
Gruntwork release 2024-01


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2024-01. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

boilerplate

v0.5.9

Published: 1/26/2024 | Release notes

Full Changelog: https://github.com/gruntwork-io/boilerplate/compare/v0.5.8...v0.5.9

pipelines-cli

v0.5.1

Published: 1/18/2024 | Release notes

v0.5.0

Published: 1/16/2024 | Release notes

v0.4.0

Published: 1/9/2024 | Release notes

v0.3.0

Published: 1/9/2024 | Release notes

repo-copier

v0.4.4

Published: 1/23/2024 | Release notes

Full Changelog: https://github.com/gruntwork-io/repo-copier/compare/v0.4.3...v0.4.4

terraform-aws-architecture-catalog

v2.0.0-alpha

Published: 1/24/2024 | Release notes

This release introduces a couple changes that significantly alter how the architecture catalog works with respect to the templates for vended accounts.

  1. The account vending process now supports delegated infrastructure-live repositories. These are repositories that are granted limited control over a subset of the total AWS accounts managed within a central infrastructure-live repository. These delegated repositories currently include the following:
     a. SDLC repositories: These are repositories that control the Software Delivery Lifecycle (dev/stage/prod) for particular teams. The baselines for the relevant accounts are still managed within the main infrastructure-live repository, but the application workloads can now be managed by infrastructure-live-<TEAM NAME> repositories that only have control over their particular workloads.
     b. Sandbox repositories: These are repositories that are vended by the main infrastructure-live repository and are the same as the SDLC repositories with the exception that they only have one account.
  2. IAM roles used for CI within infrastructure-pipelines have been renamed to better reflect the limits of their capabilities and to introduce a new set of roles that are assumed exclusively by infrastructure-pipelines when configuration updates are made in delegated repos.
  3. A new set of IAM roles called pipelines-pre-auth roles have been added as a control mechanism for authorizing requests made to the infrastructure-pipelines repository from infrastructure-live repositories. This is done by the controls documented here.
  4. Automatically looking up the Control Tower provisioning artifact ID instead of requiring it to be passed as input.
  5. Added a check to ensure that infrastructure-live repos do not dispatch workflows to infrastructure-pipelines if they are behind main, to ensure the integrity of pipelines-execute actions.

  1. Added retries for intermittent errors that can be encountered when using Control Tower modules for provisioning Macie resources.
  2. Increased the default timeout for Control Tower.
  3. Added retries for state locks to ensure that concurrent attempts to make the same state update wait instead of immediately failing.
  4. Added logic to ensure that state resources are provisioned prior to attempts to make updates in new accounts.

Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v1.3.3...v2.0.0

v1.3.3

Published: 1/11/2024 | Release notes

v1.3.2

Published: 1/11/2024 | Release notes

Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v1.3.1...v1.3.2

terraform-aws-asg

v0.21.12

Published: 1/22/2024 | Modules affected: server-group | Release notes

  • Updates the server-group module to make block_device_mapping optional (you can disable it with the enable_block_device_mappings variable)

terraform-aws-cis-service-catalog

v0.48.3

Published: 1/31/2024 | Modules affected: networking | Release notes

  • Feature - exposing the secondary_cidr_blocks argument

terraform-aws-control-tower

v0.4.2

Published: 1/26/2024 | Release notes

  • boilerplate-single-account-baseline
  • Fixed pipelines-pre-auth-role dependency in single-account-baseline

v0.4.1

Published: 1/26/2024 | Release notes

  • boilerplate-single-account-baseline
  • Added VPC skip flag in single account baselining.

v0.4.0

Published: 1/16/2024 | Release notes

Updates the single account baseline template by:

  • Renaming pipelines permissions
  • Adds permissions for accounts vended into team-infra-live repos
  • Adds pipelines pre-auth role

Ensure that the _envcommon files listed below are available in the infrastructure-live repo where a new account will be vended into:

  1. _envcommon/landingzone/central-pipelines-apply-role.hcl
  2. _envcommon/landingzone/central-pipelines-plan-role.hcl
  3. _envcommon/landingzone/github-actions-openid-connect-provider.hcl
  4. _envcommon/landingzone/pipelines-policy-apply-update-role.hcl
  5. _envcommon/landingzone/pipelines-policy-plan-update-role.hcl
  6. _envcommon/landingzone/pipelines-pre-auth-plan-role.hcl
  7. _envcommon/landingzone/team-pipelines-apply-role.hcl (If vending SDLC accounts)
  8. _envcommon/landingzone/team-pipelines-plan-role.hcl (If vending SDLC accounts)

v0.3.1

Published: 1/11/2024 | Modules affected: landingzone | Release notes

  • landingzone
  • Mitigating Terraform optimization bug when accounts.yml is homogeneous.

