Skip to content

v1.0.0

Compare
Choose a tag to compare
@cloudpossebot cloudpossebot released this 24 Apr 16:31
73e86c7
Support AWS provider version 4 @Nuru (#129)

Breaking Changes

This PR introduces breaking changes to the module.

Different method of shortening names (RISK OF DATA LOSS)

Previous versions shortened some names where AWS imposes length restrictions of 63 or 64 characters by simply truncating them. This module now uses null-label to shorten generated names when necessary. It shortens names by replacing the last characters of the string with a hash of them. This reduces the likelihood of name collisions while enforcing length limits.

If this module previously truncated a generated name, the name will now change, and Terraform will try to destroy and replace existing resources. If this happens to your S3 bucket, you can specify the existing name in s3_bucket_name. If this happens in the replication role or policy name, you can safely let Terraform make the change.

Access Logging (RISK OF DATA LOSS)

The input logging_bucket_enabled has been removed

The input logging_bucket_enabled has been removed, and this module no longer creates an S3 bucket to receive logs. This is because configuring an S3 bucket, particularly lifecycle rules, is too complex to be included in this module.

If you previously had logging_bucket_enabled = true, upgrading to this version will cause Terraform to attempt to delete the logging bucket previously created. You will need to use terraform state rm to remove the S3 bucket from the state in order to keep Terraform from trying to delete it. You can use a module like s3-log-storage or s3-bucket to continue to manage the bucket, just import the bucket into the state using terraform import.

The logging input type has changed

The logging input type has changed from an object to a list of objects. This is the new Cloud Posse standard for optional inputs that are used to determine count, in order to avoid problems evaluating dynamic values during the planning phase. If you are providing a value, just put it in a list. If you are not providing a value, accept the default or pass in an empty list ([]). Do not pass in null.

Encryption no longer optional (RISK OF DATA LOSS)

AWS S3 buckets and DynamoDB tables are now always encrypted at rest, with no option to leave them unencrypted. Therefore the enable_server_side_encryption input has been removed. If you had set enable_server_side_encryption = false, then use terraform state mv to move ...aws_dynamodb_table.without_server_side_encryption[0] to ...aws_dynamodb_table.with_server_side_encryption[0] or else Terraform will delete your existing DynamoDB table and create a new one, causing a complete loss of DynamoDB table data.

Note that all the DynamoDB table data is only advisory, so a complete data loss will not cause a significant problem, but you still probably want to avoid it.

DynamoDB default billing mode changed from "provisioned" to "pay per request"

Due to both the low traffic in normal operations and the potentially high traffic in certain automated operations, the default billing mode has changed from "provisioned" to "pay per request". You can retain the previous mode by setting billing_mode = "PROVISIONED", which will also restore the previous read and write capacity defaults.

Bucket object ownership now defaults to BucketOwnerEnforced

AWS now recommends (and takes as default) setting "bucket object ownership" to BucketOwnerEnforced, which overrides and disables ACLs. This module now defaults to the same setting. You can continue to use ACLs by setting the new input bucket_ownership_enforced_enabled to false, but it is not recommended.

Generation of backend configuration file deprecated, default changed

The generation of a backend configuration file is deprecated and will be removed in a future release. Meanwhile, the default for terraform_version, which sets, in the generated backend configuration file, the value of the minimum version of Terraform to be allowed, has been changed to 1.0.0.

what

  • Updated to support and require AWS provider version 4 or later
  • Generate valid identifiers for replication resources when not providing null-label inputs
  • The input logging_bucket_enabled has been removed
  • The input logging was changed from an object type to a list of the same object type
  • The input enable_server_side_encryption has been removed (encryption cannot be disabled)
  • DynamoDB default billing mode changed from "provisioned" to "pay per request"
  • Bucket object ownership for the creates S3 bucket now defaults to BucketOwnerEnforced
  • The default value for input terraform_version has changed to "1.0.0"
  • Add tags to created IAM Policy and Role for replication
  • Add output of replication role ARN

why

  • Version 4.0 introduced breaking changes (reverted in 4.9.0) that will be reintroduced in announced version 5.0 (no release date given). This update removes the use of deprecated features and is expected to work with version 5.0 when it is released.
  • See details under "Breaking Changes" above.

references

  • Supersedes and closes #125
  • Supersedes and closes #124
  • Obsoletes and closes #123
  • Obsoletes and closes #121
  • Supersedes and closes #119
  • Closes #118
  • Supersedes and closes #114
  • Supersedes and closes #113
  • Closes #111
  • Closes #109
  • Supersedes and closes #108
  • Supersedes and closes #107
  • Obsoletes and closes #106