Support AWS Provider V5

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

.github/workflows/release-published.yml

@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main

README.md

@@ -88,10 +88,6 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a
 systematic way so that they do not catch you by surprise.
 
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
 
 
 For a complete example, see [examples/complete](examples/complete).
@@ -387,7 +383,7 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-response"
       include_body = false
@@ -436,15 +432,15 @@ Available targets:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
 
@@ -453,7 +449,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 

README.yaml

@@ -352,7 +352,7 @@ usage: |-
           EOT
           filename = "index.js"
         }]
-        runtime      = "nodejs12.x"
+        runtime      = "nodejs16.x"
         handler      = "index.handler"
         event_type   = "origin-response"
         include_body = false

docs/terraform.md

@@ -4,15 +4,15 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
 
@@ -21,7 +21,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 

examples/complete/deployment.tf

@@ -7,7 +7,7 @@ locals {
   } : {}
 
   our_account_id            = local.enabled ? data.aws_caller_identity.current[0].account_id : ""
-  our_role_arn_prefix       = "arn:${join("", data.aws_partition.current.*.partition)}:iam::${local.our_account_id}:role"
+  our_role_arn_prefix       = "arn:${join("", data.aws_partition.current[*].partition)}:iam::${local.our_account_id}:role"
   role_names                = { for k, v in local.test_deployment_role_prefix_map : k => module.role_labels[k].id }
   deployment_principal_arns = { for k, v in local.role_names : format("%v/%v", local.our_role_arn_prefix, v) => local.test_deployment_role_prefix_map[k] }
 }

examples/complete/lambda-at-edge.tf

@@ -30,22 +30,22 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "viewer-request"
       include_body = false
     },
     # Add custom header to the response
     viewer_response = {
       source_dir   = "lib"
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "viewer-response"
       include_body = false
     },
     origin_request = {
       source_zip   = "origin-request.zip"
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-request"
       include_body = false
@@ -77,7 +77,7 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-response"
       include_body = false

examples/complete/main.tf

@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "document" {
 
     actions = ["s3:GetObject"]
     resources = [
-      "arn:${join("", data.aws_partition.current.*.partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
+      "arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
     ]
 
     principals {
@@ -36,14 +36,15 @@ data "aws_canonical_user_id" "current" {
 
 module "s3_bucket" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "0.36.0"
+  version = "3.1.2"
 
-  acl                = null
-  force_destroy      = true
-  user_enabled       = false
-  versioning_enabled = false
-  attributes         = ["existing-bucket"]
+  force_destroy       = true
+  user_enabled        = false
+  versioning_enabled  = false
+  block_public_policy = false
+  attributes          = ["existing-bucket"]
 
+  acl                 = null
   grants = [
     {
       id          = local.enabled ? data.aws_canonical_user_id.current[0].id : ""
@@ -81,6 +82,7 @@ module "cloudfront_s3_cdn" {
 
   cloudfront_access_logging_enabled = true
   cloudfront_access_log_prefix      = "logs/cf_access"
+  s3_object_ownership               = "BucketOwnerPreferred"
 
   additional_bucket_policy = local.enabled ? data.aws_iam_policy_document.document[0].json : ""
 
@@ -105,7 +107,7 @@ module "cloudfront_s3_cdn" {
   context = module.this.context
 }
 
-resource "aws_s3_bucket_object" "index" {
+resource "aws_s3_object" "index" {
   count = local.enabled ? 1 : 0
 
   bucket       = module.cloudfront_s3_cdn.s3_bucket

examples/complete/s3-origins.tf

@@ -29,10 +29,9 @@ locals {
 
 module "additional_s3_origin" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "0.39.0"
+  version = "3.1.2"
   enabled = local.additional_s3_origins_enabled
 
-  acl                = "private"
   force_destroy      = true
   user_enabled       = false
   versioning_enabled = false
@@ -43,10 +42,9 @@ module "additional_s3_origin" {
 
 module "additional_s3_failover_origin" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "0.39.0"
+  version = "3.1.2"
   enabled = local.additional_s3_origins_enabled
 
-  acl                = "private"
   force_destroy      = true
   user_enabled       = false
   versioning_enabled = false

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 4.9"
     }
   }
 }

main.tf

@@ -42,11 +42,6 @@ locals {
   }
   cf_access = local.cf_access_options[local.create_cloudfront_origin_access_identity ? "new" : "existing"]
 
-  # Pick the IAM policy document based on whether the origin is an S3 origin or a Website origin
-  iam_policy_document = local.enabled ? (
-    local.website_enabled ? data.aws_iam_policy_document.s3_website_origin[0].json : data.aws_iam_policy_document.s3_origin[0].json
-  ) : ""
-
   bucket             = local.origin_bucket.bucket
   bucket_domain_name = var.website_enabled ? local.origin_bucket.website_endpoint : local.origin_bucket.bucket_regional_domain_name
 
@@ -133,13 +128,13 @@ resource "random_password" "referer" {
 data "aws_iam_policy_document" "s3_origin" {
   count = local.s3_origin_enabled ? 1 : 0
 
-  override_json = local.override_policy
+  override_policy_documents = [local.override_policy]
 
   statement {
     sid = "S3GetObjectForCloudFront"
 
     actions   = ["s3:GetObject"]
-    resources = ["arn:${join("", data.aws_partition.current.*.partition)}:s3:::${local.bucket}${local.origin_path}*"]
+    resources = ["arn:${join("", data.aws_partition.current[*].partition)}:s3:::${local.bucket}${local.origin_path}*"]
 
     principals {
       type        = "AWS"
@@ -151,7 +146,7 @@ data "aws_iam_policy_document" "s3_origin" {
     sid = "S3ListBucketForCloudFront"
 
     actions   = ["s3:ListBucket"]
-    resources = ["arn:${join("", data.aws_partition.current.*.partition)}:s3:::${local.bucket}"]
+    resources = ["arn:${join("", data.aws_partition.current[*].partition)}:s3:::${local.bucket}"]
 
     principals {
       type        = "AWS"
@@ -163,13 +158,13 @@ data "aws_iam_policy_document" "s3_origin" {
 data "aws_iam_policy_document" "s3_website_origin" {
   count = local.website_enabled ? 1 : 0
 
