Gruntwork release 2022-06
Guides / Update Guides / Releases / 2022-06
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2022-06. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 6/8/2022 | Release notes
Published: 6/2/2022 | Release notes
This is a backward incompatible releaese
Starting this release, the following repos are no longer being copied. All of these repos were put on hold as of February 2022 and are no longer being maintained by Gruntwork.
If you wish to include any of these repos, please fork and build a new version of the repo-copier with the repos you need uncommented.
gruntwork-io/terraform-aws-influx
gruntwork-io/terraform-aws-zookeeper
gruntwork-io/terraform-aws-kafka
gruntwork-io/terraform-aws-elk
gruntwork-io/infrastructure-live-acme
gruntwork-io/infrastructure-modules-acme
gruntwork-io/sample-app-frontend-acme
gruntwork-io/cis-infrastructure-modules-acme
gruntwork-io/cis-infrastructure-live-acme
gruntwork-io/sample-app-backend-acme
gruntwork-io/infrastructure-modules-multi-account-acme
gruntwork-io/infrastructure-live-multi-account-acme
gruntwork-io/sample-app-backend-multi-account-acme
gruntwork-io/sample-app-frontend-multi-account-acme
gruntwork-io/terraform-aws-sam
gruntwork-io/terraform-aws-couchbase
gruntwork-io/terraform-helm-gke-exts
gruntwork-io/terraform-google-static-assets
gruntwork-io/terraform-google-load-balancer
gruntwork-io/terraform-google-influx
gruntwork-io/terraform-google-sql
gruntwork-io/terraform-google-security
gruntwork-io/terraform-google-ci
gruntwork-io/terraform-google-gke
gruntwork-io/terraform-google-network
hashicorp/terraform-aws-vault
hashicorp/terraform-aws-consul
hashicorp/terraform-aws-nomad
hashicorp/terraform-google-vault
hashicorp/terraform-google-consul
hashicorp/terraform-google-nomad
https://github.com/gruntwork-io/repo-copier/pull/118
Published: 6/21/2022 | Modules affected: asg-instance-refresh, asg-rolling-deploy, server-group | Release notes
- Unlock AWS provider v4. Require minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.
Published: 6/13/2022 | Modules affected: asg-rolling-deploy | Release notes
- Added
max_instance_lifetime
var to asg-rolling-deploy
module
Published: 6/6/2022 | Modules affected: asg-rolling-deploy, server-group | Release notes
- Updated examples to be compatible with
terraform-provider-aws
v4.
- Updated tests to include additional cases and OSes.
- Support for python2 has been dropped. All modules that depend on python now require python 3, and calls out to
python3
directly. Most users should not be impacted by this change, as almost all operating systems ship with python3
now.
Published: 6/27/2022 | Modules affected: ecs-deploy-runner, infrastructure-deployer | Release notes
- Updated the Fargate platform version to default to
1.4.0
instead of 1.3.0
.
- Fixed bug where very short ECS tasks oftentimes end up with no streaming logs despite the logs showing up in CloudWatch. We have identified this to be a race condition between retrieving log events and the first logs to show up from the ECS task. This is addressed by adding a short delay between the ECS task starting, and the
infrastructure-deployer
CLI reading log events.
Published: 6/9/2022 | Modules affected: ecs-deploy-runner-standard-configuration, infrastructure-deploy-script | Release notes
- Added the ability to
ecs-deploy-runner
to init and update submodules in the infra live repo.
Published: 6/6/2022 | Modules affected: jenkins-server | Release notes
- Updated dependency
terraform-aws-asg
from v0.13.0
to v0.18.0
in jenkins-server
module.
Published: 6/6/2022 | Modules affected: test/upgrades | Release notes
- Updated upgrade testing framework to run
apply -refresh-only
to avoid terraform output changes causing resource counting to fail.
Published: 6/3/2022 | Modules affected: test/upgrades | Release notes
- Made the repo name configurable in upgrade testing framework.
Published: 6/1/2022 | Modules affected: ecs-deploy-runner, infrastructure-deploy-script | Release notes
- Added a new go package for upgrade tests.
- Added the ability to install multiple terraform versions into the
deploy-runner
docker container by using the build arg additional_terraform_versions
. Example: --build-arg additional_terraform_versions=0.12.31,0.15.1
- Fixed bug where SSH key without trailing
\n
was being rejected by ssh-add
when attempting to load into the deploy runner.
