Gruntwork Newsletter, November 2020

Published in

Gruntwork

28 min readNov 10, 2020

Once a month, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made in the last month, news in the DevOps industry, and important security updates. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.

Hello Grunts,

In the last couple months, we been busy with a number of upgrades for the Gruntwork Infrastructure as Code Library: we’ve updated the entire library to be compatible with version 3.x of the AWS Provider for Terraform, updated all but a handful of repos to work with version 0.13.x of Terraform, and began a project to update our Gruntwork Compliance offering to be compatible with the CIS AWS Foundations Benchmark v1.3. We’ve also released a new Commercial Support offering for Terragrunt and Terratest, created a new module that makes it easier to manage IAM to RBAC mapping in EKS, added a new module for creating and managing private S3 buckets, released a blog post on how to protect your GitHub identity, and made a huge number of other bug fixes and improvements. Finally, we’ll be taking a holiday break for two weeks in December as usual, so please plan accordingly!

As always, if you have any questions or need help, email us at support@gruntwork.io!

Gruntwork Updates
DevOps News
Security Updates

Gruntwork Updates

AWS Provider 3.x upgrade

Motivation: A few months ago, AWS released version 3.0.0 of the AWS Provider for Terraform. It brought lots of new features, but also included a large number of backwards incompatible changes that made upgrading difficult.

Solution: We’ve updated our entire Infrastructure as Code Library to work with AWS Provider 3.0.0. Here’s a snapshot of the compatibility table so you have a sense of what it takes to upgrade and test everything:

What to do about it: We’ve released a dedicated guide with instructions, a version compatibility table, and commits that show an example upgrade of the Acme Reference Architecture: How to update to version 3 of the Terraform AWS Provider. Please follow the steps in this guide to upgrade all your code ASAP!

Terraform 0.13.x upgrade

Motivation: A few months ago, HashiCorp released version 0.13.0 of Terraform. It brought lots of new features, but also included several backwards incompatible changes that made upgrading difficult.

Solution: We are currently working on testing and upgrading all of our repos to be compatible with Terraform 0.13.0. All repos have been upgraded except the following:

terraform-aws-eks: This repo was significantly affected by the backwards incompatible changes in 0.13.0, so some parts need to be rewritten, which will take some work. You can follow issue 221 for progress.
GCP repos: We have been focusing on AWS first and have not yet started updating the Google Cloud Platform repos yet.

Here’s a snapshot of the compatibility table so you have a sense of what it takes to upgrade and test everything:

What to do about it: We recommend waiting to upgrade until (a) we finish the last remaining AWS repo and (b) publish a migration guide. However, if you’re not using terraform-aws-eks, and wish to upgrade immediately, you can check out the Gruntwork Terraform 0.13 Compatibility Table to see what version numbers you need to upgrade to.

CIS AWS Foundations Benchmark v1.3

Motivation: A few months ago, the Center for Internet Security (CIS) released version 1.3.0 of the AWS Foundations Benchmark. This introduced several new controls that we needed to incorporate into our Gruntwork Compliance for CIS product.

Solution: We are currently working on incorporating the new controls introduced in 1.3.0. Here’s a snapshot of the work in progress:

What to do about it: For now, sit tight! We will announce when everything has been upgraded and tested to be compatible with 1.3.0, and publish a migration guide to help you update.

Introducing: Commercial support for Terragrunt and Terratest

Motivation: Two of our open source projects, Terragrunt and Terratest, are growing more and more popular each month, with more and more companies relying on them in production, but the team that maintains them is still quite small.

Solution: We are now offering commercial support for Terragrunt and Terratest! This includes support via email, chat, and phone/video, code reviews, prioritized bug fixes, and prioritized feature development. If your company relies on Terragrunt or Terratest in production, you can now get help directly from the team that created these tools, and make sure you’re never blocked. And as a wonderful side benefit, we use your funds to support these open source tools and make them better for everyone.

What to do about it: Check out the Terragrunt Commercial Support and Terratest Commercial Support pages for more details, including the available pricing plans and SLAs. If you’re interested in more info, please contact us at info@gruntwork.io!

New EKS module: aws-auth-merger

Motivation: Managing authentication and authorization for the Kubernetes API is one of the most basic operations you need to accomplish for EKS clusters. The official way to manage access to the Kubernetes API is to manage mappings from IAM roles and users to Kubernetes RBAC users and groups in a single, central ConfigMap. The central nature of the ConfigMap poses a challenge for certain use cases, especially when managing access with Terraform as there is no way to dynamically update the ConfigMap across multiple modules.

