
Gruntwork release 2020-03


This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2020-03. For instructions on how to use these updates in your code, check out the updating documentation.

Here are the repos that were updated:

terraform-aws-asg

v0.8.6

Published: 3/12/2020 | Modules affected: server-group | Release notes

  • You can now configure the CloudWatch metrics to enable for the ASGs in the server-group module via the new enabled_metrics input variable.

terraform-aws-cache

v0.9.2

Published: 3/26/2020 | Modules affected: redis | Release notes

  • You can now specify a custom KMS key to encrypt data at rest in redis using the new kms_key_id input variable.

terraform-aws-ci

v0.18.4

Published: 3/11/2020 | Modules affected: terraform-helpers | Release notes

This release updates the terraform-update-variables script to run terraform in the same folder as the updated vars file so that it can take advantage of version rules set with tfenv.

v0.18.3

Published: 3/11/2020 | Modules affected: infrastructure-deployer | Release notes

This release fixes a bug in the infrastructure-deployer CLI where it did not handle task start failures correctly.

v0.18.2

Published: 3/6/2020 | Modules affected: terraform-helpers | Release notes

Add support for Mac OSX to the git-updated-folders script.

terraform-aws-data-storage

v0.12.11

Published: 3/24/2020 | Modules affected: rds | Release notes

  • You can now configure the read replicas with separate settings from the primary. In particular, you can use the new parameter_group_name_for_read_replicas input variable to set a separate parameter group for read replicas and allow_connections_from_security_groups_to_read_replicas and allow_connections_from_cidr_blocks_to_read_replicas to configure a separate security group for read replicas.

v0.12.10

Published: 3/16/2020 | Modules affected: rds | Release notes

  • The rds module now allows you to enable IAM authentication for your database.

v0.12.9

Published: 3/13/2020 | Modules affected: lambda-share-snapshot, lambda-create-snapshot, lambda-copy-shared-snapshot, lambda-cleanup-snapshots | Release notes

Each of the manual scheduled snapshot Lambda function modules now exposes an input variable create_resources to allow conditionally turning them off.

v0.12.8

Published: 3/13/2020 | Modules affected: aurora | Release notes

  • Solve #86: Add maintenance window for Aurora Cluster Instances.

v0.12.7

Published: 3/7/2020 | Modules affected: lambda-create-snapshot | Release notes

Fix the log message for the Lambda function in lambda-create-snapshot so that it shows which CloudWatch metric was updated.

v0.12.6

Published: 3/6/2020 | Modules affected: lambda-create-snapshot, lambda-cleanup-snapshots | Release notes

lambda-create-snapshot and lambda-cleanup-snapshots now support namespacing snapshots so that you can differentiate between snapshots created with different schedules. Take a look at the lambda-rds-snapshot-multiple-schedules example for an example of how to use this feature to manage daily and weekly snapshots.

v0.12.5

Published: 3/4/2020 | Modules affected: lambda-share-snapshot, lambda-create-snapshot, lambda-copy-shared-snapshot, lambda-cleanup-snapshots | Release notes

The lambda functions for snapshot management have been upgraded to the python3.7 runtime. Note that although the lambda functions need to be redeployed, it will not affect your snapshots or existing RDS instances.

v0.12.4

Published: 3/3/2020 | Modules affected: lambda-create-snapshot | Release notes

This release fixes a bug where the lambda function for creating a snapshot needed the ability to invoke itself for retry logic.

terraform-aws-ecs

v0.18.0

Published: 3/19/2020 | Modules affected: ecs-cluster | Release notes

This release introduces two new list variables: allow_ssh_from_cidr_blocks and allow_ssh_from_security_group_ids. Use these lists to configure more flexible SSH access.

In addition, we have removed the num_alb_security_group_ids variable since the GitHub issue that it previously referenced has since been fixed.

Finally, this also migrates from dep to Go Modules.

terraform-aws-eks

v0.19.1

Published: 3/29/2020 | Modules affected: eks-cluster-control-plane | Release notes

The EKS cluster creation timeout is now 60 minutes.

v0.19.0

Published: 3/28/2020 | Modules affected: eks-cluster-control-plane | Release notes

This release includes an internal implementation change for the Fargate profiles to simplify the authentication mechanism when migrating the control plane services to Fargate. Note that if you were using schedule_control_plane_services_on_fargate = true, you will now need to use kubergrunt version 0.5.12 or greater.

v0.18.0

Published: 3/26/2020 | Modules affected: eks-cluster-control-plane | Release notes

This release removes the fargate_only flag on eks-cluster-control-plane module and replaces it with the more descriptive and accurate schedule_control_plane_services_on_fargate. Additionally, the module no longer configures the Fargate Profile to span all of the default and kube-system Namespaces. Instead, the fargate profile only targets the control plane services, specifically coredns.

Rationale: fargate_only implies that the cluster can only be used with Fargate, but that is not true: you can attach self-managed or managed worker nodes to the cluster and create a new Namespace to run non-Fargate workloads. Additionally, the previous flag made it impossible to run pods in the kube-system namespace on anything other than Fargate. This change was implemented to give the cluster more flexibility.

Refer to the migration guide for information on preserving the same semantics for existing clusters that have fargate_only set to true.

v0.17.2

Published: 3/25/2020 | Modules affected: eks-k8s-cluster-autoscaler | Release notes

Fix bug where the cluster autoscaler in IRSA mode was unable to get the necessary IAM permissions to access the ASG.

v0.17.1

Published: 3/24/2020 | Modules affected: eks-cluster-workers | Release notes

eks-cluster-workers now supports the create_resources parameter, which, when false, turns off all the resources in the module.

v0.17.0

Published: 3/20/2020 | Modules affected: eks-cluster-control-plane | Release notes

This release adds support for Kubernetes 1.15 and drops support for 1.12.

If you are using Kubernetes version 1.12, upgrade to at least 1.13 prior to updating the module. NOTE: AWS will be auto upgrading all EKS clusters running 1.12 on May 11th, 2020.

v0.16.1

Published: 3/19/2020 | Modules affected: eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, eks-alb-ingress-controller | Release notes

Fix an issue with the helm provider where the stable helm repository does not refresh correctly in certain circumstances.

v0.16.0

Published: 3/19/2020 | Modules affected: eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, eks-alb-ingress-controller | Release notes

This release introduces Helm v3 compatibility for the EKS administrative application modules, eks-k8s-external-dns, eks-k8s-cluster-autoscaler, eks-cloudwatch-container-logs, and eks-alb-ingress-controller. The major difference between this release and previous releases is that we no longer create the ServiceAccounts in Terraform and instead rely on the Helm charts to create them. Refer to the Migration Guide for information on how to migrate to this version.

v0.15.5

Published: 3/18/2020 | Modules affected: eks-cluster-workers | Release notes

You can now use cloud-init for boot scripts for self-managed workers by providing it as user_data_base64.

v0.15.4

Published: 3/12/2020 | Modules affected: eks-cluster-workers | Release notes

eks-cluster-workers now supports attaching secondary security groups in addition to the one created internally. This is useful to break cyclic dependencies between modules when setting up ELBs.

v0.15.3

Published: 3/11/2020 | Modules affected: eks-cluster-control-plane | Release notes

This release introduces support for setting encryption configurations on your EKS cluster to implement envelope encryption of Secrets. Refer to the official AWS technical blog post for more information.

NOTE: This is only available for new EKS clusters. If you would like this on your cluster, you must relaunch your cluster to enable this.
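The envelope encryption described above is configured on the cluster resource itself, which is why it can only be applied at creation time. The following is an added example and not the eks-cluster-control-plane module's own code: it shows the encryption_config block of the AWS provider's aws_eks_cluster resource pointed at a dedicated KMS CMK. The cluster name, the aws_iam_role.cluster reference and var.subnet_ids are assumptions for illustration.

```hcl
# Added example (not Gruntwork module code). Assumes aws_iam_role.cluster and
# var.subnet_ids are defined elsewhere in the same configuration.

# Dedicated CMK for Kubernetes Secrets. Rotation is enabled so the key material
# used to wrap the data-encryption keys is rotated by KMS annually.
resource "aws_kms_key" "eks_secrets" {
  description             = "Envelope encryption of Kubernetes Secrets (example cluster)"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_eks_cluster" "example" {
  name     = "example-cluster" # assumed name
  role_arn = aws_iam_role.cluster.arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # Enabling this on an existing cluster forces replacement, which matches the
  # release note: relaunch the cluster to get envelope encryption of Secrets.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
  }
}

# To confirm the setting after apply (AWS CLI, run outside Terraform):
#   aws eks describe-cluster --name example-cluster --query 'cluster.encryptionConfig'
```

The cluster's IAM role must be allowed to use the key (EKS creates a KMS grant on it at cluster creation), so the key policy should grant that role kms:Encrypt, kms:Decrypt, kms:DescribeKey and the grant-management actions; keeping the CMK separate from other workloads' keys limits what a compromised cluster role can decrypt.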

v0.15.2

Published: 3/4/2020 | Modules affected: eks-cloudwatch-container-logs | Release notes

The eks-cloudwatch-container-logs module now deploys a newer version of the fluentd container that supports IRSA.

terraform-aws-lambda

v0.7.5

Published: 3/29/2020 | Modules affected: lambda-edge | Release notes

You can now specify a permissions boundary on the IAM role created for lambda-edge.

v0.7.4

Published: 3/12/2020 | Modules affected: scheduled-lambda-job, lambda | Release notes

The lambda and scheduled-lambda-job modules now support conditionally turning off resources in the module using the create_resources input parameter.

terraform-aws-load-balancer

v0.19.0

Published: 3/31/2020 | Modules affected: acm-tls-certificate | Release notes

This release adds support for requesting, and automatically verifying, multiple certificates via the ACM module.

v0.18.1

Published: 3/10/2020 | Modules affected: acm-tls-certificate | Release notes

  • Fix deprecation warning with destroy provisioner.

v0.18.0

Published: 3/2/2020 | Modules affected: alb | Release notes

  • This release removes two unneeded input variables: aws_account_id and aws_region. Because these variables are unused, they can be safely removed.

terraform-aws-monitoring

v0.19.0

Published: 3/2/2020 | Modules affected: logs/load-balancer-access-logs | Release notes

This release removes two unused variables: aws_account_id and aws_region. Both of these variables are unused by the logs/load-balancer-access-logs module, and therefore can be safely removed.

terraform-aws-openvpn

v0.9.11

Published: 3/23/2020 | Modules affected: openvpn-server | Release notes

The openvpn-server module now accepts base64-encoded user data in the user_data_base64 variable. This is in addition to standard, plaintext user data in the user_data variable.

v0.9.10

Published: 3/6/2020 | Modules affected: openvpn-server | Release notes

You can now restrict the CIDR blocks that are allowed to access the OpenVPN port with the variable allow_vpn_from_cidr_list.

terraform-aws-security

v0.27.2

Published: 3/31/2020 | Modules affected: kms-master-key-multi-region | Release notes

This release introduces a new module kms-master-key-multi-region, which can be used to manage KMS CMKs across all enabled regions of an account.

v0.27.1

Published: 3/19/2020 | Modules affected: auto-update, ntp, tls-cert-private | Release notes

v0.27.0

Published: 3/16/2020 | Modules affected: kms-master-key | Release notes

This release introduces support for managing more than one KMS Customer Master Key (CMK) using the kms-master-key module.

v0.26.1: Allow read-only users to filter CloudWatch by resource groups

Published: 3/6/2020 | Modules affected: iam-policies | Release notes

v0.26.0

Published: 3/6/2020 | Modules affected: iam-groups | Release notes

This release updates the iam-groups module to use for_each instead of count. By using for_each, the groups are less affected by changes in the input list var.iam_groups_for_cross_account_access.

See this blog post for more info on the differences between for_each and count.
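As an added illustration of the for_each-versus-count point (this is example code, not the iam-groups module itself): with count, each group's state address is its list index, so removing an element from the middle of var.iam_groups_for_cross_account_access shifts every later group to a new index and Terraform plans to destroy and recreate them, along with their policies. Keying for_each on the group name gives each group a stable address. The object shape, the role ARNs and the sts:AssumeRole policy are assumptions for illustration.

```hcl
# Added example (not Gruntwork module code). The variable name comes from the
# release note; its object shape and the sample values are constructed.
variable "iam_groups_for_cross_account_access" {
  type = list(object({
    group_name   = string
    iam_role_arn = string
  }))
  default = [
    { group_name = "_account.dev-access",   iam_role_arn = "arn:aws:iam::111111111111:role/allow-access-from-other-accounts" },
    { group_name = "_account.stage-access", iam_role_arn = "arn:aws:iam::222222222222:role/allow-access-from-other-accounts" },
    { group_name = "_account.prod-access",  iam_role_arn = "arn:aws:iam::333333333333:role/allow-access-from-other-accounts" },
  ]
}

# BEFORE (count): dropping "_account.stage-access" moves prod from index 2 to
# index 1, so Terraform destroys aws_iam_group.cross_account[2] and recreates
# [1], briefly removing every member's cross-account access.
#
# resource "aws_iam_group" "cross_account" {
#   count = length(var.iam_groups_for_cross_account_access)
#   name  = var.iam_groups_for_cross_account_access[count.index].group_name
# }

# AFTER (for_each): the state address is aws_iam_group.cross_account["_account.prod-access"],
# so removing another element touches only that element's resources.
locals {
  cross_account_groups = {
    for g in var.iam_groups_for_cross_account_access : g.group_name => g
  }
}

resource "aws_iam_group" "cross_account" {
  for_each = local.cross_account_groups
  name     = each.key
}

# Inline policy allowing members of each group to assume the matching role only.
resource "aws_iam_group_policy" "cross_account" {
  for_each = local.cross_account_groups
  name     = "allow-assume-role"
  group    = aws_iam_group.cross_account[each.key].name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = each.value.iam_role_arn
    }]
  })
}
```

When upgrading an existing count-based state, a terraform state mv from the index address to the keyed address for each group avoids the destroy/recreate on the first plan after the change.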

terraform-aws-server

v0.8.1: Expose base64-encoded user data

Published: 3/9/2020 | Modules affected: single-server | Release notes

This release exposes the user_data_base64 attribute when launching a server. We've also added an example of using base64 user data with cloud-init.

v0.8.0

Published: 3/3/2020 | Modules affected: single-server | Release notes

  • The single-server module now allows you to add custom security group IDs using the additional_security_group_ids input variable.
  • The parameters that control SSH access in the single-server module have been refactored:
    • The allow_ssh_from_cidr and allow_ssh_from_security_group parameters have been removed. Terraform used to be much more picky about what you can reference in count parameters, but versions 0.12 and above allow data sources, and even looking up lengths on resources, so these redundant parameters are no longer necessary.
    • allow_ssh_from_security_group_id has been renamed to allow_ssh_from_security_group_ids and is now a list of security group IDs (instead of just one) from which SSH access will be allowed.
    • allow_rdp_from_cidr_list: A new input variable that is a list of CIDR blocks from which RDP access will be allowed.
    • allow_rdp_from_security_group_ids: A new input variable that is a list of security group IDs from which RDP access will be allowed.
  • The source_ami_filter we were using to find the latest CentOS AMI in Packer templates started to pick up the wrong AMI, probably due to some change in the AWS Marketplace. We've updated our filter to fix this as described below.

terraform-aws-static-assets

v0.6.2

Published: 3/25/2020 | Modules affected: s3-static-website, s3-cloudfront | Release notes

Resolve source of perpetual diff when using the cloudfront default certificate

v0.6.1

Published: 3/19/2020 | Modules affected: s3-static-website | Release notes

Fix a bug in s3-static-website module with versions of terraform >0.12.11, where the output calculation fails with an error.

v0.6.0

Published: 3/16/2020 | Modules affected: s3-cloudfront | Release notes

  • Now that we have Terraform 0.12, the s3-cloudfront module is no longer limited to 404 and 500 error responses: it takes a dynamic list of error responses via the new error_responses input parameter, which lets you specify custom error responses for any 4xx and 5xx error.

terraform-aws-vpc

v0.8.5: Outbound NACLs between private subnets

Published: 3/27/2020 | Modules affected: vpc-app-network-acls | Release notes

This change allows all outbound traffic from private subnets to other private subnets and similarly all outbound traffic from the persistent subnets to the other persistent subnets. Previously, only TCP traffic was permitted.

Thanks to @scottclk for this contribution.

v0.8.4: More control over subnet spacing

Published: 3/3/2020 | Modules affected: vpc-mgmt, vpc-app | Release notes

Previously, users had limited control over the spacing between subnets across AZs. The private and persistence subnets shared the same variable and an automatic calculation was used to assign an address space to the persistence subnets.

With this release, we introduce two optional variables to the vpc-app module: private_subnet_spacing and persistence_subnet_spacing. If either of these is provided, that value will be used as the netnum argument to cidrsubnet. Otherwise, the usual subnet_spacing variable and its automatic calculation will still apply.

Additionally, vpc-mgmt is now more customizable with the introduction of the private_subnet_bits variable.

Thanks to @mmiranda for his contribution, and to @marinalimeira for her suggestions!