Terraform AWS Tfstate Backend: Versions

Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table used to lock the state file, preventing concurrent modifications and state corruption.

1.4.1

2 months ago
feature: Add support for deletion_protection_enabled attribute for DynamoDB @Hamza-Aziz (#156)

what

This PR adds support for the attribute deletion_protection_enabled in the DynamoDB resource

why

To address an issue https://github.com/cloudposse/terraform-aws-tfstate-backend/issues/143: to prevent or force DynamoDB table deletion

references

To address an issue https://github.com/cloudposse/terraform-aws-tfstate-backend/issues/143 https://aws.amazon.com/about-aws/whats-new/2023/03/amazon-dynamodb-table-deletion-protection/

chore: points to correct issue in README link @Gowiem (#154)

what

  • Fixes link in README that was pointing to wrong issue

why

  • We don't want to lead people astray 👍

references

  • This is a redo of #153 by @tripplilley. Fame, fortune, and internet points go to him 😄

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#155)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update README.md and docs @cloudpossebot (#152)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

1.4.0

4 months ago
fix: s3 backend deprecated role_arn field @basvandijk (#151)

what

The following step was returning an error:

terraform init -force-copy

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Terraform encountered problems during initialisation, including problems
with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
╷
│ Error: Argument or block definition required
│
│   on backend.tf line 9, in terraform:
│    9:     assume_role.role_arn = ""
│
│ An argument or block definition is required here. To set an argument, use the equals sign "=" to introduce the argument value.
╵
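The generated backend.tf in the failing step wrote the nested argument as a dotted assignment (assume_role.role_arn = ""), which HCL rejects, and Terraform 1.6 and later also deprecate the top-level role_arn argument of the s3 backend in favour of an assume_role nested block. The following is an added example of a backend block in the current form; it is not the module's own template, and the bucket, key, table and role values are constructed placeholders.

```hcl
# Added example, not the module's generated backend.tf.
# All names and ARNs below are placeholders; in practice they come from the
# outputs of the tfstate-backend module.
terraform {
  # The assume_role nested block form of the s3 backend exists since Terraform 1.6
  required_version = ">= 1.6.0"

  backend "s3" {
    bucket         = "example-tfstate-bucket" # placeholder
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                     # server-side encrypt the state object
    dynamodb_table = "example-tfstate-lock"   # placeholder; table used for state locking

    # Deprecated (still parsed, but warns):
    #   role_arn = "arn:aws:iam::123456789012:role/example-tfstate"
    # Invalid HCL, the form rejected in the error above:
    #   assume_role.role_arn = ""
    # Current form: a nested block, omitted entirely when no role is assumed.
    assume_role {
      role_arn = "arn:aws:iam::123456789012:role/example-tfstate" # placeholder
    }
  }
}
```

When no role is assumed, the whole assume_role block should be left out; an empty role_arn inside the block is not a valid way to disable it.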

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#150)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

1.3.0

6 months ago
fix: Better TF formatting when dynamodb_table is empty when creating backend template file @SMontiel (#149)

what

Improve TF formatting when a DynamoDB table is not specified.

why

As our CI pipeline checks formatting and we don't use a DynamoDB for locking, we keep committing changes made to the backend file which is handled by this module.

references

N/A

1.2.0

6 months ago
feat: add user_policy_document parameter @dod38fr (#142)

what

This parameter allows the user to specify policies that are applied to the S3 bucket with the policies defined by this module.

why

We want to add policies that forbid non admin users to access the bucket containing tfstates.

This commit allows us to specify a policy that implements these restrictions without clobbering the policies put in place by this module.

Note that I have no problem changing the name of this new parameter if you want another.

references

Closes: #115

1.1.1

11 months ago
tfsec ignores added @davenicoll (#136)

what

  • added tfsec ignores to false positives

why

  • the terraform aws_s3_bucket resource was updated some time ago to deprecate access policies, encryption and logging as arguments, instead preferring separate terraform resources. tfsec incorrectly highlights the aws_s3_bucket resource as CRITICALly vulnerable.

references

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#argument-reference

Sync github @max-lobur (#138)

Rebuild github dir from the template

πŸ› Bug Fixes

Always require TLS connection to S3 bucket @Nuru (#139)

what

  • Always require TLS connection to S3 bucket

why

  • Restores intended behavior
  • Fixes crash. Supersedes and closes #135. Thank you @dod38fr
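Both the user_policy_document change in 1.2.0 (caller-supplied statements that must not clobber the module's own policy) and the "always require TLS" fix above come down to how the state bucket's policy is assembled. The block below is an added illustration, not the module's code: it builds the module-enforced deny-non-TLS statement with an aws_iam_policy_document data source and merges an optional caller document through source_policy_documents. The variable name user_policy_document is taken from the PR title (the merged name may differ), and the bucket name is a placeholder.

```hcl
# Added example, not the module's own code. It shows a module-enforced
# "deny non-TLS" statement plus a caller-supplied policy merged in rather
# than replacing it. Bucket name is a placeholder.

variable "user_policy_document" {
  description = "Optional caller-supplied bucket policy JSON, merged with the enforced statements"
  type        = string
  default     = "" # empty string means "none"; avoids null-during-plan issues
}

locals {
  # Placeholder; in the real module this is the created bucket's ARN.
  bucket_arn = "arn:aws:s3:::example-tfstate-bucket"
}

# Statement the module always enforces: refuse any request not made over TLS.
data "aws_iam_policy_document" "enforced" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [local.bucket_arn, "${local.bucket_arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

# Merge: caller statements (for example, denying non-admin access to the state
# bucket, as the 1.2.0 PR describes) are combined with the enforced document.
# The enforced document is listed last so that a caller statement with the same
# sid cannot silently replace it; an explicit Deny wins over any Allow regardless.
data "aws_iam_policy_document" "bucket" {
  source_policy_documents = compact([
    var.user_policy_document,
    data.aws_iam_policy_document.enforced.json,
  ])
}

resource "aws_s3_bucket_policy" "state" {
  bucket = "example-tfstate-bucket" # placeholder
  policy = data.aws_iam_policy_document.bucket.json
}
```

With source_policy_documents, later documents override earlier statements that carry the same sid, which is why the enforced document goes last; compact() drops the empty string when no caller document is supplied.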

0.40.1

1 year ago

🤖 Automatic Updates

Update Terraform cloudposse/s3-log-storage/aws to v1.3.1 (release/v0) @renovate (#134)

This PR contains the following updates:

Package: cloudposse/s3-log-storage/aws (source) | Type: module | Update: minor | Change: 1.1.0 -> 1.3.1

Release Notes

cloudposse/terraform-aws-s3-log-storage

v1.3.1

Compare Source

🚀 Enhancements

Update Terraform cloudposse/s3-bucket/aws to v3.1.1 (master) @renovate (#88)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: patch | Change: 3.1.0 -> 3.1.1

Release Notes
cloudposse/terraform-aws-s3-bucket
v3.1.1

Compare Source

πŸ› Bug Fixes
Revert change to Transfer Acceleration from #178 @Nuru (#180)
what
  • Revert change to Transfer Acceleration from #178
why
  • Transfer Acceleration is not available in every region, and the change in #178 (meant to detect and correct drift) does not work (throws API errors) in regions where Transfer Acceleration is not supported


v1.3.0

Compare Source

🚀 Enhancements

Enhance lifecycle object with optionals, limit length of bucket name @Nuru (#87)

what

  • Limit length of auto-generated bucket name to match AWS-imposed limit
  • Enhance lifecycle_configuration_rules to be fully defined with optional members

why

  • Avoid situation where module fails because auto-generated bucket name is too long
  • Make it easier to build a list of rules

references

v1.2.0: Support new AWS S3 defaults (ACL prohibited)

Compare Source

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v3.1.0 @renovate (#85)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: minor | Change: 3.0.0 -> 3.1.0

Release Notes
cloudposse/terraform-aws-s3-bucket
v3.1.0

Compare Source

Make compatible with new S3 defaults. Add user permissions boundary. @Nuru (#178)
what
  • Make compatible with new S3 defaults by setting S3 Object Ownership before setting ACL and disabling ACL if Ownership is "BucketOwnerEnforced"
  • Add optional permissions boundary input for IAM user created by this module
  • Create aws_s3_bucket_accelerate_configuration and aws_s3_bucket_versioning resources even when the feature is disabled, to enable drift detection
why
  • S3 buckets with ACLs were failing to be provisioned because the ACL was set before the bucket ownership was changed
  • Requested feature
  • See #171
references
Always include `aws_s3_bucket_versioning` resource @mviamari (#172)
what
  • Always create an aws_s3_bucket_versioning resource to track changes made to bucket versioning configuration
why
  • When there is no aws_s3_bucket_versioning, the expectation is that the bucket versioning is disabled/suspend for the bucket. If bucket versioning is turned on outside of terraform (e.g. through the console), the change is not detected by terraform unless the aws_s3_bucket_versioning resource exists.
references
  • Closes #171
Add support for permission boundaries on replication IAM role @mchristopher (#170)
what
why
  • Our AWS environment enforces permission boundaries on all IAM roles to follow AWS best practices with security.
references
🤖 Automatic Updates
Update README.md and docs @cloudpossebot (#164)
what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates



0.40.0

1 year ago

🚀 Enhancements

notes

  • Terraform minimum version is now 1.1.0
  • AWS provider minimum version is now 4.9.0

This PR contains the following updates:

Package: cloudposse/s3-log-storage/aws (source) | Type: module | Update: major | Change: 0.26.0 -> 1.1.0

Release Notes

cloudposse/terraform-aws-s3-log-storage

v1.1.0

Compare Source

Adding "object_lock_configuration" variable @ramses999 (#84)

what

Adding "object_lock_configuration" variable which is used in module "cloudposse/s3-bucket/aws"

why

Must be able to use the Object Lock option for S3 in this module

references

https://github.com/cloudposse/terraform-aws-s3-bucket/blob/6837ed7b2f2460043d6be3981f16ed90563fd12a/main.tf#L5

v1.0.0

Compare Source

Important Notes

  • Terraform version 1.3.0 and Terraform AWS version 4.9.0 or later are required
  • The new bucket_key_enabled flag defaults to false for backward compatibility. At one point we recommended setting it to true for significant savings on KMS usage, but since bucket keys are only reused within a user session, it is not clear if it provides any savings at all. See AWS docs for more information.
  • The new lifecycle_configuration_rules input replaces the now deprecated individual inputs for individual settings of a single lifecycle rule. See the terraform-aws-s3-bucket documentation for details on how to specify lifecycles using lifecycle_configuration_rules. This mechanism is much more flexible and closely follows the Terraform aws_s3_bucket_lifecycle_configuration resource.
  • The new source_policy_documents input replaces the now deprecated policy input to match changes to the aws_iam_policy_document resource
  • You can now select default values for (non-deprecated) inputs by setting them to null
  • With Terraform 1.3 the manual interventions documented for upgrading to this module's versions 0.27.0 and 0.28.0 are no longer needed. You can safely upgrade from any earlier version to this one (although we always recommend leaving force_destroy at its default value of false, and if you have it set to true but want extra safety against the S3 bucket being destroyed, set it to false before upgrading).
  • The force_destroy_enabled flag introduced in v0.27.0 has been removed
  • In version 0.28.0, old lifecycle rule variables were deprecated and the new lifecycle_configuration_rules input was introduced. In that version, you would continue to get the old default lifecycle rule even if you supplied new rules via lifecycle_configuration_rules. Now, the default behavior is to ignore all the deprecated lifecycle inputs when the lifecycle_configuration_rules input is not empty, unless you explicitly set lifecycle_rule_enabled to true.

Enhancements
Automate upgrade using `moved` blocks @Nuru (#81)

what

  • Automate the upgrade process from v0.26.0 or earlier by using moved block functionality introduced in Terraform 1.3.0
  • Add nullable = false for module input variables which have a default value and where null is not a sensible/handled value for the variable.

why

  • Safely upgrade without loss of data or manual intervention
  • Allow users to select default values by setting inputs to null, closes #63

Compare Source

With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v3 @renovate (#78)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: major | Change: 2.0.1 -> 3.0.0

v0.28.2: Action required if updating from prior to v0.28.0

Compare Source

With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.

v0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.

We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v2.0.1 @renovate (#76)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: patch | Change: 2.0.0 -> 2.0.1

v0.28.1: accidental release, do not use

Compare Source

v0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.

We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.

git.io->cloudposse.tools update @dylanbannon (#73)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

🤖 Automatic Updates

Update Terraform cloudposse/s3-bucket/aws to v2 @renovate (#72)

This PR contains the following updates:

Package: cloudposse/s3-bucket/aws (source) | Type: module | Update: major | Change: 0.49.0 -> 2.0.3

v0.28.0: (Action Needed) Support AWS v4 provider

Compare Source

WARNING, DATA LOSS LIKELY if you do not follow upgrade instructions:

🚀 Enhancements

Support AWS v4 provider @Nuru (#71)

what

  • Migrate to AWS v4 Terraform provider
  • Add features
    • Allow full S3 storage lifecycle configuration
    • Allow multiple bucket policy documents
    • Allow specifying the bucket name directly, rather than requiring it to be generated by null-label
    • Allow specifying S3 object ownership
    • Allow enabling S3 bucket keys for encryption
  • Deprecate variable by variable specification of a single storage lifecycle rule
  • Add extra safety measure force_destroy_enabled

why

  • AWS v4 broke this module
  • Feature parity
  • Replaced with more power and more flexible input
  • Reduce the chance that automated upgrades will cause data loss

references

v0.27.0: (WARNING: Potential Data Loss) Prepare for AWS provider v4

Compare Source

With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.

Warning: Potential total data loss

This release is a refactoring in preparation for supporting Terraform AWS Provider v4. One feature was removed, but otherwise there are no changes to inputs or behavior. However, the Terraform "addresses" of resources have changed, so you need to run several terraform state mv commands.

Warning: failure to run the required terraform state mv commands will cause Terraform to delete your existing S3 bucket and create a new one, deleting all the data stored in the bucket in the process.

Details on how to safely upgrade are in this repository's Wiki here

Support for "MFA delete" removed

In #54 a contributor added support for MFA delete via the versioning_mfa_delete_enabled input. In AWS provider version 3.x this argument was documented with the caveat

This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS.

With AWS provider version 4.0, this argument now does toggle the setting. Unfortunately, that adds the requirement that when it is enabled, you must supply a current MFA token every time you run terraform apply. That is not compatible with automation, and therefore we have no intention to support it and have removed the versioning_mfa_delete_enabled input.

🚀 Enhancements

Refactor to use s3-bucket module, update in general @Nuru (#66)

what

  • Refactor to use terraform-aws-s3-bucket
  • Remove support for mfa_delete
  • Pin AWS provider < 4.0 and disable Renovate bot, closes #64
  • General updates

why

  • Simplify maintenance and standardize on single S3 bucket module, in preparation for upgrade to Terraform AWS provider v4
  • With Terraform AWS provider v4, having mfa_delete enabled requires entering an MFA token for every Terraform operation, which is incompatible with automation. Users requiring mfa_delete should either not use Terraform or create their own fork.
  • Current module does not work with AWS v4, but Renovate would try to update it anyway
  • Stay current with boilerplate and management tools

notes

This is the first of 2 upgrade releases to get this module to support Terraform AWS Provider v4. We are breaking it into 2 releases so that users have the option of upgrading step-by-step rather than all at once. Upgrade instructions are here.

Cleanups and safety checks for upgrade @Nuru (#70)

what

  • Add warning to README and error when force_destroy is true
  • Maintain rule name for lifecycle rule
  • Disable Renovate bot

why

  • If force_destroy is true then an automated, unattended process could cause the S3 bucket to be deleted and all data in it irretrievably lost
  • Remove an unwanted and unneeded source of changes created by upgrading
  • This version should not be updated, it is pinned for compatibility

references

Closes Renovate PRs:

1.1.0

1 year ago
  • No changes

1.0.0

1 year ago
Support AWS provider version 4 @Nuru (#129)

Breaking Changes

This PR introduces breaking changes to the module.

Different method of shortening names (RISK OF DATA LOSS)

Previous versions shortened some names where AWS imposes length restrictions of 63 or 64 characters by simply truncating them. This module now uses null-label to shorten generated names when necessary. It shortens names by replacing the last characters of the string with a hash of them. This reduces the likelihood of name collisions while enforcing length limits.

If this module previously truncated a generated name, the name will now change, and Terraform will try to destroy and replace existing resources. If this happens to your S3 bucket, you can specify the existing name in s3_bucket_name. If this happens in the replication role or policy name, you can safely let Terraform make the change.

Access Logging (RISK OF DATA LOSS)

The input logging_bucket_enabled has been removed

The input logging_bucket_enabled has been removed, and this module no longer creates an S3 bucket to receive logs. This is because configuring an S3 bucket, particularly lifecycle rules, is too complex to be included in this module.

If you previously had logging_bucket_enabled = true, upgrading to this version will cause Terraform to attempt to delete the logging bucket previously created. You will need to use terraform state rm to remove the S3 bucket from the state in order to keep Terraform from trying to delete it. You can use a module like s3-log-storage or s3-bucket to continue to manage the bucket, just import the bucket into the state using terraform import.

The logging input type has changed

The logging input type has changed from an object to a list of objects. This is the new Cloud Posse standard for optional inputs that are used to determine count, in order to avoid problems evaluating dynamic values during the planning phase. If you are providing a value, just put it in a list. If you are not providing a value, accept the default or pass in an empty list ([]). Do not pass in null.

Encryption no longer optional (RISK OF DATA LOSS)

AWS S3 buckets and DynamoDB tables are now always encrypted at rest, with no option to leave them unencrypted. Therefore the enable_server_side_encryption input has been removed. If you had set enable_server_side_encryption = false, then use terraform state mv to move ...aws_dynamodb_table.without_server_side_encryption[0] to ...aws_dynamodb_table.with_server_side_encryption[0] or else Terraform will delete your existing DynamoDB table and create a new one, causing a complete loss of DynamoDB table data.

Note that all the DynamoDB table data is only advisory, so a complete data loss will not cause a significant problem, but you still probably want to avoid it.

DynamoDB default billing mode changed from "provisioned" to "pay per request"

Due to both the low traffic in normal operations and the potentially high traffic in certain automated operations, the default billing mode has changed from "provisioned" to "pay per request". You can retain the previous mode by setting billing_mode = "PROVISIONED", which will also restore the previous read and write capacity defaults.

Bucket object ownership now defaults to BucketOwnerEnforced

AWS now recommends (and takes as default) setting "bucket object ownership" to BucketOwnerEnforced, which overrides and disables ACLs. This module now defaults to the same setting. You can continue to use ACLs by setting the new input bucket_ownership_enforced_enabled to false, but it is not recommended.

Generation of backend configuration file deprecated, default changed

The generation of a backend configuration file is deprecated and will be removed in a future release. Meanwhile, the default for terraform_version, which sets, in the generated backend configuration file, the value of the minimum version of Terraform to be allowed, has been changed to 1.0.0.

what

  • Updated to support and require AWS provider version 4 or later
  • Generate valid identifiers for replication resources when not providing null-label inputs
  • The input logging_bucket_enabled has been removed
  • The input logging was changed from an object type to a list of the same object type
  • The input enable_server_side_encryption has been removed (encryption cannot be disabled)
  • DynamoDB default billing mode changed from "provisioned" to "pay per request"
  • Bucket object ownership for the created S3 bucket now defaults to BucketOwnerEnforced
  • The default value for input terraform_version has changed to "1.0.0"
  • Add tags to created IAM Policy and Role for replication
  • Add output of replication role ARN

why

  • Version 4.0 introduced breaking changes (reverted in 4.9.0) that will be reintroduced in announced version 5.0 (no release date given). This update removes the use of deprecated features and is expected to work with version 5.0 when it is released.
  • See details under "Breaking Changes" above.

references

  • Supersedes and closes #125
  • Supersedes and closes #124
  • Obsoletes and closes #123
  • Obsoletes and closes #121
  • Supersedes and closes #119
  • Closes #118
  • Supersedes and closes #114
  • Supersedes and closes #113
  • Closes #111
  • Closes #109
  • Supersedes and closes #108
  • Supersedes and closes #107
  • Obsoletes and closes #106
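As an added illustration of the input shapes after this release, together with the deletion_protection_enabled input from 1.4.1, here is a root-module call and the state relocation the encryption change asks for. This is not the module's README example: the registry address cloudposse/tfstate-backend/aws, the null-label inputs (namespace, stage, name) and the keys of the logging object are assumed, all names are placeholders, and the moved block is the declarative equivalent (Terraform 1.1 or later) of the terraform state mv command named above, with module.tfstate_backend standing in for the elided module path.

```hcl
# Added example, not from the module's README. Registry address, null-label
# inputs and the keys of the logging object are assumptions; names are
# placeholders.
module "tfstate_backend" {
  source  = "cloudposse/tfstate-backend/aws" # assumed registry address
  version = "1.4.1"

  namespace = "example" # null-label inputs, assumed; placeholders
  stage     = "prod"
  name      = "tfstate"

  # 1.0.0: logging is a list of objects, never null. An empty list ([]) disables it.
  logging = [{
    bucket_name = "example-access-logs" # placeholder; object keys assumed
    prefix      = "tfstate/"
  }]

  # 1.0.0: default is now pay-per-request; "PROVISIONED" restores the old mode
  # and its read/write capacity defaults.
  billing_mode = "PAY_PER_REQUEST"

  # 1.0.0 default: BucketOwnerEnforced, which disables ACLs. Set false only
  # if you must keep ACLs (not recommended).
  bucket_ownership_enforced_enabled = true

  # 1.4.1: protect the lock table from accidental deletion.
  deletion_protection_enabled = true

  # Keep the default so an unattended apply can never remove the state bucket.
  force_destroy = false
}

# 1.0.0 upgrade: encryption is no longer optional and the unencrypted table
# address no longer exists in the module. If you previously had
# enable_server_side_encryption = false, relocate the state entry instead of
# letting Terraform destroy and recreate the table. This moved block is the
# declarative equivalent of the terraform state mv command in the notes above.
moved {
  from = module.tfstate_backend.aws_dynamodb_table.without_server_side_encryption[0]
  to   = module.tfstate_backend.aws_dynamodb_table.with_server_side_encryption[0]
}
```

Run terraform plan after adding the moved block and confirm it reports the table as moved rather than as "must be replaced" before applying; the same plan check applies to the S3 bucket if a generated name changed and you have not set s3_bucket_name.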

0.39.0

1 year ago
Adding support for setting permissions boundary on IAM-role @jannyg (#117)

This is my first PR to Cloudposse projects. Thanks for all the good contributions and please let me know if there's any adjustments needed.

what

  • This will add support for setting a permission boundary for the IAM role
  • This is needed for master payer accounts through resellers that restrict access to the master payer account.
  • The value is optional

why

  • This is needed for master payer accounts through resellers that restrict access to the master payer account and require the permissions boundary to be set on all new IAM roles to restrict access to certain resources.

references

Do not auto-publish from release branches @Nuru (#127)

what

  • Do not auto-publish from release branches

why

  • When release-drafter auto-publishes, it sets the release as "latest", which is not what we want for updates to release branches.

Update workflows and other framework @Nuru (#126)

what

  • Update workflows and other framework to current versions

why

  • Add support for release branches

git.io->cloudposse.tools and test fixes @dylanbannon (#116)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143