Published: 6/30/2022 | Modules affected: steampipe-runner, ecs-deploy-runner-with-steampipe-runner | Release notes
steampipe-runner
[BACKWARD INCOMPATIBLE]
ecs-deploy-runner-with-steampipe-runner
[BACKWARD INCOMPATIBLE]
Updated the following dependencies:
terraform-aws-ci
: v0.41.0
=> v0.50.0
terraform-aws-service-catalog
: v0.85.0
=> v0.92.0
terraform-aws-security
: v0.62.3
=> v0.65.6
steampipe
: v0.13.6
=> v0.15.0
This release updates the default version of steampipe
that is installed into the docker container. If you wish to keep the old version of steampipe
for stability reasons, you can pass in the arg --build-arg steampipe_version=v0.13.6
when building the docker container.
This release is functionally equivalent and backward compatible with the previous release, but we are marking this as backward incompatible out of caution due to the platform version change in ECS for the ECS Deploy Runner. We recommend rebuilding containers and updating theinfrastructure-deployer
tool to terraform-aws-ci
version v0.50.0
when rolling out the update.
Published: 6/30/2022 | Modules affected: landingzone/account-baseline-root, landingzone/account-baseline-security, landingzone/account-baseline-app, observability/cloudtrail | Release notes
- Fixed bug where CloudWatch could not access the SNS Topic for the log metric filters when they are encrypted with KMS.
Published: 6/30/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-security, security/aws-securityhub | Release notes
- Added a new option
enable_cis_check
(security_hub_enable_cis_check
in landingzone
modules) which can be used to disable the CIS standards check in AWS SecurityHub. These are enabled by default to preserve current behavior. DIsabling them is useful if you are using another tool to run the checks, such as Steampipe.
Published: 6/28/2022 | Modules affected: security/cleanup-expired-certs, networking/vpc-app-network-acls, networking/vpc-mgmt-network-acls, observability/cloudwatch-logs-metric-filters | Release notes
- Updated dependencies:
terraform-aws-lambda
: v0.16.0
=> v0.19.3
terraform-aws-vpc
: v0.21.1
=> v0.22.1
terraform-aws-monitoring
: v0.33.3
=> v0.34.1
terraform-aws-security
: v0.64.1
=> v0.65.6
terraform-aws-service-catalog
: v0.86.1
=> v0.90.7
- Updated examples and test dependencies:
terraform-aws-utilities
: v0.6.0
=> v0.9.0
terraform
: 1.1.4
=> 1.2.3
terragrunt
: v0.36.0
=> v0.38.1
- Various go dependencies.
NOTE: Many dependencies were updated across backward incompatible versions, but all the backward incompatibilities have been confirmed not to affect the modules in this repo.
Published: 6/17/2022 | Modules affected: backup-vault, backup-plan, rds | Release notes
- Updated
backup-plan
to attach S3 backup and restore policies to the Vault.
- Added the ability to specify custom access policies for the Backup Vault. This is useful for configuring cross account access.
Published: 6/13/2022 | Modules affected: ecs-service | Release notes
- Added variable
listener_rule_ids
to make sure that external listeners are created before ECS service
Published: 6/27/2022 | Modules affected: eks-cluster-workers, eks-cloudwatch-agent | Release notes
- Added the ability to restrict IMDS on self managed workers. Additionally, the launch template is now updated to restrict the service to require tokens by default (IMDS v2).
Published: 6/17/2022 | Modules affected: eks-cluster-control-plane | Release notes
- Added better support for Windows to the
local-exec
calls in the eks-cluster-control-plane
module.
Published: 6/7/2022 | Modules affected: eks-cluster-managed-workers | Release notes
- Added the ability to mirror the tags applied to Managed Node Groups to the underlying ASGs. Note that this feature depends on an assumption that there is only one ASG per MNG to work around an issue with Terraform
for_each
and count
. If your environment has more than one ASG mapped to the MNG, then it is recommended to call the aws_autoscaling_group_tag
resource outside the eks-cluster-managed-workers
module.
Published: 6/16/2022 | Modules affected: run-lambda-entrypoint | Release notes
- Updated
run-lambda-entrypoint
to support wrapping the entrypoint call in the Runtime Interface Emulator for local testing. Note that you only need to use this feature if you are using a distroless container image for the Lambda function.
