feat!: Upgrade AWS provider and min required Terraform version to 6.21 and 1.11 respectively

docs/UPGRADE-6.0.md

@@ -115,6 +115,7 @@ module "redshift" {
       + snapshot_copy_grant_name         = "ex-complete-us-east-1"
     }
 ```
+
 The `aws_redshift_logging` can be applied or imported. If setting the `log_destination_type`, an apply following an import will be required to clear the remaining diff.
 The `aws_redshift_snapshot_copy` resource requires importing if an existing snapshot_copy configuration exists.
 

docs/UPGRADE-7.0.md

@@ -0,0 +1,207 @@
+# Upgrade from v6.x to v7.x
+
+Please consult the `examples` directory for reference example configurations. If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Terraform `v1.11` is now minimum supported version to support write-only (`wo_*`) attributes.
+- AWS provider `v6.18` is now minimum supported version
+- The ability for the module to create a random password has been removed in order to ensure passwords are not stored in plain text within the state file. Users must now provide their own password via the `master_password_wo` variable.
+  - `master_password` is no longer supported and only the write-only equivalent is supported (`master_password_wo` and `master_password_wo_version`)
+  - `manage_master_password` default changed from `false` to `true` to ensure password rotation is managed by default.
+- The variable(s) used to create access endpoints has changed from creating a single endpoint to n-number of endpoints
+
+## Additional changes
+
+### Added
+
+- Support for `region` argument to specify the AWS region for the resources created if different from the provider region.
+- Support for creating a security group used by the cluster
+
+### Modified
+
+- Variable definitions now contain detailed `object` types in place of the previously used any type.
+- Default value for `parameter_group_family` changed from `redshift-1.0` to `redshift-2.0`
+- `manage_master_password` default changed from `false` to `true`
+
+### Removed
+
+- Support for generating random passwords has been removed.
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `create_random_password` removed along with support for generating a random password
+    - `random_password_length` removed along with support for generating a random password
+    - `aqua_configuration_status` argument was deprecated
+    - The variables for endpoint access have been nested under a single, top-level `endpoint_access` variable:
+        - `create_endpoint_access` removed - set `endpoint_access` to `null` or omit to disable
+        - `endpoint_name` -> `endpoint_access.name`
+        - `endpoint_resource_owner` -> `endpoint_access.resource_owner`
+        - `endpoint_subnet_group_name` -> `endpoint_access.subnet_group_name`
+        - `endpoint_vpc_security_group_ids` -> `endpoint_access.vpc_security_group_ids`
+    - The variables for snapshot schedule have been nested under a single, top-level `snapshot_schedule` variable:
+        - `create_snapshot_schedule` removed - set `snapshot_schedule` to `null` or omit to disable
+        - `snapshot_schedule_identifier` -> `snapshot_schedule.identifier`
+        - `use_snapshot_identifier_prefix` -> `snapshot_schedule.use_prefix`
+        - `snapshot_schedule_description` -> `snapshot_schedule.description`
+        - `snapshot_schedule_definitions` -> `snapshot_schedule.definitions`
+        - `snapshot_schedule_force_destroy` -> `snapshot_schedule.force_destroy`
+
+2. Renamed variables:
+
+    - `master_password` -> `master_password_wo`
+
+3. Added variables:
+
+    - `region`
+    - `create_security_group`
+    - `security_group_name`
+    - `security_group_use_name_prefix`
+    - `security_group_description`
+    - `vpc_id`
+    - `security_group_ingress_rules`
+    - `security_group_egress_rules`
+    - `master_password_wo_version`
+
+4. Removed outputs:
+
+    - `endpoint_access_address` -> see `endpoint_access` output
+    - `endpoint_access_port` -> see `endpoint_access` output
+    - `endpoint_access_id` -> see `endpoint_access` output
+    - `endpoint_access_vpc_endpoint` -> see `endpoint_access` output
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - None
+
+## Upgrade Migration
+
+### Before v6.x Example
+
+```hcl
+module "redshift" {
+  source  = "terraform-aws-modules/redshift/aws"
+  version = "~> 6.0"
+
+  # Only the affected attributes are shown
+
+  # Snapshot schedule
+  create_snapshot_schedule        = true
+  snapshot_schedule_identifier    = "example"
+  use_snapshot_identifier_prefix  = true
+  snapshot_schedule_description   = "Example snapshot schedule"
+  snapshot_schedule_definitions   = ["rate(12 hours)"]
+  snapshot_schedule_force_destroy = true
+
+  # Scheduled actions
+  create_scheduled_action_iam_role = true
+  scheduled_actions = {
+    pause = {
+      name          = "example-pause"
+      description   = "Pause cluster every night"
+      schedule      = "cron(0 22 * * ? *)"
+      pause_cluster = true
+    }
+    resize = {
+      name        = "example-resize"
+      description = "Resize cluster (demo only)"
+      schedule    = "cron(00 13 * * ? *)"
+      resize_cluster = {
+        node_type       = "ds2.xlarge"
+        number_of_nodes = 5
+      }
+    }
+    resume = {
