Gruntwork release 2021-06
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2021-06. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 6/12/2021 | Release notes
This release adds the `gruntwork aws reset-password` command to allow resetting the password of an IAM user. See #72 for the relevant code.
Published: 6/24/2021 | Release notes
Correctly populates the arguments when generating examples.
Published: 6/24/2021 | Release notes
Fixes path to the CIS service catalog when generating examples.
Published: 6/24/2021 | Release notes
Another fix for generating for-production examples.
Published: 6/23/2021 | Release notes
Attempts to fix issues with generating the for-production examples.
Published: 6/23/2021 | Release notes
Fixes another issue with test failures in the refarch-deployer
unit tests.
Published: 6/22/2021 | Release notes
Fixes an issue with testing when on a tag ref vs a branch.
Published: 6/22/2021 | Release notes
- Bumps terraform-aws-service-catalog, terraform-aws-security, terragrunt, and gruntwork-installer to the latest versions.
- Adds CI build step to generate for-production examples in the service catalogs
- Fixes the source URL in the CIS service catalog for-production examples
- #328
- #205
- #255
- #310
- #297
- #327
- #322
- #295
Published: 6/15/2021 | Release notes
- Hand-off text is now generated as part of the repo root, in QUICK_START.md.
- Bunch of other updates!
- #300
- #301
- #302
- #304
- #305
- #306
- #307
- #298
- #316
- #318
- #317
- #319
- #320
- #196
Published: 6/14/2021 | Modules affected: server-group | Release notes
- Fix bug where the IAM permissions were not being attached before the ASG was created
Published: 6/17/2021 | Modules affected: infrastructure-deployer | Release notes
- `infrastructure-deployer` now supports AWS SSO and `~/.aws/config`.
- Fix typos in various docs.
Published: 6/11/2021 | Release notes
- Add toggles for backup routines in Jenkins example
Published: 6/8/2021 | Release notes
The `jenkins` module now supports Ubuntu 20.04. Note that starting this release, support for Ubuntu 16.04 is dropped.
Published: 6/30/2021 | Modules affected: landingzone | Release notes
- Remove unused code from SecurityHub codegen and fix run_tests
- Expose missing bucket variables for Account Baseline Root
Published: 6/28/2021 | Modules affected: observability, security, landingzone, networking | Release notes
- Add Terraform Validate test
- Update for-production examples for architecture catalog v0.0.15
- Update underlying dependencies
- gruntwork-io/terraform-aws-security to v0.49.4
- gruntwork-io/terraform-aws-service-catalog to v0.44.5
Published: 6/21/2021 | Modules affected: observability, security, landingzone, networking | Release notes
Update underlying dependencies:
- gruntwork-io/terraform-aws-monitoring to v0.29.1
- gruntwork-io/terraform-aws-security to v0.49.3
- gruntwork-io/terraform-aws-service-catalog to v0.44.0
- gruntwork-io/terraform-aws-vpc to v0.15.5
Published: 6/18/2021 | Modules affected: security/aws-securityhub | Release notes
- Introduce `aws_securityhub_invite_accepter`
- [BACKWARDS INCOMPATIBLE] Port run_test functionality from terraform-aws-service-catalog
Published: 6/17/2021 | Modules affected: landingzone, security, observability, networking | Release notes
- Adds a locking mechanism to Securityhub tests, to prevent a race condition that happened during concurrent runs of these tests.
- Adds `for-production` examples.
- Updates variable description for the Security Hub's email.
- Cleans up unused variables in `account-baseline-root`.
- Updates log filters to meet CIS 1.4 recommendations.
- Updates version references from v1.3 to v1.4 throughout the codebase.
Published: 6/14/2021 | Modules affected: landingzone, observability, security, networking | Release notes
- Fixes a bug in the password policies where all credentials would get expired after 90 days, and not just unused ones. It also amends the 90-day period to 45 days, to comply with the new 1.4 version of the CIS AWS Benchmark.
- Updates dependencies:
- gruntwork-io/terraform-aws-security to v0.49.2
- gruntwork-io/terraform-aws-service-catalog to v0.42.0
Published: 6/11/2021 | Modules affected: aws-config-multi-region, aws-securityhub, cleanup-expired-certs, cloudtrail | Release notes
Published: 6/7/2021 | Modules affected: networking, aws-config-multi-region, cloudtrail, cross-account-iam-roles | Release notes
Update the underlying versions of the following modules:
- gruntwork-io/terraform-aws-vpc to v0.15.4
- gruntwork-io/terraform-aws-security to v0.49.1
- gruntwork-io/terraform-aws-service-catalog to v0.41.0
The terraform-aws-service-catalog update contains backwards incompatible changes. Please go through the migration guides associated with all the major version releases of terraform-aws-service-catalog between v0.37.0 and v0.41.0 and make any necessary changes in your code.
