From 81c7085bd8b9af7da517936c5655bd251089e56a Mon Sep 17 00:00:00 2001
From: "docs-sourcer[bot]"
<99042413+docs-sourcer[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 23:14:28 +0000
Subject: [PATCH 1/2] Updated with the [latest
changes](https://github.com/gruntwork-io/terraform-aws-service-catalog/pull/2366)
from the `terraform-aws-service-catalog@fix/rds-provider-v6-support` source
branch.
---
.../app-orchestration/amazon-ecs-cluster.md | 19 +-
.../amazon-eks-core-services.md | 66 +--
.../app-orchestration/amazon-eks-workers.md | 80 ++--
.../services/app-orchestration/amazon-eks.md | 389 +++++++++++++-----
.../app-orchestration/ec-2-instance.md | 33 +-
.../services/app-orchestration/lambda.md | 36 +-
.../services/data-storage/amazon-aurora.md | 92 +----
.../amazon-elasti-cache-for-memcached.md | 29 +-
.../amazon-elasti-cache-for-redis.md | 29 +-
.../data-storage/amazon-elasticsearch.md | 33 +-
.../data-storage/amazon-rds-replica.md | 38 +-
.../services/data-storage/amazon-rds.md | 240 +++++++----
.../networking/elastic-load-balancer-elb.md | 17 +-
.../services/networking/management-vpc.md | 23 +-
.../networking/route-53-hosted-zones.md | 8 +-
.../services/networking/sns-topics.md | 127 +-----
.../networking/virtual-private-cloud-vpc.md | 23 +-
17 files changed, 569 insertions(+), 713 deletions(-)
diff --git a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
index ebc732272..ba48b377a 100644
--- a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
+++ b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
@@ -287,10 +287,6 @@ module "ecs_cluster" {
# Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1.
cluster_instance_root_volume_type = "gp2"
- # When set, name the IAM role for the ECS cluster using this variable. When
- # null, the IAM role name will be derived from var.cluster_name.
- custom_iam_role_name = null
-
# A list of custom tags to apply to the EC2 Instances in this ASG. Each item
# in this list should be a map with the parameters key, value, and
# propagate_at_launch.
@@ -592,10 +588,6 @@ inputs = {
# Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1.
cluster_instance_root_volume_type = "gp2"
- # When set, name the IAM role for the ECS cluster using this variable. When
- # null, the IAM role name will be derived from var.cluster_name.
- custom_iam_role_name = null
-
# A list of custom tags to apply to the EC2 Instances in this ASG. Each item
# in this list should be a map with the parameters key, value, and
# propagate_at_launch.
@@ -1050,15 +1042,6 @@ The volume type for the root volume for each of the ECS Cluster's EC2 Instances.
-
-
-
-When set, name the IAM role for the ECS cluster using this variable. When null, the IAM role name will be derived from cluster_name.
-
-
-
-
-
@@ -1506,6 +1489,6 @@ The CloudWatch Dashboard metric widget for the ECS cluster workers' Memory utili
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/ecs-cluster/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "3359d1456500f7677f7ded726c154227"
+ "hash": "a9a4cfd64bce6cf9a7690691d91d5bf1"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks-core-services.md b/docs/reference/services/app-orchestration/amazon-eks-core-services.md
index 3e6ebacf8..ea7c47b4c 100644
--- a/docs/reference/services/app-orchestration/amazon-eks-core-services.md
+++ b/docs/reference/services/app-orchestration/amazon-eks-core-services.md
@@ -177,11 +177,6 @@ module "eks_core_services" {
# The key is the tag name and the value is the tag value.
alb_ingress_controller_eks_fargate_profile_tags = {}
- # Additional container arguments for the AWS Load Balancer Controller. For
- # example, use this to pass feature gates like
- # --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
- alb_ingress_controller_extra_args = {}
-
# A map of custom tags to apply to the Controller IAM Policies if enabled. The
# key is the tag name and the value is the tag value.
alb_ingress_controller_iam_policy_tags = {}
@@ -347,7 +342,7 @@ module "eks_core_services" {
# major/minor version (e.g., v1.20) of your Kubernetes Installation. See
# https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases
# for a list of versions.
- cluster_autoscaler_version = "v1.33.0"
+ cluster_autoscaler_version = "v1.32.0"
# When set to true, create a new dedicated IAM Role for the cluster
# autoscaler. When set to true, var.iam_role_for_service_accounts_config is
@@ -712,10 +707,20 @@ module "eks_core_services" {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
- # and must be installed and on your PATH.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -810,11 +815,6 @@ inputs = {
# The key is the tag name and the value is the tag value.
alb_ingress_controller_eks_fargate_profile_tags = {}
- # Additional container arguments for the AWS Load Balancer Controller. For
- # example, use this to pass feature gates like
- # --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
- alb_ingress_controller_extra_args = {}
-
# A map of custom tags to apply to the Controller IAM Policies if enabled. The
# key is the tag name and the value is the tag value.
alb_ingress_controller_iam_policy_tags = {}
@@ -980,7 +980,7 @@ inputs = {
# major/minor version (e.g., v1.20) of your Kubernetes Installation. See
# https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases
# for a list of versions.
- cluster_autoscaler_version = "v1.33.0"
+ cluster_autoscaler_version = "v1.32.0"
# When set to true, create a new dedicated IAM Role for the cluster
# autoscaler. When set to true, var.iam_role_for_service_accounts_config is
@@ -1345,10 +1345,20 @@ inputs = {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
- # and must be installed and on your PATH.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1497,15 +1507,6 @@ A map of custom tags to apply to the Controller Fargate Profile if enabled. The
-
-
-
-Additional container arguments for the AWS Load Balancer Controller. For example, use this to pass feature gates like --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
-
-
-
-
-
@@ -2156,7 +2157,7 @@ The name of the service account to create for the cluster autoscaler.
Which version of the cluster autoscaler to install. This should match the major/minor version (e.g., v1.20) of your Kubernetes Installation. See https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases for a list of versions.
-
+
@@ -5450,7 +5451,16 @@ map(object({
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
+
+
+
+
+
+
+
+
+EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
@@ -5495,6 +5505,6 @@ A list of names of Kubernetes PriorityClass objects created by this module.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-core-services/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "69184e101f982fa2915f90294caf6918"
+ "hash": "e005100df99f9a4df8b5ffcb3b48e4cf"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks-workers.md b/docs/reference/services/app-orchestration/amazon-eks-workers.md
index b6e04197b..fbb0a5c8e 100644
--- a/docs/reference/services/app-orchestration/amazon-eks-workers.md
+++ b/docs/reference/services/app-orchestration/amazon-eks-workers.md
@@ -96,12 +96,6 @@ If you want to deploy this repo in production, check out the following resources
## Manage
-### Migrating from AL2 to AL2023
-
-**IMPORTANT**: Starting with EKS 1.33, this module defaults to Amazon Linux 2023 (AL2023) instead of Amazon Linux 2 (AL2). If you have existing clusters using AL2, see the [AL2 to AL2023 Migration Guide](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/AL2-TO-AL2023-MIGRATION.md) for detailed migration instructions.
-
-### Worker Management
-
For information on registering the worker IAM role to the EKS control plane, refer to the
[IAM Roles and Kubernetes API Access](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/core-concepts.md#iam-roles-and-kubernetes-api-access) section of the documentation.
@@ -200,7 +194,7 @@ module "eks_workers" {
# Default value for asg_ami_type field of autoscaling_group_configurations.
# See the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- asg_default_ami_type = "AL2023_x86_64_STANDARD"
+ asg_default_ami_type = "AL2_x86_64"
# Default value for enable_detailed_monitoring field of
# autoscaling_group_configurations.
@@ -495,12 +489,6 @@ module "eks_workers" {
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_worker_memory_utilization_treat_missing_data = "missing"
- # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy,
- # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed
- # Node Group IAM role. Set to false if your existing IAM role already has
- # these policies attached.
- managed_node_group_attach_default_iam_policies = true
-
# Whether or not to create an AWS Security Group for the Managed Node Groups.
# By default this is created.
managed_node_group_create_security_group = true
@@ -526,7 +514,7 @@ module "eks_workers" {
# Default value for ami_type field of managed_node_group_configurations. See
# the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- node_group_default_ami_type = "AL2023_x86_64_STANDARD"
+ node_group_default_ami_type = "AL2_x86_64"
# Default value for capacity_type field of managed_node_group_configurations.
node_group_default_capacity_type = "ON_DEMAND"
@@ -653,8 +641,8 @@ module "eks_workers" {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
- # and must be installed and on your PATH.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -664,6 +652,16 @@ module "eks_workers" {
# IMDSv1.
use_imdsv1 = false
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -778,7 +776,7 @@ inputs = {
# Default value for asg_ami_type field of autoscaling_group_configurations.
# See the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- asg_default_ami_type = "AL2023_x86_64_STANDARD"
+ asg_default_ami_type = "AL2_x86_64"
# Default value for enable_detailed_monitoring field of
# autoscaling_group_configurations.
@@ -1073,12 +1071,6 @@ inputs = {
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_worker_memory_utilization_treat_missing_data = "missing"
- # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy,
- # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed
- # Node Group IAM role. Set to false if your existing IAM role already has
- # these policies attached.
- managed_node_group_attach_default_iam_policies = true
-
# Whether or not to create an AWS Security Group for the Managed Node Groups.
# By default this is created.
managed_node_group_create_security_group = true
@@ -1104,7 +1096,7 @@ inputs = {
# Default value for ami_type field of managed_node_group_configurations. See
# the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- node_group_default_ami_type = "AL2023_x86_64_STANDARD"
+ node_group_default_ami_type = "AL2_x86_64"
# Default value for capacity_type field of managed_node_group_configurations.
node_group_default_capacity_type = "ON_DEMAND"
@@ -1231,8 +1223,8 @@ inputs = {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
- # and must be installed and on your PATH.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -1242,6 +1234,16 @@ inputs = {
# IMDSv1.
use_imdsv1 = false
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1663,7 +1665,7 @@ Custom name for the IAM role for the Self-managed workers. When null, a default
Default value for asg_ami_type field of autoscaling_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
-
+
@@ -2507,15 +2509,6 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on
-
-
-
-Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed Node Group IAM role. Set to false if your existing IAM role already has these policies attached.
-
-
-
-
-
@@ -2558,7 +2551,7 @@ ARN of the IAM role to use if iam_role_already_exists = true. When null, uses ma
Default value for ami_type field of managed_node_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
-
+
@@ -2814,7 +2807,7 @@ The tenancy of the servers in the self-managed worker ASG. Must be one of: defau
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
@@ -2829,6 +2822,15 @@ Set this variable to true to enable the use of Instance Metadata Service Version
+
+
+
+EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
+
+
+
+
+
@@ -2999,6 +3001,6 @@ The list of names of the ASGs that were deployed to act as EKS workers.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "254be00e7e86a29aeddd3b7a118ea91f"
+ "hash": "2ac6dd6f83d679a3380aa8b71a8374db"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks.md b/docs/reference/services/app-orchestration/amazon-eks.md
index c33e4e7e9..ecc7fbe6e 100644
--- a/docs/reference/services/app-orchestration/amazon-eks.md
+++ b/docs/reference/services/app-orchestration/amazon-eks.md
@@ -347,12 +347,6 @@ module "eks_cluster" {
# use the key `default`.
cloud_init_parts = {}
- # ARN of an existing IAM role to use for the EKS cluster. When null, a new
- # role will be created. WARNING: This can ONLY be set during initial cluster
- # creation. Changing this value on an existing cluster will DESTROY and
- # RECREATE the cluster (destructive operation).
- cluster_iam_role_arn = null
-
# ARN of permissions boundary to apply to the cluster IAM role - the IAM role
# created for the EKS cluster.
cluster_iam_role_permissions_boundary = null
@@ -394,15 +388,6 @@ module "eks_cluster" {
# cluster to be created.
cluster_network_config_service_ipv4_cidr = null
- # ID of an existing security group to use for the EKS cluster control plane.
- # When null or empty, a new security group will be created. This is the
- # primary cluster security group; additional security groups can be provided
- # via the additional_security_groups_for_control_plane variable.
- cluster_security_group_id = null
-
- # Specify the log class of the cloudwatch log group
- control_plane_cloudwatch_log_group_class = "STANDARD"
-
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data in the CloudWatch log group for EKS control plane logs.
control_plane_cloudwatch_log_group_kms_key_id = null
@@ -592,18 +577,15 @@ module "eks_cluster" {
# When set to true, the module configures EKS add-ons
# (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)
- # specified with `eks_addons`.
+ # specified with `eks_addons`. VPC CNI configurations with
+ # `use_vpc_cni_customize_script` isn't fully supported with addons, as the
+ # automated add-on lifecycles could potentially undo the configuration
+ # changes.
enable_eks_addons = false
# Enable fail2ban to block brute force log in attempts. Defaults to true.
enable_fail2ban = true
- # Set to true to enable several basic CloudWatch alarms around CPU usage,
- # memory usage, and disk space usage for worker ASGs. If set to true, make
- # sure to specify SNS topics to send notifications to using
- # var.alarms_sns_topic_arn.
- enable_worker_cloudwatch_alarms = true
-
# Set to true to send worker system logs to CloudWatch. This is useful in
# combination with
# https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts
@@ -689,10 +671,16 @@ module "eks_cluster" {
# the user.
iam_user_to_rbac_group_mapping = {}
+ # The URL from which to download Kubergrunt if it's not installed already. Use
+ # to specify a version of kubergrunt that is compatible with your specified
+ # kubernetes version. Ex.
+ # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_'
+ kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_"
+
# Version of Kubernetes to use. Refer to EKS docs for list of available
# versions
# (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
- kubernetes_version = "1.33"
+ kubernetes_version = "1.32"
# Configure one or more Node Groups to manage the EC2 instances in this
# cluster. Set to empty object ({}) if you do not wish to configure managed
@@ -807,8 +795,8 @@ module "eks_cluster" {
num_worker_vpc_subnet_ids = null
# When true, configures control plane services to run on Fargate so that the
- # cluster can run without worker nodes. If true, requires
- # create_default_fargate_iam_role be set to true.
+ # cluster can run without worker nodes. If true, requires kubergrunt to be
+ # available on the system, and create_default_fargate_iam_role be set to true.
schedule_control_plane_services_on_fargate = false
# ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By
@@ -840,12 +828,33 @@ module "eks_cluster" {
# The tenancy of this server. Must be one of: default, dedicated, or host.
tenancy = "default"
+ # When set to true, the sync-core-components command will skip updating
+ # coredns. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_coredns = false
+
+ # When set to true, the sync-core-components command will skip updating
+ # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_kube_proxy = false
+
+ # When set to true, the sync-core-components command will skip updating
+ # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_vpc_cni = false
+
+ # When set to true, the sync-core-components command will wait until the new
+ # versions are rolled out in the cluster. This variable is ignored if
+ # `use_kubergrunt_sync_components` is false.
+ upgrade_cluster_script_wait_for_rollout = true
+
# If this variable is set to true, then use an exec-based plugin to
# authenticate and fetch tokens for EKS. This is useful because EKS clusters
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -855,6 +864,26 @@ module "eks_cluster" {
# IMDSv1.
use_imdsv1 = false
+ # When set to true, this will enable kubergrunt based component syncing. This
+ # step ensures that the core EKS components that are installed are upgraded to
+ # a matching version everytime the cluster's Kubernetes version is updated.
+ use_kubergrunt_sync_components = true
+
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
+ # When set to true, this will enable kubergrunt verification to wait for the
+ # Kubernetes API server to come up before completing. If false, reverts to a
+ # 30 second timed wait instead.
+ use_kubergrunt_verification = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -862,13 +891,37 @@ module "eks_cluster" {
# when targeting compliance with various security standards.
use_managed_iam_policies = true
- # When true, assumes prefix delegation mode is in use for the AWS VPC CNI
- # component of the EKS cluster when computing max pods allowed on the node. In
- # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28)
- # instead of 1, allowing you to pack more Pods per node. This should be set to
- # true when the vpc-cni EKS addon is configured with
- # ENABLE_PREFIX_DELEGATION=true.
- use_prefix_mode_to_calculate_max_pods = false
+ # When set to true, this will enable management of the aws-vpc-cni
+ # configuration options using kubergrunt running as a local-exec provisioner.
+ # If you set this to false, the vpc_cni_* variables will be ignored.
+ use_vpc_cni_customize_script = true
+
+ # When true, enable prefix delegation mode for the AWS VPC CNI component of
+ # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP
+ # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note
+ # that by default, AWS VPC CNI will always preallocate 1 full prefix - this
+ # means that you can potentially take up 32 IP addresses from the VPC network
+ # space even if you only have 1 Pod on the node. You can tweak this behavior
+ # by configuring the var.vpc_cni_warm_ip_target input variable.
+ vpc_cni_enable_prefix_delegation = true
+
+ # The minimum number of IP addresses (free and used) each node should start
+ # with. When null, defaults to the aws-vpc-cni application setting (currently
+ # 16 as of version 1.9.0). For example, if this is set to 25, every node will
+ # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to
+ # the default value, then each node will allocate only 1 prefix (16 IP
+ # addresses).
+ vpc_cni_minimum_ip_target = null
+
+ # The number of free IP addresses each node should maintain. When null,
+ # defaults to the aws-vpc-cni application setting (currently 16 as of version
+ # 1.9.0). In prefix delegation mode, determines whether the node will
+ # preallocate another full prefix. For example, if this is set to 5 and a node
+ # is currently has 9 Pods scheduled, then the node will NOT preallocate a new
+ # prefix block of 16 IP addresses. On the other hand, if this was set to the
+ # default value, then the node will allocate a new block when the first pod is
+ # scheduled.
+ vpc_cni_warm_ip_target = null
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting worker system log data. Only used if
@@ -1156,12 +1209,6 @@ inputs = {
# use the key `default`.
cloud_init_parts = {}
- # ARN of an existing IAM role to use for the EKS cluster. When null, a new
- # role will be created. WARNING: This can ONLY be set during initial cluster
- # creation. Changing this value on an existing cluster will DESTROY and
- # RECREATE the cluster (destructive operation).
- cluster_iam_role_arn = null
-
# ARN of permissions boundary to apply to the cluster IAM role - the IAM role
# created for the EKS cluster.
cluster_iam_role_permissions_boundary = null
@@ -1203,15 +1250,6 @@ inputs = {
# cluster to be created.
cluster_network_config_service_ipv4_cidr = null
- # ID of an existing security group to use for the EKS cluster control plane.
- # When null or empty, a new security group will be created. This is the
- # primary cluster security group; additional security groups can be provided
- # via the additional_security_groups_for_control_plane variable.
- cluster_security_group_id = null
-
- # Specify the log class of the cloudwatch log group
- control_plane_cloudwatch_log_group_class = "STANDARD"
-
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data in the CloudWatch log group for EKS control plane logs.
control_plane_cloudwatch_log_group_kms_key_id = null
@@ -1401,18 +1439,15 @@ inputs = {
# When set to true, the module configures EKS add-ons
# (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)
- # specified with `eks_addons`.
+ # specified with `eks_addons`. VPC CNI configurations with
+ # `use_vpc_cni_customize_script` isn't fully supported with addons, as the
+ # automated add-on lifecycles could potentially undo the configuration
+ # changes.
enable_eks_addons = false
# Enable fail2ban to block brute force log in attempts. Defaults to true.
enable_fail2ban = true
- # Set to true to enable several basic CloudWatch alarms around CPU usage,
- # memory usage, and disk space usage for worker ASGs. If set to true, make
- # sure to specify SNS topics to send notifications to using
- # var.alarms_sns_topic_arn.
- enable_worker_cloudwatch_alarms = true
-
# Set to true to send worker system logs to CloudWatch. This is useful in
# combination with
# https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts
@@ -1498,10 +1533,16 @@ inputs = {
# the user.
iam_user_to_rbac_group_mapping = {}
+ # The URL from which to download Kubergrunt if it's not installed already. Use
+ # to specify a version of kubergrunt that is compatible with your specified
+ # kubernetes version. Ex.
+ # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_'
+ kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_"
+
# Version of Kubernetes to use. Refer to EKS docs for list of available
# versions
# (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
- kubernetes_version = "1.33"
+ kubernetes_version = "1.32"
# Configure one or more Node Groups to manage the EC2 instances in this
# cluster. Set to empty object ({}) if you do not wish to configure managed
@@ -1616,8 +1657,8 @@ inputs = {
num_worker_vpc_subnet_ids = null
# When true, configures control plane services to run on Fargate so that the
- # cluster can run without worker nodes. If true, requires
- # create_default_fargate_iam_role be set to true.
+ # cluster can run without worker nodes. If true, requires kubergrunt to be
+ # available on the system, and create_default_fargate_iam_role be set to true.
schedule_control_plane_services_on_fargate = false
# ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By
@@ -1649,12 +1690,33 @@ inputs = {
# The tenancy of this server. Must be one of: default, dedicated, or host.
tenancy = "default"
+ # When set to true, the sync-core-components command will skip updating
+ # coredns. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_coredns = false
+
+ # When set to true, the sync-core-components command will skip updating
+ # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_kube_proxy = false
+
+ # When set to true, the sync-core-components command will skip updating
+ # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is
+ # false.
+ upgrade_cluster_script_skip_vpc_cni = false
+
+ # When set to true, the sync-core-components command will wait until the new
+ # versions are rolled out in the cluster. This variable is ignored if
+ # `use_kubergrunt_sync_components` is false.
+ upgrade_cluster_script_wait_for_rollout = true
+
# If this variable is set to true, then use an exec-based plugin to
# authenticate and fetch tokens for EKS. This is useful because EKS clusters
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround.
+ # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
+ # input variable to control whether kubergrunt or aws is used to fetch tokens.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -1664,6 +1726,26 @@ inputs = {
# IMDSv1.
use_imdsv1 = false
+ # When set to true, this will enable kubergrunt based component syncing. This
+ # step ensures that the core EKS components that are installed are upgraded to
+ # a matching version everytime the cluster's Kubernetes version is updated.
+ use_kubergrunt_sync_components = true
+
+ # EKS clusters use short-lived authentication tokens that can expire in the
+ # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
+ # plugin to fetch an up-to-date token. If this variable is set to true, we'll
+ # use kubergrunt to fetch the token (in which case, kubergrunt must be
+ # installed and on PATH); if this variable is set to false, we'll use the aws
+ # CLI to fetch the token (in which case, aws must be installed and on PATH).
+ # Note this functionality is only enabled if use_exec_plugin_for_auth is set
+ # to true.
+ use_kubergrunt_to_fetch_token = true
+
+ # When set to true, this will enable kubergrunt verification to wait for the
+ # Kubernetes API server to come up before completing. If false, reverts to a
+ # 30 second timed wait instead.
+ use_kubergrunt_verification = true
+
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1671,13 +1753,37 @@ inputs = {
# when targeting compliance with various security standards.
use_managed_iam_policies = true
- # When true, assumes prefix delegation mode is in use for the AWS VPC CNI
- # component of the EKS cluster when computing max pods allowed on the node. In
- # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28)
- # instead of 1, allowing you to pack more Pods per node. This should be set to
- # true when the vpc-cni EKS addon is configured with
- # ENABLE_PREFIX_DELEGATION=true.
- use_prefix_mode_to_calculate_max_pods = false
+ # When set to true, this will enable management of the aws-vpc-cni
+ # configuration options using kubergrunt running as a local-exec provisioner.
+ # If you set this to false, the vpc_cni_* variables will be ignored.
+ use_vpc_cni_customize_script = true
+
+ # When true, enable prefix delegation mode for the AWS VPC CNI component of
+ # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP
+ # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note
+ # that by default, AWS VPC CNI will always preallocate 1 full prefix - this
+ # means that you can potentially take up 32 IP addresses from the VPC network
+ # space even if you only have 1 Pod on the node. You can tweak this behavior
+ # by configuring the var.vpc_cni_warm_ip_target input variable.
+ vpc_cni_enable_prefix_delegation = true
+
+ # The minimum number of IP addresses (free and used) each node should start
+ # with. When null, defaults to the aws-vpc-cni application setting (currently
+ # 16 as of version 1.9.0). For example, if this is set to 25, every node will
+ # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to
+ # the default value, then each node will allocate only 1 prefix (16 IP
+ # addresses).
+ vpc_cni_minimum_ip_target = null
+
+ # The number of free IP addresses each node should maintain. When null,
+ # defaults to the aws-vpc-cni application setting (currently 16 as of version
+ # 1.9.0). In prefix delegation mode, determines whether the node will
+ # preallocate another full prefix. For example, if this is set to 5 and a node
+ # is currently has 9 Pods scheduled, then the node will NOT preallocate a new
+ # prefix block of 16 IP addresses. On the other hand, if this was set to the
+ # default value, then the node will allocate a new block when the first pod is
+ # scheduled.
+ vpc_cni_warm_ip_target = null
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting worker system log data. Only used if
@@ -2431,15 +2537,6 @@ map(object({
-
-
-
-ARN of an existing IAM role to use for the EKS cluster. When null, a new role will be created. WARNING: This can ONLY be set during initial cluster creation. Changing this value on an existing cluster will DESTROY and RECREATE the cluster (destructive operation).
-
-
-
-
-
@@ -2535,24 +2632,6 @@ The CIDR block to assign Kubernetes pod and service IP addresses from. If you do
-
-
-
-ID of an existing security group to use for the EKS cluster control plane. When null or empty, a new security group will be created. This is the primary cluster security group; additional security groups can be provided via the additional_security_groups_for_control_plane variable.
-
-
-
-
-
-
-
-
-Specify the log class of the cloudwatch log group
-
-
-
-
-
@@ -3301,7 +3380,7 @@ When set to true, the module configures and install the EBS CSI Driver as an EKS
-When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`.
+When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`. VPC CNI configurations with `use_vpc_cni_customize_script` isn't fully supported with addons, as the automated add-on lifecycles could potentially undo the configuration changes.
@@ -3316,15 +3395,6 @@ Enable fail2ban to block brute force log in attempts. Defaults to true.
-
-
-
-Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage for worker ASGs. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.
-
-
-
-
-
@@ -3540,13 +3610,22 @@ map(list(string))
+
+
+
+The URL from which to download Kubergrunt if it's not installed already. Use to specify a version of kubergrunt that is compatible with your specified kubernetes version. Ex. 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_<platform>'
+
+
+
+
+
Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
-
+
@@ -3901,7 +3980,7 @@ Number of subnets provided in the worker_
-When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires create_default_fargate_iam_role be set to true.
+When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and create_default_fargate_iam_role be set to true.
@@ -3952,10 +4031,46 @@ The tenancy of this server. Must be one of: default, dedicated, or host.
+
+
+
+When set to true, the sync-core-components command will skip updating coredns. This variable is ignored if `use_kubergrunt_sync_components` is false.
+
+
+
+
+
+
+
+
+When set to true, the sync-core-components command will skip updating kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is false.
+
+
+
+
+
+
+
+
+When set to true, the sync-core-components command will skip updating aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is false.
+
+
+
+
+
+
+
+
+When set to true, the sync-core-components command will wait until the new versions are rolled out in the cluster. This variable is ignored if `use_kubergrunt_sync_components` is false.
+
+
+
+
+
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
@@ -3970,6 +4085,33 @@ Set this variable to true to enable the use of Instance Metadata Service Version
+
+
+
+When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated.
+
+
+
+
+
+
+
+
+EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
+
+
+
+
+
+
+
+
+When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead.
+
+
+
+
+
@@ -3979,13 +4121,40 @@ When true, all IAM policies will be managed as dedicated policies rather than in
-
+
-When true, assumes prefix delegation mode is in use for the AWS VPC CNI component of the EKS cluster when computing max pods allowed on the node. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. This should be set to true when the vpc-cni EKS addon is configured with ENABLE_PREFIX_DELEGATION=true.
+When set to true, this will enable management of the aws-vpc-cni configuration options using kubergrunt running as a local-exec provisioner. If you set this to false, the vpc_cni_* variables will be ignored.
-
+
+
+
+
+
+
+When true, enable prefix delegation mode for the AWS VPC CNI component of the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. Note that by default, AWS VPC CNI will always preallocate 1 full prefix - this means that you can potentially take up 32 IP addresses from the VPC network space even if you only have 1 Pod on the node. You can tweak this behavior by configuring the vpc_cni_warm_ip_target input variable.
+
+
+
+
+
+
+
+
+The minimum number of IP addresses (free and used) each node should start with. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). For example, if this is set to 25, every node will allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to the default value, then each node will allocate only 1 prefix (16 IP addresses).
+
+
+
+
+
+
+
+
+The number of free IP addresses each node should maintain. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). In prefix delegation mode, determines whether the node will preallocate another full prefix. For example, if this is set to 5 and a node is currently has 9 Pods scheduled, then the node will NOT preallocate a new prefix block of 16 IP addresses. On the other hand, if this was set to the default value, then the node will allocate a new block when the first pod is scheduled.
+
+
+
@@ -4217,6 +4386,6 @@ The ID of the AWS Security Group associated with the self-managed EKS workers.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-cluster/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "8c159cad61f033cc8f7a47270594fdd0"
+ "hash": "a36e160ac30356e6b483828d3cde34b5"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/ec-2-instance.md b/docs/reference/services/app-orchestration/ec-2-instance.md
index e91f56913..dae86783f 100644
--- a/docs/reference/services/app-orchestration/ec-2-instance.md
+++ b/docs/reference/services/app-orchestration/ec-2-instance.md
@@ -272,9 +272,6 @@ module "ec_2_instance" {
# 'ubuntu'.
default_user = "ubuntu"
- # If true, enables EC2 Instance Termination Protection.
- disable_api_termination = false
-
# DNS Time To Live in seconds.
dns_ttl = 300
@@ -412,11 +409,8 @@ module "ec_2_instance" {
# If set to true, the root volume will be encrypted. Default is set to false
root_volume_encrypted = false
- # The ID of the KMS key to use for encrypting the root volume. Only used if
- # root_volume_encrypted is true. If null, the default EBS encryption key for
- # the account will be used. See
- # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id
- # for more information.
+ # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting
+ # the volume
root_volume_kms_key_id = null
# The size of the root volume, in gigabytes.
@@ -637,9 +631,6 @@ inputs = {
# 'ubuntu'.
default_user = "ubuntu"
- # If true, enables EC2 Instance Termination Protection.
- disable_api_termination = false
-
# DNS Time To Live in seconds.
dns_ttl = 300
@@ -777,11 +768,8 @@ inputs = {
# If set to true, the root volume will be encrypted. Default is set to false
root_volume_encrypted = false
- # The ID of the KMS key to use for encrypting the root volume. Only used if
- # root_volume_encrypted is true. If null, the default EBS encryption key for
- # the account will be used. See
- # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id
- # for more information.
+ # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting
+ # the volume
root_volume_kms_key_id = null
# The size of the root volume, in gigabytes.
@@ -1187,15 +1175,6 @@ The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what
-
-
-
-If true, enables EC2 Instance Termination Protection.
-
-
-
-
-
@@ -1478,7 +1457,7 @@ If set to true, the root volume will be encrypted. Default is set to false
-The ID of the KMS key to use for encrypting the root volume. Only used if root_volume_encrypted is true. If null, the default EBS encryption key for the account will be used. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id for more information.
+Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume
@@ -1659,6 +1638,6 @@ The input parameters for the EBS volumes.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/ec2-instance/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "91ec6db49146ed181236467b637c34f7"
+ "hash": "e52ac09afcee8e8f726d118eab96634d"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/lambda.md b/docs/reference/services/app-orchestration/lambda.md
index ff088e407..74a726f2a 100644
--- a/docs/reference/services/app-orchestration/lambda.md
+++ b/docs/reference/services/app-orchestration/lambda.md
@@ -254,10 +254,6 @@ module "lambda" {
# with Service Accounts.
iam_policy = null
- # The name to use for the IAM role created for the lambda function. If null,
- # default to the function name (var.name).
- iam_role_name = null
-
# The ECR image URI containing the function's deployment package. Example:
# 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag
image_uri = null
@@ -275,10 +271,6 @@ module "lambda" {
# can have a maximum of 5 Layers attached to each function.
layers = []
- # Time to wait after creating managed policy, to avoid AWS eventual
- # consistency racing. Default: 60s.
- managed_policy_waiting_time = "60s"
-
# The name for the alarm's associated metric.
metric_name = "Errors"
@@ -567,10 +559,6 @@ inputs = {
# with Service Accounts.
iam_policy = null
- # The name to use for the IAM role created for the lambda function. If null,
- # default to the function name (var.name).
- iam_role_name = null
-
# The ECR image URI containing the function's deployment package. Example:
# 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag
image_uri = null
@@ -588,10 +576,6 @@ inputs = {
# can have a maximum of 5 Layers attached to each function.
layers = []
- # Time to wait after creating managed policy, to avoid AWS eventual
- # consistency racing. Default: 60s.
- managed_policy_waiting_time = "60s"
-
# The name for the alarm's associated metric.
metric_name = "Errors"
@@ -1041,15 +1025,6 @@ map(object({
-
-
-
-The name to use for the IAM role created for the lambda function. If null, default to the function name (name).
-
-
-
-
-
@@ -1086,15 +1061,6 @@ The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can
-
-
-
-Time to wait after creating managed policy, to avoid AWS eventual consistency racing. Default: 60s.
-
-
-
-
-
@@ -1462,6 +1428,6 @@ Latest published version of your Lambda Function
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/lambda/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "adeb1607a04291caf629527ff439a743"
+ "hash": "958797470d670a26e13cff1899219515"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-aurora.md b/docs/reference/services/data-storage/amazon-aurora.md
index 916b1e27f..4f3a70c9f 100644
--- a/docs/reference/services/data-storage/amazon-aurora.md
+++ b/docs/reference/services/data-storage/amazon-aurora.md
@@ -135,12 +135,6 @@ module "aurora" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to Aurora from for
- # dual-stack configurations. In the standard Gruntwork VPC setup with
- # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app
- # subnets, plus the private subnets in the mgmt VPC.
- allow_connections_from_ipv6_cidr_blocks = []
-
# The list of IDs or Security Groups to allow network access to Aurora from.
# All security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -280,11 +274,6 @@ module "aurora" {
# value in db_config_secrets_manager_id.
db_name = null
- # If true, delete all automated backups when the DB cluster is deleted. If
- # false, automated backups are retained until the retention period expires.
- # Defaults to true.
- delete_automated_backups = null
-
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -298,10 +287,6 @@ module "aurora" {
# database cannot be deleted.
enable_deletion_protection = false
- # If true, enables the HTTP endpoint used for Data API. Only valid when
- # engine_mode is set to serverless.
- enable_http_endpoint = null
-
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
@@ -324,11 +309,7 @@ module "aurora" {
# value here overrides the value in db_config_secrets_manager_id.
engine = null
- # The DB engine mode of the DB cluster: either provisioned or serverless. Note
- # that serverless (v1) is deprecated and no longer available for new clusters.
- # For Aurora Serverless v2, use provisioned with
- # scaling_configuration_min_capacity_V2 and
- # scaling_configuration_max_capacity_V2.
+ # The version of aurora to run - provisioned or serverless.
engine_mode = "provisioned"
# The Amazon Aurora DB engine version for the selected engine and engine_mode.
@@ -496,11 +477,6 @@ module "aurora" {
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html
restore_source_cluster_identifier = null
- # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time
- # in UTC format to restore the database cluster to (e.g,
- # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
- restore_to_time = null
-
# Only used if 'restore_source_cluster_identifier' is non-empty. Type of
# restore to be performed. Valid options are 'full-copy' and 'copy-on-write'.
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html
@@ -629,12 +605,6 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to Aurora from for
- # dual-stack configurations. In the standard Gruntwork VPC setup with
- # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app
- # subnets, plus the private subnets in the mgmt VPC.
- allow_connections_from_ipv6_cidr_blocks = []
-
# The list of IDs or Security Groups to allow network access to Aurora from.
# All security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -774,11 +744,6 @@ inputs = {
# value in db_config_secrets_manager_id.
db_name = null
- # If true, delete all automated backups when the DB cluster is deleted. If
- # false, automated backups are retained until the retention period expires.
- # Defaults to true.
- delete_automated_backups = null
-
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -792,10 +757,6 @@ inputs = {
# database cannot be deleted.
enable_deletion_protection = false
- # If true, enables the HTTP endpoint used for Data API. Only valid when
- # engine_mode is set to serverless.
- enable_http_endpoint = null
-
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
@@ -818,11 +779,7 @@ inputs = {
# value here overrides the value in db_config_secrets_manager_id.
engine = null
- # The DB engine mode of the DB cluster: either provisioned or serverless. Note
- # that serverless (v1) is deprecated and no longer available for new clusters.
- # For Aurora Serverless v2, use provisioned with
- # scaling_configuration_min_capacity_V2 and
- # scaling_configuration_max_capacity_V2.
+ # The version of aurora to run - provisioned or serverless.
engine_mode = "provisioned"
# The Amazon Aurora DB engine version for the selected engine and engine_mode.
@@ -990,11 +947,6 @@ inputs = {
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html
restore_source_cluster_identifier = null
- # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time
- # in UTC format to restore the database cluster to (e.g,
- # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
- restore_to_time = null
-
# Only used if 'restore_source_cluster_identifier' is non-empty. Type of
# restore to be performed. Valid options are 'full-copy' and 'copy-on-write'.
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html
@@ -1129,15 +1081,6 @@ The list of network CIDR blocks to allow network access to Aurora from. One of <
-
-
-
-The list of IPv6 CIDR blocks to allow network access to Aurora from for dual-stack configurations. In the standard Gruntwork VPC setup with dual-stack enabled, these should be the IPv6 CIDR blocks of the private app subnets, plus the private subnets in the mgmt VPC.
-
-
-
-
-
@@ -1755,15 +1698,6 @@ The name for your database of up to 8 alpha-numeric characters. If you do not pr
-
-
-
-If true, delete all automated backups when the DB cluster is deleted. If false, automated backups are retained until the retention period expires. Defaults to true.
-
-
-
-
-
@@ -1791,15 +1725,6 @@ Enable deletion protection on the database instance. If this is enabled, the dat
-
-
-
-If true, enables the HTTP endpoint used for Data API. Only valid when engine_mode is set to serverless.
-
-
-
-
-
@@ -1839,7 +1764,7 @@ The name of the database engine to be used for this DB cluster. Valid Values: au
-The DB engine mode of the DB cluster: either provisioned or serverless. Note that serverless (v1) is deprecated and no longer available for new clusters. For Aurora Serverless v2, use provisioned with scaling_configuration_min_capacity_V2 and scaling_configuration_max_capacity_V2.
+The version of aurora to run - provisioned or serverless.
@@ -2206,15 +2131,6 @@ If non-empty, the Aurora cluster will be restored from the given source cluster
-
-
-
-Only used if 'restore_source_cluster_identifier' is non-empty. Date and time in UTC format to restore the database cluster to (e.g, 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
-
-
-
-
-
@@ -2527,6 +2443,6 @@ The ARN of the AWS Lambda Function used for sharing manual snapshots with second
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/aurora/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "d33e57d740cb6335cb383695e5abbdf7"
+ "hash": "3159d14d1ec582ca545dfc6ada08f9f1"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
index d9d8c9399..9208e8966 100644
--- a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
+++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
@@ -131,13 +131,7 @@ module "memcached" {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_high_cpu_utilization_treat_missing_data = "missing"
-
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_low_memory_available_treat_missing_data = "missing"
+ alarm_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -236,13 +230,7 @@ inputs = {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_high_cpu_utilization_treat_missing_data = "missing"
-
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_low_memory_available_treat_missing_data = "missing"
+ alarm_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -351,16 +339,7 @@ The ID of the VPC in which to deploy RDS.
### Optional
-
-
-
-Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
-
-
-
-
-
-
+
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
@@ -495,6 +474,6 @@ The configuration endpoint to allow host discovery.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/memcached/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "37ccb84cd13233db25c08cf6eaca816b"
+ "hash": "27e29eefc1f0ebb346c25010a2db486c"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
index 4701a3a3e..daf7940fb 100644
--- a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
+++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
@@ -135,12 +135,6 @@ module "redis" {
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_high_cpu_utilization_treat_missing_data = "missing"
-
# Trigger an alarm if the amount of free memory, in Bytes, on the node drops
# below this threshold
alarm_low_memory_available_threshold = 100000000
@@ -149,7 +143,7 @@ module "redis" {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_low_memory_available_treat_missing_data = "missing"
+ alarm_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -320,12 +314,6 @@ inputs = {
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_high_cpu_utilization_treat_missing_data = "missing"
-
# Trigger an alarm if the amount of free memory, in Bytes, on the node drops
# below this threshold
alarm_low_memory_available_threshold = 100000000
@@ -334,7 +322,7 @@ inputs = {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_low_memory_available_treat_missing_data = "missing"
+ alarm_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -522,15 +510,6 @@ The ID of the VPC in which to deploy RDS.
### Optional
-
-
-
-Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
-
-
-
-
-
@@ -552,7 +531,7 @@ Trigger an alarm if the amount of free memory, in Bytes, on the node drops below
-
+
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
@@ -860,6 +839,6 @@ Security Group ID used for redis cluster.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/redis/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "50fa4b80f6095485eb25648a181bb2e2"
+ "hash": "1b11a4dcce821d77493dfb765954954b"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasticsearch.md b/docs/reference/services/data-storage/amazon-elasticsearch.md
index 0bcb02e87..1c1ee7136 100644
--- a/docs/reference/services/data-storage/amazon-elasticsearch.md
+++ b/docs/reference/services/data-storage/amazon-elasticsearch.md
@@ -128,7 +128,7 @@ module "elasticsearch" {
volume_size =
# The type of EBS volumes to use in the cluster. Must be one of: standard,
- # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see
+ # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see
# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
volume_type =
@@ -345,7 +345,8 @@ module "elasticsearch" {
internal_user_database_enabled = false
# The baseline input/output (I/O) performance of EBS volumes attached to data
- # nodes. Applicable only if var.volume_type is gp3 or io1.
+ # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is
+ # io1.
iops = null
# Whether the cluster is publicly accessible.
@@ -437,10 +438,6 @@ module "elasticsearch" {
# first one is used.
subnet_ids = []
- # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid
- # values are between 125 and 1000. Applicable only if var.volume_type is gp3.
- throughput = null
-
# The name of the TLS security policy that needs to be applied to the HTTPS
# endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and
# Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is
@@ -508,7 +505,7 @@ inputs = {
volume_size =
# The type of EBS volumes to use in the cluster. Must be one of: standard,
- # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see
+ # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see
# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
volume_type =
@@ -725,7 +722,8 @@ inputs = {
internal_user_database_enabled = false
# The baseline input/output (I/O) performance of EBS volumes attached to data
- # nodes. Applicable only if var.volume_type is gp3 or io1.
+ # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is
+ # io1.
iops = null
# Whether the cluster is publicly accessible.
@@ -817,10 +815,6 @@ inputs = {
# first one is used.
subnet_ids = []
- # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid
- # values are between 125 and 1000. Applicable only if var.volume_type is gp3.
- throughput = null
-
# The name of the TLS security policy that needs to be applied to the HTTPS
# endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and
# Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is
@@ -891,7 +885,7 @@ The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512)
-The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
+The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
@@ -1314,7 +1308,7 @@ Whether the internal user database is enabled. Enable this to use master account
-The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only if volume_type is gp3 or io1.
+The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if volume_type is io1.
@@ -1500,15 +1494,6 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on
-
-
-
-The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid values are between 125 and 1000. Applicable only if volume_type is gp3.
-
-
-
-
-
@@ -1598,6 +1583,6 @@ Domain-specific endpoint for Kibana without https scheme.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/elasticsearch/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "9f6e589fba1fc067230d5d1cac51858a"
+ "hash": "02154d701be6a08bb3a3527a48530af4"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-rds-replica.md b/docs/reference/services/data-storage/amazon-rds-replica.md
index 8ee65be59..1bbd269b9 100644
--- a/docs/reference/services/data-storage/amazon-rds-replica.md
+++ b/docs/reference/services/data-storage/amazon-rds-replica.md
@@ -80,11 +80,6 @@ module "rds_replica" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
- # from for dual-stack configurations. If not set, read replica instances will
- # use the same security group as the master instance.
- allow_connections_from_ipv6_cidr_blocks = []
-
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -291,6 +286,10 @@ module "rds_replica" {
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
+ # The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for
+ # dual-stack mode with IPv4 and IPv6 support.
+ network_type = null
+
# The number of read replicas to deploy
num_read_replicas = 0
@@ -390,11 +389,6 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
- # from for dual-stack configurations. If not set, read replica instances will
- # use the same security group as the master instance.
- allow_connections_from_ipv6_cidr_blocks = []
-
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -601,6 +595,10 @@ inputs = {
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
+ # The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for
+ # dual-stack mode with IPv4 and IPv6 support.
+ network_type = null
+
# The number of read replicas to deploy
num_read_replicas = 0
@@ -712,15 +710,6 @@ The list of network CIDR blocks to allow network access to RDS from. One of
-
-
-
-The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance.
-
-
-
-
-
@@ -1471,6 +1460,15 @@ When configured, the upper limit to which Amazon RDS can automatically scale the
+
+
+
+The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for dual-stack mode with IPv4 and IPv6 support.
+
+
+
+
+
@@ -1692,6 +1690,6 @@ A list of IDs of the RDS DB instance's read replicas.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/rds-replica/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "d7ebd922ad72c31bebe2d939a634b43f"
+ "hash": "2ee950bfbae1794fbc960e140bbcbaa6"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-rds.md b/docs/reference/services/data-storage/amazon-rds.md
index 67241732a..555878e23 100644
--- a/docs/reference/services/data-storage/amazon-rds.md
+++ b/docs/reference/services/data-storage/amazon-rds.md
@@ -142,16 +142,6 @@ module "rds" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to RDS from for
- # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the
- # private app subnet in this VPC plus the private subnet in the mgmt VPC.
- allow_connections_from_ipv6_cidr_blocks = []
-
- # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
- # from for dual-stack configurations. If not set, read replica instances will
- # use the same security group as the master instance.
- allow_connections_from_ipv6_cidr_blocks_to_read_replicas = []
-
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -289,6 +279,11 @@ module "rds" {
# dashboard.
dashboard_write_latency_widget_parameters = {"height":6,"period":60,"width":8}
+ # The mode of Database Insights to enable for the DB instance. Valid options
+ # are 'standard' or 'advanced'. This replaces Performance Insights which is
+ # deprecated June 30, 2026.
+ database_insights_mode = null
+
# The friendly name or ARN of an AWS Secrets Manager secret that contains
# database configuration information in the format outlined by this document:
# https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html.
@@ -307,6 +302,14 @@ module "rds" {
# description of db_config_secrets_manager_id.
db_name = null
+ # Use a dedicated log volume (DLV) for the DB instance. A DLV moves database
+ # transaction logs onto a separate storage volume, which can improve database
+ # write performance. Only supported for Provisioned IOPS storage types
+ # (io1/io2) — gp3 is NOT supported. Engine version requirements: MariaDB
+ # 10.6.7+, MySQL 8.0.28+, PostgreSQL 13.10+/14.7+/15.2+. A reboot is required
+ # after enabling/disabling on an existing instance.
+ dedicated_log_volume = null
+
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = true
@@ -314,6 +317,12 @@ module "rds" {
# Timeout for DB deleting
deleting_timeout = "60m"
+ # Enable blue/green deployment to minimize down time due to changes made to
+ # the RDS Instance. See
+ # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html
+ # for more detailed information.
+ enable_blue_green_update = false
+
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -348,6 +357,13 @@ module "rds" {
# Manager. See the description of db_config_secrets_manager_id.
engine = null
+ # The life cycle type for this DB instance. This setting applies to RDS for
+ # MySQL and RDS for PostgreSQL. Valid values are
+ # 'open-source-rds-extended-support' and
+ # 'open-source-rds-extended-support-disabled'. Controls enrollment in RDS
+ # Extended Support and associated costs.
+ engine_lifecycle_support = null
+
# The number of datapoints in CloudWatch Metric statistic, which triggers the
# alarm. Setting this as null (the default) will make it equal to the
# evaluation period
@@ -382,12 +398,6 @@ module "rds" {
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- high_read_latency_treat_missing_data = "missing"
-
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
@@ -395,12 +405,6 @@ module "rds" {
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- high_write_latency_treat_missing_data = "missing"
-
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
@@ -468,6 +472,11 @@ module "rds" {
# db_config_secrets_manager_id.
master_password = null # SENSITIVE
+ # The Amazon Web Services KMS key identifier used to encrypt the secret for
+ # the master user password. Only used when manage_master_user_password is
+ # true.
+ master_user_secret_kms_key_id = null
+
# The value to use for the master username of the database. This can also be
# provided via AWS Secrets Manager. See the description of
# db_config_secrets_manager_id.
@@ -504,6 +513,10 @@ module "rds" {
# zone. If the primary fails, this instance will automatically take over.
multi_az = false
+ # The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for
+ # dual-stack mode with IPv4 and IPv6 support.
+ network_type = null
+
# The number of read replicas to deploy
num_read_replicas = 0
@@ -544,6 +557,12 @@ module "rds" {
# database.
replica_domain_name = null
+ # A configuration block for restoring a DB instance to an arbitrary point in
+ # time. Refer to
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time
+ # for more details
+ restore_to_point_in_time = null
+
# The maximum number of snapshots to keep around for the purpose of cross
# account sharing. Once this number is exceeded, a lambda function will delete
# the oldest snapshots. Only used if var.share_snapshot_with_another_account
@@ -687,16 +706,6 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
- # The list of IPv6 CIDR blocks to allow network access to RDS from for
- # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the
- # private app subnet in this VPC plus the private subnet in the mgmt VPC.
- allow_connections_from_ipv6_cidr_blocks = []
-
- # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
- # from for dual-stack configurations. If not set, read replica instances will
- # use the same security group as the master instance.
- allow_connections_from_ipv6_cidr_blocks_to_read_replicas = []
-
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -834,6 +843,11 @@ inputs = {
# dashboard.
dashboard_write_latency_widget_parameters = {"height":6,"period":60,"width":8}
+ # The mode of Database Insights to enable for the DB instance. Valid options
+ # are 'standard' or 'advanced'. This replaces Performance Insights which is
+ # deprecated June 30, 2026.
+ database_insights_mode = null
+
# The friendly name or ARN of an AWS Secrets Manager secret that contains
# database configuration information in the format outlined by this document:
# https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html.
@@ -852,6 +866,14 @@ inputs = {
# description of db_config_secrets_manager_id.
db_name = null
+ # Use a dedicated log volume (DLV) for the DB instance. A DLV moves database
+ # transaction logs onto a separate storage volume, which can improve database
+ # write performance. Only supported for Provisioned IOPS storage types
+ # (io1/io2) — gp3 is NOT supported. Engine version requirements: MariaDB
+ # 10.6.7+, MySQL 8.0.28+, PostgreSQL 13.10+/14.7+/15.2+. A reboot is required
+ # after enabling/disabling on an existing instance.
+ dedicated_log_volume = null
+
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = true
@@ -859,6 +881,12 @@ inputs = {
# Timeout for DB deleting
deleting_timeout = "60m"
+ # Enable blue/green deployment to minimize down time due to changes made to
+ # the RDS Instance. See
+ # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html
+ # for more detailed information.
+ enable_blue_green_update = false
+
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -893,6 +921,13 @@ inputs = {
# Manager. See the description of db_config_secrets_manager_id.
engine = null
+ # The life cycle type for this DB instance. This setting applies to RDS for
+ # MySQL and RDS for PostgreSQL. Valid values are
+ # 'open-source-rds-extended-support' and
+ # 'open-source-rds-extended-support-disabled'. Controls enrollment in RDS
+ # Extended Support and associated costs.
+ engine_lifecycle_support = null
+
# The number of datapoints in CloudWatch Metric statistic, which triggers the
# alarm. Setting this as null (the default) will make it equal to the
# evaluation period
@@ -927,12 +962,6 @@ inputs = {
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- high_read_latency_treat_missing_data = "missing"
-
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
@@ -940,12 +969,6 @@ inputs = {
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
- # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
- # Based on
- # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
- # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- high_write_latency_treat_missing_data = "missing"
-
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
@@ -1013,6 +1036,11 @@ inputs = {
# db_config_secrets_manager_id.
master_password = null # SENSITIVE
+ # The Amazon Web Services KMS key identifier used to encrypt the secret for
+ # the master user password. Only used when manage_master_user_password is
+ # true.
+ master_user_secret_kms_key_id = null
+
# The value to use for the master username of the database. This can also be
# provided via AWS Secrets Manager. See the description of
# db_config_secrets_manager_id.
@@ -1049,6 +1077,10 @@ inputs = {
# zone. If the primary fails, this instance will automatically take over.
multi_az = false
+ # The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for
+ # dual-stack mode with IPv4 and IPv6 support.
+ network_type = null
+
# The number of read replicas to deploy
num_read_replicas = 0
@@ -1089,6 +1121,12 @@ inputs = {
# database.
replica_domain_name = null
+ # A configuration block for restoring a DB instance to an arbitrary point in
+ # time. Refer to
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time
+ # for more details
+ restore_to_point_in_time = null
+
# The maximum number of snapshots to keep around for the purpose of cross
# account sharing. Once this number is exceeded, a lambda function will delete
# the oldest snapshots. Only used if var.share_snapshot_with_another_account
@@ -1248,24 +1286,6 @@ The list of network CIDR blocks to allow network access to RDS from. One of
-
-
-
-The list of IPv6 CIDR blocks to allow network access to RDS from for dual-stack configurations. Should typically be the IPv6 CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.
-
-
-
-
-
-
-
-
-The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance.
-
-
-
-
-
@@ -1873,6 +1893,15 @@ object({
+
+
+
+The mode of Database Insights to enable for the DB instance. Valid options are 'standard' or 'advanced'. This replaces Performance Insights which is deprecated June 30, 2026.
+
+
+
+
+
@@ -1891,6 +1920,15 @@ The name for your database of up to 8 alpha-numeric characters. If you do not pr
+
+
+
+Use a dedicated log volume (DLV) for the DB instance. A DLV moves database transaction logs onto a separate storage volume, which can improve database write performance. Only supported for Provisioned IOPS storage types (io1/io2) — gp3 is NOT supported. Engine version requirements: MariaDB 10.6.7+, MySQL 8.0.28+, PostgreSQL 13.10+/14.7+/15.2+. A reboot is required after enabling/disabling on an existing instance.
+
+
+
+
+
@@ -1909,6 +1947,15 @@ Timeout for DB deleting
+
+
+
+Enable blue/green deployment to minimize down time due to changes made to the RDS Instance. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html for more detailed information.
+
+
+
+
+
@@ -1972,6 +2019,15 @@ The DB engine to use (e.g. mysql). This can also be provided via AWS Secrets Man
+
+
+
+The life cycle type for this DB instance. This setting applies to RDS for MySQL and RDS for PostgreSQL. Valid values are 'open-source-rds-extended-support' and 'open-source-rds-extended-support-disabled'. Controls enrollment in RDS Extended Support and associated costs.
+
+
+
+
+
@@ -2044,15 +2100,6 @@ Trigger an alarm if the DB instance read latency (average amount of time taken p
-
-
-
-Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
-
-
-
-
-
@@ -2071,15 +2118,6 @@ Trigger an alarm if the DB instance write latency (average amount of time taken
-
-
-
-Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
-
-
-
-
-
@@ -2239,6 +2277,15 @@ The value to use for the master password of the database. This can also be provi
+
+
+
+The Amazon Web Services KMS key identifier used to encrypt the secret for the master user password. Only used when manage_master_user_password is true.
+
+
+
+
+
@@ -2302,6 +2349,15 @@ Specifies if a standby instance should be deployed in another availability zone.
+
+
+
+The network type of the DB instance. Valid values: IPV4, DUAL. Use DUAL for dual-stack mode with IPv4 and IPv6 support.
+
+
+
+
+
@@ -2383,6 +2439,28 @@ The domain name to create a route 53 record for the read replicas of the RDS dat
+
+
+
+A configuration block for restoring a DB instance to an arbitrary point in time. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time for more details
+
+
+
+
+```hcl
+map(object({
+ restore_time = string
+ source_db_instance_identifier = string
+ source_db_instance_automated_backups_arn = string
+ source_dbi_resource_id = string
+ use_latest_restorable_time = string
+ }))
+```
+
+
+
+
+
@@ -2723,6 +2801,6 @@ The ID of the Security Group that controls access to the RDS DB instance.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/rds/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "44a522919418b6191155245f2a8fd27c"
+ "hash": "a3058ea1ece5047d40ad12b66ee24c27"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/elastic-load-balancer-elb.md b/docs/reference/services/networking/elastic-load-balancer-elb.md
index e89fdd5a6..b39245e0f 100644
--- a/docs/reference/services/networking/elastic-load-balancer-elb.md
+++ b/docs/reference/services/networking/elastic-load-balancer-elb.md
@@ -136,9 +136,6 @@ module "alb" {
# Valid values are AMAZON_ISSUED and IMPORTED.
acm_cert_types = ["AMAZON_ISSUED","IMPORTED"]
- # Add additional security groups to the ALB
- additional_security_group_ids = []
-
# List of additional SSL certs (non-ACM and ACM) to bind to the given listener
# port. Note that this must not overlap with the certificates defined in
# var.https_listener_ports_and_ssl_certs and
@@ -348,9 +345,6 @@ inputs = {
# Valid values are AMAZON_ISSUED and IMPORTED.
acm_cert_types = ["AMAZON_ISSUED","IMPORTED"]
- # Add additional security groups to the ALB
- additional_security_group_ids = []
-
# List of additional SSL certs (non-ACM and ACM) to bind to the given listener
# port. Note that this must not overlap with the certificates defined in
# var.https_listener_ports_and_ssl_certs and
@@ -601,15 +595,6 @@ When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_cer
-
-
-
-Add additional security groups to the ALB
-
-
-
-
-
@@ -1060,6 +1045,6 @@ The AWS-managed DNS name assigned to the ALB.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/alb/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "ac619e7e084bb3f5d9c5863d4d519e1e"
+ "hash": "23c01365e679738aa098337d1f586274"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/management-vpc.md b/docs/reference/services/networking/management-vpc.md
index 5bc7fd372..62c0dc31e 100644
--- a/docs/reference/services/networking/management-vpc.md
+++ b/docs/reference/services/networking/management-vpc.md
@@ -221,12 +221,6 @@ module "vpc_mgmt" {
# If set to false, the default security groups will NOT be created.
enable_default_security_group = false
- # The list of ports to exclude from the inbound allow all rules in Network
- # ACLs. This is useful for adhering to certain compliance standards like CIS
- # or SOC2 that explicitly deny any allow rule for administrative ports (22,
- # 3389).
- exclude_ports_from_inbound_all = []
-
# Specifies the number of days you want to retain log events. Possible values
# are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096,
# 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in
@@ -452,12 +446,6 @@ inputs = {
# If set to false, the default security groups will NOT be created.
enable_default_security_group = false
- # The list of ports to exclude from the inbound allow all rules in Network
- # ACLs. This is useful for adhering to certain compliance standards like CIS
- # or SOC2 that explicitly deny any allow rule for administrative ports (22,
- # 3389).
- exclude_ports_from_inbound_all = []
-
# Specifies the number of days you want to retain log events. Possible values
# are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096,
# 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in
@@ -825,15 +813,6 @@ If set to false, the default security groups will NOT be created.
-
-
-
-The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389).
-
-
-
-
-
@@ -1113,6 +1092,6 @@ Indicates whether or not the VPC has finished creating
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/vpc-mgmt/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "5961c626daf81d5ea0cf5a9b7a9bfa9b"
+ "hash": "e6ad5636213ff546f42c58530551bb60"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/route-53-hosted-zones.md b/docs/reference/services/networking/route-53-hosted-zones.md
index ee859eeb9..480bd8903 100644
--- a/docs/reference/services/networking/route-53-hosted-zones.md
+++ b/docs/reference/services/networking/route-53-hosted-zones.md
@@ -515,12 +515,6 @@ Any types represent complex values of variable type. For details, please consult
Whether or not to create ACM TLS certificates for the domain. When true, Route53 certificates will automatically be
created for the root domain. Defaults to true.
provision_certificates = bool
-
- Whether or not the certificate can be exported. Valid values are "ENABLED" or "DISABLED".
- This setting is immutable after creation - changing it forces certificate replacement.
- Note: exportable public certificates incur additional AWS charges.
- Requires AWS provider >= 6.4.0.
- export = string
```
@@ -632,6 +626,6 @@ A map of domains to resource arns and hosted zones of the created Service Discov
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/route53/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "1ac293aaf55480b913574b87ef441bb2"
+ "hash": "e637a304277def66c4262cd1d2511c78"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/sns-topics.md b/docs/reference/services/networking/sns-topics.md
index 936bb2f00..4026ce43a 100644
--- a/docs/reference/services/networking/sns-topics.md
+++ b/docs/reference/services/networking/sns-topics.md
@@ -112,22 +112,12 @@ module "sns_topics" {
# A list of protocols that can be used to subscribe to the SNS topic.
allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"]
- # **Requires `enable_fifo = true`.** Flag to enable content-based
- # deduplication for the SNS topic. If set to true, messages with identical
- # content will be treated as duplicates and only delivered once. For more see
- # the [Amazon
- # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
- content_based_deduplication = null
-
# Set to false to have this module create no resources. This weird parameter
# exists solely because Terraform does not support conditional modules.
# Therefore, this is a hack to allow you to conditionally decide if the
# resources should be created or not.
create_resources = true
- # Delivery policy for sns topic.
- delivery_policy = null
-
# The display name of the SNS topic
display_name = ""
@@ -135,36 +125,15 @@ module "sns_topics" {
# This will use the CloudWatchNotification class for richer messages.
enable_advanced_formatting = false
- # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the
- # name of the topic.
- enable_fifo = false
-
- # ARN of the http failure feedback role - when using delivery policy for sns
- # topic.
- http_failure_feedback_role_arn = null
-
- # ARN of the http success feedback role - when using delivery policy for sns
- # topic.
- http_success_feedback_role_arn = null
-
# The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a
# custom CMK
kms_master_key_id = "alias/aws/sns"
- # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon
- # SNS to retain messages. This will be used to create the archive policy for
- # the SNS topic. For more see the [Amazon
- # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
- message_retention_period = null
-
# The ARN of a Secrets Manager entry that contains the Slack Webhook URL
# (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are
# sent to.
slack_webhook_url_secrets_manager_arn = null
- # A map of key value pairs to apply as tags to the SNS topic.
- tags = {}
-
}
@@ -211,22 +180,12 @@ inputs = {
# A list of protocols that can be used to subscribe to the SNS topic.
allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"]
- # **Requires `enable_fifo = true`.** Flag to enable content-based
- # deduplication for the SNS topic. If set to true, messages with identical
- # content will be treated as duplicates and only delivered once. For more see
- # the [Amazon
- # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
- content_based_deduplication = null
-
# Set to false to have this module create no resources. This weird parameter
# exists solely because Terraform does not support conditional modules.
# Therefore, this is a hack to allow you to conditionally decide if the
# resources should be created or not.
create_resources = true
- # Delivery policy for sns topic.
- delivery_policy = null
-
# The display name of the SNS topic
display_name = ""
@@ -234,36 +193,15 @@ inputs = {
# This will use the CloudWatchNotification class for richer messages.
enable_advanced_formatting = false
- # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the
- # name of the topic.
- enable_fifo = false
-
- # ARN of the http failure feedback role - when using delivery policy for sns
- # topic.
- http_failure_feedback_role_arn = null
-
- # ARN of the http success feedback role - when using delivery policy for sns
- # topic.
- http_success_feedback_role_arn = null
-
# The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a
# custom CMK
kms_master_key_id = "alias/aws/sns"
- # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon
- # SNS to retain messages. This will be used to create the archive policy for
- # the SNS topic. For more see the [Amazon
- # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
- message_retention_period = null
-
# The ARN of a Secrets Manager entry that contains the Slack Webhook URL
# (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are
# sent to.
slack_webhook_url_secrets_manager_arn = null
- # A map of key value pairs to apply as tags to the SNS topic.
- tags = {}
-
}
@@ -343,15 +281,6 @@ A list of protocols that can be used to subscribe to the SNS topic.
-
-
-
-**Requires `enable_fifo = true`.** Flag to enable content-based deduplication for the SNS topic. If set to true, messages with identical content will be treated as duplicates and only delivered once. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
-
-
-
-
-
@@ -361,15 +290,6 @@ Set to false to have this module create no resources. This weird parameter exist
-
-
-
-Delivery policy for sns topic.
-
-
-
-
-
@@ -388,33 +308,6 @@ Set to true to enable advanced formatting for CloudWatch alarms in Slack. This w
-
-
-
-Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the name of the topic.
-
-
-
-
-
-
-
-
-ARN of the http failure feedback role - when using delivery policy for sns topic.
-
-
-
-
-
-
-
-
-ARN of the http success feedback role - when using delivery policy for sns topic.
-
-
-
-
-
@@ -424,15 +317,6 @@ The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CM
-
-
-
-**Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon SNS to retain messages. This will be used to create the archive policy for the SNS topic. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
-
-
-
-
-
@@ -442,15 +326,6 @@ The ARN of a Secrets Manager entry that contains the Slack Webhook URL (e.g., ht
-
-
-
-A map of key value pairs to apply as tags to the SNS topic.
-
-
-
-
-
@@ -473,6 +348,6 @@ The ARN of the SNS topic.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/sns-topics/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "1a74db2b240dec01683d099168c7feeb"
+ "hash": "ae9e705dd0ab60e13cd93d6b0dfee5fd"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/virtual-private-cloud-vpc.md b/docs/reference/services/networking/virtual-private-cloud-vpc.md
index dae25a492..c6bc0cb22 100644
--- a/docs/reference/services/networking/virtual-private-cloud-vpc.md
+++ b/docs/reference/services/networking/virtual-private-cloud-vpc.md
@@ -384,12 +384,6 @@ module "vpc" {
# 'var.create_transit_subnets = true'. Defaults false.
enable_private_nat = false
- # The list of ports to exclude from the inbound allow all rules in Network
- # ACLs. This is useful for adhering to certain compliance standards like CIS
- # or SOC2 that explicitly deny any allow rule for administrative ports (22,
- # 3389).
- exclude_ports_from_inbound_all = []
-
# Additional IAM policies to apply to the S3 bucket to store flow logs. You
# can use this to grant read/write access beyond what is provided to the VPC.
# This should be a map, where each key is a unique statement ID (SID), and
@@ -1149,12 +1143,6 @@ inputs = {
# 'var.create_transit_subnets = true'. Defaults false.
enable_private_nat = false
- # The list of ports to exclude from the inbound allow all rules in Network
- # ACLs. This is useful for adhering to certain compliance standards like CIS
- # or SOC2 that explicitly deny any allow rule for administrative ports (22,
- # 3389).
- exclude_ports_from_inbound_all = []
-
# Additional IAM policies to apply to the S3 bucket to store flow logs. You
# can use this to grant read/write access beyond what is provided to the VPC.
# This should be a map, where each key is a unique statement ID (SID), and
@@ -2228,15 +2216,6 @@ If set to false, the default security groups will NOT be created.
-
-
-
-The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389).
-
-
-
-
-
@@ -3638,6 +3617,6 @@ Indicates whether or not the VPC has finished creating
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/vpc/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "7704a5a5ec0ab3fd2ba6b5f9101ec283"
+ "hash": "45a94739f030a882f78d22cc7f9159c6"
}
##DOCS-SOURCER-END -->
From 0ecbd15b655767f514765443348e8ada3655a57e Mon Sep 17 00:00:00 2001
From: "docs-sourcer[bot]"
<99042413+docs-sourcer[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 23:16:23 +0000
Subject: [PATCH 2/2] Updated with the [latest
changes](https://github.com/gruntwork-io/terraform-aws-service-catalog/compare/47485ae84e51...9b50b0cfa5bb)
from the `terraform-aws-service-catalog@fix/rds-provider-v6-support` source
branch.
---
.../app-orchestration/amazon-ecs-cluster.md | 19 +-
.../amazon-eks-core-services.md | 66 ++-
.../app-orchestration/amazon-eks-workers.md | 80 ++--
.../services/app-orchestration/amazon-eks.md | 389 +++++-------------
.../app-orchestration/ec-2-instance.md | 33 +-
.../services/app-orchestration/lambda.md | 36 +-
.../services/data-storage/amazon-aurora.md | 92 ++++-
.../amazon-elasti-cache-for-memcached.md | 29 +-
.../amazon-elasti-cache-for-redis.md | 29 +-
.../data-storage/amazon-elasticsearch.md | 33 +-
.../data-storage/amazon-rds-replica.md | 21 +-
.../services/data-storage/amazon-rds.md | 82 +++-
.../networking/elastic-load-balancer-elb.md | 17 +-
.../services/networking/management-vpc.md | 23 +-
.../networking/route-53-hosted-zones.md | 8 +-
.../services/networking/sns-topics.md | 127 +++++-
.../networking/virtual-private-cloud-vpc.md | 23 +-
17 files changed, 713 insertions(+), 394 deletions(-)
diff --git a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
index ba48b377a..ebc732272 100644
--- a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
+++ b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md
@@ -287,6 +287,10 @@ module "ecs_cluster" {
# Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1.
cluster_instance_root_volume_type = "gp2"
+ # When set, name the IAM role for the ECS cluster using this variable. When
+ # null, the IAM role name will be derived from var.cluster_name.
+ custom_iam_role_name = null
+
# A list of custom tags to apply to the EC2 Instances in this ASG. Each item
# in this list should be a map with the parameters key, value, and
# propagate_at_launch.
@@ -588,6 +592,10 @@ inputs = {
# Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1.
cluster_instance_root_volume_type = "gp2"
+ # When set, name the IAM role for the ECS cluster using this variable. When
+ # null, the IAM role name will be derived from var.cluster_name.
+ custom_iam_role_name = null
+
# A list of custom tags to apply to the EC2 Instances in this ASG. Each item
# in this list should be a map with the parameters key, value, and
# propagate_at_launch.
@@ -1042,6 +1050,15 @@ The volume type for the root volume for each of the ECS Cluster's EC2 Instances.
+
+
+
+When set, name the IAM role for the ECS cluster using this variable. When null, the IAM role name will be derived from cluster_name.
+
+
+
+
+
@@ -1489,6 +1506,6 @@ The CloudWatch Dashboard metric widget for the ECS cluster workers' Memory utili
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/ecs-cluster/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "a9a4cfd64bce6cf9a7690691d91d5bf1"
+ "hash": "3359d1456500f7677f7ded726c154227"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks-core-services.md b/docs/reference/services/app-orchestration/amazon-eks-core-services.md
index ea7c47b4c..3e6ebacf8 100644
--- a/docs/reference/services/app-orchestration/amazon-eks-core-services.md
+++ b/docs/reference/services/app-orchestration/amazon-eks-core-services.md
@@ -177,6 +177,11 @@ module "eks_core_services" {
# The key is the tag name and the value is the tag value.
alb_ingress_controller_eks_fargate_profile_tags = {}
+ # Additional container arguments for the AWS Load Balancer Controller. For
+ # example, use this to pass feature gates like
+ # --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
+ alb_ingress_controller_extra_args = {}
+
# A map of custom tags to apply to the Controller IAM Policies if enabled. The
# key is the tag name and the value is the tag value.
alb_ingress_controller_iam_policy_tags = {}
@@ -342,7 +347,7 @@ module "eks_core_services" {
# major/minor version (e.g., v1.20) of your Kubernetes Installation. See
# https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases
# for a list of versions.
- cluster_autoscaler_version = "v1.32.0"
+ cluster_autoscaler_version = "v1.33.0"
# When set to true, create a new dedicated IAM Role for the cluster
# autoscaler. When set to true, var.iam_role_for_service_accounts_config is
@@ -707,20 +712,10 @@ module "eks_core_services" {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
+ # and must be installed and on your PATH.
use_exec_plugin_for_auth = true
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -815,6 +810,11 @@ inputs = {
# The key is the tag name and the value is the tag value.
alb_ingress_controller_eks_fargate_profile_tags = {}
+ # Additional container arguments for the AWS Load Balancer Controller. For
+ # example, use this to pass feature gates like
+ # --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
+ alb_ingress_controller_extra_args = {}
+
# A map of custom tags to apply to the Controller IAM Policies if enabled. The
# key is the tag name and the value is the tag value.
alb_ingress_controller_iam_policy_tags = {}
@@ -980,7 +980,7 @@ inputs = {
# major/minor version (e.g., v1.20) of your Kubernetes Installation. See
# https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases
# for a list of versions.
- cluster_autoscaler_version = "v1.32.0"
+ cluster_autoscaler_version = "v1.33.0"
# When set to true, create a new dedicated IAM Role for the cluster
# autoscaler. When set to true, var.iam_role_for_service_accounts_config is
@@ -1345,20 +1345,10 @@ inputs = {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
+ # and must be installed and on your PATH.
use_exec_plugin_for_auth = true
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1507,6 +1497,15 @@ A map of custom tags to apply to the Controller Fargate Profile if enabled. The
+
+
+
+Additional container arguments for the AWS Load Balancer Controller. For example, use this to pass feature gates like --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true.
+
+
+
+
+
@@ -2157,7 +2156,7 @@ The name of the service account to create for the cluster autoscaler.
Which version of the cluster autoscaler to install. This should match the major/minor version (e.g., v1.20) of your Kubernetes Installation. See https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases for a list of versions.
-
+
@@ -5451,16 +5450,7 @@ map(object({
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
-
-
-
-
-
-
-
-
-EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH.
@@ -5505,6 +5495,6 @@ A list of names of Kubernetes PriorityClass objects created by this module.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-core-services/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "e005100df99f9a4df8b5ffcb3b48e4cf"
+ "hash": "69184e101f982fa2915f90294caf6918"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks-workers.md b/docs/reference/services/app-orchestration/amazon-eks-workers.md
index fbb0a5c8e..b6e04197b 100644
--- a/docs/reference/services/app-orchestration/amazon-eks-workers.md
+++ b/docs/reference/services/app-orchestration/amazon-eks-workers.md
@@ -96,6 +96,12 @@ If you want to deploy this repo in production, check out the following resources
## Manage
+### Migrating from AL2 to AL2023
+
+**IMPORTANT**: Starting with EKS 1.33, this module defaults to Amazon Linux 2023 (AL2023) instead of Amazon Linux 2 (AL2). If you have existing clusters using AL2, see the [AL2 to AL2023 Migration Guide](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/AL2-TO-AL2023-MIGRATION.md) for detailed migration instructions.
+
+### Worker Management
+
For information on registering the worker IAM role to the EKS control plane, refer to the
[IAM Roles and Kubernetes API Access](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/core-concepts.md#iam-roles-and-kubernetes-api-access) section of the documentation.
@@ -194,7 +200,7 @@ module "eks_workers" {
# Default value for asg_ami_type field of autoscaling_group_configurations.
# See the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- asg_default_ami_type = "AL2_x86_64"
+ asg_default_ami_type = "AL2023_x86_64_STANDARD"
# Default value for enable_detailed_monitoring field of
# autoscaling_group_configurations.
@@ -489,6 +495,12 @@ module "eks_workers" {
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_worker_memory_utilization_treat_missing_data = "missing"
+ # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy,
+ # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed
+ # Node Group IAM role. Set to false if your existing IAM role already has
+ # these policies attached.
+ managed_node_group_attach_default_iam_policies = true
+
# Whether or not to create an AWS Security Group for the Managed Node Groups.
# By default this is created.
managed_node_group_create_security_group = true
@@ -514,7 +526,7 @@ module "eks_workers" {
# Default value for ami_type field of managed_node_group_configurations. See
# the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- node_group_default_ami_type = "AL2_x86_64"
+ node_group_default_ami_type = "AL2023_x86_64_STANDARD"
# Default value for capacity_type field of managed_node_group_configurations.
node_group_default_capacity_type = "ON_DEMAND"
@@ -641,8 +653,8 @@ module "eks_workers" {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
+ # and must be installed and on your PATH.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -652,16 +664,6 @@ module "eks_workers" {
# IMDSv1.
use_imdsv1 = false
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -776,7 +778,7 @@ inputs = {
# Default value for asg_ami_type field of autoscaling_group_configurations.
# See the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- asg_default_ami_type = "AL2_x86_64"
+ asg_default_ami_type = "AL2023_x86_64_STANDARD"
# Default value for enable_detailed_monitoring field of
# autoscaling_group_configurations.
@@ -1071,6 +1073,12 @@ inputs = {
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_worker_memory_utilization_treat_missing_data = "missing"
+ # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy,
+ # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed
+ # Node Group IAM role. Set to false if your existing IAM role already has
+ # these policies attached.
+ managed_node_group_attach_default_iam_policies = true
+
# Whether or not to create an AWS Security Group for the Managed Node Groups.
# By default this is created.
managed_node_group_create_security_group = true
@@ -1096,7 +1104,7 @@ inputs = {
# Default value for ami_type field of managed_node_group_configurations. See
# the AWS documentation for valid values. Docs:
# https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
- node_group_default_ami_type = "AL2_x86_64"
+ node_group_default_ami_type = "AL2023_x86_64_STANDARD"
# Default value for capacity_type field of managed_node_group_configurations.
node_group_default_capacity_type = "ON_DEMAND"
@@ -1223,8 +1231,8 @@ inputs = {
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround. The aws CLI is used to fetch tokens,
+ # and must be installed and on your PATH.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -1234,16 +1242,6 @@ inputs = {
# IMDSv1.
use_imdsv1 = false
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1665,7 +1663,7 @@ Custom name for the IAM role for the Self-managed workers. When null, a default
Default value for asg_ami_type field of autoscaling_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
-
+
@@ -2509,6 +2507,15 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on
+
+
+
+Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed Node Group IAM role. Set to false if your existing IAM role already has these policies attached.
+
+
+
+
+
@@ -2551,7 +2558,7 @@ ARN of the IAM role to use if iam_role_already_exists = true. When null, uses ma
Default value for ami_type field of managed_node_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType
-
+
@@ -2807,7 +2814,7 @@ The tenancy of the servers in the self-managed worker ASG. Must be one of: defau
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH.
@@ -2822,15 +2829,6 @@ Set this variable to true to enable the use of Instance Metadata Service Version
-
-
-
-EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
-
-
-
-
-
@@ -3001,6 +2999,6 @@ The list of names of the ASGs that were deployed to act as EKS workers.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-workers/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "2ac6dd6f83d679a3380aa8b71a8374db"
+ "hash": "254be00e7e86a29aeddd3b7a118ea91f"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/amazon-eks.md b/docs/reference/services/app-orchestration/amazon-eks.md
index ecc7fbe6e..c33e4e7e9 100644
--- a/docs/reference/services/app-orchestration/amazon-eks.md
+++ b/docs/reference/services/app-orchestration/amazon-eks.md
@@ -347,6 +347,12 @@ module "eks_cluster" {
# use the key `default`.
cloud_init_parts = {}
+ # ARN of an existing IAM role to use for the EKS cluster. When null, a new
+ # role will be created. WARNING: This can ONLY be set during initial cluster
+ # creation. Changing this value on an existing cluster will DESTROY and
+ # RECREATE the cluster (destructive operation).
+ cluster_iam_role_arn = null
+
# ARN of permissions boundary to apply to the cluster IAM role - the IAM role
# created for the EKS cluster.
cluster_iam_role_permissions_boundary = null
@@ -388,6 +394,15 @@ module "eks_cluster" {
# cluster to be created.
cluster_network_config_service_ipv4_cidr = null
+ # ID of an existing security group to use for the EKS cluster control plane.
+ # When null or empty, a new security group will be created. This is the
+ # primary cluster security group; additional security groups can be provided
+ # via the additional_security_groups_for_control_plane variable.
+ cluster_security_group_id = null
+
+ # Specify the log class of the cloudwatch log group
+ control_plane_cloudwatch_log_group_class = "STANDARD"
+
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data in the CloudWatch log group for EKS control plane logs.
control_plane_cloudwatch_log_group_kms_key_id = null
@@ -577,15 +592,18 @@ module "eks_cluster" {
# When set to true, the module configures EKS add-ons
# (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)
- # specified with `eks_addons`. VPC CNI configurations with
- # `use_vpc_cni_customize_script` isn't fully supported with addons, as the
- # automated add-on lifecycles could potentially undo the configuration
- # changes.
+ # specified with `eks_addons`.
enable_eks_addons = false
# Enable fail2ban to block brute force log in attempts. Defaults to true.
enable_fail2ban = true
+ # Set to true to enable several basic CloudWatch alarms around CPU usage,
+ # memory usage, and disk space usage for worker ASGs. If set to true, make
+ # sure to specify SNS topics to send notifications to using
+ # var.alarms_sns_topic_arn.
+ enable_worker_cloudwatch_alarms = true
+
# Set to true to send worker system logs to CloudWatch. This is useful in
# combination with
# https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts
@@ -671,16 +689,10 @@ module "eks_cluster" {
# the user.
iam_user_to_rbac_group_mapping = {}
- # The URL from which to download Kubergrunt if it's not installed already. Use
- # to specify a version of kubergrunt that is compatible with your specified
- # kubernetes version. Ex.
- # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_'
- kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_"
-
# Version of Kubernetes to use. Refer to EKS docs for list of available
# versions
# (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
- kubernetes_version = "1.32"
+ kubernetes_version = "1.33"
# Configure one or more Node Groups to manage the EC2 instances in this
# cluster. Set to empty object ({}) if you do not wish to configure managed
@@ -795,8 +807,8 @@ module "eks_cluster" {
num_worker_vpc_subnet_ids = null
# When true, configures control plane services to run on Fargate so that the
- # cluster can run without worker nodes. If true, requires kubergrunt to be
- # available on the system, and create_default_fargate_iam_role be set to true.
+ # cluster can run without worker nodes. If true, requires
+ # create_default_fargate_iam_role be set to true.
schedule_control_plane_services_on_fargate = false
# ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By
@@ -828,33 +840,12 @@ module "eks_cluster" {
# The tenancy of this server. Must be one of: default, dedicated, or host.
tenancy = "default"
- # When set to true, the sync-core-components command will skip updating
- # coredns. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_coredns = false
-
- # When set to true, the sync-core-components command will skip updating
- # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_kube_proxy = false
-
- # When set to true, the sync-core-components command will skip updating
- # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_vpc_cni = false
-
- # When set to true, the sync-core-components command will wait until the new
- # versions are rolled out in the cluster. This variable is ignored if
- # `use_kubergrunt_sync_components` is false.
- upgrade_cluster_script_wait_for_rollout = true
-
# If this variable is set to true, then use an exec-based plugin to
# authenticate and fetch tokens for EKS. This is useful because EKS clusters
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -864,26 +855,6 @@ module "eks_cluster" {
# IMDSv1.
use_imdsv1 = false
- # When set to true, this will enable kubergrunt based component syncing. This
- # step ensures that the core EKS components that are installed are upgraded to
- # a matching version everytime the cluster's Kubernetes version is updated.
- use_kubergrunt_sync_components = true
-
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
- # When set to true, this will enable kubergrunt verification to wait for the
- # Kubernetes API server to come up before completing. If false, reverts to a
- # 30 second timed wait instead.
- use_kubergrunt_verification = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -891,37 +862,13 @@ module "eks_cluster" {
# when targeting compliance with various security standards.
use_managed_iam_policies = true
- # When set to true, this will enable management of the aws-vpc-cni
- # configuration options using kubergrunt running as a local-exec provisioner.
- # If you set this to false, the vpc_cni_* variables will be ignored.
- use_vpc_cni_customize_script = true
-
- # When true, enable prefix delegation mode for the AWS VPC CNI component of
- # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP
- # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note
- # that by default, AWS VPC CNI will always preallocate 1 full prefix - this
- # means that you can potentially take up 32 IP addresses from the VPC network
- # space even if you only have 1 Pod on the node. You can tweak this behavior
- # by configuring the var.vpc_cni_warm_ip_target input variable.
- vpc_cni_enable_prefix_delegation = true
-
- # The minimum number of IP addresses (free and used) each node should start
- # with. When null, defaults to the aws-vpc-cni application setting (currently
- # 16 as of version 1.9.0). For example, if this is set to 25, every node will
- # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to
- # the default value, then each node will allocate only 1 prefix (16 IP
- # addresses).
- vpc_cni_minimum_ip_target = null
-
- # The number of free IP addresses each node should maintain. When null,
- # defaults to the aws-vpc-cni application setting (currently 16 as of version
- # 1.9.0). In prefix delegation mode, determines whether the node will
- # preallocate another full prefix. For example, if this is set to 5 and a node
- # is currently has 9 Pods scheduled, then the node will NOT preallocate a new
- # prefix block of 16 IP addresses. On the other hand, if this was set to the
- # default value, then the node will allocate a new block when the first pod is
- # scheduled.
- vpc_cni_warm_ip_target = null
+ # When true, assumes prefix delegation mode is in use for the AWS VPC CNI
+ # component of the EKS cluster when computing max pods allowed on the node. In
+ # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28)
+ # instead of 1, allowing you to pack more Pods per node. This should be set to
+ # true when the vpc-cni EKS addon is configured with
+ # ENABLE_PREFIX_DELEGATION=true.
+ use_prefix_mode_to_calculate_max_pods = false
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting worker system log data. Only used if
@@ -1209,6 +1156,12 @@ inputs = {
# use the key `default`.
cloud_init_parts = {}
+ # ARN of an existing IAM role to use for the EKS cluster. When null, a new
+ # role will be created. WARNING: This can ONLY be set during initial cluster
+ # creation. Changing this value on an existing cluster will DESTROY and
+ # RECREATE the cluster (destructive operation).
+ cluster_iam_role_arn = null
+
# ARN of permissions boundary to apply to the cluster IAM role - the IAM role
# created for the EKS cluster.
cluster_iam_role_permissions_boundary = null
@@ -1250,6 +1203,15 @@ inputs = {
# cluster to be created.
cluster_network_config_service_ipv4_cidr = null
+ # ID of an existing security group to use for the EKS cluster control plane.
+ # When null or empty, a new security group will be created. This is the
+ # primary cluster security group; additional security groups can be provided
+ # via the additional_security_groups_for_control_plane variable.
+ cluster_security_group_id = null
+
+ # Specify the log class of the cloudwatch log group
+ control_plane_cloudwatch_log_group_class = "STANDARD"
+
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data in the CloudWatch log group for EKS control plane logs.
control_plane_cloudwatch_log_group_kms_key_id = null
@@ -1439,15 +1401,18 @@ inputs = {
# When set to true, the module configures EKS add-ons
# (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)
- # specified with `eks_addons`. VPC CNI configurations with
- # `use_vpc_cni_customize_script` isn't fully supported with addons, as the
- # automated add-on lifecycles could potentially undo the configuration
- # changes.
+ # specified with `eks_addons`.
enable_eks_addons = false
# Enable fail2ban to block brute force log in attempts. Defaults to true.
enable_fail2ban = true
+ # Set to true to enable several basic CloudWatch alarms around CPU usage,
+ # memory usage, and disk space usage for worker ASGs. If set to true, make
+ # sure to specify SNS topics to send notifications to using
+ # var.alarms_sns_topic_arn.
+ enable_worker_cloudwatch_alarms = true
+
# Set to true to send worker system logs to CloudWatch. This is useful in
# combination with
# https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts
@@ -1533,16 +1498,10 @@ inputs = {
# the user.
iam_user_to_rbac_group_mapping = {}
- # The URL from which to download Kubergrunt if it's not installed already. Use
- # to specify a version of kubergrunt that is compatible with your specified
- # kubernetes version. Ex.
- # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_'
- kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_"
-
# Version of Kubernetes to use. Refer to EKS docs for list of available
# versions
# (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
- kubernetes_version = "1.32"
+ kubernetes_version = "1.33"
# Configure one or more Node Groups to manage the EC2 instances in this
# cluster. Set to empty object ({}) if you do not wish to configure managed
@@ -1657,8 +1616,8 @@ inputs = {
num_worker_vpc_subnet_ids = null
# When true, configures control plane services to run on Fargate so that the
- # cluster can run without worker nodes. If true, requires kubergrunt to be
- # available on the system, and create_default_fargate_iam_role be set to true.
+ # cluster can run without worker nodes. If true, requires
+ # create_default_fargate_iam_role be set to true.
schedule_control_plane_services_on_fargate = false
# ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By
@@ -1690,33 +1649,12 @@ inputs = {
# The tenancy of this server. Must be one of: default, dedicated, or host.
tenancy = "default"
- # When set to true, the sync-core-components command will skip updating
- # coredns. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_coredns = false
-
- # When set to true, the sync-core-components command will skip updating
- # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_kube_proxy = false
-
- # When set to true, the sync-core-components command will skip updating
- # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is
- # false.
- upgrade_cluster_script_skip_vpc_cni = false
-
- # When set to true, the sync-core-components command will wait until the new
- # versions are rolled out in the cluster. This variable is ignored if
- # `use_kubergrunt_sync_components` is false.
- upgrade_cluster_script_wait_for_rollout = true
-
# If this variable is set to true, then use an exec-based plugin to
# authenticate and fetch tokens for EKS. This is useful because EKS clusters
# use short-lived authentication tokens that can expire in the middle of an
# 'apply' or 'destroy', and since the native Kubernetes provider in Terraform
# doesn't have a way to fetch up-to-date tokens, we recommend using an
- # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token
- # input variable to control whether kubergrunt or aws is used to fetch tokens.
+ # exec-based provider as a workaround.
use_exec_plugin_for_auth = true
# Set this variable to true to enable the use of Instance Metadata Service
@@ -1726,26 +1664,6 @@ inputs = {
# IMDSv1.
use_imdsv1 = false
- # When set to true, this will enable kubergrunt based component syncing. This
- # step ensures that the core EKS components that are installed are upgraded to
- # a matching version everytime the cluster's Kubernetes version is updated.
- use_kubergrunt_sync_components = true
-
- # EKS clusters use short-lived authentication tokens that can expire in the
- # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based
- # plugin to fetch an up-to-date token. If this variable is set to true, we'll
- # use kubergrunt to fetch the token (in which case, kubergrunt must be
- # installed and on PATH); if this variable is set to false, we'll use the aws
- # CLI to fetch the token (in which case, aws must be installed and on PATH).
- # Note this functionality is only enabled if use_exec_plugin_for_auth is set
- # to true.
- use_kubergrunt_to_fetch_token = true
-
- # When set to true, this will enable kubergrunt verification to wait for the
- # Kubernetes API server to come up before completing. If false, reverts to a
- # 30 second timed wait instead.
- use_kubergrunt_verification = true
-
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
@@ -1753,37 +1671,13 @@ inputs = {
# when targeting compliance with various security standards.
use_managed_iam_policies = true
- # When set to true, this will enable management of the aws-vpc-cni
- # configuration options using kubergrunt running as a local-exec provisioner.
- # If you set this to false, the vpc_cni_* variables will be ignored.
- use_vpc_cni_customize_script = true
-
- # When true, enable prefix delegation mode for the AWS VPC CNI component of
- # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP
- # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note
- # that by default, AWS VPC CNI will always preallocate 1 full prefix - this
- # means that you can potentially take up 32 IP addresses from the VPC network
- # space even if you only have 1 Pod on the node. You can tweak this behavior
- # by configuring the var.vpc_cni_warm_ip_target input variable.
- vpc_cni_enable_prefix_delegation = true
-
- # The minimum number of IP addresses (free and used) each node should start
- # with. When null, defaults to the aws-vpc-cni application setting (currently
- # 16 as of version 1.9.0). For example, if this is set to 25, every node will
- # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to
- # the default value, then each node will allocate only 1 prefix (16 IP
- # addresses).
- vpc_cni_minimum_ip_target = null
-
- # The number of free IP addresses each node should maintain. When null,
- # defaults to the aws-vpc-cni application setting (currently 16 as of version
- # 1.9.0). In prefix delegation mode, determines whether the node will
- # preallocate another full prefix. For example, if this is set to 5 and a node
- # is currently has 9 Pods scheduled, then the node will NOT preallocate a new
- # prefix block of 16 IP addresses. On the other hand, if this was set to the
- # default value, then the node will allocate a new block when the first pod is
- # scheduled.
- vpc_cni_warm_ip_target = null
+ # When true, assumes prefix delegation mode is in use for the AWS VPC CNI
+ # component of the EKS cluster when computing max pods allowed on the node. In
+ # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28)
+ # instead of 1, allowing you to pack more Pods per node. This should be set to
+ # true when the vpc-cni EKS addon is configured with
+ # ENABLE_PREFIX_DELEGATION=true.
+ use_prefix_mode_to_calculate_max_pods = false
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting worker system log data. Only used if
@@ -2537,6 +2431,15 @@ map(object({
+
+
+
+ARN of an existing IAM role to use for the EKS cluster. When null, a new role will be created. WARNING: This can ONLY be set during initial cluster creation. Changing this value on an existing cluster will DESTROY and RECREATE the cluster (destructive operation).
+
+
+
+
+
@@ -2632,6 +2535,24 @@ The CIDR block to assign Kubernetes pod and service IP addresses from. If you do
+
+
+
+ID of an existing security group to use for the EKS cluster control plane. When null or empty, a new security group will be created. This is the primary cluster security group; additional security groups can be provided via the additional_security_groups_for_control_plane variable.
+
+
+
+
+
+
+
+
+Specify the log class of the cloudwatch log group
+
+
+
+
+
@@ -3380,7 +3301,7 @@ When set to true, the module configures and install the EBS CSI Driver as an EKS
-When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`. VPC CNI configurations with `use_vpc_cni_customize_script` isn't fully supported with addons, as the automated add-on lifecycles could potentially undo the configuration changes.
+When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`.
@@ -3395,6 +3316,15 @@ Enable fail2ban to block brute force log in attempts. Defaults to true.
+
+
+
+Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage for worker ASGs. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.
+
+
+
+
+
@@ -3610,22 +3540,13 @@ map(list(string))
-
-
-
-The URL from which to download Kubergrunt if it's not installed already. Use to specify a version of kubergrunt that is compatible with your specified kubernetes version. Ex. 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_<platform>'
-
-
-
-
-
Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
-
+
@@ -3980,7 +3901,7 @@ Number of subnets provided in the worker_
-When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and create_default_fargate_iam_role be set to true.
+When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires create_default_fargate_iam_role be set to true.
@@ -4031,46 +3952,10 @@ The tenancy of this server. Must be one of: default, dedicated, or host.
-
-
-
-When set to true, the sync-core-components command will skip updating coredns. This variable is ignored if `use_kubergrunt_sync_components` is false.
-
-
-
-
-
-
-
-
-When set to true, the sync-core-components command will skip updating kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is false.
-
-
-
-
-
-
-
-
-When set to true, the sync-core-components command will skip updating aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is false.
-
-
-
-
-
-
-
-
-When set to true, the sync-core-components command will wait until the new versions are rolled out in the cluster. This variable is ignored if `use_kubergrunt_sync_components` is false.
-
-
-
-
-
-If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens.
+If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround.
@@ -4085,33 +3970,6 @@ Set this variable to true to enable the use of Instance Metadata Service Version
-
-
-
-When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated.
-
-
-
-
-
-
-
-
-EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true.
-
-
-
-
-
-
-
-
-When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead.
-
-
-
-
-
@@ -4121,40 +3979,13 @@ When true, all IAM policies will be managed as dedicated policies rather than in
-
+
-When set to true, this will enable management of the aws-vpc-cni configuration options using kubergrunt running as a local-exec provisioner. If you set this to false, the vpc_cni_* variables will be ignored.
+When true, assumes prefix delegation mode is in use for the AWS VPC CNI component of the EKS cluster when computing max pods allowed on the node. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. This should be set to true when the vpc-cni EKS addon is configured with ENABLE_PREFIX_DELEGATION=true.
-
-
-
-
-
-
-When true, enable prefix delegation mode for the AWS VPC CNI component of the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. Note that by default, AWS VPC CNI will always preallocate 1 full prefix - this means that you can potentially take up 32 IP addresses from the VPC network space even if you only have 1 Pod on the node. You can tweak this behavior by configuring the vpc_cni_warm_ip_target input variable.
-
-
-
-
-
-
-
-
-The minimum number of IP addresses (free and used) each node should start with. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). For example, if this is set to 25, every node will allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to the default value, then each node will allocate only 1 prefix (16 IP addresses).
-
-
-
-
-
-
-
-
-The number of free IP addresses each node should maintain. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). In prefix delegation mode, determines whether the node will preallocate another full prefix. For example, if this is set to 5 and a node is currently has 9 Pods scheduled, then the node will NOT preallocate a new prefix block of 16 IP addresses. On the other hand, if this was set to the default value, then the node will allocate a new block when the first pod is scheduled.
-
-
-
+
@@ -4386,6 +4217,6 @@ The ID of the AWS Security Group associated with the self-managed EKS workers.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/eks-cluster/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "a36e160ac30356e6b483828d3cde34b5"
+ "hash": "8c159cad61f033cc8f7a47270594fdd0"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/ec-2-instance.md b/docs/reference/services/app-orchestration/ec-2-instance.md
index dae86783f..e91f56913 100644
--- a/docs/reference/services/app-orchestration/ec-2-instance.md
+++ b/docs/reference/services/app-orchestration/ec-2-instance.md
@@ -272,6 +272,9 @@ module "ec_2_instance" {
# 'ubuntu'.
default_user = "ubuntu"
+ # If true, enables EC2 Instance Termination Protection.
+ disable_api_termination = false
+
# DNS Time To Live in seconds.
dns_ttl = 300
@@ -409,8 +412,11 @@ module "ec_2_instance" {
# If set to true, the root volume will be encrypted. Default is set to false
root_volume_encrypted = false
- # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting
- # the volume
+ # The ID of the KMS key to use for encrypting the root volume. Only used if
+ # root_volume_encrypted is true. If null, the default EBS encryption key for
+ # the account will be used. See
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id
+ # for more information.
root_volume_kms_key_id = null
# The size of the root volume, in gigabytes.
@@ -631,6 +637,9 @@ inputs = {
# 'ubuntu'.
default_user = "ubuntu"
+ # If true, enables EC2 Instance Termination Protection.
+ disable_api_termination = false
+
# DNS Time To Live in seconds.
dns_ttl = 300
@@ -768,8 +777,11 @@ inputs = {
# If set to true, the root volume will be encrypted. Default is set to false
root_volume_encrypted = false
- # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting
- # the volume
+ # The ID of the KMS key to use for encrypting the root volume. Only used if
+ # root_volume_encrypted is true. If null, the default EBS encryption key for
+ # the account will be used. See
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id
+ # for more information.
root_volume_kms_key_id = null
# The size of the root volume, in gigabytes.
@@ -1175,6 +1187,15 @@ The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what
+
+
+
+If true, enables EC2 Instance Termination Protection.
+
+
+
+
+
@@ -1457,7 +1478,7 @@ If set to true, the root volume will be encrypted. Default is set to false
-Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume
+The ID of the KMS key to use for encrypting the root volume. Only used if root_volume_encrypted is true. If null, the default EBS encryption key for the account will be used. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id for more information.
@@ -1638,6 +1659,6 @@ The input parameters for the EBS volumes.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/ec2-instance/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "e52ac09afcee8e8f726d118eab96634d"
+ "hash": "91ec6db49146ed181236467b637c34f7"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/app-orchestration/lambda.md b/docs/reference/services/app-orchestration/lambda.md
index 74a726f2a..ff088e407 100644
--- a/docs/reference/services/app-orchestration/lambda.md
+++ b/docs/reference/services/app-orchestration/lambda.md
@@ -254,6 +254,10 @@ module "lambda" {
# with Service Accounts.
iam_policy = null
+ # The name to use for the IAM role created for the lambda function. If null,
+ # default to the function name (var.name).
+ iam_role_name = null
+
# The ECR image URI containing the function's deployment package. Example:
# 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag
image_uri = null
@@ -271,6 +275,10 @@ module "lambda" {
# can have a maximum of 5 Layers attached to each function.
layers = []
+ # Time to wait after creating managed policy, to avoid AWS eventual
+ # consistency racing. Default: 60s.
+ managed_policy_waiting_time = "60s"
+
# The name for the alarm's associated metric.
metric_name = "Errors"
@@ -559,6 +567,10 @@ inputs = {
# with Service Accounts.
iam_policy = null
+ # The name to use for the IAM role created for the lambda function. If null,
+ # default to the function name (var.name).
+ iam_role_name = null
+
# The ECR image URI containing the function's deployment package. Example:
# 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag
image_uri = null
@@ -576,6 +588,10 @@ inputs = {
# can have a maximum of 5 Layers attached to each function.
layers = []
+ # Time to wait after creating managed policy, to avoid AWS eventual
+ # consistency racing. Default: 60s.
+ managed_policy_waiting_time = "60s"
+
# The name for the alarm's associated metric.
metric_name = "Errors"
@@ -1025,6 +1041,15 @@ map(object({
+
+
+
+The name to use for the IAM role created for the lambda function. If null, default to the function name (name).
+
+
+
+
+
@@ -1061,6 +1086,15 @@ The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can
+
+
+
+Time to wait after creating managed policy, to avoid AWS eventual consistency racing. Default: 60s.
+
+
+
+
+
@@ -1428,6 +1462,6 @@ Latest published version of your Lambda Function
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/services/lambda/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "958797470d670a26e13cff1899219515"
+ "hash": "adeb1607a04291caf629527ff439a743"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-aurora.md b/docs/reference/services/data-storage/amazon-aurora.md
index 4f3a70c9f..916b1e27f 100644
--- a/docs/reference/services/data-storage/amazon-aurora.md
+++ b/docs/reference/services/data-storage/amazon-aurora.md
@@ -135,6 +135,12 @@ module "aurora" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to Aurora from for
+ # dual-stack configurations. In the standard Gruntwork VPC setup with
+ # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app
+ # subnets, plus the private subnets in the mgmt VPC.
+ allow_connections_from_ipv6_cidr_blocks = []
+
# The list of IDs or Security Groups to allow network access to Aurora from.
# All security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -274,6 +280,11 @@ module "aurora" {
# value in db_config_secrets_manager_id.
db_name = null
+ # If true, delete all automated backups when the DB cluster is deleted. If
+ # false, automated backups are retained until the retention period expires.
+ # Defaults to true.
+ delete_automated_backups = null
+
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -287,6 +298,10 @@ module "aurora" {
# database cannot be deleted.
enable_deletion_protection = false
+ # If true, enables the HTTP endpoint used for Data API. Only valid when
+ # engine_mode is set to serverless.
+ enable_http_endpoint = null
+
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
@@ -309,7 +324,11 @@ module "aurora" {
# value here overrides the value in db_config_secrets_manager_id.
engine = null
- # The version of aurora to run - provisioned or serverless.
+ # The DB engine mode of the DB cluster: either provisioned or serverless. Note
+ # that serverless (v1) is deprecated and no longer available for new clusters.
+ # For Aurora Serverless v2, use provisioned with
+ # scaling_configuration_min_capacity_V2 and
+ # scaling_configuration_max_capacity_V2.
engine_mode = "provisioned"
# The Amazon Aurora DB engine version for the selected engine and engine_mode.
@@ -477,6 +496,11 @@ module "aurora" {
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html
restore_source_cluster_identifier = null
+ # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time
+ # in UTC format to restore the database cluster to (e.g,
+ # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
+ restore_to_time = null
+
# Only used if 'restore_source_cluster_identifier' is non-empty. Type of
# restore to be performed. Valid options are 'full-copy' and 'copy-on-write'.
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html
@@ -605,6 +629,12 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to Aurora from for
+ # dual-stack configurations. In the standard Gruntwork VPC setup with
+ # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app
+ # subnets, plus the private subnets in the mgmt VPC.
+ allow_connections_from_ipv6_cidr_blocks = []
+
# The list of IDs or Security Groups to allow network access to Aurora from.
# All security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -744,6 +774,11 @@ inputs = {
# value in db_config_secrets_manager_id.
db_name = null
+ # If true, delete all automated backups when the DB cluster is deleted. If
+ # false, automated backups are retained until the retention period expires.
+ # Defaults to true.
+ delete_automated_backups = null
+
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
@@ -757,6 +792,10 @@ inputs = {
# database cannot be deleted.
enable_deletion_protection = false
+ # If true, enables the HTTP endpoint used for Data API. Only valid when
+ # engine_mode is set to serverless.
+ enable_http_endpoint = null
+
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
@@ -779,7 +818,11 @@ inputs = {
# value here overrides the value in db_config_secrets_manager_id.
engine = null
- # The version of aurora to run - provisioned or serverless.
+ # The DB engine mode of the DB cluster: either provisioned or serverless. Note
+ # that serverless (v1) is deprecated and no longer available for new clusters.
+ # For Aurora Serverless v2, use provisioned with
+ # scaling_configuration_min_capacity_V2 and
+ # scaling_configuration_max_capacity_V2.
engine_mode = "provisioned"
# The Amazon Aurora DB engine version for the selected engine and engine_mode.
@@ -947,6 +990,11 @@ inputs = {
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html
restore_source_cluster_identifier = null
+ # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time
+ # in UTC format to restore the database cluster to (e.g,
+ # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
+ restore_to_time = null
+
# Only used if 'restore_source_cluster_identifier' is non-empty. Type of
# restore to be performed. Valid options are 'full-copy' and 'copy-on-write'.
# https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html
@@ -1081,6 +1129,15 @@ The list of network CIDR blocks to allow network access to Aurora from. One of <
+
+
+
+The list of IPv6 CIDR blocks to allow network access to Aurora from for dual-stack configurations. In the standard Gruntwork VPC setup with dual-stack enabled, these should be the IPv6 CIDR blocks of the private app subnets, plus the private subnets in the mgmt VPC.
+
+
+
+
+
@@ -1698,6 +1755,15 @@ The name for your database of up to 8 alpha-numeric characters. If you do not pr
+
+
+
+If true, delete all automated backups when the DB cluster is deleted. If false, automated backups are retained until the retention period expires. Defaults to true.
+
+
+
+
+
@@ -1725,6 +1791,15 @@ Enable deletion protection on the database instance. If this is enabled, the dat
+
+
+
+If true, enables the HTTP endpoint used for Data API. Only valid when engine_mode is set to serverless.
+
+
+
+
+
@@ -1764,7 +1839,7 @@ The name of the database engine to be used for this DB cluster. Valid Values: au
-The version of aurora to run - provisioned or serverless.
+The DB engine mode of the DB cluster: either provisioned or serverless. Note that serverless (v1) is deprecated and no longer available for new clusters. For Aurora Serverless v2, use provisioned with scaling_configuration_min_capacity_V2 and scaling_configuration_max_capacity_V2.
@@ -2131,6 +2206,15 @@ If non-empty, the Aurora cluster will be restored from the given source cluster
+
+
+
+Only used if 'restore_source_cluster_identifier' is non-empty. Date and time in UTC format to restore the database cluster to (e.g, 2009-09-07T23:45:00Z). When null, the latest restorable time will be used.
+
+
+
+
+
@@ -2443,6 +2527,6 @@ The ARN of the AWS Lambda Function used for sharing manual snapshots with second
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/aurora/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "3159d14d1ec582ca545dfc6ada08f9f1"
+ "hash": "d33e57d740cb6335cb383695e5abbdf7"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
index 9208e8966..d9d8c9399 100644
--- a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
+++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md
@@ -131,7 +131,13 @@ module "memcached" {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_treat_missing_data = "missing"
+ alarm_high_cpu_utilization_treat_missing_data = "missing"
+
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ alarm_low_memory_available_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -230,7 +236,13 @@ inputs = {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_treat_missing_data = "missing"
+ alarm_high_cpu_utilization_treat_missing_data = "missing"
+
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ alarm_low_memory_available_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -339,7 +351,16 @@ The ID of the VPC in which to deploy RDS.
### Optional
-
+
+
+
+Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+
+
+
+
+
+
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
@@ -474,6 +495,6 @@ The configuration endpoint to allow host discovery.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/memcached/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "27e29eefc1f0ebb346c25010a2db486c"
+ "hash": "37ccb84cd13233db25c08cf6eaca816b"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
index daf7940fb..4701a3a3e 100644
--- a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
+++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md
@@ -135,6 +135,12 @@ module "redis" {
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ alarm_high_cpu_utilization_treat_missing_data = "missing"
+
# Trigger an alarm if the amount of free memory, in Bytes, on the node drops
# below this threshold
alarm_low_memory_available_threshold = 100000000
@@ -143,7 +149,7 @@ module "redis" {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_treat_missing_data = "missing"
+ alarm_low_memory_available_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -314,6 +320,12 @@ inputs = {
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ alarm_high_cpu_utilization_treat_missing_data = "missing"
+
# Trigger an alarm if the amount of free memory, in Bytes, on the node drops
# below this threshold
alarm_low_memory_available_threshold = 100000000
@@ -322,7 +334,7 @@ inputs = {
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
- alarm_treat_missing_data = "missing"
+ alarm_low_memory_available_treat_missing_data = "missing"
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications.
@@ -510,6 +522,15 @@ The ID of the VPC in which to deploy RDS.
### Optional
+
+
+
+Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+
+
+
+
+
@@ -531,7 +552,7 @@ Trigger an alarm if the amount of free memory, in Bytes, on the node drops below
-
+
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
@@ -839,6 +860,6 @@ Security Group ID used for redis cluster.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/redis/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "1b11a4dcce821d77493dfb765954954b"
+ "hash": "50fa4b80f6095485eb25648a181bb2e2"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-elasticsearch.md b/docs/reference/services/data-storage/amazon-elasticsearch.md
index 1c1ee7136..0bcb02e87 100644
--- a/docs/reference/services/data-storage/amazon-elasticsearch.md
+++ b/docs/reference/services/data-storage/amazon-elasticsearch.md
@@ -128,7 +128,7 @@ module "elasticsearch" {
volume_size =
# The type of EBS volumes to use in the cluster. Must be one of: standard,
- # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see
+ # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see
# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
volume_type =
@@ -345,8 +345,7 @@ module "elasticsearch" {
internal_user_database_enabled = false
# The baseline input/output (I/O) performance of EBS volumes attached to data
- # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is
- # io1.
+ # nodes. Applicable only if var.volume_type is gp3 or io1.
iops = null
# Whether the cluster is publicly accessible.
@@ -438,6 +437,10 @@ module "elasticsearch" {
# first one is used.
subnet_ids = []
+ # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid
+ # values are between 125 and 1000. Applicable only if var.volume_type is gp3.
+ throughput = null
+
# The name of the TLS security policy that needs to be applied to the HTTPS
# endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and
# Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is
@@ -505,7 +508,7 @@ inputs = {
volume_size =
# The type of EBS volumes to use in the cluster. Must be one of: standard,
- # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see
+ # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see
# https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
volume_type =
@@ -722,8 +725,7 @@ inputs = {
internal_user_database_enabled = false
# The baseline input/output (I/O) performance of EBS volumes attached to data
- # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is
- # io1.
+ # nodes. Applicable only if var.volume_type is gp3 or io1.
iops = null
# Whether the cluster is publicly accessible.
@@ -815,6 +817,10 @@ inputs = {
# first one is used.
subnet_ids = []
+ # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid
+ # values are between 125 and 1000. Applicable only if var.volume_type is gp3.
+ throughput = null
+
# The name of the TLS security policy that needs to be applied to the HTTPS
# endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and
# Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is
@@ -885,7 +891,7 @@ The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512)
-The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
+The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html.
@@ -1308,7 +1314,7 @@ Whether the internal user database is enabled. Enable this to use master account
-The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if volume_type is io1.
+The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only if volume_type is gp3 or io1.
@@ -1494,6 +1500,15 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on
+
+
+
+The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid values are between 125 and 1000. Applicable only if volume_type is gp3.
+
+
+
+
+
@@ -1583,6 +1598,6 @@ Domain-specific endpoint for Kibana without https scheme.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/elasticsearch/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "02154d701be6a08bb3a3527a48530af4"
+ "hash": "9f6e589fba1fc067230d5d1cac51858a"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-rds-replica.md b/docs/reference/services/data-storage/amazon-rds-replica.md
index 1bbd269b9..6277a0598 100644
--- a/docs/reference/services/data-storage/amazon-rds-replica.md
+++ b/docs/reference/services/data-storage/amazon-rds-replica.md
@@ -80,6 +80,11 @@ module "rds_replica" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
+ # from for dual-stack configurations. If not set, read replica instances will
+ # use the same security group as the master instance.
+ allow_connections_from_ipv6_cidr_blocks = []
+
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -389,6 +394,11 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
+ # from for dual-stack configurations. If not set, read replica instances will
+ # use the same security group as the master instance.
+ allow_connections_from_ipv6_cidr_blocks = []
+
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -710,6 +720,15 @@ The list of network CIDR blocks to allow network access to RDS from. One of
+
+
+
+The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance.
+
+
+
+
+
@@ -1690,6 +1709,6 @@ A list of IDs of the RDS DB instance's read replicas.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/rds-replica/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "2ee950bfbae1794fbc960e140bbcbaa6"
+ "hash": "8c16a1db23a05ec10c8bc1b950713ff3"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/data-storage/amazon-rds.md b/docs/reference/services/data-storage/amazon-rds.md
index 555878e23..5a9b874da 100644
--- a/docs/reference/services/data-storage/amazon-rds.md
+++ b/docs/reference/services/data-storage/amazon-rds.md
@@ -142,6 +142,16 @@ module "rds" {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to RDS from for
+ # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the
+ # private app subnet in this VPC plus the private subnet in the mgmt VPC.
+ allow_connections_from_ipv6_cidr_blocks = []
+
+ # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
+ # from for dual-stack configurations. If not set, read replica instances will
+ # use the same security group as the master instance.
+ allow_connections_from_ipv6_cidr_blocks_to_read_replicas = []
+
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -398,6 +408,12 @@ module "rds" {
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ high_read_latency_treat_missing_data = "missing"
+
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
@@ -405,6 +421,12 @@ module "rds" {
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ high_write_latency_treat_missing_data = "missing"
+
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
@@ -706,6 +728,16 @@ inputs = {
# database to be reachable.
allow_connections_from_cidr_blocks = []
+ # The list of IPv6 CIDR blocks to allow network access to RDS from for
+ # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the
+ # private app subnet in this VPC plus the private subnet in the mgmt VPC.
+ allow_connections_from_ipv6_cidr_blocks = []
+
+ # The list of IPv6 CIDR blocks to allow network access to RDS read replicas
+ # from for dual-stack configurations. If not set, read replica instances will
+ # use the same security group as the master instance.
+ allow_connections_from_ipv6_cidr_blocks_to_read_replicas = []
+
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
@@ -962,6 +994,12 @@ inputs = {
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ high_read_latency_treat_missing_data = "missing"
+
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
@@ -969,6 +1007,12 @@ inputs = {
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
+ # Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
+ # Based on
+ # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
+ # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+ high_write_latency_treat_missing_data = "missing"
+
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
@@ -1286,6 +1330,24 @@ The list of network CIDR blocks to allow network access to RDS from. One of
+
+
+
+The list of IPv6 CIDR blocks to allow network access to RDS from for dual-stack configurations. Should typically be the IPv6 CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.
+
+
+
+
+
+
+
+
+The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance.
+
+
+
+
+
@@ -2100,6 +2162,15 @@ Trigger an alarm if the DB instance read latency (average amount of time taken p
+
+
+
+Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+
+
+
+
+
@@ -2118,6 +2189,15 @@ Trigger an alarm if the DB instance write latency (average amount of time taken
+
+
+
+Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
+
+
+
+
+
@@ -2801,6 +2881,6 @@ The ID of the Security Group that controls access to the RDS DB instance.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/data-stores/rds/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "a3058ea1ece5047d40ad12b66ee24c27"
+ "hash": "808b40e70c388133e7ffd5a5a295c315"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/elastic-load-balancer-elb.md b/docs/reference/services/networking/elastic-load-balancer-elb.md
index b39245e0f..e89fdd5a6 100644
--- a/docs/reference/services/networking/elastic-load-balancer-elb.md
+++ b/docs/reference/services/networking/elastic-load-balancer-elb.md
@@ -136,6 +136,9 @@ module "alb" {
# Valid values are AMAZON_ISSUED and IMPORTED.
acm_cert_types = ["AMAZON_ISSUED","IMPORTED"]
+ # Add additional security groups to the ALB
+ additional_security_group_ids = []
+
# List of additional SSL certs (non-ACM and ACM) to bind to the given listener
# port. Note that this must not overlap with the certificates defined in
# var.https_listener_ports_and_ssl_certs and
@@ -345,6 +348,9 @@ inputs = {
# Valid values are AMAZON_ISSUED and IMPORTED.
acm_cert_types = ["AMAZON_ISSUED","IMPORTED"]
+ # Add additional security groups to the ALB
+ additional_security_group_ids = []
+
# List of additional SSL certs (non-ACM and ACM) to bind to the given listener
# port. Note that this must not overlap with the certificates defined in
# var.https_listener_ports_and_ssl_certs and
@@ -595,6 +601,15 @@ When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_cer
+
+
+
+Add additional security groups to the ALB
+
+
+
+
+
@@ -1045,6 +1060,6 @@ The AWS-managed DNS name assigned to the ALB.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/alb/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "23c01365e679738aa098337d1f586274"
+ "hash": "ac619e7e084bb3f5d9c5863d4d519e1e"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/management-vpc.md b/docs/reference/services/networking/management-vpc.md
index 62c0dc31e..5bc7fd372 100644
--- a/docs/reference/services/networking/management-vpc.md
+++ b/docs/reference/services/networking/management-vpc.md
@@ -221,6 +221,12 @@ module "vpc_mgmt" {
# If set to false, the default security groups will NOT be created.
enable_default_security_group = false
+ # The list of ports to exclude from the inbound allow all rules in Network
+ # ACLs. This is useful for adhering to certain compliance standards like CIS
+ # or SOC2 that explicitly deny any allow rule for administrative ports (22,
+ # 3389).
+ exclude_ports_from_inbound_all = []
+
# Specifies the number of days you want to retain log events. Possible values
# are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096,
# 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in
@@ -446,6 +452,12 @@ inputs = {
# If set to false, the default security groups will NOT be created.
enable_default_security_group = false
+ # The list of ports to exclude from the inbound allow all rules in Network
+ # ACLs. This is useful for adhering to certain compliance standards like CIS
+ # or SOC2 that explicitly deny any allow rule for administrative ports (22,
+ # 3389).
+ exclude_ports_from_inbound_all = []
+
# Specifies the number of days you want to retain log events. Possible values
# are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096,
# 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in
@@ -813,6 +825,15 @@ If set to false, the default security groups will NOT be created.
+
+
+
+The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389).
+
+
+
+
+
@@ -1092,6 +1113,6 @@ Indicates whether or not the VPC has finished creating
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/vpc-mgmt/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "e6ad5636213ff546f42c58530551bb60"
+ "hash": "5961c626daf81d5ea0cf5a9b7a9bfa9b"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/route-53-hosted-zones.md b/docs/reference/services/networking/route-53-hosted-zones.md
index 480bd8903..ee859eeb9 100644
--- a/docs/reference/services/networking/route-53-hosted-zones.md
+++ b/docs/reference/services/networking/route-53-hosted-zones.md
@@ -515,6 +515,12 @@ Any types represent complex values of variable type. For details, please consult
Whether or not to create ACM TLS certificates for the domain. When true, Route53 certificates will automatically be
created for the root domain. Defaults to true.
provision_certificates = bool
+
+ Whether or not the certificate can be exported. Valid values are "ENABLED" or "DISABLED".
+ This setting is immutable after creation - changing it forces certificate replacement.
+ Note: exportable public certificates incur additional AWS charges.
+ Requires AWS provider >= 6.4.0.
+ export = string
```
@@ -626,6 +632,6 @@ A map of domains to resource arns and hosted zones of the created Service Discov
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/route53/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "e637a304277def66c4262cd1d2511c78"
+ "hash": "1ac293aaf55480b913574b87ef441bb2"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/sns-topics.md b/docs/reference/services/networking/sns-topics.md
index 4026ce43a..936bb2f00 100644
--- a/docs/reference/services/networking/sns-topics.md
+++ b/docs/reference/services/networking/sns-topics.md
@@ -112,12 +112,22 @@ module "sns_topics" {
# A list of protocols that can be used to subscribe to the SNS topic.
allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"]
+ # **Requires `enable_fifo = true`.** Flag to enable content-based
+ # deduplication for the SNS topic. If set to true, messages with identical
+ # content will be treated as duplicates and only delivered once. For more see
+ # the [Amazon
+ # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
+ content_based_deduplication = null
+
# Set to false to have this module create no resources. This weird parameter
# exists solely because Terraform does not support conditional modules.
# Therefore, this is a hack to allow you to conditionally decide if the
# resources should be created or not.
create_resources = true
+ # Delivery policy for sns topic.
+ delivery_policy = null
+
# The display name of the SNS topic
display_name = ""
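Review bot: `delivery_policy = null` is documented only as "Delivery policy for sns topic.", which tells the reader neither the expected value type nor what the policy controls. Presumably it is passed through to `aws_sns_topic.delivery_policy`, which takes a JSON policy document governing HTTP/S delivery retries — confirm against the module. Suggested comment: `# JSON policy document (string) controlling HTTP/S delivery retries, passed through to aws_sns_topic.delivery_policy. Leave null for the SNS defaults.` The `content_based_deduplication` entry would also benefit from noting that when it is false on a FIFO topic, publishers are expected to supply a MessageDeduplicationId on every publish.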
@@ -125,15 +135,36 @@ module "sns_topics" {
# This will use the CloudWatchNotification class for richer messages.
enable_advanced_formatting = false
+ # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the
+ # name of the topic.
+ enable_fifo = false
+
+ # ARN of the http failure feedback role - when using delivery policy for sns
+ # topic.
+ http_failure_feedback_role_arn = null
+
+ # ARN of the http success feedback role - when using delivery policy for sns
+ # topic.
+ http_success_feedback_role_arn = null
+
# The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a
# custom CMK
kms_master_key_id = "alias/aws/sns"
+ # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon
+ # SNS to retain messages. This will be used to create the archive policy for
+ # the SNS topic. For more see the [Amazon
+ # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
+ message_retention_period = null
+
# The ARN of a Secrets Manager entry that contains the Slack Webhook URL
# (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are
# sent to.
slack_webhook_url_secrets_manager_arn = null
+ # A map of key value pairs to apply as tags to the SNS topic.
+ tags = {}
+
}
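Review bot: The `http_success_feedback_role_arn` / `http_failure_feedback_role_arn` comments say only "when using delivery policy" and nothing about what the role must trust or be allowed to do, which is the security-relevant part of handing SNS a role ARN. If these feed the matching `aws_sns_topic` delivery-status arguments, SNS assumes the role to write delivery logs to CloudWatch Logs, so its trust policy must allow `sns.amazonaws.com` and its permissions should be limited to `logs:` actions on the topic's log groups — confirm against the module source. Suggested comment for both: `# ARN of an IAM role trusted by sns.amazonaws.com that SNS assumes to write HTTP/S delivery-status logs to CloudWatch Logs; grant only the logs:* actions needed on those log groups.` The doc also leaves open whether the module validates the `enable_fifo = true` precondition on `message_retention_period` or relies on the API rejecting it at apply time.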
@@ -180,12 +211,22 @@ inputs = {
# A list of protocols that can be used to subscribe to the SNS topic.
allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"]
+ # **Requires `enable_fifo = true`.** Flag to enable content-based
+ # deduplication for the SNS topic. If set to true, messages with identical
+ # content will be treated as duplicates and only delivered once. For more see
+ # the [Amazon
+ # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
+ content_based_deduplication = null
+
# Set to false to have this module create no resources. This weird parameter
# exists solely because Terraform does not support conditional modules.
# Therefore, this is a hack to allow you to conditionally decide if the
# resources should be created or not.
create_resources = true
+ # Delivery policy for sns topic.
+ delivery_policy = null
+
# The display name of the SNS topic
display_name = ""
@@ -193,15 +234,36 @@ inputs = {
# This will use the CloudWatchNotification class for richer messages.
enable_advanced_formatting = false
+ # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the
+ # name of the topic.
+ enable_fifo = false
+
+ # ARN of the http failure feedback role - when using delivery policy for sns
+ # topic.
+ http_failure_feedback_role_arn = null
+
+ # ARN of the http success feedback role - when using delivery policy for sns
+ # topic.
+ http_success_feedback_role_arn = null
+
# The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a
# custom CMK
kms_master_key_id = "alias/aws/sns"
+ # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon
+ # SNS to retain messages. This will be used to create the archive policy for
+ # the SNS topic. For more see the [Amazon
+ # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
+ message_retention_period = null
+
# The ARN of a Secrets Manager entry that contains the Slack Webhook URL
# (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are
# sent to.
slack_webhook_url_secrets_manager_arn = null
+ # A map of key value pairs to apply as tags to the SNS topic.
+ tags = {}
+
}
@@ -281,6 +343,15 @@ A list of protocols that can be used to subscribe to the SNS topic.
+
+
+
+**Requires `enable_fifo = true`.** Flag to enable content-based deduplication for the SNS topic. If set to true, messages with identical content will be treated as duplicates and only delivered once. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html)
+
+
+
+
+
@@ -290,6 +361,15 @@ Set to false to have this module create no resources. This weird parameter exist
+
+
+
+Delivery policy for sns topic.
+
+
+
+
+
@@ -308,6 +388,33 @@ Set to true to enable advanced formatting for CloudWatch alarms in Slack. This w
+
+
+
+Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the name of the topic.
+
+
+
+
+
+
+
+
+ARN of the http failure feedback role - when using delivery policy for sns topic.
+
+
+
+
+
+
+
+
+ARN of the http success feedback role - when using delivery policy for sns topic.
+
+
+
+
+
@@ -317,6 +424,15 @@ The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CM
+
+
+
+**Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon SNS to retain messages. This will be used to create the archive policy for the SNS topic. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html)
+
+
+
+
+
@@ -326,6 +442,15 @@ The ARN of a Secrets Manager entry that contains the Slack Webhook URL (e.g., ht
+
+
+
+A map of key value pairs to apply as tags to the SNS topic.
+
+
+
+
+
@@ -348,6 +473,6 @@ The ARN of the SNS topic.
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/sns-topics/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "ae9e705dd0ab60e13cd93d6b0dfee5fd"
+ "hash": "1a74db2b240dec01683d099168c7feeb"
}
##DOCS-SOURCER-END -->
diff --git a/docs/reference/services/networking/virtual-private-cloud-vpc.md b/docs/reference/services/networking/virtual-private-cloud-vpc.md
index c6bc0cb22..dae25a492 100644
--- a/docs/reference/services/networking/virtual-private-cloud-vpc.md
+++ b/docs/reference/services/networking/virtual-private-cloud-vpc.md
@@ -384,6 +384,12 @@ module "vpc" {
# 'var.create_transit_subnets = true'. Defaults false.
enable_private_nat = false
+ # The list of ports to exclude from the inbound allow all rules in Network
+ # ACLs. This is useful for adhering to certain compliance standards like CIS
+ # or SOC2 that explicitly deny any allow rule for administrative ports (22,
+ # 3389).
+ exclude_ports_from_inbound_all = []
+
# Additional IAM policies to apply to the S3 bucket to store flow logs. You
# can use this to grant read/write access beyond what is provided to the VPC.
# This should be a map, where each key is a unique statement ID (SID), and
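Review bot: The `exclude_ports_from_inbound_all` comment cites CIS/SOC2 but does not say that the default `[]` leaves the inbound allow-all NACL rule intact, so a reader applying the module for that control must know to set `[22, 3389]` themselves; it also does not say whether elements are single port numbers or ranges, or which subnet tiers' NACLs are affected. It should make clear that this only removes the NACL allow — security groups are a separate layer and the corresponding SG rules must be absent too. Suggested comment: `# Ports to carve out of the inbound allow-all NACL rule (e.g. [22, 3389]); the default [] keeps allow-all. Excluded ports remain reachable if a security group allows them.` The element type is inferred from the name and should be confirmed against the module's variable definition.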
@@ -1143,6 +1149,12 @@ inputs = {
# 'var.create_transit_subnets = true'. Defaults false.
enable_private_nat = false
+ # The list of ports to exclude from the inbound allow all rules in Network
+ # ACLs. This is useful for adhering to certain compliance standards like CIS
+ # or SOC2 that explicitly deny any allow rule for administrative ports (22,
+ # 3389).
+ exclude_ports_from_inbound_all = []
+
# Additional IAM policies to apply to the S3 bucket to store flow logs. You
# can use this to grant read/write access beyond what is provided to the VPC.
# This should be a map, where each key is a unique statement ID (SID), and
@@ -2216,6 +2228,15 @@ If set to false, the default security groups will NOT be created.
+
+
+
+The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389).
+
+
+
+
+
@@ -3617,6 +3638,6 @@ Indicates whether or not the VPC has finished creating
"https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.2.0/modules/networking/vpc/outputs.tf"
],
"sourcePlugin": "service-catalog-api",
- "hash": "45a94739f030a882f78d22cc7f9159c6"
+ "hash": "7704a5a5ec0ab3fd2ba6b5f9101ec283"
}
##DOCS-SOURCER-END -->