v1.0.0
Support AWS provider version 4 @Nuru (#129)
Breaking Changes
This PR introduces breaking changes to the module.
Different method of shortening names (RISK OF DATA LOSS)
Previous versions shortened some names where AWS imposes length restrictions of 63 or 64 characters by simply truncating them. This module now uses null-label to shorten generated names when necessary. It shortens names by replacing the last characters of the string with a hash of them. This reduces the likelihood of name collisions while enforcing length limits.
If this module previously truncated a generated name, the name will now change, and Terraform will try to destroy and replace existing resources. If this happens to your S3 bucket, you can specify the existing name in `s3_bucket_name`. If this happens in the replication role or policy name, you can safely let Terraform make the change.
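Why truncation collides and hash-based shortening does not, as an added illustration in shell (not the module's or null-label's own code; the 5-character suffix, the use of md5sum and the sample names are assumptions made here for the demonstration):

```shell
#!/bin/sh
# Added illustration: truncation versus hash-based shortening of long names.
# Assumptions (not from the module or null-label): a 5-character hash suffix
# and md5sum as the hash; the real null-label algorithm may differ in detail.
set -eu

# Old behaviour: simply cut the name at the limit.
truncate_name() {
  printf '%s' "$1" | cut -c1-"$2"
}

# New behaviour: keep the head of the name and replace the removed tail
# with a short hash of that tail, so different tails stay distinguishable.
shorten_name() {
  name="$1"; limit="$2"
  if [ "${#name}" -le "$limit" ]; then
    printf '%s' "$name"
    return 0
  fi
  keep=$((limit - 5))
  kept=$(printf '%s' "$name" | cut -c1-"$keep")
  dropped=$(printf '%s' "$name" | cut -c"$((keep + 1))"-)
  suffix=$(printf '%s' "$dropped" | md5sum | cut -c1-5)
  printf '%s%s' "$kept" "$suffix"
}

# Constructed sample names: both exceed 63 characters and share their first
# 63 characters, so plain truncation maps them to the same bucket name.
BASE="eg-ue1-prod-tfstate-backend-namespace-environment-stage-tenant-"
NAME_A="${BASE}alpha"
NAME_B="${BASE}beta"

# Returns 0 when the two names collide under the given shortening function.
collides() {
  [ "$("$1" "$NAME_A" 63)" = "$("$1" "$NAME_B" 63)" ]
}

if collides truncate_name; then echo "truncation: COLLISION"; fi
if ! collides shorten_name; then echo "hash shortening: distinct names"; fi
```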
Access Logging (RISK OF DATA LOSS)
The input `logging_bucket_enabled` has been removed
The input `logging_bucket_enabled` has been removed, and this module no longer creates an S3 bucket to receive logs. This is because configuring an S3 bucket, particularly lifecycle rules, is too complex to be included in this module.
If you previously had `logging_bucket_enabled = true`, upgrading to this version will cause Terraform to attempt to delete the logging bucket previously created. You will need to use `terraform state rm` to remove the S3 bucket from the state in order to keep Terraform from trying to delete it. You can use a module like `s3-log-storage` or `s3-bucket` to continue to manage the bucket; just import the bucket into the state using `terraform import`.
The `logging` input type has changed
The `logging` input type has changed from an object to a list of objects. This is the new Cloud Posse standard for optional inputs that are used to determine `count`, in order to avoid problems evaluating dynamic values during the planning phase. If you are providing a value, just put it in a list. If you are not providing a value, accept the default or pass in an empty list (`[]`). Do not pass in `null`.
Encryption no longer optional (RISK OF DATA LOSS)
AWS S3 buckets and DynamoDB tables are now always encrypted at rest, with no option to leave them unencrypted. Therefore the `enable_server_side_encryption` input has been removed. If you had set `enable_server_side_encryption = false`, then use `terraform state mv` to move `...aws_dynamodb_table.without_server_side_encryption[0]` to `...aws_dynamodb_table.with_server_side_encryption[0]`, or else Terraform will delete your existing DynamoDB table and create a new one, causing a complete loss of DynamoDB table data.
Note that the DynamoDB table data is only advisory, so a complete loss of it will not cause a significant problem, but you still probably want to avoid it.
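The state surgery described in the access-logging and encryption sections above, as an added upgrade helper that is not part of the module: it runs in dry-run mode by default so every `terraform state` operation can be reviewed first. The module address `module.tfstate_backend`, the logging bucket's resource addresses and the bucket name are placeholders you must replace with your own.

```shell
#!/bin/sh
# Added upgrade helper, not part of the module. Prints commands unless
# DRY_RUN=0, so you can review every state operation before it executes.
# Placeholders (assumptions, replace with your own values):
#   MODULE_ADDR          address of your tfstate-backend module block
#   LOG_BUCKET_ADDR      address of the logging bucket in the OLD module's state
#   NEW_LOG_BUCKET_ADDR  address of the bucket resource in the module that
#                        will manage it from now on (e.g. s3-log-storage)
#   LOG_BUCKET_NAME      the existing logging bucket's name
set -eu

MODULE_ADDR="${MODULE_ADDR:-module.tfstate_backend}"
LOG_BUCKET_ADDR="${LOG_BUCKET_ADDR:-${MODULE_ADDR}.aws_s3_bucket.PLACEHOLDER_LOG_BUCKET[0]}"
NEW_LOG_BUCKET_ADDR="${NEW_LOG_BUCKET_ADDR:-module.PLACEHOLDER_LOG_STORAGE.aws_s3_bucket.PLACEHOLDER[0]}"
LOG_BUCKET_NAME="${LOG_BUCKET_NAME:-PLACEHOLDER-log-bucket-name}"
DRY_RUN="${DRY_RUN:-1}"

# Print the terraform command in dry-run mode, otherwise execute it.
tf() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "terraform $*"
  else
    terraform "$@"
  fi
}

# Encryption is no longer optional: move the table's state address so
# Terraform does not destroy and recreate the DynamoDB table.
migrate_dynamodb_table() {
  tf state mv \
    "${MODULE_ADDR}.aws_dynamodb_table.without_server_side_encryption[0]" \
    "${MODULE_ADDR}.aws_dynamodb_table.with_server_side_encryption[0]"
}

# The module no longer manages the access-log bucket: drop it from this
# module's state, then import it into the module that takes over.
migrate_logging_bucket() {
  tf state rm "$LOG_BUCKET_ADDR"
  tf import "$NEW_LOG_BUCKET_ADDR" "$LOG_BUCKET_NAME"
}

# Succeeds only if the plan contains no destroy or replace actions.
plan_destroys_nothing() {
  ! tf plan -no-color 2>&1 | grep -Eq 'will be destroyed|must be replaced'
}

migrate_dynamodb_table
migrate_logging_bucket
plan_destroys_nothing && echo "plan is free of destroy/replace actions"
```

Run it once with the default dry run, check the printed addresses against `terraform state list`, then rerun with `DRY_RUN=0`.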
DynamoDB default billing mode changed from "provisioned" to "pay per request"
Due to both the low traffic in normal operations and the potentially high traffic in certain automated operations, the default billing mode has changed from "provisioned" to "pay per request". You can retain the previous mode by setting `billing_mode = "PROVISIONED"`, which will also restore the previous read and write capacity defaults.
Bucket object ownership now defaults to BucketOwnerEnforced
AWS now recommends (and takes as default) setting "bucket object ownership" to `BucketOwnerEnforced`, which overrides and disables ACLs. This module now defaults to the same setting. You can continue to use ACLs by setting the new input `bucket_ownership_enforced_enabled` to `false`, but it is not recommended.
Generation of backend configuration file deprecated, default changed
The generation of a backend configuration file is deprecated and will be removed in a future release. Meanwhile, the default for `terraform_version`, which sets the minimum Terraform version allowed in the generated backend configuration file, has been changed to 1.0.0.
what
- Updated to support and require AWS provider version 4 or later
- Generate valid identifiers for replication resources when not providing null-label inputs
- The input `logging_bucket_enabled` has been removed
- The input `logging` was changed from an object type to a list of the same object type
- The input `enable_server_side_encryption` has been removed (encryption cannot be disabled)
- DynamoDB default billing mode changed from "provisioned" to "pay per request"
- Bucket object ownership for the created S3 bucket now defaults to `BucketOwnerEnforced`
- The default value for input `terraform_version` has changed to "1.0.0"
- Add tags to created IAM Policy and Role for replication
- Add output of replication role ARN
why
- Version 4.0 introduced breaking changes (reverted in 4.9.0) that will be reintroduced in announced version 5.0 (no release date given). This update removes the use of deprecated features and is expected to work with version 5.0 when it is released.
- See details under "Breaking Changes" above.
references
- Supersedes and closes #125
- Supersedes and closes #124
- Obsoletes and closes #123
- Obsoletes and closes #121
- Supersedes and closes #119
- Closes #118
- Supersedes and closes #114
- Supersedes and closes #113
- Closes #111
- Closes #109
- Supersedes and closes #108
- Supersedes and closes #107
- Obsoletes and closes #106