Gruntwork release 2020-10

Guides / Update Guides / Releases / 2020-10

This page is lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-10. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

• boilerplate
• infrastructure-live-multi-account-acme
• infrastructure-modules-multi-account-acme
• terraform-aws-beanstalk
• terraform-aws-ci
• terraform-aws-cis-service-catalog
• terraform-aws-data-storage
• terraform-aws-eks
• terraform-aws-lambda
• terraform-aws-load-balancer
• terraform-aws-monitoring
• terraform-aws-sam
• terraform-aws-security
• terraform-aws-server
• terraform-aws-service-catalog
• terraform-aws-static-assets

boilerplate

v0.3.2: Support rendering variable inputs to json

Published: 10/30/2020 | Release notes

This release fixes an issue with using toJson and related sprig functions within Boilerplate templates. It's now possible to read variable inputs from Boilerplate YML files and render those to JSON.

See related PR.

v0.3.1: Add partials feature

Published: 10/26/2020 | Release notes

Adds the new partials feature for better template reuse.

infrastructure-live-multi-account-acme

v0.0.1-20201021

Published: 10/21/2020 | Release notes

Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.

NOTE: we switched the date format for releases to v0.0.1-YYYYMMDD. Previously, this was v0.0.1-MMDDYYYY.

All the modules have been updated to be compatible with:

• Ubuntu 18.04
• Packer 1.6
• AWS Provider v3

In the process, the following module versions have been updated. Refer to the release notes of the corresponding repos for a description of the full changes.

Refer to the migration guide in infrastructure-modules-multi-account-acme for instructions on how to update existing reference architectures.

infrastructure-modules-multi-account-acme

v0.0.1-20201021

Published: 10/21/2020 | Release notes

Since this repo is solely used for examples/demonstrations, and NOT meant for direct production use, we simply publish all changes at v0.0.1, with a date marker for when it was published.

NOTE: we switched the date format for releases to v0.0.1-YYYYMMDD. Previously, this was v0.0.1-MMDDYYYY.

All the modules have been updated to be compatible with:

• Ubuntu 18.04
• Packer 1.6
• AWS Provider v3

In the process, the following module versions have been updated. Refer to the release notes of the corresponding repos for a description of the full changes.

• module-security: v0.22.0 => v0.36.8 Release notes
• module-aws-monitoring: v0.13.2 => v0.22.2 Release notes
• module-ci: v0.19.0 => v0.28.1 Release notes
• module-vpc: v0.7.8 => v0.9.4 Release notes
• module-load-balancer: v0.14.1 => v0.20.4 Release notes
• package-openvpn: v0.9.10 => v0.11.1 Release notes

• module-cache: v0.6.1 => v0.9.4 Release notes
• module-data-storage: v0.9.0 => v0.15.0 Release notes
• package-zookeeper: v0.6.6 => v0.6.9 Release notes
• package-kafka: v0.6.0 => v0.6.3 Release notes
• package-elk: v0.4.0 => v0.6.0 Release notes
• package-messaging: v0.3.0 => v0.3.4 Release notes

• package-lambda: v0.6.0 => v0.8.1 Release notes
• module-ecs: v0.16.0 => v0.22.0 Release notes
• terraform-aws-eks: v0.20.1 => v0.22.1 Release notes
• module-asg: v0.8.0 => v0.10.0 Release notes

You can follow the following guide to update each component to the newer versions offered in this refresh:

• cloudtrail : Update the module to the new version (v0.36.8), apply the state transitions, and change the KMS key configuration so that the logs are encrypted using a key in the security account (instructions).

• kms-master-key : Update the module to the new version (v0.36.8) and apply the state transitions (instructions).

• iam-groups : Update the module to the new version (v0.36.8) and apply the state transitions (instructions)

• iam-cross-account : Update to the module to the new version (v0.36.8). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• iam-user-password-policy : Update the module to the new version (v0.36.8). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• openvpn-server : Update the module to the new version (v0.11.1) and switch the AMI to use Ubuntu 18.04. (instructions)

• jenkins : Update the module to the new version (v0.28.1) and switch the AMI to use Ubuntu 18.04. (instructions)

• vpc-app and vpc-mgmt : Update to the new version (v0.9.4). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• alb : Update to the new version (v0.20.4). This update requires a state change. See the migration guide in the underlying module for instructions on how to update the state. Refer to this commit for a reference of the requisite updates to the code.

