Releases: cloudposse/terraform-aws-ec2-client-vpn

v0.10.5

07 Jan 02:34
ba4c353

🤖 Automatic Updates

Update Terraform cloudposse/cloudwatch-logs/aws to v0.6.3 @renovate (#26)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/cloudwatch-logs/aws (source) | module | patch | 0.6.2 -> 0.6.3 |

Release Notes

cloudposse/terraform-aws-cloudwatch-logs

v0.6.3

🤖 Automatic Updates

Update Terraform cloudposse/iam-role/aws to v0.14.1 @renovate (#28)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/iam-role/aws (source) | module | patch | 0.14.0 -> 0.14.1 |

Release Notes
cloudposse/terraform-aws-iam-role

[`v0.14.1`](https://togithub.com/cloudposse/terraform-aws-iam-role/releases/0.14.1)

Fix: Fix Variable Description Typo for `var.use_fullname` @korenyoni (#36)

what

  • Fix variable description typo introduced in #35 for `var.use_fullname`

why

  • Minor typo (unmatched right bracket).

references

  • #35

Drop unused null provider @Xerkus (#34)

what

  • Drop `hashicorp/null` provider from dependencies

why

  • As far as I can tell the null provider is not used and I do not think it is needed for any kind of indirect dependency
  • I think it was needed at some point for terraform-null-label

references

  • Closes #31

Fix: fix variable description for `var.use_fullname`, run `make github/init` @korenyoni (#35)

what

  • Fix variable description for `var.use_fullname`.
  • Run `make github/init`.

why

  • The `var.use_fullname` variable description is incorrect and refers to ECR repositories instead of IAM roles.
  • Running `make github/init` will update GHA-workflow related files (and CODEOWNERS), the former of which is required for the `no-release` label (which allows for consolidating multiple small PRs such as this into one release).

references

  • N/A

🚀 Enhancements

Add tags to policy @nitrocode (#37)

what

  • Add tags to policy

why

  • Tag it all

references

N/A

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.


v0.10.4

29 Dec 04:56
ffa21e3

🤖 Automatic Updates

Update Terraform cloudposse/security-group/aws to v0.4.3 @renovate (#25)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/security-group/aws (source) | module | patch | 0.4.2 -> 0.4.3 |

Release Notes

cloudposse/terraform-aws-security-group

v0.4.3

Update recommended inputs and outputs @Nuru (#26)

what

  • Update recommended inputs and outputs

why

  • Changes based on experience implementing several modules

🚀 Enhancements

Rename the exported `security_group_inputs.tf` file to `security-group-inputs.tf` @aknysh (#30)

what

  • Rename the exported `security_group_inputs.tf` file to `security-group-inputs.tf`
  • Update GitHub workflows and LICENSE

why

  • Our naming convention is to use `kebab-case` for all files. Having a file in `snake_case` (after adding it to a repo) together with all the other files in `kebab-case` in the same repo does not look correct
  • Keep up to date

v0.10.3

14 Dec 18:34
5d6c127

🤖 Automatic Updates

Update Terraform cloudposse/cloudwatch-logs/aws to v0.6.2 @renovate (#23)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/cloudwatch-logs/aws (source) | module | patch | 0.6.1 -> 0.6.2 |

Release Notes

cloudposse/terraform-aws-cloudwatch-logs

v0.6.2

🤖 Automatic Updates

Update Terraform cloudposse/iam-role/aws to v0.14.0 @renovate (#27)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/iam-role/aws (source) | module | minor | 0.13.0 -> 0.14.0 |

Release Notes
cloudposse/terraform-aws-iam-role

[`v0.14.0`](https://togithub.com/cloudposse/terraform-aws-iam-role/releases/0.14.0)

Add assume role policy conditions and managed iam policies @sebastianmacarescu (#33)

what

  • option to attach AWS Managed IAM policies to created role
  • option to add conditions to trust policy

why

  • we should be able to use aws managed policies (or any other policies) and not create new ones dedicated for this role
  • we should be able to add conditions on who can assume this role (mfa enabled, be part of organization, specific session name, etc)

references

  • closes #24
  • documentation for conditions: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
  • documentation for conditions in trust role policies: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

v0.10.2

03 Dec 23:36
a2c570a

Add sg 4.x best practices and egress-all sg rule added @nitrocode (#22)

what

  • Add sg 4.x best practices (separate inputs, deprecation, allow additional rules)
  • Added egress-all rule to sg

why

  • More flexibility
  • Sane defaults

references

commands

terraform plan
  # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[0] will be updated in-place
  ~ resource "aws_ec2_client_vpn_network_association" "default" {
        id                     = "cvpn-assoc-snip"
      ~ security_groups        = [
          - "sg-snip",
          - "sg-snip",
        ] -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[1] will be updated in-place
  ~ resource "aws_ec2_client_vpn_network_association" "default" {
        id                     = "cvpn-assoc-snip"
      ~ security_groups        = [
          - "sg-snip",
          - "sg-snip",
        ] -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[2] will be updated in-place
  ~ resource "aws_ec2_client_vpn_network_association" "default" {
        id                     = "cvpn-assoc-snip"
      ~ security_groups        = [
          - "sg-snip",
          - "sg-snip",
        ] -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ec2_client_vpn.module.vpn_security_group.aws_security_group.cbd[0] will be created
  + resource "aws_security_group" "cbd" {
      + arn                    = (known after apply)
      + description            = "Managed by Terraform"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = "snip-ec2-client-vpn-"
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Environment" = "use2"
          + "Name"        = "snip-ec2-client-vpn"
          + "Namespace"   = "snip"
          + "Stage"       = "snip"
          + "Tenant"      = "snip"
        }
      + tags_all               = {
          + "Environment" = "use2"
          + "Name"        = "snip-ec2-client-vpn"
          + "Namespace"   = "snip"
          + "Stage"       = "snip"
          + "Tenant"      = "snip"
        }
      + vpc_id                 = "vpc-snip"

      + timeouts {
          + create = "10m"
          + delete = "15m"
        }
    }

  # module.ec2_client_vpn.module.vpn_security_group.aws_security_group.default[0] will be destroyed
  - resource "aws_security_group" "default" {
      - arn                    = "arn:aws:ec2:us-east-2:snip:security-group/sg-snip" -> null
      - description            = "Managed by Terraform" -> null
      - egress                 = [] -> null
      - id                     = "sg-snip" -> null
      - ingress                = [
          - {
              - cidr_blocks      = []
              - description      = "Allow self access only by default"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = true
              - to_port          = 0
            },
        ] -> null
      - name                   = "snip-ec2-client-vpn" -> null
      - owner_id               = "snip" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Environment" = "use2"
          - "Name"        = "snip-ec2-client-vpn"
          - "Namespace"   = "snip"
          - "Stage"       = "snip"
          - "Tenant"      = "snip"
        } -> null
      - tags_all               = {
          - "Environment" = "use2"
          - "Name"        = "snip-ec2-client-vpn"
          - "Namespace"   = "snip"
          - "Stage"       = "snip"
          - "Tenant"      = "snip"
        } -> null
      - vpc_id                 = "vpc-snip" -> null

      - timeouts {
          - create = "10m" -> null
          - delete = "15m" -> null
        }
    }

  # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["_allow_all_egress_"] will be created
  + resource "aws_security_group_rule" "keyed" {
      + cidr_blocks              = [
          + "0.0.0.0/0",
        ]
      + description              = "Allow all egress"
      + from_port                = 0
      + id                       = (known after apply)
      + ipv6_cidr_blocks         = [
          + "::/0",
        ]
      + prefix_list_ids          = []
      + protocol                 = "-1"
      + security_group_id        = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 0
      + type                     = "egress"
    }

  # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["_m[0]#vpn-self#self"] will be created
  + resource "aws_security_group_rule" "keyed" {
      + description              = "Allow all ingress to listed security groups"
      + from_port                = 0
      + id                       = (known after apply)
      + prefix_list_ids          = []
      + protocol                 = "-1"
      + security_group_id        = (known after apply)
      + self                     = true
      + source_security_group_id = (known after apply)
      + to_port                  = 0
      + type                     = "ingress"
    }

  # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["vpn-self"] will be destroyed
  - resource "aws_security_group_rule" "keyed" {
      - cidr_blocks              = [] -> null
      - description              = "Allow self access only by default" -> null
      - from_port                = 0 -> null
      - id                       = "sgrule-3220596061" -> null
      - ipv6_cidr_blocks         = [] -> null
      - prefix_list_ids          = [] -> null
      - protocol                 = "-1" -> null
      - security_group_id        = "sg-snip" -> null
      - self                     = true -> null
      - source_security_group_id = "sg-snip" -> null
      - to_port                  = 0 -> null
      - type                     = "ingress" -> null
    }

Plan: 3 to add, 3 to change, 2 to destroy.