Solution: To support use cases where you want to break down the management of the aws-auth mapping ConfigMap, we implemented the eks-aws-auth-merger! This module allows you to break up the central ConfigMap across multiple, separate ConfigMaps each configuring a subset of the mappings you ultimately want to use, allowing you to update entries in the ConfigMap in isolated modules (e.g., when you add a new IAM role in a separate module from the EKS cluster). The aws-auth-merger watches for aws-auth compatible ConfigMaps that can be merged to manage the aws-auth authentication ConfigMap for EKS, and merges them together into the central ConfigMap everytime it detects a change.

What to do about it: Check out the deployment docs and take the aws-auth-mergerfor a spin!

New module: `private-s3-bucket`

Motivation: Gruntwork customers have been asking for a reusable module for creating an S3 bucket that implements best practices to keep the contents of the bucket secure and private.

Solution: We’ve created a new private-s3-bucket module that can be used to create an Amazon S3 bucket that enforces best practices for private access:

No public access: all public access is completely blocked.
Encryption at rest: server-side encryption is enabled, optionally with a custom KMS key.
Encryption in transit: the bucket can only be accessed over TLS.

The module couldn’t be simpler to use:

module "s3_bucket" {
  source = "git::git@github.com:gruntwork-io/module-security.git//modules/private-s3-bucket?ref=v0.40.1"  name = "my-example-bucket-name"
}

What to do about it: Give the private-s3-bucket module a shot and let us know what you think!

New module: `ebs-encryption-multi-region`

Motivation: It’s easy to enable encryption on Elastic Block Store volumes, but it’s just as easy to forget to do it. We want to make it easy to do the secure thing by default.

Solution: We’ve added a new ebs-encryption-multi-region module to module-security! This module will enable EBS encryption by default in all regions (or, optionally, a subset of regions). We’ve also incorporated EBS encryption by default in to the account-baseline-* modules in the Gruntwork Landing Zone.

What to do about it: Check out the ebs-encryption-multi-region example to get started.

How to Spoof Any User on Github…and What to Do to Prevent It

Motivation: While implementing a solution to improve the integrity of our GitHub code, we discovered a disturbing flaw in GitHub’s design that allows you to spoof any GitHub user when committing code.

Solution: Here’s the short version:

By default, GitHub does no validation of commit authors, so by running git config user.name and git config user.email, you can pretend to be any user you want!
To protect against this, you can sign your Git commits with a GPG key, and configure GitHub to require all commits to be signed.

For the full details, see our blog post.

What to do about it: Read the How to Spoof Any User on Github…and What to Do to Prevent It to learn how to sign your commits and considering configuring your GitHub org to require it!

Winter break, 2020

Motivation: At Gruntwork, we are a human-friendly company, and we believe employees should be able to take time off to spend time with their friends and families, away from work.

Solution: The entire Gruntwork team will be on vacation December 21st — January 1st. During this time, there may not be anyone around to respond to support inquiries, so please plan accordingly.

What to do about it: We hope you’re able to relax and enjoy some time off as well. Happy holidays!

Open Source Updates

Terragrunt

v0.23.38: A further optimization is made to the dependency fetch optimization routine, where plugin installs are skipped.
v0.23.39: This fixes dependency config loading for Windows.
v0.23.40: We’ve added a new aws-provider-patch command that can be used to override attributes in nested provider blocks. Refer to the command docs for more info.
v0.24.0: The lock_table attribute for the s3 remote state backend is now marked as deprecated and terragrunt will automatically convert it to the preferred dynamodb_table attribute. This means that existing configurations using the lock_table attribute will need to be reinitialized.
v0.24.1: Terragrunt will now automatically retry commands if it gets a “429 Too Many Requests” error from app.terraform.io.
v0.24.2: Terragrunt will now automatically retry on several different flavors of the "429 Too Many Requests" error from app.terraform.io.
v0.24.3: Terragrunt will now use the terragrunt download directory for setting up shallow dependency fetching as described in the dependency optimization documentation.
v0.24.4: When creating an S3 bucket for state storage, Terragrunt will now add an IAM policy that only allows the S3 bucket to be accessed via TLS. You can disable this policy (NOT recommended!) via the skip_bucket_enforced_tls setting.
v0.25.0: Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
v0.25.1: The sops_decrypt_file will now cache decrypted files in memory while Terragrunt runs. This can lead to a significant speed up, as it ensures that each unique file path is decrypted at most once per run.
v0.25.2: Previously, Terragrunt logged detailed information about changes in the config for the remote_state block, which could include secrets. Now these detailed change logs have been demoted to debug level and will only be logged if debug logging is enabled (environment variable TG_LOG=debug).
v0.25.3: You can now create your custom retryable errors via the retryable_errors configuration attribute.
v0.25.4: The aws-provider-patch command now allows you to override attributes in nested blocks: e.g., override the role_arn attribute in an assume_role { ... } block. This is to work around yet another Terraform bug with import.
v0.25.5: This release fixes a bug in the auto S3 bucket creation routine, where it will ignore the skip_ flags under certain circumstances where the backend configuration is modified (e.g., modifying the bucket name or object key location).
v0.26.0: This release contains a breaking change for the terragrunt configuration options affecting the logging ability for the remote state S3 bucket. It fixes a bug in the Auto Init routine for creating S3 buckets to store the terraform state, causing the logs to be generated and created by the same bucket in a constant loop, ending in noisy logs & potentially higher S3 costs.

Terratest

v0.29.1: Add a new GetTargetAzureSubscription method to find the correct target Azure Subscription ID. Make a number of changes to the internals of this repo, including moving all Azure examples and tests under azure folders, and hooking up a test pipeline for Azure.
v0.30.0: We have verified that this repo is compatible with Terraform 0.13.x! From this release onward, we will only be running tests with Terraform 0.13.x against this repo, so we recommend updating to 0.13.x soon!
v0.30.1: Fix high severity vulnerability CVE-2020–14001 in github-pages site generator for terratest documentation website.
v0.30.2: This release introduces helper functions for getting ActionGroup resources in Azure: GetActionGroupResource and GetActionGroupResourceE.
v0.30.3: Add helper functions for getting and testing Availability Sets in Azure. Check out https://github.com/gruntwork-io/terratest/blob/master/modules/azure/availabilityset.go for the list of functions. Also add two new collections helper functions for strings sliced by a separator (GetSliceLastValueE, GetSliceIndexValueE).
v0.30.4: This release introduces helper functions for testing and working with Azure Network Security Groups. See modules/azure/nsg.go for the list of available functions.
v0.30.5: Adds helper functions to the aws package to create, get, and delete ECR repositories.
v0.30.6: This release adds helper functions for verifying network modules in Azure. Refer to modules/azure/networkinterface.go, modules/azure/publicaddress.go, and modules/azure/virtualnetwork.go for the list of new functions.
v0.30.7: Adds a new function for users of docker-compose run xxx to be able to output to stdout. Say you have a script that logs some output to stderr and some to stdout. If you only want to capture stdout in your consumer, perhaps to examine and run a comparison on a string that your script generated, now you can do that without also capturing all the other output. See the example usage in the test.
v0.30.8: Added a new GetEcsClusterWithInclude method you can use to fetch ECS cluster information and specify the data you wish the response to include (e.g., tags, settings, statistics, etc).
v0.30.9: This release adds helper functions for working with Azure SQL DB. Refer to https://github.com/gruntwork-io/terratest/blob/master/modules/azure/sql.go for the list of supported functions.
v0.30.10: Introduces k8s.NewTunnelWithLogger which can be used to customize the terratest Logger used with the Kubernetes tunneling capabilities.
v0.30.11: Added a GetDockerHost function that can be used to return the proper hostname to use for talking to services running in Docker. This is typically localhost, but it can be overridden with the DOCKER_HOST environment variable on some systems, which the GetDockerHost knows how to read and parse.
v0.30.12: This release adds helper functions for working with Azure VMs and Resource Groups. Refer to the following files for the list of supported functions: compute.go and disk.go and resourcegroup.go.
v0.30.13: This release adds helper functions for working with Azure Load Balancer. Refer to loadbalancer.go for the list of supported functions.
v0.30.14: Added new functions for checking DNS entries with terratest under the package dns-helper. Refer to dns_helper.go for the list of available functions that you can use.
v0.30.15: This release introduces a new helper, terraform.WithDefaultRetryableErrors to return a new terraform.Options struct with the retryable errors populated with a set of reasonable defaults. You can review the default list on the new var options.DefaultRetryableTerraformErrors.
v0.30.16: This release introduces additional support for Terraform plan testing. You can now run terraform plan and terraform show -json to introspect the plan. See the new terraform_aws_example_plan_test.go example test for an example of how to use the functionality.
v0.30.17: Fix a bug where the Clone method in terraform.Options was not properly handling the SshAgent and Logger fields within the struct. We now shallow clone these values, as it doesn't make sense to deep clone a channel or logger, respectively.
v0.30.18: Added a new k8s.WaitUntilSecretAvailable method that you can use to have your test code wait until a Kubernetes secret is present on the cluster. This is useful in cases where the secrets are not immediately available, as they are being provisioned asynchronously: e.g., when using ClusterIssuer to request a certificate.
v0.30.19: Fix an infinite loop in the String() methods of two error structs in the terraform package: TgInvalidBinary and OutputKeyNotFound.
v0.30.20: This release adds helper functions for working with Azure MySQL DB. Refer to mysql.go for the list of supported functions.
v0.30.21: Fix deployment process so binaries are created on every release.

