workflow fix

.github/workflows/documentation.yml

@@ -8,7 +8,10 @@ on:
       - '*.md'
       - '.github/workflows/documentation.yml'
 
-permissions: {}
+permissions: 
+  contents: write
+  pull-requests: write
+
 
 jobs:
   docs:
@@ -19,7 +22,7 @@ jobs:
         ref: ${{ github.event.pull_request.head.ref }}
 
     - name: Render terraform docs and push changes back to PR
-      uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
+      uses: terraform-docs/gh-actions@18dc76d9b2e3c746cf6f8e073c7fa7df16dcf620 # v1.0.0
       with:
         working-dir: .
         output-file: README.md

README.md

@@ -60,7 +60,7 @@ If you're looking to raise an issue with this module, please create a new issue
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.9 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 | <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | ~> 2.2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | > 0.9.0 |
@@ -69,11 +69,10 @@ If you're looking to raise an issue with this module, please create a new issue
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.9 |
-| <a name="provider_aws.core-vpc"></a> [aws.core-vpc](#provider\_aws.core-vpc) | ~> 4.9 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_aws.core-vpc"></a> [aws.core-vpc](#provider\_aws.core-vpc) | ~> 5.0 |
 | <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | ~> 2.2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
-| <a name="provider_time"></a> [time](#provider\_time) | > 0.9.0 |
 
