When provisioning an EKS cluster, we will now wait for the API endpoint to come up before marking the resource as created. This addresses an eventual-consistency issue where chaining EKS cluster resources to Kubernetes resources could sometimes fail, because Terraform marked the cluster resource as complete before the API was up and responsive. Note that this requires kubergrunt to be installed. You can get the older behavior back by setting use_kubergrunt_verification to false in the module parameters.
This release is not intended to be used in production, as core features of a production grade infrastructure are still missing. This is currently intended to be used for development and learning purposes so that you can plan out a migration to Gruntwork modules for managing EKS.
The server-group module now allows you to configure IOPS for your EBS volumes by specifying the iops attribute for each EBS volume you configure via the ebs_volumes parameter.
redis: Adds 4 new aws_replication_group permutations to the Redis module to work around the inability to use interpolations in the ignore_changes field of a lifecycle block (hashicorp/terraform#3116), which would have been the ideal solution for ignoring the number_cache_cluster field in cluster_mode and preventing terraform plan diffs caused by cluster resizing.
This release is backwards incompatible. To update an existing Redis cluster, use terragrunt state mv <old_address> <new_address> so that your cluster isn't deleted when you run terraform apply.
For example, to migrate a cluster mode Redis cluster deployed via the aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token resource, you'd run:
terraform state mv module.<your-module-name>.aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token module.<your-module-name>.aws_elasticache_replication_group.redis_with_snapshotting_without_auth_token_with_cluster_mode
The RDS module now lets you set the option group name and monitoring IAM Role path with two new optional variables, option_group_name and monitoring_role_arn_path, respectively.
The ecs-daemon-service module now exposes setting pid_mode via a new variable: ecs_task_definition_pid_mode. This allows setting the process namespace to use for the containers in the task. The valid values are host and task. The default value is task; note that the Terraform provider will not accept an empty string value without error.
The ecs-daemon-service module now exposes a deployment_minimum_healthy_percent parameter you can use to set the lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment.
The ecs-service-with-discovery now includes a new domain_name output variable that will be set to the fully-qualified domain name configured for the module (if any).
The ecs-service-with-discovery module now sets the default family name for the ECS Task Definition to ${var.service_name} rather than "${var.service_name}-task-definition" to be consistent with the other ECS modules. If you wish to retain the old naming convention, you can now explicitly set the family name using the new task_definition_family_name parameter.
This release includes big improvements in testing. Tests are upgraded to terratest v0.13.20 and are now executed on 3 different Linux distributions: Ubuntu, Amazon Linux and CentOS.
Also, a number of module dependencies were updated to more recent versions.
The ALB requires all listeners to have a "default action" that defines what to do for a request that doesn't match any listener rule. In the past, the only supported action was to forward requests to a target group, so we used to forward to an empty "black hole" target group, resulting in a 503. The ALB now supports fixed responses, so we've updated the default action of the alb module to return a blank 404 page, which is a more appropriate status code.
For most teams, the new 404 behavior is better, so no code changes will be necessary. However, if you wish to override this 404 behavior, you have two options:
You can override the default fixed response via the default_action_content_type, default_action_body, and default_action_status_code parameters.
You can add an ALB Listener Rule that catches ALL requests (i.e., *) and have that rule forward to a custom Target Group so your own apps can respond in any way you wish.
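The two behaviors described above, written out as raw AWS provider resources rather than through the alb module. This is an added example, not the module's own code; the aws_lb, aws_lb_listener and aws_lb_target_group names are assumptions, and the mapping of the three module parameters onto the fixed_response block is inferred from the notes, not confirmed by them.

```hcl
# Added example (not the alb module's code). Resource names and ARNs are assumptions.

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn   # assumed ALB resource
  port              = 80
  protocol          = "HTTP"

  # New default action: a blank 404 for any request no listener rule matches.
  # Previously the default forwarded to an empty "black hole" target group, so
  # callers saw a 503 (service failure) for what is really "no such route".
  # The module's default_action_content_type / default_action_body /
  # default_action_status_code parameters correspond to the three fields below.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = ""
      status_code  = "404"
    }
  }
}

# Option 2 from the notes: a catch-all rule (path "*") that forwards every
# otherwise-unmatched request to a target group you own, so your own app
# decides how to answer. Lowest priority so that specific rules win.
resource "aws_lb_listener_rule" "catch_all" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 50000   # highest number = evaluated last

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn   # assumed target group
  }

  condition {
    path_pattern {
      values = ["*"]
    }
  }
}
```

A 404 default avoids advertising a backend outage to probes that hit unrouted paths; the catch-all rule only makes sense if the target group has healthy targets, otherwise you are back to a 503.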
Add DEBIAN_FRONTEND=noninteractive to calls to apt-get so that the install doesn't hang during automated builds. Use systemctl instead of update-rc.d to boot fail2ban on Ubuntu.
mount-ebs-volume now uses the UUID instead of the device name to mount volumes. With some OS and volume configurations, the device name can change after a reboot, so using the UUID ensures that the volume is always identified the same way.
The mount-ebs-volume script will now retry correctly if an EBS volume exists but is attached to a different EC2 instance. This is useful to ensure the script retries while an old instance shuts down and releases the volume.
Some users may have requirements for tighter security group rules on instances, but the single-server module currently has a hard coded rule to allow all outbound traffic.
What we changed:
Added an allow_all_outbound_traffic variable to the single-server module and implemented it so the allow_outbound_all security group rule can be toggled on or off by end users.
The variable defaults to true so existing users will be unaffected.
This release introduces modules that support running Python PEX files from Terraform in such a way that the scripts themselves do not need to be embedded in the PEX. See the documentation to learn more about PEX.
run-pex-as-data-source can be used to run python pex files as an external data source.
run-pex-as-resource can be used to run python pex files as a local-exec provisioner on a null_resource.
Introduces a new module, require-executable, that can be used to ensure particular executables are available in the PATH, with a customizable error message when one is not found.
The Network ACLs now allow outbound DNS (UDP, port 53) traffic by default. Most services need DNS, so it seems like a bug not to have exposed this properly before. Note that internal AWS DNS seems to work without this, but for other DNS systems, such as the one used by Kubernetes, this is an important fix.
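The rule the new default corresponds to, expressed as raw aws_network_acl_rule resources rather than through the vpc-app module. This is an added example, not the module's own code; the ACL reference, rule numbers and CIDR are assumptions. It also shows the stateless-ACL caveat the note does not spell out: the egress rule alone is not enough, the resolver's reply needs an inbound rule too.

```hcl
# Added example (not the vpc-app module's code). ACL id, rule numbers and CIDRs
# are assumptions; narrow the CIDR to your resolver's range where you can.

# Outbound DNS queries: UDP to port 53.
resource "aws_network_acl_rule" "dns_out" {
  network_acl_id = aws_network_acl.private.id   # assumed ACL resource
  rule_number    = 110
  egress         = true
  protocol       = "udp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 53
  to_port        = 53
}

# Network ACLs are stateless: the resolver's answer arrives as inbound UDP
# addressed to the client's ephemeral source port. Without this inbound rule
# the query leaves but the reply is dropped, and lookups time out. Cluster DNS
# (e.g. the Kubernetes resolver) lives on a real address, which is why the
# egress rule matters there even though the AWS-internal resolver already works.
resource "aws_network_acl_rule" "dns_reply_in" {
  network_acl_id = aws_network_acl.private.id
  rule_number    = 111
  egress         = false
  protocol       = "udp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 1024
  to_port        = 65535
}
```

To verify after apply, run a lookup from an instance in the subnet (for example with dig against the cluster resolver) and confirm that the aws_network_acl_rule.dns_out rule number sorts before any deny rule covering UDP.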
You can now create Elastic IP Addresses (EIPs) for your NAT Gateways outside of the vpc-app module and tell the module to use those EIPs by setting the use_custom_nat_eips parameter to true and passing in the list of EIP allocation IDs using the custom_nat_eips parameter.
Fix a misconfiguration of the count parameter for Security Group rules on inbound CIDR blocks that would lead to errors with duplicate Security Group rules being created.
The run-health-checker module will now properly pass healthchecks for single-node ZooKeeper clusters running in "standalone" mode (e.g., in pre-prod environments).
Improved ZooKeeper health checking by not only monitoring availability of the ZK client port, but actually checking the cluster status of the node with a stat command using a custom health-checker script target.
The RBAC roles and RBAC role bindings are now managed using the kubernetes provider as opposed to kubectl.
This is a backwards incompatible change. Specifically, the modules no longer need a kubectl_config_context_name or kubectl_config_path. Additionally, we now require the number of RBAC roles to be passed in as a variable, to work around a Terraform limitation with looping over interpolated lists.
Introduces the k8s-namespace Terraform module, which creates a namespace together with RBAC roles for admin access and read-only access restricted to that namespace.
Introduces the k8s-service-account Terraform module, which creates a service account. This module also supports binding RBAC roles to the service account.