Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update terraform aws to v5 #255

Merged
merged 1 commit into from
Oct 23, 2023
Merged

Conversation

renovate-cds[bot]
Copy link
Contributor

@renovate-cds renovate-cds bot commented Oct 22, 2023

This PR contains the following updates:

Package Type Update Change
aws (source) required_provider major ~> 4.15 -> ~> 5.0

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

Release Notes

hashicorp/terraform-provider-aws (aws)

v5.22.0

Compare Source

FEATURES:

  • New Data Source: aws_media_convert_queue (#​27075)
  • New Resource: aws_elasticsearch_vpc_endpoint (#​33925)
  • New Resource: aws_msk_replicator (#​33973)

ENHANCEMENTS:

  • data-source/aws_ec2_client_vpn_endpoint: Add self_service_portal_url attribute (#​34007)
  • resource/aws_alb: Support import of name_prefix argument (#​33852)
  • resource/aws_alb_target_group: Support import of name_prefix argument (#​33852)
  • resource/aws_cloudfront_public_key: Support import of name_prefix argument (#​33852)
  • resource/aws_db_option_group: Support import of name_prefix argument (#​33852)
  • resource/aws_docdb_cluster: Support import of cluster_identifier_prefix argument (#​33852)
  • resource/aws_docdb_cluster_instance: Support import of identifier_prefix argument (#​33852)
  • resource/aws_docdb_cluster_parameter_group: Support import of name_prefix argument (#​33852)
  • resource/aws_docdb_subnet_group: Support import of name_prefix argument (#​33852)
  • resource/aws_ec2_client_vpn_endpoint: Add self_service_portal_url attribute (#​34007)
  • resource/aws_elb: Support import of name_prefix argument (#​33852)
  • resource/aws_emr_security_configuration: Support import of name_prefix argument (#​33852)
  • resource/aws_iam_group_policy: Support import of name_prefix argument (#​33852)
  • resource/aws_iam_role_policy: Support import of name_prefix argument (#​33852)
  • resource/aws_iam_user_policy: Support import of name_prefix argument (#​33852)
  • resource/aws_iot_provisioning_template: Add type attribute (#​33950)
  • resource/aws_lb: Support import of name_prefix argument (#​33852)
  • resource/aws_lb_target_group: Support import of name_prefix argument (#​33852)
  • resource/aws_neptune_cluster: Support import of cluster_identifier_prefix argument (#​33852)
  • resource/aws_neptune_cluster_instance: Support import of identifier_prefix argument (#​33852)
  • resource/aws_neptune_cluster_parameter_group: Support import of name_prefix argument (#​33852)
  • resource/aws_neptune_event_subscription: Support import of name_prefix argument (#​33852)
  • resource/aws_pinpoint_app: Support import of name_prefix argument (#​33852)
  • resource/aws_rds_cluster: Support import of cluster_identifier_prefix argument (#​33852)
  • resource/aws_rds_cluster_instance: Support import of identifier_prefix argument (#​33852)
  • resource/aws_signer_signing_profile: Support import of name_prefix argument (#​33852)
  • resource/aws_signer_signing_profile_permission: Add signer:SignPayload as a valid action value (#​33852)
  • resource/aws_signer_signing_profile_permission: Support import of statement_id_prefix argument (#​33852)
  • resource/aws_transfer_server: Change pre_authentication_login_banner and post_authentication_login_banner length limits to 4096 (#​33937)
  • resource/aws_wafv2_web_acl: Add ja3_fingerprint to field_to_match configuration blocks (#​33933)

BUG FIXES:

  • data-source/aws_dms_certificate: Fix crash when certificate not found (#​34012)
  • resource/aws_cloudformation_stack: Fix error when computed values are not set when there is no update (#​33969)
  • resource/aws_codecommit_repository: Doesn't force replacement when renaming (#​32207)
  • resource/aws_db_instance: Creating resource from snapshot or point-in-time recovery now handles manage_master_user_password and master_user_secret_kms_key_id attributes correctly (#​33699)
  • resource/aws_elasticache_replication_group: Fix error when switching engine_version from 6.x to a specific 6.<digit> version number (#​33954)
  • resource/aws_iam_role: Fix refreshing permission_boundary when deleted outside of Terraform (#​33963)
  • resource/aws_iam_user: Fix refreshing permission_boundary when deleted outside of Terraform (#​33963)
  • resource/aws_inspector2_enabler: Fix Value at 'resourceTypes' failed to satisfy constraint errors (#​33348)
  • resource/aws_neptune_cluster_instance: Remove ForceNew from engine_version (#​33487)
  • resource/aws_neptune_cluster_parameter_group: Fix condition where defined cluster parameters with system default values are seen as updates (#​33487)
  • resource/aws_s3_bucket_object_lock_configuration: Fix found resource errors on Delete (#​33966)

v5.21.0

Compare Source

FEATURES:

  • New Data Source: aws_servicequotas_templates (#​33871)
  • New Resource: aws_ec2_image_block_public_access (#​33810)
  • New Resource: aws_guardduty_organization_configuration_feature (#​33913)
  • New Resource: aws_servicequotas_template_association (#​33725)
  • New Resource: aws_verifiedaccess_group (#​33297)
  • New Resource: aws_verifiedaccess_instance_logging_configuration (#​33864)

ENHANCEMENTS:

  • data-source/aws_dms_endpoint: Add s3_settings.glue_catalog_generation attribute (#​33778)
  • data-source/aws_msk_cluster: Add cluster_uuid attribute (#​33805)
  • resource/aws_codedeploy_deployment_group: Add outdated_instances_strategy argument (#​33844)
  • resource/aws_dms_endpoint: Add s3_settings.glue_catalog_generation attribute (#​33778)
  • resource/aws_dms_s3_endpoint: Add glue_catalog_generation attribute (#​33778)
  • resource/aws_docdb_cluster: Add allow_major_version_upgrade argument (#​33790)
  • resource/aws_docdb_cluster_instance: Add copy_tags_to_snapshot argument (#​31022)
  • resource/aws_dynamodb_table: Add import_table configuration block (#​33802)
  • resource/aws_msk_cluster: Add cluster_uuid attribute (#​33805)
  • resource/aws_msk_serverless_cluster: Add cluster_uuid attribute (#​33805)
  • resource/aws_networkmanager_core_network: Add base_policy_document argument (#​33712)
  • resource/aws_redshiftserverless_workgroup: Allow require_ssl and use_fips_ssl config_parameters keys (#​33916)
  • resource/aws_s3_bucket: Use configurable timeout for resource Delete (#​33845)
  • resource/aws_verifiedaccess_instance: Add fips_enabled argument (#​33880)
  • resource/aws_vpclattice_target_group: Add config.lambda_event_structure_version argument (#​33804)
  • resource/aws_vpclattice_target_group: Make config.port, config.protocol and config.vpc_identifier optional (#​33804)
  • resource/aws_wafv2_web_acl: Add aws_managed_rules_acfp_rule_set to managed_rule_group_configs configuration block (#​33915)