Published: 6/3/2021 | Modules affected: iam-groups, landingzone/account-baseline-root | Release notes
This release adds a new Landing Zone service: Account Baseline Root.
It also removes the `iam_group_name_cross_account_access_all` variable.
Published: 6/17/2021 | Modules affected: rds | Release notes
- You can now configure timeouts in the `rds` module using the new `creating_timeout`, `updating_timeout`, and `deleting_timeout` input variables.
Published: 6/2/2021 | Modules affected: ecs-service | Release notes
- Fix a bug in the `ecs-service` module where it was failing to create the Assume Role Policy in some cases where it needed to.
Published: 6/5/2021 | Modules affected: eks-cluster-managed-workers, eks-cluster-workers | Release notes
- Make default configurations for Managed Node Groups more ergonomic by separating out the single object into separate variables. This makes it easy to override a subset of the values (as you do not need to define the full object).
- Provide ability to assist the Managed Node Group `for_each` call when the `node_group_configurations` variable depends on a resource (e.g., if you are creating the launch templates in the same module). This can be done by statically defining the node group names using the `node_group_names` variable.
- Fix bug where the remote access subblock is included when using launch templates.
- Expose ability to customize the IAM role name. This is useful when the module is called multiple times.
- Expose ability to use an externally managed IAM role for the EKS workers. This is useful when the module is called multiple times.
Published: 6/3/2021 | Modules affected: eks-cluster-control-plane | Release notes
- Add support for skipping individual components during cluster upgrades. Note that you will need `kubergrunt` version v0.7.1 and above to take advantage of the skip feature.
Published: 6/10/2021 | Modules affected: auto-discovery, install-collectd, install-elastalert, install-elasticsearch | Release notes
- Add support for Ubuntu 20.04. Note that starting this release, support for Ubuntu 16.04 is dropped.
Published: 6/15/2021 | Release notes
- Ubuntu 20.04 and Amazon Linux 2 update: All the modules are now tested and verified with Ubuntu 20.04.
- Ubuntu 16.04 and Amazon Linux 1 deprecated: We are no longer testing and supporting compatibility with Ubuntu 16.04 and Amazon Linux 1. If you are still using Ubuntu 16.04 or Amazon Linux 1, update to Ubuntu 18.04, 20.04, or Amazon Linux 2.
Published: 6/17/2021 | Modules affected: agents/cloudwatch-agent | Release notes
- You can now disable metrics reporting using the new `--disable-cpu-metrics`, `--disable-mem-metrics`, and `--disable-disk-metrics` args of the `configure-cloudwatch-agent.sh` script.
Published: 6/17/2021 | Modules affected: alarms, agents/cloudwatch-agent | Release notes
- The CloudWatch Agent is now configured to report disk usage percent and memory usage percent metrics.
- The EC2 and ASG alarms have been adjusted to be consistent with `cloudwatch-agent`. This means that the new alarms are not compatible with the old `cloudwatch-memory-disk-metrics-scripts`. If you wish to retain the old compatibility, you can set the namespace and metric name to the old values. See the migration guide below for more info.
Published: 6/15/2021 | Modules affected: agents/cloudwatch-agent | Release notes
- Fix wrong error message in `configure-cloudwatch-agent.sh`
Published: 6/15/2021 | Modules affected: logs/cloudwatch-log-aggregation-scripts, metrics/cloudwatch-memory-disk-metrics-scripts, agents/cloudwatch-agent | Release notes
- Fix bug in `agents/cloudwatch-agent` module where the metrics were not being reported under the `InstanceId` dimension.
- The `logs/cloudwatch-log-aggregation-scripts` and `metrics/cloudwatch-memory-disk-metrics-scripts` modules have been removed, as they are now functionally replaced by `agents/cloudwatch-agent`. Refer to the following pages for migration information:
Published: 6/22/2021 | Modules affected: custom-iam-entity | Release notes
- You can now attach inline custom IAM policies on the IAM group/role managed by `custom-iam-entity`.
Published: 6/16/2021 | Modules affected: private-s3-bucket | Release notes
Setting `sse_algorithm` to `null` will now disable encryption on S3 buckets.
