Releases: cloudposse/terraform-aws-cloudfront-s3-cdn
v0.82.4
🤖 Automatic Updates
chore(deps): update terraform cloudposse/iam-role/aws to v0.16.0 @renovate (#227)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/iam-role/aws (source) | module | minor | 0.15.0 -> 0.16.0 |
Release Notes
cloudposse/terraform-aws-iam-role
v0.16.0
Making tags for roles optional @jamengual (#43)
#### what
* Make role tags optional
#### why
* Restrictive policy boundaries do not allow tagging roles in highly secure environments.
v0.82.3
🚀 Enhancements
Update versions.tf @rusowyler (#218)
what
- Restrict AWS provider version
why
- >= 3.64 because response_headers_policy_id first appeared on version: 3.64.0 (November 04, 2021)
- < 4.0.0 many breaking changes affect this module.
references
v0.82.2
🤖 Automatic Updates
Update Terraform cloudposse/route53-alias/aws to v0.13.0 @renovate (#216)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/route53-alias/aws (source) | module | minor | 0.12.1 -> 0.13.0 |
Release Notes
cloudposse/terraform-aws-route53-alias
v0.13.0
BREAKING CHANGE: Because this release changes resource addresses, it will result in Terraform destroying and recreating some resources. Please consider removing `aws_route53_record` from the state and importing them to the new resource addresses if you do not wish for any destructive changes.
Fix: Add BridgeCrew Suppressions @korenyoni (#39)
#### what
- Add BridgeCrew suppressions
#### why
- Add suppressions appearing in #37
#### references
* #37
Chore: Run 'make github/init' @korenyoni (#38)
#### what
* Run `make github/init`
#### why
* Updates GHA-workflow-related files to their latest distribution in https://github.com/cloudposse/build-harness
* Allows using `no-release` label for consolidating multiple PRs into a single release.
#### references
* N/A
Fix: create records using `for_each` instead of `count` @1david5 (#37)
#### what
* Modify `default` and `ipv6` `aws_route53_record` resources to use `for_each` instead of `count`.
#### why
* Prevent destroying and recreating DNS records when removing elements from `aliases` list.
v0.82.1
🚀 Enhancements
fix: handle viewer_certificate.ssl_support_method with CF default certificate @syphernl (#213)
what
- Sets `ssl_support_method` to `null` when default certificate is being used instead of setting it to `sni-only` in all cases.
why
- Setting this to an explicit value (`sni-only`) in conjunction with the "default certificate" results in the state not being idempotent.
references
🐛 Bug Fixes
[main.tf] Updated conditions with included cache_policy_id variable @eboboshka (#210)
what
- Fixed conditions when using cache_policy_id
why
- When using `cache_policy_id`, the module tries to change ttl values from zero to the default values.
~ default_cache_behavior {
~ default_ttl = 0 -> 60
~ max_ttl = 0 -> 31536000
# (10 unchanged attributes hidden)
# (1 unchanged block hidden)
}
- There is no need to use the mandatory ARN lambda in Custom Behavior.
references
🤖 Automatic Updates
Update Terraform cloudposse/iam-role/aws to v0.15.0 @renovate (#215)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/iam-role/aws (source) | module | minor | 0.14.1 -> 0.15.0 |
Release Notes
cloudposse/terraform-aws-iam-role
v0.15.0
allow to set role and policy path @1david5 (#40)
#### what
* Add `path` argument to role and policy resources
#### why
* Allow users to set path for role and policy
Update Terraform cloudposse/iam-role/aws to v0.14.1 @renovate (#206)
This PR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
cloudposse/iam-role/aws (source) | module | patch | 0.14.0 -> 0.14.1 |
Release Notes
cloudposse/terraform-aws-iam-role
v0.14.1
Fix: Fix Variable Description Typo for `var.use_fullname` @korenyoni (#36)
#### what
* Fix variable description typo introduced in #35 for `var.use_fullname`
#### why
* Minor typo (unmatched right bracket).
#### references
* #35
Drop unused null provider @Xerkus (#34)
#### what
* Drop `hashicorp/null` provider from dependencies
#### why
* As far as I can tell the null provider is not used and I do not think it is needed for any kind of indirect dependency
* I think it was needed at some point for terraform-null-label
#### references
* Closes #31
Fix: fix variable description for `var.use_fullname`, run `make github/init` @korenyoni (#35)
#### what
- Fix variable description for `var.use_fullname`.
- Run `make github/init`.
#### why
- The `var.use_fullname` variable description is incorrect and refers to ECR repositories instead of IAM roles.
- Running `make github/init` will update GHA-workflow related files (and CODEOWNERS), the former of which is required for the `no-release` label (which allows for consolidating multiple small PRs such as this into one release).
