Gruntwork release 2024-03
Guides / Update Guides / Releases / 2024-03
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2024-03. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 3/27/2024 | Release notes
Published: 3/8/2024 | Release notes
Published: 3/5/2024 | Release notes
Published: 3/6/2024 | Release notes
This release includes the following improvements:
- Bumped terragrunt Go module to
v0.55.11 in order to work around some bugs.
Published: 3/1/2024 | Release notes
This release includes the following improvements:
- The
--target flag now accepts a version parameter to pin versions e.g: patcher update --target some/module/name@v0.1.0.- you can also supply constraints. e.g:
patcher update --target some/module/name@^v0.1.0
- The
report command now only works non-interactively. - Fixed a bug where Patcher would occasionally fail to discover and apply patches.
- Numerous security fixes from upstream libraries (docker, containerd, buildkit and xcrypto)
Published: 3/26/2024 | Release notes
Published: 3/26/2024 | Release notes
Published: 3/19/2024 | Release notes
Published: 3/19/2024 | Release notes
Published: 3/1/2024 | Release notes
Published: 3/1/2024 | Release notes
Published: 3/14/2024 | Release notes
Full Changelog: https://github.com/gruntwork-io/repo-copier/compare/v0.5.3...v0.5.4
During the first and subsequent incremental copying, repo-copier, reverts its previous "Resolve references" commit and then creates a new merge commit, with updates from the gruntwork repository (original), with commit name "Merge branch 'main' of ....".
The issue was that repo-copier reverted not only "Resolve references", but also its own "Merge branch 'main' of ...." made in the previous copy, in other words, it rolled back the updates made in the previous copy.
The logic is that commits that exist in the copied repository and are not in the original repository are considered third-party. Since the merge commit itself "Merge branch 'main' of ...." is a commit with a new hash about which nothing is known in the original repository, it was considered third-party, and therefore was reverted.
The fix is that during the comparison we need to take into account not only the hash of the commit itself, but also if it is a merge commit, retrieve the hash of the commit that was merged with. Thus, when repo-copier tries to determine whether the "Merge branch 'main' of ...." commit is ours or foreign, it also compares its parent hashes, then it determines that the parent hash belongs to original repository commit, so this is our commit (changes) and it doesn't need to be reverted.
While this fix will ensure that subsequent updates work correctly, unfortunately repo-copier is not able to undo those incorrect reverts made when was running repo-copier with that issue. Therefore, in cases of using v0.5.3 release, after switching to this release, customers need to overwrite all repositories once, to do this, you need to run repo-copier with the --force-overwrite flag.
Published: 3/28/2024 | Release notes
Published: 3/26/2024 | Release notes
This release introduces a couple changes that significantly alter how the architecture catalog works with respect to the templates for vended accounts.
- The account vending process now supports delegated
infrastructure-live repositories. These are repositories that are granted limited control over a subset of the total AWS accounts managed within a central infrastructure-live repository. These delegated repositories currently include the following:
a. SDLC repositories: These are repositories that control the Software Delivery Lifecycle (dev/stage/prod) for particular teams. The baselines for the relevant accounts are still managed within the main infrastructure-live repository, but the application workloads can now be managed by infrastructure-live-<TEAM NAME> repositories that only have control over their particular workloads.
b. Sandbox repositories: These are repositories that are vended by the main infrastructure-live repository and are the same as the SDLC repositories with the exception that they only have one account. - IAM roles used for CI within
infrastructure-pipelines have been renamed to better reflect the limits of their capabilities and to introduce a new set of roles that are assumed exclusively by infrastructure-pipelines when configuration updates are made in delegated repos. - A new set of IAM roles called
pipelines-pre-auth roles have been added as a control mechanism for authorizing requests made to the infrastructure-pipelines repository from infrastructure-live repositories. This is done by the controls documented here. - Automatically looking up Control Tower provisioning artifact ID instead of requiring it to be passed as input.
- Added check to ensure that
infrastructure-live repos do not dispatch workflows to infrastructure-pipelines if they are behind main to ensure the integrity of pipelines-execute actions.
- Added retries for intermittent errors that can be encountered when using Control Tower modules for provisioning Macie resources.
- Increased default timeout for Control Tower.
- Added retries for state locks to ensure that concurrent attempts to make the same state update wait instead of immediately failing.
- Added logic to ensure that state resources are provisioned prior to attempts to make updates in new accounts.
Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v1.3.3...v2.0.11
Published: 3/18/2024 | Release notes
Published: 3/15/2024 | Release notes
Published: 3/15/2024 | Release notes
Published: 3/15/2024 | Release notes
Published: 3/14/2024 | Release notes
Published: 3/13/2024 | Release notes
Published: 3/12/2024 | Release notes
Published: 3/11/2024 | Release notes
Published: 3/5/2024 | Release notes
Published: 3/4/2024 | Release notes
Published: 3/23/2024 | Modules affected: server-group | Release notes
server-group: Add option to configure self-assume for IAM Role
Published: 3/26/2024 | Release notes
Published: 3/26/2024 | Modules affected: jenkins-server | Release notes
- Add flag to Jenkins server module to allow IAM role self assume
Published: 3/22/2024 | Modules affected: sign-binary-helpers | Release notes
- Switch to maintained bearer/gon MacOS signer version
Published: 3/21/2024 | Modules affected: sign-binary-helpers | Release notes
- Updated gon version to 0.2.5
Published: 3/12/2024 | Modules affected: networking/vpc | Release notes
networking/vpc: add support for configuring ACLs and rules for transit subnets
Published: 3/3/2024 | Modules affected: networking | Release notes
- Enhancement vpc customization features
Published: 3/1/2024 | Modules affected: networking | Release notes
- exposed blackhole_network_interface_private_ips
Published: 3/26/2024 | Modules affected: control-tower-app-account-baseline | Release notes
control-tower-app-account-baseline
- DEV-140 Propagate GuardDuty Inputs
Published: 3/25/2024 | Modules affected: landingzone/control-tower-app-account-baseline, landingzone/control-tower-security-account-baseline | Release notes
landingzone/control-tower-app-account-baselinelandingzone/control-tower-security-account-baseline
- DEV-140 Propagate GuardDuty Inputs
Published: 3/14/2024 | Release notes
landingzone/boilerplate-single-account-baseline
- Adjusted the
state_bucket local to be a state_bucket_pattern instead with a wildcard for the region.
Published: 3/14/2024 | Release notes
Published: 3/14/2024 | Modules affected: landingzone/control-tower-account-factory | Release notes
landingzone/control-tower-account-factory
- Added docs to address
ResourceInUseException issue that can be encountered with Service Catalog
Published: 3/14/2024 | Modules affected: landingzone/control-tower-app-account-baseline, landingzone/control-tower-security-account-baseline | Release notes
landingzone/control-tower-app-account-baselinelandingzone/control-tower-security-account-baseline
- Added requisite Config rule to ensure that the
revoke_unused_iam_credentials works
Published: 3/8/2024 | Modules affected: landingzone | Release notes
- Added
revoke_unused_iam_credentials module to baselines
Published: 3/6/2024 | Modules affected: landingzone | Release notes
- Bumped
account-baseline-security module to v0.110.1
Published: 3/4/2024 | Modules affected: landingzone/control-tower-account-factory, landingzone/control-tower-multi-account-factory | Release notes
landingzone/control-tower-account-factorylandingzone/control-tower-multi-account-factory
Added new discover_ous_recursively variable that allows organizational units (OUs) to be discovered recursively from the organization root. Prior to this update, OUs had to be defined in a flat structure to be supported by these modules, as the organizations_organizational_units data source only supports listing organizations in a flat OU structure.
To support this change, the discovery of OUs was moved from the landingzone/control-tower-account-factory to the landingzone/control-tower-multi-account-factory to reduce the number of times that OUs are queried. As a consequence, a breaking change was introduced to require an ous variable to be passed into the landingzone/control-tower-account-factory.
This requirement may be removed in a future release (see https://github.com/gruntwork-io/terraform-aws-control-tower/pull/66), but it will be required in order to use the module as is (to lookup an organization by name alone, without the corresponding ID).
If you are currently using landingzone/control-tower-account-factory via landingzone/control-tower-multi-account-factory, no changes are necessary to support this update.
The breaking change is transparently integrated into the landingzone/control-tower-multi-account-factory module. If you are using the landingzone/control-tower-account-factory directly, a list of OUs will have to be provided directly.
How to do so can be found by following the usage here.
Published: 3/1/2024 | Modules affected: landingzone/control-tower-app-account-baseline, landingzone/control-tower-security-account-baseline | Release notes
landingzone/control-tower-app-account-baselinelandingzone/control-tower-security-account-baseline
- Add ability specify additional GuardDuty findings S3 bucket policies
Published: 3/21/2024 | Release notes
Published: 3/20/2024 | Modules affected: rds, rds-proxy, org-backup-policy, efs | Release notes
Published: 3/15/2024 | Modules affected: ecs-service | Release notes
Published: 3/12/2024 | Modules affected: eks-k8s-karpenter | Release notes
- [BACKWARD INCOMPATIBLE] Upgrade
eks-k8s-karpenter modules to support Karpenter v0.32.7
Published: 3/12/2024 | Modules affected: eks-alb-ingress-controller | Release notes
- Allow setting defaults_tags for alb-ingress-controller
Published: 3/5/2024 | Modules affected: eks-cluster-control-plane, eks-k8s-karpenter | Release notes
- Bugifx: Update Karpenter variable type from bool to string
- Bugfix: Remove SG cleanup for eks control plane
Published: 3/21/2024 | Modules affected: logs | Release notes
- Address syslog module failures with Amazon Linux 2023
Published: 3/12/2024 | Modules affected: alarms | Release notes
- route53-health-check-alarms: fix bug with CALCULATED, CLOUDWATCH_METRIC, and RECOVERY_CONTROL
Published: 3/1/2024 | Modules affected: agents | Release notes
- cloudwatch-agent: fix config bug to support Ubuntu 22.04
Published: 3/25/2024 | Modules affected: guardduty-bucket, guardduty-multi-region, guardduty | Release notes
guardduty-bucketguardduty-multi-regionguardduty
- SME-223 Pre-create GuardDuty findings prefix
Published: 3/21/2024 | Modules affected: auto-update, fail2ban | Release notes
- Add AL2023 support to auto-update module (dnf), remove AL2023 support from fail2ban
Published: 3/6/2024 | Modules affected: guardduty-bucket | Release notes
- Passed through
force_destroy to GuardDuty bucket configuration
Published: 3/1/2024 | Modules affected: guardduty, guardduty-bucket | Release notes
- Revert Pin Terraform version transitive for SNS topic in guardduty
- Allow additional bucket policies for GuardDuty findings S3 bucket
Published: 3/27/2024 | Modules affected: services | Release notes
- services/lambda: expose architecture variable for aws lambda functions
Published: 3/26/2024 | Modules affected: account-baseline-app | Release notes
- Added
guardduty_admin_account_id input to the account-baseline-app module
Published: 3/25/2024 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-root, landingzone/account-baseline-security | Release notes
landingzone/account-baseline-applandingzone/account-baseline-rootlandingzone/account-baseline-security
- SME-219 Propagate GuardDuty inputs
Published: 3/22/2024 | Modules affected: networking, services/eks-* | Release notes
- BACKWARD INCOMPATIBLE CHANGES!!
- Updated terraform-aws-eks to v0.66.0
- Updated
eks-karpenter default version to v0.32.7 which has significant API changes (breaking changes) - Please review the following upgrade guides prior to updating to this version of the Service Catalog!!
Published: 3/15/2024 | Modules affected: services/lambda | Release notes
- Expose
treat_missing_data variable for lambda-alarms
Special thanks to the following users for their contribution!
Published: 3/13/2024 | Modules affected: services | Release notes
- Add detailed monitoring option (var) to modules/services/ec2-instance
Published: 3/13/2024 | Modules affected: mgmt, networking, services | Release notes
- Update terraform-aws-eks to v0.65.7
- Expose Karpenter instance profile arn output
- Expose input.* and extraInputs for Fluent Bit
- Expose alb-ingress-controller IAM Role Arn
- Bugfix: Update Karpenter variable type from bool to string
- Bugfix: Remove SG cleanup for eks control plane
- Allow setting defaults_tags for alb-ingress-controller
Published: 3/7/2024 | Modules affected: services/ec2-instance, networking/vpc | Release notes
- Add input variable for root volume encryption
- Ability to configure VPC transit subnet ACLs
Published: 3/6/2024 | Modules affected: landingzone | Release notes
- Bumped
guardduty-bucket to v0.71.3
Published: 3/3/2024 | Modules affected: networking | Release notes
- consistency for variable type and validation
Published: 3/3/2024 | Modules affected: networking | Release notes
- added natgw private IP customization
- Enhancement_vpc_customization_features
Published: 3/1/2024 | Modules affected: landingzone | Release notes
- Ability to add additional bucket policy statements to GuardDuty findings bucket
Published: 3/19/2024 | Modules affected: s3-cloudfront | Release notes
- s3-cloudfront: allow setting a custom cache_policy_id for default_cache_behaviour
Published: 3/7/2024 | Modules affected: vpc-app-network-acls | Release notes
Published: 3/4/2024 | Modules affected: vpc-app-lookup | Release notes
- carried over subnet tier naming from
vpc-app module to vpc-app-lookup module
Published: 3/2/2024 | Modules affected: vpc-app | Release notes
- enhancement\custom subnet naming
- Enhancement/VPC Endpoints for Transit subnets
- Enhancement/Boolean to disable the default route table routes
Published: 3/1/2024 | Modules affected: vpc-app | Release notes
- enhancement/natgw assigned private IP address