December 23, 2024

Every few months, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made since the last newsletter and news from the DevOps industry. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.

Hello Grunts,

Since the last newsletter, the early release of Terraform: Up & Running, 3rd edition has come out, we’ve published a new guide for how to successfully adopt the cloud called the Gruntwork Production Framework, we’ve updated all our modules to be compatible with Terraform 1.1, created a new module for using Tailscale as an alternative VPN solution, started working on the AWS Provider 4.x upgrade, and continue to build out our knowledge base.

As always, if you have any questions or need help, email us at [email protected]!

Gruntwork Updates

The early release of Terraform: Up & Running, 3rd edition is now available!

Motivation: The 2nd edition of Terraform: Up & Running came out in 2019 and there have been many changes in the Terraform world since then.

Solution: The early release of the 3rd edition of Terraform: Up & Running is here! The 3rd edition adds about 100 pages of new content, including two totally new chapters, plus major updates to all the existing chapters:

  • New chapter: secrets management with Terraform (KMS, Vault, OIDC, etc)
  • New chapter: multiple regions, accounts, & clouds (incl. Kubernetes!).
  • All code examples have been updated from Terraform 0.12 to 1.1.
  • Provider management with required_providers blocks & the lock file.
  • Variable validation and sensitive variables.
  • Refactoring with moved blocks.
  • Using count and for_each with module blocks.
  • Policy enforcement using OPA.
  • And much more!

What to do about it: Check out the announcement blog post for the full details of what changed and start reading the early release on the O’Reilly website now!

Gruntwork Production Framework

Motivation: Going to production on the public cloud is hard, and many companies struggle with it, but all they have to guide them are “cloud operating models” that are too vague and high level to be of any use.

Solution: We have published a new guide called The Gruntwork Production Framework, which defines a clear mental model of how to think about cloud usage, plus a concrete, opinionated set of steps you can follow to make better use of the cloud at your company. At Gruntwork, we’ve had the privilege to work with everything from tiny startups to massive Fortune 50 companies to some of the world’s largest government agencies, and this document captures the common patterns we’ve seen that actually worked.

What to do about it: Have a read through The Gruntwork Production Framework and let us know what you think!

[NEW MODULE]: Tailscale

Motivation: Gruntwork customers were interested in alternatives to our OpenVPN solution for connecting to their networks.

Solution: We’ve added a new module to the Gruntwork Service Catalog for running Tailscale! Tailscale is a zero-config VPN solution, built on top of the WireGuard protocol, that manages firewall rules for you (no messing with security groups), supports SSO and MFA, and provides a nice UI for managing users and access. The new module is called tailscale-subnet-router, and you can use it to deploy a production-grade server that acts as a Tailscale subnet router, which allows you to expose that VPC’s network to the tailnet.

What to do about it: Give the tailscale-subnet-router module a try and let us know what you think!

Terraform 1.1

Motivation: Version 1.1 of Terraform recently came out.

Solution: We upgraded the entire Gruntwork IaC Library to be compatible with Terraform 1.1.

What to do about it: Check out our Terraform 1.1 upgrade guide to get your code upgraded to be compatible with Terraform 1.1!

AWS Provider 4.x

Motivation: Version 4.0 of the Terraform AWS provider recently came out, and it includes many breaking changes.

Solution: We are currently working to upgrade the Gruntwork IaC Library to be compatible with AWS Provider 4.x.

What to do about it: For now, keep yourself pinned to version 3.x to avoid errors. We will announce when the 4.x upgrade is completed!
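As an added example (not from the newsletter or the Gruntwork modules), here is what the 3.x pin looks like in a root module’s required_providers block, with the drifting constraint shown beside the corrected one. It assumes the hashicorp/aws provider and Terraform 1.1.x; the 3.75.0 floor is the one the private-s3-bucket v0.63.0 release note below asks for.

```hcl
# Constraint that drifts: every 3.x AND 4.x release satisfies it, so the next
# "terraform init -upgrade" can select 4.0+ and surface its breaking changes.
#
#   required_providers {
#     aws = {
#       source  = "hashicorp/aws"
#       version = ">= 3.0"
#     }
#   }

terraform {
  # Terraform 1.1.x is the version the Gruntwork IaC Library was upgraded for.
  required_version = ">= 1.1.0, < 2.0.0"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # "~> 3.75" is shorthand for ">= 3.75.0, < 4.0.0": it stays on the 3.x
      # series and still meets the 3.75.0 floor needed by modules that already
      # support provider 4 (e.g. private-s3-bucket v0.63.0).
      version = "~> 3.75"
    }
  }
}
```

Run terraform init once and commit the generated .terraform.lock.hcl; the selected provider version then stays fixed across machines and CI until you deliberately run terraform init -upgrade.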

Knowledge Base

Motivation: We wanted to create a way to capture common questions and discussions in a single place that’s easy to search (including via Google!) and filter.

Solution: As we mentioned in the last newsletter, we have adopted GitHub Discussions as our Knowledge Base. We are gradually moving more and more of our support discussions there, as it’s far more effective for search, filtering, marking official answers, tagging, etc. than Slack.

What to do about it: Give the Knowledge Base a try, and let us know how it works for you!

Service Catalog Updates

terraform-aws-service-catalog

  • v0.68.7: Added the ability to configure an OpenID Connect Provider for GitHub Actions to use to authenticate to AWS in LandingZone (account-baseline-app and account-baseline-security).
  • v0.68.8: Added reader_endpoint output to Aurora module.
  • v0.69.0: Added the ability to configure and manage the cloudwatch log group for ECS service, via the new create_cloudwatch_log_group, cloudwatch_log_group_name, cloudwatch_log_group_retention, and cloudwatch_log_group_kms_key_id input variables. Updated various dependencies — refer to the release notes for more information.
  • v0.69.1: Added the ability to configure encryption on the FluentBit CloudWatch Log Group. Updated various dependencies — refer to the release notes for more information.
  • v0.70.0: Updated snapshot retention for redis to 15 days. Updated dependency gruntwork-io/terraform-aws-security to v0.57.1 to add support for ap-southeast-3 region to multi region modules.
  • v0.70.1: Added the ability to provide a static list of thumbprints for a better security posture when configuring an OIDC provider for GitHub Actions. Updated various dependencies — refer to the release notes for more information.
  • v0.71.0: Added the ability to manage the CloudWatch Log Group for EC2 log aggregation in Terraform. Now base/ec2-baseline (and all modules that depend on it) will create and manage the CloudWatch Log Group before the server is launched by default. This allows you to configure options such as KMS key based encryption and log event retention periods on the Log Group. Updated various dependencies. Updated for-production example with latest version of CI scripts.
  • v0.72.0: Added EKS Container Insights metrics collection to EKS Core Services.
  • v0.72.1: Fixed a bug where setting up the VPC peering connection in the vpc module could lead to count errors on certain inputs.
  • v0.73.0: Exposed the ability to configure kms key deletion_window_in_days for VPC flow logs. Also exposed the ability to configure ICMP access through the NACLs.
  • v0.73.1: Updated default EKS disallowed availability zones list to include a new AZ for ca-central-1 that doesn’t support EKS Fargate. Updated dependency terraform-aws-vpc to v0.18.12 and exposed new functionality in the vpc module (refer to the Release Notes for more info).
  • v0.73.2: Updated to allow configuring GitHub Actions assume role access to the auto deploy cross account role in the baseline modules.
  • v0.74.0: Updated eks-workers and eks-clusters modules to support deploying an EKS cluster with workers in Prefix Delegation network mode of aws-vpc-cni. Prefix Delegation mode allows allocating secondary IPs in blocks of 16 addresses, greatly increasing the limit of available IPs for Pods in the EKS workers. Upgraded dependency gruntwork-io/terraform-aws-eks to v0.47.2.
  • v0.75.0: Updated dependency gruntwork-io/terraform-aws-eks to v0.48.0. As a result, you can now configure the app image container repository and version tag of aws-for-fluent-bit and cloudwatch-agent in core services. You can also now configure the CloudWatch Log Group for the control plane.
  • v0.75.1: Updated default version of terraform-aws-openvpn used in AMI for openvpn server; Updated default k8s-service helm chart version to latest; Converted modules readme files into markdown; Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.75.2: Updated account-baseline-root to not create ssh grunt IAM groups by default, since the root account is not meant to run any servers in there; Fixed bug where ssh grunt related sign in urls were being outputted as IAM role arns for an unrelated cross account IAM role in account-baseline module outputs.
  • v0.75.3: Fixed cross account IAM role bug with github actions auto deploy role where allow_auto_deploy_access_from_other_accounts needed to be set to configure allow_auto_deploy_from_github_actions_for_sources.
  • v0.75.4: Exposed the ability to set a custom Cloudtrail trail name.
  • v0.76.0: Updated password policy hard expiry to default to false, as true is too strict for most use cases.
  • v0.77.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.77.1: Added the ability to attach a CloudWatch log filtered subscription to eks-core-services for the CloudWatch Log Group used by fluent-bit.
  • v0.78.0: Updated dependency terraform-aws-security to v0.62.1.
  • v0.78.1: Exposed the ability to configure KMS keys for encrypting the S3 bucket and SNS topic used by AWS Config.
  • v0.79.0: Bumped dependency terraform-aws-eks to v0.49.1; bumped dependency terraform-aws-ci to v0.45.0. In the process, exposed the ability to configure the CloudWatch Log Group for the invoker lambda function in ecs-deploy-runner; exposed the ability to directly specify the max pods allowed per instance group ASG/NodeGroup in the eks-workers and eks-cluster modules.
  • v0.79.1: Exposed optional provider configuration options for route53 health check module.
  • v0.80.0: Some of our modules have been updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
  • v0.80.1: Updated dependency terraform-aws-load-balancer to v0.27.3; Fixed bug in route53 module where minor changes to the hosted zone, like updating tags, inadvertently caused the records for ACM verification to be recreated, causing outages in the ACM certificate. Now minor updates to the hosted zone no longer cause changes to the records.
  • v0.80.2: Exposed the ability to restore a redis DB from backup using the new snapshot_name or snapshot_arn input variable.
  • v0.80.3: Exposed backward compatibility feature flags for managed IAM policies in all affected modules from v0.80.0.
  • v0.81.0: Updated dependency terraform-aws-monitoring to v0.32.0; Fixed bug in ASG and EC2 disk alarms where the metric dimensions were incompatible with the CloudWatch Agent; Exposed the ability to configure Performance Insights for an RDS database using the new performance_insights_enabled input variable.
  • v0.82.0: Exposed the ability to configure permission boundaries on the IAM role for VPC flow logs via the iam_role_permissions_boundary input parameter. Updated dependency terraform-aws-vpc to v0.20.1.
  • v0.82.1: Exposed iam_role_permissions_boundary to vpc-mgmt module.
  • v0.83.0: Exposed ability to set ebs_optimized on bastion-host and ec2-instance module. This new variable defaults to true; Exposed additional parameters for restoring an Aurora RDS Database from a snapshot (restore_type and copy_tags_to_snapshot); Added the ability to extend the ECS Deploy Runner with additional container images via the new additional_container_images input variable; Fixed bug where elb_target_group_deregistration_delay was not being passed through in ecs-service module; Updated various dependencies — refer to the release notes for more info.
  • v0.84.0: Exposed the ability to configure CloudWatch subscriptions for services/lambda; Enabled detailed monitoring for EKS Managed Node Group and self managed ASG instances, which you can configure using the new input parameters; Updated various dependencies — refer to the release notes for more info.
  • v0.84.1: Exposed the ability to link GitHub Actions to the root account via the account-baseline-root module; Exposed the ability to configure EBS IOPS and THROUGHPUT parameters for EKS self managed ASG workers.
  • v0.84.2: Exposed the set_source_code_hash parameter in the services/lambda module.
  • v0.84.3: Exposed ability to set up periodic background job to invoke ecs-deploy-runner. This can be used to run various tasks on a periodic basis in the background, such as running terragrunt run-all plan on a regular basis to detect infrastructure drift.
  • v0.84.4: Exposed the ‘auth_token’ parameter in the redis module to allow configuring password protected redis instances. Updated dependency terraform-aws-server to v0.14.2.
  • v0.85.0: Updated ecs-deploy-runner to manage the CloudWatch Log Group associated with ECS Tasks in Terraform and exposed the variables to configure it. Updated various dependencies — refer to the release notes for more info.
  • v0.85.1: Exposed the ability to bind custom iam policies to the lambda service IAM role; Added the ability to configure ECR repo to grant access to create lambda functions externally.
  • v0.85.2: Added a new module to deploy Tailscale Subnet Routers in a VPC. Refer to the module documentation for more information.

terraform-aws-cis-service-catalog

  • v0.28.0: Updated dependency gruntwork-io/terraform-aws-vpc to v0.18.6; Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.65.4; Fixed CIS non-compliance of the default NACL created for the VPC.
  • v0.28.1: Updated cleanup-expired-certs to configure reserved concurrent executions to 1. Added a new module (security/revoke-unused-iam-credentials) that will automatically revoke unused IAM credentials.
  • v0.29.0: Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.70.1. As a part of this change, support for ap-southeast-3 (Jakarta) region was added to the multi region modules. This is a backward incompatible change – refer to the migration guide for more details.
  • v0.30.0: Updated cleanup-expired-certs module to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice. Updated cleanup-expired-certs module to manage the CloudWatch Log Group for the lambda function in Terraform. This enables you to configure various settings, like KMS encryption keys for encrypted log events, and retention periods.
  • v0.30.1: Updated to expose the organization trail configuration parameters for CloudTrail in account-baseline-root.
  • v0.30.2: Added support for custom outbound NACLs from private app networks.
  • v0.30.3: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.30.4: Exposed configuration of the CloudTrail CloudWatch log group retention period. Defaults to 14 days instead of the previous 0 days.
  • v0.31.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.31.1: Introduced the iam_password_policy_hard_expiry input variable to control password policy hard expiry, as the previously hard-coded true is too strict for most use cases. Hard expiry requires an administrator to reset the password, which greatly degrades the UX of IAM users accessing the AWS console. This also increases the risk of account lockout (e.g., if you have no administrators in the account).
  • v0.32.0: Updated dependency terraform-aws-service-catalog to v0.78.1; Exposed AWS Config encryption parameters.
  • v0.32.1: Exposed the ability to configure reserved_concurrent_executions on the cleanup-expired-certs lambda function.
  • v0.32.2: Flow the reserved_concurrent_executions var through account-baseline-app.
  • v0.32.3: Flow through reserved_concurrent_executions in account-baseline-security for the cleanup-expired-certs module.
  • v0.32.4: Flow through reserved_concurrent_executions in account-baseline-root for the cleanup-expired-certs module.
  • v0.32.5: Updated account-baseline-root module to allow using external accounts as the administrator account for Macie and Security Hub.
  • v0.33.0: Updated the macie module (and in turn, the landingzone modules) to allow configuring and managing the Macie CloudWatch Log Group within Terraform. This allows a user to configure encryption settings for the Log Group or retention settings.
  • v0.33.1: Updated the vpc-mgmt-network-acls and vpc-app-network-acls modules to expose the ability to configure the initial rule number used for the rules. This allows a user to set a sufficiently high number to provide more head room for inserting higher priority rules.
  • v0.33.2: Fixed bug where the rule numbers were not all relative to the new var.initial_nacl_rule_number input variable.
  • v0.34.0: Updated dependency gruntwork-io/terraform-aws-service-catalog to v0.85.2.

Open Source Updates

terragrunt

  • v0.36.0: We are now testing Terragrunt against Terraform 1.1, and it is confirmed to be working.
  • v0.36.1: Fixed a bug in tfr source where relative paths returned from third party registries were not handled correctly.
  • v0.36.2: Implemented support for merge strategies to control how to merge outputs with mocks.
  • v0.36.3: Introduced new function get_repo_root, which can be used to get the absolute path to the root of the Git repository.
  • v0.36.4: Added caching of IAM roles to improve parsing speed of HCL files.
  • v0.36.5: Updated Terragrunt to configure blocking of public access to the access logs S3 bucket when access logging of the state bucket is configured.
  • v0.36.6: Updated repo root functions to use platform agnostic path separators.

terratest

  • v0.40.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.40.1: Added function to require an env var is defined in test (environment.RequireEnvVar).
  • v0.40.2: Added functions useful for interacting with docker images and building remote images.
  • v0.40.3: Added new functions for copying terraform and terragrunt modules to a provided dest folder instead of tmp. This is useful if you don’t want to pollute the tmp folder of build servers.
  • v0.40.4: Fixed a bug in CopyTerraformFolderToDest where the parameters were flipped, causing the folder to be incorrectly copied.
  • v0.40.5: Simplified implementation of CopyTerraformFolderToTemp by using CopyTerraformFolderToDest to avoid code duplication. There is no functional difference between this version and the previous version.
  • v0.40.6: Added new function to retrieve the git repo root dir (git.GetRepoRoot and git.GetRepoRootE).

cloud-nuke

  • v0.10.0: cloud-nuke will now delete KMS Customer Managed Keys. If you wish to avoid nuking KMS Keys, you can either pass in --exclude-resource-type kmscustomerkeys, or specify a config file.
  • v0.11.0: cloud-nuke will now delete CloudWatch Log Groups. If you wish to avoid nuking Log Groups, you can either pass in --exclude-resource-type cloudwatch-loggroup, or specify a config file.
  • v0.11.1: KMS Customer Managed Key deletion now supports the config file format to filter by alias.
  • v0.11.2: ElasticIPs, AutoScalingGroups, LaunchConfigurations and EC2 instances can now be filtered by the config file using their names.
  • v0.11.3: Updated the VPC config to filter by name instead of VPC ID.

helm-kubernetes-services

  • v0.2.9: Fixed bug where Ingress resources did not match the networking.k8s.io/v1 API spec, affecting installs to k8s 1.19.
  • v0.2.10: Added the ability to configure custom container lifecycle hooks on the Pods using the new lifecycleHooks input value. Note that configuring a custom preStop lifecycle hook takes precedence over the existing shutdownDelay configuration. Refer to the input value documentation for lifecycleHooks in the values.yaml file for more information.
  • v0.2.11: Added the ability to configure session affinity on the Service.
  • v0.2.12: Fixed bug where number based service port settings on ingress were not being interpreted correctly as numbers when set in values.yaml.

Other updates

terraform-aws-security

  • v0.56.0: Updated management of S3 bucket replication configuration to use the aws_s3_bucket_replication_configuration resource so that users can have more control over the replication configuration.
  • v0.57.0: Added support for new AWS region (ap-southeast-3 Jakarta) to multiregion modules. As a result, you will need to add this region to your list of region providers.
  • v0.57.1: Added support for configuring IAM roles with access from GitHub Actions. Refer to the release notes for more details.
  • v0.57.2: Minor tweaks to enhance functionality around object locking. Updated various dependencies of go utilities. Refer to the release notes for more details.
  • v0.57.3: Added the ability to configure snapshot delivery frequency in aws config module.
  • v0.58.0: Added support for replicating a key cross region. Refer to the updated documentation of kms-master-key-multi-region for more information.
  • v0.58.1: Updated to use the aws_partition data source to lookup the partition when constructing ARNs. This allows the modules to be compatible with alternative AWS partitions like GovCloud and China.
  • v0.58.2: Exposed the ability to configure access logging and replication settings on AWS Config and AWS Cloudtrail buckets in the respective modules.
  • v0.59.0: Updated the kms_key_arn input variable for AWS Config to be regional for each SNS topic. Previously, it only allowed specifying a single KMS Key, but that was not correct for SNS topics, which are regional resources.
  • v0.60.0: Removed inline provider that was erroneously added in.
  • v0.60.1: Updated private-s3-bucket module to expose a way to create and manage a replication IAM role for replicating an existing S3 bucket to the new bucket.
  • v0.60.2: Fixed bug where the auto deploy IAM role was not created when only the github actions access was configured. Now you can configure the auto deploy IAM role with only setting the github actions input variable.
  • v0.60.3: Added optional permission boundaries var for custom entity IAM Role; Fixed bug where iam role policy was dropped for auto deploy cross account IAM role when only github actions access was configured.
  • v0.61.0: Updated aws-config-multi-region module to use explicit default provider pattern.
  • v0.61.1: Expanded the kms_key_arn input variable docs to clarify the relation with SNS topics; Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.62.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.62.1: Rearranged encryption settings for SNS and S3 in aws-config to support independently configuring each. You can now configure the KMS key used for the s3 bucket using var.s3_bucket_kms_key_arn and the SNS topic using var.sns_topic_kms_key_arn. For aws-config-multi-region, the latter is configured using var.sns_topic_kms_key_region_map, as the KMS key needs to reside in the same region as the SNS topic.
  • v0.62.2: Exposed the ability to extend the CloudTrail S3 bucket policy with additional statements using the new additional_bucket_policy_statements input variable.
  • v0.62.3: Added the ability to set custom conditions on assume role for custom-iam-entity via the new assume_role_custom_conditions input variable; Exposed the ability to configure advanced_event_selectors in cloudtrail module via the new advanced_event_selectors input variable.
  • v0.62.4: Fixed bug where setting replica_regions = ["*"] in a conditional did not have the intended effect.
  • v0.62.5: Added secretsmanager:DescribeSecret and secretsmanager:GetResourcePolicy to read-only permissions.
  • v0.63.0: Added support for Terraform AWS Provider 4 in private-s3-bucket. No changes are needed to your configurations! However, you need to bump your provider version to at least 3.75.0.
  • v0.63.1: Exposed the ability to specify additional service principals that should be granted for CloudTrail key. This is useful for granting access to additional services for different needs, such as to CloudWatch for setting up log metric filters correctly.

terraform-aws-ecs

  • v0.31.8: Added the ability to configure the runtime_platform block, extending support for Graviton2/Operating system family.
  • v0.31.9: Fixed bug when the autoscale policy was deleted when changing the capacity provider.
  • v0.31.10: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.32.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.32.1: Exposed configuration parameters for restricting IMDS endpoints on EC2 instances in ECS cluster. Refer to the new enable_imds and use_imdsv1 input parameters for more information.

terraform-aws-eks

  • v0.46.8: Exposed the ability to set priorityClassName on k8s cluster-autoscaler (via the pod_priority_class_name input variable).
  • v0.46.9: Fixed bug where using a name prefix broke the iam role name output on the eks-cluster-workers module.
  • v0.46.10: Enabled detailed monitoring control for ASG EC2s. A new variable asg_enable_detailed_monitoring allows you to configure whether or not detailed monitoring is enabled on the EC2 instances that comprise the EKS cluster workers auto scaling group.
  • v0.47.0: Updated AWS Provider version constraints to ensure Terraform doesn’t use one with a bug around launch templates. Added support for configuring prefix delegation mode on AWS VPC CNI. Prefix delegation mode increases the number of secondary IPs that can be provisioned to an EC2 instance, greatly expanding the number of Pods that can be scheduled on a node. Refer to the updated documentation for more details.
  • v0.47.1: Updated kubergrunt to v0.8.0.
  • v0.47.2: Updated control plane module to provision the required KMS permission to the CMK policy when using envelope encryption.
  • v0.47.3: Added the ability to configure the container image repository used to source the container insights images.
  • v0.48.0: Added the ability to manage the control plane logging CloudWatch Log Group. Now you can configure encryption and retention settings on the Log Group that is used for storing control plane logs.
  • v0.48.1: Restricted provider version to < 4.0 due to breaking changes in new provider.
  • v0.49.0: Verified that this repo is compatible with Terraform 1.1.x; Converted to use managed IAM policies.
  • v0.49.1: Fixed bug in eks-cluster-workers module where IAM role conditional can sometimes lead to terraform error.
  • v0.50.0: Exposed the ability to configure detailed monitoring per ASG, instead of only on all ASGs.
  • v0.50.1: Exposed ability to configure EBS IOPS and Throughput parameters for self managed ASG workers.
  • v0.50.2: Added support for managing EKS add-ons.
  • v0.50.3: Fixed kubergrunt arguments when syncing core components.
  • v0.50.4: Applied IAM permission boundaries, if provided, to the default Fargate role in eks-cluster-control-plane; Added the ability to specify IAM permission boundaries for the EKS worker role in eks-cluster-managed-workers.

terraform-aws-vpc

  • v0.18.1: Support multiple route tables for the public subnets.
  • v0.18.2: vpc-interface-endpoint: Fix typos in service names.
  • v0.18.3: vpc-app: Add explicit Default Route Table tag.
  • v0.18.4: Updated vpc-app module count calls to be more robust to changes; Updated vpc-mgmt module to allow you to manage the default Route Table, Security Group, and Network ACLs.
  • v0.18.5: Added the ability to manage the default NACLs, but restrict association of subnets so that the subnets can be associated with a different NACL.
  • v0.18.6: Updated to add the ability to configure allow_remote_vpc_dns_resolution on the VPC peering requester.
  • v0.18.7: Updated to expose timeout configurations for route table and routes.
  • v0.18.8: Exposed the ability to make Internet Gateway creation optional.
  • v0.18.9: Exposed the ability to specify propagating virtual gateway routes for public route table (via the public_propagating_vgws variable).
  • v0.18.10: Exposed icmp_type and icmp_code in var.private_app_allow_inbound_ports_from_cidr so that ICMP can be enabled.
  • v0.18.11: Updated to expose deletion_window_in_days for the KMS key that is created to encrypt the VPC flow logs.
  • v0.18.12: Implemented support for custom outbound NACLs to private app networks.
  • v0.19.0: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider. Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are recommended by AWS as best practice.
  • v0.20.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.20.1: Added iam_role_permissions_boundary variable to the vpc-flow-logs module.
  • v0.20.2: Added the ability to configure additional bucket policies on the VPC flow logs bucket using the new additional_s3_bucket_policy_statements input variable.
  • v0.20.3: Updated type table documentation for the additional_s3_bucket_policy_statements input variable; Updated the vpc-mgmt-network-acls and vpc-app-network-acls modules to expose the ability to configure the initial rule number used for the rules. This allows a user to set a sufficiently high number to provide more head room for inserting higher priority rules.
  • v0.20.4: Fixed bug where the rule numbers were not all relative to the new initial_nacl_rule_number input variable.
  • v0.21.0: Added support in vpc-flow-logs for changes to private-s3-bucket that make it compatible with Terraform AWS Provider 4. No configuration changes are required. You need to bump your AWS provider to at least 3.75.0.

terraform-aws-asg

  • v0.16.0: We’ve updated the version of the boto library used in the asg-rolling-deploy module from 1.7.10 to 1.20.24 to fix a compatibility issue with python 3.10 (while still maintaining backwards compatibility with older python 3.7+ releases).
  • v0.16.1: Adds support for ASG instance_refresh to provide rolling deploys (i.e., replace N% of the ASG at a time), with health checks and a warm-up period.
  • v0.17.0: Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are more friendly for compliance checkers and are generally recommended by AWS as best practice.
  • v0.17.1: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.17.2: Allows attaching permission boundaries to the IAM role created for the server group.
  • v0.17.3: Converted usage of deprecated tags attribute to tag blocks. This change is backward compatible for your resources. Upgraded version of boto3 embedded in the server-group module for rolling deployment script.
  • v0.17.4: Added support for attaching a launch template to an ASG with instance refresh.

terraform-aws-openvpn

  • v0.17.1: Added ability to configure access logging for the OpenVPN backup bucket. Added ability to make IAM Groups for certificate management permissions optional. Various updates to documentation.
  • v0.18.0: Updated to generate DSA-like Diffie-Hellman parameters (which use a weaker prime). The weaker prime is much less computationally intensive and can be generated quickly, without sacrificing the security of the parameters. If you wish to maintain the old behavior with strong primes, you can pass the --gen-strong-prime option to the call to init-openvpn.
  • v0.19.0: Require IMDSv2 in aws_launch_configuration. This release allows you to configure the AWS Instance Metadata Service’s (IMDS) state (enabled or disabled) and which versions of the endpoint may be used.
  • v0.19.1: Fixes a bug that was causing openvpn-admin to return the instance’s private IPv4 address. openvpn-admin now correctly returns the instance’s public IPv4 address.
  • v0.20.0: Restricted Terraform AWS provider version to < 4.0 due to breaking changes in the provider. Any KMS keys created by the module are now scheduled for deletion with a 7-day waiting period instead of the default 30 days, saving you some money; note that the waiting period is also your window to cancel the deletion of a key removed by mistake, and data encrypted under a deleted key is unrecoverable. Updated to use managed IAM policies instead of inline policies for all IAM roles, since this is recommended by AWS as best practice.
  • v0.21.0: Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
  • v0.22.0: Enabled EBS optimization by default. This release introduces a new ebs_optimized variable that defaults to true.
  • v0.23.0: Added support in openvpn-server for changes to private-s3-bucket that make it compatible with Terraform AWS Provider 4. No configuration changes are required. You need to bump your AWS provider to at least 3.75.0.
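The IMDSv2 requirement in v0.19.0 above is, in plain Terraform terms, a metadata_options block on the launch configuration. The following is an added example of that setting, not code from terraform-aws-openvpn; the AMI variable, instance profile, and security group it references are assumed to be defined elsewhere.

```hcl
# Added example: a launch configuration that hard-requires IMDSv2.
# Not from the Gruntwork module; var.ami_id, aws_iam_instance_profile.openvpn
# and aws_security_group.openvpn are assumed to be defined elsewhere.
resource "aws_launch_configuration" "openvpn" {
  name_prefix          = "openvpn-"
  image_id             = var.ami_id
  instance_type        = "t3.small"
  iam_instance_profile = aws_iam_instance_profile.openvpn.name
  security_groups      = [aws_security_group.openvpn.id]

  metadata_options {
    # Leave the endpoint on: the instance still needs it for its IAM role
    # credentials and user data. "disabled" would cut off both.
    http_endpoint = "enabled"

    # "required" makes IMDS reject any request that does not carry a session
    # token (obtained with PUT /latest/api/token). A plain IMDSv1 GET, which is
    # all an SSRF through a web app can usually issue, now gets HTTP 401.
    # The alternative, "optional", keeps IMDSv1 working.
    http_tokens = "required"

    # The token response is sent with this IP TTL. With 1 it reaches processes
    # on the host but not containers behind a NAT bridge on the same instance;
    # raise it only if such containers must obtain role credentials.
    http_put_response_hop_limit = 1
  }

  lifecycle {
    # Launch configurations are immutable; a new one must exist before the
    # ASG is switched over and the old one destroyed.
    create_before_destroy = true
  }
}
```

Existing instances keep their old settings until they are replaced by a rolling deploy or instance refresh; `aws ec2 modify-instance-metadata-options --http-tokens required` can flip a running instance in the meantime. To verify from inside the instance, `curl -s -o /dev/null -w '%{http_code}' http://169.254.169.254/latest/meta-data/` should print 401, while a request that first obtains a token with `PUT /latest/api/token` and sends it in the `X-aws-ec2-metadata-token` header succeeds. Before enforcing this across a fleet, confirm that every agent on the box speaks IMDSv2: older AWS SDKs, old boto releases, and monitoring agents that only know IMDSv1 silently lose their credentials. An aws_launch_template takes an identical metadata_options block.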

terraform-aws-server

  • v0.13.8: Updated to allow associating domain with EC2 instance even without EIP.
  • v0.13.9: Exposed ability to control associating a public IP address to the server in single-server module, regardless of what is configured by default on the subnet.
  • v0.13.10: Restricted provider version to < 4.0 due to breaking changes in new provider.
  • v0.14.0: Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
  • v0.14.1: Fixes invalid index error that happens occasionally on terraform destroy due to missing resource.
  • v0.14.2: Allows adding separate tags specifically for the security group, IAM role, or EIP.

terraform-aws-monitoring

  • v0.30.4: cloudwatch-custom-metrics-iam-policy: Added a comment explaining why "ec2:DescribeTags" is needed. Updated the sns-to-slack module to use Python 3.7 instead of 2.7.
  • v0.30.5: Exposed the ability to configure s3 server access logging for the ELB/ALB access logs bucket.
  • v0.30.6: Updated to expose object locking settings for load balancer access logs bucket and S3 server access logging bucket.
  • v0.31.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.31.1: Added an optional InstanceType var to the alarms/ec2-memory-alarms module.
  • v0.32.0: Fixed bug where disk alarms for ASG and EC2 were using an incorrect metric dimension to filter the metrics.
  • v0.33.0: Added support in logs/load-balancer-access-logs for changes to private-s3-bucket that make it compatible with Terraform AWS Provider 4. No configuration changes are required. You need to bump your AWS provider to at least 3.75.0.

terraform-aws-load-balancer

  • v0.27.2: Fixed a bug where hosted zone data source lookups caused the domains to be recreated on minor updates to the Route 53 hosted zone. You can now work around this problem by using the new domain_hosted_zone_ids input map. Refer to the PR description in #133 for more information.
  • v0.27.3: Fixed a regression introduced in v0.27.2: the domain lookup by name is now only performed when the domain is not in the lookup table.
  • v0.27.4: Restricted provider version to < 4.0 due to breaking changes in new provider.
  • v0.28.0: Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
  • v0.28.1: Exposed the ability to set a custom ALB log prefix for ALB logs.
  • v0.28.2: Added the ability to use the OIDC authentication feature of the AWS Application Load Balancer, described in Authenticate users using an Application Load Balancer.
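To show what the OIDC authentication feature in v0.28.2 does at the listener level, here is an added example of an ALB listener rule written directly against the AWS provider; it is not code from terraform-aws-load-balancer, and the HTTPS listener, target group, and identity provider URLs it references are assumed to exist.

```hcl
# Added example: an ALB listener rule that authenticates browsers against an
# OIDC provider before forwarding to the app. Not from the Gruntwork module.
# aws_lb_listener.https, aws_lb_target_group.app and the IdP URLs are assumed.
variable "oidc_client_secret" {
  type      = string
  sensitive = true # keeps it out of plan/apply output; it is still written to state
}

resource "aws_lb_listener_rule" "admin_requires_login" {
  listener_arn = aws_lb_listener.https.arn # must be an HTTPS listener
  priority     = 10

  # Action 1: authenticate. Unauthenticated browsers are redirected to the IdP;
  # on return the ALB validates the ID token and sets its own session cookie
  # (AWSELBAuthSessionCookie by default), so later requests skip the IdP.
  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      issuer                 = "https://idp.example.com" # assumed IdP
      authorization_endpoint = "https://idp.example.com/oauth2/authorize"
      token_endpoint         = "https://idp.example.com/oauth2/token"
      user_info_endpoint     = "https://idp.example.com/oauth2/userinfo"
      client_id              = "alb-admin"
      client_secret          = var.oidc_client_secret
      scope                  = "openid email"

      # Default is 7 days; shorten it so a stolen session cookie expires sooner.
      session_timeout = 3600

      # "authenticate" redirects to the IdP, which is right for browsers.
      # Use "deny" (HTTP 401) on API paths where a redirect makes no sense.
      on_unauthenticated_request = "authenticate"
    }
  }

  # Action 2: only reached after authentication succeeded. The ALB adds the
  # x-amzn-oidc-identity, x-amzn-oidc-accesstoken and x-amzn-oidc-data headers.
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }

  condition {
    path_pattern {
      values = ["/admin/*"]
    }
  }
}
```

Two checks are worth doing after applying a rule like this. The rule only protects traffic that passes through the listener, so the target's security group must allow ingress only from the ALB's security group; otherwise anyone who can reach the instance directly can send forged `x-amzn-oidc-*` headers. And the application should verify `x-amzn-oidc-data`, which is a JWT signed by the ALB with an ES256 key published at `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`, rather than trusting `x-amzn-oidc-identity` on its own. The ALB also needs outbound reachability to the IdP's token and userinfo endpoints, which matters for internal ALBs in private subnets.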

terraform-aws-elk

  • v0.11.1: Updated the default Elasticsearch version to the latest patch release that includes the fix for the Log4j vulnerability.

terraform-aws-ci

  • v0.40.2: Exposed the ability to configure reserved concurrency for the ECS Deploy Runner invoker lambda.
  • v0.41.0: tfenv is now included in the ECS Deploy Runner for managing terraform versions.
  • v0.41.1: Added permissions_boundary to ecs-deploy-runner ECS Task IAM role and ECS Task Execution IAM role.
  • v0.42.0: Improved error message for destroy ref not based on default branch in the infrastructure-deploy-script; Updated to use managed IAM policies instead of inline policies for all IAM roles; Updated the deploy-runner docker container to use a non-root user to follow security best practices.
  • v0.43.0: Updated Lambda module version and exposed CloudWatch Log Group settings.
  • v0.43.1: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.44.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.45.0: Updated to use name_prefix instead of name for outbound security group of ECS Deploy Runner to support deploying multiple instances of ecs-deploy-runner in a single VPC.
  • v0.45.1: Exposed the ability to configure IAM permissions boundary for the invoker lambda IAM role.
  • v0.45.2: Updated the ecs-deploy-runner-standard-configuration module to not define a required_providers block, since it doesn’t have any provider resources; Updated the standard configuration of ecs-deploy-runner to allow calling --help without option args on scripts within EDR; Added the ability to pass through additional flags to go test command when using run-go-tests.
  • v0.45.3: Synced versions of tags in Dockerfile for ECS Deploy Runner. The versions of installed software are backward compatible.
  • v0.45.4: Exposed the lambda function name of the invoker as an output for ecs-deploy-runner module.
  • v0.46.0: Updated setup-minikube to be compatible with Ubuntu 20.04, instead of the deprecated Ubuntu 16.04 image.
  • v0.46.1: Fixed bug where infrastructure-deploy-script help text did not include overview docs.
  • v0.47.0: Exposed the ability to configure the CloudWatch Log Group used by the ECS task launched with ecs-deploy-runner.
  • v0.47.1: Exposed ability to install infrastructure-deploy-script and monorepo-helpers without sudo.
  • v0.47.2: Fixed bug where there is a race condition between log group creation and ECS task creation for the ecs-deploy-runner.

terraform-aws-lambda

  • v0.15.0: Updated to use managed IAM policies instead of inline policies for all IAM roles. Managed IAM policies are friendlier to compliance checkers and are generally recommended by AWS as best practice.
  • v0.16.0: Updated to manage CloudWatch Log Group for the lambda function in Terraform. This enables you to configure various settings, like KMS encryption keys for encrypted log events, and retention periods.
  • v0.17.0: Verified that this repo is compatible with Terraform 1.1.x.
  • v0.17.1: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider.
  • v0.17.2: Added support for disabling source code updates after the initial creation.
  • v0.18.0: Fixed the CloudWatch Log Group name for Lambda@Edge to match the name Lambda@Edge creates. Previously the name was incorrect, causing Lambda@Edge to create a new, separate log group instead of using the one configured for it in the module.
  • v0.18.1: The modules for Lambda and Lambda@Edge functions can now have an optional CloudWatch Logs subscription.
  • v0.18.2: Exposed the ability to specify input json for scheduled-lambda-job when periodically invoking lambda function.

terraform-aws-static-assets

  • v0.12.3: Restricted provider version to < 4.0 due to breaking changes in new provider.
  • v0.13.0: Terraform 1.1 upgrade: We have verified that this repo is compatible with Terraform 1.1.x!
  • v0.13.1: Adds ability to override S3 bucket ownership and bucket policy.
  • v0.13.2: Fix example cloudfront-s3-private-with-custom-bucket-policy.
  • v0.14.0: Updated s3-static-website module to make it compatible with AWS Provider 4! If you are using routing_rules, details in the release notes should help you migrate to the new routing_rule format. No other configuration changes are required. You need to bump your AWS provider to at least 3.75.0.

terraform-aws-data-storage

  • v0.22.5: Added the options to use enhanced_vpc_routing and logging to configure the redshift module.
  • v0.22.6: Restricted AWS Provider version to < 4.0 due to breaking changes in the provider. We also exposed the ability to configure copy-on-write cloning for Aurora DB cluster.
  • v0.23.0: Added Terraform 1.1.x support!
  • v0.23.1: Added option to enable open access via mount targets to EFS volumes.
  • v0.23.2: Update versions of tools in CircleCI. We also added support for Oracle parameter groups in the RDS module.

DevOps News

Lambda improvements: more disk space and built-in URLs

What happened: AWS has made several improvements to Lambda: first, you can now configure up to 10 GB of ephemeral (/tmp) storage, and second, Lambda functions now natively support HTTPS URLs (function URLs), without having to put API Gateway in front of them.

Why it matters: In the past, Lambda functions were limited to just 512 MB of ephemeral storage, so allowing up to 10 GB is a 20x increase. Moreover, in the past, you could only expose Lambda functions to the outside world by configuring API Gateway, which was a whole new service to learn, with quite a few settings to configure. Now, you can expose a function with a native URL in just a few clicks.

What to do about it: Give these new features a shot and let us know how they work for you! One caveat: a function URL is created with an auth type of either AWS_IAM, which requires callers to sign requests with SigV4, or NONE, which makes the function reachable by anyone on the internet with no authentication, so choose NONE deliberately and only for functions that do their own authorization. Note that native URL support for Lambda functions is not yet supported in Terraform; follow this issue for progress.

Closing AWS accounts is now much easier!

What happened: AWS Organizations now supports closing member AWS accounts from the console and via the API.

Why it matters: In the past, closing a member account was a painful process: you had to log in to the member account as the root user, hook up a payment method, go through several CAPTCHAs plus a phone verification, remove the account from the organization, and only then could you finally close it. None of this was exposed via API, so it was a 100% manual process. Now, finally, it's fully automated: you can do it with a few clicks from the AWS Organizations console of the management account, or via the new CloseAccount API.

What to do about it: It is now far more convenient to spin up and tear down lots of AWS accounts for testing, experimenting, sandboxes, etc, so give it a shot! Two things to plan for: a closed account is suspended rather than deleted for 90 days, during which AWS can reinstate it at your request, and AWS caps how many member accounts you can close in a rolling 30-day period, so a large cleanup may need to be spread out. For more info, see the announcement blog post.

Automatic recovery for EC2 instances

What happened: AWS has announced that simplified automatic recovery is now enabled by default for EC2 instances on supported instance types.

Why it matters: In the past, if the hardware underneath an EC2 instance failed (a system status check failure), you had to recover the instance manually, set up a CloudWatch alarm with a recover action, or use an Auto Scaling Group to replace it. Now, a supported instance is recovered automatically: it is moved to healthy hardware while keeping its instance ID, private IP addresses, Elastic IP addresses, and attached EBS volumes. Note that this covers infrastructure failures, not an OS or application that has stopped responding, and it does not apply to instances with instance store volumes or to bare metal instances.

What to do about it: This is enabled by default, so there's nothing to do for supported, EBS-backed instance types; anything else still needs an Auto Scaling Group or your own recovery process. For more info, see the announcement blog post.