Published: 6/10/2022 | Modules affected: lambda | Release notes
Published: 6/1/2022 | Modules affected: run-lambda-entrypoint | Release notes
Updated release pipeline to build and publish run-lambda-entrypoint
.
Published: 6/27/2022 | Modules affected: alb | Release notes
- Added support for attaching additional secondary certificates to the ALB listeners.
Published: 6/21/2022 | Modules affected: logs/log-filter-to-slack | Release notes
Published: 6/20/2022 | Modules affected: alarms, logs, metrics | Release notes
- Small fix for
TestRdsAlarms
test.
- Unlock AWS provider v4. Require minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.
Published: 6/14/2022 | Modules affected: logs/load-balancer-access-logs | Release notes
- Updated dependency
terraform-aws-security
from v0.65.2
to v0.65.5
.
- Exposed the ability to hook to the access logs S3 Bucket being fully configured in the
logs/load-balancer-access-logs
module. This is useful for ensuring the S3 Bucket configuration is set up to support linking to AWS ELB.
Published: 6/1/2022 | Modules affected: logs | Release notes
- Data source update: use aws_subnets over aws_subnet_ids
- Update terraform-aws-security/private-s3-bucket to v0.65.2
Published: 6/2/2022 | Modules affected: openvpn-server | Release notes
- Bump target terraform to 1.2
- Allow specifying a prefix for the openvpn server backup bucket server logs
Published: 6/15/2022 | Modules affected: kms-cmk-replica, private-s3-bucket | Release notes
- Removed hard-coded AWS Partitions from ARNs. Now the partition is dynamically computed based on the configured provider.
Published: 6/14/2022 | Modules affected: private-s3-bucket | Release notes
- Add option to enable delete_marker_replication in the replication config
Published: 6/8/2022 | Modules affected: private-s3-bucket | Release notes
- Added a new output to
private-s3-bucket
that can be used to chain resources to the bucket being fully configured without using module depends_on
(which has quirks that can lead to perpetual diffs). The primary use case would be when you are configuring an object upload in the same module that is creating the bucket, you would want to make sure all the configuration options are set on the bucket before uploading the first object.
Published: 6/6/2022 | Modules affected: aws-config, cloudtrail, cross-account-iam-roles, private-s3-bucket | Release notes
- Added
.
to all permissions boundary variable descriptions
- Addressed deprecation warning for
object_lock_configuration
on private s3 bucket.
- Added
object_lock_configuration
to the lifecycle ignore_changes
to avoid perpetual diff.
Published: 6/27/2022 | Modules affected: single-server | Release notes
- Added
host_id
var to aws_instance
resource that will allow it to be created on a dedicated EC2 host.
Published: 6/22/2022 | Modules affected: single-server | Release notes
- Feature: add
get_password_data
parameter
Published: 6/30/2022 | Modules affected: base/ec2-baseline, services/ec2-instance, services/k8s-service, mgmt/bastion-host | Release notes
- Added support for deploying
k8s-service
in headless mode.
- Updated
default
user-data scripts to prefix the filename with _
so that it is run first.
Published: 6/29/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-security | Release notes
- Added support for making GuardDuty optional in
account-baseline
modules via the enable_guardduty
variable. This is useful when setting up org level GuardDuty access.
Published: 6/29/2022 | Modules affected: mgmt/ecs-deploy-runner, base/ec2-baseline, mgmt/jenkins, mgmt/bastion-host | Release notes
- Added support for binding additional TLS/ACM certificates to an ALB, via the new
additional_ssl_certs_for_ports
input variable.
- Updated dependencies:
terraform-aws-lambda
: v0.19.2
to v0.19.3
terraform-aws-security
: v0.65.5
to v0.65.6
terraform-aws-data-storage
: v0.23.4
to v0.23.5
terraform-aws-utilities
: v0.8.0
to v0.9.0
terraform-aws-monitoring
: v0.33.5
to v0.34.1
terraform-aws-vpc
: v0.21.1
to v0.22.1
terraform-aws-ci
: v0.49.1
to v0.50.0
terraform-aws-server
: v0.14.4
to v0.14.6
terraform-aws-load-balancer
: v0.28.2
to v0.28.3
helm-kubernetes-services
: v0.2.12
to v0.2.13
Published: 6/28/2022 | Modules affected: services/eks-cluster, services/eks-workers, services/eks-core-services, services/k8s-service | Release notes
- Added the ability to restrict IMDS on EKS workers (self managed and managed node groups). Additionally, the launch template is now updated to restrict the service to require tokens by default (IMDS v2).