BUG FIXES:

  • provider: Respect valid values for the AWS_S3_US_EAST_1_REGIONAL_ENDPOINT environment variable when configuring the S3 API client (#​33874)
  • resource/aws_appflow_connector_profile: Fix various crashes (#​33856)
  • resource/aws_db_parameter_group: Group names containing periods (.) no longer fail validation (#​33704)
  • resource/aws_opensearchserverless_collection: Fix crash when error is returned (#​33918)
  • resource/aws_rds_cluster_parameter_group: Group names containing periods (.) no longer fail validation (#​33704)

v5.20.1

Compare Source

NOTES:

v5.20.0

Compare Source

FEATURES:

  • New Resource: aws_guardduty_detector_feature (#​31463)
  • New Resource: aws_servicequotas_template (#​33688)
  • New Resource: aws_sesv2_account_vdm_attributes (#​33705)
  • New Resource: aws_verifiedaccess_instance_trust_provider_attachment (#​33734)

ENHANCEMENTS:

  • data-source/aws_guardduty_detector: Add features attribute (#​31463)
  • resource/aws_finspace_kx_cluster: Increase default creation timeout to 45 minutes, default deletion timeout to 60 minutes (#​33745)
  • resource/aws_finspace_kx_environment: Increase default deletion timeout to 45 minutes (#​33745)
  • resource/aws_guardduty_filter: Add plan-time validation of name (#​21030)
  • resource/aws_kinesis_firehose_delivery_stream: Add opensearchserverless_configuration and msk_source_configuration configuration blocks (#​33101)
  • resource/aws_kinesis_firehose_delivery_stream: Add opensearchserverless as a valid destination value (#​33101)

BUG FIXES:

  • data-source/aws_fsx_ontap_storage_virtual_machine: Fix crash when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is not configured (#​33800)
  • resource/aws_ec2_transit_gateway_route : Fix TGW route search filter to avoid routes being missed when more than 1,000 static routes are in a TGW route table (#​33765)
  • resource/aws_fsx_ontap_storage_virtual_machine: Fix crash when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is not configured (#​33800)
  • resource/aws_medialive_channel: Fix VPC settings flatten/expand/docs. (#​33558)
  • resource/aws_vpc_endpoint: Set dns_options.dns_record_ip_type to Computed to prevent diffs (#​33743)

v5.19.0

Compare Source

BREAKING CHANGES:

NOTES:

  • data-source/aws_s3_bucket_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#​33660)
  • data-source/aws_s3_object: The metadata attribute's keys are now always returned in lowercase. Please modify configurations as necessary (#​33660)
  • resource/aws_iam_*: This release introduces additional validation of IAM policy JSON arguments to detect duplicate keys. Previously, arguments with duplicated keys resulted in all but one of the key values being overwritten. Since this results in unexpected IAM policies being submitted to AWS, we have updated the validation logic to error in these cases. This may cause existing IAM policy arguments to fail validation, however, those policies are likely not what was originally intended. (#​33570)

FEATURES:

  • New Resource: aws_cleanrooms_configured_table (#​33602)
  • New Resource: aws_dms_replication_config (#​32908)
  • New Resource: aws_lexv2models_bot (#​33475)
  • New Resource: aws_rds_custom_db_engine_version (#​33285)

ENHANCEMENTS:

  • resource/aws_cloud9_environment_ec2: Add ubuntu-22.04-x86_64 and resolve:ssm:/aws/service/cloud9/amis/ubuntu-22.04-x86_64 as valid values for image_id (#​33662)
  • resource/aws_fsx_ontap_volume: Add bypass_snaplock_enterprise_retention argument and snaplock_configuration configuration block to support SnapLock (#​32530)
  • resource/aws_fsx_ontap_volume: Add copy_tags_to_backups and snapshot_policy arguments (#​32530)
  • resource/aws_fsx_openzfs_volume: Add delete_volume_options argument (#​32530)
  • resource/aws_lightsail_bucket: Add force_delete argument (#​33586)
  • resource/aws_opensearch_outbound_connection: Add connection_properties, connection_mode and accept_connection arguments (#​32990)
  • resource/aws_wafv2_rule_group: Add rate_based_statement.custom_key configuration block (#​33594)
  • resource/aws_wafv2_web_acl: Add rate_based_statement.custom_key configuration block (#​33594)

BUG FIXES:

  • resource/aws_batch_job_queue: Correctly validates elements of compute_environments as ARNs (#​33577)
  • resource/aws_cloudfront_continuous_deployment_policy: Fix IllegalUpdate errors when updating a staging aws_cloudfront_distribution that is part of continuous deployment (#​33578)
  • resource/aws_cloudfront_distribution: Fix IllegalUpdate errors when updating a staging distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_cloudfront_distribution: Fix PreconditionFailed errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_cloudfront_distribution: Fix StagingDistributionInUse errors when destroying a distribution associated with an aws_cloudfront_continuous_deployment_policy (#​33578)
  • resource/aws_datasync_location_fsx_ontap_file_system: Correct handling of protocol.smb.domain, protocol.smb.user and protocol.smb.password (#​33641)
  • resource/aws_glacier_vault_lock: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_group_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_role: Fail validation if duplicated keys are found in assume_role_policy (#​33570)
  • resource/aws_iam_role_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_iam_user_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_mediastore_container_policy: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_s3_bucket_policy: Fix intermittent couldn't find resource errors on resource Create (#​33537)
  • resource/aws_ssoadmin_permission_set_inline_policy: Fail validation if duplicated keys are found in inline_policy (#​33570)
  • resource/aws_transfer_access: Fail validation if duplicated keys are found in policy (#​33570)
  • resource/aws_transfer_user: Fail validation if duplicated keys are found in policy (#​33570)

v5.18.1

Compare Source

NOTES:

  • documentation: Duplicate CDKTF guides with differing file extensions have been removed to resolve failures in the provider release workflow. (#​33630)

v5.18.0

Compare Source

FEATURES:

  • New Data Source: aws_fsx_ontap_file_system (#​32503)
  • New Data Source: aws_fsx_ontap_storage_virtual_machine (#​32621)
  • New Data Source: aws_fsx_ontap_storage_virtual_machines (#​32624)
  • New Data Source: aws_organizations_organizational_unit (#​33408)
  • New Resource: aws_opensearch_package (#​33227)
  • New Resource: aws_opensearch_package_association (#​33227)

ENHANCEMENTS:

  • resource/aws_fsx_ontap_storage_virtual_machine: Remove ForceNew from active_directory_configuration.self_managed_active_directory_configuration.domain_name, active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group and active_directory_configuration.self_managed_active_directory_configuration.organizational_unit_distinguished_name allowing an SVM to join AD after creation (#​33466)

BUG FIXES:

  • data-source/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#​33477)
  • resource/aws_db_instance: Fix so that storage_throughput can be changed when iops and allocated_storage are not changed (#​33529)
  • resource/aws_db_option_group: Avoid erroneous differences being reported when an option port and/or version is not set (#​33511)
  • resource/aws_fsx_ontap_storage_virtual_machine: Avoid recreating resource when active_directory_configuration.self_managed_active_directory_configuration.file_system_administrators_group is configured (#​33466)
  • resource/aws_fsx_ontap_storage_virtual_machine: Change file_system_id to ForceNew (#​32621)
  • resource/aws_s3_bucket_accelerate_configuration: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_s3_bucket_policy: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_s3_bucket_versioning: Retry resource Delete on OperationAborted: A conflicting conditional operation is currently in progress against this resource errors (#​33531)
  • resource/aws_sesv2_email_identity: Mark dkim_signing_attributes.domain_signing_private_key as sensitive (#​33477)

v5.17.0

Compare Source

NOTES:

  • data-source/aws_s3_object: Migration to AWS SDK for Go v2 means that the edge case of specifying a single / as the value for key is no longer supported (#​33358)

FEATURES:

  • New Resource: aws_shield_application_layer_automatic_response (#​33432)
  • New Resource: aws_verifiedaccess_instance (#​33459)

ENHANCEMENTS:

  • data-source/aws_s3_object: Add checksum_mode argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • data-source/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id attribute (#​33416)
  • resource/aws_s3_object: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • resource/aws_s3_object_copy: Add checksum_algorithm argument and checksum_crc32, checksum_crc32c, checksum_sha1 and checksum_sha256 attributes (#​33358)
  • resource/aws_s3control_multi_region_access_point: Add details.region.bucket_account_id argument to support cross-account Multi-Region Access Points (#​33416)
  • resource/aws_s3control_multi_region_access_point: Add details.region.region attribute (#​33416)
  • resource/aws_schemas_schema: Add JSONSchemaDraft4 schema type support (#​33442)
  • resource/aws_transfer_connector: Add sftp_config argument and make as2_config optional (#​32741)
  • resource/aws_wafv2_web_acl: Retry resource Update on WAFOptimisticLockException errors (#​33432)

BUG FIXES:

  • resource/aws_dms_replication_task: Fix error when replication_task_settings is nil (#​33456)
  • resource/aws_elasticache_cluster: Fix regression for redis engine types caused by the new transit_encryption_enabled argument (#​33451)
  • resource/aws_neptune_cluster: Fix ignored kms_key_arn on restore from DB cluster snapshot (#​33413)
  • resource/aws_servicecatalog_product: Allow import on provisioning_artifact_parameters attribute (#​33448)
  • resource/aws_subnet: Fix destroy error when there is a lingering ENI for DMS (#​33375)

v5.16.2

Compare Source

FEATURES:

  • New Data Source: aws_cognito_identity_pool (#​33053)
  • New Resource: aws_verifiedaccess_trust_provider (#​33195)

ENHANCEMENTS:

  • resource/aws_autoscaling_group: Change the default values of instance_refresh.preferences.scale_in_protected_instances and instance_refresh.preferences.standby_instances from Wait to the Amazon EC2 Auto Scaling console recommended value of Ignore (#​33382)
  • resource/aws_s3control_object_lambda_access_point: Add alias attribute (#​33388)

BUG FIXES:

  • resource/aws_autoscaling_group: Fix ValidationError errors when starting Auto Scaling group instance refresh (#​33382)
  • resource/aws_iot_topic_rule: Fix InvalidParameter errors on Update with Kafka destinations (#​33360)
  • resource/aws_lightsail_certificate: Fix validation of name (#​33405)
  • resource/aws_lightsail_database: Fix validation of name (#​33405)
  • resource/aws_lightsail_disk: Fix validation of name (#​33405)
  • resource/aws_lightsail_instance: Fix validation of name (#​33405)
  • resource/aws_lightsail_lb: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_attachment: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_certificate: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_certificate_attachment: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_https_redirection_policy: Fix validation of lb_name (#​33405)
  • resource/aws_lightsail_lb_stickiness_policy: Fix validation of lb_name (#​33405)

v5.16.1

Compare Source

BUG FIXES:

  • data-source/aws_efs_file_system: Fix Search returned 0 results errors when there are more than 101 file systems in the configured Region (#​33336)
  • resource/aws_db_instance_automated_backups_replication: Fix unexpected state errors on resource Create (#​33369)
  • resource/aws_glue_catalog_table: Fix removal of metadata_location and table_type parameters when updating Iceberg tables (#​33374)
  • resource/aws_service_discovery_instance: Fix validation error "expected to match regular expression" (#​33371)

v5.16.0

Compare Source

NOTES:

  • provider: Performance regression introduced in v5.14.0 should be largely mitigated (#​33317)

FEATURES:

  • New Resource: aws_shield_drt_access_log_bucket_association (#​33328)
  • New Resource: aws_shield_drt_access_role_arn_association (#​33328)

ENHANCEMENTS:

  • data-source/aws_api_gateway_api_key: Add customer_id attribute (#​33281)
  • data-source/aws_fsx_windows_file_system: Add disk_iops_configuration attribute (#​33303)
  • data-source/aws_opensearch_domain: Add software_update_options attribute (#​32234)
  • data-source/aws_s3_objects: Add request_payer argument and request_charged attribute (#​33304)
  • data-source/aws_s3_objects: Add plan-time validation of encoding_type (#​33304)
  • resource/aws_api_gateway_account: Add api_key_version and features attributes (#​33279)
  • resource/aws_api_gateway_api_key: Add customer_id argument (#​33281)
  • resource/aws_api_gateway_api_key: Allow updating name (#​33281)
  • resource/aws_autoscaling_group: Add scale_in_protected_instances and standby_instances attributes to instance_refresh.preferences configuration block (#​33310)
  • resource/aws_dms_endpoint: Add redshift-serverless as valid value for engine_name (#​33316)
  • resource/aws_elasticache_cluster: Add transit_encryption_enabled argument, enabling in-transit encryption for Memcached clusters inside a VPC (#​26987)
  • resource/aws_fsx_windows_file_system: Add disk_iops_configuration configuration block (#​33303)
  • resource/aws_glue_catalog_table: Add open_table_format_input configuration block to support open table formats such as Apache Iceberg (#​33274)
  • resource/aws_medialive_channel: Implement expand/flatten functions for automatic_input_failover_settings in input_attachments (#​33129)
  • resource/aws_opensearch_domain: Add software_update_options attribute (#​32234)
  • resource/aws_ssm_association: Add sync_compliance attribute (#​23515)

BUG FIXES:

  • data-source/aws_identitystore_group: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#​33311)
  • data-source/aws_identitystore_user: Restore filter argument to prevent UnknownOperationException errors in certain Regions (#​33311)
  • data-source/aws_s3_objects: Respect configured max_keys value if it's greater than 1000 (#​33304)
  • resource/aws_api_gateway_account: Allow setting cloudwatch_role_arn to an empty value and set it correctly on Read, allowing its value to be determined on import (#​33279)
  • resource/aws_fsx_ontap_file_system: Increase maximum value of disk_iops_configuration.iops to 160000 (#​33263)
  • resource/aws_servicecatalog_principal_portfolio_association: Fix ResourceNotFoundException errors on resource Delete when configured principal_type is IAM_PATTERN (#​32243)

v5.15.0

Compare Source

ENHANCEMENTS:

  • data-source/aws_efs_file_system: Add name attribute (#​33243)
  • data-source/aws_lakeformation_data_lake_settings: Add read_only_admins attribute (#​33189)
  • data-source/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled attribute (#​33031)
  • resource/aws_cloudformation_stack_set: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,CallAs syntax for import block or terraform import command (#​19092)
  • resource/aws_cloudformation_stack_set_instance: Support resource import with call_as = "DELEGATED_ADMIN" via StackSetName,AccountID,Region,CallAs syntax for import block or terraform import command (#​19092)
  • resource/aws_datasync_location_fsx_openzfs_file_system: Fix setting protocol: Invalid address to set errors (#​33225)
  • resource/aws_efs_file_system: Add name attribute (#​33243)
  • resource/aws_fsx_openzfs_file_system: Add endpoint_ip_address_range, preferred_subnet_id and route_table_ids arguments to support the Multi-AZ deployment type (#​33245)
  • resource/aws_lakeformation_data_lake_settings: Add read_only_admins argument (#​33189)
  • resource/aws_opensearch_domain: Add cluster_config.multi_az_with_standby_enabled argument (#​33031)
  • resource/aws_wafv2_rule_group: Add name_prefix argument (#​33206)
  • resource/aws_wafv2_web_acl: Add statement.managed_rule_group_statement.managed_rule_group_configs.aws_managed_rules_atp_rule_set.enable_regex_in_path argument (#​33217)

BUG FIXES:

  • provider: Correctly use old and new tag values when updating tags that are computed (#​33226)
  • resource/aws_appflow_connector_profile: Fix validation on oauth2 in custom_connector_profile (#​33192)
  • resource/aws_cloudformation_stack_set: Fix Can only set RetainStacksOnAccountRemoval if AutoDeployment is enabled errors (#​19092)
  • resource/aws_cloudwatch_event_bus_policy: Fix error during plan when the associated aws_cloudwatch_event_bus resource is manually deleted (#​33203)
  • resource/aws_codeartifact_domain: Change the type of asset_size_bytes to TypeString instead of TypeInt to prevent value out of range panic (#​33220)
  • resource/aws_efs_file_system_policy: Retry IAM eventual consistency errors (#​21734)
  • resource/aws_fsx_openzfs_file_system: Wait for administrative action completion when updating root volume (#​33245)
  • resource/aws_iot_thing_type: Fix error during plan when resource is manually deleted (#​33203)
  • resource/aws_kms_key: Fix tag propagation: timeout while waiting for state to become 'TRUE' errors when any tag value is empty ("") (#​33226)
  • resource/aws_wafv2_web_acl: Prevent deletion of the AWS-managed ShieldMitigationRuleGroup rule on resource Update (#​33216)

v5.14.0

Compare Source

NOTES:

  • data-source/aws_iam_policy_document: In some cases, statement.*.condition blocks with the same test and variable arguments were incorrectly handled by the provider. Since this results in unexpected IAM Policies being submitted to AWS, we have updated the logic to merge values lists in this case. This may cause existing IAM Policy documents to report a difference. However, those policies are likely not what was originally intended. (#​33093)

FEATURES:

  • New Resource: aws_datasync_location_azure_blob (#​32632)
  • New Resource: aws_datasync_location_fsx_ontap_file_system (#​32632)

ENHANCEMENTS:

  • data-source/aws_dms_endpoint: Fix crash when specified endpoint not found (#​33158)
  • data-source/aws_dms_replication_instance: Add network_type attribute (#​33158)
  • data-source/aws_ec2_network_insights_path: Add destination_arn and source_arn attributes (#​33168)
  • resource/aws_dms_replication_instance: Add network_type argument (#​33158)
  • resource/aws_ec2_network_insights_path: Add destination_arn and source_arn attributes (#​33168)
  • resource/aws_finspace_kx_environment: Add transit_gateway_configuration.*.attachment_network_acl_configuration argument. (#​33123)
  • resource/aws_medialive_channel: Updates schemas for selector_settings for audio_selector and selector_settings for caption_selector (#​32714)
  • resource/aws_ssoadmin_account_assignment: Add configurable timeouts (#​33121)
  • resource/aws_ssoadmin_customer_managed_policy_attachment: Add configurable timeouts (#​33121)
  • resource/aws_ssoadmin_managed_policy_attachment: Add configurable timeouts (#​33121)
  • resource/aws_ssoadmin_permission_set: Add configurable timeouts (#​33121)
  • resource/aws_ssoadmin_permission_set_inline_policy: Add configurable timeouts (#​33121)
  • resource/aws_ssoadmin_permissions_boundary_attachment: Add configurable timeouts (#​33121)

BUG FIXES:

  • data-source/aws_iam_policy_document: Fix inconsistent handling of condition blocks with duplicated test and variable arguments (#​33093)
  • resource/aws_ec2_host: Fixed a bug that caused resource recreation when specifying an outpost_arn without an asset_id (#​33142)
  • resource/aws_ec2_network_insights_analysis: Fix setting forward_path_components: Invalid address to set errors (#​33168)
  • resource/aws_ec2_network_insights_path: Avoid recreating resource when passing an ARN as source or destination (#​33168)
  • resource/aws_ec2_network_insights_path: Retry AnalysisExistsForNetworkInsightsPath errors on resource Delete (#​33168)
  • resource/aws_kms_key: Fix tag propagation: timeout while waiting for state to become 'TRUE' errors when ignore_tags has been configured (#​33167)
  • resource/aws_licensemanager_license_configuration: Surface InvalidParameterValueException errors during resource Delete (#​32845)
  • resource/aws_msk_cluster_policy: Fix Current cluster policy version needed for Update errors (#​33118)
  • resource/aws_quicksight_analysis: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#​33120)
  • resource/aws_quicksight_analysis: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#​33122)
  • resource/aws_quicksight_analysis: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#​33161)
  • resource/aws_quicksight_dashboard: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#​33120)
  • resource/aws_quicksight_dashboard: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#​33122)
  • resource/aws_quicksight_dashboard: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#​33161)
  • resource/aws_quicksight_template: Change definition.*.parameter_declarations to a set type, preventing persistent differences (#​33120)
  • resource/aws_quicksight_template: Fixed a bug that caused errors related to the word_orientation argument when using word cloud visuals. (#​33122)
  • resource/aws_quicksight_template: Skip setting definition.*.parameter_declarations.*.*_parameter_declaration.static_values when empty, preventing persistent differences. (#​33161)
  • resource/aws_route53_zone: Skip disabling DNS SEC in unsupported partitions (#​33103)
  • resource/aws_s3_object: Mark acl as Computed. This suppresses the diffs shown when migrating resources with no configured acl attribute value from v4.67.0 (or earlier) (#​33138)
  • resource/aws_s3_object_copy: Mark acl as Computed. This suppresses the diffs shown when migrating resources with no configured acl attribute value from v4.67.0 (or earlier) (#​33138)
  • resource/aws_securityhub_account: Remove default value (SECURITY_CONTROL) for control_finding_generator argument and mark as Computed (#​33095)

v5.13.1

Compare Source

BUG FIXES:

  • resource/aws_lambda_layer_version: Change source_code_hash back to ForceNew. This fixes doesn't support update errors (#​33097)
  • resource/aws_organizations_organization: Fix current Organization ID (o-xxxxxxxxxx) does not match errors on resource Read (#​33091)

v5.13.0

Compare Source

FEATURES:

  • New Resource: aws_msk_cluster_policy (#​32848)
  • New Resource: aws_opensearch_vpc_endpoint (#​32435)
  • New Resource: aws_ram_sharing_with_organization (#​25433)

ENHANCEMENTS:

  • data-source/aws_imagebuilder_image_pipeline: Add image_scanning_configuration attribute (#​33005)
  • data-source/aws_ram_resource_share: Add resource_arns attribute (#​22591)
  • provider: Adds the s3_us_east_1_regional_endpoint attribute to support using the regional S3 API endpoint in us-east-1. (#​33024)
  • resource/aws_appstream_fleet: Retry ConcurrentModificationException errors during creation (#​32958)
  • resource/aws_dms_endpoint: Add babelfish as an engine_name option (#​32975)
  • resource/aws_imagebuilder_image_pipeline: Add image_scanning_configuration configuration block (#​33005)
  • resource/aws_lb: Changes to security_groups for Network Load Balancers force a new resource if either the old or new set of security group IDs is empty (#​32987)
  • resource/aws_rds_global_cluster: Add plan-time validation of global_cluster_identifier (#​30996)

BUG FIXES:

  • data-source/aws_ecr_repository: Correctly set most_recent_image_tags when only a single image is found (#​31757)
  • resource/aws_budgets_budget_action: No longer times out when creating a non-triggered action (#​33015)
  • resource/aws_cloudformation_stack: Marks outputs as Computed when there are potential changes. (#​33059)
  • resource/aws_cloudwatch_event_rule: Fix ARN-based partner event bus rule ID parsing error (#​30293)
  • resource/aws_ecr_registry_scanning_configuration: Correctly delete rules on resource Update (#​31449)
  • resource/aws_lambda_layer_version: Fix bug causing new version to be created on every apply when source_code_hash is used but not changed (#​32535)
  • resource/aw

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@github-actions
Copy link

Test init-fail

❌   Terraform Init: failed
❌   Terraform Validate: failed
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show Init results
Initializing the backend...

Initializing provider plugins...
- Finding latest version of foo/bar...

Error: Failed to query available provider packages

Could not retrieve the list of available versions for provider foo/bar:
provider registry registry.terraform.io does not have a provider named
registry.terraform.io/foo/bar

All modules should specify their required_providers so that external
consumers will get the correct providers when using a module. To see which
modules are currently depending on foo/bar, run the following command:
    terraform providers

Show Validate results
Error: Missing required provider

This configuration requires provider registry.terraform.io/foo/bar, but that
provider isn&#39;t available. You may be able to install it automatically by
running:
  terraform init
Show plan
Error: Inconsistent dependency lock file

The following dependency selections recorded in the lock file are
inconsistent with the current configuration:
  - provider registry.terraform.io/foo/bar: required by this configuration but no version is selected

To make the initial dependency selections that will initialize the dependency
lock file, run:
  terraform init

@github-actions
Copy link

Test validate-fail

✅   Terraform Init: success
❌   Terraform Validate: failed
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show Validate results
Error: Reference to undeclared input variable

  on validate-fail.tf line 4, in resource &quot;random_id&quot; &quot;foo&quot;:
   4:     foo = var.bar

An input variable with the name &quot;bar&quot; has not been declared. This variable
can be declared with a variable &quot;bar&quot; {} block.
Show plan
Error: Reference to undeclared input variable

  on validate-fail.tf line 4, in resource "random_id" "foo":
   4:     foo = var.bar

An input variable with the name "bar" has not been declared. This variable
can be declared with a variable "bar" {} block.

@github-actions
Copy link

Test skip-plan

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success

@github-actions
Copy link

Test skip-conftest

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add random_id.id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)

Warning: Duplicate required provider

  on skip-conftest.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

@github-actions
Copy link

Test invalid

✅   Terraform Init: success
❌   Terraform Validate: failed
❌   Terraform Format: failed
❌   Terraform Plan: failed
❌   Conftest: failed

Show Validate results
Warning: Duplicate required provider

  on invalid.tf line 11:
  11: resource &quot;random_id&quot; &quot;id&quot; {

Provider &quot;registry.terraform.io/hashicorp/random&quot; was implicitly required via
resource &quot;random_id.id&quot;, but listed in required_providers as &quot;test&quot;. Either
the local name in required_providers must match the resource name, or the
&quot;test&quot; provider must be assigned within the resource block.

Error: Missing required argument

  on invalid.tf line 11, in resource &quot;random_id&quot; &quot;id&quot;:
  11: resource &quot;random_id&quot; &quot;id&quot; {

The argument &quot;byte_length&quot; is required, but no definition was found.

Error: Unsupported argument

  on invalid.tf line 12, in resource &quot;random_id&quot; &quot;id&quot;:
  12:     muffin = &quot;blueberry&quot;

An argument named &quot;muffin&quot; is not expected here.

🧹   Format: run terraform fmt to fix the following:

invalid.tf
Show plan
Warning: Duplicate required provider

  on invalid.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

Error: Missing required argument

  on invalid.tf line 11, in resource "random_id" "id":
  11: resource "random_id" "id" {

The argument "byte_length" is required, but no definition was found.

Error: Unsupported argument

  on invalid.tf line 12, in resource "random_id" "id":
  12:     muffin = "blueberry"

An argument named "muffin" is not expected here.

