `helm` installed on Jenkins server: v3.8.0 => v3.8.2
Published: 4/21/2022 | Release notes
- Updated `for-production` examples to the latest version of the Gruntwork Reference Architecture.
Published: 4/21/2022 | Modules affected: services/lambda, services/eks-core-services | Release notes
- Exposed output for the CloudWatch Log Group name in lambda service.
- Exposed the ability to configure the Cluster Autoscaler log verbosity
Published: 4/21/2022 | Modules affected: services/eks-core-services | Release notes
- Added the ability to optionally create k8s `PriorityClass` resources in `eks-core-services`.
Published: 4/19/2022 | Modules affected: services/lambda | Release notes
- Exposed `additional_security_group_ids`, which can be used to attach additional security groups to the lambda function when using VPC.
Published: 4/13/2022 | Modules affected: data-stores/rds, data-stores/aurora | Release notes
- Added ability to bind a domain to database endpoints.
Published: 4/11/2022 | Modules affected: mgmt/tailscale-subnet-router, services/k8s-service | Release notes
- Fixed link to `install-tailscale.sh` script in documentation.
- Added the ability to expose multiple container ports in a Kubernetes service.
Published: 4/8/2022 | Modules affected: services/eks-workers | Release notes
- EKS Workers: Added inline comments for the max pods logic in the user-data script
Published: 4/15/2022 | Modules affected: s3-static-website | Release notes
- Fixes ACL creation error when enforcing S3 bucket ownership
Published: 4/7/2022 | Modules affected: s3-static-website, s3-cloudfront | Release notes
Changed to add Terraform AWS 4.x provider support:
`s3-static-website` [BACKWARD INCOMPATIBLE]
Version changes only:
Changes to support the Terraform AWS 4.x provider in the `s3-static-website` module.
This release updates the `s3-static-website` module and other modules in this repo (`s3-cloudfront` and examples) that use `s3-static-website`.
If not using `routing_rules`/`routing_rule`, point your module source to this release (`v0.14.0`), run `terraform init -upgrade`, and run `terraform apply`.
When you run `terraform apply` there should be no destroyed or recreated resources. You will see newly created resources and sometimes in-place modifications.
- Rename your usage of `routing_rules` to `routing_rule`.
- Convert your JSON to HCL using json2hcl, or manually.
- Convert the resulting keys from CamelCase to snake_case.
- See the variable definition for full details.
For example, you are currently passing in a JSON string such as:
```hcl
routing_rules = <<EOF
[{
  "Condition": {
    "KeyPrefixEquals": "docs/"
  },
  "Redirect": {
    "ReplaceKeyPrefixWith": "documents/"
  }
}]
EOF
```
You may be able to use json2hcl to convert this into a map. Then you should also convert the CamelCase to snake_case.
```
$ echo '{
  "Condition": {
    "KeyPrefixEquals": "docs/"
  },
  "Redirect": {
    "ReplaceKeyPrefixWith": "documents/"
  }
}' | json2hcl
"Condition" = {
  "KeyPrefixEquals" = "docs/"
}
"Redirect" = {
  "ReplaceKeyPrefixWith" = "documents/"
}
```
Finally:
```hcl
routing_rule = {
  condition = {
    key_prefix_equals = "docs/"
  }
  redirect = {
    replace_key_prefix_with = "documents/"
  }
}
```
Please note: The AWS provider only supports one (1) rule in the `routing_rule`.
Alas, we had no choice but to drop support for the AWS Provider 3.x style of `routing_rules` for an S3 bucket's website configuration. The AWS Provider 4.x style is called `routing_rule` and has a different format. Previously you could pass in a JSON string which would get interpreted by the provider. Now, you must pass in a map to this `s3-static-website` module, which will appropriately funnel values from that map into the block format expected by the provider. See the variable definition for more.
If you are not using routing rules, you have no backward incompatibilities with this upgrade. In this case, it is a functionally backward compatible upgrade, verified with partially automated upgrade testing. Upgrade testing was done to ensure that running init/plan/apply on pre-existing resources created by `s3-static-website` will not run into issues when you upgrade to this version of the module.
- Besides `routing_rules`, no other configuration changes are needed for users of the `s3-static-website` module. We handled the remaining provider upgrade changes within the module itself, so that your module configuration can remain the same.
- We have verified there is no need to run `terraform import` as suggested in the Hashicorp upgrade guide.
- However, you do need to bump the provider when upgrading. Read on.
Modules calling `s3-static-website` and `s3-cloudfront` have to bump the provider to at least 3.75.0 (`>= 3.75.0`). You will need to rerun `apply` to add the new S3 bucket resources created by the AWS 4.x provider. Note that because `s3-static-website` and `s3-cloudfront` now require a minimum AWS provider version of `3.75.0`, you will need to run `terraform init` with `-upgrade` to pull the new provider version. See HashiCorp's guide on upgrading providers for more details.
Published: 4/17/2022 | Modules affected: vpc-app | Release notes
- Allow a customer to set custom tags on all kinds of route tables (public, private and private persistence).