terraform-aws-ecs

v0.35.14

Published: 1/24/2024 | Modules affected: ecs-cluster | Release notes

  • ecs-cluster: Updated default EBS storage type to gp3 for cluster nodes

terraform-aws-eks

v0.65.5

Published: 1/20/2024 | Modules affected: eks-alb-ingress-controller-iam-policy, eks-alb-ingress-controller, eks-aws-auth-merger | Release notes

  • Fix ingress controller policy to allow non-default partitions (govcloud)
  • Bump upgrade-tests (CI Module) - [CORE-1384]
  • Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /modules/eks-aws-auth-merger/aws-auth-merger

v0.65.4

Published: 1/12/2024 | Modules affected: eks-container-logs | Release notes

  • Expose input.* and extraInputs

v0.65.3

Published: 1/9/2024 | Modules affected: eks-k8s-karpenter | Release notes

  • Expose Karpenter instance profile arn output

terraform-aws-lambda

v0.21.18

Published: 1/31/2024 | Modules affected: api-gateway-proxy | Release notes

  • Add ability to set security policy for API Gateway Domain Name

v0.21.17

Published: 1/23/2024 | Modules affected: api-gateway-proxy, lambda, lambda-http-api-gateway | Release notes

  • lambda-http-api-gateway: Add support for authorization_type
  • examples/lambda-build: updated build dependencies

terraform-aws-load-balancer

v0.29.21

Published: 1/2/2024 | Modules affected: alb | Release notes

  • alb: expose the desync_mitigation_mode variable so it can be set and changed as needed

terraform-aws-messaging

v0.12.5

Published: 1/11/2024 | Release notes

terraform-aws-monitoring

v0.36.11

Published: 1/10/2024 | Modules affected: logs | Release notes

  • load-balancer-access-logs: Use service principal for new regions created since 2022

terraform-aws-security

v0.70.2

Published: 1/18/2024 | Modules affected: github-actions-iam-role | Release notes

  • github-actions-iam-role
  • Set condition to repo:${repo}:* instead of repo:${repo}:ref:refs/heads/* when branch is * to ensure that PR branches are able to assume the OIDC role as well.

v0.70.1

Published: 1/12/2024 | Modules affected: github-actions-iam-role | Release notes

  • github-actions-iam-role
  • Add flag to github_actions_openid_connect_provider outputs to allow the create var to be set to false again

Special thanks to the following users for their contribution!

  • @bl-robinson

v0.70.0

Published: 1/10/2024 | Modules affected: aws-config-multi-region, ebs-encryption-multi-region, guardduty-multi-region, iam-access-analyzer-multi-region | Release notes

  • aws-config-multi-region
  • ebs-encryption-multi-region
  • guardduty-multi-region
  • iam-access-analyzer-multi-region
  • kms-grant-multi-region
  • kms-master-key-multi-region
  • aws-config
  • github-actions-iam-role
  • github-actions-openid-connect-provider (New)
  • Fix upgrade-tests (CI Module)
  • Update CODEOWNERS
  • Add Terrascan to CI
  • Add CMK policy to aws config module
  • Extract GitHub OIDC provider resource into separate module

terraform-aws-service-catalog

v0.108.4

Published: 1/31/2024 | Modules affected: networking | Release notes

  • Enhancement/vpc_secondary_cidr_blocks

v0.108.3

Published: 1/26/2024 | Modules affected: services | Release notes

  • ecs-cluster: Expose delete on termination for EBS volumes via var cluster_instance_ebs_delete_on_termination

v0.108.2

Published: 1/19/2024 | Modules affected: data-stores/aurora | Release notes

  • Expose ca_cert_identifier to enable certificate rotation

v0.108.1

Published: 1/18/2024 | Modules affected: data-stores/ecr-repos | Release notes

  • Add support for explicit deny rules for ECR repos.

v0.108.0

Published: 1/15/2024 | Modules affected: mgmt, networking, services | Release notes

  • Add Support for EKS 1.28

terraform-aws-vpc

v0.26.17

Published: 1/31/2024 | Modules affected: vpc-app | Release notes

  • Feature - VPC Secondary CIDR Blocks

v0.26.16

Published: 1/11/2024 | Modules affected: vpc-app-lookup, vpc-app | Release notes

  • vpc-app-lookup
  • vpc-app
  • Updating private_persistence_subnet_arn to private_persistence_subnet_arns as it's a list of ARNs. Note that to preserve backwards compatibility, private_persistence_subnet_arn has been deprecated instead of being removed.
  • Fixing Amazon Linux AMI lookup