-  override_json = local.override_policy
+  override_policy_documents = [local.override_policy]
 
   statement {
     sid = "S3GetObjectForCloudFront"
 
     actions   = ["s3:GetObject"]
-    resources = ["arn:${join("", data.aws_partition.current.*.partition)}:s3:::${local.bucket}${local.origin_path}*"]
+    resources = ["arn:${join("", data.aws_partition.current[*].partition)}:s3:::${local.bucket}${local.origin_path}*"]
 
     principals {
       type        = "AWS"
@@ -233,9 +228,9 @@ data "aws_iam_policy_document" "combined" {
   count = local.enabled ? 1 : 0
 
   source_policy_documents = compact(concat(
-    data.aws_iam_policy_document.s3_origin.*.json,
-    data.aws_iam_policy_document.s3_website_origin.*.json,
-    data.aws_iam_policy_document.s3_ssl_only.*.json,
+    data.aws_iam_policy_document.s3_origin[*].json,
+    data.aws_iam_policy_document.s3_website_origin[*].json,
+    data.aws_iam_policy_document.s3_ssl_only[*].json,
     values(data.aws_iam_policy_document.deployment)[*].json
   ))
 }
@@ -244,7 +239,7 @@ resource "aws_s3_bucket_policy" "default" {
   count = local.create_s3_origin_bucket || local.override_origin_bucket_policy ? 1 : 0
 
   bucket = local.origin_bucket.bucket
-  policy = join("", data.aws_iam_policy_document.combined.*.json)
+  policy = join("", data.aws_iam_policy_document.combined[*].json)
 }
 
 resource "aws_s3_bucket" "origin" {
@@ -277,7 +272,7 @@ resource "aws_s3_bucket" "origin" {
   }
 
   dynamic "logging" {
-    for_each = local.s3_access_log_bucket_name != "" ? [1] : []
+    for_each = local.s3_access_logging_enabled ? [1] : []
     content {
       target_bucket = local.s3_access_log_bucket_name
       target_prefix = coalesce(var.s3_access_log_prefix, "logs/${local.origin_id}/")
@@ -337,21 +332,39 @@ resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
   create_duration  = "30s"
   destroy_duration = "30s"
 
-  depends_on = [aws_s3_bucket_public_access_block.origin, aws_s3_bucket_policy.default]
+  depends_on = [
+    aws_s3_bucket_public_access_block.origin,
+    aws_s3_bucket_ownership_controls.origin,
+    aws_s3_bucket_policy.default
+  ]
 }
 
 module "logs" {
   source                   = "cloudposse/s3-log-storage/aws"
-  version                  = "0.26.0"
+  version                  = "1.4.2"
   enabled                  = local.create_cf_log_bucket
   attributes               = var.extra_logs_attributes
+  allow_ssl_requests_only  = true
   lifecycle_prefix         = local.cloudfront_access_log_prefix
   standard_transition_days = var.log_standard_transition_days
   glacier_transition_days  = var.log_glacier_transition_days
   expiration_days          = var.log_expiration_days
   force_destroy            = var.origin_force_destroy
   versioning_enabled       = var.log_versioning_enabled
 
+  # See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
+  s3_object_ownership = "BucketOwnerPreferred"
+  acl                 = null
+  grants = [
+    {
+      # Canonical ID for the awslogsdelivery account
+      id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+      permissions = ["FULL_CONTROL"]
+      type        = "CanonicalUser"
+      uri         = null
+    },
+  ]
+
   context = module.this.context
 }
 
@@ -376,7 +389,7 @@ resource "aws_cloudfront_distribution" "default" {
   comment             = var.comment
   default_root_object = var.default_root_object
   price_class         = var.price_class
-  depends_on          = [aws_s3_bucket.origin]
+  depends_on          = [aws_s3_bucket.origin, time_sleep.wait_for_aws_s3_bucket_settings]
   http_version        = var.http_version
 
   dynamic "logging_config" {

modules/lambda@edge/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 5.0"
     }
     time = {
       source  = "hashicorp/time"

outputs.tf

@@ -34,7 +34,7 @@ output "cf_identity_iam_arn" {
 }
 
 output "cf_origin_groups" {
-  value       = try(flatten(aws_cloudfront_distribution.default.*.origin_group), [])
+  value       = try(flatten(aws_cloudfront_distribution.default[*].origin_group), [])
   description = "List of Origin Groups in the CloudFront distribution."
 }
 
@@ -44,7 +44,7 @@ output "cf_primary_origin_id" {
 }
 
 output "cf_origin_ids" {
-  value       = try(aws_cloudfront_distribution.default[0].origin.*.origin_id, [])
+  value       = try(aws_cloudfront_distribution.default[0].origin[*].origin_id, [])
   description = "List of Origin IDs in the CloudFront distribution."
 }
 
@@ -69,7 +69,7 @@ output "s3_bucket_arn" {
 }
 
 output "s3_bucket_policy" {
-  value       = join("", aws_s3_bucket_policy.default.*.policy)
+  value       = join("", aws_s3_bucket_policy.default[*].policy)
   description = "Final computed S3 bucket policy"
 }