terraform-aws-iam-system-user

Terraform Module to Provision a Basic IAM System User Suitable for CI/CD Systems (E.g. TravisCI, CircleCI)

APACHE-2.0 License

Stars
80
Committers
31

terraform-aws-iam-system-user - v1.2.1 Latest Release

Published by github-actions[bot] 8 months ago

Rebuild github dir from the template

🤖 Automatic Updates

This PR contains the following updates:

Package Type Update Change
cloudposse/ssm-parameter-store/aws (source) module minor 0.10.0 -> 0.13.0

Release Notes

v0.13.0

what

  • Unfortunately, we have to add the overwrite argument back due to the confusion of its deprecation:
Lastly, and unfortunately, configurations expecting the standard update flow will need to keep overwrite = true set until this becomes the default behavior in v6.0.0. Removing it in v5.X will result in the default value of false, preventing the parameter value from being updated, causing persistent differences.

why

  • Prevent undesired behaviour.

references

v0.12.0

fixes #51

Rebuild github dir from the template

v0.11.0

  • No changes

terraform-aws-iam-system-user - v1.2.0

Published by cloudpossebot over 1 year ago

  • No changes

terraform-aws-iam-system-user - v1.1.0

Published by cloudpossebot almost 2 years ago

│ Error: Invalid function argument
│ 
│   on .terraform/modules/service_codefresh_serverless/outputs.tf line 41, in output "ses_smtp_password_v4":
│   41:   value       = local.ssm_enabled ? null : join("", aws_iam_access_key.default.*.ses_smtp_password_v4)
│     ├────────────────
│     │ while calling join(separator, lists...)
│     │ aws_iam_access_key.default is tuple with 1 element
│ 
│ Invalid value for "lists" parameter: element 0 is null; cannot concatenate null values.

terraform-aws-iam-system-user - v1.0.0 (Breaking changes)

Published by cloudpossebot about 2 years ago

Remove expiring keys and awsutils provider, fix bugs @Nuru (#70)

note

Starting with version 0.23.0 of this module, AWS Access Keys created by this module expired in 30 days by default. This release removes the ability to create expiring keys, and non-expiring keys are created by default. This release also defaults to storing the keys in AWS SSM Parameter store and not passing them as outputs, because the outputs are stored unencrypted in the Terraform state file.

We recommend authenticating via an OIDC provider rather than using AWS Access Keys.

what

  • Remove iam_access_key_max_age and the ability to create AWS Access Keys of predefined lifetime
  • Output secrets only when not using SSM Parameter Store
  • Enhance testing

why

  • We are removing this feature due to the confusion to the community of our terraform users that has been caused by requiring the cloudposse/awsutils Terraform provider to provide the feature. The error messages stemming from the missing provider block configuration are causing more of a support headache than it is worth. Since we implemented this feature, most CI/CD providers have implemented a better way to obtain short-lived CI/CD credentials (e.g. GitHub Actions and CircleCI both support OIDC with AWS, GCP, Azure, etc.).
  • Secrets that are output from a module, even if marked sensitive, are still stored in plaintext in the Terraform state file, which makes them less secure than AWS Parameter Store.
  • Prevent regression of fixed bugs

references

  • Closes #54
  • Closes #62
  • Closes #67
  • Supersedes and closes #68
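
A way to check for the exposure described in the note above, as an added example that is not part of the module or its release notes: the function walks a Terraform state file (format version 4) and reports sensitive root outputs and aws_iam_access_key attributes that carry a value. The sample state, its resource names and its values are constructed for illustration.

```python
import json

# Attributes of aws_iam_access_key that hold credential material in state.
SECRET_ATTRS = ("secret", "ses_smtp_password_v4")

# Constructed sample (not real credentials), shaped like a version-4 state file.
SAMPLE_STATE = {
    "version": 4,
    "outputs": {
        "secret_access_key": {"value": "EXAMPLE-SECRET", "type": "string", "sensitive": True},
        "user_name": {"value": "ci-deployer", "type": "string"},
    },
    "resources": [{
        "module": "module.system_user", "mode": "managed",
        "type": "aws_iam_access_key", "name": "default",
        "instances": [{"index_key": 0, "attributes": {
            "id": "AKIAEXAMPLE", "secret": "EXAMPLE-SECRET",
            "ses_smtp_password_v4": None}}],
    }],
}

def find_plaintext_secrets(state: dict) -> list[str]:
    """Return addresses in a state document that carry secret values."""
    findings = []
    # "sensitive" only redacts CLI display; the value is still written to state.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") not in (None, ""):
            findings.append(f"output.{name}")
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_iam_access_key":
            continue
        prefix = f'{res["module"]}.' if res.get("module") else ""
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            key = inst.get("index_key")
            idx = "" if key is None else f"[{json.dumps(key)}]"
            for attr in SECRET_ATTRS:
                # Null for imported keys, so only populated attributes are reported.
                if attrs.get(attr):
                    findings.append(f'{prefix}{res["type"]}.{res["name"]}{idx}.{attr}')
    return findings

if __name__ == "__main__":
    for address in find_plaintext_secrets(SAMPLE_STATE):
        print("secret value present in state:", address)
```

To audit a real workspace, pass the parsed JSON of the state file to find_plaintext_secrets instead of SAMPLE_STATE.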

what

  • Add option to change the SSM base path under which credentials are stored
  • Store ses_smtp_password_v4 in SSM

why

  • Even if the IAM users are global per account, oftentimes there is a need to separate them per environment (dev, staging). By adding the ssm_base_path parameter we can have a better SSM hierarchy. Example: /dev/system_user/tc-dev-s3 and /staging/system_user/tc-staging-ses
  • Also having the ses_smtp_password_v4 stored in SSM will allow better integration with CI systems when deploying applications (rather than having a script to generate the password or read the terraform state)

references

  • closes #60
  • Copy of #61, Closes #61

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

terraform-aws-iam-system-user - v0.23.2

Published by cloudpossebot over 2 years ago

🤖 Automatic Updates

This PR contains the following updates:

Package Type Update Change
cloudposse/ssm-parameter-store/aws (source) module minor 0.8.4 -> 0.9.1

Release Notes

v0.9.1

🚀 Enhancements

v0.9.0

v0.8.5

🚀 Enhancements

Change default parameter type from SecretString to SecureString.

SecretString is a term from AWS Secrets Manager, and is not valid with SSM Parameter Store. The corresponding type is "SecureString".


terraform-aws-iam-system-user - v0.23.1

Published by cloudpossebot almost 3 years ago

🤖 Automatic Updates

This PR contains the following updates:

Package Type Update Change
cloudposse/ssm-parameter-store/aws (source) module patch 0.8.3 -> 0.8.4

Release Notes

v0.8.4

🚀 Enhancements


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

terraform-aws-iam-system-user - v0.23.0 Breaking change: New provider

Published by cloudpossebot almost 3 years ago

This release introduces a minor breaking change. It now requires the cloudposse/awsutils provider, which in turn requires a region argument to set the AWS region to work in, just like the Hashicorp AWS provider does. So, if you currently have this:

provider "aws" {
  region = var.region
}

you should update it to this:

provider "aws" {
  region = var.region
}

provider "awsutils" {
  region = var.region
}

and you should also update terraform.required_providers to include

    awsutils = {
      source  = "cloudposse/awsutils"
      version = ">= 0.11.0"
    }

what

  • By default, when the create_iam_access_key variable is true, create an IAM Access Key that will expire after 30 days.
  • After the iam_access_key_max_age has elapsed, running terraform plan and terraform apply again will produce a new secret access key.

why

  • Security best practices dictate that you should rotate your password/credentials on a periodic basis

references

terraform-aws-iam-system-user - v0.22.5

Published by cloudpossebot almost 3 years ago

🤖 Automatic Updates

This PR contains the following updates:

Package Type Update Change
cloudposse/ssm-parameter-store/aws (source) module patch 0.8.2 -> 0.8.3

Release Notes

v0.8.3

🚀 Enhancements

terraform-aws-iam-system-user - v0.22.4

Published by cloudpossebot almost 3 years ago

🚀 Enhancements

Setting the create_iam_access_key parameter to false throws an error when running terraform plan.

references

  • Closes #55

terraform-aws-iam-system-user - v0.22.3

Published by cloudpossebot almost 3 years ago

🤖 Automatic Updates

This PR contains the following updates:

Package Type Update Change
cloudposse/ssm-parameter-store/aws (source) module patch 0.8.1 -> 0.8.2

Release Notes

v0.8.2

🚀 Enhancements

terraform-aws-iam-system-user - v0.22.2

Published by cloudpossebot about 3 years ago

🚀 Enhancements

what

  • Run make github/init.
  • Bump module dependencies.

why

  • Updates GHA-workflow-related files to their latest distribution.
  • Old module dependencies do not use the latest distribution of context.tf, meaning some features such as the tenant label are not present.

references

terraform-aws-iam-system-user - v0.22.1

Published by cloudpossebot about 3 years ago

🤖 Automatic Updates

what

This is an auto-generated PR that updates the context.tf file to the latest version from cloudposse/terraform-null-label

why

To support all the features of the context interface.

terraform-aws-iam-system-user - v0.22.0

Published by cloudpossebot about 3 years ago

what

  • enable attaching permissions_boundary to user

why

  • security / governance improvement by supporting permissions_boundary

references

terraform-aws-iam-system-user - v0.21.0

Published by cloudpossebot about 3 years ago

what

  • Adds writing the created access key ID and secret access key to SSM Parameter Store

why

  • There is no great way of getting these values out of this module outside of utilizing them in an output block in the root module. This is inconvenient and I believe it's preferable to look up these values from parameter store instead of writing them to output (even as sensitive) all the time.

references

  • N/A

terraform-aws-iam-system-user - v0.20.2

Published by cloudpossebot over 3 years ago

🚀 Enhancements

what

  • Tolerate Terraform states where the ses_smtp_password_v4 attribute is missing

why

  • In some scenarios, this attribute may be missing from the state. One example, taken from the official documentation, is: "Resource attributes such as encrypted_secret, key_fingerprint, pgp_key, secret, and ses_smtp_password_v4 are not available for imported resources as this information cannot be read from the IAM API."

references

terraform-aws-iam-system-user - v0.20.1

Published by cloudpossebot over 3 years ago

🤖 Automatic Updates

what

  • update context.tf to v0.24.1
  • minimum required Terraform version bumped to 0.13.0
  • readme updated, Bridgecrew compliance badges added

why

  • It allows for setting the letter case of tag names and labels, back compatibility with context v0.22.0 and below
  • we have dropped support for Terraform 0.12
  • To be able to see and fix the recommendations from Bridgecrew so we can position our modules as standards compliant

terraform-aws-iam-system-user - v0.20.0

Published by cloudpossebot over 3 years ago

what

  • adds create_iam_access_key boolean variable to conditionally create aws_iam_access_key.
  • defaults to true which aligns with current expected behavior

why

  • We would prefer to not create access keys that are stored in terraform state

references

You guys and your modules rock!

terraform-aws-iam-system-user - v0.19.1

Published by cloudpossebot over 3 years ago

🤖 Automatic Updates

what

This is an auto-generated PR that updates the context.tf file to the latest version from cloudposse/terraform-null-label

why

To support all the features of the context interface.

terraform-aws-iam-system-user - v0.19.0

Published by cloudpossebot over 3 years ago

what

  • update context.tf to v0.23.0
  • minimum required Terraform version bumped to 0.13.0
  • readme updated, Bridgecrew compliance badges added

why

  • It allows for setting the letter case of tag names and labels
  • we have dropped support for Terraform 0.12
  • To be able to see and fix the recommendations from Bridgecrew so we can position our modules as standards compliant

terraform-aws-iam-system-user - v0.18.0

Published by cloudpossebot almost 4 years ago

what

  • Upgrade to support Terraform 0.14 and bring up to current Cloud Posse standard

why

  • Support Terraform 0.14