This release adds a new helper function called toYaml that will render a given input variable to a YAML string. This is similar to the toJson sprig function.
Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.
The EKS modules have been updated to v0.28.0, which removes the dependency on the helm 2 chart repository, which has now been retired. This includes a backwards incompatible change for eks-core-services. To update to this version, the easiest approach is to redeploy the services in eks-core-services by running a terragrunt destroy followed by a terragrunt apply on that module. Note that this is a safe operation because all the services in eks-core-services are stateless, though they will be unavailable between the destroy and the apply.
The efs module now allows you to grant root access to the EFS volume using the root_access_arns field in the efs_access_points input variable. This is a backwards incompatible update, so please see the migration guide for instructions.
You can now configure the permissions boundary for the auto scaling IAM role in ecs-service using the new autoscaling_role_permissions_boundary_arn input variable.
This release updates eks-cluster-workers to allow you to specify different instance types for each ASG specified in var.autoscaling_group_configurations. As part of this change, var.autoscaling_group_configurations was converted from an object type with concrete attributes to the any type to allow for optional attributes. Now you only need to specify subnet_ids as opposed to the whole object, with the missing values being sourced from the variables prefixed with asg_default. Refer to the updated variable documentation for more details.
The cleanup routine for EKS control plane will now cull Security Groups created by the AWS Load Balancer Controller.
This release updates the eks-alb-ingress-controller to use the new chart location following the deprecation of the incubator and stable helm chart repositories. In the process, the underlying controller has been upgraded to v2. Please refer to the migration guide below for information on updating to this release.
Fix a bug in eks-container-logs where the Elasticsearch output was being enabled by default. This also fixes a bug where the boolean encoding in the helm chart values was incorrect.
Expose the ability to configure pod_resources for the DaemonSet in eks-container-logs.
Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
Once all Gruntwork repos have been upgraded to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
You can now configure a custom assume role policy for the IAM role in the lambda module using the new assume_role_policy input variable. This is useful in a few special cases when the default assume role policy won't work, such as using Lambda functions to rotate secrets in AWS Secrets Manager.
The lambda module now allows you to mount an EFS file system in your Lambda functions using the new mount_to_file_system, file_system_access_point_arn, and file_system_mount_path variables. See this example for sample usage.
The rds-alarms module will now only create the replication error alarm if there is more than one RDS instance (that is, if there are actual replicas to alert about!).
We're using easy-rsa v2.x on Ubuntu 20.04, which allows for continuity between the Ubuntu 16.04, 18.04 and 20.04 implementations of package-openvpn. There's an issue raised to follow up on this and upgrade to easy-rsa v3.x.
By adding support for Ubuntu 20.04, we're ensuring:
this package can work on the latest LTS distro and has been tested with it
users can use a more secure implementation of openVPN
users can reuse the /examples/packer/build.json to build an AMI with Ubuntu 20.04.
Docs have also been updated to allow future OS support contributions, and to make it clearer to users how to get started with the openvpn-host terraform example.
This release fixes two issues with the ebs-encryption modules:
Previously, the aws_ebs_encryption_default_kms_key output was a list of strings, but the only possibility was a list of 0 or 1 elements. It now outputs a string instead.
A typo in the aws_ebs_encryption_default_kms_key output resulted in the wrong value. The output now exposes the intended value, which is the KMS key ARN of the default key.
If you were previously using this output as a list, update your code to instead expect a string value. Also be aware that the module now provides the actual key ARN correctly.
New module: secrets-manager-resource-policies. This module manages the resource-based policies that can be associated with AWS Secrets Manager secrets. You can use the module to grant read only and full access to secrets by specifying any user, role, or root ARN in the iam_entities_with_read_access and iam_entities_with_full_access variables, respectively. You can also construct a custom policy using the aws_iam_policy_document data source and provide it via the policy_statement_json variable.
You can now configure how many days to retain CloudWatch logs in the cloudtrail module using the new num_days_to_retain_cloudwatch_logs input variable.
The aws-organizations and account-baseline-root modules now output organization_root_id.
The aws-config-multi-region module can now configure default AWS Config rules (those defined by the aws-config-rules module) in every region AWS Config is enabled. This behavior is controlled using the new enable_config_rules input variable (NOTE: defaults to true).
The aws-config-rules module can now separately apply rules related to global resources such as IAM using the new enable_global_resource_rules variable. As a result, the account baseline modules have been updated to manage the config rules in aws-config-multi-region as opposed to separately calling the aws-config-rules module, so that the config rules are applied in every region supported by AWS Config. This means the resource addresses for the config rules have changed. Refer to the migration guide for information on how to upgrade to this version.
Additional parameters for managing aws-config-rules are now exposed in the account baseline modules. The following configuration parameters are now exposed in each account baseline module:
This release adds a new module, ebs-encryption, which allows you to control whether EC2 Elastic Block Storage volumes are encrypted by default. The corresponding ebs-encryption-multi-region module will do the same, but for multiple regions in parallel. The account-baseline-* modules have been updated to use these modules to enable EBS encryption by default. For usage details, refer to the example.
Update dependency gruntwork-io/terraform-aws-vpc: v0.10.0 => v0.11.0 (release notes). NOTE: This includes a backwards incompatible change for networking/vpc module if you had create_dns_forwarder = true. Refer to the migration guide from the underlying module for more information.
The aurora module can now read its DB config (e.g. username, password, port, engine, and database name) from a JSON object in an AWS Secrets Manager secret, similar to what was already available for the RDS module.
Update dependency gruntwork-io/terraform-aws-eks: v0.28.0 => v0.29.0 (release notes). Note that this will require code changes to the input variables. Refer to the migration guide from the underlying module for more information.
The outputs of the default EBS encryption in the account-baseline-app landingzone module have changed. See the v0.42.0 module-security release notes for details.
Adds two new optional variables to the ecs-deploy-runner service:
shared_secrets_enabled: a boolean indicating whether or not shared secrets are to be used
shared_secrets_kms_cmk_arn: the ARN of a KMS key from another account used to encrypt shared secrets
The use case is to allow a single, central account, such as the shared-services account, to create AWS Secrets Manager secrets, encrypt them with a KMS CMK, and allow delegated accounts to decrypt those secrets. If shared_secrets_enabled=true, then shared_secrets_kms_cmk_arn must be provided. The module will grant Decrypt and DescribeKey permissions on that key to each of the ECS deploy runner containers as well as to the ECS task execution role. Note that these IAM grants live in the delegated account; cross-account use of a CMK also requires the key policy in the central account to allow kms:Decrypt and kms:DescribeKey for those roles, and the secret itself must be readable by them (for example via a resource policy), otherwise decryption will be denied.
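The central-account side of this setup, as an added illustration that is not code from these release notes or from the ecs-deploy-runner or secrets-manager-resource-policies modules. It shows the two policies a module in the delegated account cannot create for you: the KMS key policy that authorises the delegated roles to decrypt, and a read-only Secrets Manager resource policy of the kind secrets-manager-resource-policies builds from iam_entities_with_read_access. Account IDs, the role name ecs-deploy-runner, the region and the secret name are all assumptions; in practice the central-account resources and the delegated-account IAM policy live in separate configurations with their own providers.

```hcl
# Added example; not part of the original modules. All identifiers below are assumed.
locals {
  central_account_id   = "111111111111" # assumed shared-services account
  delegated_account_id = "222222222222" # assumed delegated (app) account
  delegated_role_arns  = ["arn:aws:iam::222222222222:role/ecs-deploy-runner"]
}

# Key policy in the central account. Cross-account use of a CMK needs BOTH this
# key policy and an IAM policy in the consuming account; an IAM grant alone is not enough.
data "aws_iam_policy_document" "shared_secrets_key" {
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.central_account_id}:root"]
    }
  }

  statement {
    sid       = "AllowDelegatedRolesToDecrypt"
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.delegated_role_arns
    }
    # Only honour requests routed through Secrets Manager in this region, so the
    # key cannot be used to decrypt arbitrary ciphertext from elsewhere.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.us-east-1.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "shared_secrets" {
  description         = "CMK for secrets shared with delegated accounts"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.shared_secrets_key.json
}

resource "aws_secretsmanager_secret" "db_password" {
  name       = "shared/db-password" # assumed name
  kms_key_id = aws_kms_key.shared_secrets.arn
}

# Resource policy on the secret: read-only for the delegated roles. Secrets Manager
# resource policies use "*" as the resource, since the policy is attached to the secret.
data "aws_iam_policy_document" "db_password_read_only" {
  statement {
    sid       = "AllowReadOnly"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = local.delegated_role_arns
    }
  }
}

resource "aws_secretsmanager_secret_policy" "db_password" {
  secret_arn = aws_secretsmanager_secret.db_password.arn
  policy     = data.aws_iam_policy_document.db_password_read_only.json
}

# Delegated-account side (applied there with its own provider): the identity-based
# policy for the deploy runner task role. This is the part the module's
# shared_secrets_kms_cmk_arn grant covers for the KMS actions.
data "aws_iam_policy_document" "delegated_runner_read_shared" {
  statement {
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_secretsmanager_secret.db_password.arn]
  }
  statement {
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = [aws_kms_key.shared_secrets.arn]
  }
}
```

The kms:ViaService condition is optional but worth keeping: without it the delegated roles could call kms:Decrypt directly on any ciphertext produced under this key, not just the secrets Secrets Manager hands them. If the delegated roles should also be able to write the secret, grant secretsmanager:PutSecretValue and kms:Encrypt / kms:GenerateDataKey in the same two places.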
Update default version of terragrunt installed in jenkins from v0.26.2 to v0.26.3.
Update dependency gruntwork-io/terraform-aws-eks: v0.27.2 => v0.28.0 (release notes). Note that this will redeploy the AWS ALB ingress controller, upgrading to v2 pods. The v2 ingress controller is backwards compatible with existing ingress resources, and this will not cause your ALBs to shuffle (no downtime to your apps).
Update terraform-aws-eks: v0.26.0 => v0.27.2 (Release notes: v0.26.1 ; v0.27.0 ; v0.27.1 ; v0.27.2). NOTE: This includes a backwards incompatible change for the eks-core-services module. Refer to the migration guide below for more info.
Update the default version of helm and packer that is installed in jenkins (v3.4.0 for helm and v1.6.5 for packer).
Update module-security version: v0.40.1 => v0.41.1 (Release notes: v0.40.2 ; v0.41.0 ; v0.41.1). NOTE: This includes a backwards incompatible change for the account-baseline modules. Refer to the migration guide below for more info.
module-security has been updated: v0.40.0 => v0.40.1 (release notes)
module-data-storage has been updated: v0.16.2 => v0.16.3 (release notes)
The pyenv .python-version file was removed from this repo. This was causing problems when invoking modules that used python, as it ended up in the directory tree of the module call.
Exposes the iam_database_authentication_enabled input variable for aurora and rds modules.
create_route53_entry has been removed from k8s-service. The variable is now computed based on domain_name. This is a backwards incompatible change: to update, remove the create_route53_entry input var from your module call.
Add a new service module for configuring a private S3 bucket.
Expose the cluster domain name as a module output for the AWS managed Elasticsearch cluster.
Bump the default version for the kubergrunt binary to v0.6.4.
This release updates the default names set for the VPC DNS resolvers. The names are now DESTINATION_VPC_NAME-from-ORIGIN_VPC_NAME-in for the inbound resolver and ORIGIN_VPC_NAME-to-DESTINATION_VPC_NAME-out for the outbound resolver. You can override these names using the destination_vpc_resolver_name and origin_vpc_resolver_name input variables.