+      name           = "example-resume"
+      description    = "Resume cluster every morning"
+      schedule       = "cron(0 12 * * ? *)"
+      resume_cluster = true
+    }
+  }
+
+  # Endpoint access - only available when using the ra3.x type
+  create_endpoint_access          = true
+  endpoint_name                   = "example"
+  endpoint_subnet_group_name      = "example"
+  endpoint_vpc_security_group_ids = ["sg-12345678"]
+}
+```
+
+### After v7.x Example
+
+```hcl
+module "redshift" {
+  source  = "terraform-aws-modules/redshift/aws"
+  version = "~> 7.0"
+
+  # Only the affected attributes are shown
+
+  # Security group
+  vpc_id = "vpc-1234556abcdef"
+
+  # Snapshot schedule
+  snapshot_schedule = {
+    identifier    = "example"
+    use_prefix    = true
+    description   = "Example snapshot schedule"
+    definitions   = ["rate(12 hours)"]
+    force_destroy = true
+  }
+
+  # Scheduled actions
+  create_scheduled_action_iam_role = true
+  scheduled_actions = {
+    pause = {
+      name        = "example-pause"
+      description = "Pause cluster every night"
+      schedule    = "cron(0 22 * * ? *)"
+      target_action = {
+        pause_cluster = true
+      }
+    }
+    resize = {
+      name        = "example-resize"
+      description = "Resize cluster (demo only)"
+      schedule    = "cron(00 13 * * ? *)"
+      target_action = {
+        resize_cluster = {
+          node_type       = "ds2.xlarge"
+          number_of_nodes = 5
+        }
+      }
+    }
+    resume = {
+      name        = "example-resume"
+      description = "Resume cluster every morning"
+      schedule    = "cron(0 12 * * ? *)"
+      target_action = {
+        resume_cluster = true
+      }
+    }
+  }
+
+  # Endpoint access - only available when using the ra3.x type
+  endpoint_access = {
+    example = {
+      name                   = "example"
+      subnet_group_name      = "example"
+      vpc_security_group_ids = ["sg-12345678"]
+    }
+  }
+
+  # Maintains backward compatibility, as needed
+  parameter_group_family = "redshift-1.0"
+}
+```
+
+### State Move Commands
+
+```sh
+terraform state mv 'module.redshift.aws_redshift_endpoint_access.this[0]' 'module.redshift.aws_redshift_endpoint_access.this["example"]'
+```

examples/complete/README.md

@@ -23,15 +23,14 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.45 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.11 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.21 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.45 |
-| <a name="provider_aws.us_east_1"></a> [aws.us\_east\_1](#provider\_aws.us\_east\_1) | >= 5.45 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.21 |
 
 ## Modules
 
@@ -40,9 +39,9 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_default"></a> [default](#module\_default) | ../../ | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../ | n/a |
 | <a name="module_redshift"></a> [redshift](#module\_redshift) | ../../ | n/a |
-| <a name="module_s3_logs"></a> [s3\_logs](#module\_s3\_logs) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
+| <a name="module_s3_logs"></a> [s3\_logs](#module\_s3\_logs) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
 | <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws//modules/redshift | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 | <a name="module_with_cloudwatch_logging"></a> [with\_cloudwatch\_logging](#module\_with\_cloudwatch\_logging) | ../../ | n/a |
 
 ## Resources
@@ -89,10 +88,7 @@ No inputs.
 | <a name="output_cluster_type"></a> [cluster\_type](#output\_cluster\_type) | The Redshift cluster type |
 | <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | The version of Redshift engine software |
 | <a name="output_cluster_vpc_security_group_ids"></a> [cluster\_vpc\_security\_group\_ids](#output\_cluster\_vpc\_security\_group\_ids) | The VPC security group ids associated with the cluster |
-| <a name="output_endpoint_access_address"></a> [endpoint\_access\_address](#output\_endpoint\_access\_address) | The DNS address of the endpoint |
-| <a name="output_endpoint_access_id"></a> [endpoint\_access\_id](#output\_endpoint\_access\_id) | The Redshift-managed VPC endpoint name |
-| <a name="output_endpoint_access_port"></a> [endpoint\_access\_port](#output\_endpoint\_access\_port) | The port number on which the cluster accepts incoming connections |
-| <a name="output_endpoint_access_vpc_endpoint"></a> [endpoint\_access\_vpc\_endpoint](#output\_endpoint\_access\_vpc\_endpoint) | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
+| <a name="output_endpoint_access"></a> [endpoint\_access](#output\_endpoint\_access) | A map of access endpoints created and their attributes |
 | <a name="output_master_password_secret_arn"></a> [master\_password\_secret\_arn](#output\_master\_password\_secret\_arn) | ARN of managed master password secret |
 | <a name="output_master_password_secretsmanager_secret_rotation_enabled"></a> [master\_password\_secretsmanager\_secret\_rotation\_enabled](#output\_master\_password\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
 | <a name="output_parameter_group_arn"></a> [parameter\_group\_arn](#output\_parameter\_group\_arn) | Amazon Resource Name (ARN) of the parameter group created |