Terraform aws provider v5 fixes for terraform modules (#15159)

2024-11-06 00:45:19 +00:00 · 2023-11-15 23:50:38 -06:00 · 2023-11-15 23:50:38 -06:00 · 7b1ea9cdf1
commit 7b1ea9cdf1
parent 7ae2a659cb
10 changed files with 42 additions and 42 deletions
--- a/terraform/README.md
+++ b/terraform/README.md
--- a/terraform/addons/logging-alb/README.md
+++ b/terraform/addons/logging-alb/README.md
@ -52,14 +52,14 @@ No requirements.

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_athena-s3-bucket"></a> [athena-s3-bucket](#module\_athena-s3-bucket) | terraform-aws-modules/s3-bucket/aws | 3.11.0 |
-| <a name="module_s3_bucket_for_logs"></a> [s3\_bucket\_for\_logs](#module\_s3\_bucket\_for\_logs) | terraform-aws-modules/s3-bucket/aws | 3.11.0 |
+| <a name="module_athena-s3-bucket"></a> [athena-s3-bucket](#module\_athena-s3-bucket) | terraform-aws-modules/s3-bucket/aws | 3.15.1 |
+| <a name="module_s3_bucket_for_logs"></a> [s3\_bucket\_for\_logs](#module\_s3\_bucket\_for\_logs) | terraform-aws-modules/s3-bucket/aws | 3.15.1 |

 ## Resources

--- a/terraform/addons/logging-alb/main.tf
+++ b/terraform/addons/logging-alb/main.tf
@ -126,7 +126,7 @@ resource "aws_kms_alias" "logs_alias" {

 module "s3_bucket_for_logs" {
  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.11.0"
+  version = "3.15.1"

  bucket = "${var.prefix}-alb-logs"

@ -146,6 +146,9 @@ module "s3_bucket_for_logs" {
  server_side_encryption_configuration = {
    rule = {
      bucket_key_enabled = true
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
    }
  }
  lifecycle_rule = [
@ -161,7 +164,8 @@ module "s3_bucket_for_logs" {
      ]
      expiration = {
        days                         = var.s3_expiration_days
-        expired_object_delete_marker = true
+        # Always resets to false anyhow showing terraform changes constantly
+        expired_object_delete_marker = false
      }
      noncurrent_version_expiration = {
        newer_noncurrent_versions = var.s3_newer_noncurrent_versions
@ -180,7 +184,7 @@ resource "aws_athena_database" "logs" {
 module "athena-s3-bucket" {
  count   = var.enable_athena == true ? 1 : 0
  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.11.0"
+  version = "3.15.1"

  bucket = "${var.prefix}-alb-logs-athena"

@ -218,7 +222,8 @@ module "athena-s3-bucket" {
      ]
      expiration = {
        days                         = var.s3_expiration_days
-        expired_object_delete_marker = true
+        # Always resets to false anyhow showing terraform changes constantly
+        expired_object_delete_marker = false
      }
      noncurrent_version_expiration = {
        newer_noncurrent_versions = var.s3_newer_noncurrent_versions
--- a/terraform/addons/logging-destination-firehose/README.md
+++ b/terraform/addons/logging-destination-firehose/README.md
@ -9,7 +9,7 @@ No requirements.

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.49.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |

 ## Modules

@ -19,6 +19,7 @@ No modules.

 | Name | Type |
 |------|------|
+| [aws_iam_policy.firehose-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.firehose-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.firehose-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@ -29,14 +30,13 @@ No modules.
 | [aws_kinesis_firehose_delivery_stream.osquery_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
 | [aws_s3_bucket.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_lifecycle_configuration.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_public_access_block.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.osquery-results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.osquery-status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_iam_policy_document.firehose-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_firehose_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_results_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.osquery_status_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@ -46,11 +46,12 @@ No modules.

