Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
This PR add support for the attribute deletion_protection_enabled
in the DynamoDB ressource
To address an issue https://github.com/cloudposse/terraform-aws-tfstate-backend/issues/143 To present or force DynamoDB table deletion
To address an issue https://github.com/cloudposse/terraform-aws-tfstate-backend/issues/143 https://aws.amazon.com/about-aws/whats-new/2023/03/amazon-dynamodb-table-deletion-protection/
The following step was returning an error:
terraform init -force-copy
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Terraform encountered problems during initialisation, including problems
with the configuration, described below.
The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
β·
β Error: Argument or block definition required
β
β on backend.tf line 9, in terraform:
β 9: assume_role.role_arn = ""
β
β An argument or block definition is required here. To set an argument, use the equals sign "=" to introduce the argument value.
β΅
Improve TF formatting when a DynamoDB table is not specified.
As our CI pipeline checks formatting and we don't use a DynamoDB for locking, we keep committing changes made to the backend file which is handled by this module.
N/A
This parameter allows the user to specify policies that are applied to the S3 bucket with the policies defined by this module.
We want to add policies that forbid non admin users to access the bucket containing tfstates.
This commit allow us to specify a policy that implement these restriction without clobbering the policies put in place by this module.
Note that I have no problem to change the name of this new parameter if you want another.
Closes: #115
aws_s3_bucket
resource was updated some time ago to deprecate access policies, encryption and logging as arguments, instead preferring separate terraform resources. tfsec incorrectly highlights the aws_s3_bucket
resource are CRITICALly vulnerable.Rebuild github dir from the template
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-log-storage/aws (source) | module | minor | 1.1.0 -> 1.3.1 |
v1.3.1
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | patch | 3.1.0 -> 3.1.1 |
v3.1.1
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | patch | 3.1.0 -> 3.1.1 |
v3.1.1
v1.3.0
lifecycle_configuration_rules
to be fully defined with optional membersv1.2.0
: Support new AWS S3 defaults (ACL prohibited)This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | minor | 3.0.0 -> 3.1.0 |
v3.1.0
aws_s3_bucket_accelerate_configuration
and aws_s3_bucket_versioning
resources even when the feature is disabled, to enable drift detectionaws_s3_bucket_versioning
resource to track changes made to bucket versioning configurationaws_s3_bucket_versioning
, the expectation is that the bucket versioning is disabled/suspend for the bucket. If bucket versioning is turned on outside of terraform (e.g. through the console), the change is not detected by terraform unless the aws_s3_bucket_versioning
resource exists.This is an auto-generated PR that updates the README.md and docs
To have most recent changes of README.md and doc from origin templates
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-log-storage/aws (source) | module | major | 0.26.0 -> 1.1.0 |
v1.1.0
Adding "object_lock_configuration" variable which is used in module "cloudposse/s3-bucket/aws"
Must be able to use the Object Lock option for S3 in this module
v1.0.0
bucket_key_enabled
flag defaults to false
for backward compatibility. At one point we recommend setting it to true for significant savings on KMS usage, but since bucket keys are only reused within a user session, it is not clear if it provides any savings at all. See AWS docs for more information.lifecycle_configuration_rules
input replaces the now deprecated individual inputs for individual settings of a single lifecycle rule. See the terraform-aws-s3-bucket documentation for details on how to specify lifecycles using lifecycle_configuration_rules
. This mechanism is much more flexible and closely follows the Terraform aws_s3_bucket_lifecycle_configuration
resource.source_policy_documents
input replaces the now deprecated policy
input to match changes to the aws_iam_policy_document
resourcenull
force_destroy
at its default value of false
, and if you have it set to true
but want extra safety against the S3 bucket being destroyed, set it to false
before upgrading).force_destroy_enabled
flag introduced in v0.27.0 has been removedlifecycle_configuration_rules
input was introduced. In that version, you would continue to get the old default lifecycle rule even if you supplied new rules via lifecycle_configuration_rules
. Now, the default behavior is to ignore all the deprecated lifecycle inputs when the lifecycle_configuration_rules
input is not empty, unless you explicitly set lifecycle_rule_enabled
to true.moved
block functionality introduced in Terraform 1.3.0nullable = false
for module input variables which have a default value and where null is not a sensible/handled value for the variable.null
, closes #β63
v0.28.3
: Not recommended, use v0.26.0 or v1.x insteadWith the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | major | 2.0.1 -> 3.0.0 |
v0.28.2
: Action required if updating from prior to v0.28.0With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
v0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.
We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | patch | 2.0.0 -> 2.0.1 |
v0.28.1
: accidental release, do not usev0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.
We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.
Change all references to git.io/build-harness
into cloudposse.tools/build-harness
, since git.io
redirects will stop working on April 29th, 2022.
