
Releases: cloudposse/terraform-aws-documentdb-cluster

v1.0.0

12 Sep 17:09
6de2235
Serverless support @tdinunzio-trayport (#132)

what

Add support for DocumentDB serverless clusters
  • new module variable
  • updated dependencies to releases supporting serverless
  • added new example and test for serverless

why

Serverless instance support has been added to DocumentDB, as well as in the AWS Terraform provider. This PR makes it configurable via this module.

references

https://aws.amazon.com/about-aws/whats-new/2025/07/amazon-documentdb-serverless/
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.8.0
https://github.com/aws/aws-sdk-go-v2/blob/release-2025-07-30/service/docdb/CHANGELOG.md#v1430-2025-07-30

🤖 Automatic Updates

chore(deps): update terraform cloudposse/vpc/aws to v2.3.0 @[renovate[bot]](https://github.com/apps/renovate) (#133)

This PR contains the following updates:

  • Package: cloudposse/vpc/aws (source)
  • Type: module
  • Update: minor
  • Change: 2.1.1 -> 2.3.0

Release Notes

cloudposse/terraform-aws-vpc (cloudposse/vpc/aws)

v2.3.0

Compare Source

Fixes "Error: no association of default Security Group (sg-XXX) with VPC Endpoint (vpce-YYY)" @j4zzcat (#158)

This PR updates the `vpc-endpoints` module to prevent recurring no association of default Security Group (...) with VPC Endpoint (...) errors when managing Interface VPC Endpoints. See also https://github.com/cloudposse-terraform-components/aws-vpc/issues/49.

The issue occurred because AWS automatically attaches the default VPC security group to an Interface endpoint when no SGs are specified at creation. The module previously relied on replace_default_association to swap it out for the desired SG. This worked only on the first run - subsequent runs failed because the default SG was no longer attached.

Changes

  1. Attach first SG at creation time
    • Added security_group_ids to aws_vpc_endpoint.interface_endpoint with the first SG from var.interface_vpc_endpoints.
    • Prevents AWS from attaching the default SG and removes the need for replace_default_association.
  2. Limit SG associations to index > 0
    • Updated security_group_associations_list and security_group_associations_map locals to only include SGs beyond the first one.
    • Ensures Terraform doesn’t try to re-attach the already-attached first SG.
  3. Remove replace_default_association
    • Association resources now only attach additional SGs.
    • Eliminates fragile “replace default” logic that failed on repeated applies.

Benefits

  • Idempotent applies — no more failing after the first run.
  • Simpler logic — no special-case handling for the default SG.
  • Clean AWS state — the default SG is never attached in the first place.

Testing

  • Applied changes in a test environment with multiple endpoints and SGs.
  • Verified that:
    • First SG is attached at endpoint creation.
    • Additional SGs are attached via association resources.
    • No errors occur on repeated terraform apply runs.

v2.2.0

Compare Source

🚀 Enhancements

feat(internet-gateways): add better tagging for naming visibility @oycyc (#157)

what

  1. Add an additional label to set the attribute which sets the final "Name" tag for IGW and EIGW.
    • @gberenice made a good comment below. This does not replace the resource. Only updates in place by updating the tags. See screenshot in comments. No actual AWS physical infra updated. Only tag/naming.
  2. This also fixes TF test errors - VPC endpoint security group association "OperationInProgress" errors
    • Problem: VPC endpoint tests were failing with "api error OperationInProgress: VpcEndpoint modify operation in progress" because multiple security group associations were attempting to modify the same VPC endpoint simultaneously.
    • Root Cause: The module was using separate aws_vpc_endpoint_security_group_association resources with for_each, causing concurrent API calls that AWS doesn't allow.
    • Solution: Replaced separate security group association resources with the built-in security_group_ids parameter on aws_vpc_endpoint. This approach eliminates concurrent modification conflicts and follows AWS Provider best practices.

why

  1. Screenshot redacted. For IGW and EIGW, there's no name attribute. So on the AWS console UI, the name is determined by the "Name" tag. Without "igw", when looking at the resource map of the VPC, it looks very off when the subnets -> route tables -> network connection is all the same name.

I should easily be able to tell what network connection it is, igw, eigw, or NAT (which does have this): https://github.com/cloudposse/terraform-aws-dynamic-subnets/blob/main/nat-gateway.tf#L1

  2. Tests were failing.

🤖 Automatic Updates

Fix go version in tests @osterman (#155)

what

  • Update go 1.24

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

Replace Makefile with atmos.yaml @osterman (#154)

what

  • Remove Makefile
  • Add atmos.yaml

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

Migrate new test account @osterman (#150)

what

  • Update .github/settings.yml
  • Update .github/chatops.yml files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#149)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#148)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update release workflow to allow pull-requests: write @osterman (#147)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#146)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#145)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#144)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#141)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration

Bump golang.org/x/crypto from 0.0.0-20220926161630-eccd6366d1be to 0.17.0 in /test/src @[dependabot[bot]](https://redirect.github.com/apps/dependabot) (#132)

Bumps [golang.org/x/crypto](https://redirect.github.com/golang/crypto) from 0.0.0-20220926161630-eccd6366d1be to 0.17.0.

v0.30.2

13 Aug 12:51

🚀 Enhancements

fix: adjust logic to address `manage_master_user_password` variable bugs @RoseSecurity (#131)

what and why

  • This PR fixes critical bugs created when the manage_master_user_password variable was introduced. The first bug caused a Terraform error where the master_password output attempted to join a null value when AWS was managing the password, failing with "Invalid function argument: cannot concatenate null values."
  • These fixes ensure that when manage_master_user_password = null (default), random passwords are created and stored in SSM as expected, and when manage_master_user_password = true, AWS manages the password without attempting to expose it in Terraform outputs or store it in SSM, maintaining both backward compatibility and the intended security.

bug

│ Error: Invalid function argument

│   on .terraform/modules/documentdb/outputs.tf line 7, in output "master_password":
│    7:   value       = var.manage_master_user_password != null ? join("", aws_docdb_cluster.default[*].master_password) : null
│     ├────────────────
│     │ while calling join(separator, lists...)
│     │ aws_docdb_cluster.default is tuple with 1 element

│ Invalid value for "lists" parameter: element 0 is null; cannot concatenate null values.

references


v0.30.1

02 Jul 14:20
Managed Admin Password for DocumentDb @Benbentwo (#124)

refactor: improve master password management logic and validation in DocumentDB cluster

what

  • Updated create_password local to check for null
  • Enforced manage_master_user_password to be true or null (required by resource)
    • moved variable up closer to master_password

This pull request refines the handling of the master_password and manage_master_user_password variables within the Terraform module for AWS DocumentDB clusters. It introduces better logic for password management, adds validation for the new variable, and updates the module configuration accordingly.

Password Management Updates:

  • main.tf: Updated the logic for create_password to account for cases where both var.master_password and var.manage_master_user_password are null. This ensures a random password is created when necessary. Additionally, simplified the handling of master_password and manage_master_user_password in the aws_docdb_cluster resource configuration. [1] [2]

Variable Refinements:

  • variables.tf: Added a new manage_master_user_password variable with validation to ensure it is either true or null. This replaces the previous implementation and provides clearer control over managing the master user password via AWS Secrets Manager.
  • variables.tf: Removed the old definition of manage_master_user_password to avoid redundancy and potential conflicts.

🤖 Automatic Updates

Fix go version in tests @osterman (#122)

what

  • Update go `1.24`

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

Replace Makefile with atmos.yaml @osterman (#121)

what

  • Remove `Makefile`
  • Add `atmos.yaml`

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

v0.30.0

27 May 20:24
  • No changes

v0.29.0

27 May 20:21
Revert "chore: Replace Makefile with atmos.yaml" @goruha (#120)

Reverts #119

v0.28.0

27 May 20:07
chore: Replace Makefile with atmos.yaml @osterman (#119)

what

  • deprecate build-harness

v0.27.0

21 May 01:33
fix: address invalid count bug @RoseSecurity (#118)

what and why

  • If a data.aws_ssm_parameter.password.value is passed to this module, it is tagged as a sensitive in the AWS provider, and that tag travels with the value all the way into the module. Because we don’t mark variable master_password as sensitive = true, the value is off-limits to functions like length() or to meta-arguments like count. Terraform refuses to evaluate them → “invalid count argument”.

v0.26.3

16 May 12:16
3699e7f

🚀 Enhancements

feat: consolidate enable parameters to locals and fix invalid count bug @RoseSecurity (#117)

what

  • Move enabled logic into locals
  • Added a local: local.enabled && length(var.master_password) == 0

[!NOTE]
length() returns an integer, so the result is always plan-time-known, even when the underlying string is deferred

  • Replaced the old count expression with count = module.this.enabled && local.is_master_password_empty ? 1 : 0.

why

  • Root cause: the count = module.this.enabled && var.master_password == "" ? 1 : 0 expression referenced var.master_password, which, when wired to something like aws_ssm_parameter.db_password.value, is unknown until apply time

references
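An added illustration (not code from this module or from the PRs above) of how the password-handling fixes described for #131, #118 and #117 fit together: the `length()`-based local used by the `count`, a `random_password` that is generated and written to SSM only when nothing was supplied and AWS is not managing the secret, and the `master_password` output guarded so it never joins a null attribute. `module.this`, `var.master_username`, the SSM parameter path and the cluster's remaining arguments are assumed, and marking the variable `sensitive` is a choice made here:

```hcl
# Added illustration, not the module's code: the password-handling fixes from
# #117, #118 and #131 in one place. module.this (cloudposse null-label) and
# var.master_username are assumed; unrelated cluster arguments are omitted.

variable "master_password" {
  type      = string
  default   = ""
  sensitive = true # choice made here: keeps the value out of plan output
}

variable "manage_master_user_password" {
  type    = bool
  default = null
  validation {
    # The resource accepts only true or null, never false (#124).
    condition     = var.manage_master_user_password == null || var.manage_master_user_password == true
    error_message = "manage_master_user_password must be true or null."
  }
}

locals {
  enabled = module.this.enabled
  # The length()-based local #117 uses instead of comparing the password with "".
  is_master_password_empty = length(var.master_password) == 0
  # Generate a password only when none was supplied AND AWS is not managing it.
  create_password = local.enabled && local.is_master_password_empty && var.manage_master_user_password == null
}

resource "random_password" "password" {
  count   = local.create_password ? 1 : 0
  length  = 33
  special = false
}

# Written to SSM only when Terraform generated the password; with an AWS-managed
# password nothing is stored here (#131). The parameter path is assumed.
resource "aws_ssm_parameter" "master_password" {
  count = local.create_password ? 1 : 0
  name  = "/docdb/${module.this.id}/master_password"
  type  = "SecureString"
  value = join("", random_password.password[*].result)
}

resource "aws_docdb_cluster" "default" {
  count              = local.enabled ? 1 : 0
  cluster_identifier = module.this.id
  master_username    = var.master_username
  # When AWS manages the password, master_password must stay unset (null).
  master_password = var.manage_master_user_password == true ? null : (
    local.create_password ? join("", random_password.password[*].result) : var.master_password
  )
  manage_master_user_password = var.manage_master_user_password
}

# The guard quoted in the #131 error was inverted: with manage_master_user_password = true
# the cluster's master_password attribute is null and join() refuses null elements:
#   value = var.manage_master_user_password != null ? join("", aws_docdb_cluster.default[*].master_password) : null
output "master_password" {
  # One corrected form: expose the password only when Terraform set it.
  value     = var.manage_master_user_password == null ? join("", aws_docdb_cluster.default[*].master_password) : null
  sensitive = true
}
```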


🤖 Automatic Updates

Migrate new test account @osterman (#110)

what

  • Update `.github/settings.yml`
  • Update `.github/chatops.yml` files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

v0.26.2

05 Sep 20:47
feat: added output cluster_members for resource aws_docdb_cluster @Faris96Hub (#107)

what

Added the Output "cluster_members" for the resource "aws_docdb_cluster".

why

Needed for monitoring reasons of the DocumentDB Cluster on a Node-level. Needed when creating a CloudWatch alarm on Node-level because the Dimension of the alarm needs the cluster members.

references

https://docs.aws.amazon.com/documentdb/latest/developerguide/cloud_watch.html#:~:text=and%20ReadIOPS.-,Amazon%20DocumentDB%20dimensions,-The%20metrics%20for

🤖 Automatic Updates

Update .github/settings.yml @osterman (#109)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#108)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v0.26.1

25 Jul 16:53
6fc2bac
fix: upgrade aws provider to 5.29.0 to support storage_type @gmeligio (#103)

what

  • Upgrade terraform-aws-provider to 5.29.0
  • Add variable for storage_type in the test.

why

  • storage_type was released in 5.29.0 but the current minimum version is 5.21.0. This change corrects the minimum required version to 5.29.0

references

closes #86

🚀 Enhancements

chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 in /test/src @dependabot (#102)

Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.4 to 1.7.5.

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.5

Full Changelog: hashicorp/go-getter@v1.7.4...v1.7.5

Commits
  • 5a63fd9 Merge pull request #497 from hashicorp/fix-git-update
  • 5b7ec5f fetch tags on update and fix tests
  • 9906874 recreate git config during update to prevent config alteration



🤖 Automatic Updates

Update .github/settings.yml @osterman (#101)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub