From 970cff0e3fa7a1e8a9f8b00d7b44667ab6300d8b Mon Sep 17 00:00:00 2001 From: gruntwork-ci Date: Fri, 1 May 2026 08:32:05 +0000 Subject: [PATCH] Update Gruntwork releases as of 2026-04-30 --- docs/guides/stay-up-to-date/index.md | 4 +- .../stay-up-to-date/releases/2026-03/index.md | 77 +- .../stay-up-to-date/releases/2026-04/index.md | 1160 +++++++++++++++++ docs/guides/stay-up-to-date/releases/index.md | 5 +- 4 files changed, 1241 insertions(+), 5 deletions(-) create mode 100644 docs/guides/stay-up-to-date/releases/2026-04/index.md diff --git a/docs/guides/stay-up-to-date/index.md b/docs/guides/stay-up-to-date/index.md index d27471399..83848458d 100644 --- a/docs/guides/stay-up-to-date/index.md +++ b/docs/guides/stay-up-to-date/index.md @@ -17,6 +17,7 @@ import CardGroup from "/src/components/CardGroup" + @@ -31,7 +32,6 @@ import CardGroup from "/src/components/CardGroup" - @@ -115,6 +115,6 @@ href="/guides/stay-up-to-date/cis/cis-1.5.0" diff --git a/docs/guides/stay-up-to-date/releases/2026-03/index.md b/docs/guides/stay-up-to-date/releases/2026-03/index.md index 7e5f382eb..28bd0b51e 100644 --- a/docs/guides/stay-up-to-date/releases/2026-03/index.md +++ b/docs/guides/stay-up-to-date/releases/2026-03/index.md @@ -19,6 +19,7 @@ Here are the repos that were updated: - [terraform-aws-load-balancer](#terraform-aws-load-balancer) - [terraform-aws-security](#terraform-aws-security) - [terraform-aws-service-catalog](#terraform-aws-service-catalog) +- [terraform-aws-vpc](#terraform-aws-vpc) ## boilerplate @@ -187,6 +188,23 @@ The validation package is now exported directly, so consumers of Boilerplate as ## pipelines-credentials +### [v1.3.1](https://github.com/gruntwork-io/pipelines-credentials/releases/tag/v1.3.1) + +

+ Published: 3/31/2026 | Release notes +

+ +
+ + * Update error text when pipelines are paused due to usage limit by @oredavids in https://github.com/gruntwork-io/pipelines-credentials/pull/24 + +* @oredavids made their first contribution in https://github.com/gruntwork-io/pipelines-credentials/pull/24 + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-credentials/compare/v1.3.0...v1.3.1 + +
+ + ### [v1.3.0](https://github.com/gruntwork-io/pipelines-credentials/releases/tag/v1.3.0)

@@ -224,6 +242,22 @@ The validation package is now exported directly, so consumers of Boilerplate as ## pipelines-workflows +### [v4.10.2](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.10.2) + +

+ Published: 3/31/2026 | Release notes +

+ +
+ + * Bump pipelines credentials actions ref to v1.3.1 by @oredavids in https://github.com/gruntwork-io/pipelines-workflows/pull/199 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.10.2 + +
+ + ### [v4.10.1](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.10.1)

@@ -372,6 +406,26 @@ The validation package is now exported directly, so consumers of Boilerplate as ## terraform-aws-security +### [v1.4.1](https://github.com/gruntwork-io/terraform-aws-security/releases/tag/v1.4.1) + +

+ Published: 3/31/2026 | Modules affected: custom-iam-entity | Release notes +

+ +
+ + + +- `custom-iam-entity`: add tags to IAM role +- test fixes: improved tagging and cleanup (no functional change from this) + + + + + +
+ + ### [v1.4.0](https://github.com/gruntwork-io/terraform-aws-security/releases/tag/v1.4.0)

@@ -497,11 +551,32 @@ The validation package is now exported directly, so consumers of Boilerplate as - https://github.com/gruntwork-io/terraform-aws-eks/releases/tag/v4.0.0 + + + + +## terraform-aws-vpc + + +### [v0.28.12](https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.28.12) + +

+ Published: 3/31/2026 | Modules affected: vpc-peering-cross-accounts-accepter, vpc-peering-cross-accounts-requester, vpc-peering-external, vpc-peering | Release notes +

+ +
+ + + +- Added VPC Peering Support for multiple CIDR blocks + + +
diff --git a/docs/guides/stay-up-to-date/releases/2026-04/index.md b/docs/guides/stay-up-to-date/releases/2026-04/index.md new file mode 100644 index 000000000..e4d015cd6 --- /dev/null +++ b/docs/guides/stay-up-to-date/releases/2026-04/index.md @@ -0,0 +1,1160 @@ + +# Gruntwork release 2026-04 + +

Guides / Update Guides / Releases / 2026-04

+ +This page is lists all the updates to the [Gruntwork Infrastructure as Code +Library](https://gruntwork.io/infrastructure-as-code-library/) that were released in 2026-04. For instructions +on how to use these updates in your code, check out the [updating +documentation](/library/stay-up-to-date/updating). + +Here are the repos that were updated: + +- [pipelines-actions](#pipelines-actions) +- [pipelines-cli](#pipelines-cli) +- [pipelines-credentials](#pipelines-credentials) +- [pipelines-workflows](#pipelines-workflows) +- [terraform-aws-architecture-catalog](#terraform-aws-architecture-catalog) +- [terraform-aws-cis-service-catalog](#terraform-aws-cis-service-catalog) +- [terraform-aws-control-tower](#terraform-aws-control-tower) +- [terraform-aws-data-storage](#terraform-aws-data-storage) +- [terraform-aws-eks](#terraform-aws-eks) +- [terraform-aws-lambda](#terraform-aws-lambda) +- [terraform-aws-openvpn](#terraform-aws-openvpn) +- [terraform-aws-security](#terraform-aws-security) +- [terraform-aws-service-catalog](#terraform-aws-service-catalog) +- [terraform-aws-vpc](#terraform-aws-vpc) + + +## pipelines-actions + + +### [v4.8.0](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.8.0) + +

+ Published: 4/28/2026 | Release notes +

+ +
+ + * Mise 2026.4.11 by @Resonance1584 in https://github.com/gruntwork-io/pipelines-actions/pull/156 +* DEV-1441 Add orchestrate error comments by @Resonance1584 in https://github.com/gruntwork-io/pipelines-actions/pull/158 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-actions/compare/v4.7.0...v4.8.0 + +
+ + +### [v4.7.0](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.7.0) + +

+ Published: 4/16/2026 | Release notes +

+ +
+ + * add new post access control action by @odgrim in https://github.com/gruntwork-io/pipelines-actions/pull/157 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-actions/compare/v4.6.0...v4.7.0 + +
+ + +### [v4.6.0](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.6.0) + +

+ Published: 4/13/2026 | Release notes +

+ +
+ + * Add job and account_names inputs by @Resonance1584 in https://github.com/gruntwork-io/pipelines-actions/pull/155 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-actions/compare/v4.5.1...v4.6.0 + +
+ + +### [v4.5.2](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.5.2) + +

+ Published: 4/13/2026 | Release notes +

+ +
+ + Upgrade mise to 2026.4.11 + +
+ + +### [v4.5.1](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.5.1) + +

+ Published: 4/7/2026 | Release notes +

+ +
+ + * Speed up preflight by @Resonance1584 in https://github.com/gruntwork-io/pipelines-actions/pull/154 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-actions/compare/v4.5.0...v4.5.1 + +
+ + +### [v4.5.0](https://github.com/gruntwork-io/pipelines-actions/releases/tag/v4.5.0) + +

+ Published: 4/2/2026 | Release notes +

+ +
+ + * 2026 04 01 fix node warnings by @Resonance1584 in https://github.com/gruntwork-io/pipelines-actions/pull/153 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-actions/compare/v4.4.0...v4.5.0 + +
+ + + +## pipelines-cli + + +### [v0.53.1](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.53.1) + +

+ Published: 4/29/2026 | Release notes +

+ +
+ + * [DEV-1429] Reflect output-only changes in plan summary by @odgrim in https://github.com/gruntwork-io/pipelines/pull/562 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.53.0...v0.53.1 + + +
+ + +### [v0.53.0](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.53.0) + +

+ Published: 4/28/2026 | Release notes +

+ +
+ + * Dont update deploy branch unless on a PR by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/568 +* Pin architecture catalog version in tests by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/570 +* Fix architecture details by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/569 +* DEV-1441 Add PIPELINES_FEATURE_VALIDATE_DAG_ON_DELETE by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/567 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.52.1...v0.53.0 + + +
+ + +### [v0.52.1](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.52.1) + +

+ Published: 4/23/2026 | Release notes +

+ +
+ + * chore: Use `stack generate` with `--filters-file` when possible by @yhakbar in https://github.com/gruntwork-io/pipelines/pull/566 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.52.0...v0.52.1 + + +
+ + +### [v0.52.0](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.52.0) + +

+ Published: 4/23/2026 | Release notes +

+ +
+ + * DEV-1460 Accurate apply vs destroy feedback in PR comments by @oredavids in https://github.com/gruntwork-io/pipelines/pull/561 +* Arch doc by @ZachGoldberg in https://github.com/gruntwork-io/pipelines/pull/565 +* Support custom CI config file name and location (DEV-1425) by @oredavids in https://github.com/gruntwork-io/pipelines/pull/563 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.51.0...v0.52.0 + + +
+ + +### [v0.51.0](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.51.0) + +

+ Published: 4/20/2026 | Release notes +

+ +
+ + * Gruntwork Claude marketplace config by @ZachGoldberg in https://github.com/gruntwork-io/pipelines/pull/557 +* Fix RepoBaseURL parameter by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/558 +* Add account_factory.pr_create_token_name hcl config by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/559 +* Fix pipelines_workflow_location by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/560 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.50.0...v0.51.0 + + +
+ + +### [v0.50.0](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.50.0) + +

+ Published: 4/13/2026 | Release notes +

+ +
+ + * Add pipelines config get +* Add pipelines account-factory execute-via-control-tower +* Add pipelines account-factory get-account-request-field + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.49.1...v0.50.0 + + +
+ + +### [v0.49.1](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.49.1) + +

+ Published: 4/10/2026 | Release notes +

+ +
+ + * Regenerate test-fixtures by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/550 +* fix govcloud regions, add missing regions by @odgrim in https://github.com/gruntwork-io/pipelines/pull/551 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.49.0...v0.49.1 + + +
+ + +### [v0.49.0](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.49.0) + +

+ Published: 4/9/2026 | Release notes +

+ +
+ + * DEV-1433 - Comment consolidation by @ZachGoldberg in https://github.com/gruntwork-io/pipelines/pull/547 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.48.5...v0.49.0 + + +
+ + +### [v0.48.5](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.48.5) + +

+ Published: 4/8/2026 | Release notes +

+ +
+ + * Decrease binary size by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/546 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.48.4...v0.48.5 + + +
+ + +### [v0.48.4](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.48.4) + +

+ Published: 4/8/2026 | Release notes +

+ +
+ + * Remove PIPELINES_READ_TOKEN preflight checks by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/544 +* Preflight children checks run in parallel by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/545 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.48.3...v0.48.4 + + +
+ + +### [v0.48.3](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.48.3) + +

+ Published: 4/2/2026 | Release notes +

+ +
+ + * Run preflight checks in parallel by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/543 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.48.2...v0.48.3 + + +
+ + +### [v0.48.2](https://github.com/gruntwork-io/pipelines-cli/releases/tag/v0.48.2) + +

+ Published: 4/1/2026 | Release notes +

+ +
+ + * Wrap git operations in retry by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/541 +* Fix whitespace in unit paths causing separate args to terragrunt by @Resonance1584 in https://github.com/gruntwork-io/pipelines/pull/542 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines/compare/v0.48.1...v0.48.2 + + +
+ + + +## pipelines-credentials + + +### [v2.0.0](https://github.com/gruntwork-io/pipelines-credentials/releases/tag/v2.0.0) + +

+ Published: 4/7/2026 | Release notes +

+ +
+ + * Refactor to fetch tokens in parallel by @Resonance1584 in https://github.com/gruntwork-io/pipelines-credentials/pull/25 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-credentials/compare/v1.3.1...v2.0.0 + +
+ + + +## pipelines-workflows + + +### [v4.16.1](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.16.1) + +

+ Published: 4/30/2026 | Release notes +

+ +
+ + + +Previously, Terragrunt plans that only changed Terraform outputs (no resource adds, changes, or destroys) rendered as `Plan Summary: 0 to add, 0 to change, 0 to destroy`, which was misleading. + +Plan summaries now include per-action output counts and (in the GitHub formatter) a `Changed Outputs` list of changed output names. For example: + +`Plan Summary: 0 to add, 0 to change, 0 to destroy, 0 outputs to add, 1 outputs to change, 0 outputs to destroy` + +* Pipelines CLI v0.53.1 by @oredavids in https://github.com/gruntwork-io/pipelines-workflows/pull/215 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.16.0...v4.16.1 + +
+ + +### [v4.16.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.16.0) + +

+ Published: 4/28/2026 | Release notes +

+ +
+ + + + +Pipelines can now fail a pull request when it deletes a Terragrunt unit (or a file read by a unit) that is still referenced elsewhere in the [DAG](https://docs.terragrunt.com/getting-started/terminology#directed-acyclic-graph-dag). + +When enabled, orchestrate runs `terragrunt find` against the target ref and cross-references each deleted path against every Pipelines unit's `dependencies` and `mark_as_read` entries. + +If any Pipelines unit still references a deleted path, the run fails on pull request events with a comment listing the offending references; on other events the violation is logged as a warning and the run continues. + +This is an opt-in feature, disabled by default. Enable it by setting `PIPELINES_FEATURE_VALIDATE_DAG_ON_DELETE=true` in your repository's environment configuration. + +To enable a feature flag, add it to the `env` block of `repository` in `.gruntwork/repository.hcl`: + +```hcl +repository { + env { + PIPELINES_FEATURE_VALIDATE_DAG_ON_DELETE = "true" + } +} +``` + +Validation of `mark_as_read` entries requires Terragrunt newer than v0.91.3; older versions only validate `dependencies`. + +See [the feature flag reference](https://docs.gruntwork.io/2.0/reference/pipelines/feature-flags#pipelines_feature_validate_dag_on_delete) for full details. + + + +Fixed a race where a Push event to the deploy branch could compute a changeset against a newer deploy-branch tip than the one that triggered the run if another pull request merged in between; the comparison only ever moved forward in history, never backward. + +Pipelines no longer touches the local deploy branch on Push events; the runner's checkout already provides the correct state for the trigger commit. Pull request events are unchanged. + +We recommend enabling "Require branches to be up to date before merging" in your repository's branch protection rules. 
That requirement prevents the wider class of races where two pull requests land against the same deploy-branch tip without either one seeing the other's changes. + + +mise version used in the preflight action lagged the version used in workflows (2025.10.0 -> 2026.4.11) + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.15.1...v4.16.0 + +
+ + +### [v4.15.1](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.15.1) + +

+ Published: 4/24/2026 | Release notes +

+ +
+ + + +Pipelines now calls a single `terragrunt stack generate` invocation with usage of the `--filters-file` flag when using a Terragrunt modern enough to support the `--filters-file` flag (>= `v0.97.0`) instead of calling `terragrunt stack generate` per stack being generated. + +This allows Terragrunt to synchronize stack generations more carefully with full awareness of the stacks being generated, reducing the likelihood of contention between different stack generations. + +* chore: Bumping Pipelines to `v0.52.1` by @yhakbar in https://github.com/gruntwork-io/pipelines-workflows/pull/213 + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.15.0...v4.15.1 + +
+ + +### [v4.15.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.15.0) + +

+ Published: 4/23/2026 | Release notes +

+ +
+ + * Bump pipelines CLI to v0.52.0 by @oredavids in https://github.com/gruntwork-io/pipelines-workflows/pull/212 (Accurate apply vs destroy feedback in PR comments) + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.15.0 + +
+ + +### [v4.14.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.14.0) + +

+ Published: 4/20/2026 | Release notes +

+ +
+ + + + +The following improvements affect Account Factory customers using [custom actions](https://docs.gruntwork.io/2.0/docs/pipelines/guides/extending-pipelines/) to extend Pipelines. + + +Added new optional inputs to pipelines-root, `pipelines_actions_customizations_repo` and `pipelines_actions_customizations_ref`. When set, custom-actions will be cloned from this repository instead of pipelines-actions. + + +A new custom action runs after provisioning access-control but before opening the pull request, allowing customization of the pull request contents. + + +Updated signatures of all custom actions with additional context. The `job` is the output from pipelines orchestrate, and `account_names` is a comma separate list of new accounts being created during account provisioning. + + +The pipelines-execute action inputs `infra_live_repo_branch`, `infra_live_repo`, and `infra_live_directory` are now deprecated. Use `ref` in place of `infra_live_repo_branch`. + + +Added the following commands to the pipelines CLI. These should be used in place for the deprecated pipelines-bootstrap context from v3 (no longer available in v4). + +- `pipelines config get --wd . <path_to.hcl_config_value>` +- `pipelines account-factory get-account-request-field --wd . --acount-name <account_name> <path_to.account_request_yaml>` +- `pipelines account-factory execute-via-control-tower --wd . 
--job ${{ inputs.job }} --terragrunt-command <command> --path <path_to_unit>` + + +These fixes work in tandem with template changes in terraform-aws-architecture-catalog [v4.5.0](https://github.com/gruntwork-io/terraform-aws-architecture-catalog/releases/tag/v4.5.0) + + +Value would incorrectly include https://, leading to invalid module sources like `git://https://` + + +Value was ignored, now correctly passed to delegated repository template + + +Similar to `pipelines_read_token_name` this value can be used to customize the secret name for `PR_CREATE_TOKEN` when templating a new repository + + +`pipelines_workflow_location` was previously being ignored. Fixed this and added `pipelines_workflow_ref`. + +Previously `pipelines_workflow_location` was documented as being the full path to a forked pipelines workflow e.g. `acme-org/pipelines-workflows/.github/workflows/pipelines.yml@X`. If migrating from pipelines YAML config, this value needs to be changed to the path up to but not including the workflow file name e.g. `acme-org/pipelines-workflows/.github/workflows`. This value is then used in the pipelines, unlock, and drift-detection workflows. + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4.13.0...v4.14.0 + +
+ + +### [v4.13.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.13.0) + +

+ Published: 4/13/2026 | Release notes +

+ +
+ + * Bump mise from 2025.10.0 to 2026.4.11 by @chrisbarrett in https://github.com/gruntwork-io/pipelines-workflows/pull/209 +* Mise 2026.4.11 by @Resonance1584 in https://github.com/gruntwork-io/pipelines-workflows/pull/210 + +* @chrisbarrett made their first contribution in https://github.com/gruntwork-io/pipelines-workflows/pull/209 + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.13.0 + +
+ + +### [v4.12.1](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.12.1) + +

+ Published: 4/10/2026 | Release notes +

+ +
+ + * :bug: Fix a bug preventing us-gov regions from being recognized by the unlock all workflow + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.12.1 + +
+ + +### [v4.12.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.12.0) + +

+ Published: 4/9/2026 | Release notes +

+ +
+ + +:sparkles: Added a new `status_update` configuration block for the `repository` block. This allows you to control how Pipelines posts status comments on pull/merge requests. + +By default, Pipelines creates a new comment for every push to a PR branch. You can now set `new_comment_per_push = false` to have Pipelines update a single comment in-place instead. On GitHub, previous plan outputs are preserved in the comment's edit history. On GitLab, previous outputs are overwritten since GitLab does not support comment edit history. + +```hcl +repository { + status_update { + new_comment_per_push = false + } +} +``` + +Read more in [the docs](https://docs.gruntwork.io/2.0/reference/pipelines/configurations-as-code/api#new_comment_per_push) + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.12.0 + +
+ + +### [v4.11.0](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.11.0) + +

+ Published: 4/9/2026 | Release notes +

+ +
+ + +- :sparkles: Added support for `PIPELINES_GRUNTWORK_READ_TOKEN` and `PIPELINES_CUSTOMER_ORG_READ_TOKEN` as fallback secrets. These optional fallback secrets take precedence over `PIPELINES_READ_TOKEN` and can be used in situations where a single PAT cannot access both the gruntwork-io organization and the customer organization. Read the full docs [here](https://docs.gruntwork.io/2.0/docs/pipelines/installation/viamachineusers/#pipelines_gruntwork_read_token) +- :zap: pipelines-credentials now fetches tokens from the Gruntwork Dev portal in parallel, saving a few seconds of overhead per job. + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.11.0 + +
+ + +### [v4.10.3](https://github.com/gruntwork-io/pipelines-workflows/releases/tag/v4.10.3) + +

+ Published: 4/8/2026 | Release notes +

+ +
+ + +* :bug: Fix issues with whitespace in unit paths causing separate args to be passed to `terragrunt run --all` +* :bug: Remove invalid PIPELINES_READ_TOKEN preflight checks +* :gear: Updated actions to remove deprecated node version warnings +* :zap: Some small speed improvements to job overheads by parallelizing some tasks, in our tests this can save anywhere from 1 to 20 seconds per job + + +**Full Changelog**: https://github.com/gruntwork-io/pipelines-workflows/compare/v4...v4.10.3 + +
+ + + +## terraform-aws-architecture-catalog + + +### [v5.0.0](https://github.com/gruntwork-io/terraform-aws-architecture-catalog/releases/tag/v5.0.0) + +

+ Published: 4/28/2026 | Release notes +

+ +
+ + * Updated the architecture catalog from CIS AWS Foundations Benchmark v1.5.0 to v3.0.0 and restructures CloudTrail implementation to use a single organization trail instead of per-account trails + + +- New required boilerplate variables: Users re-running boilerplate generation will now be prompted for SecurityContactName, SecurityContactEmail, SecurityContactPhone, and SecurityContactTitle + - These have no defaults and must be provided. + - Users running `--non-interactive` must add `--var SecurityContactName=...` `--var SecurityContactEmail=...` etc. to their commands. +- CloudTrail migration to organization trail: Existing deployments that have per-account CloudTrail trails will be migrated to a single organization trail: + - The management account trail becomes an org trail; This requires the management account to have `organizations:ListAccounts` and `organizations:DescribeOrganization` permissions + - Sub-account baselines disable their individual CloudTrail trails (`enable_cloudtrail = false`); Users must apply the management account changes first (to enable the org trail) before applying sub-account changes (which disable their individual trails), or there will be a window with no CloudTrail coverage +- AWS provider constraint tightened: The minimum AWS provider version moves from ~> 6.0 to ~> 6.25 +- KMS key policy change in shared account: The addition of `allow_manage_key_permissions_with_iam = true` to both KMS keys changes how key access is managed; Existing key policies will be updated on the next apply +- New Terragrunt units: The following new units must be applied: + - `account-security-contact` (all accounts) + - `default-vpc-hardening` (all accounts; gracefully skips if no default VPC exists) + - `ebs-encryption` (management account only) + - `s3-account-public-access-block` (all accounts) + - `s3-tls-enforcement-scp` (management account only) + - `iam-groups` (management account only) + + +**Full Changelog**: 
https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v4.5.0...v5.0.0 + +
+ + +### [v4.5.0](https://github.com/gruntwork-io/terraform-aws-architecture-catalog/releases/tag/v4.5.0) + +

+ Published: 4/20/2026 | Release notes +

+ +
+ + * chore: bump cloud-nuke to v0.49.0 by @james00012 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1193 +* chore: run cloud-nuke cleanup across all regions by @james00012 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1194 +* Fix access control PR by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1195 +* Fix root.hcl invalid merge by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1196 +* Fix delegated update workflow by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1197 +* Fix catalog tags yamldecode by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1198 +* Fix pipelines_read_token_name, add pr_create_token_name by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1200 +* Update terragrunt to 1.01 and opentofu to 1.11.6 in delegated repositories by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1199 +* Add PipelinesWorkflowLocation to templates by @Resonance1584 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1201 + + +**Full Changelog**: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v4.4.0...v4.5.0 + +
+ + +### [v4.4.0](https://github.com/gruntwork-io/terraform-aws-architecture-catalog/releases/tag/v4.4.0) + +

+ Published: 4/10/2026 | Release notes +

+ +
+ + * chore: Removing usage of `pull_request_target` by @yhakbar in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1186 +* feat: add gw: namespaced tagging and scheduled cloud-nuke cleanup by @james00012 in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1188 +* DEV-1433 Catalog updates for new status update config value by @ZachGoldberg in https://github.com/gruntwork-io/terraform-aws-architecture-catalog/pull/1190 + + +**Full Changelog**: https://github.com/gruntwork-io/terraform-aws-architecture-catalog/compare/v4.3.2...v4.4.0 + +
+ + + +## terraform-aws-cis-service-catalog + + +### [v1.2.1](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v1.2.1) + +

+ Published: 4/20/2026 | Modules affected: observability | Release notes +

+ +
+ + + +- Updated `observability/cloudtrail` with a new data-events-only mode to disable logging management events if Control Tower is already capturing them + + + + + +
+ + +### [v1.2.0](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases/tag/v1.2.0) + +

+ Published: 4/3/2026 | Modules affected: data-stores, landingzone, networking, observability | Release notes +

+ +
+ + + +- Add IPv6 CIDR block support for dual-stack networking +- CIS AWS Foundations Benchmark v3.0.0 support +- Test fixes/improvements + + + + + +
+ + + +## terraform-aws-control-tower + + +### [v2.0.2](https://github.com/gruntwork-io/terraform-aws-control-tower/releases/tag/v2.0.2) + +

+ Published: 4/22/2026 | Modules affected: landingzone | Release notes +

+ +
+ + + +- feat: CT Role Description variable + + + +
+ + +### [v2.0.1](https://github.com/gruntwork-io/terraform-aws-control-tower/releases/tag/v2.0.1) + +

+ Published: 4/21/2026 | Modules affected: landingzone | Release notes +

+ +
+ + + +chore: bump cloud-nuke to v0.49.0 +chore: run cloud-nuke cleanup across all regions +plumb through enable_default_standards in security hub + + + +
+ + +### [v2.0.0](https://github.com/gruntwork-io/terraform-aws-control-tower/releases/tag/v2.0.0) + +

+ Published: 4/9/2026 | Modules affected: landingzone | Release notes +

+ +
+ + + +- CIS AWS Foundations Benchmark v3.0.0 support + + + + + +
+ + + +## terraform-aws-data-storage + + +### [v1.0.0](https://github.com/gruntwork-io/terraform-aws-data-storage/releases/tag/v1.0.0) + +

+ Published: 4/10/2026 | Modules affected: aurora, rds, rds-replicas, rds-proxy | Release notes +

+ +
+ + +- `aurora` +- `rds` +- `rds-replicas` +- `rds-proxy` +- `redshift` +- `opensearch` +- `backup-plan` +- `backup-vault` +- `dms` +- `efs` +- `org-backup-policy` +- `lambda-create-snapshot` **(REMOVED)** +- `lambda-share-snapshot` **(REMOVED)** +- `lambda-copy-shared-snapshot` **(REMOVED)** +- `lambda-cleanup-snapshots` **(REMOVED)** + + + +**Lambda snapshot modules removed.** The following modules have been deleted in favor of AWS Backup's native capabilities (#580): + +- `lambda-create-snapshot` → Use `backup-plan` with a cron schedule +- `lambda-share-snapshot` → Use `copy_action` in backup plan rule +- `lambda-copy-shared-snapshot` → Use `copy_action` with automatic KMS re-encryption +- `lambda-cleanup-snapshots` → Use `lifecycle { delete_after }` on source and destination + +See the [backup-rds-cross-account example](/examples/backup-rds-cross-account) for a full end-to-end replacement. + + +- **RDS**: Add `multi_az` support for read replicas (#575) +- **Aurora/RDS**: Replace `local-exec` sleep provisioners with `time_sleep` resources, replace `element(concat(...))` with `one()`, add output descriptions (#578) +- **All modules**: Standardize Terraform (`>= 1.3.0`) and AWS provider (`>= 5.0.0, < 7.0.0`) version constraints (#577) +- **CI**: Add `gw:` namespaced tagging for test resources, scheduled cloud-nuke cleanup (#582, #583) + + +- **Aurora**: Fix cross-region replica example — add explicit KMS key, fix parameter group attachment bug (#573) +- **Tests**: Restrict all tests to known-good AWS regions to avoid quota issues (#576) + + +- Resolve 8 Dependabot alerts: upgrade pgx/v4→v5, grpc (critical auth bypass), go-getter, logrus, x/oauth2, x/crypto, ulikunitz/xz (#584) + + +- Update module READMEs with new feature entries, typo fixes, maturity notes (#579) +- Align all examples to `required_version >= 1.3.0`, remove OpenSearch rough-edges warning, clean up skipped tests (#584) + + +Special thanks to the following users for their contribution! 
+ +- @mkiss-apr + + +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/580 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/578 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/577 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/575 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/573 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/582 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/583 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/579 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/576 +- https://github.com/gruntwork-io/terraform-aws-data-storage/pull/584 + +
+ + + +## terraform-aws-eks + + +### [v4.5.0](https://github.com/gruntwork-io/terraform-aws-eks/releases/tag/v4.5.0) + +

+ Published: 4/7/2026 | Modules affected: eks-aws-auth-merger, eks-cluster-control-plane, eks-ebs-csi-driver, eks-k8s-cluster-autoscaler | Release notes +

+ +
+ + + +- `eks-aws-auth-merger` +- `eks-cluster-control-plane` +- `eks-ebs-csi-driver` +- `eks-k8s-cluster-autoscaler` + + +Default EKS version is 1.34 with this release! Please see the links below for full details of the EKS 1.34 release including new features and any API changes. + +**Kubernetes 1.34 ("Of Wind & Will") highlights:** +- Dynamic Resource Allocation (DRA) core functionality graduated to GA +- VolumeAttributesClass (VAC) graduated to GA (storage.k8s.io/v1) +- 23 enhancements graduating to stable, including Direct Service Return (DSR) for Windows kube-proxy +- No deprecated APIs or removed features — safe upgrade path + +[Official AWS EKS 1.34 Announcement](https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-eks-distro-kubernetes-version-1-34/) +[Amazon EKS Distro Docs](https://distro.eks.amazonaws.com/) +[Kubernetes 1.34 Announcement](https://kubernetes.io/blog/2025/08/27/kubernetes-v1-34-release/) +[Kubernetes 1.34 Release Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.34.md) + + +No breaking changes. The default EKS version has been updated to `1.34`. Users pinning a specific version via the `kubernetes_version` variable are unaffected. + + +- https://github.com/gruntwork-io/terraform-aws-eks/pull/809 + + +
+ + +### [v4.4.0](https://github.com/gruntwork-io/terraform-aws-eks/releases/tag/v4.4.0) + +

+ Published: 4/3/2026 | Modules affected: eks-alb-ingress-controller | Release notes +

+ +
+ + + +- Add `gw:` namespaced tagging and scheduled cloud-nuke cleanup +- Expose all remaining `aws-load-balancer-controller` helm chart values (v1.4.6) as Terraform variables for the `eks-alb-ingress-controller` module. This includes resource requests/limits, node scheduling (nodeSelector, topologySpreadConstraints, podDisruptionBudget), AWS feature toggles (WAF, Shield, WAFv2, EndpointSlices), webhook configuration, observability settings, and more. All new variables default to the chart's defaults to ensure no breaking changes. + + +
+ + + +## terraform-aws-lambda + + +### [v1.3.1](https://github.com/gruntwork-io/terraform-aws-lambda/releases/tag/v1.3.1) + +

+ Published: 4/29/2026 | Modules affected: - lambda-alias, - lambda-function-url, - api-gateway-account-settings, - api-gateway-proxy | Release notes +

+ +
+ + + +- feat: Add `gw:`-namespaced default tagging and scheduled cloud-nuke cleanup workflow (#282) +- fix: Make CORS configuration optional in `lambda-function-url` (#284) +- docs: Update module documentation (#285) +- chore: Bump cloud-nuke to v0.49.0 (#286) +- chore: Run cloud-nuke cleanup across all regions (#287) +- feat: Propagate `custom_tags` to the `api-gateway-proxy` stage (#288) +- fix: Harden cloud-nuke cleanup CI and bump cloud-nuke to v0.50.0 (#289) + + + +
+ + + +## terraform-aws-openvpn + + +### [v1.0.0](https://github.com/gruntwork-io/terraform-aws-openvpn/releases/tag/v1.0.0) + +

+ Published: 4/24/2026 | Modules affected: init-openvpn, install-openvpn, openvpn-server | Release notes +

+ +
+ + + +- feat: add gw: namespaced tagging and scheduled cloud-nuke cleanup +- chore: bump cloud-nuke to v0.49.0 +- chore: run cloud-nuke cleanup across all regions +- Base Image upgrades + + + +
+ + + +## terraform-aws-security + + +### [v1.5.0](https://github.com/gruntwork-io/terraform-aws-security/releases/tag/v1.5.0) + +

+ Published: 4/3/2026 | Modules affected: private-s3-bucket | Release notes +

+ +
+ + + +- Transition data source aws_region from name (deprecated) to region in output + + + + + +
+ + + +## terraform-aws-service-catalog + + +### [v2.5.0](https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v2.5.0) + +

+ Published: 4/20/2026 | Modules affected: networking/vpc, services/eks-argocd, services/eks-cluster, services/eks-core-services | Release notes +

+ +
+ + + +- Bump cloud-nuke to v0.49.0 +- Run cloud-nuke cleanup across all regions +- Add Default Support for EKS 1.34 +- Bump `cluster-autoscaler` to `v1.34.0` (chart `9.56.0`) +- Bump `terraform-aws-eks` library module from `v4.4.0` → `v4.5.0` + +Default EKS version is 1.34 with this release! Please see the links below for full details of the EKS 1.34 release including new features and any API changes. + +[Official AWS EKS 1.34 Announcement](https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-eks-kubernetes-version-1-34/) +[Amazon EKS Distro Docs](https://distro.eks.amazonaws.com/) +[Kubernetes 1.34 Announcement](https://kubernetes.io/blog/2025/08/27/kubernetes-v1-34-release/) +[Kubernetes 1.34 Release Notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.34.md) + + + +
+ + +### [v2.4.0](https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v2.4.0) + +

+ Published: 4/4/2026 | Modules affected: networking/vpc, services/eks-argocd, services/eks-cluster, services/eks-core-services | Release notes +

+ +
+ + +- `networking/vpc` +- `services/eks-argocd` +- `services/eks-cluster` +- `services/eks-core-services` +- `services/eks-karpenter` +- `services/eks-workers` +- `services/helm-service` +- `services/k8s-service` + + +- Bump `terraform-aws-eks` to `v4.4.0` +- Replace `alb_ingress_controller_extra_args` with `alb_ingress_controller_feature_gates` (`map(bool)`) in `eks-core-services` +- Expose all remaining `aws-load-balancer-controller` helm chart values (v1.4.6) as Terraform variables in `eks-core-services`, including resource requests/limits, node scheduling, security contexts, WAF/Shield/WAFv2 toggles, webhook configuration, observability settings, and more + +> [!WARNING] +> #### Breaking Changes +> - `alb_ingress_controller_extra_args` has been removed and replaced with `alb_ingress_controller_feature_gates`. If you were using `extra_args` to pass feature gates, update your configuration: +> +> **Before:** +> ```hcl +> alb_ingress_controller_extra_args = { +> "feature-gates" = "NLBGatewayAPI=true,ALBGatewayAPI=true" +> } +> ``` +> +> **After:** +> ```hcl +> alb_ingress_controller_feature_gates = { +> NLBGatewayAPI = true +> ALBGatewayAPI = true +> } +> ``` + + +- https://github.com/gruntwork-io/terraform-aws-service-catalog/pull/2368 +- https://github.com/gruntwork-io/terraform-aws-eks/releases/tag/v4.4.0 + + +
+ + +### [v2.3.0](https://github.com/gruntwork-io/terraform-aws-service-catalog/releases/tag/v2.3.0) + +

+ Published: 4/3/2026 | Modules affected: base, data-stores, landingzone, mgmt | Release notes +

+ +
+ + + +- Updated all usage of terraform-aws-security to v1.4.1 and of terraform-aws-data-storage to v0.47.0 +- Replace Lambda Snapshot usage in data-stores modules with AWS Backup (requires migration, see below) + + + + + +
+ + + +## terraform-aws-vpc + + +### [v0.28.13](https://github.com/gruntwork-io/terraform-aws-vpc/releases/tag/v0.28.13) + +

+ Published: 4/23/2026 | Modules affected: vpc-app, transit-gateway-peering-attachment-accepter, vpc-app-lookup, vpc-flow-logs | Release notes +

+ +
+ + + +- chore: bump cloud-nuke to v0.49.0 +- chore: run cloud-nuke cleanup across all regions +- LIB-4871 Don't create EIP if using private NAT gateway +- Fix TGW accepter: skip data lookup when attachment ID is provided +- Remove deprecated attribute "name" for aws_region resource + + + +
+ + diff --git a/docs/guides/stay-up-to-date/releases/index.md b/docs/guides/stay-up-to-date/releases/index.md index 8ab53695a..2a05a7eef 100644 --- a/docs/guides/stay-up-to-date/releases/index.md +++ b/docs/guides/stay-up-to-date/releases/index.md @@ -11,7 +11,8 @@ Library](https://gruntwork.io/infrastructure-as-code-library/), grouped by month updates in your code, check out the [updating documentation](/library/stay-up-to-date/updating). - + + @@ -134,6 +135,6 @@ updates in your code, check out the [updating documentation](/library/stay-up-to
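Review bot: In the terraform-aws-service-catalog v2.3.0 entry of the new 2026-04/index.md, the bullet "Replace Lambda Snapshot usage in data-stores modules with AWS Backup (requires migration, see below)" points at a migration section, but nothing follows it in the entry as it appears in this patch, so readers are told a migration is required without being given the steps. Either carry the migration notes into the page, or link to the terraform-aws-data-storage entry in this same file, which maps each removed `lambda-*` snapshot module to its AWS Backup replacement. Two smaller points in the same hunk: the terraform-aws-lambda v1.3.1 summary reads "Modules affected: - lambda-alias, - lambda-function-url, ...", with list markers leaking into the line, so the generator should strip a leading "- " from each module name before joining them. The "Official AWS EKS 1.34 Announcement" link also differs between terraform-aws-eks v4.5.0 (`.../amazon-eks-distro-kubernetes-version-1-34/`) and terraform-aws-service-catalog v2.5.0 (`.../amazon-eks-kubernetes-version-1-34/`); check which one resolves and use it in both entries.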