• sns-topics : Update to the new version (v0.3.4). This update is backwards compatible.

• cloudwatch-dashboard : Update to the new version (v0.22.2). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• lambda : Update to the new version (v0.8.1) and apply the state transitions. (instructions).

• rds : Update to the new version (v0.15.0) and apply the state transitions. (instructions)

• redis : Update to the new version (v0.9.4) and apply the state transitions. (instructions)

• zookeeper and kafka : Update to the respective new versions and switch the AMIs to use Ubuntu 18.04. Note that the module will automatically perform a rolling update for both services when you apply with the new AMI. Refer to this commit for a reference of the requisite updates. Make sure to update zookeeper before updating kafka.

• elk-single-cluster and elk-multi-cluster : Update to the new version (v0.6.0) and switch the AMIs to use Ubuntu 18.04. Note that the module will automatically perform a rolling update for all the services. Be aware that the default ELK versions within each module have changed: if it is not desirable to update Elasticsearch versions, make sure to specify the specific ES version in the packer templates. Refer to this commit for a reference of the requisite updates.

• ecs-cluster : Update to the new version (v0.22.0) and switch the AMI to use Ubuntu 18.04. (instructions)

• ecs-service-with-alb : Update to the new version (v0.22.0) and apply the state transitions. (instructions)

• EKS modules : Update to the new version (v0.22.1). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• static-website : Update to the new version (v0.6.5). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

• asg-service : Update to the new version (v0.10.0). This update does not require any state transitions if you apply the necessary code changes. Refer to this commit for a reference of the requisite updates.

terraform-aws-beanstalk

v0.1.1

Published: 10/12/2020 | Modules affected: elasticbeanstalk-environment | Release notes

• You can now specify the load balancer type to use in the elasticbeanstalk-environment module by using the new load_balancer_type input variable.

terraform-aws-ci

v0.29.1

Published: 10/28/2020 | Modules affected: ecs-deploy-runner | Release notes

You can now configure the ECS deploy runner with repository credentials for pulling down the images using the new repository_credentials_secrets_manager_arn input var.

v0.29.0

Published: 10/2/2020 | Modules affected: (none) | Release notes

• Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
  • From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
  • To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
  • Once all Gruntwork repos have been upgrade to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.

terraform-aws-cis-service-catalog

v0.9.0

Published: 10/27/2020 | Modules affected: aws-securityhub | Release notes

• Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
  • From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
  • To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
  • Once all Gruntwork repos have been upgrade to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.
• The aws-securityhub module will no longer automatically clean up associations with master accounts when you run destroy. See the migration guide below for upgrade instructions.

v0.8.1

Published: 10/22/2020 | Modules affected: custom-iam-entity | Release notes

Updates the custom-iam-entity module to use the latest version in module-security which improves the MFA experience for custom IAM roles. See the release notes for module-security v0.39.1.

v0.8.0

Published: 10/20/2020 | Modules affected: aws-securityhub | Release notes

• Switch from using a Python script to associate new member accounts in AWS Security Hub to using the new aws_securityhub_member resource. See the migration guide below for upgrade instructions.

v0.7.1

Published: 10/15/2020 | Modules affected: cloudtrail | Release notes

Expose ability to specify an existing KMS key for encrypting cloudtrail logs.

terraform-aws-data-storage

v0.16.2

Published: 10/16/2020 | Modules affected: aurora | Release notes

• You can now enable the HTTP endpoint for the Data API on Aurora Serverless using the new 'enable_http_endpoint' input variable.

terraform-aws-eks

v0.27.1

Published: 10/30/2020 | Modules affected: eks-cluster-workers | Release notes

Gracefully handle use_existing_cluster_config = false and use_cluster_security_group = true.

v0.27.0

Published: 10/28/2020 | Modules affected: eks-cluster-control-plane, eks-cloudwatch-container-logs, eks-container-logs, eks-aws-auth-merger | Release notes

• The fluentd based log shipping module (eks-cloudwatch-container-logs) has been deprecated and replaced by a new module based on fluent-bit. This supports additional targets such as Firehose and Kinesis in addition to Cloudwatch, while also being more efficient in terms of underlying resource usage. Refer to the migration guide for information on how to update.