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/s3-bucket/aws (source) | module | major | 0.49.0 -> 2.0.3 |
v0.28.0
: (Action Needed) Support AWS v4 providernull-label
force_destroy_enabled
v0.27.0
: (WARNING: Potential Data Loss) Prepare for AWS provider v4With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
This release is a refactoring in preparation for supporting Terraform AWS Provider v4. One feature was removed, but otherwise there are no changes to inputs or behavior. However, the Terraform "addresses" of resources have changed, so you are need to run several terraform state mv
commands.
Warning: failure to run the required terraform state mv
commands will cause Terraform to delete your existing S3 bucket and create a new one, deleting all the data stored in the bucket in the process.
Details on how to safely upgrade are in this repository's Wiki here
In #β54 a contributor added support for MFA delete via the versioning_mfa_delete_enabled
. In AWS provider version 3.x this argument was documented with the caveat
This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS.
With AWS provider version 4.0, this argument now does toggle the setting. Unfortunately, that adds the requirement then when it is enabled, you must supply a current MFA token every time you run terraform apply
. That is not compatible with automation, and therefore we have no intention to support it and have removed the versioning_mfa_delete_enabled
input.
mfa_delete
< 4.0
and disable Renovate bot, closes #β64mfa_delete
enabled requires entering an MFA token for every Terraform operation, which is incompatible with automation. Users requiring mfa_delete
should either not use Terraform or create their own fork.This is the first of 2 upgrade releases to get this module to support Terraform AWS Provider v4. We are breaking it into 2 releases so that users have the option of upgrading step-by-step rather than all at once. Upgrade instructions are here.
force_destroy
is true
force_destroy
is true
then an automated, unattended process could cause the S3 bucket to be deleted and all data in it irretrievably lostCloses Renovate PRs:
This PR introduces breaking changes to the module.
Previous versions shortened some names where AWS imposes length restrictions of 63 or 64 characters by simply truncating them. This module now uses null-label
to shorten generated names when necessary. It shortens names by replacing the last characters of the string with a hash of them. This reduces the likelihood of name collisions while enforcing length limits.
If this module previously truncated a generated name, the name will now change, and Terraform will try to destroy and replace existing resources. If this happens to your S3 bucket, you can specify the existing name in s3_bucket_name
. If this happens in the replication role or policy name, you can safely let Terraform make the change.
logging_bucket_enabled
has been removedThe input logging_bucket_enabled
has been removed, and this module no longer creates an S3 bucket to receive logs. This is because configuring an S3 bucket, particularly lifecycle rules, is too complex to be included in this module.
If you previously had logging_bucket_enabled = true
, upgrading to this version will cause Terraform to attempt to delete the logging bucket previously created. You will need to use terraform state rm
to remove the S3 bucket from the state in order to keep Terraform from trying to delete it. You can use a module like s3-log-storage
or s3-bucket
to continue to manage the bucket, just import the bucket into the state using terraform import
.
logging
input type has changedThe logging
input type has changed from an object to a list of objects. This is the new Cloud Posse standard for optional inputs that are used to determine count
, in order to avoid problems evaluating dynamic values during the planning phase. If you are providing a value, just put it in a list. If you are not providing a value, accept the default or pass in an empty list ([]
). Do not pass in null
.
AWS S3 buckets and DynamoDB tables are now always encrypted at rest, with no option to leave them unencrypted. Therefore the enable_server_side_encryption
input has been removed. If you had set enable_server_side_encryption = false
, then use terraform state mv
to move ...aws_dynamodb_table.without_server_side_encryption[0]
to ...aws_dynamodb_table.with_server_side_encryption[0]
or else Terraform will delete your existing DynamoDB table and create a new one, causing a complete loss of DynamoDB table data.
Note that all the DynamoDB table data is only advisory, so a complete data loss will not cause a significant problem, but you still probably want to avoid it.
Due to both the low traffic in normal operations and the potentially high traffic in certain automated operations, the default billing mode has changed from "provisioned" to "pay per request". You can retain the previous mode by setting billing_mode = "PROVISIONED"
, which will also restore the previous read and write capacity defaults.
BucketOwnerEnforced
AWS now recommends (and takes as default) setting "bucket object ownership" to BucketOwnerEnforced
, which overrides and disables ACLs. This module now defaults to the same setting. You can continue to use ACLs by setting the new input bucket_ownership_enforced_enabled
to false
, but it is not recommended.
The generation of a backend configuration file is deprecated and will be removed in a future release. Meanwhile, the default for terraform_version
, which sets, in the generated backend configuration file, the value of the minimum version of Terraform to be allowed, has been changed to 1.0.0.
null-label
inputslogging_bucket_enabled
has been removedlogging
was changed from an object type to a list of the same object typeenable_server_side_encryption
has been removed (encryption cannot be disabled)BucketOwnerEnforced
terraform_version
has changed to "1.0.0"This is my first PR to Cloudposse projects. Thanks for all the good contributions and please let me know if there's any adjustments needed.
release-drafter
auto-publishes, it sets the release as "latest", which is not what we want for updates to release branches.