#### references
* N/A
Add tags to policy @nitrocode (#37)
#### what
* Add tags to policy
#### why
* Tag it all
#### references
N/A
v0.82.0
Added new response_headers_policy_id argument for a block with Custom behavior @eboboshka (#211)
[main.tf, variables.tf]
what
- Added new response_headers_policy_id argument for a block with Custom behavior
why
- They just forgot about the custom block `ordered_cache_behavior`
references
v0.81.0
Feat: Add Support for S3 Object Ownership Controls @korenyoni (#209)
what
- Add support for S3 object ownership controls.
- Misc: add BridgeCrew exceptions.
why
S3 object ownership controls should be configurable for the origin bucket behind the CloudFront distribution. If the origin bucket is used within CI pipelines, cross-account writes to the bucket will result in the object being owned by that account. This can result in 403's when attempting to access content in the CF distribution, unless the S3 object ownership setting is set to `BucketOwnerEnforced`.
By default, when another AWS account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs.
The new S3 object ownership variable has a default value that has the same effect as if the new `s3_bucket_ownership_controls` were not to exist at all. Thus, this is a backwards-compatible release.
references
fix: set viewer_certificate.ssl_support_method to a non-empty value @syphernl (#208)
what
- Sets the `viewer_certificate.ssl_support_method` to a non-empty value
why
- Since AWS Provider 3.71.0 the `viewer_certificate.ssl_support_method` is being validated on plan-time and can no longer be an empty string but must be `sni-only` or `vip` (of which the latter incurs costs)
references
v0.80.0
🚀 Enhancements
Feat: `lambda@edge` submodule @korenyoni (#204)
what
- Add submodule for creating Lambda@Edge functions
- Add test for Lambda@Edge submodule
- Ensure all tests run in parallel.
- Fix `versions.tf` in `examples/complete` according to TFLint
why
- Lambda@Edge are a potentially common use case for this repo, and a submodule for creating Lambda@Edge functions for use with the root module should be created.
references
- N/A
notes
Please note that a side effect of this change is that the test suite will now take ~30 minutes to run.
v0.79.0
🚀 Enhancements
Feat: Add `external_aliases` Which Will Not Have CNAMEs Created for Them @mburns (#199)
what
- Allow for aliases in CloudFront which do not get the corresponding CNAME record created in Route53.
- Misc: add BridgeCrew suppressions.
why
- Not all CloudFront domains are managed in Route53
- This is similar to `dns_alias_enabled`, but allows for a mixture of DNS providers for a single CloudFront Distribution
- Some new false positives were raised by BridgeCrew, hence requiring some suppressions.
Fix: Do Not Hardcode AWS Partition @korenyoni (#203)
what
- Do not hardcode AWS partition.
why
- Adds support for partitions other than `aws`, such as `aws-us-gov`.
references
- closes #200
Chore: Bump Dependency Module Versions @korenyoni (#201)
what
- Bump `route53-alias` module version to latest.
- Bump `s3-log-storage` module to latest.
why
- Dependency modules do not currently support `tenant` label (they are not at the version which supports it).
- General module hygiene: keep dependency modules up to date.
references
- https://github.com/cloudposse/terraform-null-label/releases/tag/0.25.0
- Supersedes and closes #187
🐛 Bug Fixes
Chore: Update `auto-release` (`release-drafter`) GHA workflow to latest distribution; fix Terratest @korenyoni (#202)
what
- Update auto-release (release-drafter) GHA workflow to latest distribution from build-harness.
- Fix Terratest by ensuring IAM roles created by examples/complete are unique for each run (also increase test timeout).
why
- The latest distribution of the `auto-release` GHA workflow from https://github.com/cloudposse/build-harness allows merged PRs to be accumulated in a draft release when the `no-release` label is used. This allows PRs to be consolidated rather than each given their own release — as renovatebot will cause a rippling series of module updates across all repositories that use this module, and all repositories that use those modules, etc.
- This is a subset of `make github/init`, which will update all GHA-related files to the latest build-harness distribution. However, changing CODEOWNERS will require admin approval and this is a blocker.
- Terratest was failing because `examples/complete` was creating IAM roles whose names did not make use of `module.this.attributes` (which contains a random seed in each run). Also, the test timeout was not sufficiently long to complete all tests.
references
v0.78.0
feat: add origin_request_policy_id variable for default cache behavior @bartelemi (#193)
what
Add `origin_request_policy_id` input variable for setting this param in default cache behavior.
why
This param is missing from the module.
references
v0.77.0
Added support for forward_cookies_whitelisted_names @rafaljanicki (#198)
what
I've added support for whitelisted_names (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#whitelisted_names) if forward_cookies is set to "whitelist"
why
Currently, the only option to forward cookies is to set it to "all" which isn't perfect
references
- I've used naming and approach from another Cloudposse module - https://github.com/cloudposse/terraform-aws-cloudfront-cdn/blob/master/variables.tf