terraform-aws-nomad

v0.6.5: Set default values for availability_zones and subnet_ids to null in nomad-cluster. As of AWS Provider 3.x, only one of these parameters may be set at a time on an Auto Scaling Group, so we now have to use null rather than empty list as our default.
v0.6.6: The nomad-cluster module now sets the ignore_changes lifecycle setting on load_balancers and target_group_arns attributes.
v0.6.7: The nomad-cluster module now provides output variables with information about the IAM instance profile: iam_instance_profile_arn, iam_instance_profile_id, and iam_instance_profile_name.

terraform-aws-consul

v0.7.8: Fix shellcheck warnings in install-consul, install-dnsmasq, and run-consul.
v0.7.9: Added a new --verify-server-hostname flag to run-consul that, when set, enables server hostname verification as part of RPC encryption.
v0.7.10: For compatibility with AWS Provider 3.x, the consul-cluster module now sets the ignore_changes lifecycle setting on load_balancers and target_group_arns attributes.
v0.7.11: You can now specify a custom IP address for dnsmasq to listen on using the new --dnsmasq-listen-address option.
v0.8.0: We have verified that this repo is compatible with Terraform 0.13.x!

terraform-aws-vault

v0.13.9: Update this repo to work with AWS Provider 3.x. This includes defaulting subnet_ids and availability_zones to null instead of an empty list, as AWS Provider 3.x only allows one or the other of these parameters to be set.
v0.13.10: The vault-cluster module now provides output variables with information about the IAM instance profile: iam_instance_profile_arn, iam_instance_profile_id, and iam_instance_profile_name.
v0.13.11: The vault-cluster module now sets the ignore_changes lifecycle setting on load_balancers and target_group_arns attributes.
v0.14.0: We have verified that this repo is compatible with Terraform 0.13.x!

terraform-aws-influx

v0.1.3: The modules in this repo are now compatible with AWS provider v3.

terraform-google-consul

v0.5.0: This is a major release that adds support for rolling cluster updates, Consul 1.8.3 and a bunch of minor improvements.

terraform-google-gke

v0.5.0: This release upgrades the examples and tests to use Helm 3 instead of Helm 2 with Tiller. It also adds support for adding resource labels to GKE clusters and fixes a bug where setting var.enable_network_policy to false was causing the cluster creation to fail.

helm-kubernetes-services

v0.1.3: You can now set additional labels on the Deployment and Pod using the additionalDeploymentLabels and additionalPodLabels inputs.

bash-commons

v0.1.3: Introduce a new helper script that can be used to wait for apt locks to be released. This is useful in infrastructure setup scripts (e.g. packer) where the nodes may start updating the packages as it is booting, preventing you from interacting with apt.

terraform-aws-couchbase

v0.3.0: Updated this repo to work with the latest versions of Couchbase (6.x), Sync Gateway (2.x), and the Terraform AWS Provider (3.x).
v0.4.0: We have verified that this repo is compatible with Terraform 0.13.x!

Kubergrunt

v0.6.0: The helm subcommand was removed in this release, now that Helm v2 is scheduled for end of life.
v0.6.1: This introduces kubergrunt eks sync-core-components, which can be used to roll out updates to the core components of an EKS cluster after upgrading the Kubernetes version. Refer to the AWS docs on the topic for more details.
v0.6.2: The VPC CNI version that kubergrunt eks sync-core-components will upgrade to has been bumped to the latest version recommended by AWS (v1.7.5).
v0.6.3: eks sync-core-components now supports Kubernetes version 1.18.
v0.6.4: eks verify used to assume kubergrunt was installed in a location included in the PATH environment variable. Now it will use the currently executing kubergrunt location.

cloud-nuke

v0.1.21: The nuke routine for s3 has been optimized for memory efficiency. Previously the routine was paging in and storing all objects in the bucket in memory before starting the deletion routine. Now the routine will delete as objects are paged in.
v0.1.22: This introduces the ability to nuke ecscluster resources using cloud-nuke and choose whether to apply the age filtering or not as described in the cloud-nuke docs.
v0.1.23: This extends the ability to nuke ecscluster resources to only target & nuke ECS clusters in an ACTIVE state.

fetch

v0.3.11: fetch will now log the file count after extraction. It will also skip Git tags that don't follow SemVer. This allows you to use it with repos that use both SemVer and non-SemVer tags.