• The default Kubernetes version used by the module has been updated to 1.18. Note that you will kubergrunt v0.6.3 or newer if you wish to upgrade your existing EKS clusters to Kubernetes version 1.18.

v0.26.1

Published: 10/27/2020 | Modules affected: eks-k8s-external-dns | Release notes

• You can now configure the triggerLoopOnEvent setting on the external-dns service.
• Update the documentation surrounding retrieving authentication tokens for EKS.

v0.26.0

Published: 10/20/2020 | Modules affected: eks-cluster-control-plane | Release notes

The automatic upgrade cluster feature now uses kubergrunt eks sync-core-components instead of an embedded script. This allows you to independently upgrade to newer EKS cluster versions as they are released without updating the module version.

If you were relying on the automatic update script to sync the core components prior to this release, you will need to ensure that you have kubergrunt installed (minimum version v0.6.2) to continue using it.

v0.25.0

Published: 10/2/2020 | Modules affected: eks-k8s-cluster-autoscaler | Release notes

Switch to using the new location for the cluster-autoscaler helm chart so that the module continues to work after the stable and incubator repos are decommissioned in November.

NOTE: This will redeploy the cluster-autoscaler pods, but all the data and variables are backwards compatible. We have marked this release as backwards incompatible due to the resulting downtime in the scaling functionality, but effectively, there will be no change to your cluster by redeploying the component (no downtime to your apps or EKS cluster).

v0.24.0

Published: 10/1/2020 | Modules affected: eks-cluster-control-plane, eks-cluster-workers | Release notes

The following variables and outputs have been renamed:

eks-cluster-control-plane

• [variable] vpc_master_subnet_ids => vpc_control_plane_subnet_ids
• [output] eks_master_security_group_id => eks_control_plane_security_group_id
• [output] eks_master_iam_role_arn => eks_control_plane_iam_role_arn
• [output] eks_master_iam_role_name => eks_control_plane_iam_role_name

eks-cluster-workers

• [variable] eks_master_security_group_id => eks_control_plane_security_group_id

All other functionality is preserved. To update to this version, replace usage of the old variable and output names to the new ones.

terraform-aws-lambda

v0.9.2

Published: 10/15/2020 | Modules affected: lambda | Release notes

This release adds the option to create an outbound "allow all" rule in the Lambda security group that will allow it to communicate with external services. To enable this, set should_create_outbound_rule=true when calling the lambda module. Defaults to false.

terraform-aws-load-balancer

v0.21.0

Published: 10/15/2020 | Modules affected: acm-tls-certificate, alb, lb-listener-rules | Release notes

• Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
  • From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
  • To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
  • Once all Gruntwork repos have been upgrade to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.

terraform-aws-monitoring

v0.23.2

Published: 10/27/2020 | Modules affected: alarms | Release notes

• Fix a bug in the alb-target-group-alarms module, switching the module to use "Seconds" instead of "Count" as the proper unit for the TargetResponseTime alarm.

terraform-aws-sam

v0.3.1

Published: 10/7/2020 | Modules affected: gruntsam | Release notes

• Added the create_before_destroy = true lifecycle setting to the aws_api_gateway_deployment resource to work around intermittent "BadRequestException: Active stages pointing to this deployment must be moved or deleted" errors.

v0.3.0

Published: 10/2/2020 | Modules affected: api-gateway-account-settings, gruntsam | Release notes

• Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
  • From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
  • To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
  • Once all Gruntwork repos have been upgrade to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.

terraform-aws-security

v0.40.1

Published: 10/29/2020 | Modules affected: private-s3-bucket | Release notes

• In private-s3-bucket, the server side encryption algorithm is now configurable through the newly exposed sse_algorithm variable

v0.40.0

Published: 10/26/2020 | Modules affected: cloudtrail-bucket, cloudtrail, account-baseline-app, account-baseline-root | Release notes

This release contains backwards incompatible changes. Make sure to follow the instructions in the migration guide below!

