Releases: cloudposse/terraform-aws-tfstate-backend

v1.0.0

24 Apr 16:31
73e86c7
Support AWS provider version 4 @Nuru (#129)

Breaking Changes

This PR introduces breaking changes to the module.

Different method of shortening names (RISK OF DATA LOSS)

Previous versions shortened some names where AWS imposes length restrictions of 63 or 64 characters by simply truncating them. This module now uses null-label to shorten generated names when necessary. It shortens names by replacing the last characters of the string with a hash of them. This reduces the likelihood of name collisions while enforcing length limits.

If this module previously truncated a generated name, the name will now change, and Terraform will try to destroy and replace existing resources. If this happens to your S3 bucket, you can specify the existing name in s3_bucket_name. If this happens in the replication role or policy name, you can safely let Terraform make the change.

Access Logging (RISK OF DATA LOSS)

The input logging_bucket_enabled has been removed

The input logging_bucket_enabled has been removed, and this module no longer creates an S3 bucket to receive logs. This is because configuring an S3 bucket, particularly lifecycle rules, is too complex to be included in this module.

If you previously had logging_bucket_enabled = true, upgrading to this version will cause Terraform to attempt to delete the logging bucket previously created. You will need to use terraform state rm to remove the S3 bucket from the state in order to keep Terraform from trying to delete it. You can use a module like s3-log-storage or s3-bucket to continue to manage the bucket, just import the bucket into the state using terraform import.

The logging input type has changed

The logging input type has changed from an object to a list of objects. This is the new Cloud Posse standard for optional inputs that are used to determine count, in order to avoid problems evaluating dynamic values during the planning phase. If you are providing a value, just put it in a list. If you are not providing a value, accept the default or pass in an empty list ([]). Do not pass in null.

Encryption no longer optional (RISK OF DATA LOSS)

AWS S3 buckets and DynamoDB tables are now always encrypted at rest, with no option to leave them unencrypted. Therefore the enable_server_side_encryption input has been removed. If you had set enable_server_side_encryption = false, then use terraform state mv to move ...aws_dynamodb_table.without_server_side_encryption[0] to ...aws_dynamodb_table.with_server_side_encryption[0] or else Terraform will delete your existing DynamoDB table and create a new one, causing a complete loss of DynamoDB table data.

Note that all the DynamoDB table data is only advisory, so a complete data loss will not cause a significant problem, but you still probably want to avoid it.

DynamoDB default billing mode changed from "provisioned" to "pay per request"

Due to both the low traffic in normal operations and the potentially high traffic in certain automated operations, the default billing mode has changed from "provisioned" to "pay per request". You can retain the previous mode by setting billing_mode = "PROVISIONED", which will also restore the previous read and write capacity defaults.

Bucket object ownership now defaults to BucketOwnerEnforced

AWS now recommends (and takes as default) setting "bucket object ownership" to BucketOwnerEnforced, which overrides and disables ACLs. This module now defaults to the same setting. You can continue to use ACLs by setting the new input bucket_ownership_enforced_enabled to false, but it is not recommended.

Generation of backend configuration file deprecated, default changed

The generation of a backend configuration file is deprecated and will be removed in a future release. Meanwhile, the default for terraform_version, which sets, in the generated backend configuration file, the value of the minimum version of Terraform to be allowed, has been changed to 1.0.0.

what

  • Updated to support and require AWS provider version 4 or later
  • Generate valid identifiers for replication resources when not providing null-label inputs
  • The input logging_bucket_enabled has been removed
  • The input logging was changed from an object type to a list of the same object type
  • The input enable_server_side_encryption has been removed (encryption cannot be disabled)
  • DynamoDB default billing mode changed from "provisioned" to "pay per request"
  • Bucket object ownership for the created S3 bucket now defaults to BucketOwnerEnforced
  • The default value for input terraform_version has changed to "1.0.0"
  • Add tags to created IAM Policy and Role for replication
  • Add output of replication role ARN

why

  • Version 4.0 introduced breaking changes (reverted in 4.9.0) that will be reintroduced in announced version 5.0 (no release date given). This update removes the use of deprecated features and is expected to work with version 5.0 when it is released.
  • See details under "Breaking Changes" above.

references

  • Supersedes and closes #125
  • Supersedes and closes #124
  • Obsoletes and closes #123
  • Obsoletes and closes #121
  • Supersedes and closes #119
  • Closes #118
  • Supersedes and closes #114
  • Supersedes and closes #113
  • Closes #111
  • Closes #109
  • Supersedes and closes #108
  • Supersedes and closes #107
  • Obsoletes and closes #106
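
A pre-apply check for the data-loss cases described under "Breaking Changes" above, as an added example that is not part of the release notes or the module: it reads the JSON produced by `terraform show -json <planfile>` and lists the S3 buckets and DynamoDB tables the plan would delete or replace. The module path `module.backend` and the resource names `default` and `replication` are constructed for illustration; only the two DynamoDB table resource names come from the notes.

```python
import json

# Resource types whose destruction loses state files, lock data or access logs.
PROTECTED_TYPES = {"aws_s3_bucket", "aws_dynamodb_table"}


def destructive_changes(plan_json: str) -> list[tuple[str, str]]:
    """Return (address, "delete" | "replace") for protected resources a plan would destroy."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in PROTECTED_TYPES:
            continue
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            # ["delete", "create"] or ["create", "delete"] is a replacement.
            kind = "replace" if "create" in actions else "delete"
            findings.append((rc["address"], kind))
    return findings


# Constructed sample of the "resource_changes" section of a plan made after
# upgrading the module without any state surgery (addresses are assumptions).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # Bucket whose generated name changed because of the new shortening method.
    {"address": "module.backend.aws_s3_bucket.default[0]",
     "type": "aws_s3_bucket", "change": {"actions": ["delete", "create"]}},
    # Table that was created with enable_server_side_encryption = false.
    {"address": "module.backend.aws_dynamodb_table.without_server_side_encryption[0]",
     "type": "aws_dynamodb_table", "change": {"actions": ["delete"]}},
    {"address": "module.backend.aws_dynamodb_table.with_server_side_encryption[0]",
     "type": "aws_dynamodb_table", "change": {"actions": ["create"]}},
    # Replication role rename: the notes say this change is safe, so it is not flagged.
    {"address": "module.backend.aws_iam_role.replication[0]",
     "type": "aws_iam_role", "change": {"actions": ["delete", "create"]}},
]})

if __name__ == "__main__":
    for address, kind in destructive_changes(SAMPLE_PLAN):
        print(f"BLOCK APPLY: {kind} of {address}")
```

An empty result after running `terraform state rm` or `terraform state mv`, or after setting `s3_bucket_name`, means the plan no longer destroys those resources.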

v0.39.0

17 Apr 01:09
0df67fb
Adding support for setting permissions boundary on IAM-role @jannyg (#117)

This is my first PR to Cloudposse projects. Thanks for all the good contributions and please let me know if there are any adjustments needed.

what

  • This will add support for setting a permission boundary for the IAM role
  • This is needed for master payer accounts through resellers that restrict access to the master payer account.
  • The value is optional

why

  • This is needed for master payer accounts through resellers that restrict access to the master payer account and require the permissions boundary to be set on all new IAM roles to restrict access to certain resources.

references

Do not auto-publish from release branches @Nuru (#127)

what

  • Do not auto-publish from release branches

why

  • When release-drafter auto-publishes, it sets the release as "latest", which is not what we want for updates to release branches.

Update workflows and other framework @Nuru (#126)

what

  • Update workflows and other framework to current versions

why

  • Add support for release branches

git.io->cloudposse.tools and test fixes @dylanbannon (#116)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

v0.38.1

22 Nov 02:43
3a7cc2e

🚀 Enhancements

Fix logic for optional dynamodb table @thiagoalmeidasa (#103)

Fixed some template logic and locals that didn't work out of the box with the optional DynamoDB table creation.

v0.38.0

06 Nov 04:34
9fa8fdc
Add support for a log bucket @johncblandii (#104)

what

  • Add support for access logs bucket

why

  • Consumers will not be required to create their own buckets anymore

references

N/A

v0.37.1

21 Oct 18:34
d7a1067

🚀 Enhancements

Removed unused dependency on hashicorp/template @joepjoosten (#102)

Fix for #101

v0.37.0

23 Aug 22:22
a8795cf
Dynamodb table name @nitrocode (#97)

what

  • Add dynamodb table name override

why

  • It's required to have a unique s3 bucket name but not a unique dynamodb table name so it doesn't make sense to force the dynamodb table to use the same name as the s3 bucket if that's undesired

references

v0.36.2

23 Aug 22:21
d084523

🚀 Enhancements

Fix: support `tenant` label by updating version of null-label module for `aws_dynamodb_table` @korenyoni (#99)

what

  • Bump null-label module for aws_dynamodb_table resource to 0.25.0 in order to support tenant label.

why

  • context.tf in this module supports tenant because its instantiation of null-label has been auto-updated to 0.25.0, but the instantiation of null-label module for the aws_dynamodb_table resource has not been updated.

references

v0.36.1

21 Aug 03:10
8f4013d

🤖 Automatic Updates

Update context.tf @cloudpossebot (#98)

what

This is an auto-generated PR that updates the context.tf file to the latest version from cloudposse/terraform-null-label

why

To support all the features of the context interface.

v0.36.0

18 Aug 17:07
a7657b3
Remove lifecycle args on dynamodb @nitrocode (#96)

what

  • Remove the lifecycle ignore changes for billing and read/write units

why

  • We're not using autoscaling so why ignore these arguments

references

v0.35.1

18 Aug 04:20
9688e5a

🚀 Enhancements

Upgrade dynamodb label to `0.24.1` @nitrocode (#93)

what

  • Upgrade dynamodb label to 0.24.1
    • Bumped context for dynamodb from 0.22.0 to 0.24.1 which forced us to re-arrange var.attributes and ["lock"] due to the change in 0.22.1

why

  • Latest version of context label

references