Fix readme release @nitrocode (#20)

what

  • Point to this module's releases

why

  • Show this module's releases instead of from where this repo was forked from (terraform-example-module)

references

N/A

v0.10.1

03 Dec 18:13
e23bfec

🚀 Enhancements

Export client cert when mutual @nitrocode (#21)

what

  • Export client cert when mutual

why

  • No point in exporting client cert if mutual is not enabled because module.self_signed_cert_root is only activated when mutual is enabled

references

N/A

v0.10.0

02 Dec 21:55
543b6ae

Small fixes (region removal, formatting, docs) @nitrocode (#19)

what

  • Small fixes (region removal, formatting, docs)
  • Removed unused providers
  • Removed unused variables
  • Use retention_in_logs in cloudwatch logs
  • Appropriate tagging
  • Enabled logic set to false will disable module

why

  • Best practices

references

N/A

commands

⨠ cd examples/complete
⨠ terraform plan -var-file=fixtures.us-east-2.tfvars -var="enabled=false"

Changes to Outputs:

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

v0.9.2

18 Nov 23:34
a167f96

🤖 Automatic Updates

Update Terraform cloudposse/cloudwatch-logs/aws to v0.6.1 @renovate (#18)

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| cloudposse/cloudwatch-logs/aws (source) | module | patch | 0.6.0 -> 0.6.1 |

Release Notes

cloudposse/terraform-aws-cloudwatch-logs

v0.6.1

Docs: Fix usage snippet (missing source attribute) @korenyoni (#25)

what

  • Fix usage snippet (missing source attribute)
  • Fix module block name in usage snippet (does not match module name)

why

  • The usage snippet is incorrect (missing source attribute and does not match module name)

references

  • N/A

🚀 Enhancements

Allow slash in log group names @nitrocode (#26)

what

  • Custom label for cloudwatch log group name

why

  • Allow slash in log group names

references

  • https://sweetops.slack.com/archives/CB6GHNLG0/p1636985722167300

test

provider "aws" {
  region = "us-east-2"
}

module "cloudwatch_logs" {
  source = "github.com/cloudposse/terraform-aws-cloudwatch-logs?ref=allow-slash-log-group-names"

  name = "/aws/kinesisfirehose/aws-waf-logs-dev-app"
}

results in

  # module.cloudwatch_logs.aws_cloudwatch_log_group.default[0] will be created
  + resource "aws_cloudwatch_log_group" "default" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/kinesisfirehose/aws-waf-logs-dev-app"
      + retention_in_days = 30
      + tags              = {
          + "Name" = "/aws/kinesisfirehose/aws-waf-logs-dev-app"
        }
      + tags_all          = {
          + "Name" = "/aws/kinesisfirehose/aws-waf-logs-dev-app"
        }
    }

v0.9.1

05 Nov 13:36
132ad4a

🚀 Enhancements

Fix for DNS Server Validation @r351574nc3 (#17)

what

  • Add validation check for dns_servers to verify they are indeed ip addresses

why

  • Currently, it's just free-form string.
  • Can cause problems for values that are not ip addresses

references

  • N/A

v0.9.0

03 Nov 17:15
7bdb838

Add Split Tunnel and DNS Servers Options @r351574nc3 (#16)

what

  • Add new variables options to examples and to the main module

why

  • Some customers require the option to specify their own dns servers
  • Some customers require the option to not route all traffic through the VPN

references

N/A

v0.8.1

02 Nov 19:16
be1df55

🚀 Enhancements

Fix Issue with SAML Document for IDP @r351574nc3 (#15)

what

  • Switching from join to list notation when choosing default for saml_provider_arn

why

  • join results in empty string which forces try block to succeed on first try each time
    • the try block is broken and never really works

references

N/A