feat!: Update dependencies, replace Dependabot with Renovate, and simplify S3 architecture (#14)

Author: zahorniak

.github/dependabot.yml

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits"
+  ],
+  "enabledManagers": [
+    "github-actions",
+    "terraform"
+  ],
+  "reviewersFromCodeOwners": true,
+  "dependencyDashboard": true,
+  "commitMessageLowerCase": "never",
+  "minimumReleaseAge": "30 days"
+}

.github/renovate.json

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.90.0
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

.pre-commit-config.yaml

@@ -0,0 +1,61 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Terraform module that deploys Plex Media Server on AWS using EC2 Spot Instances with S3-backed media storage (s3fs-fuse) and Docker. Runs Plex as a systemd-managed Docker container on Amazon Linux 2.
+
+## Common Commands
+
+```bash
+# Format all Terraform files
+terraform fmt -recursive
+
+# Validate configuration
+terraform validate
+
+# Run all pre-commit hooks (formatting, validation, docs, linting)
+pre-commit run -a
+
+# Generate/update README documentation tables
+terraform-docs markdown . --lockfile=false
+```
+
+There are no automated tests. Validation is done via `terraform validate` and `tflint` through pre-commit hooks.
+
+## Architecture
+
+The module provisions a complete single-instance Plex deployment:
+
+- **VPC** (`vpc.tf`): `10.0.0.0/16` CIDR (stored as `local.vpc_cidr`), 3 public subnets only
+- **EC2** (`autoscaling.tf`): Single Spot instance via ASG with rolling refresh, Amazon Linux 2 AMI
+- **Storage** (`s3.tf`): Single S3 storage bucket with folder-based library prefixes + one DB backup bucket, all using INTELLIGENT_TIERING
+- **IAM** (`iam.tf`): Instance profile with S3 and SSM access
+- **Security** (`sg.tf`): Port 32400 open for Plex access
+- **Secrets** (`ssm.tf`): Plex claim token stored as SecureString in SSM Parameter Store
+- **Bootstrap** (`templates/userdata.sh`): Installs Docker/s3fs, mounts S3 buckets, starts Plex container as systemd service
+
+Subnet CIDRs are computed directly in `vpc.tf` using `cidrsubnets()`. VPC CIDR is defined once in `locals.tf`.
+
+## Key Dependencies
+
+- **Terraform**: `>= 1.5.7`
+- **AWS Provider**: `>= 6.29`
+- **Public modules**: `terraform-aws-modules/vpc/aws ~> 6.6`, `terraform-aws-modules/autoscaling/aws ~> 9.2`, `terraform-aws-modules/s3-bucket/aws ~> 5.10`
+
+## Conventions
+
+- **Commits**: Conventional Commits format required. Allowed types: `fix`, `feat`, `docs`, `ci`, `chore`, `revert`. Subject must start with uppercase.
+- **Releases**: Semantic Release on `master` branch, triggered by pushes to `.tf`, `.py`, `.tpl` files.
+- **PR titles**: Must follow Conventional Commits (enforced by CI). Scopes: `deps`, plus Jira-style project keys.
+- **Pre-commit hooks**: `terraform_fmt`, `terraform_validate`, `terraform_docs`, `terraform_tflint` (via `antonbabenko/pre-commit-terraform`).
+- **Code ownership**: `@zahorniak` is default CODEOWNER.
+
+## Coding Guidelines
+
+- Don't specify Terraform/AWS defaults explicitly (e.g., gp3 baseline IOPS, `protect_from_scale_in = false`). Only set values that differ from defaults.
+- `templates/userdata.sh` uses Terraform `templatefile()` variables — never hardcode values available as variables (e.g., region).
+- IMDSv2 is enforced (`http_tokens = "required"`). Userdata already uses v2 token flow.
+- The `plex_claim_token` variable is marked `sensitive = true`.
+- The module has no `outputs.tf` — it currently exposes no outputs.

CLAUDE.md

@@ -30,28 +30,28 @@ To avoid scanning of the files in the S3 bucket (meaning additional S3 api reque
    * Remove old cache files every week
    * Upgrade media analysis during maintenance
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.30 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.29 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.30 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.29 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_plex_autoscaling"></a> [plex\_autoscaling](#module\_plex\_autoscaling) | terraform-aws-modules/autoscaling/aws | ~> 7.7 |
-| <a name="module_s3_plex_db"></a> [s3\_plex\_db](#module\_s3\_plex\_db) | terraform-aws-modules/s3-bucket/aws | ~> 3.3 |
-| <a name="module_s3_plex_storage"></a> [s3\_plex\_storage](#module\_s3\_plex\_storage) | terraform-aws-modules/s3-bucket/aws | ~> 3.3 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.9 |
+| <a name="module_plex_autoscaling"></a> [plex\_autoscaling](#module\_plex\_autoscaling) | terraform-aws-modules/autoscaling/aws | ~> 9.2 |
+| <a name="module_s3_plex_db"></a> [s3\_plex\_db](#module\_s3\_plex\_db) | terraform-aws-modules/s3-bucket/aws | ~> 5.10 |
+| <a name="module_s3_plex_storage"></a> [s3\_plex\_storage](#module\_s3\_plex\_storage) | terraform-aws-modules/s3-bucket/aws | ~> 5.10 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.6 |
 
 ## Resources
 
@@ -72,10 +72,10 @@ To avoid scanning of the files in the S3 bucket (meaning additional S3 api reque
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Force destroy the S3 bucket | `bool` | `false` | no |
 | <a name="input_instance_storage_size"></a> [instance\_storage\_size](#input\_instance\_storage\_size) | Size for EC2 EBS root volume | `number` | `30` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | Type of EC2 instance | `string` | `"t3a.micro"` | no |
-| <a name="input_plex_claim_token"></a> [plex\_claim\_token](#input\_plex\_claim\_token) | Token to claim your plex media server.  You can get this by going to https://www.plex.tv/claim. | `string` | n/a | yes |
-| <a name="input_plex_libraries"></a> [plex\_libraries](#input\_plex\_libraries) | List of Plex libraries | `list(string)` | n/a | yes |
+| <a name="input_plex_claim_token"></a> [plex\_claim\_token](#input\_plex\_claim\_token) | Token to claim your plex media server. You can get this by going to https://www.plex.tv/claim. | `string` | n/a | yes |
+| <a name="input_plex_libraries"></a> [plex\_libraries](#input\_plex\_libraries) | List of Plex library folder names (created as prefixes inside a single S3 storage bucket) | `list(string)` | n/a | yes |
 
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

README.md

@@ -1,26 +1,21 @@
 module "plex_autoscaling" {
   source  = "terraform-aws-modules/autoscaling/aws"
-  version = "~> 7.7"
-
-  name                                 = "plex"
-  use_name_prefix                      = true
-  ignore_desired_capacity_changes      = true
-  min_size                             = 1
-  max_size                             = 1
-  desired_capacity                     = 1
-  wait_for_capacity_timeout            = 0
-  health_check_type                    = "EC2"
-  vpc_zone_identifier                  = module.vpc.public_subnets
-  instance_initiated_shutdown_behavior = "terminate"
-  protect_from_scale_in                = false
+  version = "~> 9.2"
 
+  name                            = "plex"
+  use_name_prefix                 = true
+  ignore_desired_capacity_changes = true
+  min_size                        = 1
+  max_size                        = 1
+  desired_capacity                = 1
+  wait_for_capacity_timeout       = 0
+  health_check_type               = "EC2"
+  vpc_zone_identifier             = module.vpc.public_subnets
   instance_refresh = {
     strategy = "Rolling"
     preferences = {
-      checkpoint_delay       = 600
-      checkpoint_percentages = [35, 70, 100]
       instance_warmup        = 30
-      min_healthy_percentage = 50
+      min_healthy_percentage = 0
     }
   }
 
@@ -32,9 +27,11 @@ module "plex_autoscaling" {
 
   user_data = base64encode(templatefile("${path.module}/templates/userdata.sh",
     {
-      BUCKETS             = local.buckets,
-      BUCKET_FSTAB_STRING = local.bucket_fstab_string
-      CONFIG_BUCKET       = module.s3_plex_db.s3_bucket_id
+      STORAGE_BUCKET     = module.s3_plex_storage.s3_bucket_id
+      CONFIG_BUCKET      = module.s3_plex_db.s3_bucket_id
+      LIBRARIES          = var.plex_libraries
+      AWS_REGION         = var.aws_region
+      CLAIM_TOKEN_SHA256 = sha256(var.plex_claim_token)
     }
   ))
 
@@ -51,8 +48,6 @@ module "plex_autoscaling" {
         encrypted             = true
         volume_size           = var.instance_storage_size
         volume_type           = "gp3"
-        iops                  = 3000
-        throughput            = 125
       }
     }
   ]
@@ -62,27 +57,18 @@ module "plex_autoscaling" {
   iam_role_path               = "/ec2/"
 
   iam_role_policies = {
-    AmazonSSMManagedInstanceCore        = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
-    AmazonEC2ContainerServiceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
-    S3Access                            = aws_iam_policy.plex_server.arn
-  }
-
-  capacity_reservation_specification = {
-    capacity_reservation_preference = "open"
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+    S3Access                     = aws_iam_policy.plex_server.arn
   }
 
   instance_market_options = {
     market_type = "spot"
   }
 
-  maintenance_options = {
-    auto_recovery = "default"
-  }
-
   metadata_options = {
     http_endpoint               = "enabled"
-    http_tokens                 = "optional"
-    http_put_response_hop_limit = 32
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 2
     instance_metadata_tags      = "enabled"
   }
 

autoscaling.tf

@@ -7,13 +7,7 @@ data "aws_ami" "plex" {
   owners      = ["amazon"]
 
   filter {
-    name = "name"
-    #     values = ["${var.packer_ami_prefix}-*"]
+    name   = "name"
     values = ["amzn2-ami-hvm-*-x86_64-ebs"]
   }
-
-  filter {
-    name   = "architecture"
-    values = ["x86_64"]
-  }
 }

data.tf

@@ -1,6 +1,6 @@
 module "plex" {
   source           = "../../"
-  plex_libraries   = var.plex_libraries
-  plex_claim_token = var.plex_claim_token
+  plex_libraries   = ["movies", "tv"]
+  plex_claim_token = "claim-KL7s1QvWn_5xdhx4uyJv"
   force_destroy    = true
 }

examples/complete/main.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.3.7"
+  required_version = ">= 1.5.7"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.30"
+      version = ">= 6.29"
     }
   }
 }