Merge pull request #75 from trussworks/aws-4
Provide an upgrade path to AWS provider 4.0
carterjones authored May 12, 2022
2 parents d87e3ef + 81d7ed2 commit 31f84ac
Showing 5 changed files with 75 additions and 15 deletions.
14 changes: 7 additions & 7 deletions .pre-commit-config.yaml
@@ -1,18 +1,18 @@
repos:
- repo: git://github.com/pre-commit/pre-commit-hooks
rev: v3.4.0
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.2.0
hooks:
- id: check-merge-conflict
- id: check-yaml
- id: detect-private-key
- id: trailing-whitespace

- repo: git://github.com/igorshubovych/markdownlint-cli
rev: v0.27.1
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.31.1
hooks:
- id: markdownlint

- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.48.0
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.71.0
hooks:
- id: terraform_fmt
- id: terraform_fmt
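Review bot: The `git://` to `https://` scheme change on all three `repo:` URLs is the fix that matters in this hunk, since GitHub stopped serving the unauthenticated git protocol in 2022 and these hooks would fail to install as previously written; the three `rev` bumps (pre-commit-hooks v3.4.0 to v4.2.0, markdownlint-cli v0.27.1 to v0.31.1, pre-commit-terraform v1.48.0 to v1.71.0) ride along but are unrelated to the AWS provider 4.0 upgrade described in the commit message, so they deserve a mention there. The paired `- id: terraform_fmt` lines at the bottom of the hunk differ only in whitespace, which this rendering hides.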
44 changes: 44 additions & 0 deletions README.md
@@ -138,6 +138,50 @@ terraform {

## Upgrade Path

### Release v3.0.0

Version 3.x.x enables the use of version 4 of the AWS provider. Terraform provided [an upgrade path](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade) for this. To support the upgrade path, this module now includes the following additional resources:

* `module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket`
* `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket`
* `module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket`
* `module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket`
* `module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket`
* `module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket`
* `module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs`
* `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs`
* `module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs`
* `module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs`
* `module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs`
* `module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs`

This module version changes the `log_bucket_versioning` variable from a boolean to a string. There are three possible values for this variable: `Enabled`, `Disabled`, and `Suspended`. If at one point versioning was enabled on your bucket, but has since been turned off, you will need to set `log_bucket_versioning` to `Suspended` rather than `Disabled`.

Additionally, this version of the module requires a minimum AWS provider version of 3.75, so that you can remain on the 3.x AWS provider while still gaining the ability to utilize the new S3 resources introduced in the 4.x AWS provider.

There are two general approaches to performing this upgrade:

1. Upgrade the module version and run `terraform plan` followed by `terraform apply`, which will create the new Terraform resources.
1. Perform `terraform import` commands, which accomplishes the same thing without running `terraform apply`. This is the more cautious route.

If you choose to take the route of running `terraform import`, you will need to perform the following imports. Replace `example` with the name you're using when calling this module and replace `your-bucket-name-here` with the name of your bucket (as opposed to an S3 bucket ARN). Replace `your-logging-bucket-name-here` with the name of your logging bucket. Also note the inclusion of `,private` when importing the new `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket` Terraform resource and the inclusion of `,log-delivery-write` when importing the new `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs` Terraform resource.

```sh
terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket your-bucket-name-here
terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket your-bucket-name-here,private
terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket your-bucket-name-here
terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket your-bucket-name-here
terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket your-bucket-name-here
terraform import 'module.example.module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket[0]' your-bucket-name-here
terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs your-logging-bucket-name-here
terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs your-logging-bucket-name-here,log-delivery-write
terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs your-logging-bucket-name-here
terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs your-logging-bucket-name-here
terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs your-logging-bucket-name-here
```

After this, you will need to run a `terraform plan` and `terraform apply` to apply some non-functional changes to lifecycle rule IDs.

### Release v2.0.0

When upgrading from v1.6.1 to v2.0.0 the terraform state must be modified to move the account alias resource:
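Review bot: The resource list names `module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket` without an index, but the import command for it targets `'module.example.module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket[0]'`; if the upstream module creates that resource with `count`, the list entry should carry the `[0]` too so readers copying addresses from the list get the right one. It would also help to say what a clean post-import `terraform plan` should show (only the lifecycle rule ID changes mentioned in the last paragraph) so users can tell a successful import from a misaddressed one before they run `terraform apply`.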
14 changes: 10 additions & 4 deletions main.tf
@@ -14,15 +14,19 @@ resource "aws_iam_account_alias" "alias" {

module "terraform_state_bucket" {
source = "trussworks/s3-private-bucket/aws"
version = "~> 3.7.0"
version = "~> 4.0.0"

bucket = local.state_bucket
logging_bucket = module.terraform_state_bucket_logs.aws_logs_bucket
logging_bucket = local.logging_bucket

use_account_alias_prefix = false

enable_s3_public_access_block = var.enable_s3_public_access_block
tags = var.state_bucket_tags

depends_on = [
module.terraform_state_bucket_logs
]
}

#
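Review bot: Replacing `logging_bucket = module.terraform_state_bucket_logs.aws_logs_bucket` with `local.logging_bucket` drops the implicit dependency that output reference provided, which is why the explicit `depends_on` had to be added; a module-level `depends_on` is coarser than that, since every resource and data source inside `terraform_state_bucket` now waits on everything inside `terraform_state_bucket_logs`, and Terraform defers data sources under such a dependency until apply, which can make plans noisier. If the 13.x `logs` module still exposes `aws_logs_bucket`, keeping the output reference and dropping `depends_on` is the simpler form; if it does not, that reason belongs in the commit message.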
@@ -31,12 +35,14 @@ module "terraform_state_bucket" {

module "terraform_state_bucket_logs" {
source = "trussworks/logs/aws"
version = "~> 11.0.0"
version = "~> 13.0.0"

s3_bucket_name = local.logging_bucket
default_allow = false
s3_log_bucket_retention = var.log_retention
enable_versioning = var.log_bucket_versioning
versioning_status = var.log_bucket_versioning

tags = var.log_bucket_tags
}

#
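Review bot: Passing `var.log_bucket_versioning` straight through as `versioning_status` is fine, but existing callers that had `log_bucket_versioning = true` now own a bucket on which versioning is already enabled, and S3 never lets a bucket return to the never-versioned state; for them the new default `"Disabled"` is not a valid target, and the only correct mappings are `true` to `"Enabled"` (or `"Suspended"` if they want it off) and `false` to `"Disabled"`. The README upgrade notes cover the turned-off case; a one-line table of old boolean to new string values next to this change would save those users a failed plan.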
16 changes: 13 additions & 3 deletions variables.tf
@@ -42,9 +42,13 @@ variable "log_name" {
}

variable "log_bucket_versioning" {
description = "Bool for toggling versioning for log bucket"
type = bool
default = false
description = "A string that indicates the versioning status for the log bucket."
default = "Disabled"
type = string
validation {
condition = contains(["Enabled", "Disabled", "Suspended"], var.log_bucket_versioning)
error_message = "Valid values for versioning_status are Enabled, Disabled, or Suspended."
}
}

variable "state_bucket_tags" {
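Review bot: The `error_message` in the new validation block refers to `versioning_status`, which is the upstream logs module's input name, while the variable a caller actually sets here is `log_bucket_versioning`; the message should read "Valid values for log_bucket_versioning are Enabled, Disabled, or Suspended." so the user is pointed at the right variable. The validation itself is a good addition, since it turns a silent bool-to-string misconfiguration into a plan-time error.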
@@ -53,6 +57,12 @@ variable "state_bucket_tags" {
description = "Tags to associate with the bucket storing the Terraform state files"
}

variable "log_bucket_tags" {
type = map(string)
default = { Automation : "Terraform" }
description = "Tags to associate with the bucket storing the Terraform state bucket logs"
}

variable "enable_s3_public_access_block" {
description = "Bool for toggling whether the s3 public access block resource should be enabled."
type = bool
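Review bot: `log_bucket_tags` is a new input with a default of `{ Automation : "Terraform" }`, but the README change in this commit documents only the upgrade path; if the README carries a generated inputs table, it should be regenerated so the new variable appears there. The colon form in the default is valid HCL, though `{ Automation = "Terraform" }` is the conventional spelling and is easier to grep for alongside the other variable defaults.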
2 changes: 1 addition & 1 deletion versions.tf
@@ -2,6 +2,6 @@ terraform {
required_version = ">= 0.13.0"

required_providers {
aws = ">= 3.0, < 4.0"
aws = ">= 3.75.0"
}
}
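Review bot: Dropping the `< 4.0` upper bound leaves `aws = ">= 3.75.0"` open-ended, so a future 5.x provider with its own breaking changes would satisfy the constraint without any signal from this module; a bounded range such as `">= 3.75.0, < 5.0"` keeps the 3.75-or-4.x upgrade path the README describes while forcing a deliberate bump for the next major release.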
