feat: make module complaint with terraform 1.3 (#5)

Author: SweetOps

.github/workflows/docs.yml

@@ -1,26 +1,27 @@
+name: Generate terraform docs
 on:
   pull_request:
 
 jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-      with:
-        ref: ${{ github.event.pull_request.head.ref }}
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
 
-    - name: Render terraform docs inside the examples/basic/README.md
-      uses: terraform-docs/[email protected]
-      with:
-        working-dir: ./examples/basic/
-        git-push: "false"
-        output-file: README.md
-        config-file: ".terraform-docs.yml"
+      - name: Render terraform docs inside the examples/basic/README.md
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: ./examples/basic/
+          git-push: "false"
+          output-file: README.md
+          config-file: ".terraform-docs.yml"
 
-    - name: Render terraform docs inside the README.md
-      uses: terraform-docs/[email protected]
-      with:
-        working-dir: .
-        git-push: "true"
-        output-file: README.md
-        config-file: ".terraform-docs.yml"
+      - name: Render terraform docs inside the README.md
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: .
+          git-push: "true"
+          output-file: README.md
+          config-file: ".terraform-docs.yml"

.github/workflows/pr-lint.yml

@@ -9,7 +9,7 @@ jobs:
 
     steps:
       - name: Lint PR
-        uses: aslafy-z/conventional-pr-title-action@master
+        uses: aslafy-z/conventional-pr-title-action@v2.4.1
         with:
           preset: conventional-changelog-angular@^5.0.6
         env:

.github/workflows/terraform.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: 1.0.4
+          terraform_version: 1.3.0
 
       - name: Ensure Terraform code is formated
         run: terraform fmt -check
@@ -24,4 +24,3 @@ jobs:
 
       - name: Validate Terraform code
         run: terraform validate -no-color
-

.github/workflows/tflint.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: 1.0.4
+          terraform_version: 1.3.0
 
       - name: Terraform Init
         run: terraform init

.github/workflows/tfsec.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: 1.0.4
+          terraform_version: 1.3.0
 
       - name: Terraform Init
         run: terraform init

README.md

@@ -45,7 +45,7 @@ module "secrets" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
 
 ## Providers
@@ -82,7 +82,7 @@ module "secrets" {
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
-| <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | enabled:<br>    Whether to create KSM key.<br>description:<br>    The description of the key as viewed in AWS console.<br>alias:<br>    The display name of the alias. The name must start with the word alias followed by a forward slash. <br>    If not specified, the alias name will be auto-generated.<br>deletion\_window\_in\_days:<br>    Duration in days after which the key is deleted after destruction of the resource<br>enable\_key\_rotation:<br>    Specifies whether key rotation is enabled. | <pre>object({<br>    enabled                 = optional(bool)<br>    description             = optional(string)<br>    alias                   = optional(string)<br>    deletion_window_in_days = optional(number)<br>    enable_key_rotation     = optional(bool)<br>  })</pre> | <pre>{<br>  "deletion_window_in_days": 30,<br>  "description": "Managed by Terraform",<br>  "enable_key_rotation": true,<br>  "enabled": true<br>}</pre> | no |
+| <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | enabled:<br>    Whether to create KSM key.<br>description:<br>    The description of the key as viewed in AWS console.<br>alias:<br>    The display name of the alias. The name must start with the word alias followed by a forward slash. <br>    If not specified, the alias name will be auto-generated.<br>deletion\_window\_in\_days:<br>    Duration in days after which the key is deleted after destruction of the resource<br>enable\_key\_rotation:<br>    Specifies whether key rotation is enabled. | <pre>object({<br>    enabled                 = optional(bool, true)<br>    description             = optional(string, "Managed by Terraform")<br>    alias                   = optional(string)<br>    deletion_window_in_days = optional(number, 30)<br>    enable_key_rotation     = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. <br>If you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named `aws/secretsmanager`). | `string` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -93,8 +93,8 @@ module "secrets" {
 | <a name="input_policy"></a> [policy](#input\_policy) | Valid JSON document representing a resource policy. | `string` | `null` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Valid JSON document representing a resource policy. | `number` | `30` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
-| <a name="input_rotation"></a> [rotation](#input\_rotation) | enabled:<br>    Whether to create secret rotation rule. <br>    Default value: `false`<br>lambda\_arn:<br>    Specifies the ARN of the Lambda function that can rotate the secret.<br>automatically\_after\_days:<br>    Specifies the number of days between automatic scheduled rotations of the secret. | <pre>object({<br>    enabled                  = optional(bool)<br>    lambda_arn               = string<br>    automatically_after_days = number<br>  })</pre> | <pre>{<br>  "automatically_after_days": 0,<br>  "lambda_arn": ""<br>}</pre> | no |
-| <a name="input_secret_version"></a> [secret\_version](#input\_secret\_version) | enabled:<br>    Whether to create secret version. <br>    Default value: `false`<br>secret\_string:<br>    Specifies text data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_binary` is not set.<br>secret\_binary:<br>    Specifies binary data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_string` is not set. <br>    Needs to be encoded to base64. | <pre>object({<br>    enabled       = optional(bool)<br>    secret_string = optional(string)<br>    secret_binary = optional(string)<br>  })</pre> | `{}` | no |
+| <a name="input_rotation"></a> [rotation](#input\_rotation) | enabled:<br>    Whether to create secret rotation rule. <br>    Default value: `false`<br>lambda\_arn:<br>    Specifies the ARN of the Lambda function that can rotate the secret.<br>automatically\_after\_days:<br>    Specifies the number of days between automatic scheduled rotations of the secret. | <pre>object({<br>    enabled                  = optional(bool, false)<br>    lambda_arn               = string<br>    automatically_after_days = number<br>  })</pre> | <pre>{<br>  "automatically_after_days": 0,<br>  "lambda_arn": ""<br>}</pre> | no |
+| <a name="input_secret_version"></a> [secret\_version](#input\_secret\_version) | enabled:<br>    Whether to create secret version. <br>    Default value: `false`<br>secret\_string:<br>    Specifies text data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_binary` is not set.<br>secret\_binary:<br>    Specifies binary data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_string` is not set. <br>    Needs to be encoded to base64. | <pre>object({<br>    enabled       = optional(bool, true)<br>    secret_string = optional(string)<br>    secret_binary = optional(string)<br>  })</pre> | `{}` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |

examples/basic/README.md

@@ -45,7 +45,7 @@ module "secrets" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
 
 ## Providers

examples/basic/versions.tf

@@ -1,6 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
-  experiments      = [module_variable_optional_attrs]
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {

main.tf

@@ -4,41 +4,20 @@ locals {
   secret_id               = one(aws_secretsmanager_secret.default[*].id)
   secret_arn              = one(aws_secretsmanager_secret.default[*].arn)
   version_id              = one(aws_secretsmanager_secret_version.default[*].version_id)
-  secret_version          = defaults(var.secret_version, local.secret_version_default)
-  secret_version_enabled  = local.enabled && local.secret_version["enabled"]
-  secret_string           = local.secret_version_enabled && length(local.secret_version["secret_string"]) > 0 ? local.secret_version["secret_string"] : null
-  secret_binary           = local.secret_version_enabled && length(local.secret_version["secret_binary"]) > 0 ? local.secret_version["secret_binary"] : null
-  secret_rotation         = defaults(var.rotation, local.secret_rotation_default)
-  secret_rotation_enabled = local.enabled && local.secret_rotation["enabled"]
-  kms_key                 = defaults(var.kms_key, local.kms_key_default)
-  kms_key_enabled         = local.enabled && local.kms_key["enabled"]
-  kms_key_id              = local.kms_key["enabled"] ? module.kms_key.key_id : var.kms_key_id
-
-  kms_key_default = {
-    deletion_window_in_days = 30
-    description             = "Managed by Terraform"
-    enable_key_rotation     = true
-    enabled                 = true
-  }
-  secret_version_default = {
-    secret_string = ""
-    secret_binary = ""
-    enabled       = false
-  }
-
-  secret_rotation_default = {
-    enabled = false
-  }
+  secret_version_enabled  = local.enabled && var.secret_version["enabled"]
+  secret_rotation_enabled = local.enabled && var.rotation["enabled"]
+  kms_key_enabled         = local.enabled && var.kms_key["enabled"]
+  kms_key_id              = var.kms_key["enabled"] ? module.kms_key.key_id : var.kms_key_id
 }
 
 module "kms_key" {
   source  = "cloudposse/kms-key/aws"
   version = "0.12.1"
 
-  description             = local.kms_key["description"]
-  deletion_window_in_days = local.kms_key["deletion_window_in_days"]
-  enable_key_rotation     = local.kms_key["enable_key_rotation"]
-  alias                   = lookup(local.kms_key, "alias", format("secretsmanager/%s", module.this.id))
+  description             = var.kms_key["description"]
+  deletion_window_in_days = var.kms_key["deletion_window_in_days"]
+  enable_key_rotation     = var.kms_key["enable_key_rotation"]
+  alias                   = lookup(var.kms_key, "alias", format("secretsmanager/%s", module.this.id))
 
   enabled = local.kms_key_enabled
   context = module.this.context
@@ -59,8 +38,8 @@ resource "aws_secretsmanager_secret_version" "default" {
   count = local.secret_version_enabled ? 1 : 0
 
   secret_id     = local.secret_id
-  secret_string = local.secret_string
-  secret_binary = local.secret_binary
+  secret_string = var.secret_version["secret_string"]
+  secret_binary = var.secret_version["secret_binary"]
 }
 
 resource "aws_secretsmanager_secret_rotation" "default" {

variables.tf

@@ -27,18 +27,13 @@ variable "kms_key_id" {
 
 variable "kms_key" {
   type = object({
-    enabled                 = optional(bool)
-    description             = optional(string)
+    enabled                 = optional(bool, true)
+    description             = optional(string, "Managed by Terraform")
     alias                   = optional(string)
-    deletion_window_in_days = optional(number)
-    enable_key_rotation     = optional(bool)
+    deletion_window_in_days = optional(number, 30)
+    enable_key_rotation     = optional(bool, true)
   })
-  default = {
-    deletion_window_in_days = 30
-    description             = "Managed by Terraform"
-    enable_key_rotation     = true
-    enabled                 = true
-  }
+  default     = {}
   description = <<-DOC
     enabled:
         Whether to create KSM key.
@@ -56,7 +51,7 @@ variable "kms_key" {
 
 variable "secret_version" {
   type = object({
-    enabled       = optional(bool)
+    enabled       = optional(bool, true)
     secret_string = optional(string)
     secret_binary = optional(string)
   })
@@ -78,7 +73,7 @@ variable "secret_version" {
 
 variable "rotation" {
   type = object({
-    enabled                  = optional(bool)
+    enabled                  = optional(bool, false)
     lambda_arn               = string
     automatically_after_days = number
   })

versions.tf

@@ -1,6 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
-  experiments      = [module_variable_optional_attrs]
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {