Gruntwork Newsletter, April 2021
Once a month, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made in the last month, news in the DevOps industry, and important security updates. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.
Hello Grunts,
In the last month, we’ve updated all our code to work with Terraform 0.14 (so it’s time for you to upgrade!), started on the Terraform 0.15 upgrade, released a new Unified CloudWatch Agent module, started updating our code to work with Ubuntu 20.04, and made lots of other fixes and improvements. Also, Gruntwork is now a 5 year old company, and we’ve published a blog post on 5 of the most important lessons we’ve learned along the way!
As always, if you have any questions or need help, email us at support@gruntwork.io!
Gruntwork Updates

It’s time to update to Terraform 0.14!
Motivation: A few months ago, HashiCorp released version 0.14.0 of Terraform. It brought several new features, but also some backwards incompatible changes. In our last newsletter, we announced that most of our modules had been upgraded, but a few items still remained.
Solution: We’ve finished the Terraform 0.14 upgrade and it’s ready for you to take it for a spin! We’ve tested all our modules with Terraform 0.14, fixed all the incompatibility issues we ran into, released new versions of all the repos, and put together a migration guide for you to follow (which includes a version compatibility table).
What to do about it: You can now update all of your repos to use Terraform 0.14 and the new versions of the Gruntwork repos. Follow our migration guide and let us know how it goes!
Terraform 0.15
Motivation: HashiCorp has just released version 0.15 of Terraform. This brings in various new features and improvements, but also many backwards incompatibilities, so now we need to go through and update the entire IaC Library again.
Solution: It looks like HashiCorp is doing these large, backwards incompatible releases far more frequently now, probably on the road to Terraform 1.0.0. We’ll be revisiting how we do upgrades to see if we can speed things up and match HashiCorp’s new, frantic pace.
What to do about it: We will start working on the 0.15 upgrade soon. In the meantime, we recommend upgrading to Terraform 0.14 as per the previous entry.

Gruntwork turns 5!
Motivation: In March, 2021, Gruntwork turned 5 years old, and we wanted to share lessons learned growing the company from nothing to ~20 people and ~$4.5M in annual recurring revenue (ARR), all without raising any money or taking on any debt.
Solution: We wrote a blog post called 5 years of Gruntwork where we share some of the lessons we’ve learned over those 5 years, including:
- Serendipity, timing, and luck
- Talent is evenly distributed, opportunity is not
- It’s a marathon, not a sprint
- Life first, then work
- It’s always day 1
What to do about it: Check out the blog post and let us know what you think!
Unified CloudWatch Agent Module
Motivation: Gruntwork’s IaC Library includes modules to set up CloudWatch Logs Agent and CloudWatch Monitoring Scripts, but nowadays, AWS recommends using the CloudWatch Unified Agent instead, as it handles both logs and metrics.
Solution: We’ve added a new `cloudwatch-agent` module, which makes it easier to configure your EC2 instances to send logs and metrics to CloudWatch. You can install it (e.g., in a Packer template) using the Gruntwork Installer:

```bash
gruntwork-install \
  --module-name agents/cloudwatch-agent \
  --repo https://github.com/gruntwork-io/module-aws-monitoring \
  --ref v0.26.1 \
  --module-param aws-region=us-east-1
```

Then, when your instance is booting (e.g., in a User Data script), you can configure which log files to send to CloudWatch, such as syslog via the `--syslog` flag, the auth log via the `--authlog` flag, or custom log files via one or more `--log-file` flags:

```bash
/etc/user-data/cloudwatch-agent/configure-cloudwatch-agent.sh \
  --syslog \
  --authlog \
  --log-file /var/log/kern.log \
  --log-group-name example-log-group \
  --log-stream-name '{instance_id}-syslog'
```

Finally, start the CloudWatch Unified Agent:

```bash
/etc/user-data/cloudwatch-agent/restart-cloudwatch-agent.sh
```

Now, the log files you specified will be automatically sent to CloudWatch, along with critical metrics for your EC2 instance that CloudWatch does not collect by default, such as memory and disk space usage. Note that the agent authenticates with the instance’s IAM role, so the instance profile must be allowed to write log events and put metric data (the AWS-managed `CloudWatchAgentServerPolicy` covers exactly this); without those permissions the agent process runs but delivers nothing. Check out the `cloudwatch-agent` example for fully working sample code.
What to do about it: Give the new cloudwatch-agent module a shot and let us know what you think!
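As an added example (not code from the `cloudwatch-agent` module or any Gruntwork repo), here is a User Data fragment that chains the two boot-time steps above and then refuses to finish until the agent reports itself running, so a broken agent configuration fails the boot script instead of quietly producing no logs or metrics. It assumes the script paths shown above, AWS’s documented control script at `/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl`, and a placeholder log group name; the two status JSON strings are constructed samples of that control script’s `-a status` output, used only to exercise `agent_is_running`:

```bash
#!/usr/bin/env bash
# Added example, not part of the cloudwatch-agent module: configure and start the
# Unified CloudWatch Agent from User Data, then verify it is actually running.
set -euo pipefail

# Paths installed by `gruntwork-install --module-name agents/cloudwatch-agent`
# (from the text above) and the agent's own control script (AWS's documented path).
CONFIGURE_SCRIPT=/etc/user-data/cloudwatch-agent/configure-cloudwatch-agent.sh
RESTART_SCRIPT=/etc/user-data/cloudwatch-agent/restart-cloudwatch-agent.sh
AGENT_CTL=/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl

# Constructed samples of `amazon-cloudwatch-agent-ctl -a status` output, used to
# exercise agent_is_running without an agent installed. Not captured from a host.
SAMPLE_STATUS_RUNNING='{ "status": "running", "starttime": "2021-04-01T10:00:00+0000", "configstatus": "configured", "version": "1.247347.5" }'
SAMPLE_STATUS_STOPPED='{ "status": "stopped", "starttime": "", "configstatus": "configured", "version": "1.247347.5" }'

# agent_is_running: given the status JSON, return 0 only if the agent reports
# "status": "running". Pure function, so it is testable offline.
agent_is_running() {
  local status_json="$1"
  # Tolerate whitespace differences but require the exact key/value pair.
  printf '%s' "$status_json" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"running"'
}

# wait_for_agent: poll the control script until the agent is running or the
# deadline passes. $1 = max attempts, $2 = seconds between attempts.
wait_for_agent() {
  local max_attempts="$1" sleep_sec="$2" attempt=1
  while [ "$attempt" -le "$max_attempts" ]; do
    if agent_is_running "$("$AGENT_CTL" -a status 2>/dev/null || true)"; then
      return 0
    fi
    echo "cloudwatch-agent not running yet (attempt $attempt/$max_attempts)" >&2
    sleep "$sleep_sec"
    attempt=$((attempt + 1))
  done
  return 1
}

# configure_and_start_agent: the two steps from the text above, followed by a
# fail-closed health check. example-log-group is a placeholder name.
configure_and_start_agent() {
  "$CONFIGURE_SCRIPT" \
    --syslog \
    --authlog \
    --log-file /var/log/kern.log \
    --log-group-name example-log-group \
    --log-stream-name '{instance_id}-syslog'
  "$RESTART_SCRIPT"
  # Exit non-zero if the agent never reports running, so the boot script fails loudly.
  wait_for_agent 12 5 || {
    echo "ERROR: CloudWatch agent failed to start; refusing to continue" >&2
    return 1
  }
}

# Only run the real steps on an instance where the module is installed; the
# functions above can be exercised on their own.
if [ -x "$CONFIGURE_SCRIPT" ] && [ -x "$RESTART_SCRIPT" ]; then
  configure_and_start_agent
fi
```

A non-zero exit from User Data does not by itself mark the instance unhealthy, so make the remainder of your boot script depend on `configure_and_start_agent` (or signal a lifecycle hook from it), and pair this with a CloudWatch alarm on the log group’s `IncomingLogEvents` metric so an instance that goes quiet later is noticed too.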
Ubuntu 20.04 progress
Motivation: Ubuntu 20.04 has been the latest Ubuntu LTS release since April 23rd, 2020. It is a major release with notable backward incompatible changes, including the removal of Python 2.7 as a default package. These changes have prevented our modules from working on Ubuntu 20.04 images.
Solution: We’ve started the work to update all our modules to be compatible with Ubuntu 20.04! So far, the following modules have been confirmed to work with Ubuntu 20.04 (and the release where the confirmation was made):
The following modules are on deck:
- terraform-aws-security
- terraform-aws-ci
- terraform-aws-service-catalog
- terraform-aws-zookeeper
- terraform-aws-kafka
- terraform-aws-vault
- terraform-aws-consul
- terraform-aws-nomad
- terraform-aws-elk
- terraform-aws-couchbase
What to do about it: Keep an eye out for our releases and the monthly newsletter for continuous updates on the progress of Ubuntu 20.04 compatibility in our modules!
Service Catalog Updates
terraform-aws-service-catalog
- v0.20.4: Use `usable_fargate_subnet_ids` for the `aws-auth-merger` Fargate profile.
- v0.20.5: Support an empty list for `secrets_access` in `ecs-service`. Output the `aws-auth-merger` namespace name. Update dependency gruntwork-io/terraform-aws-ci to v0.30.0.
- v0.21.0: You can now configure multiple domain names to route to the ALB. This is useful if you want to use host-based routing for your services.
- v0.22.0: The default version of Jenkins installed by the `jenkins` module has been updated to the latest LTS release. This is a backwards incompatible change: refer to the release notes for more details.
- v0.23.0: Updated the `redis` module to resolve an issue with multi-AZ deployments. This is a backwards incompatible change: refer to the release notes for more details. Creation of network ACLs is now optional in both the `vpc` and `vpc-mgmt` services. Update dependency gruntwork-io/terraform-aws-load-balancer to v0.22.0. Update the default version of gruntwork-io/terragrunt installed on CI servers to v0.28.11.
- v0.23.1: The `vpc` and `vpc-mgmt` services now expose a `vpc-ready` output parameter.
- v0.23.2: Expose a number of missing fields in the `alb` service that you can now optionally configure.
- v0.23.3: You can now set tags in the `s3-bucket` service using the new `tags` input variable.
- v0.24.0: The `s3-bucket` service now sets the `access_logging_bucket` param to `null` by default. This makes it easier to use the module with Terragrunt.
- v0.24.1: Update dependency gruntwork-io/terragrunt to v0.28.16. Update dependency gruntwork-io/terraform-aws-vpc to v0.14.4 in the `vpc-mgmt` module.
- v0.24.2: Packer templates have been updated to accept an `instance_type` variable, which determines the EC2 instance type used by the Packer builder. This works around issues where the default type, `t3.micro`, is unavailable in some regions/AZs.
- v0.25.0: A few of the variables in the `vpc-mgmt` module had default values and were thus optional, when they should have been required. This release removes those defaults, making the variables required. In the unlikely case that you relied on these defaults, you will have to explicitly supply values for these variables.
- v0.26.0: Address various inconsistencies in the `ecs-service` module. Update multiple dependencies. Refer to the release notes for more details.
- v0.27.0: Updates the following dependencies: `gruntwork-io/gruntwork-installer`; `gruntwork-io/terraform-aws-ci`; `gruntwork-io/terraform-aws-ecs`.
- v0.27.1: Updates the following dependencies: `gruntwork-io/terraform-aws-load-balancer`; `gruntwork-io/terraform-aws-static-assets`. Add Access Analyzer to `aws_service_access_principals` in `landingzone/account-baseline-root`.
- v0.27.2: Expose the ability to configure the TTL of domains in the `k8s-service` module. Expose the `eks_kubeconfig` output in the `eks-cluster` module from the underlying `eks-cluster-control-plane` module. Allow disabling EBS volumes in Elasticsearch domains, thus permitting the use of instance types with optimized instance storage such as `i3` instances.
- v0.27.3: Port of `account-baseline-root` fixes from `terraform-aws-security` (v0.45.6 and v0.46.2).
- v0.28.0: Update various dependencies. Add the ability to specify the encryption configuration for the images in the ECR repo. Fix several bugs in the `ecs-cluster` module. This is a backward incompatible change. Refer to the release notes for more info.
- v0.29.0: Update dependency gruntwork-io/terragrunt to v0.28.19. Also update dependency gruntwork-io/terraform-aws-eks to v0.35.1 (was `v0.33.1`). This is a backward incompatible change. Refer to the release notes for more info.
- v0.30.0: Update various dependencies. The `jenkins` module will now force the HTTPS protocol for the ALB. The domain settings for `openvpn-server` now allow you to specify a custom domain. `account-baseline-app` now has a number of conditional variables that can be used to enable/disable the creation of resources and can optionally deploy the `iam-access-analyzer-multi-region` module. This is a backward incompatible change. Refer to the release notes for more info.
- v0.31.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.32.0: Encryption is now enabled by default for Elasticsearch. Encryption is now enabled by default for the Jenkins EBS volume. All Packer templates now enable encryption by default for the root volume of the image. The `sns-topics` module now accepts a `kms_master_key_id` and a list of `allow_publish_services` that allow the given AWS services to publish to the SNS topic. This is a backward incompatible change. Refer to the release notes for more info.
- v0.33.0: Enhance ordering of wildcard certificates when creating public zones. You can now order a single certificate that protects both the apex (example.com) and the first level of subdomains (*.example.com) by passing *.example.com in the `subject_alternative_names` field. This is a backward incompatible change. Refer to the release notes for more info.
- v0.34.0: EKS clusters use short-lived authentication tokens that can expire in the middle of an `apply` or `destroy`. This has been a potential problem with Terraform and EKS for some time, but in our testing with Terraform 0.14 it has become more frequent. To work around this issue, we have updated the `eks-cluster` and `eks-core-services` modules to be able to use an exec-based plugin to fetch an up-to-date token. This is a backward incompatible change. Refer to the release notes for more info.
- v0.34.1: Fix a bug in the output variables of the `route53` module that, depending on the inputs you passed in, could lead to an "Inconsistent conditional result types" error.
terraform-aws-cis-service-catalog
- v0.11.0: Updated all the underlying modules to their latest versions.
- v0.11.1: Update the IAM password policy to CIS v1.3. Some password restrictions no longer apply.
- v0.11.2: New module: `aws-config-multi-region`. This module has the IAM password policy checks for CIS.
- v0.11.4: CloudTrail SNS topics can now be encrypted via the new `benchmark_alarm_sns_topic_kms_master_key_id` variable.
- v0.12.0: Add new modules for VPC and Management VPC, and integrate them with the existing Network ACL modules, thus creating AWS CIS-compliant VPC modules.
- v0.13.0: Flow logs are now always created in the `vpc` and `vpc-mgmt` modules. To achieve this, these two modules no longer expose the `create_flow_logs` variable. This release also exposes more necessary properties and removes variables for configuring the CIS version of the `aws-config-multi-region` module. Namely, `config_name`, `should_create_sns_topic`, `sns_topic_name`, and `kms_key_arn` were added and `enable_root_account_mfa_rule` was removed.
- v0.14.0: Updated the underlying modules to their latest versions.
Open Source Updates
Terragrunt
- v0.28.8: Terragrunt will now remove extraneous newlines from the log output of the `run-all` command.
- v0.28.9: Updated the version of the AWS Go SDK used in Terragrunt. This should allow Terragrunt to work with AWS SSO / AWS CLI v2.
- v0.28.10: Added a new property `accesslogging_target_prefix` to enable control over the `TargetPrefix` setting when Server Access Logging is enabled for remote Terraform state S3 buckets.
- v0.28.11: This release introduces a new command, `validate-inputs`. You can use it to sanity check the inputs you are passing through Terragrunt against the variables available in the Terraform module. Refer to the command docs for more info.
- v0.28.12: Starting with this release, we will be publishing binaries for the `darwin/arm64` (compatible with Mac M1 chips) and `linux/arm64` platforms.
- v0.28.13: We have updated the `creack/pty` dependency to version 1.1.11. This will hopefully fix the "Setctty set but Ctty not valid in child" error when using `terragrunt console`.
- v0.28.14: Hook configurations now accept a `working_dir` attribute to specify where the command should run.
- v0.28.15: You can now specify a custom DynamoDB endpoint in the S3 remote state configuration using the `dynamodb_endpoint` attribute.
- v0.28.16: Add a new helper function `get_terragrunt_source_cli_flag` for getting the value passed for the `--terragrunt-source` arg. This is useful for implementing logic that depends on whether Terragrunt is running in local dev mode or not. The `source` getter for Terragrunt now supports multiple forced getters, such as `git-remote-codecommit` URLs.
- v0.28.17: When automatically calling `terraform init`, Terragrunt will no longer pass the deprecated `-get-plugins` flag.
- v0.28.18: Fixes a bug where `default = null` was viewed as a required input variable by `validate-inputs`.
- v0.28.19: Updated Terragrunt’s auto retry functionality so that you can now configure the number of retry attempts and the time between retries using the new config attributes `retry_max_attempts` and `retry_sleep_interval_sec`, respectively.
- v0.28.20: When you pass in `--terragrunt-strict-include`, Terragrunt will now only execute within the directories passed in via `--terragrunt-include-dir`. If you set `--terragrunt-strict-include` but don’t pass in any directories via `--terragrunt-include-dir`, Terragrunt will exit without doing anything.
- v0.28.21: Added a new `get_original_terragrunt_dir()` helper, which returns the directory where the original Terragrunt configuration file (by default `terragrunt.hcl`) lives. This is primarily useful when one Terragrunt config is being read from another: e.g., if `/terraform-code/terragrunt.hcl` calls `read_terragrunt_config("/foo/bar.hcl")`, and within `bar.hcl` you call `get_original_terragrunt_dir()`, you’ll get back `/terraform-code`. Updated the `generate` and `remote_state` settings so that they can be set either as blocks or as attributes. This makes it possible to, for example, read these settings from `common.hcl` using `read_terragrunt_config` and set them dynamically.
- v0.28.22: Updated the versions of the `sops`, `aws-sdk-go`, and `vault` libraries that we depend on. As a result, the `sops_decrypt_file()` function should now work with data encrypted via HashiCorp Vault.
- v0.28.23: Remove `init` from the list of commands returned by `get_terraform_commands_that_need_locking()`, as `init` does not support locking and, as of Terraform 0.15, will exit with an error if you pass the lock parameters to it.
- v0.28.24: If `skip_bucket_versioning` is set to `true` and you are using GCS as a backend, Terragrunt will not only skip enabling versioning automatically, but will also no longer try to check whether versioning is enabled.
Terratest
- v0.32.9: Remove debug logging from `azure` code that was polluting `stdout` in tests. You can now specify a Docker build target via the new `Target` field in the `docker.BuildOptions` struct. Fix link in the docs website to the GCP example.
- v0.32.10: This is an internal refactor to rename one of the libraries that Terratest depends on. There shouldn’t be any functional difference to the modules.
- v0.32.11: Added new `aws.GetRecommendedRdsInstanceType` methods which allow you to pass in a list of RDS instance types (e.g., `db.t2.micro`, `db.t3.micro`, etc.) and get back an instance type that is supported in the current region. This is useful for running automated tests against RDS code across multiple regions, as not all regions support all instance types.
- v0.32.12: Add helper functions for interacting with ReplicaSets.
- v0.32.13: Add a configuration option for the Terraform plugin dir to the `terraform.Options` struct (using the `PluginDir` attribute).
- v0.32.14: Introduce a helper function (`ContainerInspect.GetExposedHostPort`) to get the randomized host ports exposed by the `-P` flag.
- v0.32.15: Minor bug fixes! Improved some k8s ReplicaSet tests and fixed a bug in the git helpers when getting the current branch of a repo with no commits.
- v0.32.16: Fix a bug where `terraform.TgApplyAll` and `terraform.TgDestroyAll` were ignoring the `Lock` configuration in `terraform.Options`.
- v0.32.17: Added a `terraform.WorkspaceDelete` function for deleting Terraform workspaces.
- v0.32.18: Fix a bug in `helm.RenderTemplate` where it leaked stderr (e.g., warning logs) into the YAML output.
- v0.32.19: Add helper functions to make it easier to navigate `plan` structures. Refer to terraform_aws_example_plan_test.go for example usage of the new functions.
- v0.32.20: Add helper methods to check SSH connections/commands with retry.
- v0.32.21: Added a new `aws.InvokeFunctionWithParams` function that gives you more control when invoking Lambda functions.
- v0.32.22: Feature: enable Azure PostgreSQL Server testing. Refer to the new functions in azure/postgresql.go for the list of supported actions.
- v0.32.23: Added a `terraform.Validate` function you can use to run `terraform validate` in your test suites.
go-commons (previously gruntwork-cli)
- v0.8.0: The package has been renamed to `go-commons`. You will need to update your references from `gruntwork-cli` to `go-commons` to use the updated version.
- v0.8.1: Add new functions to allow running a command over SSH.
- v0.8.2: Add new functions to allow for retrying a specific action.
fetch
- v0.4.2: Update the build to publish Darwin / ARM 64 binaries that work with the new ARM-based Macs.
kubergrunt
- v0.6.11: This is an internal code cleanup release, where some functions were moved to a common library. There is no change in behavior to `kubergrunt` in this release.
terraform-aws-consul
- v0.8.6: Fix a bug in how `install-consul` checks that the `consul` binary was installed correctly, to handle the case where the install dir has restricted permissions.
bash-commons
- v0.1.4: Added a new `aws_wrapper_get_asg_rally_point` function that can calculate a "rally point" instance in an Auto Scaling Group (ASG) and return its hostname. This is a deterministic way for the instances in an ASG to all pick the same single instance to perform some action: e.g., this instance could become the leader in a cluster or run some initialization script that should only be run once for the entire ASG. Under the hood, this method picks the instance in the ASG with the earliest launch time; in the case of ties, the instance with the earliest instance ID (lexicographically) is returned.
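The selection rule above is simple enough to carry in a few lines of shell, so here is an added example (not the bash-commons implementation) that re-implements it over a constructed list of instances instead of calling the EC2 API. Each input line is `<LaunchTime> <InstanceId>` with the launch time in ISO 8601 UTC, the form `aws ec2 describe-instances` returns, so a plain byte-wise sort is also a chronological sort; the instance IDs and timestamps are made up, and the tie on the earliest launch time is deliberate so the lexicographic fallback is exercised:

```bash
#!/usr/bin/env bash
# Added example, not bash-commons code: deterministic "rally point" selection for
# an ASG, given a snapshot of its members. Earliest launch time wins; ties are
# broken by the lexicographically smallest instance ID, as described above.
set -euo pipefail

# Constructed sample membership list (not real instances). Two instances share
# the earliest launch time; the lexicographically smallest ID launched last.
SAMPLE_INSTANCES='2021-04-01T10:00:05Z i-0c3f9e1a7b2d4f608
2021-04-01T10:00:01Z i-0b7e2a9c4d1f3e506
2021-04-01T10:00:01Z i-0a1d4c8e9f0b7e203
2021-04-01T10:00:09Z i-09ff0b3c5d7e9a104'

# pick_rally_point: print the instance ID of the rally point for the given list.
# LC_ALL=C forces byte-wise ordering so both the timestamp and the ID compare
# the same way on every host, which is what makes the choice deterministic.
pick_rally_point() {
  local instances="$1"
  printf '%s\n' "$instances" \
    | sed '/^[[:space:]]*$/d' \
    | LC_ALL=C sort -k1,1 -k2,2 \
    | awk 'NR == 1 { print $2 }'
}

# is_rally_point: return 0 if the given instance ID is the rally point of the
# list, 1 otherwise. Callers gate their run-once work on this.
is_rally_point() {
  local self_id="$1" instances="$2"
  [ "$(pick_rally_point "$instances")" = "$self_id" ]
}

# In real User Data the list would come from describe-auto-scaling-groups plus
# describe-instances and self_id from the instance metadata service; both are
# left out here so the script runs offline.
echo "rally point: $(pick_rally_point "$SAMPLE_INSTANCES")"
```

The answer is only as deterministic as the input: every member must evaluate the same snapshot of the ASG, and an instance that joins while others are deciding can change the result. Anything that must truly happen exactly once (initializing a cluster’s CA or a storage layout, for instance) should therefore still be idempotent or guarded by an external lock rather than trusting the election alone.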
terraform-aws-vault
- v0.14.3: You can now enable access logging for the Vault ELB using the new `access_logs` input variable.
- v0.15.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.15.1: You can now tell `install-vault` to skip calling `apt-get update` or `yum update` by passing the `--skip-package-update` flag.
terraform-kubernetes-namespace
- v0.2.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-couchbase
- v0.5.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
gruntwork-installer
- v0.0.36: Added some missing CLI options in the help text.
terraform-aws-nomad
- v0.8.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
cloud-nuke
- v0.1.29: Update to the latest versions of Go and the `build-go-binaries` script, so `cloud-nuke` will now build binaries for Darwin ARM64 CPUs.
Other updates
terraform-aws-asg
- v0.12.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.12.1: Replace usage of `null_data_source` with `locals` to resolve a deprecation warning.
terraform-aws-vpc
- v0.14.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.14.1: Support for optional resource creation via the `create_resources` parameter was added to the following modules: `network-acl-inbound`, `network-acl-outbound`, `vpc-app-network-acls`.
- v0.14.2: Support for optional resource creation via the `create_resources` parameter was added to `vpc-mgmt-network-acls`.
- v0.14.3: Older versions of Terraform could not use lists with ternary syntax, so we had to use `split` and `join` to work around it. This is no longer a problem in current Terraform versions, so we’ve removed the workaround in this release. There should be no change in behavior, other than, as a nice side effect, `plan` output should work better now for NAT Gateways.
- v0.14.4: If `create_resources` was set to `false` in the `vpc-mgmt-network-acls` module, the module would break due to attempting to index empty lists. This release fixes that bug.
terraform-aws-server
- v0.11.0: Terraform 0.14.0 update. We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-ci
- v0.30.0: You can now build Docker images against a specific commit SHA in the ECS Deploy Runner using the `--sha` argument to the `build-docker-image` script.
- v0.31.0: `build-go-binaries` now supports building arbitrary OS and architecture combinations with the new `--osarch` flag. `build-go-binaries` now defaults to building the following binaries: `darwin/amd64`, `darwin/arm64`, `linux/amd64`, `linux/386`, `linux/arm64`, `windows/amd64`, `windows/386`.
- v0.31.1: Fixes a bug in the `ecs-deploy-runner` Fargate runtime where it did not support running scripts with no args.
terraform-aws-messaging
- v0.4.4: Fix a bug where the `sns` module would show errors with output variable access when `create_resources` was set to `false`.
terraform-aws-security
- v0.45.4: Exposed the ability to encrypt the SNS topic in the GuardDuty modules with a KMS CMK.
- v0.45.5: Fix conditional formatting in `account-baseline-root` and `aws-organizations`; improve the CloudTrail test by fixing swapped `assert.Equal` parameters; pin CloudTrail to AWS provider 3 to standardize behavior; do not call `data` when `create_resources = false` in the aws-config module.
- v0.45.6: This release fixes a bug in the `account-baseline-root` module in which certain changes to the child account configuration would result in permissions errors.
- v0.45.7: Add the `create_resources` variable to the `iam-user-password-policy` module.
- v0.45.8: Update the billing IAM policy to use the AWS-managed billing policy under the hood (so it’s always up to date), but still layer the MFA requirement on top. This will also affect the modules that use this policy under the hood, including the billing IAM group in the `iam-groups` module and the billing IAM role in the `cross-account-iam-roles` module. The `cloudtrail-bucket`, `cloudtrail`, and `account-baseline-root` modules now all expose a new `cloudtrail_organization_id` input variable that you can use to configure an organization-wide CloudTrail.
- v0.46.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.46.1: Update the read-only policy in the `iam-policies` module to the latest permissions for Amazon Elasticsearch. Note that this will also affect the modules that rely on `iam-policies`, including `iam-groups` and `cross-account-iam-roles`.
- v0.46.2: Fixes an issue in `account-baseline-root` introduced in v0.45.6 when creating an organization. The module will now `sleep` long enough to allow the Organization and child accounts to be created.
- v0.46.3: You can now enable access logging for the CloudTrail S3 bucket in `account-baseline-root` using the new `enable_cloudtrail_s3_server_access_logging` input variable.
- v0.46.4: Adds Glue actions to the `ReadOnlyAccess` IAM policy.
- v0.46.5: Fixes the empty tuple errors when setting `var.create_resources` to `false` in the `iam-user-password-policy` module.
terraform-aws-load-balancer
- v0.22.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.23.0: Fix a bug where the `listener_arns` attribute was ignored on each rules map in the `lb-listener-rules` module.
- v0.24.0: Clarify in docs and comments that `hosted_zone_id` is required when you request a certificate whose domain does not exactly match the name of the hosted zone you are attaching it to. This is a backward incompatible change. Refer to the release notes for more info.
terraform-aws-lambda
- v0.10.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
- v0.10.1: You can now use Docker images with the `lambda` module by specifying the new input variables `image_uri`, `entry_point`, `command`, and `working_directory`.
terraform-aws-sam
- v0.4.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-kafka
- v0.7.1: You can now configure which CloudWatch metrics to enable for the ASGs in the `kafka-cluster` and `confluent-tools-cluster` modules using the new `enabled_metrics` input variable.
- v0.8.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-data-storage
- v0.18.1: Set `ignore_changes` on the `snapshot_identifier` param in the `redshift` module so that you can properly restore Redshift clusters from snapshots.
terraform-aws-eks
- v0.33.1: You can now force detach policies on destroy for the IAM role created for self-managed workers through the `eks-cluster-workers` module.
- v0.34.0: You can now customize the `external-dns` service to directly configure the list of sources it watches using the `sources` input variable. You can now configure the `external-dns` service to only watch for resources in a specific namespace using the `endpoints_namespace` input variable. You can now grant the `cluster-autoscaler` service permission to query and manipulate any ASGs carrying the tag `k8s.io/cluster-autoscaler/CLUSTER_NAME` instead of only the set of ASGs that were passed in. You can now configure the `eks-k8s-cluster-autoscaler` module to create a Fargate Profile but use an existing Fargate execution role that is created in the same Terraform configuration. Previously this led to an error due to `count` values not being available at `plan` time.
- v0.35.0: The naming logic of the default Fargate execution IAM role has been modified to support longer cluster names. You can now directly set the IAM role name using the new `custom_fargate_iam_role_name` input variable.
- v0.35.1: Bump the default Helm chart versions of essential services to the latest versions. Also bump the default version of the AWS Load Balancer Controller to `v2.1.3` (was `v2.0.1`).
- v0.35.2: You can now configure additional outputs for `fluent-bit` using the `extra_outputs` input variable.
- v0.36.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-monitoring
- v0.26.0: All the modules except `logs/cloudwatch-log-aggregation-scripts` have been tested for compatibility with Ubuntu 20.04. If you wish to aggregate logs on Ubuntu 20.04, migrate to the new Unified CloudWatch Agent using the `agents/cloudwatch-agent` module. This release introduces that module (`agents/cloudwatch-agent`) for installing and configuring the Unified CloudWatch Agent, which can send both metrics and logs to CloudWatch.
- v0.26.1: You can now configure custom auth settings for the nested `provider` block within the `route53-health-check-alarms` module using the new input variables `provider_role_arn`, `provider_external_id`, `provider_session_name`, `provider_profile`, and `provider_shared_credentials_file`.
terraform-aws-ecs
- v0.26.0: Fix the `volumes` param in the `ecs-service` and `ecs-daemon-service` modules so that volumes can be updated safely, support optional params, and support `docker_volume_configuration`. This is a breaking change, so make sure to follow the Migration Guide in the release notes when you upgrade.
- v0.26.1: Fix a bug where the `aws_ecs_task_definition` for the canary task was not setting the `execution_role_arn` param.
- v0.27.0: Remove `var.environment_name` from `ecs-service` and `ecs-daemon-service`. This was only used to name the IAM resources created within the modules, but was confusingly named. The functionality of the variable has been replaced with three more targeted variables. Refer to the release notes for their names and more details.
- v0.27.1: Fix health check and timeout settings for the target groups created by `ecs-service`. Depending on the protocol you’re using (e.g., TCP, UDP, TLS, etc.), only certain values are permitted.
- v0.28.0: Terraform 0.14 upgrade: We have verified that this repo is compatible with Terraform `0.14.x`!
terraform-aws-openvpn
- v0.14.1: You can now customize the `mssfix` value used in the OpenVPN config downloaded by `openvpn-admin` using the `--mssfix` flag. Additionally, when the flag is omitted, the `openvpn-admin` command will automatically identify the optimal `mssfix` value for the client machine.
DevOps News
Amazon has forked Elasticsearch into a new project called OpenSearch
What happened: Amazon has announced OpenSearch, an open source fork of Elasticsearch and Kibana. Also, Amazon’s Elasticsearch Service is being renamed Amazon OpenSearch Service.
Why it matters: There’s a long history here, but the short, inaccurate version is:
- Elasticsearch started as an open source project.
- Elastic.co, the company behind Elasticsearch, monetized the project by offering a SaaS / hosted version of Elasticsearch.
- Amazon released their own SaaS / hosted version of Elasticsearch called Amazon Elasticsearch.
- Elastic.co changed the license on Elasticsearch to explicitly ban competitive SaaS offerings. So the code is no longer under a “true” open source license.
- To work around the license change, Amazon has created OpenSearch, a fully open source version of Elasticsearch.
- Organizations such as Red Hat, SAP, Capital One, and Logz.io are apparently in support of OpenSearch too.
This is quite a messy situation. Could Amazon have partnered with Elastic.co instead of creating a competitive offering? Could Elastic.co have survived without moving away from a true open source license?
What to do about it: I suppose we now all need to pick sides. Will you stick by Elastic.co and Elasticsearch? Or will you be migrating to OpenSearch? Let us know!
EKS clusters boot faster now!
What happened: Amazon has announced that they have reduced the time it takes to spin up an EKS control plane by 40%.
Why it matters: Spinning up an EKS cluster used to take a long time, often well over 20 minutes. Now it takes less than 9. If you spin up EKS clusters often—e.g., for test environments—this is a huge win.
What to do about it: The change is live already, so there’s nothing for you to do, but enjoy the time savings!