Merge pull request #75 from trussworks/aws-4

Provide an upgrade path to AWS provider 4.0

Author: carterjones

.pre-commit-config.yaml

@@ -1,18 +1,18 @@
 repos:
-  - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.2.0
     hooks:
       - id: check-merge-conflict
       - id: check-yaml
       - id: detect-private-key
       - id: trailing-whitespace
 
-  - repo: git://github.com/igorshubovych/markdownlint-cli
-    rev: v0.27.1
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.31.1
     hooks:
       - id: markdownlint
 
-  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.48.0
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.71.0
     hooks:
-      - id: terraform_fmt
+      - id: terraform_fmt

README.md

@@ -138,6 +138,50 @@ terraform {
 
 ## Upgrade Path
 
+### Release v3.0.0
+
+Version 3.x.x enables the use of version 4 of the AWS provider. Terraform provided [an upgrade path](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade) for this. To support the upgrade path, this module now includes the following additional resources:
+
+* `module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs`
+
+This module version changes the `log_bucket_versioning` variable from a boolean to a string. There are three possible values for this variable: `Enabled`, `Disabled`, and `Suspended`. If at one point versioning was enabled on your bucket, but has since been turned off, you will need to set `log_bucket_versioning` to `Suspended` rather than `Disabled`.
+
+Additionally, this version of the module requires a minimum AWS provider version of 3.75, so that you can remain on the 3.x AWS provider while still gaining the ability to utilize the new S3 resources introduced in the 4.x AWS provider.
+
+There are two general approaches to performing this upgrade:
+
+1. Upgrade the module version and run `terraform plan` followed by `terraform apply`, which will create the new Terraform resources.
+1. Perform `terraform import` commands, which accomplishes the same thing without running `terraform apply`. This is the more cautious route.
+
+If you choose to take the route of running `terraform import`, you will need to perform the following imports. Replace `example` with the name you're using when calling this module and replace `your-bucket-name-here` with the name of your bucket (as opposed to an S3 bucket ARN). Replace `your-logging-bucket-name-here` with the name of your logging bucket. Also note the inclusion of `,private` when importing the new `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket` Terraform resource and the inclusion of `,log-delivery-write` when importing the new `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs` Terraform resource.
+
+```sh
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket your-bucket-name-here,private
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket your-bucket-name-here
+terraform import 'module.example.module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket[0]' your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs your-logging-bucket-name-here,log-delivery-write
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs your-logging-bucket-name-here
+```
+
+After this, you will need to run a `terraform plan` and `terraform apply` to apply some non-functional changes to lifecycle rule IDs.
+
 ### Release v2.0.0
 
 When upgrading from v1.6.1 to v2.0.0 the terraform state must be modified to move the account alias resource:

main.tf

@@ -14,15 +14,19 @@ resource "aws_iam_account_alias" "alias" {
 
 module "terraform_state_bucket" {
   source  = "trussworks/s3-private-bucket/aws"
-  version = "~> 3.7.0"
+  version = "~> 4.0.0"
 
   bucket         = local.state_bucket
-  logging_bucket = module.terraform_state_bucket_logs.aws_logs_bucket
+  logging_bucket = local.logging_bucket
 
   use_account_alias_prefix = false
 
   enable_s3_public_access_block = var.enable_s3_public_access_block
   tags                          = var.state_bucket_tags
+
+  depends_on = [
+    module.terraform_state_bucket_logs
+  ]
 }
 
 #
@@ -31,12 +35,14 @@ module "terraform_state_bucket" {
 
 module "terraform_state_bucket_logs" {
   source  = "trussworks/logs/aws"
-  version = "~> 11.0.0"
+  version = "~> 13.0.0"
 
   s3_bucket_name          = local.logging_bucket
   default_allow           = false
   s3_log_bucket_retention = var.log_retention
-  enable_versioning       = var.log_bucket_versioning
+  versioning_status       = var.log_bucket_versioning
+
+  tags = var.log_bucket_tags
 }
 
 #

variables.tf

@@ -42,9 +42,13 @@ variable "log_name" {
 }
 
 variable "log_bucket_versioning" {
-  description = "Bool for toggling versioning for log bucket"
-  type        = bool
-  default     = false
+  description = "A string that indicates the versioning status for the log bucket."
+  default     = "Disabled"
+  type        = string
+  validation {
+    condition     = contains(["Enabled", "Disabled", "Suspended"], var.log_bucket_versioning)
+    error_message = "Valid values for versioning_status are Enabled, Disabled, or Suspended."
+  }
 }
 
 variable "state_bucket_tags" {
@@ -53,6 +57,12 @@ variable "state_bucket_tags" {
   description = "Tags to associate with the bucket storing the Terraform state files"
 }
 
+variable "log_bucket_tags" {
+  type        = map(string)
+  default     = { Automation : "Terraform" }
+  description = "Tags to associate with the bucket storing the Terraform state bucket logs"
+}
+
 variable "enable_s3_public_access_block" {
   description = "Bool for toggling whether the s3 public access block resource should be enabled."
   type        = bool

versions.tf

@@ -2,6 +2,6 @@ terraform {
   required_version = ">= 0.13.0"
 
   required_providers {
-    aws = ">= 3.0, < 4.0"
+    aws = ">= 3.75.0"
   }
 }