Skip to main content

Gruntwork release 2026-06

Guides / Update Guides / Releases / 2026-06

This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2026-06. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

pipelines-actions

v4.11.1

Published: 6/18/2026 | Release notes

Full Changelog: https://github.com/gruntwork-io/pipelines-actions/compare/v4.11.0...v4.11.1

v4.11.0

Published: 6/15/2026 | Release notes

v4.10.1

Published: 6/11/2026 | Release notes

pipelines-cli

v0.55.3

Published: 6/25/2026 | Release notes

Details on user-facing changes will be documented in the release notes for:

v0.55.2

Published: 6/22/2026 | Release notes

Details on user-facing changes will be documented in the release notes for:

v0.55.2-glab-remote

Published: 6/24/2026 | Release notes

Details on user-facing changes will be documented in the release notes for:

v0.55.1

Published: 6/18/2026 | Release notes

Details on user-facing changes will be documented in the release notes for:

v0.55.0

Published: 6/17/2026 | Release notes

Details on user-facing changes will be documented in the release notes for:

pipelines-workflows

v4.19.0

Published: 6/25/2026 | Release notes

Added support for after_hook

This release introduces Pipeline Hooks, a new Enterprise feature that lets you extend pipeline runs with custom logic in response to Terragrunt plans and applies.

As a first step, we’re introducing the after_hook repository block, which allows you to run a custom script after Terragrunt execution completes. Support for before_hook and error_hook is planned for a future release.

Hooks receive rich context about the pipeline run, including execution results and access to plan files for each unit. They can also generate custom output that is displayed in the pull request comment, making it easy to tailor the developer experience to your team’s needs.

See the documentation for setup instructions and additional details.

Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.18.2...v4.19.0

v4.18.4

Published: 6/23/2026 | Release notes

This release removes some unused features from 4.18.3 to maximize stability of the 4.18 release series. The as-yet-unreleased features will be introduced in 4.19.

Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.18.3...v4.18.4

v4.18.3

Published: 6/22/2026 | Release notes

This is a preparation release for our upcoming new feature: after-hooks. Included is, currently unused, foundational APIs that will be exposed in an upcoming release.

Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.18.2...v4.18.3

v4.18.2

Published: 6/11/2026 | Release notes

Previously the first mise install call was incorrectly running outside of the infra live directory. This caused the initial cache value to be incorrectly populated with only the mise binary (no Terragrunt or OpenTofu/Terraform binaries). Fixing this improves subsequent mise install times in execute steps.

Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.18.2

v4.18.1

Published: 6/1/2026 | Release notes

When force pushing updates to the drift detection branch, the Drift Detection workflow could force push updates to the deploy branch if branch protection settings were not enabled, and a stale drift detection branch was allowed to go stale with self-hosted runners.

The force push for updating the drift detection branch is now restricted to the relevant Refspec, preventing accidental rewinds of the deploy branch, even when branch protection is removed.

Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.18.1

terraform-aws-architecture-catalog

v6.0.0

Published: 6/30/2026 | Release notes

Full Changelog: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v5.0.0...v6.0.0

terraform-aws-control-tower

v2.1.0

Published: 6/19/2026 | Modules affected: landingzone | Release notes

  • fix: harden cloud-nuke cleanup CI and bump to v0.50.0
  • Bump cloud-nuke cleanup to v0.52.0 (parallel scan)
  • Feat: Add landingzone 4.0 support

terraform-aws-data-storage

v1.2.0

Published: 6/5/2026 | Modules affected: - rds, - rds-proxy, - rds-replicas, - backup-plan | Release notes

  • rds

  • rds-proxy

  • rds-replicas

  • backup-plan

  • opensearch

  • feat(opensearch): add identity_center_options support (#594). New nullable variable for AWS IAM Identity Center integration, defaulting to null (disabled). Breaking: raises the module's AWS provider floor from >= 5.0.0 to >= 6.20.0.

