Gruntwork Newsletter, March 2023

Amanda Ohmer, published in Gruntwork
5 min read · Mar 9, 2023


Every few months, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made since the last newsletter and news from the DevOps industry. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.

Hello Grunts,

In the last few months, we released Gruntwork Patcher, a new tool to help you keep your infrastructure code up to date automatically, even with breaking changes; added new module and usage examples to our docs site; added a new Gruntwork Pipelines example and video; and made many other bug fixes and improvements.

As always, if you have any questions or need help, email us at support@gruntwork.io!

Gruntwork Updates

Patcher announcement

We’re happy to announce the beta release of Gruntwork Patcher, a tool to automatically keep your infrastructure code up-to-date, even with breaking changes!

This first release of Patcher allows Gruntwork Compliance customers to upgrade their Reference Architecture from version 1.4 to 1.5 of the CIS AWS Foundations Benchmark, pulling in over 200 changes, and fixing 3 breaking changes — automatically. In our subsequent releases, our goal is to automate just about all upgrades for users of the Gruntwork Infrastructure as Code Library: e.g., you’ll be able to use Patcher to keep your infrastructure up-to-date with the latest version of all the tools and services you use (e.g., new releases of EKS / Kubernetes, Terraform, Terraform providers, Docker, Packer), as well as the latest bug fixes, security patches, tooling updates, and new best practices — automatically.

Check out the announcement blog post for a walkthrough of Patcher. If you’re interested in trying Patcher out, please contact the Gruntwork sales team.

New module and usage examples in docs

A number of customers have requested an easier way to find the full list of the modules and services in the Infrastructure as Code Library and how to use them. We’ve now updated our docs site with a first class reference for:

This reference shows all of our modules and services, their documentation, their full API (input and output variables), and sample usage code that you can copy & paste to get started in seconds.

New Gruntwork Pipelines example

Gruntwork Pipelines offers the most secure way to do CI / CD for app and infrastructure code, but it can be complicated to use. To make it simpler, and help you get started faster, we’ve added:

Give these a shot and let us know if they work for you!

All other Gruntwork Releases

A few months ago, we added new dedicated pages to track all Gruntwork releases, month by month! You can find details on every single update we do in the Gruntwork Releases page of our docs site.

Here are the dedicated pages for new Gruntwork releases since the last newsletter:

DevOps News

Restrict where IAM roles can be used from with new global condition context keys

AWS has launched two new global condition context keys that allow you to create SCPs and IAM policies that limit where an IAM role can be used from. For example, you can now create an SCP that only allows the credentials of an EC2 instance's IAM role to be used from within that instance's own VPC (and from its own private IP):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
        },
        "Null": {
          "ec2:SourceInstanceARN": "false"
        },
        "BoolIfExists": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}

This makes it much less likely that a malicious actor who steals an instance's role credentials can abuse an IAM role with powerful permissions from somewhere else. Note the Null condition on ec2:SourceInstanceARN: it scopes the Deny to requests made with EC2 instance credentials, so IAM users and roles used from elsewhere are not affected by these statements.
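To show how the three condition operators in that SCP combine, here is an added example (not from the newsletter or from AWS): a simplified evaluator for the two Deny statements, run over constructed request contexts. It assumes every context value is a string and treats a policy variable with no value in the context as an empty string, which is a simplification of real IAM evaluation.

```python
# Simplified evaluator for the two Deny statements above (added example, not AWS code).
DENY_CONDITIONS = [
    {"StringNotEquals": {"aws:ec2InstanceSourceVPC": "${aws:SourceVpc}"},
     "Null": {"ec2:SourceInstanceARN": "false"},
     "BoolIfExists": {"aws:ViaAWSService": "false"}},
    {"StringNotEquals": {"aws:ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"},
     "Null": {"ec2:SourceInstanceARN": "false"},
     "BoolIfExists": {"aws:ViaAWSService": "false"}},
]
def resolve(value, ctx):
    """Substitute a ${key} policy variable; assumption: unresolved variable -> ""."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1], "")
    return value

def operator_matches(op, pairs, ctx):
    """True when every key/value pair under one condition operator matches."""
    for key, expected in pairs.items():
        present = key in ctx
        if op == "StringNotEquals":
            # Negated operator: a key missing from the context counts as a match,
            # which is why the statement also needs the Null check below.
            if present and ctx[key] == resolve(expected, ctx):
                return False
        elif op == "Null":
            # "false" requires the key to be present, "true" requires it absent
            if present != (expected == "false"):
                return False
        elif op == "BoolIfExists":
            # A missing key matches; a present key must equal the expected value
            if present and ctx[key].lower() != expected:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True

def is_denied(ctx):
    """Denied if every operator in any one Deny statement's Condition matches."""
    return any(all(operator_matches(op, pairs, ctx) for op, pairs in cond.items())
               for cond in DENY_CONDITIONS)
# Constructed request contexts (all values are made-up placeholders, not real ids)
INSTANCE = {"ec2:SourceInstanceARN": "arn:aws:ec2:us-east-1:111111111111:instance/i-example",
            "aws:ec2InstanceSourceVPC": "vpc-aaa",
            "aws:ec2InstanceSourcePrivateIPv4": "10.0.1.5", "aws:ViaAWSService": "false"}
FROM_OWN_VPC = {**INSTANCE, "aws:SourceVpc": "vpc-aaa", "aws:VpcSourceIp": "10.0.1.5"}
FROM_OTHER_VPC = {**INSTANCE, "aws:SourceVpc": "vpc-bbb", "aws:VpcSourceIp": "10.9.9.9"}
FROM_OUTSIDE_AWS = dict(INSTANCE)  # same credentials used with no VPC context at all
IAM_USER = {"aws:ViaAWSService": "false"}  # not instance credentials: Deny does not apply
VIA_SERVICE = {**INSTANCE, "aws:ViaAWSService": "true"}  # an AWS service acting on its behalf
```

The IAM_USER case shows why the Null check matters: without it the negated StringNotEquals would match every request that lacks instance context and deny everything.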

Improved S3 security

AWS has updated the defaults for S3 buckets to be more secure: all new objects uploaded to S3 are now encrypted by default (with SSE-S3), and all buckets created after April 2023 will automatically block public access and disable access control lists.

TerraCurl: backfill missing Terraform resources

HashiCorp has released a new TerraCurl provider that offers an “escape hatch” for making RESTful API calls yourself to backfill a Terraform resource or data source that doesn’t exist yet. Here’s a rough example:

resource "terracurl_request" "example" {
  name = "example"

  # The API call to make to create the resource
  url            = "http://example.com/some/api"
  method         = "POST"
  response_codes = [200, 201]
  headers = {
    # Don't hard-code a real token like this; pass it in via a sensitive variable
    Token = "some-api-token"
  }
  request_body = <<EOF
{
  "foo": "bar"
}
EOF

  # The API call to make to destroy the resource
  destroy_url            = "http://example.com/some/api"
  destroy_method         = "DELETE"
  destroy_response_codes = [204]
  destroy_headers = {
    Token = "some-api-token"
  }
}

Lambda SnapStart

One of the big issues with Lambda is cold starts: e.g., executing Java code in a Lambda function the very first time — going through the init phase — can take up to 10 seconds. AWS has launched new functionality called SnapStart that takes your Lambda function code when you publish a new version, runs it through the init phase, and stores an encrypted snapshot of the disk and memory after initialization. When your Lambda function actually gets executed, it runs from this snapshot, so it doesn’t have to go through the init phase, which can reduce cold starts by up to 90%. Currently, AWS only supports SnapStart for Java code, but they will be adding support for other languages in the future.