 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_osquery_results_s3_bucket"></a> [osquery\_results\_s3\_bucket](#input\_osquery\_results\_s3\_bucket) | n/a | `string` | `"fleet-osquery-results-archive"` | no |
-| <a name="input_osquery_status_s3_bucket"></a> [osquery\_status\_s3\_bucket](#input\_osquery\_status\_s3\_bucket) | n/a | `string` | `"fleet-osquery-status-archive"` | no |
+| <a name="input_osquery_results_s3_bucket"></a> [osquery\_results\_s3\_bucket](#input\_osquery\_results\_s3\_bucket) | n/a | <pre>object({<br>    name         = optional(string, "fleet-osquery-results-archive")<br>    expires_days = optional(number, 1)<br>  })</pre> | <pre>{<br>  "expires_days": 1,<br>  "name": "fleet-osquery-results-archive"<br>}</pre> | no |
+| <a name="input_osquery_status_s3_bucket"></a> [osquery\_status\_s3\_bucket](#input\_osquery\_status\_s3\_bucket) | n/a | <pre>object({<br>    name         = optional(string, "fleet-osquery-status-archive")<br>    expires_days = optional(number, 1)<br>  })</pre> | <pre>{<br>  "expires_days": 1,<br>  "name": "fleet-osquery-status-archive"<br>}</pre> | no |

 ## Outputs

 | Name | Description |
 |------|-------------|
-| <a name="output_fleet-extra-env-variables"></a> [fleet-extra-env-variables](#output\_fleet-extra-env-variables) | n/a |
+| <a name="output_fleet_extra_environment_variables"></a> [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
+| <a name="output_fleet_extra_iam_policies"></a> [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
--- a/terraform/addons/logging-destination-firehose/main.tf
+++ b/terraform/addons/logging-destination-firehose/main.tf
@ -11,11 +11,6 @@ resource "aws_s3_bucket" "osquery-results" { #tfsec:ignore:aws-s3-encryption-cus
  bucket = var.osquery_results_s3_bucket.name
 }

-resource "aws_s3_bucket_acl" "osquery-results" {
-  bucket = aws_s3_bucket.osquery-results.bucket
-  acl    = "private"
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "osquery-results" {
  bucket = aws_s3_bucket.osquery-results.bucket
  rule {
@ -54,11 +49,6 @@ resource "aws_s3_bucket" "osquery-status" { #tfsec:ignore:aws-s3-encryption-cust
  bucket = var.osquery_status_s3_bucket.name
 }

-resource "aws_s3_bucket_acl" "osquery-status" {
-  bucket = aws_s3_bucket.osquery-status.bucket
-  acl    = "private"
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "osquery-status" {
  bucket = aws_s3_bucket.osquery-status.bucket
  rule {
@ -158,9 +148,9 @@ data "aws_iam_policy_document" "osquery_firehose_assume_role" {

 resource "aws_kinesis_firehose_delivery_stream" "osquery_results" {
  name        = var.osquery_results_s3_bucket.name
-  destination = "s3"
+  destination = "extended_s3"

-  s3_configuration {
+  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose-results.arn
    bucket_arn = aws_s3_bucket.osquery-results.arn
  }
@ -168,9 +158,9 @@ resource "aws_kinesis_firehose_delivery_stream" "osquery_results" {

 resource "aws_kinesis_firehose_delivery_stream" "osquery_status" {
  name        = var.osquery_status_s3_bucket.name
-  destination = "s3"
+  destination = "extended_s3"

