Gruntwork Newsletter, April 2021

Amanda Ohmer
Published June 4, 2021

Once a month, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made in the last month, news in the DevOps industry, and important security updates. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.

Hello Grunts,

In the last month, we’ve updated all our code to work with Terraform 0.14 (so it’s time for you to upgrade!), started on the Terraform 0.15 upgrade, released a new Unified CloudWatch Agent module, started updating our code to work with Ubuntu 20.04, and made lots of other fixes and improvements. Also, Gruntwork is now a 5-year-old company, and we’ve published a blog post on 5 of the most important lessons we’ve learned along the way!

As always, if you have any questions or need help, email us at support@gruntwork.io!

Gruntwork Updates

It’s time to update to Terraform 0.14!

Motivation: A few months ago, HashiCorp released version 0.14.0 of Terraform. It brought several new features, but also some backwards incompatible changes. In our last newsletter, we announced that most of our modules had been upgraded, but a few items still remained.

Solution: We’ve finished the Terraform 0.14 upgrade and it’s ready for you to take it for a spin! We’ve tested all our modules with Terraform 0.14, fixed all the incompatibility issues we ran into, released new versions of all the repos, and put together a migration guide for you to follow (which includes a version compatibility table).

What to do about it: You can now update all of your repos to use Terraform 0.14 and the new versions of the Gruntwork repos. Follow our migration guide and let us know how it goes!

Terraform 0.15

Motivation: HashiCorp has just released version 0.15 of Terraform. This brings in various new features and improvements, but also many backwards incompatibilities, so now we need to go through and update the entire IaC Library again.

Solution: It looks like HashiCorp is doing these large, backwards incompatible releases far more frequently now, probably on the road to Terraform 1.0.0. We’ll be revisiting how we do upgrades to see if we can speed things up and match HashiCorp’s new, frantic pace.

What to do about it: We will start working on the 0.15 upgrade soon. In the meantime, we recommend upgrading to Terraform 0.14 as per the previous entry.

Gruntwork turns 5!

Motivation: In March, 2021, Gruntwork turned 5 years old, and we wanted to share lessons learned growing the company from nothing to ~20 people and ~$4.5M in annual recurring revenue (ARR), all without raising any money or taking on any debt.

Solution: We wrote a blog post called 5 years of Gruntwork where we share some of the lessons we’ve learned over those 5 years, including:

  1. Serendipity, timing, and luck
  2. Talent is evenly distributed, opportunity is not
  3. It’s a marathon, not a sprint
  4. Life first, then work
  5. It’s always day 1

What to do about it: Check out the blog post and let us know what you think!

Unified CloudWatch Agent Module

Motivation: Gruntwork’s IaC Library includes modules to set up CloudWatch Logs Agent and CloudWatch Monitoring Scripts, but nowadays, AWS recommends using the CloudWatch Unified Agent instead, as it handles both logs and metrics.

Solution: We’ve added a new cloudwatch-agent module, which makes it easier to configure your EC2 instances to send logs and metrics to CloudWatch. You can install it (e.g., in a Packer template) using the Gruntwork Installer:

gruntwork-install \
--module-name agents/cloudwatch-agent \
--repo https://github.com/gruntwork-io/module-aws-monitoring \
--ref v0.26.1 \
--module-param aws-region=us-east-1

Then, when your instance is booting (e.g., in a User Data script), you can configure which log files to send to CloudWatch, such as syslog via the --syslog flag, the auth log via the --authlog flag, or custom log files via one or more --log-file flags:

/etc/user-data/cloudwatch-agent/configure-cloudwatch-agent.sh \
--syslog \
--authlog \
--log-file /var/log/kern.log \
--log-group-name example-log-group \
--log-stream-name '{instance_id}-syslog'

Finally, start the CloudWatch Unified Agent:

/etc/user-data/cloudwatch-agent/restart-cloudwatch-agent.sh

Now, the log files you specified will be automatically sent to CloudWatch, as well as critical metrics for your EC2 instance not available by default in CloudWatch, such as memory and disk space usage. Check out the cloudwatch-agent example for fully working sample code.
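The three steps above (configure, restart, and then trust that the agent is running) can be wired into one User Data script. The following is an added example, not code from the cloudwatch-agent module: it builds the --log-file flags from a list, runs the module’s configure and restart scripts shown above, and then asks the agent’s own control script (amazon-cloudwatch-agent-ctl, installed with the agent package) for its status, so a boot where the agent silently failed to start is reported as a failure instead of going unnoticed. The script paths are the ones in this newsletter; the agent-ctl path and the shape of its status output are assumptions about the agent package, and all three paths can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not Gruntwork's code): User Data glue for the cloudwatch-agent
# module that configures log shipping, restarts the agent and verifies it is up.
set -eu

# Scripts installed by the cloudwatch-agent module (paths from the newsletter)
# and the control script shipped with the agent package (assumed path).
CONFIGURE="${CONFIGURE:-/etc/user-data/cloudwatch-agent/configure-cloudwatch-agent.sh}"
RESTART="${RESTART:-/etc/user-data/cloudwatch-agent/restart-cloudwatch-agent.sh}"
AGENT_CTL="${AGENT_CTL:-/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl}"

# Expand a whitespace-separated list of paths into repeated --log-file flags,
# one flag/value pair per line. The caller word-splits this output, so the
# paths must not contain whitespace (fine for files under /var/log).
cw_log_file_args() {
  for f in $1; do
    printf '%s %s\n' --log-file "$f"
  done
}

# Read the JSON that `amazon-cloudwatch-agent-ctl -a status` prints on stdin
# and succeed only if it reports "status": "running".
cw_agent_is_running() {
  grep -Eq '"status"[[:space:]]*:[[:space:]]*"running"'
}

# Ship syslog, the auth log and any extra files to LOG_GROUP, start the agent
# and verify it came up. Usage: cw_configure_and_start LOG_GROUP [EXTRA_FILES]
cw_configure_and_start() {
  log_group="$1"
  extra_logs="${2:-}"
  # Word splitting of the generated flags is intended here.
  "$CONFIGURE" --syslog --authlog $(cw_log_file_args "$extra_logs") \
    --log-group-name "$log_group" \
    --log-stream-name '{instance_id}-syslog'
  "$RESTART"
  if ! "$AGENT_CTL" -a status | cw_agent_is_running; then
    echo "cloudwatch-agent is not running after restart; see the agent log under /opt/aws/amazon-cloudwatch-agent/logs" >&2
    return 1
  fi
}

# In User Data, source this file and call, for example:
#   cw_configure_and_start example-log-group "/var/log/kern.log /var/log/dpkg.log"
```

Because the check runs inside User Data, a non-zero exit shows up in the cloud-init log and can be wired into an ASG lifecycle hook or health check, which is what you want for the auth log in particular: an instance that quietly stops shipping /var/log/auth.log is a detection gap, not just a monitoring one.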

What to do about it: Give the new cloudwatch-agent module a shot and let us know what you think!

Ubuntu 20.04 progress

Motivation: Ubuntu 20.04 has been the latest Ubuntu LTS release since April 23rd, 2020. It is a major release with notable backward incompatible changes, including the removal of Python 2.7 as a default package. These changes have prevented our modules from functioning on Ubuntu 20.04 images.

Solution: We’ve started the work to update all our modules to be compatible with Ubuntu 20.04! So far, the following modules have been confirmed to work with Ubuntu 20.04 (and the release where the confirmation was made):

The following modules are on deck:

  • terraform-aws-security
  • terraform-aws-ci
  • terraform-aws-service-catalog
  • terraform-aws-zookeeper
  • terraform-aws-kafka
  • terraform-aws-vault
  • terraform-aws-consul
  • terraform-aws-nomad
  • terraform-aws-elk
  • terraform-aws-couchbase

What to do about it: Keep an eye out for our releases and the monthly newsletter for continuous updates on the progress of Ubuntu 20.04 compatibility in our modules!

Service Catalog Updates

terraform-aws-service-catalog

  • v0.20.4: Use usable_fargate_subnet_ids for aws-auth-merger fargate profile
  • v0.20.5: Support empty list for secrets_access in ecs-service. Output aws-auth-merger namespace name. Update dependency gruntwork-io/terraform-aws-ci to v0.30.0.
  • v0.21.0: You can now configure multiple domain names to route to the ALB. This is useful if you want to use host based routing for your services.
  • v0.22.0: The default version of Jenkins that gets installed by the jenkins module has been updated to the latest LTS release. This is a backwards incompatible change: refer to the release notes for more details.
  • v0.23.0: Updated redis module to resolve an issue with multi AZ deployments. This is a backwards incompatible change: refer to the release notes for more details. Creation of network ACLs is now optional in both vpc and vpc-mgmt services. Update dependency gruntwork-io/terraform-aws-load-balancer to v0.22.0. Update default version of gruntwork-io/terragrunt installed on CI servers to v0.28.11.
  • v0.23.1: vpc and vpc-mgmt services now expose vpc-ready output parameter.
  • v0.23.2: Expose a number of missing fields in the alb service that you can now optionally configure.
  • v0.23.3: You can now set tags in the s3-bucket service using the new tags input variable.
  • v0.24.0: The s3-bucket now sets the access_logging_bucket param to null by default. This makes it easier to use the module with Terragrunt.
  • v0.24.1: Update dependency gruntwork-io/terragrunt to v0.28.16. Update dependency gruntwork-io/terraform-aws-vpc to 0.14.4 in the vpc-mgmt module.
  • v0.24.2: Packer templates have been updated to accept an instance_type variable. The value of that variable will be used to determine the EC2 instance type used by the Packer builder. This is to work around issues where the default type, t3.micro, is unavailable in some regions/AZs.
  • v0.25.0: A few of the variables in the vpc-mgmt module had default values configured and were thus optional, when they should have been required. This release removes these defaults values thus making the variables required. In the unlikely case that you previously relied on these defaults, you will have to make changes to explicitly supply values for these variables.
  • v0.26.0: Address various inconsistencies in the ecs-service module. Update multiple dependencies. Refer to the Release Notes for more details.
  • v0.27.0: Updates the following dependencies: gruntwork-io/gruntwork-installer ; gruntwork-io/terraform-aws-ci ; gruntwork-io/terraform-aws-ecs
  • v0.27.1: Updates the following dependencies: gruntwork-io/terraform-aws-load-balancer ; gruntwork-io/terraform-aws-static-assets . Add Access Analyzer to aws_service_access_principals at landingzone/account-baseline-root.
  • v0.27.2: Expose ability to configure TTL of domains in k8s-service module. Exposes eks_kubeconfig output in the eks-cluster module from underlying eks-cluster-control-plane module. Allows disabling EBS volumes in Elasticsearch domains, thus permitting the use of instance types with optimized instance storage such as i3 instances.
  • v0.27.3: Port of account-baseline-root fixes from terraform-aws-security (v0.45.6 and v0.46.2).
  • v0.28.0: Update various dependencies. Add ability to specify the encryption configuration for the images in the ECR repo. Fix several bugs in the ecs-cluster module. This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.29.0: Update dependency gruntwork-io/terragrunt to v0.28.19. Also update dependency gruntwork-io/terraform-aws-eks to v0.35.1 (was v0.33.1). This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.30.0: Update various dependencies. The jenkins module will now force https protocol for the ALB. The domain settings for openvpn-server now allow you to specify a custom domain. account-baseline-app now has a number of conditional variables that can be used to enable/disable the creation of resources and can optionally deploy the iam-access-analyzer-multi-region module. This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.31.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.32.0: Encryption is now enabled by default for Elasticsearch. Encryption is now by default for the Jenkins EBS volume. All Packer templates now enable encryption by default for the root volume of the image. The sns-topics module now accepts a kms_master_key_id and a list of allow_publish_services that allow the given AWS services to publish to the SNS topic. This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.33.0: Enhance ordering of wildcard certificates when creating public zones. You can now order a single certificate that protects both the apex (example.com) and the first level of subdomains (*.example.com) by passing *.example.com in the subject_alternative_names field. This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.34.0: EKS clusters use short-lived authentication tokens that can expire in the middle of an ‘apply’ or ‘destroy’. This has been a potential problem for some time now with Terraform and EKS, but in our testing with Terraform 0.14, the problem has become more frequent. To work around this issue, we have updated the eks-cluster and eks-core-services modules to be able to use an exec-based plugin to fetch an up-to-date token. This is a backward incompatible change. Refer to the Release notes for more info.
  • v0.34.1: Fix a bug in the output variables of the route53 module that, depending on the inputs you passed in, could lead to an "Inconsistent conditional result types" error.

terraform-aws-cis-service-catalog

  • v0.11.0: Updated all the underlying modules to their latest versions
  • v0.11.1: Update IAM password policy to CIS v1.3. Some password restrictions no longer apply.
  • v0.11.2: New module: aws-config-multi-region. This module has the IAM password policy checks for CIS.
  • v0.11.4: Cloudtrail SNS topics can now be encrypted via the new benchmark_alarm_sns_topic_kms_master_key_id variable.
  • v0.12.0: Add new modules for VPC and Management VPC, and integrate them with existing Network ACL modules, thus creating AWS CIS-compliant VPC modules.
  • v0.13.0: Flow logs are now always created in modules vpc and vpc-mgmt. To achieve this, these two modules no longer expose the variable create_flow_logs. This release also exposes additional properties of, and removes one variable from, the CIS version of the aws-config-multi-region module: config_name, should_create_sns_topic, sns_topic_name, and kms_key_arn were added, and enable_root_account_mfa_rule was removed.
  • v0.14.0: Updated the underlying modules to their latest versions

Open Source Updates

Terragrunt

  • v0.28.8: Terragrunt will now remove extraneous newlines from the log output of the run-all command.
  • v0.28.9: Updated the version of the AWS Go SDK used in Terragrunt. This should allow Terragrunt to work with AWS SSO / AWS CLI v2.
  • v0.28.10: Added a new property accesslogging_target_prefix to enable control over the TargetPrefix setting when Server Access Logging is enabled for Remote TF State S3 buckets.
  • v0.28.11: This release introduces a new command validate-inputs. You can use this to sanity check the inputs you are passing through terragrunt against the available variables in the terraform module. Refer to the command docs for more info.
  • v0.28.12: Starting this release, we will be publishing binaries for the darwin/arm64 (compatible with Mac M1 chips) and linux/arm64 platforms.
  • v0.28.13: We have updated the creack/pty dependency to version 1.1.11. This will hopefully fix the "Setctty set but Ctty not valid in child" error when using terragrunt console.
  • v0.28.14: Hook configurations now accept a working_dir attribute to specify where the command should run.
  • v0.28.15: You can now specify a custom DynamoDB endpoint on the remote state configuration for S3 using the dynamodb_endpoint attribute in the config.
  • v0.28.16: Add a new helper function get_terragrunt_source_cli_flag for getting the value passed for the --terragrunt-source arg. This is useful for implementing various logic that depends on whether terragrunt is running in local dev mode or not. The source getter for terragrunt now supports multiple forced getters, such as git-remote-codecommit URLs.
  • v0.28.17: When automatically calling terraform init, Terragrunt will no longer pass the deprecated -get-plugins flag.
  • v0.28.18: Fixes bug where default = null was viewed as a required input variable by validate-inputs.
  • v0.28.19: Updated Terragrunt’s auto retry functionality so that you can now configure the number of retry attempts and the time between retries using the new config attributes retry_max_attempts and retry_sleep_interval_sec, respectively.
  • v0.28.20: When you pass in --terragrunt-strict-include, Terragrunt will now only execute within the directories passed in via --terragrunt-include-dir. If you set --terragrunt-strict-include, but don't pass in any directories via --terragrunt-include-dir, then Terragrunt will exit without doing anything.
  • v0.28.21: Added a new get_original_terragrunt_dir() helper, which returns the directory where the original Terragrunt configuration file (by default terragrunt.hcl) lives. This is primarily useful when one Terragrunt config is being read from another: e.g., if /terraform-code/terragrunt.hcl calls read_terragrunt_config("/foo/bar.hcl"), and within bar.hcl, you call get_original_terragrunt_dir(), you'll get back /terraform-code. Updated the generate and remote_state settings so that they can be set either as blocks or attributes. This makes it possible to, for example, read these settings from common.hcl using read_terragrunt_config and set them dynamically.
  • v0.28.22: Updated the versions of sops, aws-sdk-go, and vault libraries that we depend on. As a result, the sops_decrypt_file() function should now work with data encrypted via HashiCorp Vault.
  • v0.28.23: Remove init from the list of commands returned by get_terraform_commands_that_need_locking(), as init does not support locking, and as of Terraform 0.15, will exit with an error if you try to use the lock parameters with it.
  • v0.28.24: If skip_bucket_versioning is set to true, and you are using GCS as a backend, Terragrunt will not only not enable versioning automatically, but now it will also no longer try to check if versioning is enabled either.

Terratest

  • v0.32.9: Remove debug logging from azure code that was polluting the stdout in tests. You can now specify a docker build target via the new Target field in the docker.BuildOptions struct. Fix link in the docs website to the GCP example.
  • v0.32.10: This is an internal refactor to rename one of the libraries that terratest depends on. There shouldn’t be any functional difference to the modules.
  • v0.32.11: Added new aws.GetRecommendedRdsInstanceType methods which allow you to pass in a list of RDS instance types (e.g., db.t2.micro, db.t3.micro, etc) and get back an instance type that is supported in the current region. This is useful for running automated tests against RDS code across multiple regions, as not all regions support all instance types.
  • v0.32.12: Add helper functions for interacting with ReplicaSets.
  • v0.32.13: Add configuration option for terraform plugin dir to the terraform.Options struct (using the PluginDir attribute).
  • v0.32.14: Introduce a helper function (ContainerInspect.GetExposedHostPort) to get the randomized host ports exposed by the -P flag.
  • v0.32.15: Minor bug fixes! Improved some k8s ReplicaSet tests and fixed a bug in git when getting the current branch when there are no commits.
  • v0.32.16: Fix a bug where terraform.TgApplyAll and terraform.TgDestroyAll was ignoring the Lock configuration in terraform.Options.
  • v0.32.17: Added a terraform.WorkspaceDelete function for deleting Terraform workspaces.
  • v0.32.18: Fix bug in helm.RenderTemplate where it leaks stderr (e.g., warning logs) into the yaml output.
  • v0.32.19: Add helper functions to make it easier to navigate plan structures. Refer to terraform_aws_example_plan_test.go for example usage of the new functions.
  • v0.32.20: Add helper methods to check SSH connections/commands with retry
  • v0.32.21: Added a new aws.InvokeFunctionWithParams function that gives you more control when invoking Lambda functions.
  • v0.32.22: Feature: enable Azure PostgreSQL Server testing. Refer to the new functions in azure/postgresql.go for the list of supported actions.
  • v0.32.23: Added a terraform.Validate function you can use to run terraform validate in your test suites.

go-commons (previously gruntwork-cli)

  • v0.8.0: The package has been renamed to go-commons. You will need to update your references from gruntwork-cli to go-commons to use the updated version.
  • v0.8.1: Add new functions to allow running a command over SSH.
  • v0.8.2: Add new functions to allow for retrying a specific action.

fetch

  • v0.4.2: Update the build to publish Darwin / ARM 64 binaries that work with the new ARM-based Macs.

kubergrunt

  • v0.6.11: This is an internal code cleanup release, where some functions were moved to a common library. There is no change in behavior to kubergrunt in this release.

terraform-aws-consul

  • v0.8.6: Fix a bug in how install-consul checks that the consul binary was installed correctly to handle the case where the install dir has restricted permissions.

bash-commons

  • v0.1.4: Added a new aws_wrapper_get_asg_rally_point function that can calculate a "rally point" instance in an Auto Scaling Group (ASG) and return its hostname. This is a deterministic way for the instances in an ASG to all pick the same single instance to perform some action: e.g., this instance could become the leader in a cluster or run some initialization script that should only be run once for the entire ASG. Under the hood, this method picks the instance in the ASG with the earliest launch time; in the case of ties, the instance with the earliest instance ID (lexicographically) is returned.
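The selection rule above (earliest launch time, ties broken by the lexicographically smallest instance ID) is easy to get subtly wrong, so here it is spelled out as an added example. This is not the bash-commons implementation: it is a small POSIX shell version that takes "<instance-id> <launch-time>" lines on stdin, plus a helper that builds that listing from the AWS CLI for the InService members of an ASG. The sample listing is constructed, and the example assumes launch times are ISO 8601 UTC timestamps of one consistent shape (as a single describe-instances call returns them), which is what makes plain text sorting equal to chronological sorting.

```shell
#!/bin/sh
# Added example (not the bash-commons code): deterministic rally-point
# selection for an Auto Scaling Group.
set -eu

# Build "<id> <launch-time>" lines for the InService members of an ASG using
# the AWS CLI. Needs autoscaling:DescribeAutoScalingGroups and
# ec2:DescribeInstances; not exercised offline.
asg_list_instances() {
  asg_name="$1"
  ids=$(aws autoscaling describe-auto-scaling-groups \
    --auto-scaling-group-names "$asg_name" \
    --query 'AutoScalingGroups[0].Instances[?LifecycleState==`InService`].InstanceId' \
    --output text)
  # Word splitting of $ids is intended: --output text gives tab-separated IDs.
  aws ec2 describe-instances --instance-ids $ids \
    --query 'Reservations[].Instances[].[InstanceId,LaunchTime]' \
    --output text
}

# Pick the rally point from the listing on stdin: sort by launch time, then by
# instance ID, and take the first line. LC_ALL=C keeps the tie-break purely
# byte-wise so every instance, whatever its locale, agrees on the answer.
asg_rally_point() {
  LC_ALL=C sort -k2,2 -k1,1 | head -n 1 | awk '{print $1}'
}

# Succeed if the instance ID in $1 is the rally point for the listing on stdin,
# e.g. to gate a run-once cluster bootstrap step.
asg_i_am_rally_point() {
  [ "$(asg_rally_point)" = "$1" ]
}

# Constructed sample listing (not real data): two instances launched in the
# same second, and one launched later. The expected rally point is i-0a1.
SAMPLE_ASG='i-0c3 2021-04-02T10:15:30Z
i-0a1 2021-04-02T10:15:30Z
i-0b2 2021-04-02T10:16:05Z'

# Stand-alone usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_ASG" | asg_rally_point
# Against a real ASG (assumed name):
#   asg_list_instances my-asg | asg_i_am_rally_point "$(ec2metadata --instance-id)"
```

The rule is only deterministic if every instance evaluates it over the same membership snapshot. During a scale-out, an instance that boots early can see a shorter listing than one that boots a few seconds later, so callers normally wait until the ASG reports its desired capacity before asking who the rally point is.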

terraform-aws-vault

  • v0.14.3: You can now enable access logging for the Vault ELB using the new access_logs input variable.
  • v0.15.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.15.1: You can now tell install-vault to skip calling apt-get update or yum update by passing the --skip-package-update flag.

terraform-kubernetes-namespace

  • v0.2.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-couchbase

  • v0.5.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

gruntwork-installer

  • v0.0.36: Added some missing CLI options in the help text.

terraform-aws-nomad

  • v0.8.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

cloud-nuke

  • v0.1.29: Update to the latest versions of Go and the build-go-binaries script, so cloud-nuke will now build binaries for Darwin ARM 64 CPUs.

Other updates

terraform-aws-asg

  • v0.12.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.12.1: Replace usage of null_data_source with locals to resolve deprecation warning.

terraform-aws-vpc

  • v0.14.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.14.1: Support for optional resource creation via the create_resources parameter was added to the following modules: network-acl-inbound, network-acl-outbound, vpc-app-network-acls .
  • v0.14.2: Support for optional resource creation via the create_resources parameter was added to vpc-mgmt-network-acls.
  • v0.14.3: Older versions of Terraform could not use lists with ternary syntax, so we had to use split and join to work around it. This should not be a problem in current Terraform versions, so we've removed the workaround in this release. There should be no change in behavior, other than, as a nice side effect, plan output should work better now for NAT Gateways.
  • v0.14.4: If create_resources was set to false in the vpc-mgmt-network-acls module, the module would break due to attempting to index empty lists. This release fixes that bug.

terraform-aws-server

  • v0.11.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-ci

  • v0.30.0: You can now build docker images against a specific commit SHA in the ECS Deploy Runner using the --sha argument to build-docker-image script.
  • v0.31.0: build-go-binaries now supports building arbitrary os and architecture combinations with the new --osarch flag. build-go-binaries now defaults to building the following binaries: darwin/amd64, darwin/arm64, linux/amd64, linux/386, linux/arm64, windows/amd64, windows/386.
  • v0.31.1: Fixes a bug in the ecs-deploy-runner fargate runtime where it did not support running scripts with no args.

terraform-aws-messaging

  • v0.4.4: Fix a bug where the sns module would show errors with output variable access when create_resources was set to false.

terraform-aws-security

  • v0.45.4: Exposed the ability to encrypt the SNS topic in the Guard Duty modules with a KMS CMK.
  • v0.45.5: Fix conditional formatting in account-baseline-root and aws-organizations; Improve the CloudTrail test: fix swapped assert.Equal parameters; Pin CloudTrail to AWS provider 3 to standardize behavior; Do not call data sources when create_resources = false in the aws-config module.
  • v0.45.6: This release fixes a bug in the account-baseline-root module in which certain changes to the child account configuration would result in permissions errors.
  • v0.45.7: Add create_resources variable to iam-user-password-policy module
  • v0.45.8: Update the billing IAM policy to use the AWS-managed billing policy under the hood (so it’s always up to date), but still layer the MFA requirement on top. This will also affect the modules that use this policy under the hood, including the billing IAM group in the iam-groups module and the billing IAM role in the cross-account-iam-roles module. The cloudtrail-bucket, cloudtrail, and account-baseline-root modules now all expose a new cloudtrail_organization_id input variable that you can use to configure an organization-wide CloudTrail.
  • v0.46.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.46.1: Update the read-only policy in the iam-policies module to the latest permissions for Amazon Elasticsearch. Note that this will also affect the modules that rely on iam-policies, including iam-groups and cross-account-iam-roles.
  • v0.46.2: Fixes an issue in account-baseline-root introduced in v0.45.6 when creating an organization. The module will now sleep for enough time to allow the Organization and child accounts be created.
  • v0.46.3: You can now enable access logging for the CloudTrail S3 bucket in account-baseline-root using the new enable_cloudtrail_s3_server_access_logging input variable.
  • v0.46.4: Adds Glue actions to the ReadOnlyAccess IAM policy.
  • v0.46.5: Fixes the empty tuple errors when setting var.create_resources to false in the iam-user-password-policy module.

terraform-aws-load-balancer

  • v0.22.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.23.0: Fix bug where the listener_arns attribute was ignored on each rules map in the lb-listener-rules module.
  • v0.24.0: Clarify in docs and comments that hosted_zone_id is required when you request a certificate whose domain does not exactly match the name of the hosted zone you are attaching it to. This is a backward incompatible change. Refer to the Release notes for more info.

terraform-aws-lambda

  • v0.10.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!
  • v0.10.1: You can now use Docker images with the lambda module by specifying the new input variables image_uri, entry_point, command, and working_directory.

terraform-aws-sam

  • v0.4.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-kafka

  • v0.7.1: You can now configure which CloudWatch metrics to enable for the ASGs in the kafka-cluster and confluent-tools-cluster modules using the new enabled_metrics input variable.
  • v0.8.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-data-storage

  • v0.18.1: Set ignore_changes on the snapshot_identifier param in the redshift module so that you can properly restore Redshift clusters from snapshots.

terraform-aws-eks

  • v0.33.1: You can now force detach policies on destroy for the IAM role created with self managed workers through the eks-cluster-workers module.
  • v0.34.0: You can now customize the external-dns service to directly configure the list of sources it watches using the sources input variable. You can now configure the external-dns service to only watch for resources in a specific namespace using the endpoints_namespace input variable. You can now grant the cluster-autoscaler service permission to query and manipulate any ASGs tagged k8s.io/cluster-autoscaler/CLUSTER_NAME instead of only the set of ASGs that were passed in. You can now configure the eks-k8s-cluster-autoscaler module to create a Fargate Profile but use an existing Fargate execution role that is created in the same terraform configuration. Previously this led to an error due to count values not being available at plan time.
  • v0.35.0: The naming logic of the default Fargate execution IAM role has been modified to support longer cluster names. You can now directly set the IAM role name using the new custom_fargate_iam_role_name input variable.
  • v0.35.1: Bump default helm chart versions of essential services to latest versions. Also bump default version of AWS Load Balancer Controller to v2.1.3 (was v2.0.1).
  • v0.35.2: You can now configure additional outputs for fluent-bit using the extra_outputs input variable.
  • v0.36.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-monitoring

  • v0.26.0: All the modules except logs/cloudwatch-log-aggregation-scripts have been tested for compatibility with Ubuntu 20.04. If you wish to use the log aggregation scripts on Ubuntu 20.04, migrate to the new Unified CloudWatch Agent using the agents/cloudwatch-agent module. This release introduces a new module (agents/cloudwatch-agent) for installing and configuring the Unified CloudWatch Agent, which can be used for sending both metrics and logs to CloudWatch.
  • v0.26.1: You can now configure custom auth settings for the nested provider block within the route53-health-check-alarms module using the new input variables provider_role_arn, provider_external_id, provider_session_name, provider_profile, and provider_shared_credentials_file.

terraform-aws-ecs

  • v0.26.0: Fix the volumes param in the ecs-service and ecs-daemon-service modules so that volumes can be updated safely, support optional params, and support the docker_volume_configuration. This is a breaking change, so make sure to see the Migration Guide below for how to upgrade.
  • v0.26.1: Fix a bug where the aws_ecs_task_definition for the canary task was not setting the execution_role_arn param.
  • v0.27.0: Remove var.environment_name from ecs-service and ecs-daemon-service. This was only used to name the IAM resources created within the modules, but was confusingly named. The functionality of the variable has been replaced with the following three, targeted variables. Refer to the release notes for more details.
  • v0.27.1: Fix health check and timeout settings for the target groups created by ecs-service. Depending on the protocol you're using (e.g., TCP, UDP, TLS, etc), only certain values are permitted.
  • v0.28.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform 0.14.x!

terraform-aws-openvpn

  • v0.14.1: You can now customize the mssfix value used in the openvpn config that is downloaded by openvpn-admin by using the --mssfix flag. Additionally, the openvpn-admin command will automatically identify the optimal mssfix value to use for the client machine when omitted.

DevOps News

Amazon has forked Elasticsearch into a new project called OpenSearch

What happened: Amazon has announced OpenSearch, an open source fork of Elasticsearch and Kibana. Also, Amazon’s Elasticsearch service is now called Amazon OpenSearch.

Why it matters: There’s a long history here, but the short, oversimplified version is:

  1. Elasticsearch started as an open source project.
  2. Elastic.co, the company behind Elasticsearch, monetized the project by offering a SaaS / hosted version of Elasticsearch.
  3. Amazon released their own SaaS / hosted version of Elasticsearch called Amazon Elasticsearch.
  4. Elastic.co changed the license on Elasticsearch to explicitly ban competitive SaaS offerings. So the code is no longer under a “true” open source license.
  5. To work around the license change, Amazon has created OpenSearch, a fully open source version of Elasticsearch.
  6. Organizations such as Red Hat, SAP, Capital One, and Logz.io are apparently in support of OpenSearch too.

This is quite a messy situation. Could Amazon have partnered with Elastic.co instead of creating a competitive offering? Could Elastic.co have survived without moving away from a true open source license?

What to do about it: I suppose we now all need to pick sides. Will you stick by Elastic.co and Elasticsearch? Or will you be migrating to OpenSearch? Let us know!

EKS clusters boot faster now!

What happened: Amazon has announced that they have reduced the time it takes to spin up an EKS control plane by 40%.

Why it matters: Spinning up an EKS cluster used to take a long time, often well over 20 minutes. Now it takes less than 9. If you spin up EKS clusters often—e.g., for test environments—this is a huge win.

What to do about it: The change is live already, so there’s nothing for you to do, but enjoy the time savings!