(firewall-manager-shield_advanced): add missing attributes #38

Merged (5 commits), Sep 22, 2023
7 changes: 4 additions & 3 deletions .github/renovate.json
@@ -1,13 +1,14 @@
{
"extends": [
"config:base",
":preserveSemverRanges"
":preserveSemverRanges",
":rebaseStalePrs"
],
"baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
"baseBranches": ["main"],
"labels": ["auto-update"],
"dependencyDashboardAutoclose": true,
"enabledManagers": ["terraform"],
"terraform": {
"ignorePaths": ["**/context.tf", "examples/**"]
"ignorePaths": ["**/context.tf"]
}
}
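Review bot: The `baseBranches` and `ignorePaths` edits in this hunk are unrelated to the shield_advanced attributes named in the PR title, and each changes Renovate's behaviour: dropping `"master"` and the `/^release\/v\d{1,2}$/` pattern from `baseBranches` stops Renovate from maintaining release branches, and removing `"examples/**"` from `ignorePaths` means Renovate will now also open update PRs for module and provider versions pinned under `examples/`. Both may well be intended (they read like a template sync), but they deserve a sentence in the PR description or a separate commit so the behaviour change stays traceable in history.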
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
Expand Up @@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
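Review bot: The list under `on:` that gains `'README.*'` is only partly visible in this hunk; if it is a `paths-ignore` list, README-only edits will no longer trigger the release-branch workflow, consistent with `docs/**`, `examples/**` and `test/**` already being excluded. This PR itself changes `README.md`, so confirm that skipping the run for documentation-only changes is the intended outcome.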
2 changes: 1 addition & 1 deletion .github/workflows/release-published.yml
Expand Up @@ -11,4 +11,4 @@ permissions:

jobs:
terraform-module:
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
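Review bot: The reusable-workflow reference is corrected from `release.yml@main` to `release-published.yml@main`, but it still points at a branch; every run then executes whatever the shared repository's `main` contains at that moment, and this job runs with the `permissions:` this file grants. From a supply-chain standpoint a tag or, better, a full commit SHA is the stronger pin, e.g. `uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@<commit-sha>` (placeholder). If the organisation deliberately tracks `main` for its own shared workflows, that is a policy choice worth stating in the PR.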
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -308,7 +308,7 @@ Available targets:
| <a name="input_security_groups_common_policies"></a> [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> revert\_manual\_security\_group\_changes:<br> Whether to revert manual Security Group changes.<br> Defaults to `false`.<br> exclusive\_resource\_security\_group\_management:<br> Wheter to exclusive resource Security Group management.<br> Defaults to `false`.<br> apply\_to\_all\_ec2\_instance\_enis:<br> Whether to apply to all EC2 instance ENIs.<br> Defaults to `false`.<br> security\_groups:<br> A list of Security Group IDs. | `list(any)` | `[]` | no |
| <a name="input_security_groups_content_audit_policies"></a> [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> security\_group\_action:<br> For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.<br> For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.<br> Possible values: `ALLOW`, `DENY`.<br> security\_groups:<br> A list of Security Group IDs. | `list(any)` | `[]` | no |
| <a name="input_security_groups_usage_audit_policies"></a> [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> delete\_unused\_security\_groups:<br> Whether to delete unused Security Groups.<br> Defaults to `false`.<br> coalesce\_redundant\_security\_groups:<br> Whether to coalesce redundant Security Groups.<br> Defaults to `false`. | `list(any)` | n/a | yes |
| <a name="input_shield_advanced_policies"></a> [shield\_advanced\_policies](#input\_shield\_advanced\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>delete\_unused\_fm\_managed\_resources:<br> If true, Firewall Manager will automatically remove protections from resources that leave the policy scope.<br> Defaults to `false`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no |
| <a name="input_shield_advanced_policies"></a> [shield\_advanced\_policies](#input\_shield\_advanced\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>delete\_unused\_fm\_managed\_resources:<br> If true, Firewall Manager will automatically remove protections from resources that leave the policy scope.<br> Defaults to `false`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> automatic\_response\_status:<br> Status of shield automatic response.<br> Possible values: ENABLED\|IGNORED\|DISABLED.<br> Default is IGNORED.<br> automatic\_response\_action:<br> The automatic response action.<br> Possible values: BLOCK\|COUNT.<br> Default is null.<br> override\_customer\_webacl\_classic:<br> Whether to replace AWS WAF Classic web ACLs with this policy's AWS WAF v2 web ACLs where possible.<br> Possible values: true\|false<br> Default is false. 
| `list(any)` | `[]` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
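Review bot: The added `shield_advanced_policies` row is broken across two lines, ending with `Default is false. ` and continuing with `| `list(any)` | `[]` | no |` on the following line, so the Markdown table will not render it correctly: the type, default and required cells land on a separate row, whereas every other row in this table is a single line. If this table is generated from the variable description in `variables.tf` (not shown on this page), fix the source description rather than hand-editing the README, otherwise the next docs regeneration will reintroduce the break. Two smaller points on the new `policy_data` text: the value lists are written as `ENABLED\|IGNORED\|DISABLED` and `BLOCK\|COUNT` while the neighbouring rows write values as `` `ALLOW`, `DENY` ``, and `Default is IGNORED` departs from the `Defaults to ...` wording used everywhere else; it would also help to state whether `automatic_response_action` is only meaningful when `automatic_response_status` is `ENABLED`, since its default is `null`.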
2 changes: 1 addition & 1 deletion docs/terraform.md
Expand Up @@ -74,7 +74,7 @@
| <a name="input_security_groups_common_policies"></a> [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> revert\_manual\_security\_group\_changes:<br> Whether to revert manual Security Group changes.<br> Defaults to `false`.<br> exclusive\_resource\_security\_group\_management:<br> Wheter to exclusive resource Security Group management.<br> Defaults to `false`.<br> apply\_to\_all\_ec2\_instance\_enis:<br> Whether to apply to all EC2 instance ENIs.<br> Defaults to `false`.<br> security\_groups:<br> A list of Security Group IDs. | `list(any)` | `[]` | no |
| <a name="input_security_groups_content_audit_policies"></a> [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> security\_group\_action:<br> For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.<br> For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.<br> Possible values: `ALLOW`, `DENY`.<br> security\_groups:<br> A list of Security Group IDs. | `list(any)` | `[]` | no |
| <a name="input_security_groups_usage_audit_policies"></a> [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> delete\_unused\_security\_groups:<br> Whether to delete unused Security Groups.<br> Defaults to `false`.<br> coalesce\_redundant\_security\_groups:<br> Whether to coalesce redundant Security Groups.<br> Defaults to `false`. | `list(any)` | n/a | yes |
| <a name="input_shield_advanced_policies"></a> [shield\_advanced\_policies](#input\_shield\_advanced\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>delete\_unused\_fm\_managed\_resources:<br> If true, Firewall Manager will automatically remove protections from resources that leave the policy scope.<br> Defaults to `false`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no |
| <a name="input_shield_advanced_policies"></a> [shield\_advanced\_policies](#input\_shield\_advanced\_policies) | name:<br> The friendly name of the AWS Firewall Manager Policy.<br>delete\_all\_policy\_resources:<br> Whether to perform a clean-up process.<br> Defaults to `true`.<br>delete\_unused\_fm\_managed\_resources:<br> If true, Firewall Manager will automatically remove protections from resources that leave the policy scope.<br> Defaults to `false`.<br>exclude\_resource\_tags:<br> A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.<br> If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.<br> Defaults to `false`.<br>remediation\_enabled:<br> A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.<br> Defaults to `false`.<br>resource\_type\_list:<br> A list of resource types to protect. Conflicts with `resource_type`.<br>resource\_type:<br> A resource type to protect. Conflicts with `resource_type_list`.<br>resource\_tags:<br> A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.<br>exclude\_account\_ids:<br> A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.<br>include\_account\_ids:<br> A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.<br>policy\_data:<br> automatic\_response\_status:<br> Status of shield automatic response.<br> Possible values: ENABLED\|IGNORED\|DISABLED.<br> Default is IGNORED.<br> automatic\_response\_action:<br> The automatic response action.<br> Possible values: BLOCK\|COUNT.<br> Default is null.<br> override\_customer\_webacl\_classic:<br> Whether to replace AWS WAF Classic web ACLs with this policy's AWS WAF v2 web ACLs where possible.<br> Possible values: true\|false<br> Default is false. 
| `list(any)` | `[]` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
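Review bot: The same split-row problem appears here as in `README.md`: the new `shield_advanced_policies` row ends at `Default is false. ` and its `| `list(any)` | `[]` | no |` cells sit on the next line, so the table row will render incorrectly. Since `README.md` and `docs/terraform.md` carry the identical row, they are almost certainly generated from one source description; correct that description (and the `ENABLED\|IGNORED\|DISABLED` / `Default is IGNORED` style mismatches with the surrounding rows) once, then regenerate both files rather than patching each by hand.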