Gruntwork release 2026-04
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2026-04.
For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 4/28/2026 | Release notes
Published: 4/16/2026 | Release notes
Published: 4/13/2026 | Release notes
Published: 4/13/2026 | Release notes
Upgrade mise to 2026.4.11
Published: 4/7/2026 | Release notes
Published: 4/2/2026 | Release notes
Published: 4/29/2026 | Release notes
Published: 4/28/2026 | Release notes
Published: 4/23/2026 | Release notes
Published: 4/23/2026 | Release notes
Published: 4/20/2026 | Release notes
Published: 4/13/2026 | Release notes
Published: 4/10/2026 | Release notes
Published: 4/9/2026 | Release notes
Published: 4/8/2026 | Release notes
Published: 4/8/2026 | Release notes
Published: 4/2/2026 | Release notes
Published: 4/1/2026 | Release notes
Published: 4/7/2026 | Release notes
Published: 4/30/2026 | Release notes
Previously, Terragrunt plans that only changed Terraform outputs (no resource adds, changes, or destroys) rendered as Plan Summary: 0 to add, 0 to change, 0 to destroy, which was misleading.
Plan summaries now include per-action output counts and (in the GitHub formatter) a Changed Outputs list of changed output names. For example:
Plan Summary: 0 to add, 0 to change, 0 to destroy, 0 outputs to add, 1 outputs to change, 0 outputs to destroy
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.16.0...v4.16.1
Published: 4/28/2026 | Release notes
Pipelines can now fail a pull request when it deletes a Terragrunt unit (or a file read by a unit) that is still referenced elsewhere in the DAG.
When enabled, the orchestrate step runs terragrunt find against the target ref and cross-references each deleted path against every Pipelines unit's dependencies and mark_as_read entries.
If any Pipelines unit still references a deleted path, the run fails on pull request events with a comment listing the offending references; on other events the violation is logged as a warning and the run continues.
This is an opt-in feature, disabled by default. Enable it by setting PIPELINES_FEATURE_VALIDATE_DAG_ON_DELETE=true in your repository's environment configuration.
To enable a feature flag, add it to the env block of the repository block in .gruntwork/repository.hcl:
```hcl
repository {
  env {
    PIPELINES_FEATURE_VALIDATE_DAG_ON_DELETE = "true"
  }
}
```
Validation of mark_as_read entries requires Terragrunt newer than v0.91.3; older versions only validate dependencies.
See the feature flag reference for full details.
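The cross-reference check described above, modelled in Python as an added illustration (this is not the Pipelines source; the Unit shape, the version gate and the sample paths are constructed assumptions). It matches each deleted path against every unit's dependencies and, only for Terragrunt newer than v0.91.3, its mark_as_read entries, and fails only on pull_request events:

```python
import posixpath
from dataclasses import dataclass, field

TERRAGRUNT_FILE = "terragrunt.hcl"
MARK_AS_READ_MIN_VERSION = "v0.91.3"  # mark_as_read is validated only if newer

@dataclass
class Unit:
    path: str                                              # repo-relative unit dir
    dependencies: list[str] = field(default_factory=list)  # unit dirs it depends on
    mark_as_read: list[str] = field(default_factory=list)  # files it reads

def _version(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.lstrip("v").split("."))

def deleted_keys(deleted_paths):
    """Normalise deleted paths; deleting a unit's terragrunt.hcl deletes the unit."""
    keys = set()
    for p in deleted_paths:
        p = posixpath.normpath(p)
        keys.add(p)
        if posixpath.basename(p) == TERRAGRUNT_FILE:
            keys.add(posixpath.dirname(p))
    return keys

def find_violations(deleted_paths, units, terragrunt_version="v0.100.0"):
    """Return (unit, kind, deleted_ref) for every reference to a deleted path."""
    check_reads = _version(terragrunt_version) > _version(MARK_AS_READ_MIN_VERSION)
    keys = deleted_keys(deleted_paths)
    violations = []
    for unit in units:
        if unit.path in keys:  # a unit removed in the same change has no stake
            continue
        refs = [(d, "dependency") for d in unit.dependencies]
        if check_reads:
            refs += [(r, "mark_as_read") for r in unit.mark_as_read]
        for ref, kind in refs:
            ref = posixpath.normpath(ref)
            if ref in keys:
                violations.append((unit.path, kind, ref))
    return violations

def evaluate(deleted_paths, units, event, terragrunt_version="v0.100.0"):
    """Fail only on pull_request events; elsewhere the findings are warnings."""
    found = find_violations(deleted_paths, units, terragrunt_version)
    messages = [f"{u} still references deleted path {p} ({k})" for u, k, p in found]
    return (event == "pull_request" and bool(found)), messages

# Constructed sample: app depends on vpc, and both read a shared common.hcl.
SAMPLE_UNITS = [
    Unit("envs/dev/vpc", mark_as_read=["envs/dev/common.hcl"]),
    Unit("envs/dev/app", dependencies=["envs/dev/vpc"],
         mark_as_read=["envs/dev/common.hcl"]),
]
```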
Fixed a race where a Push event to the deploy branch could compute a changeset against a newer deploy-branch tip than the one that triggered the run if another pull request merged in between; the comparison only ever moved forward in history, never backward.
Pipelines no longer touches the local deploy branch on Push events; the runner's checkout already provides the correct state for the trigger commit. Pull request events are unchanged.
We recommend enabling "Require branches to be up to date before merging" in your repository's branch protection rules. That requirement prevents the wider class of races where two pull requests land against the same deploy-branch tip without either one seeing the other's changes.
The mise version used in the preflight action lagged behind the version used in workflows; it has been brought in line (2025.10.0 -> 2026.4.11).
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.15.1...v4.16.0
Published: 4/24/2026 | Release notes
When the Terragrunt in use is recent enough to support the --filters-file flag (>= v0.97.0), Pipelines now makes a single terragrunt stack generate call with that flag instead of calling terragrunt stack generate once per stack being generated.
This lets Terragrunt synchronize stack generation with full awareness of every stack being generated, reducing the likelihood of contention between different stack generations.
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.15.0...v4.15.1
Published: 4/23/2026 | Release notes
Published: 4/20/2026 | Release notes
The following improvements affect Account Factory customers using custom actions to extend Pipelines.
Added new optional inputs to pipelines-root, pipelines_actions_customizations_repo and pipelines_actions_customizations_ref. When set, custom-actions will be cloned from this repository instead of pipelines-actions.
A new custom action runs after provisioning access-control but before opening the pull request, allowing customization of the pull request contents.
Updated the signatures of all custom actions with additional context. The job is the output from pipelines orchestrate, and account_names is a comma-separated list of the new accounts being created during account provisioning.
The pipelines-execute action inputs infra_live_repo_branch, infra_live_repo, and infra_live_directory are now deprecated. Use ref in place of infra_live_repo_branch.
Added the following commands to the pipelines CLI. They should be used in place of the deprecated pipelines-bootstrap context from v3 (no longer available in v4).
```shell
pipelines config get --wd . <path_to.hcl_config_value>
pipelines account-factory get-account-request-field --wd . --account-name <account_name> <path_to.account_request_yaml>
pipelines account-factory execute-via-control-tower --wd . --job ${{ inputs.job }} --terragrunt-command <command> --path <path_to_unit>
```
These fixes work in tandem with template changes in terraform-aws-architecture-catalog v4.5.0
Value would incorrectly include https://, leading to invalid module sources like git://https://
Value was ignored, now correctly passed to delegated repository template
Similar to pipelines_read_token_name, this value can be used to customize the secret name for PR_CREATE_TOKEN when templating a new repository.
pipelines_workflow_location was previously being ignored. Fixed this and added pipelines_workflow_ref.
Previously pipelines_workflow_location was documented as being the full path to a forked pipelines workflow e.g. acme-org/pipelines-workflows/.github/workflows/pipelines.yml@X. If migrating from pipelines YAML config, this value needs to be changed to the path up to but not including the workflow file name e.g. acme-org/pipelines-workflows/.github/workflows. This value is then used in the pipelines, unlock, and drift-detection workflows.
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.13.0...v4.14.0
Published: 4/13/2026 | Release notes
Published: 4/10/2026 | Release notes
Published: 4/9/2026 | Release notes
✨ Added a new status_update configuration block for the repository block. This allows you to control how Pipelines posts status comments on pull/merge requests.
By default, Pipelines creates a new comment for every push to a PR branch. You can now set new_comment_per_push = false to have Pipelines update a single comment in-place instead. On GitHub, previous plan outputs are preserved in the comment's edit history. On GitLab, previous outputs are overwritten since GitLab does not support comment edit history.
```hcl
repository {
  status_update {
    new_comment_per_push = false
  }
}
```
Read more in the docs
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.12.0
Published: 4/9/2026 | Release notes
- ✨ Added support for PIPELINES_GRUNTWORK_READ_TOKEN and PIPELINES_CUSTOMER_ORG_READ_TOKEN as fallback secrets. These optional fallback secrets take precedence over PIPELINES_READ_TOKEN and can be used in situations where a single PAT cannot access both the gruntwork-io organization and the customer organization. Read the full docs here
- ⚡ pipelines-credentials now fetches tokens from the Gruntwork Dev portal in parallel, saving a few seconds of overhead per job.
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.11.0
Published: 4/8/2026 | Release notes
- 🐛 Fix issues with whitespace in unit paths causing separate args to be passed to terragrunt run --all
- 🐛 Remove invalid PIPELINES_READ_TOKEN preflight checks
- ⚙ Updated actions to remove deprecated node version warnings
- ⚡ Some small speed improvements to job overheads by parallelizing some tasks, in our tests this can save anywhere from 1 to 20 seconds per job
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.10.3
Published: 4/28/2026 | Release notes
- Updated the architecture catalog from CIS AWS Foundations Benchmark v1.5.0 to v3.0.0 and restructured the CloudTrail implementation to use a single organization trail instead of per-account trails
- New required boilerplate variables: Users re-running boilerplate generation will now be prompted for SecurityContactName, SecurityContactEmail, SecurityContactPhone, and SecurityContactTitle
  - These have no defaults and must be provided.
  - Users running --non-interactive must add --var SecurityContactName=... --var SecurityContactEmail=... etc. to their commands.
- CloudTrail migration to organization trail: Existing deployments that have per-account CloudTrail trails will be migrated to a single organization trail:
  - The management account trail becomes an organization trail. This requires the management account to have the organizations:ListAccounts and organizations:DescribeOrganization permissions.
  - Sub-account baselines disable their individual CloudTrail trails (enable_cloudtrail = false). Users must apply the management account changes first (to enable the organization trail) before applying the sub-account changes (which disable their individual trails); otherwise there will be a window with no CloudTrail coverage.
- AWS provider constraint tightened: The minimum AWS provider version moves from ~> 6.0 to ~> 6.25
- KMS key policy change in shared account: The addition of allow_manage_key_permissions_with_iam = true to both KMS keys changes how key access is managed; existing key policies will be updated on the next apply
- New Terragrunt units: The following new units must be applied:
  - account-security-contact (all accounts)
  - default-vpc-hardening (all accounts; gracefully skips if no default VPC exists)
  - ebs-encryption (management account only)
  - s3-account-public-access-block (all accounts)
  - s3-tls-enforcement-scp (management account only)
  - iam-groups (management account only)
Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v4.5.0...v5.0.0
Published: 4/20/2026 | Release notes
Published: 4/10/2026 | Release notes
Published: 4/20/2026 | Modules affected: observability | Release notes
- Updated observability/cloudtrail with a new data-events-only mode to disable logging management events if Control Tower is already capturing them
Published: 4/3/2026 | Modules affected: data-stores, landingzone, networking, observability | Release notes
- Add IPv6 CIDR block support for dual-stack networking
- CIS AWS Foundations Benchmark v3.0.0 support
- Test fixes/improvements
Published: 4/22/2026 | Modules affected: landingzone | Release notes
- feat: CT Role Description variable
Published: 4/21/2026 | Modules affected: landingzone | Release notes
- chore: bump cloud-nuke to v0.49.0
- chore: run cloud-nuke cleanup across all regions
- plumb through enable_default_standards in security hub
Published: 4/9/2026 | Modules affected: landingzone | Release notes
- CIS AWS Foundations Benchmark v3.0.0 support
Published: 4/10/2026 | Modules affected: aurora, rds, rds-replicas, rds-proxy | Release notes
- aurora
- rds
- rds-replicas
- rds-proxy
- redshift
- opensearch
- backup-plan
- backup-vault
- dms
- efs
- org-backup-policy
- lambda-create-snapshot (REMOVED)
- lambda-share-snapshot (REMOVED)
- lambda-copy-shared-snapshot (REMOVED)
- lambda-cleanup-snapshots (REMOVED)
Lambda snapshot modules removed. The following modules have been deleted in favor of AWS Backup's native capabilities (#580):
- lambda-create-snapshot → Use backup-plan with a cron schedule
- lambda-share-snapshot → Use copy_action in backup plan rule
- lambda-copy-shared-snapshot → Use copy_action with automatic KMS re-encryption
- lambda-cleanup-snapshots → Use lifecycle { delete_after } on source and destination
See the backup-rds-cross-account example for a full end-to-end replacement.
- RDS: Add multi_az support for read replicas (#575)
- Aurora/RDS: Replace local-exec sleep provisioners with time_sleep resources, replace element(concat(...)) with one(), add output descriptions (#578)
- All modules: Standardize Terraform (>= 1.3.0) and AWS provider (>= 5.0.0, < 7.0.0) version constraints (#577)
- CI: Add gw: namespaced tagging for test resources, scheduled cloud-nuke cleanup (#582, #583)
- Aurora: Fix cross-region replica example — add explicit KMS key, fix parameter group attachment bug (#573)
- Tests: Restrict all tests to known-good AWS regions to avoid quota issues (#576)
- Resolve 8 Dependabot alerts: upgrade pgx/v4→v5, grpc (critical auth bypass), go-getter, logrus, x/oauth2, x/crypto, ulikunitz/xz (#584)
- Update module READMEs with new feature entries, typo fixes, maturity notes (#579)
- Align all examples to required_version >= 1.3.0, remove OpenSearch rough-edges warning, clean up skipped tests (#584)
Special thanks to the following users for their contribution!
Published: 4/7/2026 | Modules affected: eks-aws-auth-merger, eks-cluster-control-plane, eks-ebs-csi-driver, eks-k8s-cluster-autoscaler | Release notes
- eks-aws-auth-merger
- eks-cluster-control-plane
- eks-ebs-csi-driver
- eks-k8s-cluster-autoscaler
Default EKS version is 1.34 with this release! Please see the links below for full details of the EKS 1.34 release including new features and any API changes.
Kubernetes 1.34 ("Of Wind & Will") highlights:
- Dynamic Resource Allocation (DRA) core functionality graduated to GA
- VolumeAttributesClass (VAC) graduated to GA (storage.k8s.io/v1)
- 23 enhancements graduating to stable, including Direct Service Return (DSR) for Windows kube-proxy
- No deprecated APIs or removed features — safe upgrade path
Official AWS EKS 1.34 Announcement
Amazon EKS Distro Docs
Kubernetes 1.34 Announcement
Kubernetes 1.34 Release Notes
No breaking changes. The default EKS version has been updated to 1.34. Users pinning a specific version via the kubernetes_version variable are unaffected.
Published: 4/3/2026 | Modules affected: eks-alb-ingress-controller | Release notes
- Add gw: namespaced tagging and scheduled cloud-nuke cleanup
- Expose all remaining aws-load-balancer-controller helm chart values (v1.4.6) as Terraform variables for the eks-alb-ingress-controller module. This includes resource requests/limits, node scheduling (nodeSelector, topologySpreadConstraints, podDisruptionBudget), AWS feature toggles (WAF, Shield, WAFv2, EndpointSlices), webhook configuration, observability settings, and more. All new variables default to the chart's defaults to ensure no breaking changes.
Published: 4/29/2026 | Modules affected: lambda-alias, lambda-function-url, api-gateway-account-settings, api-gateway-proxy | Release notes
- feat: Add gw:-namespaced default tagging and scheduled cloud-nuke cleanup workflow (#282)
- fix: Make CORS configuration optional in lambda-function-url (#284)
- docs: Update module documentation (#285)
- chore: Bump cloud-nuke to v0.49.0 (#286)
- chore: Run cloud-nuke cleanup across all regions (#287)
- feat: Propagate custom_tags to the api-gateway-proxy stage (#288)
- fix: Harden cloud-nuke cleanup CI and bump cloud-nuke to v0.50.0 (#289)
Published: 4/24/2026 | Modules affected: init-openvpn, install-openvpn, openvpn-server | Release notes
- feat: add gw: namespaced tagging and scheduled cloud-nuke cleanup
- chore: bump cloud-nuke to v0.49.0
- chore: run cloud-nuke cleanup across all regions
- Base Image upgrades
Published: 4/3/2026 | Modules affected: private-s3-bucket | Release notes
- Transition data source aws_region from name (deprecated) to region in output
Published: 4/20/2026 | Modules affected: networking/vpc, services/eks-argocd, services/eks-cluster, services/eks-core-services | Release notes
Published: 4/4/2026 | Modules affected: networking/vpc, services/eks-argocd, services/eks-cluster, services/eks-core-services | Release notes
- networking/vpc
- services/eks-argocd
- services/eks-cluster
- services/eks-core-services
- services/eks-karpenter
- services/eks-workers
- services/helm-service
- services/k8s-service

- Bump terraform-aws-eks to v4.4.0
- Replace alb_ingress_controller_extra_args with alb_ingress_controller_feature_gates (map(bool)) in eks-core-services
- Expose all remaining aws-load-balancer-controller helm chart values (v1.4.6) as Terraform variables in eks-core-services, including resource requests/limits, node scheduling, security contexts, WAF/Shield/WAFv2 toggles, webhook configuration, observability settings, and more
> [!WARNING]
> #### Breaking Changes
> - alb_ingress_controller_extra_args has been removed and replaced with alb_ingress_controller_feature_gates. If you were using extra_args to pass feature gates, update your configuration:
>
> Before:
> ```hcl
> alb_ingress_controller_extra_args = {
>   "feature-gates" = "NLBGatewayAPI=true,ALBGatewayAPI=true"
> }
> ```
>
> After:
> ```hcl
> alb_ingress_controller_feature_gates = {
>   NLBGatewayAPI = true
>   ALBGatewayAPI = true
> }
> ```
Published: 4/3/2026 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- Updated all usage of terraform-aws-security to v1.4.1 and of terraform-aws-data-storage to v0.47.0
- Replace Lambda Snapshot usage in data-stores modules with AWS Backup (requires migration, see below)
Published: 4/23/2026 | Modules affected: vpc-app, transit-gateway-peering-attachment-accepter, vpc-app-lookup, vpc-flow-logs | Release notes
- chore: bump cloud-nuke to v0.49.0
- chore: run cloud-nuke cleanup across all regions
- LIB-4871 Don't create EIP if using private NAT gateway
- Fix TGW accepter: skip data lookup when attachment ID is provided
- Remove deprecated attribute "name" for aws_region resource