Other updates

terraform-aws-eks

v0.22.1: Starting this release we will no longer use kubergrunt to get the OIDC provider thumbprint, and instead rely on terraform native functionality.
v0.22.2: The eks-cluster-wokers module can now be configured to take in the external dependencies as variables instead of looking the info up dynamically.
v0.23.0: This release introduces the eks-aws-auth-merger, which is an alternative to eks-k8s-role-mapping for managing IAM role to RBAC group mappings. This module uses the aws-auth-merger tool to watch for ConfigMaps in a specified namespace, and merge them together into the aws-auth ConfigMap at runtime. You can learn more about it in the module docs.
v0.23.1: You can now adjust the namespace where the core services are deployed into (eks-cluster-control-plane, eks-alb-ingress-controller, eks-cloudwatch-container-logs, eks-k8s-cluster-autoscaler).
v0.23.2: The eks-cluster-workers module will now gracefully handle situations where the IAM role is externally deleted.
v0.23.3: You can now optionally turn off the eks-aws-auth-merger module using the create_resources variable.
v0.23.4: Bump the executable-dependency module version so that the kubergrunt binary that is downloaded properly has 744 permissions.
v0.24.0: Variables and outputs have been renamed in this release. Refer to the release notes for more info.
v0.25.0: Switch to using the new location for the cluster-autoscaler helm chart so that the module continues to work after the stable and incubator repos are decommissioned in November.
v0.26.0: The automatic upgrade cluster feature now uses kubergrunt eks sync-core-components instead of an embedded script. This allows you to independently upgrade to newer EKS cluster versions as they are released without updating the module version.
v0.26.1: You can now configure the triggerLoopOnEvent setting on the external-dns service.
v0.27.0: The fluentd based log shipping module (eks-cloudwatch-container-logs) has been deprecated and replaced by a new module based on fluent-bit. This supports additional targets such as Firehose and Kinesis in addition to Cloudwatch, while also being more efficient in terms of underlying resource usage. Refer to the migration guide for information on how to update. Additionally, the default Kubernetes version used by the module has been updated to 1.18. Note that you will kubergrunt v0.6.3 or newer if you wish to upgrade your existing EKS clusters to Kubernetes version 1.18.
v0.27.1: Gracefully handle use_existing_cluster_config = false and use_cluster_security_group = true.
v0.27.2: Fix a bug in the eks-container-logs where Elasticsearch output was being enabled by default. This also fixes a bug where the boolean encoding in the helm chart values were incorrect. Also expose the ability to configure pod_resources for the DaemonSet in eks-container-logs.

module-ecs

v0.21.2: Set a default_capacity_provider_strategy when providing capacity providers for the ECS cluster.
v0.21.3: You can now use the cluster_asg_metrics_enabled variable to specify the metrics to collect for the ASG deployed via the ecs-cluster module.
v0.21.4: You can now specify the launch type for the ecs-daemon-service module via the new launch_type input variable.
v0.21.5: Fix bug in the deployment check scripts that made it incompatible with awsvpc networking mode on EC2 based ECS clusters.
v0.21.6: Update comment and readme for to reflect current roll-out-ecs-cluster-update.py functionality.
v0.22.0: When updating this repo to work with AWS Provider 3.x in v0.21.0, we missed a required_provider constraint in the ecs-daemon-service module, so it was still pinned to AWS Provider 2.x. This release fixes that.
v0.23.0: We have verified that this repo is compatible with Terraform 0.13.x!

module-ci

v0.27.3:build-packer-artifact now supports a new --idempotent flag. When set as true (e.g. --idempotent true), the build-packer-artifact script will search your AWS account for an AMI that matches the template, and if it exists, will not attempt to build a new AMI. This is useful for preserving the integrity of AMI versions in CI/CD workflows.
v0.28.0: You can now specify repo restrictions as regex using allowed_repos_regex and infrastructure_live_repositories_regex input variables.
v0.28.1: This release fixes a major regression bug identified in the previous release (v0.28.0), where omitting allowed_repos_regex for the ami_builder in the ecs-deploy-runner-standard-configuration module would inadvertently allow building from any repo.
v0.28.2: Adds a new flag, --idempotent, to the build-docker-image tool in the Kaniko image of the ecs-deploy-runner. Invoking the build-docker-image tool with the flag will cause it to check for the existence of an image before building and pushing.
v0.28.3: Updated setup-minikube to support newer minikube versions and kubernetes versions.
v0.28.4: infrastructure-deploy-script now supports running the refresh command.
v0.28.5: This is a maintenance release that exports some test helper functions for the ecs-deploy-runner as a new package under test/edrhelpers. This allows the helpers to be used by other projects.
v0.29.0: We have verified that this repo is compatible with Terraform 0.13.x!
v0.29.1: You can now configure the ECS deploy runner with repository credentials for pulling down the images using the new repository_credentials_secrets_manager_arn input var.

