Releases: cloudposse/terraform-aws-ssm-patch-manager
v1.0.2
Use `t3.micro` for tests @goruha (#66)
## what * Use `t3.micro` for testsWhy
- Cloudposse test infrastructure denied
Non Nitro
instances
References
🚀 Enhancements
fix: if `bucket_id` is given, do not create log bucket @AdamTylerLynch (#55)
## whatFixed a bug. Properly evaluate if bucket provided, do not create bucket
why
references
Closes #44
🐛 Bug Fixes
fix: if `bucket_id` is given, do not create log bucket @AdamTylerLynch (#55)
## whatFixed a bug. Properly evaluate if bucket provided, do not create bucket
why
references
Closes #44
🤖 Automatic Updates
Migrate new test account @osterman (#65)
## what - Update `.github/settings.yml` - Update `.github/chatops.yml` fileswhy
- Re-apply
.github/settings.yml
from org level to getterratest
environment - Migrate to new
test
account
References
- DEV-388 Automate clean up of test account in new organization
- DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
- DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#64)
## what - Update `.github/settings.yml` - Drop `.github/auto-release.yml` fileswhy
- Re-apply
.github/settings.yml
from org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#63)
## what - Update `.github/settings.yml` - Drop `.github/auto-release.yml` fileswhy
- Re-apply
.github/settings.yml
from org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#61)
## what - Update `.github/settings.yml` - Drop `.github/auto-release.yml` fileswhy
- Re-apply
.github/settings.yml
from org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update release workflow to allow pull-requests: write @osterman (#60)
## what - Update workflow (`.github/workflows/release.yaml`) to have permission to comment on PRwhy
- So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#59)
## what - Update workflows (`.github/workflows`) to use shared workflows from `.github` repowhy
- Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#58)
## what - Update workflows (`.github/workflows`) to add `issue: write` permission needed by ReviewDog `tflint` actionwhy
- The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#57)
## what - Update workflows (`.github/workflows/settings.yaml`)why
- Support new readme generation workflow.
- Generate banners
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#56)
## what- Install latest GitHub Action Workflows
why
- Use shared workflows from
cldouposse/.github
repository - Simplify management of workflows from centralized hub of configuration
Add GitHub Settings @osterman (#52)
## what - Install a repository config (`.github/settings.yaml`)why
- Programmatically manage GitHub repo settings
chore(deps): update terraform cloudposse/dynamic-subnets/aws to v2.4.2 @renovate (#47)
This PR contains the following updates:Package | Type | Update | Change |
---|---|---|---|
cloudposse/dynamic-subnets/aws (source) | module | patch | 2.4.1 -> 2.4.2 |
Release Notes
cloudposse/terraform-aws-dynamic-subnets (cloudposse/dynamic-subnets/aws)
v2.4.2
🚀 Enhancements
chore(deps): update terraform cloudposse/utils/aws to v1.4.0 (main) @renovate (#191)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/utils/aws (source) | module | minor | 1.3.0 -> 1.4.0 |
Release Notes
cloudposse/terraform-aws-utils (cloudposse/utils/aws)
v1.4.0
Add il-central-1 region @​jasonmk (#​31)
what
Add new Tel Aviv (il-central-1) region
why
Provide full coverage
references
Sync github @​max-lobur (#​27)
Rebuild github dir from the template
🤖 Automatic Updates
chore(deps): update terraform cloudposse/utils/aws to v1.4.0 (main) @renovate (#191)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/utils/aws (source) | module | minor | 1.3.0 -> 1.4.0 |
Release Notes
cloudposse/terraform-aws-utils (cloudposse/utils/aws)
v1.4.0
Add il-central-1 region @​jasonmk (#​31)
what
Add new Tel Aviv (il-central-1) region
why
Provide full coverage
references
Sync github @​max-lobur (#​27)
Rebuild github dir from the template
Update README.md and docs @cloudpossebot (#189)
what
This is an auto-generated PR that updates the README.md and docs
why
To have most recent changes of README.md and doc from origin templates
v1.0.1
Add cloudwatch logging options for runCommand patch manager tasks @gpapakyriakopoulos (#48)
Based on AWS documentation [1] runCommand executions support directly logging to cloudwatch instead of an S3 bucket.
To that end we introduce 3 extra module variables, the first 2 (cloudwatch_log_output_enabled
& cloudwatch_log_group_name
) to configure whether cloudwatch logging is enabled and whether a custom cloudwatch log group name should be provided (if not a default is created, see [2]). The 3rd variable (s3_log_output_enabled
) is introduced to optionally disable supplying an S3 bucket for logging, since cloudwatch logging should be enough for some use cases.
[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-rc-setting-up-cwlogs.html
[2] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_maintenance_window_task#cloudwatch_log_group_name
🤖 Automatic Updates
Update README.md and docs @cloudpossebot (#49)
what
This is an auto-generated PR that updates the README.md and docs
why
To have most recent changes of README.md and doc from origin templates
v1.0.0
🚀 Enhancements
fix!: various issues / cleanup + adds approve_until_date support @Gowiem (#42)
what
- Converts
bucket_id
variable tolist(string)
- Removes
region
variable - Cleans up some potential
enabled = false
issues inoutputs.tf
they were dependent on resources existing - Fixes typo in scan logs bucket prefix
- Adds
s3_bucket_prefix_scan_logs
variable - Adds
approve_until_date
support topatch_baseline_approval_rules
variable
why
- #41 shows that passing in a
bucket_id
results in a known issue: hashicorp/terraform#28962. We've seen this internally before and our suggested pattern is to switch tolist(string)
as the type and check thelength
.- (BREAKING CHANGE)
- Features
- Adds support for passing a custom prefix for scan logs.
- Adds support the ability to patch on a timeline via
approve_until_date
- General cleanup of issues that I saw for this module:
- region variable not used, so needed to be removed (BREAKING CHANGE)
- Bumps s3-module to latest
- Typo
- Updates example to an actual use-case where patching would occur
- Removes an unnecessary label
- Avoids issues with outputs not working in the case that a user passed
enabled = false
since outputs were dependent on resources being at position 0 via list access.
references
🐛 Bug Fixes
fix!: various issues / cleanup + adds approve_until_date support @Gowiem (#42)
what
- Converts
bucket_id
variable tolist(string)
- Removes
region
variable - Cleans up some potential
enabled = false
issues inoutputs.tf
they were dependent on resources existing - Fixes typo in scan logs bucket prefix
- Adds
s3_bucket_prefix_scan_logs
variable - Adds
approve_until_date
support topatch_baseline_approval_rules
variable
why
- #41 shows that passing in a
bucket_id
results in a known issue: hashicorp/terraform#28962. We've seen this internally before and our suggested pattern is to switch tolist(string)
as the type and check thelength
.- (BREAKING CHANGE)
- Features
- Adds support for passing a custom prefix for scan logs.
- Adds support the ability to patch on a timeline via
approve_until_date
- General cleanup of issues that I saw for this module:
- region variable not used, so needed to be removed (BREAKING CHANGE)
- Bumps s3-module to latest
- Typo
- Updates example to an actual use-case where patching would occur
- Removes an unnecessary label
- Avoids issues with outputs not working in the case that a user passed
enabled = false
since outputs were dependent on resources being at position 0 via list access.
references
🤖 Automatic Updates
chore(deps): update terraform cloudposse/vpc/aws to v2.1.1 @renovate (#33)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/vpc/aws (source) | module | patch | 2.1.0 -> 2.1.1 |
Release Notes
cloudposse/terraform-aws-vpc (cloudposse/vpc/aws)
v2.1.1
Add support for network address usage metrics @lanzrein (#124)
what
This PR adds support for Network Address Usage Metrics on the VPC.
AWS documentation : https://docs.aws.amazon.com/vpc/latest/userguide/network-address-usage.html
Terraform documentation : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_network_address_usage_metrics
why
Network Address Usage metrics can help monitor the growth of a VPC and would be useful for any user.
Enable this after creating a VPC does not trigger recreation of the VPC.
references
closes #115
Sync github @max-lobur (#120)
Rebuild github dir from the template
🤖 Automatic Updates
Update README.md and docs @cloudpossebot (#125)
what
This is an auto-generated PR that updates the README.md and docs
why
To have most recent changes of README.md and doc from origin templates
v0.6.0
🤖 Automatic Updates
chore(deps): update terraform cloudposse/s3-bucket/aws to v4 (main) - abandoned @renovate (#30)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | major | 2.0.0 -> 4.0.0 |
Release Notes
cloudposse/terraform-aws-s3-bucket (cloudposse/s3-bucket/aws)
v4.0.0
Bug fixes and enhancements combined into a single breaking release @aknysh (#202)
Breaking Changes
Terraform version 1.3.0 or later is now required.
policy
input removed
The deprecated policy
input has been removed. Use source_policy_documents
instead.
