You can now have repo-copier append a suffix to the name of each copied repo using the new --repo-name-suffix parameter. This is useful to ensure each repo name is unique and doesn't conflict with any repos you already have.
Improve error handling on GitLab repos to make it clearer you must specify a group in the URL, not a repo or user.
Added permissions_boundary to ecs-deploy-runner ECS Task IAM role and ECS Task Execution IAM role.
This variable is optional, and therefore backwards compatible. It will allow adding an additional layer of permissions restrictions and scope for the IAM role it applies to.
[ecs-deploy-runner] tfenv is now included in the ECS Deploy Runner for managing terraform versions.
This release updates the ECS Deploy Runner Dockerfile to include the installation of tfenv. This means your CI/CD pipeline will be able to use multiple versions of terraform for the same repo, which makes upgrades easier! Read more about this feature in the core-concepts docs.
This also necessitated a change to the gruntwork-module-circleci-helpers module in the script configure-environment-for-gruntwork-module, which configures the CI build environment for typical Gruntwork modules. It now installs tfenv and includes a new configuration option --tfenv-version, which is enabled by default. If also configured to install terraform, this script will use tfenv to install and manage that terraform version. Because this change is backward incompatible, please see the migration guide below.
Most users will not be affected by the change to configure-environment-for-gruntwork-module. If you do not need terraform installed in your environment, you previously passed in --terraform-version NONE; you must now also pass in --tfenv-version NONE. If you don't pass in --tfenv-version NONE, the script will install the latest version of tfenv. Note: if you want to install terraform without tfenv, set only --tfenv-version NONE, and terraform will still be installed as usual.
Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.70.1. As a part of this change, support for ap-southeast-3 (Jakarta) region was added to the multi region modules. This is a backward incompatible change - refer to the migration guide for more details.
Updated aws provider version constraints to ensure Terraform doesn't use one with a bug around launch templates.
Added support for configuring prefix delegation mode on AWS VPC CNI. Prefix delegation mode increases the number of secondary IPs that can be provisioned to an EC2 instance, greatly expanding the number of Pods that can be scheduled on a node. Refer to the updated documentation for more details.
Note that this change is functionally backward compatible, but due to complexities around Kubernetes versioning, some of the settings may not be available across all Kubernetes versions, and therefore this release is marked as backward incompatible out of caution. If you run into errors, or have issues with the AWS VPC CNI as a result of upgrading to this release, you can disable the prefix delegation management in the module by setting var.use_vpc_cni_customize_script input variable to false.
Enable detailed monitoring control for ASG EC2s. A new variable asg_enable_detailed_monitoring allows you to configure whether or not detailed monitoring is enabled on the EC2 instances that comprise the EKS cluster workers auto scaling group.
Updated to manage CloudWatch Log Group for the lambda function in Terraform. This enables you to configure various settings, like KMS encryption keys for encrypted log events, and retention periods. This change is backward incompatible: refer to the migration guide down below for more details.
Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly to compliance checkers and are generally recommended by AWS as a best practice.
Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary downtime of IAM permissions. If you wish to avoid this, you can set the new var.use_managed_iam_policies to false.
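The following is an added illustration, not code from the module, of what the inline-versus-managed switch described above looks like in Terraform and why toggling it causes the permissions to "shuffle". The variable name use_managed_iam_policies matches the release notes; the role, policy document and bucket name are assumed for the example.

```hcl
# Added example (not the module's own code). Demonstrates the same IAM policy
# attached two ways: inline on the role, or as a standalone managed policy
# that is then attached to the role.

variable "use_managed_iam_policies" {
  description = "When true, attach the policy as a managed policy; when false, keep it inline on the role."
  type        = bool
  default     = true
}

# Placeholder role and policy document, assumed for this example.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "example-app-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

data "aws_iam_policy_document" "read_config" {
  statement {
    sid       = "ReadConfigBucket"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-config-bucket/*"] # placeholder bucket
  }
}

# "Before" form: an inline policy. It has no ARN of its own and is invisible to
# tooling that enumerates account-wide managed policies.
resource "aws_iam_role_policy" "inline" {
  count  = var.use_managed_iam_policies ? 0 : 1
  name   = "allow-read-config-bucket"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.read_config.json
}

# "After" form: a managed policy (its own ARN, versioned, auditable on its own)
# plus an attachment to the role.
resource "aws_iam_policy" "managed" {
  count  = var.use_managed_iam_policies ? 1 : 0
  name   = "allow-read-config-bucket"
  policy = data.aws_iam_policy_document.read_config.json
}

resource "aws_iam_role_policy_attachment" "managed" {
  count      = var.use_managed_iam_policies ? 1 : 0
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.managed[0].arn
}
```

Flipping use_managed_iam_policies from false to true makes Terraform destroy aws_iam_role_policy.inline and create aws_iam_policy.managed plus its attachment in the same apply, so the role briefly has neither policy; that window is the temporary loss of permissions the note above warns about.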
openvpn-admin: Fixes a bug that was causing openvpn-admin to return the instance's private IPv4 address. openvpn-admin now correctly returns the instance's public IPv4 address.
Require IMDSv2 in aws_launch_configuration. This release allows you to configure, via Terraform, whether the AWS Instance Metadata Service (IMDS) is enabled or disabled and which versions of the endpoint may be used, through these new variables:
var.enable_imds
var.use_imdsv1
In addition, var.use_imdsv1 defaults to false to enforce use of the preferred IMDSv2 endpoint. If you don't need to also use IMDSv1, we recommend leaving this variable set to false, and updating your start-openvpn-admin script to this release tag.
Note that if you:
are upgrading to this tag
intend to use only IMDSv2 going forward
keep var.use_imdsv1 set to false
then you must update your start-openvpn-admin script to tag v0.19.0 in order to deploy a functioning openvpn server.
If you need to continue using IMDS version 1, you can set var.use_imdsv1 to true.
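As an added illustration (not code from the module), the block below shows how two variables named like var.enable_imds and var.use_imdsv1 can drive the metadata_options block of an aws_launch_configuration, with the defaults above producing the IMDSv2-only setting. The resource name, AMI id and instance type are placeholders assumed for the example.

```hcl
# Added example (not the module's own code). Maps the two release variables
# onto the launch configuration's metadata_options.

variable "enable_imds" {
  description = "Whether the Instance Metadata Service is reachable from the instance at all."
  type        = bool
  default     = true
}

variable "use_imdsv1" {
  description = "Set to true only if something on the instance still needs the token-less IMDSv1 endpoint."
  type        = bool
  default     = false
}

resource "aws_launch_configuration" "openvpn" {
  name_prefix   = "openvpn-"
  image_id      = "ami-0123456789abcdef0" # placeholder AMI id
  instance_type = "t3.small"

  metadata_options {
    # "disabled" removes the metadata endpoint entirely.
    http_endpoint = var.enable_imds ? "enabled" : "disabled"

    # "required" means every metadata request must carry a session token
    # obtained with a PUT (IMDSv2 only); "optional" keeps IMDSv1 answering
    # plain GETs alongside IMDSv2.
    http_tokens = var.use_imdsv1 ? "optional" : "required"

    # Hop limit of 1 keeps the token from being forwarded beyond the instance
    # itself, e.g. from containers using the host network.
    http_put_response_hop_limit = 1
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

With http_tokens = "required", any script on the instance that still fetches metadata with an unauthenticated GET will receive an error, which is why the note above asks you to move start-openvpn-admin to the v0.19.0 tag when keeping var.use_imdsv1 at false.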
Updated to generate DSA-like Diffie-Hellman parameters (using a weaker prime). Generating the weaker prime is far less computationally intensive and completes quickly, without sacrificing the security of the parameters. If you wish to keep the old behavior with strong primes, pass the --gen-strong-prime option to the call to init-openvpn.
Updated the kms_key_arn input variable for AWS Config to be regional for each SNS topic. Previously, it only allowed specifying a single KMS Key, but that was not correct for SNS topics, which are regional resources.
Updated to use the aws_partition data source to look up the partition when constructing ARNs. This allows the modules to be compatible with alternative AWS partitions such as GovCloud and China.
NOTE: This release is functionally backward compatible, but requires an updated aws provider version to work (>= 3.64.0). For most users, this won't be an issue and Terraform will automatically update to the required provider version, but if you have wrapper modules that depend on an older aws provider version, you will need to update your wrapper module to be compatible with the newer provider before you can bump to this version.
Added support for replicating a key cross region. Refer to the updated documentation of kms-master-key-multi-region for more information.
Added support for configuring IAM roles that allow access to GitHub Actions with OpenID Connect. Refer to the documentation for github-actions-iam-role for more info.
Added support to allow-auto-deploy-access-from-other-accounts to be assumed by GitHub Actions. This is configured using the new allow_auto_deploy_from_github_actions input variable on the cross-account-iam-roles module.
Added support for arbitrary configurations of the Assume Role policy on IAM roles created with custom-iam-entity. This is configured using the new assume_role_iam_policy_json input variable.
Exposed the ability to control whether a public IP address is associated with the server in the single-server module, regardless of the subnet's default setting.
Added the ability to manage the CloudWatch Log Group for EC2 log aggregation in Terraform. Now base/ec2-baseline (and all modules that depend on it) will create and manage the CloudWatch Log Group before the server is launched by default. This allows you to configure options such as KMS key based encryption and log event retention periods on the Log Group. Note that this is a backward incompatible change. Refer to the migration guide below for more information.
Updated dependencies:
gruntwork-io/terraform-aws-ci to v0.41.0
gruntwork-io/terraform-aws-security to v0.58.1 (for server scripts installed with base/ec2-baseline)
Update for-production example with latest version of CI scripts.
Added the ability to configure and manage the cloudwatch log group for ECS service, via the new create_cloudwatch_log_group, cloudwatch_log_group_name, cloudwatch_log_group_retention, and cloudwatch_log_group_kms_key_id input variables.
Now the creation of the Internet Gateway is optional. We can have public subnets and still disable the IGW by setting the variable enable_igw to false (it's true by default). This fixes #150.