cis-compliance-aws

v0.6.0: Starting this release, tests are run against v3.x series of the AWS provider. Note that this release is backwards compatible with v2.x of the AWS provider. However, there is no guarantee that backwards compatibility with v2.x of the AWS provider will be maintained going forward.
v0.7.0: This release has a critical vulnerability where the cloudtrail logs will lose encryption for cross account setups. Use v0.7.1 instead. Updates the cross-account-iam-roles module to include a support role, which is necessary for compliance with the CIS AWS Foundations Benchmark. Also removes the aws_account_id variable from the cloudtrail module and updates that module to use the latest version from module-security.
v0.7.1: Expose ability to specify an existing KMS key for encrypting cloudtrail logs. This fixes a critical vulnerability with v0.7.0 where you lose the configured KMS key encryption when shipping logs to an external account.
v0.8.0: Switch the aws-securityhub module from using a Python script to associate new member accounts to using the new aws_securityhub_member resource.
v0.8.1: Bumps the custom-iam-entity module to use the latest version from module-security, which includes an improvement to MFA support for IAM roles.
v0.9.0: We have verified that this repo is compatible with Terraform 0.13.x! Note that as of this release, the aws-securityhub module will no longer automatically clean up associations with master accounts when you run destroy.

package-openvpn

v0.11.1: We now enable server-side encryption by default and add explicit rules to deny any possible public access for the backup S3 bucket.
v0.12.0: We have verified that this repo is compatible with Terraform 0.13.x!

terraform-aws-vpc

v0.9.4: This is a minor update that fixes a perpetual diff in the vpc-flow-logs module caused by the new AWS provider v3 chopping the :* off the CloudWatch Logs Group ARN.
v0.10.0: We have verified that this repo is compatible with Terraform 0.13.x!
v0.10.1: The VPC modules now gracefully handles num_availability_zones values that are greater than the number of AZs in the region.
v0.10.2: Add DynamoDB VPC endpoints to the vpc-mgmt module. We already had these endpoints in vpc-app, but somehow must've forgotten to add them to vpc-mgmt. Propagate the tags from the custom_tags input variable in vpc-app and vpc-mgmt to all VPC endpoints. This ensures more consistent tagging for all resources created by these modules.

module-security

v0.36.5: Fix regression bug in aws-auth where the command broke for MFA token session retrieval without role assume.
v0.36.6: Fixes the ARN for the AmazonSSMManagedInstanceCore managed policy, which was previously incorrect.
v0.36.7: Fix a bug in the outputs for aws-config-rules introduced by v0.36.0.
v0.36.8: Adds the rds:Download* permission to the Read Only policy in the iam-policies module.
v0.36.9: This release removes the CloudTrail S3 bucket policy from the aws_s3_bucket resources. The policy is already attached via a separate aws_s3_bucket_policy resource, hence the attachment in the aws_s3_bucket was redundant.
v0.36.10: Adds `eks:Describe*` and `eks:List*` permissions to the Read Only IAM policy.
v0.37.0: We have verified that this repo is compatible with Terraform 0.13.x!
v0.37.1: The configure-fail2ban-cloudwatch.sh script will now restart fail2ban after configuring the cloudwatch metrics actions.
v0.38.0: This is a cleanup release that removes several unused variables and fixes a few other small issues.
v0.38.1: Updates the AWSConfigRole managed policy in the aws-config and aws-config-multi-region modules to the new AWS_ConfigRole managed policy due to a deprecation notice from AWS.
v0.38.2: The account-baseline-xxx modules now allow you to configure the IAM password policy settings of allowing users to change their own password and whether password expiration requires an admin reset using the new input variables iam_password_policy_allow_users_to_change_password and iam_password_policy_hard_expiry, respectively.
v0.38.3: Fix bug where fail2ban cloudwatch configuration script used the incorrect command for restarting fail2ban on Amazon Linux 1.
v0.38.4: You can now specify tags to apply to CloudTrail and IAM Role resources created by the account-baseline-xxx modules using the new input variables cloudtrail_tags and iam_role_tags, respectively.
v0.39.0: Fix a bug where account-baseline-root did not work correctly if none of the accounts in child_accounts had is_logs_account set to true.
v0.39.1: Updates the recently released private-s3-bucket module to allow the bucket ACL to be configurable, and updates custom-iam-entity to enforce MFA on the trust policy when creating custom roles.
v0.39.2: The private-s3-bucket module had a bug that made it impossible to configure bucket replication. This release fixes the bug.
v0.40.0: The cloudtrail-bucket module has been refactored to use the private-s3-bucket module under the hood to configure the cloudtrail S3 bucket. In the process, the module has been updated so that it will now configure the bucket to default to encrypting objects with the newly created KMS key, or the provided KMS key if it already exists.
v0.40.1: Updates the recently released private-s3-bucket module to allow the server side encryption algorithm to be configurable
v0.40.2: Adds the new ebs-encryption-multi-region module mentioned above.
v0.41.0: The aws-organizations and account-baseline-root modules now output organization_root_id. The aws-config-multi-region module can now configure default AWS Config rules (those defined by the aws-config-rules module) in every region AWS Config is enabled. The aws-config-rules module can now separately apply rules related to global resources such as IAM using the new enable_global_resource_rules variable. Additional parameters for managing aws-config-rules are now exposed in the account baseline modules.
v0.41.1: Fix bug where the default value for ebs_kms_key_name must be "", not null for the account-baseline-security module.

