Gruntwork Newsletter, December, 2023

Yevgeniy Brikman
Published in Gruntwork
Dec 21, 2023

Every few months, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made since the last newsletter and news from the DevOps industry. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.

Hello Grunts,

In the last few months, we updated our Landing Zone solution with a self-service account factory that can automate the process of setting up a new multi-account structure and full SDLC (Software Development Life Cycle) workflow for your dev teams; updated our VPC code with support for IPv6, IPAM, transit subnets, private NATs, and black hole routes; and made huge progress on OpenTofu, including a release candidate that may become our first stable release. Also, one more reminder: Gruntwork will be closed for two weeks for the winter break. Happy holidays!

As always, if you have any questions or need help, email us at support@gruntwork.io!

Gruntwork Updates

[NEW] Account factory: multi-account, multi-team, full SDLC

Gruntwork’s Landing Zone solution now supports a self-service account factory that can automate the process of setting up a new multi-account structure and full SDLC (Software Development Life Cycle) workflow for your dev teams. Here’s a quick outline of how it works:

  1. Fill out the account request form. Your dev team fills out a web form (which you can customize to your needs), specifying the details of the account structure they need: e.g., team name, department, billing code, etc.
  2. Automated account creation in Control Tower. When they submit the form, this kicks off an automated account provisioning process that provisions new AWS accounts for that team—e.g., dev, stage, and prod—using Control Tower. This allows you to use Control Tower as your single pane of glass for all of your AWS accounts.
  3. Automated baselining. The automated account provisioning process applies a secure baseline to every account, ensuring it is configured with CloudTrail, GuardDuty, Macie, IAM Access Analyzer, default EBS encryption, Security Hub, IAM roles, SSO access, OIDC providers, and all the other security, monitoring, and auth features you need.
  4. Automated networking. The automated account provisioning process configures networking in the new AWS account, including setting up a VPC, subnets, routes, Internet gateways, NAT gateways, and Transit Gateway (TGW) associations and routing.
  5. Automated repo scaffolding. The automated account provisioning process creates a new GitHub repo for the team that is pre-configured with Terraform and Terragrunt best-practices out of the box, including the recommended multi-account folder structure, backend configuration, automated testing practices, and more.
  6. Automated CI / CD. The automated account provisioning process sets up Gruntwork Pipelines inside the new GitHub repo, configuring a GitOps-driven CI / CD workflow that automatically runs plan and apply, automated tests, and policy checks, and enforces ACLs on every commit and pull request.
  7. Automated updates and promotion workflows. The automated account provisioning process sets up Patcher inside the new GitHub repo so that all dependencies are updated automatically via pull requests. These pull requests promote new versions of your dependencies to one environment at a time: e.g., Patcher will first automatically open a PR in dev to update you to the new version; once that is merged and deployed, Patcher will automatically open a PR in stage; and finally, once that is merged and deployed, Patcher will automatically open a PR in prod.

To learn more, read the DevOps Foundations blog post. If you’re interested in a demo or getting access, please reach out to our sales team!

VPC updates: IPv6, IPAM, transit subnets, private NAT, and more

We’ve made a number of updates to our VPC modules, including adding support for:

  • IPv6.
  • Auto provisioning CIDR blocks from AWS IPAM.
  • An optional fourth tier of subnets called “transit subnets”, which are useful for connecting to Transit Gateways.
  • Deploying NATs into private subnets rather than public, which is also useful in conjunction with Transit Gateways.
  • “Black hole” routes (using an ENI not connected to anything).
  • A way to look up VPC data when the VPC code is managed in another repo (where dependency blocks and terraform_remote_state cannot be used).

Check out the vpc-app module, vpc service, and vpc-app-lookup module for the details!
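To show what the features in the list above look like at the resource level, here is an added example written with plain hashicorp/aws provider resources. It is not the vpc-app module or any other Gruntwork code, and it assumes an existing IPAM pool, an existing Transit Gateway, and the constructed CIDR ranges noted in the comments. The security-relevant pieces are the private NAT gateway (no Elastic IP, no Internet path) and the black hole route, which is an ENI attached to nothing so that traffic sent to a forbidden range is dropped inside the VPC.

```hcl
# Added example with plain AWS provider resources; not Gruntwork's vpc-app module.
# Assumed inputs: an existing IPAM pool and an existing Transit Gateway.

variable "ipv4_ipam_pool_id" { type = string }  # assumed: existing IPAM pool id
variable "transit_gateway_id" { type = string } # assumed: existing TGW id

# VPC: IPv4 CIDR allocated from IPAM, IPv6 /56 allocated by AWS.
resource "aws_vpc" "app" {
  ipv4_ipam_pool_id                = var.ipv4_ipam_pool_id
  ipv4_netmask_length              = 20
  assign_generated_ipv6_cidr_block = true
  enable_dns_support               = true
  enable_dns_hostnames             = true
  tags                             = { Name = "app" }
}

# Private (app) subnet, dual-stack: a /64 is carved from the VPC's IPv6 block.
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.app.id
  cidr_block                      = cidrsubnet(aws_vpc.app.cidr_block, 4, 1)
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.app.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
  tags                            = { Name = "app-private", Tier = "private" }
}

# Transit subnet: a small fourth tier that only holds the TGW attachment ENIs
# and the private NAT gateway.
resource "aws_subnet" "transit" {
  vpc_id     = aws_vpc.app.id
  cidr_block = cidrsubnet(aws_vpc.app.cidr_block, 8, 255)
  tags       = { Name = "app-transit", Tier = "transit" }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "app" {
  transit_gateway_id = var.transit_gateway_id
  vpc_id             = aws_vpc.app.id
  subnet_ids         = [aws_subnet.transit.id]
}

# Private NAT gateway: no EIP and no Internet gateway involved. The app subnet
# sends traffic for the corporate range here; the transit subnet forwards it
# to the TGW.
resource "aws_nat_gateway" "private" {
  connectivity_type = "private"
  subnet_id         = aws_subnet.transit.id
}

resource "aws_route_table" "private" { vpc_id = aws_vpc.app.id }
resource "aws_route_table" "transit" { vpc_id = aws_vpc.app.id }

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

resource "aws_route_table_association" "transit" {
  subnet_id      = aws_subnet.transit.id
  route_table_id = aws_route_table.transit.id
}

resource "aws_route" "private_to_nat" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "10.0.0.0/8" # constructed: corporate / other-VPC range
  nat_gateway_id         = aws_nat_gateway.private.id
}

resource "aws_route" "transit_to_tgw" {
  route_table_id         = aws_route_table.transit.id
  destination_cidr_block = "10.0.0.0/8" # constructed: same range, next hop TGW
  transit_gateway_id     = var.transit_gateway_id
}

# Black hole route: an ENI that is attached to nothing. Anything routed to it
# is dropped, which is how you make a specific range unreachable from the VPC
# without relying on security groups or NACLs on every workload.
resource "aws_network_interface" "blackhole" {
  subnet_id = aws_subnet.private.id
  tags      = { Name = "app-blackhole" }
}

resource "aws_route" "blackhole" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "192.168.100.0/24" # constructed: range that must never be reachable
  network_interface_id   = aws_network_interface.blackhole.id
}
```

The route table for the app subnet carries both the NAT next hop and the black hole, so a more specific black hole entry wins over the broader corporate route by longest-prefix match; that is the usual way to carve a denied sub-range out of an otherwise routable block.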

The OpenTofu release candidate is here!

A small holiday gift for everyone: the OpenTofu release candidate is now available! If we find no major issues, this release candidate will become our first stable release on January 10th, 2024!

This is a huge milestone. In 4 months, we’ve gone from the OpenTofu manifesto to 1000+ PRs & issues, 60+ contributors, 50K+ stars (manifesto + OpenTofu), a brand new registry, alpha release, beta release, and now, a release candidate. Read the announcement blog post for the full details.

Give the OpenTofu release candidate a shot—it should be a drop-in replacement for Terraform—and let us know how it works for you. Installation instructions are here and can be as easy as brew install opentofu.

Winter break, 2023

As we do every year, the Gruntwork team will be taking some time off for the winter break. We will be officially closed December 25th — January 5th. We will not be handling support tickets or Slack inquiries during this time, so please plan accordingly.

Thank you for being a Gruntwork customer. We are deeply grateful that you’ve chosen to work with us, helping us make world-class infrastructure and DevOps practices accessible to everyone. We have some very exciting things planned for 2024 and can’t wait to share them with you!

All other Gruntwork releases and updates

You can find details on every single release and update we do in the Gruntwork Releases page of our docs site. And now, you can use Patcher to update your dependencies automatically! If you’re a Gruntwork customer and don’t have access to Patcher yet, please email support@gruntwork.io. If you’re not a Gruntwork customer, please contact our sales team.

Here are the dedicated pages for new Gruntwork releases since the last newsletter:

DevOps News

Amazon Aurora Limitless Database

AWS has announced Aurora Limitless:

Scale your Amazon Aurora clusters to millions of write transactions per second and manage petabytes of data. With this new capability, you can scale your relational database workloads on Aurora beyond the limits of a single Aurora writer instance without needing to create custom application logic or manage multiple databases.

If you’d be interested in support for this in our RDS modules, please file an enhancement request issue in the terraform-aws-data-storage repo.

AWS simplified authn and authz for EKS

AWS has made two improvements to authn and authz for EKS:

  1. Simplified EKS cluster access. In the past, to control access to an EKS cluster, AWS required you to use a ConfigMap to map between IAM roles and EKS permissions, which was always a clunky and awkward experience. AWS has now launched a simpler way to manage access to your EKS clusters.
  2. Simplified Pod IAM role access. AWS has also launched a feature called EKS Pod Identity, which makes it easier to grant your EKS Pods access to IAM roles.

We will be looking to add support for both of these features in our EKS modules soon.
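As an added illustration of both features, here is a plain hashicorp/aws provider example; it is not Gruntwork's EKS module and not code from AWS. It assumes an existing cluster named "app" whose authentication mode has been switched to include the access entry API (the commented aws_eks_cluster fragment shows the setting), an existing IAM role for a platform team, and a Kubernetes service account "orders" in namespace "shop". The resource types used (aws_eks_access_entry, aws_eks_access_policy_association, aws_eks_pod_identity_association, aws_eks_addon) exist in the AWS provider; the minimum provider version that ships all of them is an assumption to check against the provider changelog.

```hcl
# Added example with plain AWS provider resources; not Gruntwork's EKS module.
# Assumed: existing cluster "app", an existing platform-team IAM role, and a
# service account "orders" in namespace "shop".

variable "cluster_name" { default = "app" }        # assumed cluster name
variable "platform_team_role_arn" { type = string } # assumed: existing IAM role

# 1. Cluster access without the aws-auth ConfigMap. The cluster itself needs
#    the access entry API enabled; keeping CONFIG_MAP alongside it lets you
#    migrate mapRoles entries one at a time:
#
#    resource "aws_eks_cluster" "app" {
#      # ...
#      access_config { authentication_mode = "API_AND_CONFIG_MAP" }
#    }

resource "aws_eks_access_entry" "platform_team" {
  cluster_name  = var.cluster_name
  principal_arn = var.platform_team_role_arn
  type          = "STANDARD"
}

# Grant read-only access scoped to a single namespace. With aws-auth the
# common shortcut was mapping a role to system:masters; access policies make
# the narrower grant the easy path.
resource "aws_eks_access_policy_association" "platform_team_view" {
  cluster_name  = var.cluster_name
  principal_arn = aws_eks_access_entry.platform_team.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"

  access_scope {
    type       = "namespace"
    namespaces = ["shop"]
  }
}

# 2. EKS Pod Identity. The agent add-on runs on the nodes; the IAM role trusts
#    the Pod Identity service principal (no per-cluster OIDC provider and no
#    OIDC condition keys in the trust policy); the association binds the role
#    to one service account in one namespace.
resource "aws_eks_addon" "pod_identity_agent" {
  cluster_name = var.cluster_name
  addon_name   = "eks-pod-identity-agent"
}

data "aws_iam_policy_document" "pod_identity_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole", "sts:TagSession"]
    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "orders" {
  name               = "eks-pod-orders"
  assume_role_policy = data.aws_iam_policy_document.pod_identity_trust.json
}

# Constructed, deliberately narrow permission set for the Pod.
resource "aws_iam_role_policy" "orders_s3_read" {
  name = "orders-s3-read"
  role = aws_iam_role.orders.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-orders-bucket/*" # constructed bucket name
    }]
  })
}

resource "aws_eks_pod_identity_association" "orders" {
  cluster_name    = var.cluster_name
  namespace       = "shop"
  service_account = "orders"
  role_arn        = aws_iam_role.orders.arn
  depends_on      = [aws_eks_addon.pod_identity_agent]
}
```

When migrating, list what the ConfigMap currently grants before removing it: every mapRoles entry that points at system:masters needs an explicit decision about whether the principal really needs cluster-wide admin (AmazonEKSClusterAdminPolicy with a cluster scope) or a namespace-scoped policy as above.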

AWS Lambda functions now scale up to 12X faster

AWS has announced that Lambda functions will now scale up to 12x faster:

With this improvement, each function can scale up to a rate of 1,000 concurrent executions every 10 seconds, up to your account concurrency limit.

The new scaling experience is already live and enabled by default for all functions.

Zero-ETL integrations with Amazon Redshift and OpenSearch

Amazon has announced zero-ETL integrations with Amazon Redshift and/or OpenSearch for several of their data stores:


Co-founder of Gruntwork, Author of “Hello, Startup” and “Terraform: Up & Running”