Published: 6/27/2022 | Modules affected: services, data-stores | Release notes
- Fix variable description typos
- Add
var.preferred_backup_window
to aurora module
Published: 6/23/2022 | Modules affected: services/public-static-website | Release notes
- Updated
public-static-website
to support restricting access to S3 Bucket to only CloudFront. This will make the S3 Bucket private instead of public. Note that this is only supported if the private bucket is deployed in us-east-1
.
Published: 6/23/2022 | Modules affected: landingzone/account-baseline-root, landingzone/account-baseline-app, landingzone/account-baseline-security | Release notes
- Exposed the ability to add service principals to the Cloudtrail key.
Published: 6/21/2022 | Modules affected: mgmt/jenkins, services/eks-core-services, services/k8s-service | Release notes
- Locked version of
helm
provider to < 2.6.0
to work around an issue with the client authentication token. Refer to https://github.com/gruntwork-io/knowledge-base/discussions/478 for more information.
- Updated the default version of tools installed in
jenkins
:
- Terraform:
v1.2.2
=> v1.2.3
- Terragrunt:
v0.37.1
=> v0.37.4
- Updated test dependencies.
Published: 6/17/2022 | Modules affected: services/ecs-cluster, services/ecs-service, services/eks-cluster, services/public-static-website | Release notes
- Exposed EKS Add-ons Variables
- Update various dependencies:
terraform-aws-ecs
: v0.33.1
to v0.33.2
terraform-aws-static-assets
: v0.15.3
to v0.15.5
terraform-aws-lambda
: v0.19.1
to v0.19.2
Published: 6/16/2022 | Modules affected: services, networking | Release notes
- Prefix base_domain_name references with var so that docs.gruntwork.io properly renders it.
- Exposed variables to specify a custom s3 bucket for alb logs.
Published: 6/16/2022 | Modules affected: networking/vpc, services/eks-cluster, services/eks-core-services, services/eks-workers | Release notes
- Updated dependency
terraform-aws-eks
from v0.51.4
to v0.51.5
- Exposed the ability to mirror tags on Managed Node Groups to the associated Auto Scaling Group.
Published: 6/15/2022 | Modules affected: mgmt/bastion-host, mgmt/openvpn-server, mgmt/jenkins, mgmt/tailscale-subnet-router | Release notes
- Updated
eks-workers
and eks-cluster
to support log aggregation of server system logs (syslog
and auth
logs). This is different from the log aggregation managed by fluent-bit
, which ships container level logs. To enable, set enable_cloudwatch_log_aggregation = true
in the eks-workers
module call (or enable_worker_cloudwatch_log_aggregation
in eks-cluster
).
- All packer templates have been updated to require
amazon
plugin version at least 1.0.6
.
Published: 6/15/2022 | Modules affected: services/public-static-website, mgmt/jenkins, services/asg-service, base/ec2-baseline | Release notes
- Fixed bug where
alb
module may sometimes fail deploys due to race conditions in the S3 bucket.
- Updated the default version of Tailscale that is installed from
v1.24.0
to v1.26.0
. This is a backward compatible version update, and is compatible with older client versions of Tailscale.
- Exposed the ability to configure security response headers in the CloudFront distribution for the
public-static-website
module.
- Exposed the ability to link Lambda@Edge functions with the CloudFront distribution.
- Updated URL in documentation for AWS Load Balancer Controller Ingress Annotations.
- Updated dependencies:
terraform-aws-messaging
: v0.8.1
to v0.8.2
terraform-aws-monitoring
: v0.33.3
to v0.33.5
terraform-aws-asg
: v0.17.6
to v0.18.1
terraform-aws-ci
: v0.48.1
to v0.49.1
terraform-aws-security
: v0.65.4
to v0.65.5
Published: 6/14/2022 | Modules affected: base/ec2-baseline, data-stores/rds, data-stores/s3-bucket, landingzone/account-baseline-app | Release notes
- Updated dependency
terraform-aws-security
from v0.64.1
to v0.65.2
Published: 6/7/2022 | Modules affected: services/public-static-website | Release notes
- Exposed parameter in
public-static-websites
to prevent perpetual diff in older AWS Accounts.