Published: 6/14/2021 | Modules affected: aws-config-multi-region, aws-config-rules | Release notes
Adds a new AWS Config rule for checking unused credentials. Introduces two new variables `enable_iam_user_unused_credentials_check` and `iam_user_max_credential_usage_age` in both `aws-config-rules` and `aws-config-multi-region` modules.
Published: 6/4/2021 | Modules affected: custom-iam-entity | Release notes
Adds a new feature to the `custom-iam-entity` module to make it easier to create an IAM group that only has permissions to assume one or more IAM roles. See `iam_group_assume_role_arns` for more information.
Published: 6/14/2021 | Modules affected: persistent-ebs-volume, attach-eni | Release notes
- Fix error message when describing vols by tag
- Add retry logic when pulling new interface ID in `attach-eni` script.
- Add sleep at end of `attach-eni` script to give kernel a chance to boot up the newly configured interface.
Published: 6/30/2021 | Modules affected: services | Release notes
- Fix bug where `eks-cluster` required both worker types.
Published: 6/28/2021 | Modules affected: services | Release notes
- k8s-service: add support for custom resources
Published: 6/25/2021 | Modules affected: networking | Release notes
- You can now avoid creating the default ACM certificate in the `route53` module by setting `provision_certificates` on the input parameter.
Published: 6/25/2021 | Modules affected: landingzone | Release notes
- Expose several new variables in the Landing Zone modules (`account-baseline-app`, `account-baseline-root`, `account-baseline-security`) for configuring CloudTrail:
  - `is_multi_region_trail`
  - `cloudtrail_enable_key_rotation`
  - `cloudtrail_num_days_to_retain_cloudwatch_logs`
  - `cloudtrail_data_logging_enabled`
  - `cloudtrail_data_logging_read_write_type`
  - `cloudtrail_data_logging_include_management_events`
  - `cloudtrail_data_logging_resource_type`
  - `cloudtrail_data_logging_resource_values`
Published: 6/24/2021 | Modules affected: services/ec2-instance [NEW], mgmt | Release notes
- Update dependency gruntwork-io/terragrunt to v0.31.0
- Update dependency gruntwork-io/terraform-aws-ci to v0.37.2
- Update for-production examples for architecture catalog v0.0.13
- Implement services/ec2-instance
- #714
- #716
- #753
- #579
Published: 6/21/2021 | Modules affected: networking/vpc | Release notes
- You can now expose the type of traffic to capture in VPC flow logs in the `vpc` module using the new `traffic_type` input variable.
Published: 6/21/2021 | Modules affected: networking/vpc | Release notes
- You can now get the ID of the default security group from the `vpc` module using the new `default_security_group_id` output variable.
- Updated the `for-production` examples to the latest.
Published: 6/18/2021 | Modules affected: base/ec2-baseline, data-stores/aurora, data-stores/elasticsearch, data-stores/memcached | Release notes
- Jenkins module backup function is now converted to use AWS Data Lifecycle Manager instead of a custom lambda function. If you wish to continue to use the lambda based backup function, you can set `backup_using_lambda = true`.
- The dashboard widgets and alarms for EC2 and ASG based modules have been updated to work with the new CloudWatch agent instead of `cloudwatch-memory-disk-metrics`. To ensure compatibility, make sure to rebuild your server AMIs to align with this version.
Published: 6/16/2021 | Modules affected: base/ec2-baseline, data-stores/aurora, data-stores/elasticsearch, data-stores/memcached | Release notes
- [BACKWARDS INCOMPATIBLE] Updates dependency gruntwork-io/terraform-aws-monitoring to v0.28.0. As a result of this, server metrics are now shipped via the `cloudwatch-agent` instead of the `cloudwatch-memory-disk-metrics` script. Note that the metric namespaces have changed from `System/Linux` to `CWAgent` as a result of this change. You may need to update dashboards or consumers of these metrics accordingly.
- CloudWatch Logs group names are now configurable for ECS cluster
- Updated the `for-production/infrastructure-live` examples with many bug fixes and updates.
- Setting `sse_algorithm` to null will now disable encryption on S3 buckets.
Published: 6/15/2021 | Modules affected: base | Release notes
- Update dependency gruntwork-io/bash-commons to v0.1.7
- [ec2-baseline] Make sure each log file managed by `cloudwatch-agent` goes to separate streams
Published: 6/11/2021 | Modules affected: services/eks-cluster, services/eks-workers, mgmt, networking | Release notes
- Update all `kubergrunt` and `terraform-aws-eks` references to v0.7.1 and v0.41.0
- Create a new module `eks-workers` that lets you manage EKS worker groups (self-managed ASGs and Managed Node Groups) separately from the EKS cluster.
