Gruntwork release 2024-10
This page lists all the updates to the Gruntwork Infrastructure as Code Library that were released in 2024-10. For instructions on how to use these updates in your code, check out the updating documentation.
Here are the repos that were updated:
This is a floating release tracking the latest v3.y.z release.
Published: 10/31/2024 | Release notes
If your `terragrunt.hcl` files use `include {}` blocks to bring in data from other HCL files, Pipelines will now detect when those HCL files change and trigger an HCL Changed event, which runs a `run-all plan` with the `--terragrunt-modules-that-include` argument pointed at the changed HCL file. This currently works only with the `include` block; we plan to address other methods of nesting configuration, such as `read_terragrunt_config`, in a later release.
- Bootstrap will now correctly detect missing configuration values in `.gruntwork/config.yml`. Previously, empty values were passed through, which caused issues when templating new accounts.
- AWS credentials are now cached, which significantly reduces the number of calls made to AWS APIs during a `run-all`.
Full Changelog: https://github.com/gruntwork-io/pipelines-workflows/compare/v3...v3.1.0
Pipelines version 3 introduces several new features which include a number of breaking changes. The migration guide below should take less than 5 minutes for most teams to complete, but please do make sure to follow it closely. We're providing a checklist here to help teams ensure that steps are not skipped.
<details>
<summary><h2>Install and configure the Gruntwork.io GitHub App</h2></summary>
Pipelines now uses the Gruntwork.io GitHub App for workflow permissions, which simplifies permission management. Follow the GitHub App Installation Instructions to install the Gruntwork.io GitHub App and add your infrastructure-live-root repository to your account.
Using the Gruntwork.io GitHub App is recommended and provides full feature support for pipelines workflows. Alternatively, if you do not wish to install the Gruntwork.io GitHub App you can modify your existing workflows to continue using GitHub secrets, although some features will not be available. Read more about App only features here.
<details>
<summary><h3>Alternative steps</h3></summary>
- Add `actions: read` permissions
Customers explicitly list the permissions that Gruntwork Pipelines workflows have by default in the pipelines workflow files under .github/workflows inside their infrastructure repositories. Pipelines v3 now requires the `actions: read` permission in order to introspect its own runs and provide more helpful logging.
Customers should make the one-line change to add the `actions: read` permission in the following files <b>in every repository that uses Gruntwork Pipelines</b> (including root, access control and delegated repos). Note: most repositories will have only one or two of these workflow files; update those that are present and don't worry about the others.
.github/workflows/pipelines.yml
.github/workflows/pipelines-drift-detection.yml
.github/workflows/pipelines-root.yml
.github/workflows/pipelines-unlock.yml
```yaml
permissions:
  id-token: write
  contents: write
  pull-requests: write
```
becomes
```yaml
permissions:
  id-token: write
  contents: write
  pull-requests: write
  actions: read
```
- (Enterprise only) Add PR_CREATE_TOKEN to delegated repository workflows.
Delegated repositories that are not using the Gruntwork.io GitHub App will need to add `PR_CREATE_TOKEN: ${{ github.token }}` to the secrets in their workflow files:
```yaml
secrets:
  PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
```
becomes
```yaml
secrets:
  PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
  PR_CREATE_TOKEN: ${{ github.token }}
```
</details>
</details>
<details>
<summary><h2>Update to Terragrunt v0.67.16</h2></summary>
The latest Pipelines works best with the latest version of Terragrunt. Recent versions of Terragrunt bring much improved logging, performance and correctness in `run-all` scenarios with Pipelines.
</details>
<details>
<summary><h2>Allowlist Actions</h2></summary>
<i>This is only for customers who only allow GitHub actions to run if they are on an <a href="https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#allowing-select-actions-and-reusable-workflows-to-run">explicit allowlist</a></i>
<h3>New actions to add</h3>
gruntwork-io/pipelines-credentials
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-units
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-drift
gruntwork-io/pipelines-actions/.github/actions/pipelines-new-pr-action
gruntwork-io/pipelines-actions/.github/actions/pipelines-get-job-logs-url
</details>
<details>
<summary><h2>(Enterprise Only) Install and activate Drift Detection</h2></summary>
Pipelines Drift Detection can be installed in your repositories by adding a new workflow file:
- Create a new file at .github/workflows/pipelines-drift-detection.yml
- Add the following content to the file
```yaml
name: Pipelines Drift Detection
run-name: "[GWP]: Pipelines Drift Detection"
on:
  workflow_dispatch:
    inputs:
      path:
        description: (Optional) Path to filter units e.g. "./management/*"
        type: string
      branch-name:
        description: (Optional) branch name to open Drift Detection PRs with
        default: drift-detection
        type: string
permissions:
  id-token: write
jobs:
  GruntworkPipelines:
    uses: gruntwork-io/pipelines-workflows/.github/workflows/pipelines-drift-detection.yml@v3
    with:
      path: ${{ inputs.path }}
      branch-name: ${{ inputs.branch-name }}
```
</details>
- Pipelines as a GitHub App
- Pipelines Drift Detection (Enterprise Only)
- Improved Account Factory Bootstrap Customization Hooks
- Pipelines Log Link Improvements
- New config options in config.yaml:
  - `consolidate-added-or-changed`: allows the pipeline to run as a single parallelized Terragrunt instance so that dependencies are respected for deletions
  - `consolidate-deleted`: enable consolidating ModuleDeleted jobs with `run-all`
  - `enable-terragrunt-provider-cache`: uses the new Terragrunt provider cache so that you don't fetch the same 500 MB AWS provider binary 20 times
Published: 10/8/2024 | Modules affected: redis | Release notes
- Add dependency to redis auto scaling
Published: 10/31/2024 | Modules affected: ecs-deploy-runner | Release notes
- Introduce `additional_apk_adds` build argument to enable specifying extra packages downstream without the need for a derived image
- Bump `github.com/gruntwork-io/terratest` from 0.47.0 to 0.47.2 in /test
Published: 10/9/2024 | Modules affected: infrastructure-deployer | Release notes
- Bump github.com/gruntwork-io/terratest from 0.44.1 to 0.47.0
- Update `gruntwork-cli` to use go-commons.
- Update `github.com/urfave/cli` to `github.com/urfave/cli/v2` in infrastructure-deployer
- NOTE: some interface signatures have changed in `infrastructure-deployer` with this release. These are internal changes to the application that should not affect external consumption.
Published: 10/17/2024 | Modules affected: networking | Release notes
When customers want to update or add NACL rules using modules/networking/vpc, they face the following error:
`Error: NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-0d8dd4609b298bccd) Rule (egress: false)(7) already exists`
This is raised due to Simple Resource Creation (create-before-destroy), whereas NACL rules need to follow destroy-before-create behavior.
To fix this issue, we modified the `rule_incrementer` logic so that it is no longer tied to the index of the specific rule in the list of rules and no longer uses the starting rule number. Instead, `rule_incrementer` is based on the MD5 value of the IP-port-proto combination and falls within the rule number range 1-16300 for Allow rules and 16301-32700 for Deny rules.
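To show why numbering rules by a hash of their identity avoids the renumbering that surfaces as this error, here is an added Python illustration (not the networking module's own code); the exact way it combines CIDR, port and protocol into the MD5 input, and the index-based "old scheme" it contrasts against, are assumptions.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, int, str, str]  # (cidr, port, protocol, action)
# Rule-number ranges stated in the release notes.
ALLOW_RANGE = (1, 16300)
DENY_RANGE = (16301, 32700)


def hashed_rule_number(rule: Rule) -> int:
    """Derive the NACL rule number from the rule's own identity.

    Assumption for illustration: MD5 of "cidr-port-proto", reduced into the
    Allow or Deny range. The real module may combine the fields differently.
    """
    cidr, port, proto, action = rule
    lo, hi = ALLOW_RANGE if action.lower() == "allow" else DENY_RANGE
    digest = hashlib.md5(f"{cidr}-{port}-{proto}".encode()).hexdigest()
    return lo + int(digest, 16) % (hi - lo + 1)


def number_by_hash(rules: List[Rule]) -> Dict[int, Rule]:
    """Number every rule by hash, failing loudly if two rules collide."""
    out: Dict[int, Rule] = {}
    for rule in rules:
        n = hashed_rule_number(rule)
        if n in out and out[n] != rule:
            raise ValueError(f"rule number {n} collides: {out[n]} vs {rule}")
        out[n] = rule
    return out


def number_by_index(rules: List[Rule], start: int = 100) -> Dict[int, Rule]:
    """Assumed old scheme: rule number = starting number + position in the list."""
    return {start + i: rule for i, rule in enumerate(rules)}


def existing_rules_keep_numbers(number: Callable[[List[Rule]], Dict[int, Rule]],
                                before: List[Rule], after: List[Rule]) -> bool:
    """True if every rule present before the change keeps its number afterwards.
    When False, Terraform must create an entry under a number that still exists,
    which is what surfaces as NetworkAclEntryAlreadyExists."""
    old, new = number(before), number(after)
    return all(new.get(n) == rule for n, rule in old.items())


# Constructed sample: a new rule inserted at the front of an existing list.
RULES_V1: List[Rule] = [("10.0.0.0/16", 443, "tcp", "allow"), ("0.0.0.0/0", 22, "tcp", "deny")]
RULES_V2: List[Rule] = [("192.168.0.0/24", 80, "tcp", "allow")] + RULES_V1

if __name__ == "__main__":
    print("index-based:", existing_rules_keep_numbers(number_by_index, RULES_V1, RULES_V2))
    print("hash-based: ", existing_rules_keep_numbers(number_by_hash, RULES_V1, RULES_V2))
```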
Published: 10/14/2024 | Modules affected: networking | Release notes
- Update CODEOWNERS
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC
Published: 10/17/2024 | Modules affected: rds, redshift | Release notes
Added CloudWatch log destination in addition to S3. Logging details can be found on Database audit logging. This version adds the new Terraform resource `aws_redshift_logging`, which controls audit logging configuration and replaces the `logging` attribute group of the `aws_redshift_cluster` resource.
Published: 10/9/2024 | Modules affected: ecs-service | Release notes
- Adding a role for `aws ecs exec`
- Allow HTTP health check on TCP protocol
- Add ecs_task_definition_pid_mode variable for replica ECS service
- Test improvements/fixes
Published: 10/21/2024 | Modules affected: eks-cluster-control-plane | Release notes
- NOTE: The changes below have a typo in the variable name `access_entry_poilcy_associations`. If upgrading to use Access Entry support, please skip this version and use the next version v0.72.0 which has the typo fix included in the release.
- [Breaking Change] Add Support for EKS Access Entries
- Expose the `access_config` configuration block on the `eks-cluster-control-plane` module.
- NOTE: This is a breaking change. Upgrading to this version requires upgrading the AWS Terraform Provider to `>= 5.33.0`, the minimum version that supports the `access_config` configuration block.
- Add `access_entries` and `access_entry_poilcy_associations` variables to support adding EKS Access Entries.
- Add `access_config_authentication_mode` and `bootstrap_cluster_creator_admin_permissions` variables to support changing the Authentication mode of an EKS cluster.
- NOTE: Please see the AWS EKS documentation for Access Entries for full details. Consider the implications before changing the Authentication mode for a cluster.
- E.g. Changing from the default Authentication mode `CONFIG_MAP` to either `API` or `API_AND_CONFIG_MAP` is a one-way operation and cannot be reverted.
Published: 10/4/2024 | Modules affected: eks-k8s-cluster-autoscaler-iam-policy | Release notes
- Add `autoscaling:DescribeScalingActivities` permission to the Cluster Autoscaler policy.
Published: 10/15/2024 | Modules affected: lambda | Release notes
- Add example of using AWS SAM
- Add optional Lambda Advanced Logging Configuration variable
- Address dependabot alerts in the `lambda-service` example
Published: 10/30/2024 | Modules affected: alb | Release notes
- TODO: Address dependabot alerts
- TODO: Update CODEOWNERS
- TODO: Added Missing Default Action for ALB's HTTP(S) Listeners.
This PR does NOT introduce any changes that are not backwards compatible or require resources redeployment.
Published: 10/31/2024 | Modules affected: agents | Release notes
- Fix precommit
- agents/cloudwatch-agent: Bumps jqgo due to CVE
Published: 10/29/2024 | Modules affected: private-s3-bucket | Release notes
- private-s3-bucket: support newer_noncurrent_versions
Published: 10/30/2024 | Modules affected: data-stores | Release notes
- data-stores/s3-bucket: support newer_noncurrent_versions
Published: 10/30/2024 | Modules affected: networking, landingzone, services, services/eks-cluster | Release notes
- Add route53 alias default to null since it's optional
- Expose SNS topic name variable for CloudTrail
- NOTE: The changes below have a typo in the variable name `access_entry_poilcy_associations`. If upgrading to use EKS Access Entry support, please skip this version and use the next version v0.117.0 which has the typo fix included in the release.
- Add Support for EKS Access Entries
- NOTE: this is a breaking change due to new AWS Provider minimum version requirements. Please see the Migration Guide below for details.
Published: 10/25/2024 | Modules affected: services | Release notes
- services/ecs-cluster: update ecs-cluster to v0.38.3
Published: 10/24/2024 | Modules affected: base, data-stores, landingzone, mgmt | Release notes
- LIB-112: Enabled terrascan, address dependabot alerts.
- SME-1960: Exposed http_default_action in service catalog ALB.
Published: 10/10/2024 | Modules affected: networking | Release notes
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC
Published: 10/2/2024 | Modules affected: data-stores | Release notes
- data-stores/rds: add variable for security group description
Published: 10/9/2024 | Modules affected: vpc-mgmt | Release notes
- Add policy for the VPC Gateway Endpoint resources on Mgmt VPC