Gruntwork release 2024-01
This page lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2024-01. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 1/26/2024 | Release notes
Published: 1/18/2024 | Release notes
Published: 1/16/2024 | Release notes
Published: 1/9/2024 | Release notes
Published: 1/9/2024 | Release notes
Published: 1/23/2024 | Release notes
Published: 1/24/2024 | Release notes
This release introduces a couple of changes that significantly alter how the architecture catalog works with respect to the templates for vended accounts.
- The account vending process now supports delegated `infrastructure-live` repositories. These are repositories that are granted limited control over a subset of the total AWS accounts managed within a central `infrastructure-live` repository. These delegated repositories currently include the following:
  a. SDLC repositories: These are repositories that control the Software Delivery Lifecycle (dev/stage/prod) for particular teams. The baselines for the relevant accounts are still managed within the main `infrastructure-live` repository, but the application workloads can now be managed by `infrastructure-live-<TEAM NAME>` repositories that only have control over their particular workloads.
  b. Sandbox repositories: These are repositories that are vended by the main `infrastructure-live` repository and are the same as the SDLC repositories, with the exception that they only have one account.
- IAM roles used for CI within `infrastructure-pipelines` have been renamed to better reflect the limits of their capabilities, and a new set of roles has been introduced that are assumed exclusively by `infrastructure-pipelines` when configuration updates are made in delegated repos.
- A new set of IAM roles called `pipelines-pre-auth` roles have been added as a control mechanism for authorizing requests made to the `infrastructure-pipelines` repository from `infrastructure-live` repositories. This is done by the controls documented here.
- Automatically looking up the Control Tower provisioning artifact ID instead of requiring it to be passed as input.
- Added a check to ensure that `infrastructure-live` repos do not dispatch workflows to `infrastructure-pipelines` if they are behind `main`, to ensure the integrity of `pipelines-execute` actions.
- Added retries for intermittent errors that can be encountered when using Control Tower modules for provisioning Macie resources.
- Increased default timeout for Control Tower.
- Added retries for state locks to ensure that concurrent attempts to make the same state update wait instead of immediately failing.
- Added logic to ensure that state resources are provisioned prior to attempts to make updates in new accounts.
Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v1.3.3...v2.0.0
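The "behind main" check in the list above is the one a reviewer would want to see spelled out: a branch may dispatch a `pipelines-execute` run only if it already contains the current head of `main`, so that what gets planned and applied cannot silently revert something merged since the branch was cut. The following is an added example, not Gruntwork's own pipelines code: it models the commit graph as a constructed dict (commit name to its parents) and implements the same ancestry test that `git merge-base --is-ancestor <main-sha> <branch-sha>` performs. Commit names, the graph and the `dispatch_decision` helper are illustrative assumptions.

```python
"""Model of the 'refuse to dispatch if the branch is behind main' gate.

Added example; the history below is constructed, not taken from any real repo.
"""


def is_ancestor(parents: dict, ancestor: str, descendant: str) -> bool:
    """True if `ancestor` is reachable from `descendant` by following parent
    links. As in git, a commit counts as its own ancestor."""
    stack, seen = [descendant], set()
    while stack:
        commit = stack.pop()
        if commit == ancestor:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        # Merge commits have several parents; all of them are walked.
        stack.extend(parents.get(commit, ()))
    return False


def is_behind_main(parents: dict, main_head: str, branch_head: str) -> bool:
    """A branch is 'behind main' when main's head is not contained in it,
    i.e. there are commits on main the branch has never seen."""
    return not is_ancestor(parents, main_head, branch_head)


def dispatch_decision(parents: dict, main_head: str, branch_head: str) -> tuple:
    """Gate a workflow dispatch: (allowed, reason). Hypothetical helper name."""
    if is_behind_main(parents, main_head, branch_head):
        return (
            False,
            f"refusing to dispatch: {branch_head} does not contain main "
            f"({main_head}); merge or rebase onto main first",
        )
    return True, "ok"


# Constructed history (each value is the tuple of parent commits):
#   A -- B -- C        main, head = C
#         \
#          D           stale feature branch cut from B, never updated
#   E: one commit on top of C        (feature branch cut from current main)
#   F: merge of D and C              (stale branch after merging main in)
HISTORY = {
    "A": (),
    "B": ("A",),
    "C": ("B",),
    "D": ("B",),
    "E": ("C",),
    "F": ("D", "C"),
}

if __name__ == "__main__":
    for branch in ("D", "E", "F"):
        print(branch, dispatch_decision(HISTORY, "C", branch))
```

The merge commit `F` is the case worth noting: the stale branch becomes dispatchable again as soon as `main` is merged into it, because `C` is then one of its parents; a plain `git diff` against `main` would not tell you that.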
Published: 1/11/2024 | Release notes
Published: 1/11/2024 | Release notes
Published: 1/22/2024 | Modules affected: server-group | Release notes
- Updates the `server-group` module to make `block_device_mapping` optional (you can disable it by setting the variable `enable_block_device_mappings` to false).
Published: 1/31/2024 | Modules affected: networking | Release notes
- Feature - exposing the secondary_cidr_blocks argument
Published: 1/26/2024 | Release notes
boilerplate-single-account-baseline
- Fixed `pipelines-pre-auth-role` dependency in single-account-baseline
Published: 1/26/2024 | Release notes
boilerplate-single-account-baseline
- Added VPC skip flag in single account baselining.
Published: 1/16/2024 | Release notes
Updates the single account baseline template by:
- Renaming pipelines permissions
- Adding permissions for accounts vended into team-infra-live repos
- Adding the pipelines pre-auth role
Ensure that the `_envcommon` files listed below are available in the infrastructure-live repo where a new account will be vended into:
- _envcommon/landingzone/central-pipelines-apply-role.hcl
- _envcommon/landingzone/central-pipelines-plan-role.hcl
- _envcommon/landingzone/github-actions-openid-connect-provider.hcl
- _envcommon/landingzone/pipelines-policy-apply-update-role.hcl
- _envcommon/landingzone/pipelines-policy-plan-update-role.hcl
- _envcommon/landingzone/pipelines-pre-auth-plan-role.hcl
- _envcommon/landingzone/team-pipelines-apply-role.hcl (If vending SDLC accounts)
- _envcommon/landingzone/team-pipelines-plan-role.hcl (If vending SDLC accounts)
Published: 1/11/2024 | Modules affected: landingzone | Release notes
- Mitigating Terraform optimization bug when `accounts.yml` is homogeneous.
Published: 1/24/2024 | Modules affected: ecs-cluster | Release notes
- ecs-cluster: Updated default EBS storage type to gp3 for cluster nodes
Published: 1/20/2024 | Modules affected: eks-alb-ingress-controller-iam-policy, eks-alb-ingress-controller, eks-aws-auth-merger | Release notes
- Fix ingress controller policy to allow non-default partitions (govcloud)
- Bump upgrade-tests (CI Module) - [CORE-1384]
- Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /modules/eks-aws-auth-merger/aws-auth-merger
Published: 1/12/2024 | Modules affected: eks-container-logs | Release notes
- Expose `input.*` and `extraInputs`
Published: 1/9/2024 | Modules affected: eks-k8s-karpenter | Release notes
- Expose Karpenter instance profile arn output
Published: 1/31/2024 | Modules affected: api-gateway-proxy | Release notes
- Add ability to set security policy for API Gateway Domain Name
Published: 1/23/2024 | Modules affected: api-gateway-proxy, lambda, lambda-http-api-gateway | Release notes
- lambda-http-api-gateway: Add support for authorization_type
- examples/lambda-build: updated build dependencies
Published: 1/2/2024 | Modules affected: alb | Release notes
- alb: expose the `desync_mitigation_mode` variable so it can be set and changed as needed
Published: 1/11/2024 | Release notes
Published: 1/10/2024 | Modules affected: logs | Release notes
- load-balancer-access-logs: Use service principal for new regions created since 2022
Published: 1/18/2024 | Modules affected: github-actions-iam-role | Release notes
- Set the condition to `repo:${repo}:*` instead of `repo:${repo}:ref:refs/heads/*` when branch is `*`, to ensure that PR branches are able to assume the OIDC role as well.
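The reason this change was needed is worth seeing concretely: for a `pull_request`-triggered workflow, GitHub issues an OIDC token whose `sub` claim is `repo:<owner>/<repo>:pull_request`, with no `ref:refs/heads/` segment, so a trust policy that only matches `repo:<repo>:ref:refs/heads/*` rejects it. The script below is an added example, not code from the `github-actions-iam-role` module: it builds the trust policy for the GitHub OIDC provider with each of the two `sub` patterns, emulates IAM's `StringLike` matching, and evaluates constructed `sub` claims for several workflow triggers. The repository name, account ID and sample claims are assumptions made for illustration.

```python
"""Compare the old and new GitHub OIDC `sub` conditions for branch "*".

Added example; repo name, account ID and claims are constructed.
"""
import json
import re

OIDC_PROVIDER = "token.actions.githubusercontent.com"
REPO = "example-org/infrastructure-live"        # constructed, not from the page
OLD_PATTERN = f"repo:{REPO}:ref:refs/heads/*"    # behaviour before the 1/18/2024 release
NEW_PATTERN = f"repo:{REPO}:*"                   # behaviour after it


def string_like(pattern: str, value: str) -> bool:
    """Emulate IAM's StringLike operator: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal and case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def trust_policy(account_id: str, sub_pattern: str) -> dict:
    """Assume-role trust policy for the GitHub OIDC provider: audience pinned
    to STS with StringEquals, subject restricted with StringLike."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                    "StringLike": {f"{OIDC_PROVIDER}:sub": sub_pattern},
                },
            }
        ],
    }


def can_assume(policy: dict, claims: dict) -> bool:
    """Evaluate token claims against the statement's Condition block.
    Every condition key must match (AND across keys); a missing claim fails."""
    cond = policy["Statement"][0]["Condition"]
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key) != expected:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        if not string_like(pattern, claims.get(key, "")):
            return False
    return True


# Constructed `sub` claims in the shape GitHub issues them per trigger.
SAMPLE_SUBS = {
    "push to main": f"repo:{REPO}:ref:refs/heads/main",
    "push to feature branch": f"repo:{REPO}:ref:refs/heads/feature/x",
    "pull_request run": f"repo:{REPO}:pull_request",
    "tag push": f"repo:{REPO}:ref:refs/tags/v1.0.0",
    "other repo": "repo:example-org/other-repo:ref:refs/heads/main",
}


def evaluate(sub_pattern: str, account_id: str = "123456789012") -> dict:
    """Per sample trigger, can a token with that `sub` assume the role?"""
    policy = trust_policy(account_id, sub_pattern)
    return {
        name: can_assume(
            policy,
            {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com", f"{OIDC_PROVIDER}:sub": sub},
        )
        for name, sub in SAMPLE_SUBS.items()
    }


if __name__ == "__main__":
    for label, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(label, pattern, json.dumps(evaluate(pattern), indent=2))
```

Two things to check when adopting the wider pattern. First, `repo:<repo>:*` admits everything GitHub can put after the repository segment, including tag pushes and `environment:<name>` subjects, not just branches and pull requests; if that is broader than intended, `StringLike` accepts a list of patterns (any one matching allows the request), so `["repo:<repo>:ref:refs/heads/*", "repo:<repo>:pull_request"]` is a tighter alternative. Second, keep the `aud` pin on `sts.amazonaws.com`: the example's `can_assume` rejects a token with the right `sub` but the wrong audience.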
Published: 1/12/2024 | Modules affected: github-actions-iam-role | Release notes
- Add flag to github_actions_openid_connect_provider outputs to allow the create var to be set to false again
Special thanks to the following users for their contribution!
Published: 1/10/2024 | Modules affected: aws-config-multi-region, ebs-encryption-multi-region, guardduty-multi-region, iam-access-analyzer-multi-region | Release notes
aws-config-multi-region, ebs-encryption-multi-region, guardduty-multi-region, iam-access-analyzer-multi-region, kms-grant-multi-region, kms-master-key-multi-region, aws-config, github-actions-iam-role, github-actions-openid-connect-provider (new)
- Fix upgrade-tests (CI Module)
- Update CODEOWNERS
- Add Terrascan to CI
- Add CMK policy to aws config module
- Extract GitHub OIDC provider resource into separate module
Published: 1/31/2024 | Modules affected: networking | Release notes
- Enhancement/vpc_secondary_cidr_blocks
Published: 1/26/2024 | Modules affected: services | Release notes
- ecs-cluster: Expose delete on termination for EBS volumes via the `cluster_instance_ebs_delete_on_termination` variable
Published: 1/19/2024 | Modules affected: data-stores/aurora | Release notes
- Expose `ca_cert_identifier` to enable certificate rotation
Published: 1/18/2024 | Modules affected: data-stores/ecr-repos | Release notes
- Add support for explicit deny rules for ECR repos.
Published: 1/15/2024 | Modules affected: mgmt, networking, services | Release notes
Published: 1/31/2024 | Modules affected: vpc-app | Release notes
- Feature - VPC Secondary CIDR Blocks
Published: 1/11/2024 | Modules affected: vpc-app-lookup, vpc-app | Release notes
- Updating `private_persistence_subnet_arn` to `private_persistence_subnet_arns`, as it's a list of ARNs. Note that to preserve backwards compatibility, `private_persistence_subnet_arn` has been deprecated instead of being removed.
- Fixing Amazon Linux AMI lookup