Once a month, we send out a newsletter to all Gruntwork customers that describes all the updates we’ve made in the last month, news in the DevOps industry, and important security updates. Note that many of the links below go to private repos in the Gruntwork Infrastructure as Code Library and Reference Architecture that are only accessible to customers.
Hello Grunts,
In the last month, Terraform 0.12 beta1 and terraform-aws-provider 2.0.0 came out, both of which have great new features, but also significant backwards incompatibilities; details on our upgrade plans below. Also, we started expanding our terraform-aws-influx module with support for the entire TICK stack (Telegraf, InfluxDB, Chronograf, and Kapacitor), added OAuth support to Gruntwork Houston, updated Terratest with support for testing Helm charts, updated Terragrunt’s security and access logging, and made many other updates and fixes.
As always, if you have any questions or need help, email us at support@gruntwork.io!
Motivation: In the last week or so, there were two major releases:
Both of these contain some great new features, but they also include significant backwards incompatibilities and they will NOT work with some of the repos in the Infrastructure as Code Library, as well as the code in your repos!
Solution: Here are our plans for these two new releases:
module-ecs and package-static-assets. Until the upgrade is done, the best workaround is for you to pin the AWS provider version in all your modules (e.g., in your infrastructure-modules repo) as follows:

```hcl
provider "aws" {
  # Provider version 2.X series is the latest, but has
  # breaking changes with 1.X series, so we pin to 1.X.
  version = "~> 1.60.0"
  region  = "us-east-1"
  # ... the rest of your code
}
```
See this commit for the upgrade we did to the Acme Reference Architecture examples to pin all the modules.
What to do about it: For now, your best bet is to pin your AWS provider to 1.X. We’ll let you know as soon as our AWS Provider 2.0.0 upgrade is complete, as well as the outcome of our Terraform 0.12 investigations.
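To confirm the pin has actually landed in every module, here is an added example (not Gruntwork's code) that scans a directory of Terraform modules for provider "aws" blocks that have no version attribute; the sample modules and the function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not Gruntwork code): find Terraform modules whose
# provider "aws" block has no version constraint, i.e. modules that are
# still missing the 1.X pin described above.

# Writes three constructed sample modules under $1: pinned, pinned with a
# nested block before the version line, and unpinned.
make_sample_modules() {
  mkdir -p "$1/pinned" "$1/pinned-nested" "$1/unpinned"
  cat > "$1/pinned/main.tf" <<'EOF'
provider "aws" {
  version = "~> 1.60.0"
  region  = "us-east-1"
}
EOF
  cat > "$1/pinned-nested/main.tf" <<'EOF'
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/example"
  }
  version = "~> 1.60.0"
}
EOF
  cat > "$1/unpinned/main.tf" <<'EOF'
provider "aws" {
  region = "us-east-1"
}
EOF
}

# Prints the path of every .tf file under $1 containing a provider "aws"
# block with no version attribute. Braces are counted so that a nested
# block (assume_role, etc.) does not end the provider block early.
find_unpinned_aws_providers() {
  find "$1" -name '*.tf' -exec awk '
    FNR == 1 { inblk = 0 }
    /^[[:space:]]*provider[[:space:]]+"aws"[[:space:]]*\{/ {
      inblk = 1; depth = 0; pinned = 0
    }
    inblk {
      depth += gsub(/\{/, "{") - gsub(/\}/, "}")
      if ($0 ~ /^[[:space:]]*version[[:space:]]*=/) pinned = 1
      if (depth <= 0) { if (!pinned) print FILENAME; inblk = 0 }
    }' {} + | sort -u
}
```

Run `find_unpinned_aws_providers path/to/infrastructure-modules` in CI and fail the build if it prints anything; the brace counting is a line-oriented approximation, not an HCL parser.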
Motivation: In December, we open sourced our modules for running InfluxDB Enterprise on AWS. We’ve now started working with the InfluxData team to expand these modules with support for their entire time-series platform, known as the TICK stack (Telegraf, InfluxDB, Chronograf, and Kapacitor).
Solution: We’ve updated the terraform-aws-influx module to include a set of reusable modules to deploy and run a TICK cluster in AWS. These modules can be combined and configured in a variety of ways to meet your specific needs.
We’ve added modules to do the following:
What to do about it: All of this new code is in the terraform-aws-influx repo and fully open source! We also have some examples to help get you started.
Motivation: Authentication is a tricky beast on the best of days. Managing credentials for AWS console access, CLI access, SSHing to your servers, and requesting VPN certificates is far more difficult than it should be. We created Gruntwork Houston to allow you to manage all of this with your existing Identity Provider (e.g., Google, Active Directory, Okta, etc) via SAML, but it turns out that configuring SAML is far more difficult than it should be too!
Solution: We’ve updated Gruntwork Houston to be able to use OAuth authentication via GitHub. With this approach you and your entire team will now be able to get secure access to all your AWS accounts via web and CLI, ssh to your EC2 instances, and request VPN certificates from your VPN servers by just authenticating via your GitHub account:
We’ll also be adding OAuth via Google in the near future!
What to do about it: If you’re interested in trying out Gruntwork Houston with GitHub or Google OAuth, contact us at support@gruntwork.io!
Motivation: As we started developing our own helm charts, we realized that there wasn’t a clear standard on how you might test the charts. In the past two months, we have expanded our Kubernetes offerings in Terratest, Gruntwork’s swiss army knife for infrastructure testing. This month we added our initial support for helm charts.
Solution: We identified two tiers of testing in Helm: Template tests and Integration tests.
helm template with various input values and parse the YAML to validate any logic embedded in the templates (e.g., by reading them in using client-go). Since templates are not statically typed, the goal of these tests is to promote fast cycle time.
This month we added support in Terratest to provide a framework for executing both kinds of tests against your charts.
What to do about it: Check out v0.14.2 and give it a spin. You can view examples/helm-basic-example for a Helm chart and the corresponding tests (helm_basic_example_template_test.go and helm_basic_example_integration_test.go) for an example of how to use Terratest to run Helm tests. Also check out our blog post demonstrating the new capabilities.
Other Terratest updates:
- v0.35.1.
- terraform.Options now exposes a VarFiles field that you can use to pass variable files to your Terraform commands at test time (via the -var-file flag) and a Targets field that you can use to specify targets for your Terraform commands at test time (via the -target argument).
- helm.
- test_structure.SaveKubectlOptions and test_structure.LoadKubectlOptions).
- ClusterRole (GetClusterRole) and Role (GetRole) resources.
- k8s functions to take in KubectlOptions so that the kubeconfig path and context are configurable. This is a breaking change in the k8s module. See the release notes for more details.
- helm.Install now supports installing remote charts for testing purposes.
Motivation: Some Terragrunt users wanted Terragrunt to have more secure settings when using Terragrunt to configure S3 buckets and DynamoDB tables for Terraform state storage.
Solution: Terragrunt now does the following:
- enable_lock_table_ssencryption setting to true.
What to do about it: If you’d like to take advantage of these new security settings, grab Terragrunt v0.18.0.
- security_group_tags input parameter.
- fetch will automatically download all of them. You can also now pass in multiple checksums, only allowing the download if the computed checksum matches any of the provided ones.
- shellcheck pre-commit hook to only match *sh shebangs (e.g., sh, bash, zsh, etc.). It used to (inadvertently) match a much broader range of files, such as bats tests.
- package-kafka and package-zookeeper and moved them to bash-commons. These include array_split, array_prepend, assert_exactly_one_of, file_replace_text_in_files, os_user_exists, os_create_user, os_change_dir_owner, and a number of AWS EC2 and ENI functions.
- iam-groups module now creates an additional IAM group that has the iam-user-self-mgmt IAM policy already attached, to make it easier to associate the rules of that policy with an IAM user via the group.
- fail2ban module so it works properly on Amazon Linux 2. Update the ami-builder in os-hardening to support a new parallel_build param that lets you control whether the builds run in parallel, and call udevadm settle in the partition-volume script to ensure all symlinks are in place before going on to subsequent steps (e.g., formatting).
- ecs-cluster module where it wouldn’t do the proper rollout in clusters with more than 10 instances.
- helm deploy, using the --tiller-image and --tiller-version flags. Additionally, helm configure now initializes the helm home directory with the stable repository.
- kubergrunt can now authenticate with GKE.
- k8s-namespace into its own submodule, k8s-namespace-roles. This allows you to create the same roles on a preexisting namespace (e.g., default or kube-system).
- rbac_tiller_resource_access role that allows Tiller to manage PodDisruptionBudgets.
- error_404_response_code and error_500_response_code, respectively.
- run-logstash script via a new parameter --auto-fill-jvm (e.g., --auto-fill-jvm '<__XMS__>=4g').
- gruntkms will now write errors to stderr instead of stdout.
- module-asg dependency to v0.6.25 to address skipped ALB/ELB health checks when using python3.
- module-asg dependency to v0.6.25 and package-zookeeper to v0.5.3 to address skipped ALB/ELB health checks when using python3.
- additional_security_group_ids input parameter.
- update-terraform-variable script now uses pipes (|) instead of slashes (/) in a sed call so that you don't get errors if the --value parameter contains a slash.
- kinesis module now supports server-side encryption.
What happened: Amazon DocumentDB has added a number of new features around auditing/logging and aggregations, arrays, and indexing.
Why it matters: Amazon recently launched DocumentDB as a hosted version of MongoDB. As usual with AWS launches, the initial version was fairly minimal, but several updates have been released that make the service more compelling:
$concat, $substr, $substrBytes, $substrCP, $strcasecmp), an array aggregation operator ($size), an aggregation group accumulator operator ($push), and aggregation stages ($redact and $indexStats) that allow you to compose powerful aggregations over your documents. Additionally, it also supports positional array operators ($[] and $[<identifier>]) for updating elements in an array and hint() for selecting an index.
What to do about it: Check out the event auditing docs and this blog post for more info.
Below is a list of critical security updates that may impact your services. We notify Gruntwork customers of these vulnerabilities as soon as we know of them via the Gruntwork Security Alerts mailing list. It is up to you to scan this list and decide which of these apply and what to do about them, but most of these are severe vulnerabilities, and we recommend patching them ASAP.
runc engine that runs Docker containers. This means that a malicious container could run arbitrary code on the host computer. All it takes to exploit this vulnerability is for users to run the wrong Docker container. Therefore, we recommend immediately updating all versions of Docker to at least v18.09.02. We notified the Security Alerts mailing list about this vulnerability on February 12th.