@github-actions
Copy link

Test changes

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add random_id.id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)

Warning: Duplicate required provider

  on changes.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions

@github-actions
Copy link

Test format-error

✅   Terraform Init: success
✅   Terraform Validate: success
❌   Terraform Format: failed
✅   Terraform Plan: success
✅   Conftest: success

🧹   Format: run terraform fmt to fix the following:

format-error.tf
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add random_id.id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Duplicate required provider

  on format-error.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions

@github-actions
Copy link

Test conftest-deny

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
❌   Conftest: failed

Plan: 50 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add module.rds.aws_cloudwatch_log_group.log_exports[&quot;postgresql&quot;]
module.rds.aws_cloudwatch_log_group.proxy
module.rds.aws_db_proxy.proxy
module.rds.aws_db_proxy_default_target_group.this
module.rds.aws_db_proxy_target.target
module.rds.aws_db_subnet_group.rds
module.rds.aws_iam_policy.read_connection_string
module.rds.aws_iam_role.rds_proxy
module.rds.aws_iam_role_policy_attachment.read_connection_string
module.rds.aws_rds_cluster.cluster
module.rds.aws_rds_cluster_instance.instances[0]
module.rds.aws_rds_cluster_instance.instances[1]
module.rds.aws_rds_cluster_instance.instances[2]
module.rds.aws_secretsmanager_secret.connection_string
module.rds.aws_secretsmanager_secret.proxy_connection_string
module.rds.aws_secretsmanager_secret_version.connection_string
module.rds.aws_secretsmanager_secret_version.proxy_connection_string
module.rds.aws_security_group.rds_proxy
module.rds.random_string.random
module.vpc.aws_default_network_acl.default
module.vpc.aws_default_route_table.default
module.vpc.aws_default_security_group.default
module.vpc.aws_internet_gateway.gw
module.vpc.aws_nat_gateway.nat_gw[0]
module.vpc.aws_nat_gateway.nat_gw[1]
module.vpc.aws_nat_gateway.nat_gw[2]
module.vpc.aws_network_acl.main
module.vpc.aws_network_acl_rule.block_rdp[0]
module.vpc.aws_network_acl_rule.block_ssh[0]
module.vpc.aws_route.private_nat_gateway[0]
module.vpc.aws_route.private_nat_gateway[1]
module.vpc.aws_route.private_nat_gateway[2]
module.vpc.aws_route.public_internet_gateway
module.vpc.aws_route_table.private[0]
module.vpc.aws_route_table.private[1]
module.vpc.aws_route_table.private[2]
module.vpc.aws_route_table.public
module.vpc.aws_route_table_association.private[0]
module.vpc.aws_route_table_association.private[1]
module.vpc.aws_route_table_association.private[2]
module.vpc.aws_route_table_association.public[0]
module.vpc.aws_route_table_association.public[1]
module.vpc.aws_route_table_association.public[2]
module.vpc.aws_subnet.private[0]
module.vpc.aws_subnet.private[1]
module.vpc.aws_subnet.private[2]
module.vpc.aws_subnet.public[0]
module.vpc.aws_subnet.public[1]
module.vpc.aws_subnet.public[2]
module.vpc.aws_vpc.main

✂   Warning: plan has been truncated! See the full plan in the logs.

Show plan
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "read_connection_string" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "secretsmanager:DescribeSecret",
              + "secretsmanager:GetResourcePolicy",
              + "secretsmanager:GetSecretValue",
              + "secretsmanager:ListSecretVersionIds",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "0"
        }
      + statement {
          + actions   = [
              + "secretsmanager:ListSecrets",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "1"
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "2"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "secretsmanager.ca-central-1.amazonaws.com",
                ]
              + variable = "kms:ViaService"
            }
        }
    }

  # module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
  + resource "aws_cloudwatch_log_group" "log_exports" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/rds/cluster/test-rds-cluster/postgresql"
      + name_prefix       = (known after apply)
      + retention_in_days = 30
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_cloudwatch_log_group.proxy will be created
  + resource "aws_cloudwatch_log_group" "proxy" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/rds/proxy/test-rds-proxy"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_db_proxy.proxy will be created
  + resource "aws_db_proxy" "proxy" {
      + arn                    = (known after apply)
      + debug_logging          = false
      + endpoint               = (known after apply)
      + engine_family          = "POSTGRESQL"
      + id                     = (known after apply)
      + idle_client_timeout    = 1800
      + name                   = "test-rds-proxy"
      + require_tls            = true
      + role_arn               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids = (known after apply)
      + vpc_subnet_ids         = (known after apply)

      + auth {
          + auth_scheme               = "SECRETS"
          + client_password_auth_type = (known after apply)
          + description               = "The database connection string"
          + iam_auth                  = "DISABLED"
          + secret_arn                = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_default_target_group.this will be created
  + resource "aws_db_proxy_default_target_group" "this" {
      + arn           = (known after apply)
      + db_proxy_name = "test-rds-proxy"
      + id            = (known after apply)
      + name          = (known after apply)

      + connection_pool_config {
          + connection_borrow_timeout    = (known after apply)
          + init_query                   = (known after apply)
          + max_connections_percent      = (known after apply)
          + max_idle_connections_percent = (known after apply)
          + session_pinning_filters      = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_target.target will be created
  + resource "aws_db_proxy_target" "target" {
      + db_cluster_identifier = (known after apply)
      + db_proxy_name         = "test-rds-proxy"
      + endpoint              = (known after apply)
      + id                    = (known after apply)
      + port                  = (known after apply)
      + rds_resource_id       = (known after apply)
      + target_arn            = (known after apply)
      + target_group_name     = (known after apply)
      + tracked_cluster_id    = (known after apply)
      + type                  = (known after apply)
    }

  # module.rds.aws_db_subnet_group.rds will be created
  + resource "aws_db_subnet_group" "rds" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "test-rds-subnet-group"
      + name_prefix             = (known after apply)
      + subnet_ids              = (known after apply)
      + supported_network_types = (known after apply)
      + tags                    = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + tags_all                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + vpc_id                  = (known after apply)
    }

  # module.rds.aws_iam_policy.read_connection_string will be created
  + resource "aws_iam_policy" "read_connection_string" {
      + arn         = (known after apply)
      + id          = (known after apply)
      + name        = "test-rdsReadConnectionString"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags        = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all    = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_iam_role.rds_proxy will be created
  + resource "aws_iam_role" "rds_proxy" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "rds.amazonaws.com"
                        }
                      + Sid       = "RDSAssume"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "test-rds_rds_proxy"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
  + resource "aws_iam_role_policy_attachment" "read_connection_string" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "test-rds_rds_proxy"
    }

