Terraform 0.11
Terraform 0.12
Update aws_alb_listener_rule resources to use new condition syntax as this moved from warning to error.
# from..
condition {
  field  = "host-header"
  values = ["my-hostname"]
}
# to..
condition {
  host_header {
    values = ["my-hostname"]
  }
}
Update typo in port_mappings for services/tasks/quartet
Introduce ecs/container_definition and ecs/task_definition modules. These will allow more granular control over container and task than is currently in /services/tasks.
Rewrite VPC module. Allows greater control of what is created by having submodules. Avoids the need to specify all CIDRs and the limit of only supporting 2 subnets.
Remove basic cluster and add standard. Standard has no config for samba, elastic-search or private dockerhub and allows folders created to be specified by caller.
Delete logging + dns module as they only created a single resource.
Update services/tasks/ modules:
- Create "env-vars" module to replace "environment-variable", gradually phase out needing to specify environment-var length in calling modules.
- Update "ulimits" and "port-mappings" to no longer require length to be set.
- Allow "secret_environment_variables" to be specified for tasks. note - execution tasks are not configured in these modules so this needs extra work
Fix how secret keys are calculated for secret_reference
Remove last usages of legacy interpolation syntax
Add min_size and max_size to bastion module. This will allow setting to 0 to have a default 'off' bastion host.
Add /ecs/ec2_capacity_provider, /ecs/web_fargate and /ecs/web_ec2 modules.
Add /load-balancing/target module, used by the /ecs/web_* modules above.
Allow 'hostname' to be specified in bastion module.
Add links parameter to container_definition module
hostname and zone_id are optional for ecs/web_* modules.
Allow data volume to be specified for /ecs/ec2_capacity_provider.
Add ephemeral_storage to /ecs/task_definition.
Add /ecs/autoscaling/scheduled module.
Removed services/base/worker and services/base/web-basic modules.
Ignore changes to desired_count for web_fargate and web_ecs.
Fix SQS module to use topic_arn for aws:SourceArn condition, rather than topic_name
Update SQS module to allow setting of raw_message_delivery on SNS subscription.
Remove "Project" tag from everywhere with exception of ASG creation. Expectation is that default_tags will be used to set project from calling modules.
Add "resourceRequirements" to ecs/container_definition.
Add "ulimits" variable to ECS container_definition module. Provided as a map:
ulimits = {
  "name"   = "softLimit:hardLimit"
  "nofile" = "32768:65536"
}
Add /ecs/ec2_capacity_provider_abs module for creating ECS capacity provider with attribute based instance selection.
Allow base to be set for capacity provider strategy in web_ec2 ecs module.
Alter device_names use for capacity providers. Latest AMIs use 1 volume (/dev/xvda) for both OS and Docker, rather than the previous approach of Docker having a separate volume.
Allow min_size to be set for capacity provider ASG
Add /vpc/legacy module. This was removed in 3.0 in favour of much more flexible vpc module.
Re-adding to allow estates that already use it to leverage default_tags without TF always detecting changes.
Output instance_role_name from /ecs/ec2_capacity_provider* modules - this will allow adding further permissions as required.
Adding in a filter_policy variable to the sqs module that allows a filter policy to be set on an SNS subscription to a queue
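The SQS entries above (aws:SourceArn using the topic ARN, raw_message_delivery, and filter_policy on the SNS subscription) in plain resources, as an added example that is not the module's own code. The topic and queue names and the filter attribute are constructed for illustration.

```hcl
# Added example (not the messaging/sqs module's code). Names are constructed.
resource "aws_sns_topic" "orders" {
  name = "orders-topic"
}

resource "aws_sqs_queue" "orders" {
  name = "orders-queue"
}

# aws:SourceArn is compared against the topic's ARN. A bare topic name never
# matches, so SNS would be denied sqs:SendMessage; widening the condition to a
# wildcard to "fix" that would instead trust any SNS topic. The ARN is the
# narrow, correct value.
data "aws_iam_policy_document" "queue" {
  statement {
    sid       = "AllowSendFromOneTopic"
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.orders.arn]

    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }

    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_sns_topic.orders.arn]
    }
  }
}

resource "aws_sqs_queue_policy" "orders" {
  queue_url = aws_sqs_queue.orders.id
  policy    = data.aws_iam_policy_document.queue.json
}

resource "aws_sns_topic_subscription" "orders" {
  topic_arn            = aws_sns_topic.orders.arn
  protocol             = "sqs"
  endpoint             = aws_sqs_queue.orders.arn
  raw_message_delivery = true # deliver the message body as-is, no SNS envelope

  # Only deliver messages whose attributes match; "event_type" is a constructed
  # attribute name for this example.
  filter_policy = jsonencode({
    event_type = ["order_created", "order_cancelled"]
  })
}
```

Only the topic named in the condition can send to the queue; any other topic's delivery attempts are rejected by SQS and show up as failed deliveries on the SNS side, which is the behaviour to look for when validating the policy after apply.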
Updates to bastion module:
- Remove use of default SG
- Default to t3a.micro instance
- Default to Amazon Linux 2023 AMI if not specified
- Update to use IMDSv2 for getting public IP
- Switch from launch-configuration to launch-template
- Output bastion role
Updates to vpc module:
- Remove deprecated syntax in aws_eip
Update load-balancer module to output id of attached security group
Update to add filter_policy_scope to sns
Allow retention to be specified for DLQ in SQS module
Update wildcard-alb module to optionally add access_logs.
Allow stickiness to be specified for ecs/web_ec2 and load-balancing/target
Bugfix for above - correct variable name
Add default_tags to ASG resources for ecs/ec2_capacity_provider and ecs/ec2_capacity_provider_abs, as per this workaround
Update stickiness to allow for choosing whether to use lb_cookie or app_cookie and extend to ecs/web_fargate
Allow deployment min/max percent to be set for ECS services in ecs/web_fargate and ecs/web_ec2.
Allow load-balancing algorithm to be controlled in load-balancing/target (extended to ecs/web_fargate and ecs/web_ec2)
Add data/alb and data/cloudfront modules.
Fix issue in load-balancing/target, ecs/web_fargate and ecs/web_ec2 that prevented stickiness being removed.
Add default_tags to ASG resources for bastion, same as was done for capacity-providers in v3.28
Various updates, driven by changes to conform to SecurityHub standards:
- bastion - add associate_public_ip_address = true to avoid confusion if new vpc.map_public_ips_on_launch is set to false
- ecs/container_definition - added read_only_filesystem var
- load-balancing/wildcard-alb - added drop_invalid_headers and enable_deletion_protection vars
- s3/ssl-only - new module to generate bucket policy for denying non-SSL traffic (single resource only - generally not ideal but saves boilerplate)
- vpc - module now accepts map_public_ips_on_launch to opt out of auto-assigning for public subnets
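The SecurityHub-driven settings above written out as plain resources, as an added example that is not the module code (the s3/ssl-only policy, the wildcard-alb header/deletion-protection settings, the subnet opt-out and the explicit bastion public IP). Bucket name, CIDR and the three input variables are constructed for this example; the provider argument behind the module's drop_invalid_headers var is drop_invalid_header_fields.

```hcl
# Added example (not the modules' own code). Values below are constructed.
variable "vpc_id" { type = string }
variable "public_subnet_b_id" { type = string }
variable "bastion_sg_id" { type = string }

resource "aws_s3_bucket" "logs" {
  bucket = "example-access-logs-bucket"
}

# s3/ssl-only equivalent: deny every request that did not arrive over TLS.
# Deny wins over any Allow, so this also covers principals with broad S3 rights.
data "aws_iam_policy_document" "ssl_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.logs.arn,
      "${aws_s3_bucket.logs.arn}/*",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "ssl_only" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.ssl_only.json
}

# vpc.map_public_ips_on_launch = false: public subnets stop handing out public
# IPs by default, so only resources that ask for one get one.
resource "aws_subnet" "public_a" {
  vpc_id                  = var.vpc_id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false
}

# wildcard-alb: drop requests with malformed header fields before they reach
# targets, and refuse accidental destruction of the load balancer.
resource "aws_lb" "web" {
  name                       = "example-alb"
  load_balancer_type         = "application"
  subnets                    = [aws_subnet.public_a.id, var.public_subnet_b_id]
  drop_invalid_header_fields = true
  enable_deletion_protection = true
}

# bastion: request the public IP explicitly instead of relying on the subnet
# default, which the opt-out above has just turned off.
resource "aws_launch_template" "bastion" {
  name_prefix = "bastion-"

  network_interfaces {
    associate_public_ip_address = true
    security_groups             = [var.bastion_sg_id]
  }
}
```

The explicit associate_public_ip_address and the subnet opt-out are deliberately paired: with the subnet default off, forgetting the launch-template setting yields a bastion with no public address, which is the "confusion" the bastion entry refers to.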
ecs/web_fargate and ecs/web_ec2 and load-balancing/target modules gain health_check_port var.
load-balancing/wildcard-alb module gains client_keep_alive var.
Fix legacy/vpc module for later versions of TF. vpc = true is now deprecated in favour of domain = "vpc". Non functional change.
Update secrets modules. data.aws_region.*.name is deprecated, updated to use .region attribute
Allow force_new_deployment for ecs/web_fargate and ecs/web_ec2 modules.
Required for certain changes (e.g. capacity_provider)
bastion module autoscaling. Default shuts down Bastion host for 30 mins on the first of the month.
Most uses of Bastion module will use AMI data-source, so applies could have updated the launch-template without affecting the instance. Minimum monthly restart ensures we're on the latest AMI.
/services/tasks/scheduled module gains var.network_configuration, var.launch_type and additional required IAM permissions.
Allows control of ecs_target > network_configuration element to allow for scheduled FARGATE services
Add data/waf module for querying WAF logs via Athena.
Add additional_topic_names var to /messaging/sqs.
This is optional and allows consumers to provide further topic names to subscribe to the queue.
ecs/ec2_capacity_provider and ecs/ec2_capacity_provider_abs output ASG arn.
ecs/ec2_capacity_provider, ecs/ec2_capacity_provider_abs and bastion default AMI updated to AmazonLinux 2023.
ecs/ec2_capacity_provider and bastion change from using data "aws_ami" to using "resolve:ssm:*" style syntax.
This means that on startup the ASG will read the latest AMI from that location; there's no need to apply TF to update
to the latest image.
ecs/ec2_capacity_provider_abs continues to look up the AMI as it uses a mixed_instances_policy. This is a constraint
of AWS: it needs to evaluate the AMI to find appropriate instance types, so it needs to know the AMI up front.
Warning
User-data may need changing as this uses AL2023 and previous versions used AL2.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/al2-to-al2023-ami-transition.html
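The two AMI strategies described above side by side, as an added example that is not the modules' own code: a launch template whose image_id is resolved from the public SSM parameter at launch time, and a mixed_instances_policy ASG that must know the AMI at plan time. The SSM parameter path is the public AWS one for the ECS-optimised AL2023 AMI; the plan-time lookup here reads that same parameter with data "aws_ssm_parameter" rather than the data "aws_ami" the page mentions, and the cluster name, subnet IDs and instance sizing are constructed.

```hcl
# Added example (not the ecs/ec2_capacity_provider* modules' code).
variable "cluster_name" { type = string }
variable "subnet_ids" { type = list(string) }

# Launch-time resolution: every instance launch reads the parameter, so a new
# AMI publication rolls in on the next scale-out or instance refresh without
# a terraform apply. The SSM path is the public AWS parameter.
resource "aws_launch_template" "ecs" {
  name_prefix   = "ecs-capacity-"
  image_id      = "resolve:ssm:/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
  instance_type = "t3a.medium"

  # AL2023 user-data; AL2 scripts may need changes (see the transition guide).
  user_data = base64encode(<<-EOT
    #!/bin/bash
    echo "ECS_CLUSTER=${var.cluster_name}" >> /etc/ecs/ecs.config
  EOT
  )
}

resource "aws_autoscaling_group" "ecs" {
  name_prefix         = "ecs-capacity-"
  min_size            = 0
  max_size            = 4
  vpc_zone_identifier = var.subnet_ids

  launch_template {
    id      = aws_launch_template.ecs.id
    version = "$Latest"
  }
}

# Plan-time lookup: attribute-based instance selection needs the AMI's
# architecture and virtualisation type to choose instance types, so the
# concrete image ID has to be in state before the ASG is created. The cost is
# that a new AMI only arrives after the next terraform apply.
data "aws_ssm_parameter" "ecs_al2023" {
  name = "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
}

resource "aws_launch_template" "ecs_abs" {
  name_prefix = "ecs-capacity-abs-"
  image_id    = data.aws_ssm_parameter.ecs_al2023.value

  user_data = base64encode(<<-EOT
    #!/bin/bash
    echo "ECS_CLUSTER=${var.cluster_name}" >> /etc/ecs/ecs.config
  EOT
  )
}

resource "aws_autoscaling_group" "ecs_abs" {
  name_prefix         = "ecs-capacity-abs-"
  min_size            = 0
  max_size            = 4
  vpc_zone_identifier = var.subnet_ids

  mixed_instances_policy {
    launch_template {
      launch_template_specification {
        launch_template_id = aws_launch_template.ecs_abs.id
        version            = "$Latest"
      }

      # Constructed sizing: let AWS pick any type in this vCPU/memory envelope.
      override {
        instance_requirements {
          vcpu_count {
            min = 2
            max = 4
          }
          memory_mib {
            min = 4096
          }
        }
      }
    }
  }
}
```

Running terraform plan after AWS publishes a new AMI shows the difference directly: the resolve:ssm template reports no changes, while the data-source template shows a new image_id and will replace instances on apply.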
Add missing partition_key element for data/alb module.