Gruntwork release 2020-03
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-03. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 3/12/2020 | Modules affected: server-group | Release notes
- You can now configure the CloudWatch metrics to enable for the ASGs in the server-group module via the new enabled_metrics input variable.
Published: 3/26/2020 | Modules affected: redis | Release notes
- You can now specify a custom KMS key to encrypt data at rest in redis using the new kms_key_id input variable.
Published: 3/11/2020 | Modules affected: terraform-helpers | Release notes
This release updates the terraform-update-variables script to run terraform in the same folder as the updated vars file, so that it can take advantage of version rules set with tfenv.
Published: 3/11/2020 | Modules affected: infrastructure-deployer | Release notes
This release fixes a bug in the infrastructure-deployer CLI where it did not handle task start failures correctly.
Published: 3/6/2020 | Modules affected: terraform-helpers | Release notes
Add support for Mac OS X to the git-updated-folders script.
Published: 3/24/2020 | Modules affected: rds | Release notes
- You can now configure the read replicas with separate settings from the primary. In particular, you can use the new parameter_group_name_for_read_replicas input variable to set a separate parameter group for read replicas, and allow_connections_from_security_groups_to_read_replicas and allow_connections_from_cidr_blocks_to_read_replicas to configure a separate security group for read replicas.
Published: 3/16/2020 | Modules affected: rds | Release notes
- The rds module now allows you to enable IAM authentication for your database.
Published: 3/13/2020 | Modules affected: lambda-share-snapshot, lambda-create-snapshot, lambda-copy-shared-snapshot, lambda-cleanup-snapshots | Release notes
Each of the scheduled snapshot Lambda function modules now exposes a create_resources input variable that lets you conditionally turn the module off.
Published: 3/13/2020 | Modules affected: aurora | Release notes
- Solve #86: Add maintenance window for Aurora Cluster Instances.
Published: 3/7/2020 | Modules affected: lambda-create-snapshot | Release notes
Fix the log message for the Lambda function in lambda-create-snapshot so that it shows which CloudWatch metric was updated.
Published: 3/6/2020 | Modules affected: lambda-create-snapshot, lambda-cleanup-snapshots | Release notes
lambda-create-snapshot and lambda-cleanup-snapshots now support namespacing snapshots so that you can differentiate between snapshots created with different schedules. Take a look at the lambda-rds-snapshot-multiple-schedules example for an example of how to use this feature to manage daily and weekly snapshots.
Published: 3/4/2020 | Modules affected: lambda-share-snapshot, lambda-create-snapshot, lambda-copy-shared-snapshot, lambda-cleanup-snapshots | Release notes
The lambda functions for snapshot management have been upgraded to the python3.7 runtime. Note that although the lambda functions need to be redeployed, it will not affect your snapshots or existing RDS instances.
Published: 3/3/2020 | Modules affected: lambda-create-snapshot | Release notes
This release fixes a bug where the Lambda function for creating a snapshot was not granted the ability to invoke itself, which its retry logic requires.
Published: 3/19/2020 | Modules affected: ecs-cluster | Release notes
This release introduces two new list variables: allow_ssh_from_cidr_blocks and allow_ssh_from_security_group_ids. Use these lists to configure more flexible SSH access.
In addition, we have removed the num_alb_security_group_ids variable since the GitHub issue that it previously referenced has since been fixed.
Finally, this also migrates from dep to Go Modules.
Published: 3/29/2020 | Modules affected: eks-cluster-control-plane | Release notes
The EKS cluster creation timeout is now 60 minutes.
Published: 3/28/2020 | Modules affected: eks-cluster-control-plane | Release notes
This release includes an internal implementation change for the Fargate profiles to simplify the authentication mechanism when migrating the control plane services to Fargate. Note that if you were using schedule_control_plane_services_on_fargate = true, you will now need to use kubergrunt version 0.5.12 or greater.
Published: 3/26/2020 | Modules affected: eks-cluster-control-plane | Release notes
This release removes the fargate_only flag on the eks-cluster-control-plane module and replaces it with the more descriptive and accurate schedule_control_plane_services_on_fargate. Additionally, the module no longer configures the Fargate Profile to span all of the default and kube-system Namespaces. Instead, the Fargate profile only targets the control plane services, specifically coredns.
Rationale: fargate_only implies that the cluster can only be used with Fargate, but that is not true, as you can attach self-managed or managed worker nodes to the cluster and create a new Namespace to run non-Fargate workloads. Additionally, the previous flag made it impossible to run pods that were in the kube-system namespace on anything other than Fargate. This change was implemented to promote better flexibility on the cluster.
Refer to the migration guide for information on preserving the same semantics for existing clusters that have fargate_only set to true.
Published: 3/25/2020 | Modules affected: eks-k8s-cluster-autoscaler | Release notes
Fix bug where the cluster autoscaler in IRSA mode was unable to get the necessary IAM permissions to access the ASG.
Published: 3/24/2020 | Modules affected: eks-cluster-workers | Release notes
eks-cluster-workers now supports the create_resources parameter, which, when false, will turn off all the resources in the module.
Published: 3/20/2020 | Modules affected: eks-cluster-control-plane | Release notes
This release adds support for Kubernetes 1.15 and drops support for 1.12.
If you are using Kubernetes version 1.12, upgrade to at least 1.13 prior to updating the module. NOTE: AWS will be auto-upgrading all EKS clusters running 1.12 on May 11th, 2020.
Published: 3/19/2020 | Modules affected: eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, eks-alb-ingress-controller | Release notes
Fix an issue with the helm provider where the stable helm repository does not refresh correctly in certain circumstances.
Published: 3/19/2020 | Modules affected: eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, eks-alb-ingress-controller | Release notes
This release introduces Helm v3 compatibility for the EKS administrative application modules: eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, and eks-alb-ingress-controller. The major difference between this release and previous releases is that we no longer create the ServiceAccounts in Terraform and instead rely on the Helm charts to create the ServiceAccounts. Refer to the Migration Guide for information on how to migrate to this version.
Published: 3/18/2020 | Modules affected: eks-cluster-workers | Release notes
You can now use cloud-init for boot scripts for self-managed workers by providing it as user_data_base64.
Published: 3/12/2020 | Modules affected: eks-cluster-workers | Release notes
eks-cluster-workers now supports attaching secondary security groups in addition to the one created internally. This is useful to break cyclic dependencies between modules when setting up ELBs.
Published: 3/11/2020 | Modules affected: eks-cluster-control-plane | Release notes
This release introduces support for setting encryption configurations on your EKS cluster to implement envelope encryption of Secrets. Refer to the official AWS technical blog post for more information.
NOTE: This is only available for new EKS clusters. If you would like this on your cluster, you must relaunch your cluster to enable this.
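What the encryption configuration looks like in plain aws provider resources, as an added example that is not the eks-cluster-control-plane module's code. The cluster name, the control-plane IAM role and the subnet variable are assumptions made for the illustration:

```hcl
# Added illustration of EKS envelope encryption of Kubernetes Secrets.
# Not the Gruntwork module's code; resource and variable names are assumptions.

resource "aws_kms_key" "eks_secrets" {
  description             = "CMK that wraps the data keys used to encrypt Kubernetes Secrets"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "eks_secrets" {
  name          = "alias/eks-secrets"
  target_key_id = aws_kms_key.eks_secrets.key_id
}

resource "aws_eks_cluster" "example" {
  name     = "example-cluster"                   # assumed name
  role_arn = aws_iam_role.eks_control_plane.arn  # assumed to be defined elsewhere
  version  = "1.15"

  vpc_config {
    subnet_ids = var.control_plane_subnet_ids  # assumed input variable
  }

  # Envelope encryption: the API server encrypts each Secret object with a
  # data key, and KMS wraps that data key with the CMK above. "secrets" is
  # the only resource type EKS accepts here. In the provider version current
  # at the time of this release the block forces cluster replacement, which
  # is why the release notes say it is only available for new clusters.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
  }
}
```

Two checks worth doing after apply: the key policy (or an IAM policy on the cluster role) must let the cluster's IAM role use the key, or cluster creation fails; and `aws eks describe-cluster --name example-cluster --query cluster.encryptionConfig` should show the key ARN, which is the quickest way to confirm envelope encryption is actually on rather than assumed.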
Published: 3/4/2020 | Modules affected: eks-cloudwatch-container-logs | Release notes
The eks-cloudwatch-container-logs module now deploys a newer version of the fluentd container that supports IRSA.
Published: 3/29/2020 | Modules affected: lambda-edge | Release notes
You can now specify a permissions boundary on the IAM role created for lambda-edge.
Published: 3/12/2020 | Modules affected: scheduled-lambda-job, lambda | Release notes
The lambda and scheduled-lambda-job modules now support conditionally turning off resources in the module using the create_resources input parameter.
Published: 3/31/2020 | Modules affected: acm-tls-certificate | Release notes
This release adds support for requesting, and automatically verifying, multiple certificates via the ACM module.
Published: 3/10/2020 | Modules affected: acm-tls-certificate | Release notes
- Fix deprecation warning with the destroy provisioner.
Published: 3/2/2020 | Modules affected: alb | Release notes
- This release removes two unneeded input variables: aws_account_id and aws_region. Because these variables are unused, they can be safely removed.
Published: 3/2/2020 | Modules affected: logs/load-balancer-access-logs | Release notes
This release removes two unused variables: aws_account_id and aws_region. Both of these variables are unused by the logs/load-balancer-access-logs module, and therefore can be safely removed.
Published: 3/23/2020 | Modules affected: openvpn-server | Release notes
The openvpn-server module now accepts base64-encoded user data in the user_data_base64 variable. This is in addition to standard, plaintext user data in the user_data variable.
Published: 3/6/2020 | Modules affected: openvpn-server | Release notes
You can now restrict the CIDR blocks that are allowed to access the OpenVPN port with the variable allow_vpn_from_cidr_list.
Published: 3/31/2020 | Modules affected: kms-master-key-multi-region | Release notes
This release introduces a new module, kms-master-key-multi-region, which can be used to manage KMS CMKs across all enabled regions of an account.
Published: 3/19/2020 | Modules affected: auto-update, ntp, tls-cert-private | Release notes
- Fix a bug where some of our install scripts were missing DEBIAN_FRONTEND=noninteractive on the apt-get update calls. As a result, certain updates (such as tzdata) would occasionally try to request an interactive prompt, which would freeze or break Packer or Docker builds.
Published: 3/16/2020 | Modules affected: kms-master-key | Release notes
This release introduces support for managing more than one KMS Customer Master Key (CMK) using the kms-master-key module.
Published: 3/6/2020 | Modules affected: iam-policies | Release notes
Published: 3/6/2020 | Modules affected: iam-groups | Release notes
This release updates the iam-groups module to use for_each instead of count. By using for_each, the groups are less affected by changes in the input list var.iam_groups_for_cross_account_access.
See this blog post for more info on the differences between for_each and count.
Published: 3/9/2020 | Modules affected: single-server | Release notes
Published: 3/3/2020 | Modules affected: single-server | Release notes
- The single-server module now allows you to add custom security group IDs using the additional_security_group_ids input variable.
- The parameters that control SSH access in the single-server module have been refactored:
  - The allow_ssh_from_cidr and allow_ssh_from_security_group parameters have been removed. Terraform used to be much more picky about what you can reference in count parameters, but versions 0.12 and above allow data sources, and even looking up lengths on resources, so these redundant parameters are no longer necessary.
  - allow_ssh_from_security_group_id has been renamed to allow_ssh_from_security_group_ids and is now a list of security group IDs (instead of just one) from which SSH access will be allowed.
  - allow_rdp_from_cidr_list: A new input variable that is a list of CIDR blocks from which RDP access will be allowed.
  - allow_rdp_from_security_group_ids: A new input variable that is a list of security group IDs from which RDP access will be allowed.
- The source_ami_filter we were using to find the latest CentOS AMI in Packer templates started to pick up the wrong AMI, probably due to some change in the AWS Marketplace. We've updated our filter to fix this as described below.
Published: 3/25/2020 | Modules affected: s3-static-website, s3-cloudfront | Release notes
Resolve source of perpetual diff when using the cloudfront default certificate
Published: 3/19/2020 | Modules affected: s3-static-website | Release notes
Fix a bug in the s3-static-website module with versions of Terraform >0.12.11, where the output calculation fails with an error.
Published: 3/16/2020 | Modules affected: s3-cloudfront | Release notes
- Instead of supporting solely 404 and 500 error responses, now that we have Terraform 0.12, the s3-cloudfront module can take in a dynamic list of error responses using the new error_responses input parameter, which allows you to specify custom error responses for any 4xx and 5xx error.
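The Terraform 0.12 mechanism behind a variable-length list of error responses is a dynamic block. The following is an added example of that pattern on a bare aws_cloudfront_distribution, not the s3-cloudfront module's code; the shape of the error_responses variable, the origin input and the rest of the distribution settings are assumptions:

```hcl
# Added illustration of feeding a map of error responses into CloudFront
# through a dynamic block. Not the Gruntwork s3-cloudfront module's code;
# the variable shape and origin input are assumptions.

variable "error_responses" {
  description = "HTTP error code => page and status CloudFront should return"
  type = map(object({
    response_code         = number
    response_page_path    = string
    error_caching_min_ttl = number
  }))
  # Constructed sample: a private S3 origin answers 403, not 404, for missing
  # objects, so 403 is mapped to the same not-found page as 404.
  default = {
    "403" = { response_code = 404, response_page_path = "/404.html", error_caching_min_ttl = 60 }
    "404" = { response_code = 404, response_page_path = "/404.html", error_caching_min_ttl = 60 }
    "500" = { response_code = 500, response_page_path = "/500.html", error_caching_min_ttl = 0 }
    "503" = { response_code = 503, response_page_path = "/503.html", error_caching_min_ttl = 0 }
  }
}

variable "bucket_regional_domain_name" {
  type = string # assumed input: the S3 origin's regional domain name
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name = var.bucket_regional_domain_name
    origin_id   = "s3-site"
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  # One custom_error_response block per map entry. Terraform 0.11 could not
  # generate a variable number of nested blocks, which is why only 404 and
  # 500 used to be supported.
  dynamic "custom_error_response" {
    for_each = var.error_responses
    content {
      error_code            = tonumber(custom_error_response.key)
      response_code         = custom_error_response.value.response_code
      response_page_path    = custom_error_response.value.response_page_path
      error_caching_min_ttl = custom_error_response.value.error_caching_min_ttl
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

One caveat on "any 4xx and 5xx error": CloudFront only lets you customize a fixed set of codes (400, 403, 404, 405, 414, 416, 500, 501, 502, 503 and 504), so a map key outside that set fails at apply time rather than at plan time. The 403-to-404 mapping is the one most people want with a private bucket behind an origin access identity, since S3 denies rather than not-founds a missing key when the caller cannot list the bucket.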
Published: 3/27/2020 | Modules affected: vpc-app-network-acls | Release notes
This change allows all outbound traffic from private subnets to other private subnets and similarly all outbound traffic from the persistent subnets to the other persistent subnets. Previously, only TCP traffic was permitted.
Thanks to @scottclk for this contribution.
Published: 3/3/2020 | Modules affected: vpc-mgmt, vpc-app | Release notes
Previously, users had limited control over the spacing between subnets across AZs. The private and persistence subnets shared the same variable, and an automatic calculation was used to assign an address space to the persistence subnets.
With this release, we introduce two optional variables to the vpc-app module: private_subnet_spacing and persistence_subnet_spacing. If either of these is provided, that value will be used as the netnum argument to cidrsubnet. Otherwise, the usual subnet_spacing variable and its automatic calculation will still apply.
Additionally, vpc-mgmt is now more customizable with the introduction of the private_subnet_bits variable.
Thanks to @mmiranda for his contribution, and to @marinalimeira for her suggestions!
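How a spacing value turns into address ranges through cidrsubnet's netnum argument, as an added example of the mechanics rather than the vpc-app module's own calculation. The VPC CIDR, the newbits value, the per-AZ offset scheme and the spacing values are all constructed for the illustration:

```hcl
# Added illustration of cidrsubnet(prefix, newbits, netnum) driven by spacing
# values. Not the Gruntwork vpc-app module's code; every value is constructed.

locals {
  vpc_cidr = "10.0.0.0/16"
  azs      = ["us-east-1a", "us-east-1b", "us-east-1c"]

  # newbits = 4 carves /20 subnets out of the /16, giving 16 slots: netnum 0..15.
  newbits = 4

  # Public tier takes slots 0, 1, 2 (one per AZ).
  public_subnets = [
    for i, az in local.azs : cidrsubnet(local.vpc_cidr, local.newbits, i)
  ]

  # Each tier starts at its spacing value and then advances one slot per AZ,
  # so netnum = spacing + AZ index. Gaps between tiers leave room for growth.
  private_subnet_spacing     = 5
  persistence_subnet_spacing = 10

  private_subnets = [
    for i, az in local.azs : cidrsubnet(local.vpc_cidr, local.newbits, local.private_subnet_spacing + i)
  ]

  persistence_subnets = [
    for i, az in local.azs : cidrsubnet(local.vpc_cidr, local.newbits, local.persistence_subnet_spacing + i)
  ]

  # Sanity check: spacing values that sit too close together produce tiers
  # whose slots collide. Two tiers overlap exactly when a CIDR repeats.
  all_subnets      = concat(local.public_subnets, local.private_subnets, local.persistence_subnets)
  subnets_distinct = length(distinct(local.all_subnets)) == length(local.all_subnets)
}

output "private_subnets" {
  value = local.private_subnets
}

output "subnets_distinct" {
  value = local.subnets_distinct
}
```

With a /16 and 4 new bits each slot is 16 addresses wide in the third octet, so netnum 5 is 10.0.80.0/20, netnum 6 is 10.0.96.0/20 and netnum 7 is 10.0.112.0/20 for the private tier, and the persistence tier starts at 10.0.160.0/20. Setting persistence_subnet_spacing to 6 instead would make both tiers claim slots 6 and 7 and subnets_distinct would be false; and any spacing plus AZ index above 15 makes cidrsubnet itself fail, since the slot does not fit in the 4 new bits. Checking those two conditions before apply is cheaper than discovering an overlap when a route table refuses the second subnet.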