  • fix(rds): use vpc_security_group_*_rule to avoid create race (#591). Swaps aws_security_group_rule for aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule in rds, rds-proxy, rds-replicas. Inputs, outputs, and AWS end state unchanged; only state representation changes. Included Patcher patch handles migration. See UPGRADING.md.

  • fix(backup-plan): wire completion_window, start_window, recovery_point_tags (#595, LIB-5144). These local vars now pass through to the aws_backup_plan resource.

  • chore: cloud-nuke CI maintenance (#587, #588, #589). Bumps cloud-nuke to v0.50.0 and hardens cleanup. CI only; no module changes.

Special thanks to the following users for their contribution!

terraform-aws-load-balancer

v1.3.2

Published: 6/2/2026 | Modules affected: alb | Release notes

  • Added security_group_tags variable to modules/alb providing a simple way to customize specific security group tags independently of custom_tags

terraform-aws-service-catalog

v2.12.0

Published: 6/30/2026 | Modules affected: data-stores, mgmt, services | Release notes

  • Bump cloud-nuke cleanup to v0.52.0 (parallel scan)
  • Bump data-stores rds, rds-replica, aurora to data-storage v1.2.0
  • feat(data-stores): expose backup-plan start_window, completion_window, recovery_point_tags
  • Test fix: resolve failing mgmt test
  • Upgraded OVPN resources

v2.11.0

Published: 6/18/2026 | Modules affected: services/eks-workers | Release notes

  • Drop unused cloud-nuke --config from cloud_nuke_cleanup
  • fix(eks-workers): AL2023 nodes fail to rejoin the cluster after a reboot:
    • AL2023 EKS worker nodes (managed node groups or self-managed ASGs using an AL2023_* ami_type) previously failed to rejoin the cluster after a reboot, kubelet never restarted and the node was stuck NotReady until terminated and replaced.
    • The module bootstrapped AL2023 nodes with a one-time cloud-init script that wrote /etc/eks/nodeconfig.yaml and ran nodeadm init; on reboot the AMI's nodeadm-config.service reads the NodeConfig only from the instance user-data (caching to /run, which is tmpfs and wiped on reboot), found none, and the bootstrap failed.
    • The fix delivers the core NodeConfig as an application/node.eks.aws user-data MIME part so nodeadm finds it on every boot, and reduces the cloud-init script to writing the EC2-tag node labels to a persistent /etc/eks/nodeadm.d/ drop-in that nodeadm-run.service re-merges on each boot. max_pods_allowed and eks_kubelet_extra_args continue to be honored on AL2023. The AL2 path is unchanged.

v2.10.0

Published: 6/8/2026 | Modules affected: - data-stores | Release notes

  • data-stores

  • rds: Added configuration variables for read replica instance settings (read_replica_instance_type, read_replica_multi_az) and read replica CloudWatch alarms (replication_error_*, high_replica_lag_*). Bumps the underlying terraform-aws-data-storage//modules/rds module from v0.47.0 to v1.1.0.

This release bumps the rds module's reference to terraform-aws-data-storage from v0.47.0 to v1.1.0. That upstream version replaces the legacy aws_security_group_rule resources with one aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule per CIDR. The AWS end state is identical (same security group, same rules); only the Terraform state representation changed, so a state migration is required.

  • Recommended path is patcher upgrade. The upstream repo ships migrations that terraform import the existing rules under their new addresses, producing no destroy/create plan diff.
  • Without Patcher, terraform plan will show a destroy and recreate for each security group rule. Apply in a maintenance window, since each rule is briefly removed before recreation.
  • Treat allow_connections_from_*_cidr_blocks and allow_outbound_* lists as ordered. Reordering entries on a future change will recreate the corresponding rule resources.

See the upstream guide for full details: https://github.com/gruntwork-io/terraform-aws-data-storage/blob/v1.1.0/UPGRADING.md

Special thanks to @a-hat for this contribution!