Convert from
policy = data.aws_iam_policy_document.log_delivery.json
to
source_policy_documents = [data.aws_iam_policy_document.log_delivery.json]
Do not use list modifiers like sort
, compact
, or distinct
on the list, or it will trigger an Error: Invalid count argument
. The length of the list must be known at plan time.
Logging configuration converted to list
To fix #182, the logging
input has been converted to a list. If you have a logging configuration, simply surround it with brackets.
Replication rules brought into alignment with Terraform resource
Previously, the s3_replication_rules
input had some deviations from the aws_s3_bucket_replication_configuration Terraform resource. Via the use of optional attributes, the input now closely matches the resource while providing backward compatibility, with a few exceptions.
- Replication
source_selection_criteria.sse_kms_encrypted_objects
was documented as an object with one member,enabled
, of typebool
. However, it only worked when set to thestring
"Enabled". It has been replaced with the resource's choice ofstatus
of type String. - Previously, Replication Time Control could not be set directly. It was implicitly enabled by enabling Replication Metrics. We preserve that behavior even though we now add a configuration block for
replication_time
. To enable Metrics without Replication Time Control, you must setreplication_time.status = "Disabled"
.
These are not changes, just continued deviations from the resources:
existing_object_replication
cannot be set.token
to allow replication to be enabled on an Object Lock-enabled bucket cannot be set.
what
- Remove local
local.source_policy_documents
and deprecated variablepolicy
(because of that, pump the module to a major version) - Convert
lifecycle_configuration_rules
ands3_replication_rules
from loosely typed objects to fully typed objects with optional attributes. - Use local
bucket_id
variable - Remove comments suppressing Bridgecrew rules
- Update tests to Golang 1.20
why
- The number of policy documents needs to be known at plan time. Default value of
policy
was empty, meaning it had to be removed based on content, which would not be known at plan time if thepolicy
input was being generated. - Closes #167, supersedes and closes #163, and generally makes these inputs easier to deal with, since they now have type checking and partial defaults, meaning the inputs can be much smaller.
- Incorporates and closes #197. Thank you @nikpivkin
- Suppressing Bridgecrew rules Cloud Posse does not like should be done via external configuration so that users of this module can have the option of having those rules enforced.
- Security and bug fixes
explanation
Any list manipulation functions should not be used in count
since it can lead to the error:
│ Error: Invalid count argument
│
│ on ./modules/s3_bucket/main.tf line 462, in resource "aws_s3_bucket_policy" "default":
│ 462: count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(local.source_policy_documents) > 0) ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to
│ first apply only the resources that the count depends on.
Using the local like this
source_policy_documents = var.policy != "" && var.policy != null ? concat([var.policy], var.source_policy_documents) : var.source_policy_documents
would not work either if var.policy
depends on apply-time resources from other TF modules.
General rules:
-
When using
for_each
, the map keys have to be known at plan time (the map values are not required to be know at plan time) -
When using
count
, the length of the list must be know at plan time, the items inside the list are not. That does not mean that the list must be static with the length known in advance, the list can be dynamic and come from a remote state or data sources which Terraform evaluates first during plan, it just can’t come from other resources (which are only known after apply) -
When using
count
, no list manipulating functions can be used incount
- it will lead to theThe "count" value depends on resource attributes that cannot be determined until apply
error in some cases
v3.1.3
Unfortunately, this change makes count
unknown at plan time in certain situations. In general, you cannot use the output of compact()
in count
.
The solution is to stop using the deprecated policy
input and revert to 3.1.2 or upgrade to 4.0.
