Gruntwork release 2024-02
Guides / Update Guides / Releases / 2024-02
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2024-02. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 2/13/2024 | Release notes
Published: 2/16/2024 | Release notes
Published: 2/15/2024 | Release notes
Published: 2/15/2024 | Release notes
Published: 2/15/2024 | Release notes
Published: 2/14/2024 | Release notes
Published: 2/28/2024 | Release notes
Published: 2/14/2024 | Release notes
Published: 2/14/2024 | Release notes
Published: 2/2/2024 | Release notes
Published: 2/7/2024 | Release notes
This release introduces a couple changes that significantly alter how the architecture catalog works with respect to the templates for vended accounts.
- The account vending process now supports delegated
infrastructure-live repositories. These are repositories that are granted limited control over a subset of the total AWS accounts managed within a central infrastructure-live repository. These delegated repositories currently include the following:
a. SDLC repositories: These are repositories that control the Software Delivery Lifecycle (dev/stage/prod) for particular teams. The baselines for the relevant accounts are still managed within the main infrastructure-live repository, but the application workloads can now be managed by infrastructure-live-<TEAM NAME> repositories that only have control over their particular workloads.
b. Sandbox repositories: These are repositories that are vended by the main infrastructure-live repository and are the same as the SDLC repositories with the exception that they only have one account. - IAM roles used for CI within
infrastructure-pipelines have been renamed to better reflect the limits of their capabilities and to introduce a new set of roles that are assumed exclusively by infrastructure-pipelines when configuration updates are made in delegated repos. - A new set of IAM roles called
pipelines-pre-auth roles have been added as a control mechanism for authorizing requests made to the infrastructure-pipelines repository from infrastructure-live repositories. This is done by the controls documented here. - Automatically looking up Control Tower provisioning artifact ID instead of requiring it to be passed as input.
- Added check to ensure that
infrastructure-live repos do not dispatch workflows to infrastructure-pipelines if they are behind main to ensure the integrity of pipelines-execute actions.
- Added retries for intermittent errors that can be encountered when using Control Tower modules for provisioning Macie resources.
- Increased default timeout for Control Tower.
- Added retries for state locks to ensure that concurrent attempts to make the same state update wait instead of immediately failing.
- Added logic to ensure that state resources are provisioned prior to attempts to make updates in new accounts.
Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v1.3.3...v2.0.0
Published: 2/22/2024 | Modules affected: landingzone | Release notes
- Add ability to publish GuardDuty findings to S3 and/or SNS
Published: 2/21/2024 | Modules affected: networking | Release notes
- Enhancement/ Blackhole ENI name, description, and tags
Published: 2/12/2024 | Modules affected: networking | Release notes
- Enhancement/customizable blackhole routes. This release allows for full customization of blackhole routes on a per subnet basis.
The following variables have been removed:
create_blackhole_route
blackhole_route_table_names
blackhole_cidr_block
The following variables have been added:
blackhole_routes
Published: 2/9/2024 | Modules affected: landingzone/account-baseline-app, networking | Release notes
- Make SecurityHub optional. Default to enabling to remain backwards compatible.
- Format Terraform in
networking
Published: 2/29/2024 | Modules affected: templates/landingzone/boilerplate-single-account-baseline | Release notes
- templates/landingzone/boilerplate-single-account-baseline
- [Bug fix] Include envcommon settings for service quota module used in the single-account-baseline template
Published: 2/29/2024 | Modules affected: templates/landingzone/boilerplate-single-account-baseline | Release notes
- templates/landingzone/boilerplate-single-account-baseline
- Update request-qoutas module version used in single-accout-baseline template
Published: 2/29/2024 | Release notes
boilerplate-single-account-factory
- Removed unnecessary
AccountBaselineCISServiceCatalogVersion variable in boilerplate-single-account-factory template
Published: 2/28/2024 | Release notes
boilerplate-single-account-baseline - Added optional configurations for disabling opt-in features on an account by account basis.
- Added account level overrides for opt-ins of services like SecurityHub, GuardDuty and Macie.
Published: 2/27/2024 | Modules affected: templates/landingzone/boilerplate-single-account-factory | Release notes
Overriding/setting module configuration for generating baselines after creating a new account should now happen in one central location: the infra-pipelines workflow file that invokes the single-account-baseline template.