- Add support for deploying Managed Node Groups
IMPORTANT: This is a backward incompatible release. A naive update will redeploy all worker nodes and cause downtime. Refer to the migration guide below for strategies to avoid the downtime.
Published: 6/10/2021 | Modules affected: mgmt, services | Release notes
- Update dependency hashicorp/terraform to v0.15.5
- Update dependency hashicorp/packer to v1.7.2
- Updates for-production examples
- Use standardized naming of packer templates
- Allow setting Cluster Autoscaler version in `eks-core-services`
Published: 6/8/2021 | Modules affected: mgmt, services | Release notes
- Update dependency helm/helm to v3.6.0
- Update dependency gruntwork-io/gruntkms to v0.0.10
- Update dependency gruntwork-io/terragrunt to v0.29.10
- Update dependency gruntwork-io/terraform-aws-ecs to v0.29.1
Published: 6/8/2021 | Modules affected: data-stores, networking, services, mgmt | Release notes
- Update dependency gruntwork-io/terraform-aws-cache to v0.15.0
- Update dependency gruntwork-io/terraform-aws-vpc to v0.15.4
- Update dependency gruntwork-io/terraform-aws-static-assets to v0.10.0
- Update dependency gruntwork-io/terraform-aws-ci to v0.37.0
- Update dependency gruntwork-io/terraform-aws-lambda to v0.11.1
- Update dependency gruntwork-io/terraform-aws-security to v0.49.1
- Update dependency gruntwork-io/terratest to v0.35.3
Published: 6/7/2021 | Modules affected: base, networking, services | Release notes
- Update dependency gruntwork-io/bash-commons to v0.1.4
- Update dependency gruntwork-io/terraform-aws-load-balancer to v0.26.0
Published: 6/4/2021 | Modules affected: base, mgmt | Release notes
- AMIs updated to use Ubuntu 20.04 as base
Published: 6/4/2021 | Modules affected: services | Release notes
- You can now override the sources of the `external-dns` app in `eks-core-services`
Published: 6/4/2021 | Modules affected: networking/vpc | Release notes
- You can now configure the subnet spacing / sizing in the `vpc` module using the new input variables `subnet_spacing`, `private_subnet_spacing`, `persistence_subnet_spacing`, `public_subnet_bits`, `private_subnet_bits`, and `persistence_subnet_bits`.
Published: 6/3/2021 | Modules affected: data-stores/redis | Release notes
Adds support for tags to the redis module.
Published: 6/2/2021 | Modules affected: networking/vpc | Release notes
- Fix a bug in the `vpc` module where, if you disabled a subnet tier, it would still try to create NACLs for that subnet tier. You can now also independently control whether the NACLs for each subnet tier will be created using the new `create_public_subnet_nacls`, `create_private_app_subnet_nacls`, and `create_private_persistence_subnet_nacls` input variables. Finally, you can also control if the default security group is created using the new `enable_default_security_group` input variable.
Published: 6/2/2021 | Modules affected: data-stores/ecr-repos, data-stores/rds | Release notes
- You can now configure whether image tags are mutable or not in the `ecr-repos` module using the new `image_tag_mutability` field in the `repositories` input variable.
- Fix a bug in the `rds` module where it would create a new KMS key, but wasn't actually using it, and was using the default RDS key instead. The API has changed now: to create and use a custom KMS key, set `create_custom_kms_key` to `true`; to use an existing KMS key, set `create_custom_kms_key` to `false` and pass in the KMS key to use via `kms_key_arn`. If `create_custom_kms_key` is `false` and you don't pass in a custom KMS key, the module will use the default RDS key.
Published: 6/1/2021 | Modules affected: account-baseline-root | Release notes
- Remove the dependency between CloudTrail and Config and their respective buckets, and rename the `cloudtrail_s3_bucket_already_exists` variable.
Published: 6/21/2021 | Modules affected: vpc-flow-logs | Release notes
- Update the `vpc-flow-logs` module to add the necessary IAM permissions to allow the VPC flow logs service to write to the S3 bucket.
Published: 6/10/2021 | Modules affected: install-open-jdk, install-supervisord | Release notes
- Add support for Ubuntu 20.04.
- Starting this release, we no longer support Ubuntu 16.04. If you were using Ubuntu 16.04 in your base images, upgrade to Ubuntu 18.04 or Ubuntu 20.04.