  # module.rds.aws_rds_cluster.cluster will be created
  + resource "aws_rds_cluster" "cluster" {
      + allocated_storage               = (known after apply)
      + allow_major_version_upgrade     = false
      + apply_immediately               = false
      + arn                             = (known after apply)
      + availability_zones              = (known after apply)
      + backtrack_window                = 0
      + backup_retention_period         = 7
      + cluster_identifier              = "test-rds-cluster"
      + cluster_identifier_prefix       = (known after apply)
      + cluster_members                 = (known after apply)
      + cluster_resource_id             = (known after apply)
      + copy_tags_to_snapshot           = true
      + database_name                   = "foo"
      + db_cluster_parameter_group_name = (known after apply)
      + db_subnet_group_name            = "test-rds-subnet-group"
      + db_system_id                    = (known after apply)
      + deletion_protection             = true
      + enable_global_write_forwarding  = false
      + enable_http_endpoint            = false
      + enabled_cloudwatch_logs_exports = [
          + "postgresql",
        ]
      + endpoint                        = (known after apply)
      + engine                          = "aurora-postgresql"
      + engine_mode                     = "provisioned"
      + engine_version                  = "13.3"
      + engine_version_actual           = (known after apply)
      + final_snapshot_identifier       = (known after apply)
      + hosted_zone_id                  = (known after apply)
      + iam_roles                       = (known after apply)
      + id                              = (known after apply)
      + kms_key_id                      = (known after apply)
      + master_password                 = (sensitive value)
      + master_user_secret              = (known after apply)
      + master_user_secret_kms_key_id   = (known after apply)
      + master_username                 = "cal"
      + network_type                    = (known after apply)
      + port                            = (known after apply)
      + preferred_backup_window         = "07:00-09:00"
      + preferred_maintenance_window    = "sun:06:00-sun:07:00"
      + reader_endpoint                 = (known after apply)
      + skip_final_snapshot             = false
      + storage_encrypted               = true
      + storage_type                    = (known after apply)
      + tags                            = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all                        = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids          = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[0] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-0"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[1] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-1"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[2] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-2"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret.connection_string will be created
  + resource "aws_secretsmanager_secret" "connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }

      + replica {
          + kms_key_id         = (known after apply)
          + last_accessed_date = (known after apply)
          + region             = (known after apply)
          + status             = (known after apply)
          + status_message     = (known after apply)
        }
    }

  # module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret" "proxy_connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }

      + replica {
          + kms_key_id         = (known after apply)
          + last_accessed_date = (known after apply)
          + region             = (known after apply)
          + status             = (known after apply)
          + status_message     = (known after apply)
        }
    }

  # module.rds.aws_secretsmanager_secret_version.connection_string will be created
  + resource "aws_secretsmanager_secret_version" "connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_security_group.rds_proxy will be created
  + resource "aws_security_group" "rds_proxy" {
      + arn                    = (known after apply)
      + description            = "The Security group that allows communication between the proxy and the database"
      + egress                 = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + name                   = "test-rds_rds_proxy_sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.rds.random_string.random will be created
  + resource "random_string" "random" {
      + id          = (known after apply)
      + length      = 6
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.vpc.aws_default_network_acl.default will be created
  + resource "aws_default_network_acl" "default" {
      + arn                    = (known after apply)
      + default_network_acl_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_route_table.default will be created
  + resource "aws_default_route_table" "default" {
      + arn                    = (known after apply)
      + default_route_table_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + route                  = []
      + tags                   = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_internet_gateway.gw will be created
  + resource "aws_internet_gateway" "gw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + tags_all = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + vpc_id   = (known after apply)
    }

  # module.vpc.aws_nat_gateway.nat_gw[0] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_nat_gateway.nat_gw[1] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-1"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-1"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_nat_gateway.nat_gw[2] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      +...
Show Conftest results
FAIL - plan.json - main - Postgresql main password > 8 characters: ["module.rds.aws_rds_cluster.cluster"]

18 tests, 17 passed, 0 warnings, 1 failure, 0 exceptions

@github-actions
Copy link

Test truncate-plan

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 50 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add module.rds.aws_cloudwatch_log_group.log_exports[&quot;postgresql&quot;]
module.rds.aws_cloudwatch_log_group.proxy
module.rds.aws_db_proxy.proxy
module.rds.aws_db_proxy_default_target_group.this
module.rds.aws_db_proxy_target.target
module.rds.aws_db_subnet_group.rds
module.rds.aws_iam_policy.read_connection_string
module.rds.aws_iam_role.rds_proxy
module.rds.aws_iam_role_policy_attachment.read_connection_string
module.rds.aws_rds_cluster.cluster
module.rds.aws_rds_cluster_instance.instances[0]
module.rds.aws_rds_cluster_instance.instances[1]
module.rds.aws_rds_cluster_instance.instances[2]
module.rds.aws_secretsmanager_secret.connection_string
module.rds.aws_secretsmanager_secret.proxy_connection_string
module.rds.aws_secretsmanager_secret_version.connection_string
module.rds.aws_secretsmanager_secret_version.proxy_connection_string
module.rds.aws_security_group.rds_proxy
module.rds.random_string.random
module.vpc.aws_default_network_acl.default
module.vpc.aws_default_route_table.default
module.vpc.aws_default_security_group.default
module.vpc.aws_internet_gateway.gw
module.vpc.aws_nat_gateway.nat_gw[0]
module.vpc.aws_nat_gateway.nat_gw[1]
module.vpc.aws_nat_gateway.nat_gw[2]
module.vpc.aws_network_acl.main
module.vpc.aws_network_acl_rule.block_rdp[0]
module.vpc.aws_network_acl_rule.block_ssh[0]
module.vpc.aws_route.private_nat_gateway[0]
module.vpc.aws_route.private_nat_gateway[1]
module.vpc.aws_route.private_nat_gateway[2]
module.vpc.aws_route.public_internet_gateway
module.vpc.aws_route_table.private[0]
module.vpc.aws_route_table.private[1]
module.vpc.aws_route_table.private[2]
module.vpc.aws_route_table.public
module.vpc.aws_route_table_association.private[0]
module.vpc.aws_route_table_association.private[1]
module.vpc.aws_route_table_association.private[2]
module.vpc.aws_route_table_association.public[0]
module.vpc.aws_route_table_association.public[1]
module.vpc.aws_route_table_association.public[2]
module.vpc.aws_subnet.private[0]
module.vpc.aws_subnet.private[1]
module.vpc.aws_subnet.private[2]
module.vpc.aws_subnet.public[0]
module.vpc.aws_subnet.public[1]
module.vpc.aws_subnet.public[2]
module.vpc.aws_vpc.main

✂   Warning: plan has been truncated! See the full plan in the logs.

Show plan
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "read_connection_string" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "secretsmanager:DescribeSecret",
              + "secretsmanager:GetResourcePolicy",
              + "secretsmanager:GetSecretValue",
              + "secretsmanager:ListSecretVersionIds",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "0"
        }
      + statement {
          + actions   = [
              + "secretsmanager:ListSecrets",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "1"
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "2"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "secretsmanager.ca-central-1.amazonaws.com",
                ]
              + variable = "kms:ViaService"
            }
        }
    }

  # module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
  + resource "aws_cloudwatch_log_group" "log_exports" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/rds/cluster/test-rds-cluster/postgresql"
      + name_prefix       = (known after apply)
      + retention_in_days = 30
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_cloudwatch_log_group.proxy will be created
  + resource "aws_cloudwatch_log_group" "proxy" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/rds/proxy/test-rds-proxy"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_db_proxy.proxy will be created
  + resource "aws_db_proxy" "proxy" {
      + arn                    = (known after apply)
      + debug_logging          = false
      + endpoint               = (known after apply)
      + engine_family          = "POSTGRESQL"
      + id                     = (known after apply)
      + idle_client_timeout    = 1800
      + name                   = "test-rds-proxy"
      + require_tls            = true
      + role_arn               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids = (known after apply)
      + vpc_subnet_ids         = (known after apply)

      + auth {
          + auth_scheme               = "SECRETS"
          + client_password_auth_type = (known after apply)
          + description               = "The database connection string"
          + iam_auth                  = "DISABLED"
          + secret_arn                = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_default_target_group.this will be created
  + resource "aws_db_proxy_default_target_group" "this" {
      + arn           = (known after apply)
      + db_proxy_name = "test-rds-proxy"
      + id            = (known after apply)
      + name          = (known after apply)

      + connection_pool_config {
          + connection_borrow_timeout    = (known after apply)
          + init_query                   = (known after apply)
          + max_connections_percent      = (known after apply)
          + max_idle_connections_percent = (known after apply)
          + session_pinning_filters      = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_target.target will be created
  + resource "aws_db_proxy_target" "target" {
      + db_cluster_identifier = (known after apply)
      + db_proxy_name         = "test-rds-proxy"
      + endpoint              = (known after apply)
      + id                    = (known after apply)
      + port                  = (known after apply)
      + rds_resource_id       = (known after apply)
      + target_arn            = (known after apply)
      + target_group_name     = (known after apply)
      + tracked_cluster_id    = (known after apply)
      + type                  = (known after apply)
    }

  # module.rds.aws_db_subnet_group.rds will be created
  + resource "aws_db_subnet_group" "rds" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "test-rds-subnet-group"
      + name_prefix             = (known after apply)
      + subnet_ids              = (known after apply)
      + supported_network_types = (known after apply)
      + tags                    = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + tags_all                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + vpc_id                  = (known after apply)
    }

  # module.rds.aws_iam_policy.read_connection_string will be created
  + resource "aws_iam_policy" "read_connection_string" {
      + arn         = (known after apply)
      + id          = (known after apply)
      + name        = "test-rdsReadConnectionString"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (known after apply)
      + policy_id   = (known after apply)
      + tags        = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all    = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_iam_role.rds_proxy will be created
  + resource "aws_iam_role" "rds_proxy" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "rds.amazonaws.com"
                        }
                      + Sid       = "RDSAssume"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "test-rds_rds_proxy"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
  + resource "aws_iam_role_policy_attachment" "read_connection_string" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "test-rds_rds_proxy"
    }

  # module.rds.aws_rds_cluster.cluster will be created
  + resource "aws_rds_cluster" "cluster" {
      + allocated_storage               = (known after apply)
      + allow_major_version_upgrade     = false
      + apply_immediately               = false
      + arn                             = (known after apply)
      + availability_zones              = (known after apply)
      + backtrack_window                = 0
      + backup_retention_period         = 7
      + cluster_identifier              = "test-rds-cluster"
      + cluster_identifier_prefix       = (known after apply)
      + cluster_members                 = (known after apply)
      + cluster_resource_id             = (known after apply)
      + copy_tags_to_snapshot           = true
      + database_name                   = "foo"
      + db_cluster_parameter_group_name = (known after apply)
      + db_subnet_group_name            = "test-rds-subnet-group"
      + db_system_id                    = (known after apply)
      + deletion_protection             = true
      + enable_global_write_forwarding  = false
      + enable_http_endpoint            = false
      + enabled_cloudwatch_logs_exports = [
          + "postgresql",
        ]
      + endpoint                        = (known after apply)
      + engine                          = "aurora-postgresql"
      + engine_mode                     = "provisioned"
      + engine_version                  = "14.5"
      + engine_version_actual           = (known after apply)
      + final_snapshot_identifier       = (known after apply)
      + hosted_zone_id                  = (known after apply)
      + iam_roles                       = (known after apply)
      + id                              = (known after apply)
      + kms_key_id                      = (known after apply)
      + master_password                 = (sensitive value)
      + master_user_secret              = (known after apply)
      + master_user_secret_kms_key_id   = (known after apply)
      + master_username                 = "probably"
      + network_type                    = (known after apply)
      + port                            = (known after apply)
      + preferred_backup_window         = "07:00-09:00"
      + preferred_maintenance_window    = "sun:06:00-sun:07:00"
      + reader_endpoint                 = (known after apply)
      + skip_final_snapshot             = false
      + storage_encrypted               = true
      + storage_type                    = (known after apply)
      + tags                            = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all                        = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids          = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[0] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-0"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[1] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-1"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[2] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-2"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = false
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret.connection_string will be created
  + resource "aws_secretsmanager_secret" "connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }

      + replica {
          + kms_key_id         = (known after apply)
          + last_accessed_date = (known after apply)
          + region             = (known after apply)
          + status             = (known after apply)
          + status_message     = (known after apply)
        }
    }

  # module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret" "proxy_connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }

      + replica {
          + kms_key_id         = (known after apply)
          + last_accessed_date = (known after apply)
          + region             = (known after apply)
          + status             = (known after apply)
          + status_message     = (known after apply)
        }
    }

  # module.rds.aws_secretsmanager_secret_version.connection_string will be created
  + resource "aws_secretsmanager_secret_version" "connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_security_group.rds_proxy will be created
  + resource "aws_security_group" "rds_proxy" {
      + arn                    = (known after apply)
      + description            = "The Security group that allows communication between the proxy and the database"
      + egress                 = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + name                   = "test-rds_rds_proxy_sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.rds.random_string.random will be created
  + resource "random_string" "random" {
      + id          = (known after apply)
      + length      = 6
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.vpc.aws_default_network_acl.default will be created
  + resource "aws_default_network_acl" "default" {
      + arn                    = (known after apply)
      + default_network_acl_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_route_table.default will be created
  + resource "aws_default_route_table" "default" {
      + arn                    = (known after apply)
      + default_route_table_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + route                  = []
      + tags                   = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_internet_gateway.gw will be created
  + resource "aws_internet_gateway" "gw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + tags_all = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + vpc_id   = (known after apply)
    }

  # module.vpc.aws_nat_gateway.nat_gw[0] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_nat_gateway.nat_gw[1] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-1"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-1"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_nat_gateway.nat_gw[2] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
  ...
Show Conftest results
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions

@patheard
Copy link
Member

@patheard patheard merged commit b4f6325 into main Oct 23, 2023
14 checks passed
@patheard patheard deleted the renovate-cds/aws-5.x branch October 23, 2023 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants