v0.82.4

🤖 Automatic Updates

chore(deps): update terraform cloudposse/iam-role/aws to v0.16.0 @renovate (#227)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/iam-role/aws (source)	module	minor	0.15.0 -> 0.16.0

---

Release Notes

cloudposse/terraform-aws-iam-role

v0.16.0

Compare Source

Making tags for roles optional @​jamengual (#​43)

#### what * Make role tags optional * #### why * Restrictive policy boundaries do not allow tag roles in highly secure environments.

---

v0.82.3

🚀 Enhancements

Update versions.tf @rusowyler (#218)

what

• Restrict AWS provider version

why

• >= 3.64 because response_headers_policy_id first appeared on version: 3.64.0 (November 04, 2021)
• < 4.0.0 many breaking changes affect this module.

references

• https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#3640-november-04-2021
• https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#400-february-10-2022

v0.82.2

🤖 Automatic Updates

Update Terraform cloudposse/route53-alias/aws to v0.13.0 @renovate (#216)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/route53-alias/aws (source)	module	minor	0.12.1 -> 0.13.0

---

Release Notes

cloudposse/terraform-aws-route53-alias

v0.13.0

Compare Source

BREAKING CHANGE: Because this release changes resource addresses, it will result in Terraform destroying and recreating some resources. Please consider removing aws_route53_record from the state and importing them to the new resource addresses if you do not with for any destructive changes.

Fix: Add BridgeCrew Suppressions @​korenyoni (#​39)

#### what

• Add BridgeCrew suppressions

why

Add suppressions appearing in #​37

#### references * #​37

Chore: Run 'make github/init' @​korenyoni (#​38)

#### what * Run `make github/init` #### why * Updates GHA-workflow-related files to their latest distribution in https://github.com/cloudposse/build-harness * Allows using `no-release` label for consolidating multiple PRs into a single release. #### references * N/A

#### 🐛 Bug Fixes

Fix: create records using `for_each` instead of `count` @​1david5 (#​37)

#### what * Modify `default` and `ipv6` `aws_route53_record` resources to use `for_each` instead of `count`. #### why * Prevent destroying and recreating DNS records when removing elements from `aliases` list.

---

v0.82.1

🚀 Enhancements

fix: handle viewer_certificate.ssl_support_method with CF default certificate @syphernl (#213)

what

• Sets ssl_support_method to null when default certificate is being used instead of setting it to sni-only in all cases.

why

• Setting this to an explicit value (sni-only) in conjunction with the "default certificate" results in the state not being idempotent.

references

• #208

🐛 Bug Fixes

[main.tf] Updated conditions with included cache_policy_id variable @eboboshka (#210)

what

• Fixed conditions when using cache_policy_id

why

• When using cache_policy_id, the module tries to change ttl values from zero to the default values.

      ~ default_cache_behavior {
          ~ default_ttl            = 0 -> 60
          ~ max_ttl                = 0 -> 31536000
            # (10 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }

• There is no need to use the mandatory ARN lambda in Cusom Behavior.

references

• #188

fix: handle viewer_certificate.ssl_support_method with CF default certificate @syphernl (#213)

what

• Sets ssl_support_method to null when default certificate is being used instead of setting it to sni-only in all cases.

why

• Setting this to an explicit value (sni-only) in conjunction with the "default certificate" results in the state not being idempotent.

references

• #208

🤖 Automatic Updates

Update Terraform cloudposse/iam-role/aws to v0.15.0 @renovate (#215)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/iam-role/aws (source)	module	minor	0.14.1 -> 0.15.0

---

Release Notes

cloudposse/terraform-aws-iam-role

v0.15.0

Compare Source

allow to set role and policy path @​1david5 (#​40)

#### what * Add `path` argument to role and policy resources #### why * Allow users to set path for role and policy

---

Update Terraform cloudposse/iam-role/aws to v0.14.1 @renovate (#206)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/iam-role/aws (source)	module	patch	0.14.0 -> 0.14.1

---

Release Notes

cloudposse/terraform-aws-iam-role

v0.14.1

Compare Source

Fix: Fix Variable Description Typo for `var.use_fullname` @​korenyoni (#​36)

#### what * Fix variable description typo introduced in #​35 for `var.use_fullname` #### why * Minor typo (unmatched right bracket). #### references * #​35

Drop unused null provider @​Xerkus (#​34)

#### what * Drop `hashicorp/null` provider from dependencies #### why * As far as I can tell the null provider is not used and I do not think it is needed for any kind of indirect dependency * I think it was needed at some point for terraform-null-label #### references * Closes #​31

Fix: fix variable description for `var.use_fullname`, run `make github/init` @​korenyoni (#​35)

#### what - Fix variable description for `var.use_fullname`. - Run `make github/init`. #### why - The `var.use_fullname` variable description is incorrect and refers to ECR repositories instead of IAM roles. - Running `make github/init` will update GHA-workflow related files (and CODEOWNERS), the former of which is required for the `no-release` label (which allows for consolidating multiple small PRs such as this into one release). #### references * N/A

