Gruntwork release 2022-05

This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2022-05. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:



Published: 5/17/2022 | Release notes

Fix a bug in the gruntwork wizard command where declining the AWS account grants wizard would lead to a nil pointer dereference.


Published: 5/13/2022 | Release notes

Update the gruntwork wizard command to reuse as many questions as possible. Specifically, the wizard will now:

  • Only ask for the region once.
  • Only ask for the VCS platform once.
  • Only ask for the repo name instead of the URL.
  • Allow the user to abort before the grant operation, and then reuse the account information to resume granting.


Published: 5/13/2022 | Release notes

Update the gruntwork wizard experience with improved interactivity, better explanations for variables, and many miscellaneous bug fixes to improve the process of using the wizard to prepare for a Reference Architecture deployment.


Published: 5/10/2022 | Release notes

Fix bug where the IAM policy for granting Gruntwork access was malformed JSON.


Published: 5/10/2022 | Release notes

This release updates the boilerplate references for the special branch we're using for the updated Gruntwork wizard experience.


Published: 5/9/2022 | Release notes

This release fixed the following bugs in the form filling process:

  • Broken reference field for VCSPATSecretsManagerARN
  • Account IDs were being interpreted as numbers, failing validation checks.
  • UsingCISCompliance was being rendered incorrectly in the form.


Published: 5/9/2022 | Release notes

This release adds a new command, gruntwork form fill, which can assist you in filling in your reference-architecture-form.yml when preparing for a Reference Architecture deployment. The same functionality has also been added to the gruntwork wizard experience, as an optional step to complete when preparing for a deployment.


Published: 5/3/2022 | Release notes

Gruntwork is now handling Reference Architecture deploys from Gruntwork Pipelines internally. This means that we are now transitioning to an IAM role being the one assuming the Gruntwork admin role rather than users, and thus it will not be possible to guard the IAM role with MFA.

Note that IAM users in the Gruntwork AWS Account are required to have MFA to assume roles.



Published: 5/23/2022 | Release notes



Published: 5/26/2022 | Release notes

Minor update, all related to testing module upgrades to make our builds more stable across Gruntwork's IaC library.

  • Remove dead code from upgrade test.
  • Update PR Template
  • Make upgrade module testing function public.


Published: 5/24/2022 | Modules affected: ec2-backup, ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner, iam-policies | Release notes

  • Remove dep tests and config. This just removes some old tests that are no longer needed.
  • Unlock AWS provider v4. Require minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.


Published: 5/17/2022 | Modules affected: infrastructure-deployer | Release notes

  • Moved --no-wait check to before waiting for ECS task to start. Now when you pass in --no-wait, the infrastructure-deployer will immediately exit after invoking the lambda function.
  • Updated examples to be compatible with AWS Provider v4.


Published: 5/3/2022 | Modules affected: sign-binary-helpers, ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes

  • Updated sign-binary utility to pass sensitive files through stdin.
  • Updated the docker-image-builder component of ECS Deploy Runner to support assuming IAM roles for cross account docker image builds.



Published: 5/9/2022 | Modules affected: steampipe-runner | Release notes

Updated the default version of Steampipe that is installed in the steampipe-runner container to v0.13.6.



Published: 5/10/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-root, landingzone/account-baseline-security, networking/vpc | Release notes

  • Updated vpc, vpc-mgmt modules to support tagging of route tables.
    • If you'd like to configure tagging, set public_route_table_custom_tags, private_app_route_table_custom_tags, and private_persistence_route_table_custom_tags.
  • These dependencies were updated:
    • terraform-aws-service-catalog v0.85.2 => v0.86.1.
      • v0.86.0 requires minimum AWS provider version 3.75.0 for several modules.
    • terraform-aws-vpc v0.20.4 => v0.21.1.
      • v0.21.0 requires minimum AWS provider version 3.75.0 for vpc-flow-logs.
    • terraform-aws-monitoring to v0.33.3.
      • v0.33.0 requires minimum AWS provider version 3.75.0 for logs/load-balancer-access-logs.
    • terraform-aws-security to v0.64.1.
      • v0.64.0 introduces managed IAM policies.
      • v0.63.0 requires minimum AWS provider version 3.75.0 for several modules.
  • Exposed backward compatibility flags in LZ modules.



Published: 5/13/2022 | Modules affected: lambda-share-snapshot | Release notes

  • Updated ARNs to be partition-aware
  • Updated examples to use aws_subnets over aws_subnet_ids



Published: 5/23/2022 | Modules affected: ecs-cluster | Release notes

  • Added the ability to configure http_put_response_hop_limit on the metadata configuration.


Published: 5/19/2022 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-deploy-check-binaries, ecs-service | Release notes

  • Support for python2.7 has been dropped from the modules where python was being used. You must have python3.5 or greater installed on the operator machine (where terraform is being called), and the python3 executable must be available on your PATH.



Published: 5/19/2022 | Modules affected: eks-aws-auth-merger | Release notes

  • Updated package dependencies of eks-aws-auth-merger.



Published: 5/23/2022 | Modules affected: lambda-http-api-gateway, run-lambda-entrypoint, api-gateway-proxy | Release notes

  • Added a new module (lambda-http-api-gateway) for configuring an AWS HTTP (V2) API Gateway hooked up to different Lambda functions. Unlike api-gateway-proxy, this allows you to configure various HTTP requests to invoke different lambda functions (e.g., GET request on /hello can invoke the foo lambda function, while POST request on /hello can invoke the bar lambda function). Refer to the module documentation for more information.
  • Added a new module (run-lambda-entrypoint) that can be used as an entrypoint for container image based Lambda function to expose AWS Secrets Manager secrets as environment variables to the Lambda function. This is useful if you don't want to leak the Secrets Manager entries into the Lambda function metadata which most traditional integrations will do as they rely on standard Lambda settings like Environment Variables. Refer to the module documentation for more information.



Published: 5/31/2022 | Modules affected: msk | Release notes

  • New msk module for managing Amazon Managed Streaming for Apache Kafka (Amazon MSK)
  • Fix typo in documentation
  • Update versions of tools in circleci
  • Update PR Template



Published: 5/24/2022 | Modules affected: openvpn-server | Release notes

  • Added a comment indicating that OpenVPN works with both imdsv1 and imdsv2
  • Unlock AWS provider v4. Require minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.



Published: 5/25/2022 | Modules affected: aws-config-multi-region, aws-config, cloudtrail, cross-account-iam-roles | Release notes

  • Updated modules that create IAM roles to expose the ability to set permission boundaries.


Published: 5/23/2022 | Modules affected: private-s3-bucket | Release notes

  • Ignore changes to various S3 configuration: A bug was introduced in our v0.63.0 release of this repo. When upgrading the private-s3-bucket module, a race condition in the plan could leave your S3 bucket in a state where configurations were actually removed. The plan would show in-place updates, but depending on execution order and completion of the AWS API calls, the update to remove the configuration could happen last, thereby removing the configuration on the bucket. While not ideal, you could work around this issue by running apply a second time, picking up the discrepancy and adding the configurations back to the bucket, but this update makes it so you don't have to run apply a second time. When upgrading your modules, including making them AWS Provider v4 compatible, we recommend using this v0.65.1 version. See the PR and associated issue for more details.


Published: 5/20/2022 | Modules affected: aws-config-bucket, aws-config-multi-region, aws-config-rules, aws-config | Release notes

The modules list above makes it look like a scary update; however, this should be a no-op upgrade for you. Details below!



Published: 5/19/2022 | Modules affected: ec2-backup, single-server | Release notes

  • Exposed the ability to configure permissions_boundary on each of the IAM roles created by the modules.


Published: 5/13/2022 | Modules affected: attach-eni | Release notes

  • Fixes default route conflict when attaching multiple ENIs on Ubuntu



Published: 5/31/2022 | Modules affected: data-stores | Release notes

  • Check in simplified pull request template
  • Ignore .github folder in pre-commit checks
  • Pass variables through for s3 object lock


Published: 5/23/2022 | Modules affected: services/ecs-service, data-stores/rds | Release notes

  • Added documentation of lb_listener authenticate_oidc options
  • Support enhanced monitoring in the rds module in service catalog


Published: 5/18/2022 | Modules affected: mgmt/tailscale-subnet-router | Release notes

  • Updated Tailscale Subnet Router to not accept DNS. Tailscale recommends having AWS handle DNS configurations on EC2.


Published: 5/13/2022 | Modules affected: services/eks-cluster, services/eks-workers, services/eks-core-services, services/k8s-service | Release notes

  • Added support for Kubernetes 1.22.
  • Fixed bug in multi region provider configuration which led to extended periods of hanging. We recommend reviewing the and terragrunt.hcl in our examples to get the latest version which sets the skip_get_ec2_platforms = false for opted out regions.
  • Update examples to reflect latest best practices.


Published: 5/4/2022 | Modules affected: networking/route53 | Release notes

  • Added ability to create multiple subdomain records of different types for public zones in the route53 module.


Published: 5/3/2022 | Modules affected: networking/vpc | Release notes

  • Exposed route table tagging variables in vpc module.


Published: 5/3/2022 | Modules affected: networking/vpc, networking/vpc-mgmt, networking/alb, networking/sns-topics | Release notes

  • Exposed underlying lb_target_group_tags input in ecs-service module.
  • Updated various dependencies:
    • terraform-aws-vpc to v0.21.1
    • terraform-aws-ci to v0.47.10
    • terraform-aws-security to v0.64.1
    • terraform-aws-openvpn to v0.23.1
    • terraform-aws-monitoring to v0.33.3
    • terraform-aws-static-assets to v0.14.1
  • Updated examples to use aws_subnets data source over the deprecated aws_subnet_ids data source.


Published: 5/3/2022 | Modules affected: mgmt/tailscale-subnet-router | Release notes

  • Updated tailscale packer template to support configuring the tailscale version.
  • Updated core testing libraries (no impact on modules).



Published: 5/24/2022 | Modules affected: s3-cloudfront, s3-static-website | Release notes

  • Unlock AWS provider v4. Require minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.
  • Update to remove some upgrade test settings particular to testing the provider lock removal, which no longer apply going forward.



Published: 5/6/2022 | Modules affected: executable-dependency, operating-system, prepare-pex-environment, require-executable | Release notes

Support for python2 has been dropped. All modules that depend on python now require python 3, and call out to python3 directly. Most users should not be impacted by this change, as almost all operating systems ship with python3 now.