FEATURES:
- terraform.sh: added multi-group support. The `-g/--group` flag (also `--groups`) now accepts comma-delimited values, e.g. `-g dev,live`, loading each group's tfvars file in order. Closes #41.
FEATURES:
- Lambda module: replaced external data source + Node.js script with native `aws_lambda_layer_version` for CloudWatch Lambda Insights layer resolution.
- Lambda module: added ADOT OpenTelemetry layer support via `adot` variable.
- Lambda module: added SSM Parameters & Secrets extension layer support via `ssm_extension` variable.
- Lambda module: added memory usage CloudWatch alarm via `function_memory` variable.
- Lambda module: error alarm now supports percentage-based thresholds in addition to count-based via `threshold_type` option.
- Lambda module: added destroy-time placeholder handling for S3 function source.
- Cognito module: SMS IAM role and configuration now gated on `sms_enabled` variable.
- Cognito module: added `software_token_mfa_configuration` support.
- Cognito module: extracted `ui_customisation` as standalone variable.
- Cognito module: added `generate_secret` variable for cognito user pool client.
- Cognito module: added `callback_urls` variable with `app_fqdn` fallback.
- Cognito module: added `user_pool_domain_ready` output.
- terraform.sh: added edge lambda logging support.
BUG FIXES:
- Lambda module: added length guards on S3 bucket/key/version references to prevent errors when the data source is empty during destroy.
- Cognito module: fixed recovery mechanism priority ordering (email first).
- Cognito module: fixed trailing whitespace in multiple files.
CHORES:
- S3bucket module: removed deprecated `expected_bucket_owner` from accelerate, CORS, and server-side encryption configurations.
- S3bucket module: fixed `lifecycle_configuration_id` output to return `rule[*].id`.
- S3bucket module: uncommented `ownership_controls` output.
- Lambda module: removed `external` provider dependency.
- Regenerated terraform-docs READMEs for lambda, s3bucket, and cognito.
BREAKING CHANGES:
- Shebang changed from `#!/bin/bash` to `#!/usr/bin/env bash` for portability.
- `set -uo pipefail` now enforced across all scripts. Unbound variable access will now cause failures rather than silent empty expansion.
- Bootstrap tag keys changed from capitalised (`tfscaffold:Environment`) to lowercase (`tfscaffold:environment`) for consistency with module conventions.
FEATURES:
- `error_and_die` now accepts an optional second argument for custom exit codes.
- `TF_VAR_aws_account_id` and `TF_VAR_environment` are now exported automatically, making them available to Terraform without explicit variable passthrough.
- S3 backend configuration now always includes `encrypt = true`.
- S3 backend configuration now injects `profile` when `AWS_PROFILE` is set, enabling named profile support for state access.
- Remote dynamic tfvars now supports multiple files: all `*.tfvars` and `*.tfvars.json` files under the environment's S3 prefix are downloaded, replacing the previous single `dynamic.tfvars` pattern.
- New `output` action for standalone terraform output retrieval, with optional JSON file output support.
- IAM role module now supports `sts:ExternalId` conditions via optional `external_id` field on trusted principals.
- SNS module now supports `content_based_deduplication` for FIFO topics.
- Lambda module now supports `reserved_concurrent_executions`.
BUG FIXES:
- Fixed unquoted variable expansions throughout `terraform.sh` (~20 instances), including two HIGH-severity `rm` commands inside `trap` statements.
- Fixed `set -u` safety: all `declare` statements now initialised, empty array access guarded, and `${AWS_DEFAULT_REGION:-}` defaulted.
- Fixed cognito module `access_token_validity` default key typo: `validity` corrected to `value`.
- Fixed KMS module `alias` variable default from string `"null"` to HCL `null`.
- Fixed VPC module `force_destroy` from string `"true"` to boolean `true`.
- Fixed missing semicolons throughout `terraform.sh` for style consistency.
- Fixed `lockfile` variable quoting in conditional test.
- Fixed `-r/--region` flag not being authoritative over tfvars files (#37). Region is now passed as `-var region=` (highest precedence) and exported as `TF_VAR_region` (lowest precedence fallback).
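The shell hardening and backend entries above (quoted `rm` inside the `trap`, variables defaulted under `set -u`, `encrypt = true` with `profile` only when `AWS_PROFILE` is set) and the comma-delimited `-g` groups from the first FEATURES block, as an added example that is not tfscaffold's own code; the function names are hypothetical:

```shell
#!/usr/bin/env bash
# Added example (not tfscaffold's own code) showing the patterns the changelog entries
# describe: strict mode, a cleanup trap whose rm uses quoted expansions, defaulted
# variables under set -u, an S3 backend config that always sets encrypt = true and adds
# profile only when AWS_PROFILE is set, and -g groups loaded in order. Function names
# are hypothetical.
set -uo pipefail

# Emit backend key/value lines; profile and dynamodb_table are optional.
backend_config() {
  local bucket="$1" key="$2" region="$3" lock_table="${4:-}"
  printf 'bucket = "%s"\nkey = "%s"\nregion = "%s"\nencrypt = true\n' "$bucket" "$key" "$region"
  # ${AWS_PROFILE:-} is safe under set -u even when the variable was never exported.
  if [ -n "${AWS_PROFILE:-}" ]; then
    printf 'profile = "%s"\n' "$AWS_PROFILE"
  fi
  if [ -n "$lock_table" ]; then
    printf 'dynamodb_table = "%s"\n' "$lock_table"
  fi
}

# The trap's rm is quoted and guarded: an unset or empty tmpdir can never turn into
# `rm -rf` of the working directory, and a path containing spaces stays one argument.
tmpdir=""
cleanup() {
  if [ -n "${tmpdir:-}" ] && [ -d "$tmpdir" ]; then
    rm -rf -- "$tmpdir"
  fi
}
trap cleanup EXIT

# Turn "-g dev,live" into -var-file arguments, one per line, in the order given.
# A missing group file is a warning, not an error, as the changelog states.
group_tfvars_args() {
  local groups="$1" dir="$2" g
  local -a group_list=() args=()
  IFS=',' read -r -a group_list <<< "$groups"
  for g in "${group_list[@]}"; do
    if [ -f "${dir}/${g}.tfvars" ]; then
      args+=("-var-file=${dir}/${g}.tfvars")
    else
      printf 'WARN: no tfvars file for group %s\n' "$g" >&2
    fi
  done
  # ${args[@]+"${args[@]}"} expands to nothing when the array is empty, which older
  # bash versions would otherwise reject as an unbound variable under set -u.
  printf '%s\n' ${args[@]+"${args[@]}"}
}
```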
CHORES:
- Removed dead code: `data.aws_iam_policy_document.default_assumerole` from bootstrap (never referenced).
- Removed duplicate `data.aws_iam_policy_document.xray` from lambda module (functionality already in `lambda_core.tf`).
- Removed committed state files from bootstrap directory.
- Renamed `module.s3bucket_other.tf` to `module.s3bucket_bestpractice.tf` to match the module name it declares.
- Replaced TODO comment on cognito SNS policy with explanation of why `sns:Publish` on `*` is required for Cognito MFA/SMS.
- Regenerated all terraform-docs README files.
- Added vim modelines to all shell scripts.
SECURITY:
- Updated `esbuild` from 0.24.0 to ^0.25.0 (CVE: dev server request forgery, medium severity).
- Updated `undici` from 6.21.0 to >=6.21.1 (CVE: insufficiently random values, medium severity).
- Updated included modules to follow new standard and include other generics.
BREAKING CHANGES:
- It is now possible, with a validation check, to destroy the bootstrap.
- Bootstrap and the example component have been completely rewritten.
- `.terraform` and `backend_tfscaffold.tf` no longer removed during bootstrap cleanup.
- Bootstrap and examples now configured to use terraform >= 1.10.0.
- Bootstrap and examples now require terraform > 1.0.0.
- Bootstrap and examples now require AWS Provider ~> 5.79.0.
- tfscaffold tagging defaults have changed to prefix tag keys with `tfscaffold:`.
FEATURES:
- Bootstraps can now be fully and cleanly destroyed, however only interactively, requiring a manual text input to confirm.
- A DynamoDB lock table has been added to Bootstrap.
- Bootstrap now uses AWS Provider v4+ S3 Bucket property resources instead of declaring all configuration in a single bucket resource.
- The example component has been rewritten to reflect modern naming standards, and idempotency structures.
- An example module has been added, which is called from the example component.
- Example region changed to eu-west-2.
- `bin/docs.sh` has been added to recursively apply terraform-docs (https://github.com/terraform-docs/terraform-docs) to all directories beneath the project root that contain a variables.tf file.
- Remove unnecessary compatibility log entry for auto-approve.
- Remove unnecessary non-current version transitions from the bootstrap bucket.
BUG FIXES:
- Do not write `.terraform.output.json` after a destroy.
- `-compact-warnings` is no longer passed to `terraform init`.
CHORES:
- `.gitignore` updated.
BUG FIXES:
- Correct `terraform.output.json` to `.terraform.output.json`.
BUG FIXES:
- Add `**/terraform.output.json` to the default .gitignore.
FEATURES:
- Apply/Refresh/Destroy actions now output a terraform.output.json file containing the contents of `terraform output -json -no-color`. On by default, can be disabled.
- Ignore -w/--compact-warnings for commands that don't support it so the user can specify it all the time without worrying which commands support it.
BUG FIXES:
- Fix plugin-cache base directory from `$(pwd)` to `${base_path}` so it is correctly located if terraform.sh is invoked from somewhere other than the project root.
CHORES:
- Fix inappropriate double-quoting of non-interpolated strings.
BUG FIXES:
- Correct selection of `lockfile_or_upgrade`, thanks to @edmundcraske-bjss
FEATURES:
- New options:
  - `-l/--lockfile`: Local lock file
  - `-t/--lock-table`: Lock with DynamoDB Table
- Bootstrap:
  - New multi-resource approach to S3 Bucket
  - KMS Key Alias for S3 Bucket KMS Key, for easy data-sourcing elsewhere
  - New `tfscaffold:` prefix for tfscaffold tags
- Updated the warning for duplicate input variables
BUG FIXES:
- Some alignment and ordering
- Merged into 1.9.0
- Explicitly declare and clear out, refresh and destroy in case someone exports them
- Added custom action `shell`: a bash login shell between component init and cleanup
FEATURES:
- Added `-d/--detailed-exitcode` to propagate terraform exit codes to shell
- Added `-n/--no-color`: appends -no-color to all terraform calls
- Added `-w/--compact-warnings`: appends -compact-warnings to all terraform calls
BUG FIXES:
- Getopt fixes
- Various small fixes
NOTES:
- Support for early versions of terraform has been dropped (<0.11)
- Default backend bucket name has changed, pass in -b to overwrite
- Scaffold bootstrap updated
- Remove extraneous eval from secret parsing
- Remove deprecated/irrelevant module-depth parameter
- Add an init with -backend=false in bootstrap mode, otherwise providers are not downloaded
- Fix bootstrap output that was using a now deprecated bucket resource attribute
- Add an indicative .terraform-version file for tfenv support in bootstrap
- Remove `-upgrade` from init. Added prematurely. Can go back in when 0.9 support is dropped.
- Support terraform 0.10/0.11, bypassing new built-in approval mechanism.
- Explicitly cache plugin downloads.
- Set TF_IN_AUTOMATION.
- Change from error to warn on non-presence of requested group variables file
- Introduce the group variables file functionality
- Merge bootstrap functionality into the main script
- Global and Region scoped variables files
- Support the use of .terraform-version file in components when in the presence of tfenv
- Provide a case for import that requires the variable file parameters
- Fix 0.9.2+ support for bootstrap.sh
- Move from terraform-0.8 to terraform-0.9
- Change remote state from manual config to temporary-file "backend"
- Complain in the code comments about Hashicorp forcing my hand on this
- Don't push state any more; there's no persisted local copy to push
- Same change for bootstrap.sh (UNTESTED!)
- Bugfix: Duplicate variable warning conditional to presence of duplicates
- Add CHANGELOG.md
- Add version and help parameters to bin/terraform.sh
- Add optional unencrypted S3 parameters
- Move secrets S3 key path to more appropriate place
- Test and Warn on duplicate variables
- Support arbitrary terraform actions
- Additional comments