- Exposed
forward_headers
parameter in public-static-websites
.
Published: 6/7/2022 | Modules affected: services/ec2-instance, services/ecs-cluster, services/eks-workers, services/public-static-website | Release notes
- Updated documentation for VPC filter in
ec2-instance.pkr.hcl
packer template.
- Added support for specifying the AWS Organizations and AWS Organizations Unit access for AMI access in all packer templates.
- Updated dependency
terraform-aws-static-assets
from v0.15.1
to v0.15.2
Published: 6/7/2022 | Modules affected: services/ecs-cluster, services/public-static-website, mgmt/openvpn-server, data-stores/ecr-repos | Release notes
- Added the ability to configure the IMDS settings for EC2 Instances used as ECS workers in the
ecs-cluster
module.
- Exposed the ability to configure minimum protocol version for viewer certificates in the public-static-website module.
- Exposed the
artifact_config
variable in the ecs-deploy-runner
module.
- Added
ecr:ListImages
to the list of IAM Permissions for read access in ecr-repos
- Exposed the
cors_rule
variable in the public-static-website
module
- Updated dependencies:
terraform-aws-openvpn
: v0.23.1
to v0.24.1
terraform-aws-static-assets
: v0.14.1
to v0.15.1
Published: 6/2/2022 | Modules affected: services/ecs-service, mgmt/jenkins, services/public-static-website, base/ec2-baseline | Release notes
- Updated module dependencies:
terraform-aws-lambda
: 0.18.4
=> v0.19.1
terraform-aws-data-storage
: v0.23.3
=> v0.23.4
terraform-aws-eks
: v0.51.2
=> v0.51.4
terraform-aws-ci
: v0.47.10
=> v0.48.1
terraform-aws-server
: v0.14.2
=> v0.14.4
terraform-aws-ecs
: v0.32.1
=> v0.33.1
- (example only)
terraform-aws-utilities
: v0.7.0
=> v0.8.0
- Updated the default version of tools installed in Jenkins:
terragrunt
to v0.37.1
terraform
to v1.2.2
packer
to v1.8.1
helm
to v3.9.0
- Updated various test dependencies.
- Added support for configuring error responses in Cloudfront for the
public-static-website
module. This also defaults to serving 404
error responses from a root document 404.html
, and 500
responses from a root document 500.html
.
Published: 6/16/2022 | Modules affected: s3-static-website | Release notes
Added a new output to indicate the S3 Bucket is fully configured. This is useful for ensuring the Bucket is ready to link to CloudFront prior to setting up the CloudFront Distribution.
Published: 6/16/2022 | Modules affected: s3-static-website | Release notes
- Fixed an outdated reference in a variable description.
- In the
s3-static-website
module, we fixed a bug in how routing_rule
is parsed.
Published: 6/14/2022 | Modules affected: s3-cloudfront | Release notes
- Exposed the
response_headers_policy_id
attribute of the aws_cloudfront_distribution
resource so that one could attach a custom response header policy to the CloudFront Distribution.
Published: 6/7/2022 | Modules affected: s3-cloudfront, s3-static-website | Release notes
- Fixed bug where the S3 bucket configuration flip flopped due to missing lifecycle ignore rules.
Published: 6/2/2022 | Modules affected: s3-cloudfront, s3-static-website | Release notes
Updated dependency terraform-aws-security
to v0.65.2
.
Published: 6/20/2022 | Modules affected: instance-type, request-quota-increase | Release notes
- Updated the CircleCI config (internal to this repo only).
- Unlocked AWS provider v4. Require minimum 3.75.1. This update includes a few upgrade tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.
Published: 6/21/2022 | Modules affected: vpc-app, vpc-mgmt | Release notes
- Removed
aws_region
variable requirement. Now the region is derived from the provider configuration.
Published: 6/20/2022 | Modules affected: network-acl-inbound, network-acl-outbound, vpc-app-network-acls, vpc-app | Release notes
- Internal updates (PR template and patches)
- Unlocked AWS provider v4, requiring minimum 3.75.1. This update includes a few tests that make sure upgrading to this module from the last release is easy. However, you may need to bump your AWS provider version. See the migration guide notes below for more.