-  s3_configuration {
+  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose-status.arn
    bucket_arn = aws_s3_bucket.osquery-status.arn
  }
--- a/terraform/byo-vpc/.terraform.lock.hcl
+++ b/terraform/byo-vpc/.terraform.lock.hcl
@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.23.1"
  constraints = ">= 2.67.0, >= 3.0.0, >= 4.6.0, >= 4.18.0, >= 4.27.0, >= 4.30.0"
  hashes = [
+    "h1:keD9rGwuFbn70D1npMx486xFsSP/TtyNa6E0AgVJY1U=",
    "h1:s23thJVPJHUdS7ESZHoeMkxNcTeaqWvg2usv8ylFVL4=",
    "zh:024a188ad3c979a9ec0d7d898aaa90a3867a8839edc8d3543ea6155e6e010064",
    "zh:05b73a04c58534a7527718ef55040577d5c573ea704e16a813e7d1b18a7f4c26",
@ -28,6 +29,7 @@ provider "registry.terraform.io/hashicorp/random" {
  version     = "3.5.1"
  constraints = ">= 2.2.0"
  hashes = [
+    "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
    "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
--- a/terraform/byo-vpc/README.md
+++ b/terraform/byo-vpc/README.md
--- a/terraform/byo-vpc/example/main.tf
+++ b/terraform/byo-vpc/example/main.tf
@ -3,7 +3,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
    }
  }
 }
@ -18,6 +18,7 @@ provider "aws" {

 locals {
  fleet_image = "fleetdm/fleet:v4.40.0"
+  domain_name = "example.com"
 }

 resource "random_pet" "main" {}
@ -26,7 +27,7 @@ module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "4.3.1"

-  domain_name = "${random_pet.main.id}.example.com"
+  domain_name = "${random_pet.main.id}.${local.domain_name}"
  zone_id     = data.aws_route53_zone.main.id

  wait_for_validation = true
@ -34,7 +35,7 @@ module "acm" {

 resource "aws_route53_record" "main" {
  zone_id = data.aws_route53_zone.main.id
-  name    = "${random_pet.main.id}.example.com"
+  name    = "${random_pet.main.id}.${local.domain_name}"
  type    = "A"

  alias {
@ -45,12 +46,12 @@ resource "aws_route53_record" "main" {
 }

 data "aws_route53_zone" "main" {
-  name         = "example.com."
+  name         = "${local.domain_name}."
  private_zone = false
 }

 module "firehose-logging" {
-  source = "github.com/fleetdm/fleet//terraform/addons/logging-destination-firehose?ref=tf-mod-addon-logging-destination-firehose-v1.0.0"
+  source = "github.com/fleetdm/fleet//terraform/addons/logging-destination-firehose?ref=tf-mod-addon-logging-destination-firehose-v1.1.0"
  osquery_results_s3_bucket = {
    name = "${random_pet.main.id}-results"
  }
@ -61,7 +62,7 @@ module "firehose-logging" {

 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "3.18.1"
+  version = "5.1.2"

  name = random_pet.main.id
  cidr = "10.10.0.0/16"
@ -91,7 +92,7 @@ module "vpc" {
 }

 module "byo-vpc" {
-  source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.4.0"
+  source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=tf-mod-byo-vpc-v1.7.0"
  vpc_config = {
    vpc_id = module.vpc.vpc_id
    networking = {
@ -104,10 +105,11 @@ module "byo-vpc" {
    subnets        = module.vpc.database_subnets
  }
  redis_config = {
-    instance_size = "cache.m6g.large"
-    subnets       = module.vpc.elasticache_subnets
+    instance_size                 = "cache.m6g.large"
+    subnets                       = module.vpc.elasticache_subnets
    elasticache_subnet_group_name = module.vpc.elasticache_subnet_group_name
    availability_zones            = module.vpc.azs
+    allowed_cidrs                 = module.vpc.private_subnets_cidr_blocks
  }
  alb_config = {
    subnets         = module.vpc.public_subnets
--- a/terraform/byo-vpc/main.tf
+++ b/terraform/byo-vpc/main.tf
@ -72,7 +72,7 @@ data "aws_subnet" "redis" {

 module "redis" {
  source  = "cloudposse/elasticache-redis/aws"
-  version = "0.48.0"
+  version = "0.53.0"

  name                          = var.redis_config.name
  replication_group_id          = var.redis_config.replication_group_id == null ? var.redis_config.name : var.redis_config.replication_group_id
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -4,7 +4,7 @@ terraform {

 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "3.18.1"
+  version = "5.1.2"

  name = var.vpc.name
  cidr = var.vpc.cidr