Gruntwork release 2022-02
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2022-02. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
Published: 2/25/2022 | Release notes
https://github.com/gruntwork-io/boilerplate/pull/87: Updated the `templateFolder` and `outputFolder` helper functions to return absolute paths instead of relative ones. This makes the resulting paths behave as expected when they are set from relative paths in the CLI (e.g., `boilerplate --template-url ./template/foo --output-folder ./out`).
For almost all use cases of these functions, this should be functionally equivalent to the previous version. However, if you are reliant on the path being relative (e.g., if you are outputting the function output directly in a template), this change in behavior could break your existing templates as the absolute path will now be output.
Published: 2/23/2022 | Release notes
Published: 2/21/2022 | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/574
Published: 2/17/2022 | Modules affected: asg-instance-refresh, asg-rolling-deploy, server-group | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/16/2022 | Modules affected: asg-instance-refresh, asg-rolling-deploy, server-group | Release notes
Published: 2/21/2022 | Modules affected: memcached, redis | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: memcached, redis | Release notes
- Housekeeping: Updated CODEOWNERS, Added GitHub PR & Issue Templates, and whitespace changes.
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/24/2022 | Modules affected: ecs-deploy-runner | Release notes
- Exposed the ability to configure IAM permissions boundary for the invoker lambda IAM role.
Published: 2/22/2022 | Modules affected: ecs-deploy-runner | Release notes
- Updated to use `name_prefix` instead of `name` for the outbound security group of ECS Deploy Runner to support deploying multiple instances of ecs-deploy-runner in a single VPC.
Published: 2/21/2022 | Modules affected: ec2-backup, ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: ec2-backup, ecs-deploy-runner-invoke-iam-policy, ecs-deploy-runner-standard-configuration, ecs-deploy-runner | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/11/2022 | Modules affected: ecs-deploy-runner | Release notes
- Updated Lambda module version and exposed CloudWatch Log Group settings
Published: 2/10/2022 | Modules affected: ecs-deploy-runner, ec2-backup, jenkins-server, infrastructure-deploy-script | Release notes
- Improved error message for destroy ref not based on default branch in the `infrastructure-deploy-script`
- Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
- Updated the `deploy-runner` docker container to use a non-root user to follow security best practices.
Published: 2/28/2022 | Modules affected: landingzone/account-baseline-root | Release notes
- Flow through `reserved_concurrent_executions` in account-baseline-root for the cleanup-expired-certs module.
Published: 2/25/2022 | Modules affected: landingzone/account-baseline-security | Release notes
- Flow through `reserved_concurrent_executions` in account-baseline-security for the cleanup-expired-certs module.
Published: 2/25/2022 | Modules affected: landingzone | Release notes
- Flow the `reserved_concurrent_executions` var through account-baseline-app.
Published: 2/25/2022 | Modules affected: security/cleanup-expired-certs | Release notes
- Exposed the ability to configure `reserved_concurrent_executions` on the cleanup-expired-certs lambda function.
Published: 2/23/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-root, landingzone/account-baseline-security, observability/aws-config-multi-region | Release notes
- Updated dependency `terraform-aws-service-catalog` to v0.78.1
- Exposed AWS Config encryption parameters.
Published: 2/22/2022 | Modules affected: security/iam-password-policy | Release notes
Introduced the `iam_password_policy_hard_expiry` input variable to control password policy hard expiry, as the previously hard-coded `true` is too strict for most use cases. Hard expiry requires an administrator to reset the password, which greatly degrades the UX of IAM users accessing the AWS console. This also increases the risk of account lockout (e.g., if you have no administrators in the account).
The default value is still `true`.
Published: 2/21/2022 | Modules affected: landingzone, networking, observability, security | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/21/2022 | Modules affected: landingzone, observability | Release notes
- Allow configuration of CloudTrail CloudWatch log group retention period. Default to 14 days instead of the previous 0 days.
Published: 2/17/2022 | Modules affected: landingzone, networking, observability, security | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/8/2022 | Modules affected: networking/vpc-app-network-acls | Release notes
- Add support for custom outbound NACLs from private app networks
Published: 2/4/2022 | Modules affected: landingzone/account-baseline-root, observability/cloudtrail | Release notes
- Updated to expose the organization trail configuration parameters for CloudTrail in `account-baseline-root`.
Published: 2/3/2022 | Modules affected: security/cleanup-expired-certs | Release notes
- Updated the `cleanup-expired-certs` module to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
- Updated the `cleanup-expired-certs` module to manage the CloudWatch Log Group for the lambda function in Terraform. This enables you to configure various settings, like KMS encryption keys for encrypted log events, and retention periods.
Published: 2/22/2022 | Modules affected: efs | Release notes
- Added option to enable open access via mount targets to EFS volumes.
Published: 2/21/2022 | Modules affected: aurora, backup-plan, backup-vault, efs | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: aurora, backup-plan, backup-vault, efs | Release notes
- Updated provider versioning to restrict to `< 4.0`. The AWS Provider 4.x series introduced a number of backward incompatible changes and these modules haven't been updated to work with them yet.
- Exposed the ability to configure copy-on-write cloning for the Aurora DB cluster.
Published: 2/21/2022 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
- Tweaked CircleCI config to make it more consistent with the rest of the repos
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/5/2022 | Modules affected: ecs-cluster, ecs-daemon-service, ecs-service | Release notes
- Rename vars.tf to more canonical variables.tf
- Fixed bug where the autoscale policy was deleted when changing the capacity provider
Published: 2/23/2022 | Modules affected: eks-cluster-workers | Release notes
- Fixed bug in the `eks-cluster-workers` module where the IAM role conditional can sometimes lead to a terraform error.
Published: 2/21/2022 | Modules affected: eks-cluster-control-plane, eks-cluster-workers, eks-container-logs, eks-fargate-container-logs | Release notes
Published: 2/17/2022 | Modules affected: eks-alb-ingress-controller-iam-policy, eks-alb-ingress-controller, eks-aws-auth-merger, eks-cloudwatch-agent | Release notes
- Tweaked CircleCI config to make it more consistent with other repos
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/3/2022 | Modules affected: eks-cluster-control-plane | Release notes
- Added the ability to manage the control plane logging CloudWatch Log Group. Now you can configure encryption and retention settings on the Log Group that is used for storing control plane logs.
Published: 2/1/2022 | Modules affected: eks-cloudwatch-agent, eks-container-logs | Release notes
- Added the ability to configure the container image repository used to source the container insights images
Published: 2/25/2022 | Modules affected: lambda-edge | Release notes
- Fixed the CloudWatch log group name for `lambda@edge` to sync with what is created by lambda@edge. Previously the CloudWatch Log Group name was incorrect, causing lambda@edge to create a new, separate log group instead of the one configured for it in the module.
Published: 2/25/2022 | Modules affected: lambda-edge, lambda | Release notes
- Add support to disable source code updates beyond initial creation
Published: 2/17/2022 | Modules affected: api-gateway-account-settings, api-gateway-proxy, keep-warm, lambda-edge | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/16/2022 | Modules affected: api-gateway-account-settings, keep-warm, lambda-edge, lambda | Release notes
Published: 2/21/2022 | Modules affected: acm-tls-certificate, alb, lb-listener-rules | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: acm-tls-certificate, alb, lb-listener-rules | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/3/2022 | Modules affected: acm-tls-certificate | Release notes
- Fixed a regression bug introduced with v0.27.2: the domain lookup by name should only be done if the domain is not in the lookup table
Published: 2/3/2022 | Modules affected: acm-tls-certificate | Release notes
- Fixed bug where hosted zone data source lookups caused the domains to be recreated on minor updates to the Route 53 hosted zone. You can now work around this problem by using the new `domain_hosted_zone_ids` input map. Refer to the PR description in https://github.com/gruntwork-io/terraform-aws-load-balancer/pull/133 for more information on this.
Published: 2/23/2022 | Modules affected: sqs-lambda-connection | Release notes
- Added a new module to use SQS as a trigger for Lambda. Please refer to the examples folder to check how to use it.
Published: 2/21/2022 | Modules affected: sns, kinesis, sns-sqs-connection, sqs | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: kinesis, sns, sqs, sns-sqs-connection | Release notes
- Renamed vars.tf to more canonical variables.tf
- Small fixes in preparation for Terraform 1.1 upgrade
- Renamed sns-sqs-connection vars.tf to more canonical variables.tf
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/9/2022 | Modules affected: sns-sqs-connection | Release notes
- Added a module for connecting SNS to SQS. This new module creates a connection between an SNS topic and an SQS queue. More information can be found in the module documentation.
Published: 2/20/2022 | Modules affected: alarms, logs, metrics | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: alarms, logs, metrics | Release notes
- Remove space at the end of line in CircleCI config
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/10/2022 | Modules affected: agents | Release notes
- Install CloudWatch Script: Fixed architecture logic error to only log error if architecture is unexpected.
Published: 2/9/2022 | Modules affected: alarms, agents | Release notes
- Rename vars.tf to more canonical variables.tf
- Install CloudWatch Script: Whether you're using amd64 or arm64, the CloudWatch agent download script will download the architecture-specific agent.
Published: 2/3/2022 | Modules affected: logs/load-balancer-access-logs | Release notes
- Updated to expose object locking settings for load balancer access logs bucket and S3 server access logging bucket.
Published: 2/23/2022 | Modules affected: openvpn-server | Release notes
- Enable EBS optimization by default. This release introduces a new `ebs_optimized` variable that defaults to `true`.
Note that, for the vast majority of instance types, there is no additional charge for enabling EBS optimization; however, for certain previous generation instances there will be an additional cost to have EBS optimization enabled. See the EC2 pricing page and the previous generation pricing page for more details.
Note that this is a backward incompatible change: a naive update to this version will cause the EC2 instances to shuffle, which will result in temporary downtime of your VPN service. If you wish to avoid this, you can set the new `var.ebs_optimized` to `false`.
Published: 2/21/2022 | Modules affected: openvpn-server | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: openvpn-server | Release notes
- Restricted provider version to < 4.0 due to breaking changes in new provider
- Cost savings: Make sure KMS keys created are deleted within 7 days, not the default 30 days!
- [BACKWARD INCOMPATIBLE] Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary downtime of IAM permissions. If you wish to avoid this, you can set the new `var.use_managed_iam_policies` to `false`.
Published: 2/25/2022 | Modules affected: cloudtrail-bucket, cloudtrail | Release notes
- Exposed the ability to extend the CloudTrail S3 bucket policy with additional statements using the new `additional_bucket_policy_statements` input variable.
Published: 2/22/2022 | Modules affected: aws-config-multi-region, aws-config | Release notes
- Rearranged encryption settings for SNS and S3 in `aws-config` to support independently configuring each. You can now configure the KMS key used for the S3 bucket using `var.s3_bucket_kms_key_arn` and the SNS topic using `var.sns_topic_kms_key_arn`. For `aws-config-multi-region`, the latter is configured using `var.sns_topic_kms_key_region_map`, as the KMS key needs to reside in the same region as the SNS topic.
Published: 2/21/2022 | Modules affected: aws-config-bucket, aws-config-multi-region, aws-config-rules, aws-config | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: aws-config-multi-region, aws-config-bucket, aws-config-rules, aws-config | Release notes
- Expand the kms_key_arn input variable docs to clarify the relation with SNS topics
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/8/2022 | Modules affected: aws-config-multi-region | Release notes
- Updated the `aws-config-multi-region` module to use the explicit default provider pattern.
Published: 2/8/2022 | Modules affected: custom-iam-entity, cross-account-iam-roles | Release notes
- Added optional permission boundaries var for custom entity IAM Role
- Fixed bug where the IAM role policy was dropped for the auto deploy cross account IAM role when only GitHub Actions access was configured.
Published: 2/7/2022 | Modules affected: cross-account-iam-roles | Release notes
- Fixed bug where the auto deploy IAM role was not created when only the GitHub Actions access was configured. Now you can configure the auto deploy IAM role by only setting the GitHub Actions input variable.
Published: 2/7/2022 | Modules affected: private-s3-bucket | Release notes
- Updated the `private-s3-bucket` module to expose a way to create and manage a replication IAM role for replicating an existing S3 bucket to the new bucket.
Published: 2/21/2022 | Modules affected: single-server | Release notes
- Fixes the `invalid index` error that happens occasionally on `terraform destroy` due to a missing resource.
Published: 2/20/2022 | Modules affected: ec2-backup, single-server | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: single-server, ec2-backup | Release notes
- Updated tests README
- Renamed vars.tf to more canonical variables.tf
- Added test stages to route53 helpers test
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/25/2022 | Modules affected: mgmt/bastion-host, mgmt/openvpn-server, mgmt/jenkins, mgmt/ecs-deploy-runner | Release notes
- Exposed backward compatibility feature flags for managed IAM policies in all affected modules from v0.80.0
Published: 2/25/2022 | Modules affected: data-stores/redis | Release notes
- Exposed the ability to restore a `redis` DB from backup using the new `snapshot_name` or `snapshot_arn` input variable.
Published: 2/25/2022 | Modules affected: networking/route53, networking/alb, services/asg-service, services/ecs-service | Release notes
- Updated dependency `terraform-aws-load-balancer` to v0.27.3
- Fixed bug in the `route53` module where minor changes to the hosted zone, like updating tags, inadvertently caused the records for ACM verification to be recreated, causing outages in the ACM certificate. Now minor updates to the hosted zone no longer cause changes to the records.
Published: 2/24/2022 | Modules affected: base/ec2-baseline, services/ec2-instance, services/k8s-service, mgmt/bastion-host | Release notes
- Some of our modules have been updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
Note that this is a backward incompatible change: a naive update to this version will cause the IAM policies to shuffle, which will result in a temporary downtime of IAM permissions. If you wish to avoid this, you can set the new `var.use_managed_iam_policies` to `false`.
IMPORTANT: Not all affected modules had the `var.use_managed_iam_policies` variable exposed in this release. All modules that did not originally expose this backward compatibility feature flag now have it in version 0.80.3.
Published: 2/24/2022 | Modules affected: services/asg-service, services/ecs-service | Release notes
- Exposed optional provider configuration options for route53 health check module.
Published: 2/24/2022 | Modules affected: services/eks-cluster, services/eks-workers, services/eks-core-services, mgmt/ecs-deploy-runner | Release notes
- Bump dependency `terraform-aws-eks` to v0.49.1
- Bump dependency `terraform-aws-ci` to v0.45.0. In the process, expose the ability to configure the CloudWatch Log Group for the invoker lambda function in `ecs-deploy-runner`.
- Exposed the ability to directly specify the max pods allowed per instance group ASG/NodeGroup in the `eks-workers` and `eks-cluster` modules.
Published: 2/22/2022 | Modules affected: landingzone | Release notes
- Exposed the ability to configure KMS keys for encrypting the S3 bucket and SNS topic used by AWS Config.
Published: 2/22/2022 | Modules affected: landingzone/account-baseline-app, landingzone/account-baseline-security, landingzone/account-baseline-root, base/ec2-baseline | Release notes
- Updated dependency `terraform-aws-security` to v0.62.1
Published: 2/22/2022 | Modules affected: services | Release notes
- Added the ability to attach a CloudWatch log filtered subscription to `eks-core-services` for the CloudWatch Log Group used by `fluent-bit`.
Published: 2/21/2022 | Modules affected: data-stores, landingzone, mgmt, networking | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
This release also includes minor documentation fixes and updates to README files.
Published: 2/17/2022 | Modules affected: landingzone/account-baseline-security | Release notes
Updated password policy hard expiry to default to `false`, as `true` is too strict for most use cases.
Hard expiry requires an administrator to reset the password, which greatly degrades the UX of IAM users accessing the AWS console when combined with the default password expiry period of 30 days. This degraded UX, combined with the risk of account lockout (e.g., if you have no administrators in the account), makes hard expiry a difficult flag to enable for most use cases, and thus we have decided to roll back to defaulting to `false`.
Published: 2/17/2022 | Modules affected: landingzone | Release notes
- Exposed the ability to set a custom Cloudtrail trail name.
Published: 2/16/2022 | Modules affected: landingzone | Release notes
- Fixed cross account IAM role bug with the GitHub Actions auto deploy role where `allow_auto_deploy_access_from_other_accounts` needed to be set to configure `allow_auto_deploy_from_github_actions_for_sources`.
Published: 2/15/2022 | Modules affected: landingzone | Release notes
- Updated `account-baseline-root` to not create ssh-grunt IAM groups by default, since the root account is not meant to run any servers.
- Fixed bug where ssh-grunt related sign-in URLs were being output as IAM role ARNs for an unrelated cross account IAM role in the account-baseline module outputs.
Published: 2/15/2022 | Modules affected: mgmt, networking, landingzone, services | Release notes
- Updated default version of `terraform-aws-openvpn` used in the AMI for the OpenVPN server.
- Updated default `k8s-service` helm chart version to latest.
- Converted module README files into markdown.
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/8/2022 | Modules affected: services/eks-cluster, services/eks-workers, services/eks-core-services, services/k8s-service | Release notes
- Updated dependency `gruntwork-io/terraform-aws-eks` to v0.48.0
- Exposed new EKS features from the underlying module:
  - Configuring the app image container repository and version tag of `aws-for-fluent-bit` and `cloudwatch-agent` in core services.
  - Configuring the CloudWatch Log Group for the control plane. This is a backward incompatible change; refer to the migration guide below for more info.
Published: 2/7/2022 | Modules affected: services/eks-cluster, services/eks-workers, services/eks-core-services, services/k8s-service | Release notes
- Updated the `eks-workers` and `eks-clusters` modules to support deploying an EKS cluster with workers in the Prefix Delegation network mode of `aws-vpc-cni`. Prefix Delegation mode allows allocating secondary IPs in blocks of 16 addresses, greatly increasing the limit of available IPs for Pods on the EKS workers. IMPORTANT: Starting with this version, EKS clusters managed with the `eks-clusters` and `eks-workers` modules default to Prefix Delegation mode; if you wish to avoid this switch, refer to the migration guide for information on how to keep the old model of network management.
- Upgraded dependency `gruntwork-io/terraform-aws-eks` to v0.47.2
Published: 2/4/2022 | Modules affected: landingzone | Release notes
- Updated to allow configuring GitHub Actions assume role access to the auto deploy cross account role in the baseline modules.
Published: 2/3/2022 | Modules affected: services/eks-cluster, services/eks-core-services, networking/vpc, networking/vpc-mgmt | Release notes
- Updated the default EKS disallowed availability zones list to include a new AZ for `ca-central-1` that doesn't support EKS Fargate
- Updated dependency `terraform-aws-vpc` to v0.18.12
- Exposed the following new functionality in the `vpc` module:
  - Added support for making Internet Gateway creation optional.
  - Added support for configuring routes to Virtual Private Gateways in each of the subnet tiers.
  - Added support for configuring custom outbound NACL rules for the private app subnet tier.
Published: 2/3/2022 | Modules affected: networking/vpc, networking/vpc-mgmt | Release notes
- Exposed the ability to configure the KMS key `deletion_window_in_days` for VPC flow logs.
- Exposed the ability to configure ICMP access through the NACLs.
Published: 2/3/2022 | Modules affected: networking/vpc | Release notes
- Fixed a bug where setting up the VPC peering connection in the vpc module could lead to count errors on certain inputs.
Published: 2/20/2022 | Modules affected: s3-cloudfront, s3-static-website | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: s3-cloudfront, s3-static-website | Release notes
- Add GitHub PR & Issue Templates
- Add gruntwork-io/maintenance-tier-3-orion to CODEOWNERS
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/21/2022 | Modules affected: executable-dependency, instance-type, join-path, list-remove | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Release notes
- Modernized circleci implementation to help our tests pass again.
- Restricted provider version to < 4.0 due to breaking changes in new provider
Published: 2/23/2022 | Modules affected: vpc-flow-logs | Release notes
- Add iam_role_permissions_boundary variable to the vpc-flow-logs module #253
Published: 2/21/2022 | Modules affected: network-acl-inbound, network-acl-outbound, vpc-app-network-acls, vpc-app | Release notes
Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
- From this release onward, we will only be running tests with Terraform 1.1.x against this repo, so we recommend updating to 1.1.x soon!
- We have also updated the minimum required version of Terraform to 1.0.0. While our repos might continue to be compatible with pre-1.0.0 versions of Terraform, we are no longer making any guarantees of that.
- Once all Gruntwork repos have been upgraded to work with 1.1.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
Published: 2/17/2022 | Modules affected: vpc-flow-logs, network-acl-inbound, network-acl-outbound, vpc-app-network-acls | Release notes
- Restricted provider version to < 4.0 due to breaking changes in the new provider.
- Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are friendlier to compliance checkers and are generally recommended by AWS as a best practice.
Note that this is a backward incompatible change: a naive update to this version replaces the inline policies with managed ones, leaving a brief window in which the roles have no permissions. If you wish to avoid this, set the new var.use_managed_iam_policies to false.
Published: 2/3/2022 | Modules affected: vpc-app-network-acls | Release notes
- Implemented support for custom outbound NACLs to private app networks
Published: 2/2/2022 | Modules affected: vpc-flow-logs | Release notes
- Updated to expose deletion_window_in_days for the KMS key that is created to encrypt the VPC flow logs.
Published: 2/1/2022 | Modules affected: vpc-app-network-acls | Release notes
- Exposed icmp_type and icmp_code in var.private_app_allow_inbound_ports_from_cidr so that ICMP can be enabled.
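The NACL changes in this month's releases (custom outbound rules for the private app tier, ICMP access through icmp_type and icmp_code) all rest on how a network ACL evaluates its rule list. The following is an added Python illustration of those semantics, not code from vpc-app-network-acls, and the variable shapes are not the module's: rules are tried in ascending rule-number order, the first match decides, and anything unmatched falls through to the implicit deny. The rule set and packets are constructed for the example. It also exercises the two things that go wrong with hand-written outbound rules: NACLs are stateless, so replies to inbound connections need an explicit rule for the ephemeral port range, and an ICMP rule with type and code -1 matches every ICMP message, not just echo.

```python
"""Network ACL evaluation: first match in ascending rule-number order wins.

Added illustration of the NACL semantics behind the outbound and ICMP
options above. Not Gruntwork module code; rules and packets are constructed.
"""
from dataclasses import dataclass
import ipaddress

PROTO_ALL, PROTO_ICMP, PROTO_TCP, PROTO_UDP = -1, 1, 6, 17
ANY = -1  # wildcard for icmp_type / icmp_code, as in the AWS API


@dataclass(frozen=True)
class NaclRule:
    rule_number: int
    action: str              # "allow" or "deny"
    protocol: int            # PROTO_* value
    cidr: str                # remote CIDR (destination for an egress rule)
    from_port: int = 0       # TCP/UDP only
    to_port: int = 0
    icmp_type: int = ANY     # ICMP only
    icmp_code: int = ANY


@dataclass(frozen=True)
class Packet:
    protocol: int
    remote: str              # destination address for egress
    port: int = 0            # destination port for TCP/UDP
    icmp_type: int = 0
    icmp_code: int = 0


def rule_matches(rule: NaclRule, pkt: Packet) -> bool:
    if rule.protocol not in (PROTO_ALL, pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.remote) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol == PROTO_ALL:
        return True                       # protocol -1 ignores ports and ICMP fields
    if rule.protocol in (PROTO_TCP, PROTO_UDP):
        return rule.from_port <= pkt.port <= rule.to_port
    if rule.protocol == PROTO_ICMP:
        type_ok = rule.icmp_type in (ANY, pkt.icmp_type)
        code_ok = rule.icmp_code in (ANY, pkt.icmp_code)
        return type_ok and code_ok
    return True                           # other IP protocols carry no qualifiers


def evaluate(rules, pkt: Packet):
    """Return (action, rule_number); rule_number None is the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_number
    return "deny", None


# Constructed egress rule set for a private app tier. Rule 50 sits below the
# ICMP allow at 120 so that it wins for the quarantined subnet.
PRIVATE_APP_EGRESS = [
    NaclRule(50, "deny", PROTO_ICMP, "10.0.99.0/24"),                 # all ICMP to quarantine
    NaclRule(100, "allow", PROTO_TCP, "0.0.0.0/0", 443, 443),          # HTTPS out
    NaclRule(110, "allow", PROTO_TCP, "10.0.0.0/16", 1024, 65535),     # stateless: replies to inbound
    NaclRule(120, "allow", PROTO_ICMP, "10.0.0.0/16",
             icmp_type=8, icmp_code=0),                                # echo request only
]


if __name__ == "__main__":
    samples = [
        Packet(PROTO_TCP, "93.184.216.34", 443),
        Packet(PROTO_TCP, "93.184.216.34", 80),
        Packet(PROTO_TCP, "10.0.5.9", 50000),
        Packet(PROTO_ICMP, "10.0.5.9", icmp_type=8, icmp_code=0),
        Packet(PROTO_ICMP, "10.0.5.9", icmp_type=3, icmp_code=4),
        Packet(PROTO_ICMP, "10.0.99.7", icmp_type=8, icmp_code=0),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(PRIVATE_APP_EGRESS, pkt))
```

Two properties of the sample rule set are worth checking against your own: removing rule 110 silently breaks every inbound connection to the tier (the SYN is allowed in, the SYN-ACK is dropped on the way out), and replacing `icmp_type=8, icmp_code=0` on rule 120 with the -1 wildcards lets the tier emit any ICMP message, including redirects, to the whole VPC.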
Published: 2/1/2022 | Modules affected: vpc-app | Release notes
- Exposed the ability to specify propagating virtual gateway routes for the public route table (via the public_propagating_vgws variable).