• The cloudtrail-bucket module has been refactored to use the private-s3-bucket module under the hood to configure the cloudtrail S3 bucket.
• The cloudtrail-bucket module will now configure the bucket to default to encrypting objects with the newly created KMS key, or the provided KMS key if it already exists.

v0.39.2

Published: 10/22/2020 | Modules affected: private-s3-bucket | Release notes

• Fix invocations of for_each to default to empty list instead of null. This bug in the private-s3-bucket module that made it impossible to configure bucket replication.

v0.39.1

Published: 10/21/2020 | Modules affected: private-s3-bucket, custom-iam-entity | Release notes

• In private-s3-bucket, the bucket ACL is now configurable through the newly exposed acl variable.
• In custom-iam-entity, previously, IAM roles and groups were treated the same with regards to MFA. With this release, for roles, we no longer attach the require_mfa_policy from the iam-policies module. Instead, we apply MFA to the trust policy. This change allows for sessions longer than 1 hour in duration (which are otherwise imposed due to role chaining limitations).

v0.39.0

Published: 10/14/2020 | Modules affected: account-baseline-root | Release notes

• Fix a bug where account-baseline-root did not work correctly if none of the accounts in child_accounts had is_logs_account set to true.

terraform-aws-server

v0.9.1

Published: 10/19/2020 | Modules affected: single-server | Release notes

• You can now specify the principals that will be allowed to assume the IAM role created by the single-server module. This can be useful, for example, to override the default from ["ec2.amazonaws.com"] to ["ec2.amazonaws.com.cn"] when using the AWS China region.

terraform-aws-service-catalog

v0.5.2

Published: 10/27/2020 | Modules affected: base, data-stores, landingzone, mgmt | Release notes

• Bump all underlying module version numbers and require Terraform 0.12.26 or above, which means you can now use the Service Catalog with Terraform 0.13.x as well! The only exception are the Kubernetes / EKS services, as the underlying modules do not support Terraform 0.13.x yet; we are working on that now and will do a new release when that's ready.

v0.5.1

Published: 10/23/2020 | Modules affected: data-stores/aurora | Release notes

This release exposes the cluster_resource_id attribute as an output from the aurora module.

v0.5.0

Published: 10/22/2020 | Modules affected: networking/route53, networking/alb, networking/vpc, services/eks-cluster | Release notes

This release adds the following features to the catalog:

• The route53 module now outputs the generated TLS cert ARNs
• The alb module now allows you to pass an existing S3 bucket for ALB access logs. This is useful for sending ALB logs to a central log account
• For EKS, you can now provide a list of CIDR ranges or security groups that are permitted to access the private EKS API endpoint.

We've also caught up to the latest release of the module-security and terraform-aws-eks repositories.

Migration guide for eks-cluster This release bumps the terraform-aws-eks module up to the latest version, including some backwards incompatible changes. Please review the release notes in the following order:

• v0.24.0 - renames several variables in eks-cluster-control-plan and eks-cluster-workers
• v0.25.0 - moves the location of the eks-cluster-autoscaler helm chart with a brief downtime in autoscaling activity (no other changes needed)
• v0.26.0 - changes the behavior of the automatic cluster upgrade functionality. Now requires kubergrunt >= v0.6.2.

v0.4.0

Published: 10/20/2020 | Modules affected: data-stores/rds, services/package-static-assets, mgmt/bastion-host, base/ec2-baseline | Release notes

• Incorporates latest releases from across the library
• For account-baseline-root: Fixes a bug where account-baseline-root did not work correctly if none of the accounts in child_accounts had is_logs_account set to true.

v0.3.4

Published: 10/16/2020 | Release notes

This release updates the following modules to the latest releases of their respective downstream modules:

• networking/vpc
• networking/vpc-mgmt
• services/eks-cluster
• services/eks-core-services
• services/k8s-service
• mgmt/ecs-deploy-runner
• mgmt/jenkins
• mgmt/openvpn-server
• landingzone/account-baseline-*
• base/ec2-baseline
• data-stores/rds

terraform-aws-static-assets

v0.7.0

Published: 10/16/2020 | Modules affected: (none) | Release notes

• Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
  • From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
  • To give you more time to upgrade, for the time being, all modules will still support Terraform 0.12.26 and above, as that version has several features in it (required_providers with source URLs) that make it more forwards compatible with 0.13.x.
  • Once all Gruntwork repos have been upgrade to work with 0.13.x, we will publish a migration guide with a version compatibility table and announce it all via the Gruntwork Newsletter.