🚀 Enhancements
Fix `source_policy_documents` combined with `var.policy` being ignored @johncblandii (#201)
what
- Changed
var.source_policy_documents
tolocal.source_policy_documents
sovar.policy
usage was still supported
why
- The ternary check uses
var,source_policy_documents
sovar.policy
being combined withvar.source_policy_documents
intolocal.source_policy_documents
does not providetrue
for the ternary to execute
references
v3.1.2
: Fix Public Bucket Creation
What's Changed
- Remove reference to TF_DATA_DIR retained by mistake in #40 by @Nuru in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/181
- Sync .github by @max-lobur in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/183
- Fix linters / Retest on AWS provider V5 by @max-lobur in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/188
- Fix Public Bucket Creation by @rankin-tr in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/194
New Contributors
- @rankin-tr made their first contribution in https://github.com/cloudposse/terraform-aws-s3-bucket/pull/194
Full Changelog: cloudposse/terraform-aws-s3-bucket@3.1.1...3.1.2
v3.1.1
🐛 Bug Fixes
Revert change to Transfer Acceleration from #178 @Nuru (#180)
what
- Revert change to Transfer Acceleration from #178
why
- Transfer Acceleration is not available in every region, and the change in #178 (meant to detect and correct drift) does not work (throws API errors) in regions where Transfer Acceleration is not supported
v3.1.0
: Support new AWS S3 defaults (ACL prohibited)
Note: this version introduced drift detection and correction for Transfer Acceleration. Unfortunately, that change prevents deployment of buckets in r...
v0.5.0
Support AWS Provider V5 @max-lobur (#28)
what
Support AWS Provider V5
Linter fixes
why
Maintenance
references
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0
Sync github @max-lobur (#25)
Rebuild github dir from the template
v0.4.0
- No changes
v0.3.3
🚀 Enhancements
update(ssm_log_bucket): use source_policy_documents @mikedizon (#22)
what
- using
source_policy_documents
for bucket policy
why
- bucket was created, but no policy was applied
references
- Use
closes #21
#21
v0.3.2
git.io->cloudposse.tools update @dylanbannon (#13)
what and why
Change all references to git.io/build-harness
into cloudposse.tools/build-harness
, since git.io
redirects will stop working on April 29th, 2022.
References
- DEV-143
🚀 Enhancements
Remove unused providers @nitrocode (#17)
what
- Remove unused providers
why
- arm support
references
N/A
v0.3.1
🤖 Automatic Updates
Update Terraform cloudposse/s3-bucket/aws to v2 @renovate (#12)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | major | 0.49.0 -> 2.0.0 |
Release Notes
cloudposse/terraform-aws-s3-bucket
v2.0.0
Version 2.0 of terraform-aws-s3-bucket is the same as v0.49.0 except for the addition of 2 small bug fixes (see #147). It is labeled v2.0 as part of Cloud Posse's transition to production Semantic Versioning conventions, and to indicate significant changes as compared to v1.0 (essentially version 0.47.1). There are some quirks to be aware of:
- NO ACTION IS NEEDED to upgrade directly from v0.49.0 to v2.0.0
- Version 1.0 derives from and is compatible with version 0.47.1. Follow the upgrade instructions if upgrading from one of these versions.
- Version 0.48.0 was an interim release that is not recommended for anyone to use. It has incompatibilities with every other version. If you are on v0.48.0, you can upgrade directly to v2.0.0 and if Terraform gives you no complaints, then you are good to go. See the release notes for v0.48.0 and v0.49.0 for information about how to fix any breakage.
Bug fixes @Nuru (#147)
##### what && why - Require AWS provider v4.9.0 or later, resolves #137 - Properly consider `source_policy_documents` input, fixes #145v1.0.0
Version 1.0.0 is part of Cloud Posse's conversion to production Semantic Versioning, part of Cloud Posse's general policy to convert to production versioning as we make updates to relatively mature modules, especially those where we see breaking changes coming in the near future. In the case of this module, the breaking changes have already been released as v2.0.0. This is a quirk due to not previously using production Semantic Versioning.
TAKE NOTE:
- Despite the 1.0 version designation, it is actually not compatible with the latest previous release (v0.49.0) or the current recommended release (v2.0.0). Because of that, this version is only recommended for people currently using v0.47.1 or earlier.
- This release is the same as v0.47.1 except for additional version pinning allowing it to work with AWS provider v4.
- No maintenance is planned for v1. With the release of AWS provider v4.9.0, the upgrade to v2.0 of this module requires no manual intervention as long as you meet the prerequisites (AWS provider v4.9.0 or later, Terraform v1.0.0 or later). So we recommend upgrading to v2.0 to get any bug fixes or new features.
v0.3.0 (Action needed) Migrate to AWS provider v4.x
In order to support AWS provider v4.x, this module has upgraded its use of the s3-bucket
module from v0.38.0 to v0.49.0. Please see the S3 bucket migration documentation for guidance about how to upgrade this module.