#### 🚀 Enhancements

Add tags to policy @​nitrocode (#​37)

#### what * Add tags to policy #### why * Tag it all #### references N/A

---

v0.82.0

Added new response_headers_policy_id argument for a block with Custom behavior @eboboshka (#211)

[main.tf, variables.tf]

what

• Added new response_headers_policy_id argument for a block with Custom behavior

why

• They just forgot about the cusom block ordered_cache_behavior

references

• #192

v0.81.0

Feat: Add Support for S3 Object Ownership Controls @korenyoni (#209)

what

• Add support for S3 object ownership controls.
• Misc: add BridgeCrew exceptions.

why

S3 object ownership controls should be configurable for the origin bucket behind the CloudFront distribution. If the origin bucket is used within CI pipelines, cross-account writes to the bucket will result in the object being owned by that account. This can result in 403's when attempting to access content in the CF distribution, unless the S3 object ownership setting is set to BucketOwnerEnforced.

By default, when another AWS account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs.

The new S3 object ownership variable has as a default value that has the same effect if the new s3_bucket_ownership_controls were not to exist at all. Thus, this is a backwards-compatible release.

references

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
• cloudposse/terraform-aws-s3-bucket#109

fix: set viewer_certificate.ssl_support_method to a non-empty value @syphernl (#208)

what

• Sets the viewer_certificate.ssl_support_method to a non-empty value

why

• Since AWS Provider 3.71.0 the viewer_certificate.ssl_support_method is being validated on plan-time and can no longer be an empty string but must be sni-only or vip (of which the latter incurs costs)

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#ssl_support_method

v0.80.0

🚀 Enhancements

Feat: `lambda@edge` submodule @korenyoni (#204)

what

• Add submodule for creating Lambda@Edge functions
• Add test for Lambda@Edge submodule
• Ensure all tests run in parallel.
• Fix versions.tf in examples/complete according to TFLint

why

• Lambda@Edge are a potentially common use case for this repo, and a submodule for creating Lambda@Edge functions for use with the root module should be created.

references

• N/A

notes

Please note that a side effect of this change is that the test suite will now take ~30 minutes to run.

v0.79.0

🚀 Enhancements

Feat: Add `external_aliases` Which Will Not Have CNAMEs Created for Them @mburns (#199)

what

• Allow for aliases in CloudFront which do not get the corresponding CNAME record created in Route53.
• Misc: add BridgeCrew suppressions.

why

• Not all CloudFront domains are managed in Route53
• This is similar to dns_alias_enabled, but allows for a mixture of DNS providers for a single CloudFront Distribution
• Some new false positives were raised by BridgeCrew, hence requiring some suppressions.

Fix: Do Not Hardcode AWS Partition @korenyoni (#203)

what

• Do not hardcode AWS partition.

why

• Adds support for partitions other than aws, such as aws-us-gov.

references

• closes #200

Chore: Bump Dependency Module Versions @korenyoni (#201)

what

• Bump route53-alias module version to latest.
• Bump s3-log-storage module to latest.

why

• Dependency modules do not currently support tenant label (they are not at the version which supports it).
• General module hygiene: keep dependency modules up to date.

references

• https://github.com/cloudposse/terraform-null-label/releases/tag/0.25.0
• Supersedes and closes #187

🐛 Bug Fixes

Chore: Update `auto-release` (`release-drafter`) GHA workflow to latest distribution; fix Terratest @korenyoni (#202)

what

• Update auto-release (release-drafter) GHA workflow to latest distribution from build-harness.
• Fix Terratest by ensuring IAM roles created by examples/complete are unique for each run (also increase test timeout).

why

• The latest distribution of the auto-release GHA workflow from https://github.com/cloudposse/build-harness allows merged PRs to be accumulated in a draft release when the no-release label is used. This allows PRs to be consolidated rather than each given their own release — as renovatebot will cause a rippling series of module updates across all repositories that use this module, and all repositories that use those modules, etc.
• This is a subset of make github/init, which will update all GHA-related files to the latest build-harness distribution. However, changing CODEOWNERS will require admin approval and this is a blocker.
• Terratest was failing because examples/complete was creating IAM roles whose names did not make the use of module.this.attributes (which contains a random seed in each run). Also, the test timeout was not sufficiently long to complete all tests.

references

• cloudposse/build-harness#296
• #201

v0.78.0

feat: add origin_request_policy_id variable for default cache behavior @bartelemi (#193)

what

Add origin_request_policy_id input variable for setting this param in default cache behavior.

why

This param is missing from the module.

references

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin_request_policy_id

v0.77.0

Added support for forward_cookies_whitelisted_names @rafaljanicki (#198)

what

I've added support for whitelisted_names (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#whitelisted_names) if forward_cookies is set to "whitelist"

why

Currently, the only option to forward cookies is to set it to "all" which isn't perfect

references

• I've used naming and approach from another Cloudposse module - https://github.com/cloudposse/terraform-aws-cloudfront-cdn/blob/master/variables.tf