Gruntwork release 2024-10
Guides / Update Guides / Releases / 2024-10
This page is lists all the updates to the Gruntwork Infrastructure as Code
Library that were released in 2024-10. For instructions
on how to use these updates in your code, check out the updating
documentation.
Here are the repos that were updated:
Published: 10/15/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/25/2024 | Release notes
Published: 10/25/2024 | Release notes
Published: 10/9/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/25/2024 | Release notes
Published: 10/25/2024 | Release notes
Published: 10/17/2024 | Release notes
Published: 10/10/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/3/2024 | Release notes
Published: 10/4/2024 | Release notes
Published: 10/3/2024 | Release notes
Published: 10/9/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/1/2024 | Release notes
Published: 10/8/2024 | Release notes
This is a floating release tracking the latest v3.y.z release.
Published: 10/10/2024 | Release notes
Published: 10/9/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Pipelines version 3 introduces several new features which include a number of breaking changes. The migration guide below should take less than 5 minutes for most teams to complete, but please do make sure to follow it closely. We're providing a checklist here to help teams ensure that steps are not skipped.
<details>
<summary><h2>Install and configure the Gruntwork.io GitHub App</h2></summary>
Pipelines now uses the Gruntwork.io GitHub App for workflow permissions, which simplifies permission management. Follow the GitHub App Installation Instructions to install the Gruntwork.io GitHub App and add your infrastructure-live-root repository to your account.
Using the Gruntwork.io GitHub App is recommended and provides full feature support for pipelines workflows. Alternatively, if you do not wish to install the Gruntwork.io GitHub App you can modify your existing workflows to continue using GitHub secrets, although some features will not be available. Read more about App only features here.
<details>
<summary><h3>Alternative steps</h3></summary>
- Add
actions: read permissions
Customers explicitly list permissions that Gruntwork Pipelines workflows has by default in the pipelines workflow files in .github/workflows inside their infrastructure repositories. Pipelines v3 now requires actions: read permissions in order to introspect its own runs and provide more helpful logging capabilities.
Customers should make the one-line change to add the actions: read permission in the following files <b>in every repository that uses Gruntwork pipelines</b> (including root, access control and delegated repos). Note, most repositories will have only 1 or two of these workflow files, in which case update what is present and don't worry about the others.
.github/workflows/pipelines.yml.github/workflows/pipelines-drift-detection.yml.github/workflows/pipelines-root.yml.github/workflows/pipelines-unlock.yml
permissions:
id-token: write
contents: write
pull-requests: write
permissions:
id-token: write
contents: write
pull-requests: write
actions: read
- (Enterprise only) Add PR_CREATE_TOKEN to delegated repository workflows.
Delegated repositories that are not using the Gruntwork.io GitHub App will need to add PR_CREATE_TOKEN: ${{ github.token }} to the secrets in their workflow files:
secrets:
PIPELINES_READ_TOKEN: $&
secrets:
PIPELINES_READ_TOKEN: $&
PR_CREATE_TOKEN: $&
</details>
</details>
<details>
<summary><h2>Update to Terragrunt v0.67.16</h2></summary>
The latest pipelines works best with the latest version of Terragrunt. Recent versions of Terragrunt have much improved logging, performance and correctness improvements in run-all scenarios with pipelines.
</details>
<details>
<summary><h2>Allowlist Actions</h2></summary>
<i>This is only for customers who only allow GitHub actions to run if they are on an <a href="https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#allowing-select-actions-and-reusable-workflows-to-run">explicit allowlist</a></i>
<h3>New actions to add</h3>
gruntwork-io/pipelines-credentialsgruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobsgruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-unitsgruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-driftgruntwork-io/pipelines-actions/.github/actions/pipelines-new-pr-actiongruntwork-io/pipelines-actions/.github/actions/pipelines-get-job-logs-url
</details>
<details>
<summary><h2>(Enterprise Only) Install and activate Drift Detection</h2></summary>
Pipelines Drift Detection can be installed in your repositories by adding a new workflow file:
- Create a new file at
.github/workflows/pipelines-drift-detection.yml
- Add the following content to the file
name: Pipelines Drift Detection
run-name: "[GWP]: Pipelines Drift Detection"
on:
workflow_dispatch:
inputs:
path:
description: (Optional) Path to filter units e.g. "./management/*"
type: string
branch-name:
description: (Optional) branch name to open Drift Detection PRs with
default: drift-detection
type: string
permissions:
id-token: write
jobs:
GruntworkPipelines:
uses: gruntwork-io/pipelines-workflows/.github/workflows/pipelines-drift-detection.yml@v3
with:
path: $&
branch-name: $&
</details>
- Pipelines as a GitHub App
- Pipelines Drift Detection (Enterprise Only)
- Improved Account Factory Bootstrap Customization Hooks
- Pipelines Log Link Improvements
- new config options in
config.yaml
consolidate-added-or-changed: allows the pipeline to run as a single parallelized terragrunt instance such that dependencies are respected for deletionsconsolidate-deleted: Enable conslidating ModuleDeleted jobs with run-allenable-terragrunt-provider-cache: uses the new terragrunt provider cache so that you don't fetch the same 500 meg aws provider binary 20 times
Published: 10/9/2024 | Release notes
Published: 10/9/2024 | Release notes
Published: 10/9/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Release notes
Published: 10/8/2024 | Modules affected: redis | Release notes
- Add dependency to redis auto scaling
Published: 10/9/2024 | Modules affected: infrastructure-deployer | Release notes
- Bump github.com/gruntwork-io/terratest from 0.44.1 to 0.47.0
- Update
gruntwork-cli to use go-commons.