package-zookeeper

v0.7.1: You can now specify the maximum number of retries during a rolling upgrade using the zookeeper-cluster module.
v0.6.8: You can now enable encryption for the root block device in zookeeper-cluster using the new root_block_device_encrypted input variable.
v0.6.9: You can now enable server-side encryption on the S3 bucket used by Exhibitor by setting shared_config_s3_bucket_encryption input variable to true and optionally providing a custom KMS CMK to use via the shared_config_s3_bucket_kms_key_arn input variable.

package-sam

v0.2.2: You can now set stage variables using the new stage_variables input variable, customize the lambda permission statement ID using the new xxx_lambda_permission_statement_id input variable, and set a qualifier on the lambda permission using the new xxx_lambda_qualifier input variable.
v0.2.3: gruntsam now supports OPTIONS requests.
v0.3.0: We have verified that this repo is compatible with Terraform 0.13.x!
v0.3.1: Added the create_before_destroy = true lifecycle setting to the aws_api_gateway_deployment resource to work around intermittent "BadRequestException: Active stages pointing to this deployment must be moved or deleted" errors.

terraform-aws-monitoring

v0.22.2: You can now enable server-side encryption for the S3 bucket used to store load balancer access logs using the new s3_bucket_encryption input variable.
v0.23.0: We have verified that this repo is compatible with Terraform 0.13.x!
v0.23.1: This updates install-cloudwatch-monitoring-scripts.sh to set cache removal on reboot so that any cached info about the instances are reset on every boot.
v0.23.2: Fix a bug in the alb-target-group-alarms module, switching the module to use "Seconds" instead of "Count" as the proper unit for the TargetResponseTime alarm.
v0.23.3: The rds-alarms module will now only create the replication error alarm if there is more than one RDS instance (that is, if there are actual replicas to alert about!).

package-elk

v0.6.0: This release updates the modules to be compatible with AWS provider 3.x. This release also updates the default Elasticsearch version to 6.8.12.
v0.7.0: We have verified that this repo is compatible with Terraform 0.13.x! Also, we fixed a bug with filebeat where it was trying to start before we had a chance to configure it with auto-discovery settings.

package-messaging

v0.3.5: The sns module now allows you to grant AWS Services (e.g., events.amazonaws.com) permissions to write to your SNS topic using the new allow_publish_services input variable. Also, fixed a bug where the topic_policy output variable used to only return default policy of the SNS topic. It will now return the full topic policy as created by the sns module.

package-terraform-utilities

v0.3.0: We have verified that this repo is compatible with Terraform 0.13.x! Note that due to the upgrade, the run-pex-as-resource module no longer supports running code on destroy.

module-server

v0.9.0: Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
v0.9.1: You can now specify the principals that will be allowed to assume the IAM role created by the single-server module. This can be useful, for example, to override the default from ["ec2.amazonaws.com"] to ["ec2.amazonaws.com.cn"] when using the AWS China region.
v0.9.2: Fixed CentOS attach-eni bug depending on the CentOS version and AWS instance type.
v0.9.3: You can now specify a custom private IP address for your EC2 instance using the new private_ip input parameter in the single-server module.

package-lambda

v0.9.0: Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
v0.9.1: You can now set the new source_code_hash input variable to the hash of the zip file you upload to S3 as a way to allow the lambda module to know when that Zip file has changed, and therefore, when the Lambda function needs to be redeployed.
v0.9.2: We’ve added an option to set an outbound rule in the Lambda security group that will permit outbound access from the function. To automatically create a rule allowing access to 0.0.0.0/0 , set should_create_outbound_rule=true when calling the lambda module.
v0.9.3: The lambda module now allows you to mount an EFS file system in your Lambda functions using the new mount_to_file_system, file_system_access_point_arn, and file_system_mount_path variables.

module-data-storage

v0.16.0: Terraform 0.13 upgrade: We have verified that this repo is compatible with Terraform 0.13.x!
v0.16.1: Add lifecycle block to ignore changes to snapshot_identifier so that restored DB clusters won't get destroyed during updates.
v0.16.2: You can now enable the HTTP endpoint for the Data API on Aurora Serverless using the new ‘enable_http_endpoint’ input variable.
v0.16.3: You can now configure IAM roles for the redshift module to use via the new iam_roles input variable.

module-cache

v0.10.1: You can now restore a Redis cluster from a snapshot using the new snapshot_name or snapshot_arn input variables.

package-beanstalk

v0.1.1: You can now specify the load balancer type to use in the elasticbeanstalk-environment module by using the new load_balancer_type input variable.

module-load-balancer

v0.23.2: Fix a bug in the alb-target-group-alarms module, switching the module to use "Seconds" instead of "Count" as the proper unit for the TargetResponseTime alarm.

