
Releases: cloudposse/terraform-aws-ssm-patch-manager

v1.0.2

29 Sep 08:14
cd35819
Use `t3.micro` for tests @goruha (#66)

what

  • Use `t3.micro` for tests

why

  • Cloudposse test infrastructure denied non-Nitro instances

references

🚀 Enhancements

fix: if `bucket_id` is given, do not create log bucket @AdamTylerLynch (#55)

what

Fixed a bug: properly evaluate whether a bucket was provided and, if so, do not create one.

why

references

Closes #44

🤖 Automatic Updates

Migrate new test account @osterman (#65)

what

  • Update `.github/settings.yml`
  • Update `.github/chatops.yml` files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#64)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#63)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#61)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update release workflow to allow pull-requests: write @osterman (#60)

what

  • Update workflow (`.github/workflows/release.yaml`) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#59)

what

  • Update workflows (`.github/workflows`) to use shared workflows from `.github` repo

why

  • Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#58)

what

  • Update workflows (`.github/workflows`) to add `issue: write` permission needed by ReviewDog `tflint` action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#57)

what

  • Update workflows (`.github/workflows/settings.yaml`)

why

  • Support new readme generation workflow.
  • Generate banners
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#56)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration
Add GitHub Settings @osterman (#52)

what

  • Install a repository config (`.github/settings.yaml`)

why

  • Programmatically manage GitHub repo settings
chore(deps): update terraform cloudposse/dynamic-subnets/aws to v2.4.2 @renovate (#47)

This PR contains the following updates:

Package: cloudposse/dynamic-subnets/aws (source) | Type: module | Update: patch | Change: 2.4.1 -> 2.4.2

Release Notes

cloudposse/terraform-aws-dynamic-subnets (cloudposse/dynamic-subnets/aws)

v2.4.2


🤖 Automatic Updates

chore(deps): update terraform cloudposse/utils/aws to v1.4.0 (main) @renovate (#191)

This PR contains the following updates:

Package: cloudposse/utils/aws (source) | Type: module | Update: minor | Change: 1.3.0 -> 1.4.0

Release Notes

cloudposse/terraform-aws-utils (cloudposse/utils/aws)

v1.4.0

Add il-central-1 region @jasonmk (#31)

what

Add new Tel Aviv (il-central-1) region

why

Provide full coverage

references

Sync github @max-lobur (#27)

Rebuild github dir from the template

Update README.md and docs @cloudpossebot (#189)
what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates


v1.0.1

11 Mar 08:13
23d1a1f
Add cloudwatch logging options for runCommand patch manager tasks @gpapakyriakopoulos (#48)

Based on AWS documentation [1], Run Command executions support logging directly to CloudWatch Logs instead of an S3 bucket.

To that end we introduce 3 extra module variables. The first 2 (`cloudwatch_log_output_enabled` and `cloudwatch_log_group_name`) configure whether CloudWatch logging is enabled and whether a custom CloudWatch log group name should be provided (if not, a default is created, see [2]). The 3rd variable (`s3_log_output_enabled`) is introduced to optionally disable supplying an S3 bucket for logging, since CloudWatch logging should be enough for some use cases.

[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up-cwlogs.html
[2] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_task#cloudwatch_log_group_name
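The wiring described in #48, as an added example: this is not the module's own code and not the diff of that PR, but a stand-alone configuration that maps the three inputs named above directly onto the `aws_ssm_maintenance_window_task` resource whose `cloudwatch_config` block the provider documentation cited as [2] describes, so the effect of each toggle on the API call is visible. The maintenance window schedule, the `tag:PatchGroup` target, the bucket name and the variable defaults are assumptions.

```hcl
# Added example; not the module's code. Schedule, target tag, bucket name
# and variable defaults are assumptions chosen for illustration.

variable "cloudwatch_log_output_enabled" {
  type        = bool
  description = "Send Run Command output to CloudWatch Logs."
  default     = true
}

variable "cloudwatch_log_group_name" {
  type        = string
  description = "Custom log group. null lets Systems Manager use its default group for the document (see [2] above)."
  default     = null
}

variable "s3_log_output_enabled" {
  type        = bool
  description = "Also write output to S3. Can stay off once CloudWatch output is on."
  default     = false
}

locals {
  log_bucket_id = "example-ssm-patch-logs" # assumed; only referenced when S3 output is on
}

resource "aws_ssm_maintenance_window" "install" {
  name     = "patch-install"
  schedule = "cron(0 3 ? * SUN *)" # assumed: Sundays 03:00 UTC
  duration = 3
  cutoff   = 1
}

resource "aws_ssm_maintenance_window_target" "install" {
  window_id     = aws_ssm_maintenance_window.install.id
  resource_type = "INSTANCE"

  targets {
    key    = "tag:PatchGroup"
    values = ["example"] # assumed tag value
  }
}

resource "aws_ssm_maintenance_window_task" "install" {
  window_id       = aws_ssm_maintenance_window.install.id
  task_type       = "RUN_COMMAND"
  task_arn        = "AWS-RunPatchBaseline"
  priority        = 1
  max_concurrency = "20%"
  max_errors      = "10%"

  targets {
    key    = "WindowTargetIds"
    values = [aws_ssm_maintenance_window_target.install.id]
  }

  task_invocation_parameters {
    run_command_parameters {
      # S3 output: either both attributes are set or neither is.
      output_s3_bucket     = var.s3_log_output_enabled ? local.log_bucket_id : null
      output_s3_key_prefix = var.s3_log_output_enabled ? "install" : null

      # CloudWatch output: the block is only emitted when enabled, so a
      # disabled setting leaves no cloudwatch_config in the API call at all.
      dynamic "cloudwatch_config" {
        for_each = var.cloudwatch_log_output_enabled ? [1] : []
        content {
          cloudwatch_output_enabled = true
          cloudwatch_log_group_name = var.cloudwatch_log_group_name
        }
      }

      parameter {
        name   = "Operation"
        values = ["Install"]
      }
    }
  }
}
```

Enabling CloudWatch output grants nothing by itself. The output is written by the SSM Agent running on the instance, so it is the instance profile, not the maintenance window's service role, that needs the CloudWatch Logs permissions the guide cited as [1] lists (creating the log group and stream, describing them, putting events); scope that statement to the one log group rather than `*`. With `s3_log_output_enabled = false` no bucket or bucket policy is required at all, which is the point of the third variable.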

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#49)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update Scaffolding @osterman (#50)

what

  • Reran make readme to rebuild README.md from README.yaml
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

v1.0.0

24 Feb 04:46
7e1f000

🚀 Enhancements

fix!: various issues / cleanup + adds approve_until_date support @Gowiem (#42)

what

  • Converts bucket_id variable to list(string)
  • Removes region variable
  • Cleans up some potential enabled = false issues in outputs.tf, which were dependent on resources existing
  • Fixes typo in scan logs bucket prefix
  • Adds s3_bucket_prefix_scan_logs variable
  • Adds approve_until_date support to patch_baseline_approval_rules variable

why

  • #41 shows that passing in a bucket_id results in a known issue: hashicorp/terraform#28962. We've seen this internally before and our suggested pattern is to switch to list(string) as the type and check the length.
    • (BREAKING CHANGE)
  • Features
    • Adds support for passing a custom prefix for scan logs.
    • Adds the ability to patch on a timeline via approve_until_date
  • General cleanup of issues that I saw for this module:
    • region variable not used, so needed to be removed (BREAKING CHANGE)
    • Bumps s3-module to latest
    • Typo
    • Updates example to an actual use-case where patching would occur
    • Removes an unnecessary label
    • Avoids issues with outputs not working in the case that a user passed enabled = false since outputs were dependent on resources being at position 0 via list access.

references

🤖 Automatic Updates

chore(deps): update terraform cloudposse/vpc/aws to v2.1.1 @renovate (#33)

This PR contains the following updates:

Package: cloudposse/vpc/aws (source) | Type: module | Update: patch | Change: 2.1.0 -> 2.1.1

Release Notes

cloudposse/terraform-aws-vpc (cloudposse/vpc/aws)

v2.1.1


Add support for network address usage metrics @lanzrein (#124)

what

This PR adds support for Network Address Usage Metrics on the VPC.
AWS documentation : https://docs.aws.amazon.com/vpc/latest/userguide/network-address-usage.html
Terraform documentation : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_network_address_usage_metrics

why

Network Address Usage metrics can help monitor the growth of a VPC and would be useful for any user.
Enabling this after creating a VPC does not trigger recreation of the VPC.

references

closes #115

Sync github @max-lobur (#120)

Rebuild github dir from the template

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#125)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates


v0.6.0

10 Nov 13:49
40282ae

🤖 Automatic Updates

chore(deps): update terraform cloudposse/s3-bucket/aws to v4 (main) - abandoned @renovate (#30)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: major | Change: 2.0.0 -> 4.0.0

Release Notes

cloudposse/terraform-aws-s3-bucket (cloudposse/s3-bucket/aws)

v4.0.0


Bug fixes and enhancements combined into a single breaking release @aknysh (#202)

Breaking Changes

Terraform version 1.3.0 or later is now required.

policy input removed

The deprecated policy input has been removed. Use source_policy_documents instead.

Convert from

policy = data.aws_iam_policy_document.log_delivery.json

to

source_policy_documents = [data.aws_iam_policy_document.log_delivery.json]

Do not use list modifiers like sort, compact, or distinct on the list, or it will trigger an Error: Invalid count argument. The length of the list must be known at plan time.

Logging configuration converted to list

To fix #182, the logging input has been converted to a list. If you have a logging configuration, simply surround it with brackets.

Replication rules brought into alignment with Terraform resource

Previously, the s3_replication_rules input had some deviations from the aws_s3_bucket_replication_configuration Terraform resource. Via the use of optional attributes, the input now closely matches the resource while providing backward compatibility, with a few exceptions.

  • Replication source_selection_criteria.sse_kms_encrypted_objects was documented as an object with one member, enabled, of type bool. However, it only worked when set to the string "Enabled". It has been replaced with the resource's choice of status of type String.
  • Previously, Replication Time Control could not be set directly. It was implicitly enabled by enabling Replication Metrics. We preserve that behavior even though we now add a configuration block for replication_time. To enable Metrics without Replication Time Control, you must set replication_time.status = "Disabled".

These are not changes, just continued deviations from the resources:

  • existing_object_replication cannot be set.
  • token to allow replication to be enabled on an Object Lock-enabled bucket cannot be set.

what

  • Remove local local.source_policy_documents and deprecated variable policy (because of that, bump the module to a major version)
  • Convert lifecycle_configuration_rules and s3_replication_rules from loosely typed objects to fully typed objects with optional attributes.
  • Use local bucket_id variable
  • Remove comments suppressing Bridgecrew rules
  • Update tests to Golang 1.20

why

  • The number of policy documents needs to be known at plan time. Default value of policy was empty, meaning it had to be removed based on content, which would not be known at plan time if the policy input was being generated.
  • Closes #167, supersedes and closes #163, and generally makes these inputs easier to deal with, since they now have type checking and partial defaults, meaning the inputs can be much smaller.
  • Incorporates and closes #197. Thank you @nikpivkin
  • Suppressing Bridgecrew rules Cloud Posse does not like should be done via external configuration so that users of this module can have the option of having those rules enforced.
  • Security and bug fixes

explanation

Any list manipulation functions should not be used in count since it can lead to the error:

│ Error: Invalid count argument

│   on ./modules/s3_bucket/main.tf line 462, in resource "aws_s3_bucket_policy" "default":
│  462:   count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(local.source_policy_documents) > 0) ? 1 : 0

│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the count depends on.

Using the local like this

source_policy_documents = var.policy != "" && var.policy != null ? concat([var.policy], var.source_policy_documents) : var.source_policy_documents

would not work either if var.policy depends on apply-time resources from other TF modules.

General rules:

  • When using for_each, the map keys have to be known at plan time (the map values are not required to be known at plan time)

  • When using count, the length of the list must be known at plan time; the items inside the list are not. That does not mean that the list must be static with the length known in advance: the list can be dynamic and come from a remote state or data sources, which Terraform evaluates first during plan; it just can't come from other resources (which are only known after apply)

  • When using count, no list-manipulating functions can be used in count - it will lead to the "The "count" value depends on resource attributes that cannot be determined until apply" error in some cases
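An added example, not code from the s3-bucket module or from the quoted PRs, that puts the three rules above into a minimal configuration. It uses the same `list(string)` plus `length()` pattern that #42 (v1.0.0, earlier on this page) adopted for `bucket_id` in response to hashicorp/terraform#28962, and keeps the `compact()` anti-pattern beside it, commented out, so the failing and working shapes can be compared. Resource names, the bucket name and the `policy_json` variable are assumptions.

```hcl
# Added example; not the module's own code. Resource names, the bucket name
# and the `policy_json` input are assumptions used only for illustration.

variable "bucket_id" {
  type        = list(string)
  description = "An existing log bucket wrapped in a one-element list, or [] to create one. The element may be an apply-time value; the list length cannot be."
  default     = []
}

variable "source_policy_documents" {
  type        = list(string)
  description = "JSON policy documents to merge into the bucket policy. Same rule: elements may be unknown at plan time, the length may not."
  default     = []
}

variable "policy_json" {
  type        = string
  description = "Legacy single-document input, empty string for none. Only used by the commented-out anti-pattern below."
  default     = ""
}

locals {
  # length() of a list variable is known at plan time even when its element
  # is an attribute of a resource that does not exist yet (for example an
  # output of another module), so it is safe inside count.
  create_bucket = length(var.bucket_id) == 0

  # one() turns a zero-or-one-element list into the element or null, which
  # avoids indexing [0] on a list that may be empty.
  log_bucket_id = local.create_bucket ? one(aws_s3_bucket.log[*].id) : one(var.bucket_id)
}

resource "aws_s3_bucket" "log" {
  count  = local.create_bucket ? 1 : 0
  bucket = "example-ssm-patch-logs" # assumed name
}

data "aws_iam_policy_document" "combined" {
  count                   = length(var.source_policy_documents) > 0 ? 1 : 0
  source_policy_documents = var.source_policy_documents
}

# Works: count depends only on the length of an input list, which Terraform
# knows during plan regardless of what the elements resolve to.
resource "aws_s3_bucket_policy" "log" {
  count  = length(var.source_policy_documents) > 0 ? 1 : 0
  bucket = local.log_bucket_id
  policy = data.aws_iam_policy_document.combined[0].json
}

# for_each: only the map *keys* must be known at plan time. The keys here are
# static prefixes; the values reference the bucket, which may not exist yet.
resource "aws_s3_object" "prefix" {
  for_each = { for p in ["install/", "scan/"] : p => local.log_bucket_id }
  bucket   = each.value
  key      = each.key
  content  = ""
}

# Anti-pattern the notes above warn about: compact() drops empty strings, so
# the length of its result depends on the *value* of var.policy_json. When
# that value comes from a resource in another module it is unknown until
# apply, and `terraform plan` fails with "Invalid count argument". Left
# commented out so this file plans cleanly.
#
# resource "aws_s3_bucket_policy" "legacy" {
#   count  = length(compact([var.policy_json])) > 0 ? 1 : 0
#   bucket = local.log_bucket_id
#   policy = var.policy_json
# }
```

The check that matters is where the unknown value sits: in the working resource it is inside the list elements, which count never inspects; in the anti-pattern it decides whether an element survives `compact()`, so it decides the length itself. The same reasoning is why passing a module output as `bucket_id = [module.other.bucket_id]` plans cleanly while a nullable string `bucket_id` tested with `!= null` did not.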

v3.1.3


Unfortunately, this change makes count unknown at plan time in certain situations. In general, you cannot use the output of compact() in count.

The solution is to stop using the deprecated policy input and revert to 3.1.2 or upgrade to 4.0.

🚀 Enhancements

Fix `source_policy_documents` combined with `var.policy` being ignored @johncblandii (#201)

what

  • Changed var.source_policy_documents to local.source_policy_documents so var.policy usage was still supported

why

  • The ternary check uses var.source_policy_documents, so var.policy being combined with var.source_policy_documents into local.source_policy_documents does not provide true for the ternary to execute

references

v3.1.2: Fix Public Bucket Creation


Full Changelog: cloudposse/terraform-aws-s3-bucket@3.1.1...3.1.2

v3.1.1


🐛 Bug Fixes

Revert change to Transfer Acceleration from #178 @Nuru (#180)

what

  • Revert change to Transfer Acceleration from #178

why

  • Transfer Acceleration is not available in every region, and the change in #178 (meant to detect and correct drift) does not work (throws API errors) in regions where Transfer Acceleration is not supported

v3.1.0: Support new AWS S3 defaults (ACL prohibited)


Note: this version introduced drift detection and correction for Transfer Acceleration. Unfortunately, that change prevents deployment of buckets in r...


v0.5.0

10 Nov 13:30
0c20bf9
Support AWS Provider V5 @max-lobur (#28)

what

Support AWS Provider V5
Linter fixes

why

Maintenance

references

https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0

Sync github @max-lobur (#25)

Rebuild github dir from the template

v0.4.0

17 May 09:05
627eeb6
  • No changes

v0.3.3

13 Dec 16:27
627eeb6

🚀 Enhancements

update(ssm_log_bucket): use source_policy_documents @mikedizon (#22)

what

  • using source_policy_documents for bucket policy

why

  • bucket was created, but no policy was applied

references

  • closes #21

v0.3.2

13 Aug 23:04
a563679
git.io->cloudposse.tools update @dylanbannon (#13)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

🚀 Enhancements

Remove unused providers @nitrocode (#17)

what

  • Remove unused providers

why

  • ARM support

references

N/A

v0.3.1

21 Apr 00:53
4991191

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v2 @renovate (#12)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: major | Change: 0.49.0 -> 2.0.0

Release Notes

cloudposse/terraform-aws-s3-bucket

v2.0.0


Version 2.0 of terraform-aws-s3-bucket is the same as v0.49.0 except for the addition of 2 small bug fixes (see #147). It is labeled v2.0 as part of Cloud Posse's transition to production Semantic Versioning conventions, and to indicate significant changes as compared to v1.0 (essentially version 0.47.1). There are some quirks to be aware of:

  • NO ACTION IS NEEDED to upgrade directly from v0.49.0 to v2.0.0
  • Version 1.0 derives from and is compatible with version 0.47.1. Follow the upgrade instructions if upgrading from one of these versions.
  • Version 0.48.0 was an interim release that is not recommended for anyone to use. It has incompatibilities with every other version. If you are on v0.48.0, you can upgrade directly to v2.0.0 and if Terraform gives you no complaints, then you are good to go. See the release notes for v0.48.0 and v0.49.0 for information about how to fix any breakage.
Bug fixes @Nuru (#147)

what && why

  • Require AWS provider v4.9.0 or later, resolves #137
  • Properly consider `source_policy_documents` input, fixes #145

v1.0.0


Version 1.0.0 is part of Cloud Posse's conversion to production Semantic Versioning, part of Cloud Posse's general policy to convert to production versioning as we make updates to relatively mature modules, especially those where we see breaking changes coming in the near future. In the case of this module, the breaking changes have already been released as v2.0.0. This is a quirk due to not previously using production Semantic Versioning.

TAKE NOTE:

  • Despite the 1.0 version designation, it is actually not compatible with the latest previous release (v0.49.0) or the current recommended release (v2.0.0). Because of that, this version is only recommended for people currently using v0.47.1 or earlier.
  • This release is the same as v0.47.1 except for additional version pinning allowing it to work with AWS provider v4.
  • No maintenance is planned for v1. With the release of AWS provider v4.9.0, the upgrade to v2.0 of this module requires no manual intervention as long as you meet the prerequisites (AWS provider v4.9.0 or later, Terraform v1.0.0 or later). So we recommend upgrading to v2.0 to get any bug fixes or new features.

v0.3.0 (Action needed) Migrate to AWS provider v4.x

28 Mar 16:27
9f718ff

In order to support AWS provider v4.x, this module has upgraded its use of the s3-bucket module from v0.38.0 to v0.49.0. Please see the S3 bucket migration documentation for guidance about how to upgrade this module.

Upgrade to support AWS provider v4 @woz5999 (#11)

what

  • Upgrade to support AWS provider v4
  • Upgrade to latest s3 bucket module

why

  • This module is currently unusable in projects using AWS provider v4

references

  • closes #3