
Gruntwork release 2022-04


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2022-04. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 4/28/2022 | Release notes

Full Changelog:


Published: 4/21/2022 | Release notes

Full Changelog:



Published: 4/21/2022 | Release notes

  • Example server-group/without-load-balancer updated to replace deprecated data source aws_subnet_ids with aws_subnets.


Published: 4/19/2022 | Modules affected: server-group | Release notes

  • Adds compatibility with running on various AWS partitions (e.g. GovCloud and other private partitions)



Published: 4/26/2022 | Modules affected: sign-binary-helpers, infrastructure-deployer | Release notes

  • Introduced new module sign-binary-helpers that can sign executable files for macOS and Windows.
  • Added new option --no-wait to infrastructure-deployer CLI. When passed in, it will instruct the infrastructure-deployer not to wait for the ECS task to finish and immediately exit without error.


Published: 4/22/2022 | Modules affected: infrastructure-deployer | Release notes

  • Fixed regression where the logs from infrastructure-deployer became very chatty after v0.47.7.


Published: 4/22/2022 | Modules affected: infrastructure-deployer | Release notes

  • Updated infrastructure-deployer CLI to retry on intermittent network connectivity errors when looking up the ECS task.


Published: 4/19/2022 | Modules affected: install-jenkins | Release notes

  • Fixed bug where the systemd file was unchanged for Jenkins, so all configurations were overwritten at boot time. Now we create a systemd override file so Jenkins uses the updated config setup at install time.


Published: 4/19/2022 | Modules affected: ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner, iam-policies | Release notes

  • Updated all places where ARNs are hardcoded to be partition-aware


Published: 4/18/2022 | Modules affected: ecs-deploy-runner | Release notes

  • Updated ecs-deploy-runner to support repositories that have Dockerfiles at the root of the repository.


Published: 4/16/2022 | Modules affected: infrastructure-deployer | Release notes

  • Added retry logic in retrieving metadata of ECS tasks.



Published: 4/21/2022 | Modules affected: ecs-deploy-runner-steampipe-standard-configuration, ecs-deploy-runner-with-steampipe-runner, steampipe-runner | Release notes

Initial release of Steampipe Runner for Gruntwork Pipelines. This repo contains modules to configure Gruntwork Pipelines to continuously run Steampipe mod checks against an AWS account. Refer to the READMEs of the various modules for more information.



Published: 4/13/2022 | Modules affected: aurora | Release notes

  • Exposed restore_to_time parameter for point in time restore.



Published: 4/24/2022 | Modules affected: eks-k8s-cluster-autoscaler | Release notes

  • Fixed an issue where the autoscaler priority expander ConfigMap was not rendered properly.


Published: 4/24/2022 | Modules affected: eks-k8s-external-dns | Release notes

  • Exposed advanced external-dns parameters to tweak syncing behavior. These parameters are useful for avoiding the Route 53 API limits. Refer to the new README section for more details.


Published: 4/22/2022 | Modules affected: eks-iam-role-assume-role-policy-for-service-account | Release notes

  • Exposed the condition operator for service account selection as a configurable parameter in eks-iam-role-assume-role-policy-for-service-account.


Published: 4/20/2022 | Modules affected: eks-cluster-control-plane, eks-container-logs, eks-k8s-cluster-autoscaler, eks-k8s-external-dns | Release notes

The default version of Kubernetes installed by the module has been updated to 1.22. As a result, the default versions of the addons were updated to support installation into 1.22. Specifically:

  • cluster-autoscaler: The default app version and chart version have been updated to 1.22.6 and 9.17.0, respectively.
  • aws-load-balancer-controller: The default app version and chart version have been updated to 2.4.1 and 1.4.1, respectively.
  • external-dns: The chart version has been updated to 6.2.4.
  • aws-for-fluent-bit: The chart version has been updated to 0.1.15.


Published: 4/6/2022 | Modules affected: eks-cluster-control-plane, eks-cluster-managed-workers | Release notes

  • If provided, apply IAM permission boundaries to the default Fargate role in eks-cluster-control-plane
  • Add ability to specify IAM permission boundaries to EKS worker role in eks-cluster-managed-workers



Published: 4/28/2022 | Modules affected: lambda | Release notes

  • Updated dynamic block logic to fix perpetual changes shown in plan when using image_uri


Published: 4/14/2022 | Modules affected: lambda | Release notes

  • Adds optional security_group_description input var


Published: 4/8/2022 | Modules affected: lambda-edge, lambda | Release notes

  • Adds compatibility with running on various AWS partitions (e.g. GovCloud and other private partitions)



Published: 4/8/2022 | Modules affected: lb-listener-rules | Release notes

Added the ability to use the OIDC Authentication feature of the AWS Load Balancer, described in Authenticate users using an Application Load Balancer. Because it always needs an action afterwards, the configuration is part of the forward, redirect and fixed_response listener rules.



Published: 4/15/2022 | Modules affected: logs/log-filter-to-slack | Release notes

  • Added new module for configuring a CloudWatch Log Group Subscription Filter that can stream filtered log entries to Slack.


Published: 4/12/2022 | Modules affected: alarms | Release notes

  • Adds low_cpu_credit_balance explicitly for t2 instance classes


Published: 4/8/2022 | Modules affected: alarms, logs | Release notes

  • Updated documentation with timeout examples for long-running tests
  • New Feature: logs and alarms modules are partition aware (Commercial AWS, AWS Gov Cloud, etc)



Published: 4/17/2022 | Modules affected: openvpn-server | Release notes

  • Updated openvpn-server to support running in various AWS partitions (e.g. GovCloud and other private partitions).



Published: 4/26/2022 | Modules affected: github-actions-iam-role | Release notes

  • Exposed the ability to configure the condition operator for GitHub Actions IAM role. This allows you to construct an IAM role that can be assumed by any repo in a particular org.


Published: 4/20/2022 | Modules affected: aws-config-multi-region, aws-config, cloudtrail, cross-account-iam-roles | Release notes

  • The tests in this repository have been updated for more stability.
  • [BACKWARD INCOMPATIBLE] Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are friendlier to compliance checkers and are generally recommended by AWS as a best practice.

Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary downtime of IAM permissions. If you wish to avoid this, you can set the new var.use_managed_iam_policies to false.



Published: 4/24/2022 | Modules affected: mgmt/ecs-deploy-runner, mgmt/jenkins, mgmt/tailscale-subnet-router, mgmt/openvpn-server | Release notes

  • Added the ability to configure tags on the openvpn server module.
  • Exposed variable auto_minor_version_upgrade in aurora module.
  • Updated dependencies:
    • gruntwork-io/terraform-aws-ci: v0.47.2 => v0.47.8
    • gruntwork-io/terraform-aws-asg: v0.17.4 => v0.17.6
    • gruntwork-io/terraform-aws-data-storage: v0.23.1 => v0.23.3
    • gruntwork-io/terraform-aws-load-balancer: v0.28.0 => v0.28.2
    • gruntwork-io/terraform-aws-lambda: v0.18.2 => v0.18.4
    • Default version of helm installed on Jenkins server: v3.8.0 => v3.8.2


Published: 4/21/2022 | Release notes

  • Updated for-production examples to the latest version of the Gruntwork Reference Architecture.


Published: 4/21/2022 | Modules affected: services/lambda, services/eks-core-services | Release notes

  • Exposed output for the CloudWatch Log Group name in lambda service.
  • Exposed the ability to configure the Cluster Autoscaler log verbosity


Published: 4/21/2022 | Modules affected: services/eks-core-services | Release notes

  • Added the ability to optionally create k8s PriorityClass resources in eks-core-services.


Published: 4/19/2022 | Modules affected: services/lambda | Release notes

  • Exposed additional_security_group_ids which can be used to attach additional security groups to the lambda function when using VPC.


Published: 4/13/2022 | Modules affected: data-stores/rds, data-stores/aurora | Release notes

  • Added ability to bind a domain to database endpoints.


Published: 4/11/2022 | Modules affected: mgmt/tailscale-subnet-router, services/k8s-service | Release notes

  • Fixed link to script in documentation.
  • Added the ability to expose multiple container ports in a Kubernetes service.


Published: 4/8/2022 | Modules affected: services/eks-workers | Release notes

  • EKS Workers: Added inline comments for the max pods logic in the user-data script



Published: 4/15/2022 | Modules affected: s3-static-website | Release notes

  • Fixes ACL creation error when enforcing S3 bucket ownership


Published: 4/7/2022 | Modules affected: s3-static-website, s3-cloudfront | Release notes

Changed to add Terraform AWS 4.x provider support:

  • s3-static-website [BACKWARD INCOMPATIBLE]

Version changes only:

  • s3-cloudfront

Changes to support Terraform AWS 4.x provider in the s3-static-website module.

This release updates the s3-static-website module and other modules in this repo (s3-cloudfront and examples) that use s3-static-website.

If not using routing_rules/routing_rule, point your module source to this release (v0.14.0), run terraform init -upgrade, and run terraform apply.

When you run terraform apply there should be no destroyed or recreated resources. You will see newly created resources and sometimes in-place modifications.

If you are using routing_rules:

  • Rename your usage of routing_rules to routing_rule.
  • Convert your JSON to HCL using json2hcl, or manually.
  • Convert the resulting keys from CamelCase to snake_case.
  • See the variable definition for full details.

For example, you are currently passing in a JSON string such as:

    routing_rules = <<EOF
    [{
        "Condition": {
            "KeyPrefixEquals": "docs/"
        },
        "Redirect": {
            "ReplaceKeyPrefixWith": "documents/"
        }
    }]
    EOF

You may be able to use json2hcl to convert this into a map. Then you should also convert the CamelCase to snake_case.

    $ echo '{
        "Condition": {
            "KeyPrefixEquals": "docs/"
        },
        "Redirect": {
            "ReplaceKeyPrefixWith": "documents/"
        }
    }' | json2hcl

    "Condition" = {
      "KeyPrefixEquals" = "docs/"
    }

    "Redirect" = {
      "ReplaceKeyPrefixWith" = "documents/"
    }


    routing_rule = {
      condition = {
        key_prefix_equals = "docs/"
      }
      redirect = {
        replace_key_prefix_with = "documents/"
      }
    }

Please note: The AWS provider only supports one (1) rule in the routing_rule.
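The conversion steps above can also be scripted. The following is an added example, not part of the Gruntwork release notes or module code: it parses a 3.x-style routing_rules JSON string, refuses anything other than exactly one rule (per the note above), renames keys to snake_case, and emits the routing_rule map. The function names and the sample input are assumptions made for illustration.

```python
import json
import re

# Constructed sample input: the 3.x-style JSON string from the example above.
SAMPLE_ROUTING_RULES = """
[{
    "Condition": {"KeyPrefixEquals": "docs/"},
    "Redirect": {"ReplaceKeyPrefixWith": "documents/"}
}]
"""

def to_snake_case(name):
    """CamelCase -> snake_case, e.g. ReplaceKeyPrefixWith -> replace_key_prefix_with."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()

def convert_keys(value):
    """Recursively rename dictionary keys; values are left untouched."""
    if isinstance(value, dict):
        return {to_snake_case(k): convert_keys(v) for k, v in value.items()}
    return value

def load_single_rule(routing_rules_json):
    """Parse the old JSON and enforce the one-rule limit before converting."""
    rules = json.loads(routing_rules_json)
    if isinstance(rules, dict):  # a bare object, as piped to json2hcl above
        rules = [rules]
    if len(rules) != 1:
        raise ValueError(f"routing_rule takes exactly one rule, got {len(rules)}")
    return convert_keys(rules[0])

def hcl_string(value):
    """Quote a scalar and escape HCL template sequences (${ and %{)."""
    return json.dumps(value).replace("${", "$${").replace("%{", "%%{")

def to_hcl(name, mapping, indent=0):
    """Render a nested dict as HCL map assignment lines."""
    pad = "  " * indent
    lines = [f"{pad}{name} = {{"]
    for key, val in mapping.items():
        if isinstance(val, dict):
            lines.extend(to_hcl(key, val, indent + 1))
        else:
            lines.append(f"{pad}  {key} = {hcl_string(val)}")
    lines.append(f"{pad}}}")
    return lines

def migrate(routing_rules_json):
    """Return the routing_rule map as HCL text for the module input."""
    return "\n".join(to_hcl("routing_rule", load_single_rule(routing_rules_json)))

if __name__ == "__main__":
    print(migrate(SAMPLE_ROUTING_RULES))
```

Check the emitted keys against the module's variable definition before applying, since the script only renames keys and does not validate them.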

Alas we had no choice but to drop support for the AWS Provider 3.x style of routing_rules for an S3 bucket's website configuration. The AWS Provider 4.x style is called routing_rule and has a different format. Previously you could pass in a JSON string which would get interpreted by the provider. Now, you must pass in a map to this s3-static-website module, which will appropriately funnel values from that map into the block format expected by the provider. See the variable definition for more.

If you are not using routing rules, you have no backward incompatibilities with this upgrade. In this case, it is a functionally backward compatible upgrade, verified with partially automated upgrade testing. Upgrade testing was done to ensure that running init/plan/apply on pre-existing resources created by s3-static-website will not run into issues when you upgrade to this version of the module.

  • Besides routing_rules, no other configuration changes are needed for users of s3-static-website module. We handled the remaining provider upgrade changes within the module itself, so that your module configuration can remain the same.
  • We have verified there is no need to run terraform import as suggested in the HashiCorp upgrade guide.
  • However, you do need to bump the provider when upgrading. Read on.

Modules calling s3-static-website and s3-cloudfront have to bump the provider to at least 3.75.0 (>= 3.75.0). You will need to rerun apply to add the new S3 bucket resources created by the AWS 4.x provider. Note that because s3-static-website and s3-cloudfront now require a minimum AWS provider version of 3.75.0, you will need to run terraform init with -upgrade to pull the new provider version. See HashiCorp's guide on upgrading providers for more details.



Published: 4/17/2022 | Modules affected: vpc-app | Release notes

  • Allows setting custom tags on all kinds of route tables (public, private and private persistence).