DevOps News

Kubernetes updates: version 1.18 and the Load Balancer Controller

What happened: A couple updates for those of you using Kubernetes: first, EKS now supports Kubernetes 1.18. Second, AWS has renamed the ALB Ingress Controller to the Load Balancer Controller, which now supports the NLB as well.

Why it matters: Here are the highlights:

Kubernetes 1.18: This release incluldes the Topology Manager reaching beta status, a new beta of Server-side Apply, and a new IngressClass resource for the Ingress specification which makes it simpler to customize Ingress configuration. Additionally, you can now configure the behavior of horizontal pod autoscaling.
Load Balancer Controller: The new controller includes a number of improvements, including allowing you to manage ALBs or NLBs, allowing sharing a single ALB across multiple applications in your Kubernetes cluster, as well as using a NLBs with Fargate.

What to do about it: Check out the Kubernetes 1.18 and Load Balancer Controller announcement blog posts for more details. Note that we added support for Kubernetes 1.18 in our terraform-aws-eks repo in v0.27.0.

New HashiCorp tools: Boundary and Waypoint

What happened: HashiCorp has released two new open source projects: Boundary and Waypoint.

Why it matters: Here’s the short version of what these new tools offer:

Boundary: A tool for managing access to your servers based on existing identity providers. This is potentially an alternative to VPN and SSH software.
Waypoint: A tool for giving developers a consistent experience for building, deploying, and releasing code, via a single CLI API—waypoint up—that under the hood can work with a variety of tools, platforms, and workflows (e.g., Kubernetes, ECS, Docker Hub, ECR, CircleCi, GitHub Actions, etc).

What to do about it: Check out the Boundary and Waypoint announcement blog posts for all the details, give these new tools a shot, and let us know what you think of them!

Docker Hub Rate Limting

What happened: Docker has announced that they will now start rate limiting pulls from Docker Hub.

Why it matters: If you use docker pull or docker run (which uses docker pull under the hood) to pull an image from Docker Hub, Docker will now start enforcing a fairly low rate limit. According to the pricing page, you’re limited to just 100 pulls per 6 hour period for anonymous users, and 200 pulls per 6 hour period for authenticated users on the free plan.

What to do about it: This is most likely to affect CI servers, so look into your pipelines to see how often you’re pulling images, whether those images are being cached locally, and if you need to authenticate your machine user to Docker Hub, or even upgrade to a paid plan. Alternatively, Amazon has announced they will be working on a free, public registry, so you may consider switching to that when it’s available.

Security Updates

Below is a list of critical security updates that may impact your services. We notify Gruntwork customers of these vulnerabilities as soon as we know of them via the Gruntwork Security Alerts mailing list. It is up to you to scan this list and decide which of these apply and what to do about them, but most of these are severe vulnerabilities, and we recommend patching them ASAP.

Apple

Apple released a set of security patches for iOS, iPadOS, and macOS that protects against critical vulnerabilities that are known to be exploited in the wild. These vulnerabilities allow an attacker to do remote code execution on the platform if you installed a malicious font file or application. We strongle recommend updating your Apple devices to the latest versions of the OS. Refer to the iOS/iPadOS 14.2 security update notes and the macOS 10.15.7 security update notes for more details.

Github Actions

CVE-2020–15228: Github issued an advisory for an injection attack vulnerability with Github Actions. The vulnerability is in how Github Actions parses STDOUT of actions to look for and run workflow commands. This can be exploited to inject workflow actions such as set-env to modify the environment variable of the running action. For example, if you have a workflow action that outputs the contents of a Github issue title to STDOUT, an attacker can create an issue with a specially crafted title to inject workflow commands in the running action without modifying any code. We strongly recommend updating your Github Actions to avoid logging untrusted information. Refer to this blog post from Github on the options for remediating this vulnerability, including how to update your actions to still allow logging the information.

HashiCorp Vault

CVE-2020-16250: A critical vulnerability has been found in HashiCorp Vault, an open source tool used for managing secrets, such as passwords, API keys, and TLS certs. The vulnerability is in the IAM authentication methods for AWS and GCP and may allow an attacker to spoof arbitrary IAM identities, and access arbitrary secrets. Fixes are available in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1. We strongly recommend updating immediately. For more details, see Enter the Vault: Authentication Issues in HashiCorp Vault, CVE-2020–16250, and the Vault CHANGELOG. We notified the Gruntwork Security Alerts mailing list about this vulnerability on October 8, 2020.