Published: 2/26/2024 | Modules affected: templates/landingzone/boilerplate-single-account-baseline | Release notes
- templates/landingzone/boilerplate-single-account-baseline
- Update single account baseline template to use configurable modules and versions
Published: 2/23/2024 | Modules affected: landingzone/control-tower-app-account-baseline, landingzone/control-tower-security-account-baseline | Release notes
landingzone/control-tower-app-account-baselinelandingzone/control-tower-security-account-baseline
- Add ability to export GuardDuty findings to S3
Published: 2/21/2024 | Modules affected: landingzone/control-tower-account-factory | Release notes
landingzone/control-tower-account-factory
- Added length validation on account email
Published: 2/9/2024 | Modules affected: landingzone/control-tower-app-account-baseline | Release notes
- Make Security Hub optional
Published: 2/19/2024 | Modules affected: ecs-service | Release notes
- add support for codedeploy
Published: 2/19/2024 | Modules affected: lb-listener-rules | Release notes
- Adds option to ignore tg changes making it compatible with blue/green deployments
Published: 2/23/2024 | Modules affected: alarms | Release notes
- Add var to allow setting
treat_missing_data for lambda-alarms
Published: 2/13/2024 | Modules affected: metrics, alarms | Release notes
- metrics cleanup: Remove Amazon Linux 1 example and remove non-existent cloudwatch-agent flags from README
- route53-health-check-alarms: fix bug with HTTP_STR_MATCH and HTTPS_STR_MATCH type
Published: 2/16/2024 | Modules affected: guardduty-bucket, kms-master-key | Release notes
- New
guardduty-bucketmodule intended for exporting GuardDuty findings to S3. - Add a new optional parameter to
kms-master-key cmk_service_principals: additional_principals - list of additional service principals. Useful when, for example, granting access to opt-in region service endpoints (e.g. guardduty.me-south-1.amazonaws.com).
Published: 2/9/2024 | Modules affected: guardduty-multi-region, guardduty | Release notes
guardduty-multi-regionguardduty
Implement multiple GuardDuty features:
- GuardDuty admin account delegation
- Managing member accounts (manual and automatic) and accepting invitations.
- Managing organization level GuardDuty protections/features
- Managing findings S3 export
- Remove
guardduty_detector_account_id from guardduty module. The guardduty-multi-region never used that output.
The guardduty module removes the output guardduty_detector_account_id. Remove the output where it is used.
Published: 2/29/2024 | Modules affected: networking | Release notes
- enhancement/blackhole eni private IP
Published: 2/21/2024 | Modules affected: networking | Release notes
- Enhancement/Blackhole ENI Naming and Tags
Published: 2/21/2024 | Modules affected: landingzone | Release notes
- Add ability to export GuardDuty findings to S3
Published: 2/21/2024 | Modules affected: services/ecs-service | Release notes
- Add variable
listener_rule_ids which allows external listener rules to be created prior to ECS service creation - Updates module version of ecs-service to v0.35.15
- Updates module version of lb-listener-rules to v0.29.22 and adds
ignore_changes_to_target_groups variable
Published: 2/14/2024 | Modules affected: services | Release notes
- services/ecs-service: expose vars
platform_version and deployment_controller
Published: 2/12/2024 | Modules affected: networking | Release notes
- Enhancement/customizable blackhole routes. This release allows for full customization of blackhole routes on a per subnet basis.
The following variables have been removed:
create_blackhole_route
blackhole_route_table_names
blackhole_cidr_block
The following variables have been added:
blackhole_routes
Published: 2/9/2024 | Modules affected: services | Release notes
- Updated the
ecs-cluster to expose EBS storage type
Published: 2/6/2024 | Modules affected: services, mgmt | Release notes
- eks-workers: clarify Packer template params
- mgmt/jenkins: add IMDSv2 support to
Published: 2/28/2024 | Modules affected: s3-cloudfront | Release notes
- s3-cloudfront: support multiple s3 origins
Published: 2/21/2024 | Modules affected: request-quota-increase | Release notes
request-quota-increase [BACKWARD INCOMPATIBLE]
- Add codegen for adjustable quotas and allow arbitrary quota requests in
request-quota-increase - Fix upgrade-tests (CI Module)
- Update CODEOWNERS
- Add Terrascan to CI
The input resources_to_increase in request-quota-increase was removed. Change the input values to use quota-specific input variables, e.g.
module "quota_increase" {
source = "git::git@github.com:gruntwork-io/terraform-aws-utilities.git//modules/quota-increase?ref=<VERSION>"
vpc_rules_per_network_acl = 30
vpc_nat_gateways_per_availability_zone = 30
}
Published: 2/27/2024 | Modules affected: transit-gateway | Release notes
Update the outputs of the Transit Gateway module.