Read our newest book, Fundamentals of DevOps and Software Delivery, for free!

Gruntwork Newsletter, March 2023

Headshot of Amanda Ohmer

Amanda Ohmer

MAR 9, 2022 | 6 min read
Featured Image of Gruntwork Newsletter, March 2023
Every few months, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made since the last newsletter and news from the DevOps industry. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.Hello Grunts,In the last few months, we released Gruntwork Patcher, a new tool to help you keep your infrastructure code up to date automatically, even with breaking changes; added new module and usage examples to our docs site; added a new Gruntwork Pipelines example and video; and made many other bug fixes and improvements.As always, if you have any questions or need help, email us at support@gruntwork.io!

We’re happy to announce the beta release of Gruntwork Patcher, a tool to automatically keep your infrastructure code up-to-date, even with breaking changes!This first release of Patcher allows Gruntwork Compliance customers to upgrade their Reference Architecture from version 1.4 to 1.5 of the CIS AWS Foundations Benchmark, pulling in over 200 changes, and fixing 3 breaking changes — automatically. In our subsequent releases, our goal is to automate just about all upgrades for users of the Gruntwork Infrastructure as Code Library: e.g., you’ll be able to use Patcher to keep your infrastructure up-to-date with the latest version of all the tools and services you use (e.g., new releases of EKS / Kubernetes, Terraform, Terraform providers, Docker, Packer), as well as the latest bug fixes, security patches, tooling updates, and new best practices — automatically.Check out the announcement blog post for a walkthrough of Patcher. If you’re interested in trying Patcher out, please contact the Gruntwork sales team.

A number of customers have requested an easier way to find the full list of the modules and services in the Infrastructure as Code Library and how to use them. We’ve now updated our docs site with a first class reference for:This reference shows all of our modules and services, their documentation, their full API (input and output variables), and sample usage code that you can copy & paste to get started in seconds.

Gruntwork Pipelines offers the most secure way to do CI / CD for app and infrastructure code, but it can be complicated to use. To make it simpler, and help you get started faster, we’ve added:
Give these a shot and let us know if they work for you!

A few months ago, we added new dedicated pages to track all Gruntwork releases, month by month! You can find details on every single update we do in the Gruntwork Releases page of our docs site.Here are the dedicated pages for new Gruntwork releases since the last newsletter:

AWS has launched two new global condition context keys that allow you to create SCPs and IAM policies that limit where an IAM role can be used from. For example, you can now create an SCP that only allows an IAM role to be assumed from EC2 instances in a specific VPC:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}" }, "Null": { "ec2:SourceInstanceARN": "false" }, "BoolIfExists": { "aws:ViaAWSService": "false" } } }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "StringNotEquals": { "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}" }, "Null": { "ec2:SourceInstanceARN": "false" }, "BoolIfExists": { "aws:ViaAWSService": "false" } } } ] }
This makes it much less likely that a malicious actor can abuse an IAM role with powerful permissions.

AWS has updated the defaults for S3 buckets to be more secure: all new objects in S3 will now be encrypted by default and all buckets created after April, 2023, will automatically block public access and disable access control lists.

HashiCorp has released a new TerraCurl provider that offers an “escape hatch” for making RESTful API calls yourself to backfill a Terraform resource or data source that doesn’t exist yet. Here’s a rough example:
resource "terracurl_request" "example" { name = "example" # The API call to make to create the resource url = "http://example.com/some/api" method = "POST" response_codes = [200,201] headers = { Token = "some-api-token" } request_body = <<EOF { "foo": "bar, } EOF # The API call to make to destroy the resource destroy_url = "http://example.com/some/api" destroy_method = "DELETE" destroy_response_codes = [204] destroy_headers = { Token = "some-api-token" } }

One of the big issues with Lambda is cold starts: e.g., executing Java code in a Lambda function the very first time — going through the init phase — can take up to 10 seconds. AWS has launched new functionality called SnapStart that takes your lambda function code right after you upload it, runs it through the init phase, and stores an encrypted snapshot of the disk and memory after initialization. When your lambda function actually gets executed, it runs against this snapshot, so it doesn’t have to do the init phase, which can reduce cold starts by 90%. Currently, AWS only support SnapStart for Java code, but they will be adding support for other languages in the future.
Share
Grunty
Resources

Explore our latest blog

Get the most up-to-date information and trends from our DevOps community.
TerraformResouces Image

Promotion Workflows with Terraform

How to configure GitOps-driven, immutable infrastructure workflows for Terraform using Gruntwork Patcher.
avatar

Jason Griffin

October 3, 2023 7 min read
TerraformResouces Image

The Impact of the HashiCorp License Change on Gruntwork Customers

How to configure GitOps-driven, immutable infrastructure workflows for Terraform using Gruntwork Patcher.
avatar

Josh Padnick

October 3, 2023 7 min read