 ## Modules
 
@@ -89,18 +88,21 @@ No modules.
 | [aws_eip_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip_association) | resource |
 | [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.asm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.secretsmanager_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_route53_record.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_secretsmanager_secret.placeholder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_ssm_parameter.placeholder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_volume_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/volume_attachment) | resource |
 | [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [time_offset.asm_parameter](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/offset) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_instance_type.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
-| [aws_iam_policy_document.asm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [aws_route53_zone.internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [cloudinit_config.this](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
@@ -115,22 +117,25 @@ No modules.
 | <a name="input_application_name"></a> [application\_name](#input\_application\_name) | The name of the application.  This will be name of the environment in Modernisation Platform | `string` | `"nomis"` | no |
 | <a name="input_availability_zone"></a> [availability\_zone](#input\_availability\_zone) | The availability zone in which to deploy the infrastructure | `string` | `"eu-west-2a"` | no |
 | <a name="input_business_unit"></a> [business\_unit](#input\_business\_unit) | This corresponds to the VPC in which the application resides | `string` | `"hmpps"` | no |
-| <a name="input_cloudwatch_metric_alarms"></a> [cloudwatch\_metric\_alarms](#input\_cloudwatch\_metric\_alarms) | Map of cloudwatch metric alarms. | <pre>map(object({<br>    comparison_operator = string<br>    evaluation_periods  = number<br>    metric_name         = string<br>    namespace           = string<br>    period              = number<br>    statistic           = string<br>    threshold           = number<br>    alarm_actions       = list(string)<br>    actions_enabled     = optional(bool, false)<br>    alarm_description   = optional(string)<br>    datapoints_to_alarm = optional(number)<br>    treat_missing_data  = optional(string, "missing")<br>    dimensions          = optional(map(string), {})<br>    tags                = optional(map(string))<br>  }))</pre> | `{}` | no |
+| <a name="input_cloudwatch_metric_alarms"></a> [cloudwatch\_metric\_alarms](#input\_cloudwatch\_metric\_alarms) | Map of cloudwatch metric alarms.  The alarm name is set to the ec2 instance name plus the map key. | <pre>map(object({<br>    comparison_operator = string<br>    evaluation_periods  = number<br>    metric_name         = string<br>    namespace           = string<br>    period              = number<br>    statistic           = string<br>    threshold           = number<br>    alarm_actions       = list(string)<br>    actions_enabled     = optional(bool, false)<br>    alarm_description   = optional(string)<br>    datapoints_to_alarm = optional(number)<br>    treat_missing_data  = optional(string, "missing")<br>    dimensions          = optional(map(string), {})<br>  }))</pre> | `{}` | no |
 | <a name="input_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#input\_ebs\_kms\_key\_id) | KMS Key to use for EBS volumes if not explicitly set in ebs\_volumes variable | `string` | `null` | no |
 | <a name="input_ebs_volume_config"></a> [ebs\_volume\_config](#input\_ebs\_volume\_config) | EC2 volume configurations, where key is a label, e.g. flash, which is assigned to the disk in ebs\_volumes.  All disks with same label have the same configuration.  If not specified, use values from the AMI.  If total\_size specified, the volume size is this divided by the number of drives with the given label | <pre>map(object({<br>    iops       = optional(number)<br>    throughput = optional(number)<br>    total_size = optional(number)<br>    type       = optional(string)<br>    kms_key_id = optional(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_ebs_volume_tags"></a> [ebs\_volume\_tags](#input\_ebs\_volume\_tags) | Additional tags to apply to ebs volumes | `map(string)` | `{}` | no |
 | <a name="input_ebs_volumes"></a> [ebs\_volumes](#input\_ebs\_volumes) | EC2 volumes, see aws\_ebs\_volume for documentation.  key=volume name, value=ebs\_volume\_config key.  label is used as part of the Name tag | <pre>map(object({<br>    label       = optional(string)<br>    snapshot_id = optional(string)<br>    iops        = optional(number)<br>    throughput  = optional(number)<br>    size        = optional(number)<br>    type        = optional(string)<br>    kms_key_id  = optional(string)<br>  }))</pre> | n/a | yes |
 | <a name="input_ebs_volumes_copy_all_from_ami"></a> [ebs\_volumes\_copy\_all\_from\_ami](#input\_ebs\_volumes\_copy\_all\_from\_ami) | If true, ensure all volumes in AMI are also present in EC2.  If false, only create volumes specified in ebs\_volumes var | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Application environment - i.e. the terraform workspace | `string` | n/a | yes |
 | <a name="input_iam_resource_names_prefix"></a> [iam\_resource\_names\_prefix](#input\_iam\_resource\_names\_prefix) | Prefix IAM resources with this prefix, e.g. ec2-database | `string` | `"ec2"` | no |
-| <a name="input_instance"></a> [instance](#input\_instance) | EC2 instance settings, see aws\_instance documentation | <pre>object({<br>    associate_public_ip_address  = optional(bool, false)<br>    disable_api_termination      = bool<br>    instance_type                = string<br>    key_name                     = string<br>    metadata_endpoint_enabled    = optional(string, "enabled")<br>    metadata_options_http_tokens = optional(string, "required")<br>    monitoring                   = optional(bool, true)<br>    ebs_block_device_inline      = optional(bool, false)<br>    vpc_security_group_ids       = list(string)<br>    private_dns_name_options = optional(object({<br>      enable_resource_name_dns_aaaa_record = optional(bool)<br>      enable_resource_name_dns_a_record    = optional(bool)<br>      hostname_type                        = string<br>    }))<br>  })</pre> | n/a | yes |
+| <a name="input_instance"></a> [instance](#input\_instance) | EC2 instance settings, see aws\_instance documentation | <pre>object({<br>    associate_public_ip_address  = optional(bool, false)<br>    disable_api_termination      = bool<br>    instance_type                = string<br>    key_name                     = string<br>    metadata_endpoint_enabled    = optional(string, "enabled")<br>    metadata_options_http_tokens = optional(string, "required")<br>    monitoring                   = optional(bool, true)<br>    ebs_block_device_inline      = optional(bool, false)<br>    vpc_security_group_ids       = list(string)<br>    private_dns_name_options = optional(object({<br>      enable_resource_name_dns_aaaa_record = optional(bool)<br>      enable_resource_name_dns_a_record    = optional(bool)<br>      hostname_type                        = string<br>    }))<br>    tags = optional(map(string), {})<br>  })</pre> | n/a | yes |
 | <a name="input_instance_profile_policies"></a> [instance\_profile\_policies](#input\_instance\_profile\_policies) | A list of managed IAM policy document ARNs to be attached to the database instance profile | `list(string)` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Provide a unique name for the instance | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Destination AWS Region for the infrastructure | `string` | `"eu-west-2"` | no |
 | <a name="input_route53_records"></a> [route53\_records](#input\_route53\_records) | Optionally create internal and external DNS records | <pre>object({<br>    create_internal_record = bool<br>    create_external_record = bool<br>  })</pre> | n/a | yes |
-| <a name="input_ssm_parameters"></a> [ssm\_parameters](#input\_ssm\_parameters) | A map of SSM parameters to create.  If parameters are manually created, set to {} so IAM role still created | <pre>map(object({<br>    random = object({<br>      length  = number<br>      special = bool<br>    })<br>    description = string<br>  }))</pre> | `null` | no |
+| <a name="input_secretsmanager_secrets"></a> [secretsmanager\_secrets](#input\_secretsmanager\_secrets) | A map of secretsmanager secrets to create. No value is created, add a value outside of terraform | <pre>map(object({<br>    description = optional(string)<br>    kms_key_id  = optional(string)<br>  }))</pre> | `{}` | no |
+| <a name="input_secretsmanager_secrets_prefix"></a> [secretsmanager\_secrets\_prefix](#input\_secretsmanager\_secrets\_prefix) | Optionally prefix secretsmanager secrets with this prefix.  Add a trailing / | `string` | `""` | no |
+| <a name="input_ssm_parameters"></a> [ssm\_parameters](#input\_ssm\_parameters) | A map of SSM parameters to create. Set a specific value or a randomly generated value.  If neither random or value are set, a placeholder value is created which can be updated outside of terraform | <pre>map(object({<br>    description = optional(string)<br>    type        = optional(string, "SecureString")<br>    kms_key_id  = optional(string)<br>    random = optional(object({<br>      length  = number<br>      special = optional(bool)<br>    }))<br>    value = optional(string)<br>  }))</pre> | `null` | no |
 | <a name="input_ssm_parameters_prefix"></a> [ssm\_parameters\_prefix](#input\_ssm\_parameters\_prefix) | Optionally prefix ssm parameters with this prefix.  Add a trailing / | `string` | `""` | no |
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | The subnet id in which to deploy the infrastructure | `string` | n/a | yes |
-| <a name="input_tags"></a> [tags](#input\_tags) | Default tags to be applied to resources | `map(any)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Default tags to be applied to resources.  Additional tags can be added to EBS volumes or EC2s, see instance.tags and ebs\_volume\_tags variables. | `map(any)` | n/a | yes |
 | <a name="input_user_data_cloud_init"></a> [user\_data\_cloud\_init](#input\_user\_data\_cloud\_init) | Use this instead of user\_data\_raw to run multiple scripts using cloud\_init | <pre>object({<br>    args    = optional(map(string))<br>    scripts = optional(list(string))<br>    write_files = optional(map(object({<br>      path        = string<br>      owner       = string<br>      permissions = string<br>    })), {})<br>  })</pre> | `null` | no |
 | <a name="input_user_data_raw"></a> [user\_data\_raw](#input\_user\_data\_raw) | Base64 encoded user data, script or cloud formation template | `string` | `null` | no |