- Update
github.com/urfave/cli to github.com/urfave/cli/v2 in infrastructure-deployer
- NOTE: some interface signatures have changed in
infrastructure-deployer with this release. These are internal changes to the application that should not effect external consumption.
Published: 10/17/2024 | Modules affected: networking | Release notes
When customers want to update/add NACL rules using modules/networking/vpc, they face the following error:
Error: NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-0d8dd4609b298bccd) Rule (egress: false)(7) already exists
which is raised due to Simple Resource Creation (create-before-destroy) and NACL rules need to follow destroy-before-create behavior.
In order to fix this issue, we modified rule_incrementer logic so that it is no longer connected to the index of the specific rule in the list of rules and no longer uses starting rule number. Instead, rule_incrementer is based on MD5 value of the IP-port-proto combination and belongs to rule number range 1-16300 for Allow rules and 16301-32700 for Deny rules.
Published: 10/14/2024 | Modules affected: networking | Release notes
- Update CODEOWNERS
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC
Published: 10/17/2024 | Modules affected: rds, redshift | Release notes
Added Cloudwatch log destination in addition to S3. Logging details can be found on Database audit logging. This version adds new Terraform resource aws_redshift_logging that controls audit logging configuration and replaces logging attribute group of aws_redshift_cluster resource.
Published: 10/9/2024 | Modules affected: ecs-service | Release notes
- Adding a role for
aws ecs exec
- Allow http healtcheck on tcp protocol
- Add ecs_task_definition_pid_mode variable for replica ECS service
- Test improvements/fixes
Published: 10/21/2024 | Modules affected: eks-cluster-control-plane | Release notes
- NOTE: The changes below have a typo in the variable name
access_entry_poilcy_associations. If upgrading to use Access Entry support, please skip this version and use the next version v0.72.0 which has the typo fix included in the release.
- [Breaking Change] Add Support for EKS Access Entries
- Expose access_config configuration block on
eks-cluster-control-plane module.
- NOTE: This is a breaking change. Upgrading to this version requires upgrading the AWS Terraform Provider to
>= 5.33.0. This version of the AWS Provider is the minimum version that supports the access_config configuration block.
- Add
access_entries and access_entry_poilcy_associations variables to support adding EKS Access Entries.
- Add
access_config_authentication_mode and bootstrap_cluster_creator_admin_permissions variables to support changing the Authentication mode of an EKS cluster.
- NOTE: Please see the AWS EKS Documentation for Access Entires for full details. Considerations should be made prior to changing the Authentication mode for a cluster.
- E.g. Changing from the default Authentication mode
CONFIG_MAP to either API or API_AND_CONFIG_MAP is a one-way operation and cannot be reverted.
Published: 10/4/2024 | Modules affected: eks-k8s-cluster-autoscaler-iam-policy | Release notes
- Add
autoscaling:DescribeScalingActivities permission to Cluster Autoscaler policy.
Published: 10/15/2024 | Modules affected: lambda | Release notes
- add example of using aws sam
- add optional Lambda Advanced Logging Configuration variable
- address dependabot alerts in
lambda-service example
Published: 10/30/2024 | Modules affected: alb | Release notes
- TODO: Address dependabot alerts
- TODO: Update CODEOWNERS
- TODO: Added Missing Default Action for ALB's HTTP(S) Listeners.
This PR does NOT introduce any changes that are not backwards compatible or require resources redeployment.
Published: 10/29/2024 | Modules affected: private-s3-bucket | Release notes
- private-s3-bucket: support newer_noncurrent_versions
Published: 10/30/2024 | Modules affected: data-stores | Release notes
- data-stores/s3-bucket: support newer_noncurrent_versions
Published: 10/30/2024 | Modules affected: networking, landingzone, services, services/eks-cluster | Release notes
- Add route53 alias default to null since it's optional
- Expose SNS topic name variable for CloudTrail
- Add Support for EKS Access Entries
- NOTE: this is a breaking change due to new AWS Provider minimum version requirements. Please see the Migration Guide below for details.
Published: 10/25/2024 | Modules affected: services | Release notes
- services/ecs-cluster: update ecs-cluster to v0.38.3
Published: 10/24/2024 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- LIB-112: Enabled terrascan, address dependabot alerts.
- SME-1960: Exposed http_default_action in service catalog ALB.
Published: 10/10/2024 | Modules affected: networking | Release notes
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC
Published: 10/2/2024 | Modules affected: data-stores | Release notes
- data-stores/rds: add variable for security group description
Published: 10/9/2024 | Modules affected: vpc-mgmt | Release notes
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC
Published: 10/29/2024 | Release notes