Releases: cloudposse/terraform-aws-config
v1.5.2
🤖 Automatic Updates
Update README.md and docs @cloudpossebot (#92)
what
This is an auto-generated PR that updates the README.md and docs
why
To have the most recent changes to README.md and docs from the origin templates
Update Terraform cloudposse/iam-role/aws to v0.19.0 @renovate (#89)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/iam-role/aws (source) | module | minor | 0.15.0 -> 0.19.0 |
Release Notes
cloudposse/terraform-aws-iam-role (cloudposse/iam-role/aws)
v0.19.0
IAM Role name length limit @goruha (#58)
what
- Fix IAM role name length limit
why
- Fix IAM role name length limited to 64
Sync github @max-lobur (#54)
Rebuild github dir from the template
v0.18.0
- No changes
v0.17.0
Update main.tf @karinatitov (#50)
have a chance to configure the name of the policy
what
- With this change I want to have an ability to provide a custom name for the policy
why
- the resources I'm working with were not created in the same way this module assumes
- to have a chance to configure the name of the policy
git.io->cloudposse.tools update @dylanbannon (#46)
what and why
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
References
- DEV-143
v0.16.2
🚀 Enhancements
Add enabled check to data source @nitrocode (#45)
what
- Add enabled check to data source
- Add TestExamplesCompleteDisabled check
why
- Prevent creation if enabled is false
references
v0.16.1
🚀 Enhancements
Disabling all tags in all iam resources @jamengual (#44)
what
- In https://github.com/cloudposse/terraform-aws-iam-role/pull/43 I added the option to disable role tags, but in environments where roles are created under very strict controls, the policy tags for the roles sometimes can't be tagged. This change disables tags for all IAM related resources.
why
- to disable tags for role-related things. Use one variable instead of two.
references
v0.16.0
Making tags for roles optional @jamengual (#43)
what
- Make role tags optional
why
- Restrictive policy boundaries do not allow tagging roles in highly secure environments.
v1.5.1
🚀 Enhancements
resolve deprecation warning in conformance_pack sub-module @gpetras (#76)
what
When using the conformance pack module via examples/hipaa I get the following deprecation warning:
$ terraform plan -var-file=fixtures.us-east-2.tfvars
[snip]
Plan: 16 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ config_recorder_id = (known after apply)
+ storage_bucket_arn = (known after apply)
+ storage_bucket_id = (known after apply)
╷
│ Warning: Deprecated attribute
│
│ on ../../modules/conformance-pack/main.tf line 12, in resource "aws_config_conformance_pack" "default":
│ 12: template_body = data.http.conformance_pack.body
│
│ The attribute "body" is deprecated. Refer to the provider documentation for details.
╵
why
The body parameter in the Terraform http data resource has been deprecated in favor of request_body
references
https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http
🤖 Automatic Updates
Update Terraform cloudposse/config/yaml to v1.0.2 @renovate (#88)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/config/yaml (source) | module | patch | 1.0.1 -> 1.0.2 |
Release Notes
cloudposse/terraform-yaml-config (cloudposse/config/yaml)
v1.0.2
git.io->cloudposse.tools update @dylanbannon (#21)
what and why
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
References
- DEV-143
🚀 Enhancements
Use cloudposse/template provider @nitrocode (#25)
what
- Use cloudposse/template provider
why
- The new cloudposse/template provider has a darwin arm binary for M1 laptops
references
v1.5.0
added recording_mode{} attribute @AdamTylerLynch (#87)
what
Added recording_mode block.
Requesting maintainer guidance on properly defining the inputs as a practitioner would expect. The way it is defined now feels odd, requiring a variable assignment and then a list for recording_mode_override.
Example:
```hcl
##---------------------------------------------------
## AWS Config to monitor compliance
##---------------------------------------------------
module "config" {
  source                           = "cloudposse/terraform-aws-config/aws"
  name                             = "${local.name}-config-${data.aws_caller_identity.current.account_id}"
  namespace                        = local.namespace
  s3_bucket_id                     = module.log_storage.bucket_id
  s3_bucket_arn                    = module.log_storage.bucket_arn
  global_resource_collector_region = data.aws_region.current.name
  create_iam_role                  = true

  recording_mode = {
    recording_frequency = "DAILY"
    recording_mode_override = {
      description         = "Override for specific resource types"
      recording_frequency = "CONTINUOUS"
      resource_types      = ["AWS::EC2::Instance"]
    }
  }
}
```
why
This feature allows for cost optimization. Adds the ability to leverage periodic recording vs. continuous.
references
git.io->cloudposse.tools update @dylanbannon (#55)
what and why
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
References
- DEV-143
v1.4.0
Add support for organization aggregator @IslamHeggy (#85)
what
- Extended the module functionality to include organization wide aggregator
- Add the ability to create/pass new IAM role for the organization aggregator
- Handled default IAM role cases vs organization aggregator IAM role. So they don't depend on each other
why
- The current default way is attaching accounts using account ids; there is no way to use an organization wide aggregator, and it's really hard to maintain a large number of accounts when using organizations.
references
v1.3.0
what
- The access token is now passed in a http header
- Added the MacOS .DS_Store files to .gitignore
why
- This is done to avoid exposure as the data.http.id (which contains the URL) in the logs.
v1.2.0
Added the option to use access tokens @boris-dyga-SM (#80)
That feature allows access to private GitHub repos, where custom conformance packs could be stored
what
- updates to the conformance_pack submodule
- added the access_token variable (defaults to empty string)
- when provided, its value is included in the conformance pack URL, allowing access to private GitHub repos
why
- sometimes customized conformance packs are stored in repos with restricted access
references
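An added example (not the module's own code) of the change described in v1.3.0 above, contrasted with the v1.2.0 approach: the conformance pack template is fetched with the hashicorp/http data source and the token travels in a request header instead of the URL, so it does not end up in data.http.id (the URL) in plan or log output. The variable names and the GitHub token header scheme are assumptions for this example.

```hcl
# Added example, not the module's own code: fetch a conformance pack template
# from a private GitHub repo without putting the token into the URL.
variable "conformance_pack_url" {
  type = string # assumed: raw URL of the conformance pack YAML
}

variable "access_token" {
  type      = string
  default   = ""
  sensitive = true # keeps the token out of plan output and module outputs
}

data "http" "conformance_pack" {
  # Only the URL is recorded as data.http.id, so it must not carry the token.
  url = var.conformance_pack_url

  # Send the Authorization header only when a token was supplied.
  # "token <PAT>" is the GitHub personal access token scheme (assumed here).
  request_headers = {
    for k, v in { Authorization = "token ${var.access_token}" } :
    k => v if var.access_token != ""
  }
}

resource "aws_config_conformance_pack" "default" {
  name = "example-pack" # constructed name

  # response_body is the non-deprecated attribute name in hashicorp/http 3.x;
  # the deprecated "body" attribute is the one the v1.5.1 warning refers to.
  template_body = data.http.conformance_pack.response_body
}
```

With the token in a header, `terraform plan` output and Terraform logs that print the data source id show only the repository URL.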
v1.1.0
v1.0.0
Support AWS Provider V5 @max-lobur (#72)
what
Support AWS Provider V5
Linter fixes
why
Maintenance
references
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0
Sync github @max-lobur (#67)
Rebuild github dir from the template
v0.18.0
- No changes
v0.17.0
Make able to save the `aws_sns_topic_policy` creation, after upgrading from 0.13.0 to newer versions @MaxymVlasov (#63)
what
Make able to save the aws_sns_topic_policy creation, after upgrading from 0.13.0 to newer versions
why
In 0.14.0 (diff), a breaking change was made by updating the cloudposse/sns-topic/aws submodule from 0.15.0 to 0.20.1. The sns-topic diff shows that local.sns_topic_policy_enabled was introduced for the creation of aws_sns_topic_policy:
```hcl
sns_topic_policy_enabled = local.enabled && length(var.allowed_aws_services_for_sns_published) > 0 || length(var.allowed_iam_arns_for_sns_publish) > 0

data "aws_iam_policy_document" "aws_sns_topic_policy" {
  count     = local.sns_topic_policy_enabled ? 1 : 0
  policy_id = "SNSTopicsPub"
```
So, if you try to update from 0.13.0 to a newer version and save aws_sns_topic_policy, you need to provide allowed_aws_services_for_sns_published or allowed_iam_arns_for_sns_publish to the submodule, but these vars do not yet exist in the module.
Usage:
```hcl
module "aws_config" {
  # source  = "cloudposse/config/aws"
  # version = "0.14.0"
  source = "../../../../terraform-aws-config"

  s3_bucket_id                       = local.s3_bucket.config_bucket_id
  s3_bucket_arn                      = local.s3_bucket.config_bucket_arn
  create_iam_role                    = local.create_iam_role
  iam_role_arn                       = local.config_iam_role_arn
  create_sns_topic                   = true
  managed_rules                      = local.enabled_rules
  global_resource_collector_region   = var.global_resource_collector_region
  central_resource_collector_account = local.central_resource_collector_account
  child_resource_collector_accounts  = local.delegated_accounts
  sns_encryption_key_id              = "alias/aws/sns"
  context                            = module.this.context

  allowed_aws_services_for_sns_published = ["cloudwatch.amazonaws.com"]
  # allowed_iam_arns_for_sns_publish     = []
}
```