terraform-aws-dynamic-subnets

Terraform module for public and private subnets provisioning in existing VPC

APACHE-2.0 License

Stars: 191
Committers: 42


terraform-aws-dynamic-subnets - v0.33.1

Published by cloudpossebot almost 4 years ago

🤖 Automatic Updates

WhiteSource Renovate

This PR contains the following updates:

Package | Type | Update | Change
cloudposse/label/null (source) | terraform | patch | 0.22.0 -> 0.22.1


terraform-aws-dynamic-subnets - v0.33.0 Breaking change: replace `existing_nat_ips` with `nat_elastic_ips`

Published by cloudpossebot almost 4 years ago

Breaking change

Despite the language in #42, which was closed by PR #86 which introduced existing_nat_ips, and the description of the existing_nat_ips variable, the previous behavior was that if you provide existing IPs, they are assumed to be connected to existing NAT gateways or instances. No new gateways are created. "existing_nat_ips" is interpreted to mean the IPs of existing NATs.

That behavior makes no sense. Nothing was done with the existing IPs; all that happened if you provided them was that no NATs were created. The same effect could be achieved by setting both nat_gateway_enabled and nat_instance_enabled to false.

This release renames existing_nat_ips to nat_elastic_ips, so that anyone using existing_nat_ips will be notified about the change in behavior, which otherwise could go unnoticed and be expensive. To retain the old behavior, set nat_elastic_ips to the same list you previously used to set existing_nat_ips, and set both nat_gateway_enabled and nat_instance_enabled to false.

The new behavior is that creation of NAT gateways and/or instances is controlled only by nat_gateway_enabled and nat_instance_enabled. If you supply nat_elastic_ips, you must supply at least enough IPs for all the created gateways/instances, and the provided IPs will be assigned to them. Otherwise, this module will allocate new elastic IPs for them.
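The two configurations described above, side by side, as an added example that is not taken from the module's repository. The var.* inputs, the label values and the sample addresses are assumptions; apply only one of the two module blocks to a given VPC.

```hcl
# Added example (not from the module's repository). Variable names under var.*,
# label values and sample addresses are assumptions made for illustration.

variable "vpc_id" { type = string }
variable "igw_id" { type = string }
variable "cidr_block" { type = string }
variable "availability_zones" { type = list(string) }

# Constructed sample values (TEST-NET-3 documentation range). In practice these are
# Elastic IPs already allocated in the account, e.g. ones third parties allow-list.
variable "egress_ips" {
  type    = list(string)
  default = ["203.0.113.10", "203.0.113.11"]
}

# Option A: keep the pre-0.33.0 effect of existing_nat_ips.
# The IPs are accepted, but no NAT gateway or NAT instance is created.
module "subnets_no_nat" {
  source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.33.0"

  namespace          = "eg"
  stage              = "test"
  name               = "app"
  vpc_id             = var.vpc_id
  igw_id             = var.igw_id
  cidr_block         = var.cidr_block
  availability_zones = var.availability_zones

  nat_elastic_ips      = var.egress_ips
  nat_gateway_enabled  = false
  nat_instance_enabled = false
}

# Option B: 0.33.0 behaviour. NAT creation is controlled only by the two
# *_enabled flags, and the supplied Elastic IPs are assigned to the NATs created.
# The list must hold at least as many IPs as NATs are created.
module "subnets_fixed_egress" {
  source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.33.0"

  namespace          = "eg"
  stage              = "test"
  name               = "app"
  vpc_id             = var.vpc_id
  igw_id             = var.igw_id
  cidr_block         = var.cidr_block
  availability_zones = var.availability_zones

  nat_elastic_ips      = var.egress_ips
  nat_gateway_enabled  = true
  nat_instance_enabled = false
}
```

Running terraform plan against Option B before upgrading shows whether NAT gateways would be created where none existed, which is the cost change the rename is meant to surface.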

what

  • Removed check which caused NAT instances/gateways not to be created if existing Elastic IPs provided
  • It's not clear why this check was added

why

  • We need the ability to assign existing elastic IPs to NAT instances/gateways

references

  • closes #101

terraform-aws-dynamic-subnets - v0.32.1

Published by cloudpossebot almost 4 years ago

🚀 Enhancements

what

tf14 upgrade

why

old version of context label provider

terraform-aws-dynamic-subnets - v0.32.0

Published by RothAndrew almost 4 years ago

what

  • Increase terraform min version to 0.12.26 due to new required_providers format
  • Relax provider version requirements by using >= instead of ~>

why

  • Provide greater compatibility with newer versions of providers

references

terraform-aws-dynamic-subnets - v0.31.0

Published by github-actions[bot] almost 4 years ago

what

  • Ignore 2 tfsec warnings

why

  • We are okay with the CIDR block on the NAT instance's egress being 0.0.0.0/0
  • We are okay with the NAT instance having a public IP address (?)

references


terraform-aws-dynamic-subnets - v0.30.0

Published by github-actions[bot] about 4 years ago

Warning

This release will change the tags on many of your resources. Resources which are created for each availability zone rather than each region should have the availability zone appended to the end of the ID that is the value of the "Name" tag. Previously, the full AWS region code was used, with dashes replaced by the null-label delimiter (which is dash by default, so usually no changes were made). Now the AZ code used is selectable and by default is Cloud Posse's new "short" code, which uses only digits and lower case letters.

Usage note

Tags you specify as inputs to modules override any generated tags. This includes the "Name" tag. Some people are using code like this:


module "label" {
  source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
  ... 
  tags = var.tags
}
locals {
  # THIS IS MISGUIDED. Do not merge tags. Supply the new tags and the modules will merge them for you.
  tags = merge(module.label.tags, map(format("kubernetes.io/cluster/%s-%s-%s-eks-cluster", var.namespace, var.environment, var.stage), "shared"))
}
module "subnets" {
  source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.22.0"
  ...
  tags = local.tags
}

Because of the merge, local.tags includes a Name tag which takes precedence over the tags generated by terraform-aws-dynamic-subnets, preventing the module from enhancing the Name tag with additional disambiguation information. The merge is not required, and instead you should just use:

locals {
  tags = map(format("kubernetes.io/cluster/%s-%s-%s-eks-cluster", var.namespace, var.environment, var.stage), "shared")
}

what

  • When resources are tagged with names that have the Availability Zone appended, use Cloud Posse's new "short" AZ codes
  • Update context.tf and null-label to v0.19.2

why

  • Full Availability Zone (AZ) codes have 2 dashes in them (e.g. "us-east-2") and Cloud Posse's naming convention defaults to using dashes as token separators. Additionally, previous code replaced the dashes in the AZ codes with whatever delimiter was in use for labels. This means that the previous availability zone was treated as 3 tokens when it is more appropriately treated as 1 token. Cloud Posse's new short codes use only digits and lower case letters, ensuring they are always treated as a single token.
  • Stay in sync with other modules

references

Cloud Posse's AWS AZ short codes

terraform-aws-dynamic-subnets - v0.29.0

Published by github-actions[bot] about 4 years ago

what

  • Replaces var.delimiter with local.delimiter in nat-instance.tf

why

  • After the changes done in #97 creating a NAT instance is failing because it tries to do a replace on a null value

references

  • Refs #97

terraform-aws-dynamic-subnets - v0.28.0

Published by github-actions[bot] about 4 years ago

what

Update to current standards

  • Update to context.tf
  • Update to go modules
  • Update .github files

why

Standardization and interoperability

terraform-aws-dynamic-subnets -

Published by joe-niland about 4 years ago

terraform-aws-dynamic-subnets -

Published by Gowiem about 4 years ago

terraform-aws-dynamic-subnets -

Published by jamengual about 4 years ago

what

  • Fixing resource creation when enabled flag is = false

why

  • Some resources were still created even when the enabled flag was false

terraform-aws-dynamic-subnets - 0.24.0: Support 0.13 (#92)

Published by nitrocode about 4 years ago

terraform-aws-dynamic-subnets -

Published by jamengual over 4 years ago

closes https://github.com/cloudposse/terraform-aws-dynamic-subnets/issues/42

what

Allow use of existing AWS Elastic IPs by IP address (resolves to allocation id via data source).

why

Sometimes it's important to keep IP addresses, for example to allow business customers granting these IPs in firewalls, a third party tool is configured to only allow certain IPs or there is already an existing IP pool to use. See also referenced issue.

/cc @osterman maybe? :)

terraform-aws-dynamic-subnets -

Published by osterman over 4 years ago

terraform-aws-dynamic-subnets - 0.21.0 Add Nat Gateway EIP to outputs #91

Published by 3h4x over 4 years ago

what

  • Added NAT Gateway EIP to outputs

why

  • So they can be read via remote state

terraform-aws-dynamic-subnets -

Published by osterman over 4 years ago

what

  • Add private_subnets_additional_tags and public_subnets_additional_tags variables
  • Change AWS region for tests to us-east-2

why

  • EKS requires tagging all subnets with kubernetes.io/cluster/<cluster-name>=shared tag, but at the same time it requires tagging subnets with additional tags that are different for public and private subnets:

    • Private Subnet Tagging Requirement for Internal Load Balancers:
      kubernetes.io/role/internal-elb=1

    • Public Subnet Tagging Option for External Load Balancers:
      kubernetes.io/role/elb

This is required because EKS can't detect the type of subnets automatically

  • Change AWS region for tests to us-east-2 since we use it in all our tests and the us-west-1 region is very limited

references

terraform-aws-dynamic-subnets - 0.12.3 - EIP refactoring for TF 0.11

Published by maximmi almost 5 years ago

what

  • gateway and instance now use same EIP module

why

  • to avoid reassigning IPs in case of switch between gateway and instance types

terraform-aws-dynamic-subnets -

Published by goruha almost 5 years ago

terraform-aws-dynamic-subnets - 0.12.2 Fix EIP NAT instances

Published by goruha almost 5 years ago

what

  • Fix public ip address

why

  • EIP forces that flag to true