chore(main): release 1.52.0

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [1.52.0](https://github.com/nullplatform/tofu-modules/compare/v1.51.0...v1.52.0) (2026-04-07)
+
+
+### Features
+
+* **cert-manager:** add Azure Workload Identity support ([#272](https://github.com/nullplatform/tofu-modules/issues/272)) ([800249c](https://github.com/nullplatform/tofu-modules/commit/800249caad39e4728d293cd70ecf612b3a1c8cc5))
+
+
+### Bug Fixes
+
+* **security:** change gateway_port default from 8443 to 443 ([#281](https://github.com/nullplatform/tofu-modules/issues/281)) ([6c5fc5c](https://github.com/nullplatform/tofu-modules/commit/6c5fc5c7a755ece4bb4befe040d33028ec761d3a))
+
 ## [1.51.0](https://github.com/nullplatform/tofu-modules/compare/v1.50.0...v1.51.0) (2026-04-05)
 
 

infrastructure/aws/acm/README.md

@@ -18,7 +18,7 @@ The module creates an aws_acm_certificate resource with DNS validation, which is
 
 ```hcl
 module "acm" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/acm?ref=v1.52.0"
 
   domain_name = "your-domain-name"
   zone_id     = "your-zone-id"

infrastructure/aws/aws_load_balancer_controller/README.md

@@ -18,7 +18,7 @@ This module creates a helm_release resource to deploy the AWS Load Balancer Cont
 
 ```hcl
 module "aws_load_balancer_controller" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v1.52.0"
 
   cluster_name = "your-cluster-name"
   vpc_id       = "your-vpc-id"

infrastructure/aws/backend/README.md

@@ -20,7 +20,7 @@ This module creates an S3 bucket with versioning and server-side encryption enab
 
 ```hcl
 module "backend" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/backend?ref=v1.52.0"
 }
 ```
 

infrastructure/aws/dns/README.md

@@ -18,7 +18,7 @@ This module creates two aws_route53_zone resources, one for a public zone and on
 
 ```hcl
 module "dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v1.52.0"
 
   domain_name = "your-domain-name"
   vpc_id      = "your-vpc-id"

infrastructure/aws/eks/README.md

@@ -22,7 +22,7 @@ The module creates an EKS cluster using the terraform-aws-modules/eks/aws module
 
 ```hcl
 module "eks" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v1.52.0"
 
   aws_subnets_private_ids = "your-aws-subnets-private-ids"
   aws_vpc_vpc_id          = "your-aws-vpc-vpc-id"

infrastructure/aws/iam/agent/README.md

@@ -19,7 +19,7 @@ This module creates an IAM role for a Kubernetes service account using the terra
 
 ```hcl
 module "agent" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v1.52.0"
 
   agent_namespace                     = "your-agent-namespace"
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"

infrastructure/aws/iam/aws_load_balancer_controller_iam/README.md

@@ -19,7 +19,7 @@ This module creates an IAM role for the AWS Load Balancer Controller using the t
 
 ```hcl
 module "aws_load_balancer_controller_iam" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v1.52.0"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/cert_manager/README.md

@@ -18,7 +18,7 @@ This module creates an IAM role for a Kubernetes service account using the terra
 
 ```hcl
 module "cert_manager" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v1.52.0"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/external_dns/README.md

@@ -18,7 +18,7 @@ This module creates an IAM role with OIDC provider trust for a Kubernetes servic
 
 ```hcl
 module "external_dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v1.52.0"
 
   aws_iam_openid_connect_provider_arn = "your-aws-iam-openid-connect-provider-arn"
   cluster_name                        = "your-cluster-name"

infrastructure/aws/iam/s3/README.md

@@ -19,7 +19,7 @@ The module creates an aws_s3_bucket_policy resource attached to an existing S3 b
 
 ```hcl
 module "s3" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3?ref=v1.52.0"
 
   bucket_arn = "your-bucket-arn"
   bucket_id  = "your-bucket-id"

infrastructure/aws/ingress/README.md

@@ -18,7 +18,7 @@ This module creates two Kubernetes ingress resources, `kubernetes_ingress_v1`, o
 
 ```hcl
 module "ingress" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/ingress?ref=v1.52.0"
 
   certificate_arn = "your-certificate-arn"
 }

infrastructure/aws/security/README.md

@@ -2,24 +2,27 @@
 
 ## Description
 
-This module creates security groups for Istio gateways in an EKS cluster
+Creates AWS security groups for Istio public and private gateways with configurable ingress/egress rules for HTTPS traffic and health checks
 
 ## Architecture
 
-The module uses Terraform to create AWS security groups for public and private Istio gateways, deriving the VPC ID and CIDR block from the provided EKS cluster name. It configures ingress and egress rules for the security groups, allowing traffic from the internet or VPC CIDR block as needed. The module also creates ingress rules on the cluster's primary security group to allow traffic from the gateway security groups when the cluster security group ID is provided.
+The module queries aws_eks_cluster and aws_vpc data sources to derive VPC ID and CIDR block from the cluster name. It creates aws_security_group resources for public and private Istio gateways, each with multiple aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources controlling traffic on port 443 (HTTPS) and port 15021 (health checks). When cluster_security_group_id is provided, additional ingress rules are created on the cluster security group to allow traffic from gateway security groups. Public gateway allows HTTPS from 0.0.0.0/0 while private gateway restricts HTTPS to VPC CIDR. Health check rules can be conditionally created and support additional CIDR blocks via for_each iteration.
 
 ## Features
 
-- Creates security groups for public and private Istio gateways
-- Configures ingress and egress rules for the security groups
-- Derives VPC ID and CIDR block from the provided EKS cluster name
-- Creates ingress rules on the cluster's primary security group to allow traffic from the gateway security groups
+- Creates security group for public Istio gateway with HTTPS open to internet and health checks restricted to VPC CIDR
+- Creates security group for private Istio gateway with all traffic restricted to VPC CIDR only
+- Derives VPC ID and CIDR block automatically from EKS cluster name via data sources
+- Supports additional CIDR blocks for health check and HTTPS ingress rules via for_each iteration
+- Creates optional ingress rules on EKS cluster security group to allow ALB-to-pod traffic on gateway and health check ports
+- Configures separate ingress rules for port 443 (HTTPS) and port 15021 (Istio health checks)
+- Supports overriding derived VPC ID and network CIDR with explicit variable values
 
 ## Basic Usage
 
 ```hcl
 module "security" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v1.52.0"
 
   cluster_name = "your-cluster-name"
 }
@@ -92,13 +95,16 @@ resource "example_resource" "this" {
 <!-- BEGIN_AI_METADATA
 {
   "name": "security",
-  "description": "This module creates security groups for Istio gateways in an EKS cluster",
-  "architecture": "The module uses Terraform to create AWS security groups for public and private Istio gateways, deriving the VPC ID and CIDR block from the provided EKS cluster name. It configures ingress and egress rules for the security groups, allowing traffic from the internet or VPC CIDR block as needed. The module also creates ingress rules on the cluster's primary security group to allow traffic from the gateway security groups when the cluster security group ID is provided.",
+  "description": "Creates AWS security groups for Istio public and private gateways with configurable ingress/egress rules for HTTPS traffic and health checks",
+  "architecture": "The module queries aws_eks_cluster and aws_vpc data sources to derive VPC ID and CIDR block from the cluster name. It creates aws_security_group resources for public and private Istio gateways, each with multiple aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources controlling traffic on port 443 (HTTPS) and port 15021 (health checks). When cluster_security_group_id is provided, additional ingress rules are created on the cluster security group to allow traffic from gateway security groups. Public gateway allows HTTPS from 0.0.0.0/0 while private gateway restricts HTTPS to VPC CIDR. Health check rules can be conditionally created and support additional CIDR blocks via for_each iteration.",
   "features": [
-    "Creates security groups for public and private Istio gateways",
-    "Configures ingress and egress rules for the security groups",
-    "Derives VPC ID and CIDR block from the provided EKS cluster name",
-    "Creates ingress rules on the cluster's primary security group to allow traffic from the gateway security groups"
+    "Creates security group for public Istio gateway with HTTPS open to internet and health checks restricted to VPC CIDR",
+    "Creates security group for private Istio gateway with all traffic restricted to VPC CIDR only",
+    "Derives VPC ID and CIDR block automatically from EKS cluster name via data sources",
+    "Supports additional CIDR blocks for health check and HTTPS ingress rules via for_each iteration",
+    "Creates optional ingress rules on EKS cluster security group to allow ALB-to-pod traffic on gateway and health check ports",
+    "Configures separate ingress rules for port 443 (HTTPS) and port 15021 (Istio health checks)",
+    "Supports overriding derived VPC ID and network CIDR with explicit variable values"
   ],
   "inputs": [
     {
@@ -151,6 +157,6 @@ resource "example_resource" "this" {
     "public_gateway_security_group_id",
     "private_gateway_security_group_id"
   ],
-  "hash": "0c1052c11358ee84e8f79205e8a551e8"
+  "hash": "d053a12e693707e717ac589f29e43bf8"
 }
 END_AI_METADATA -->

infrastructure/aws/vpc/README.md

@@ -22,7 +22,7 @@ This module creates a terraform-aws-modules/vpc/aws module resource with DNS hos
 
 ```hcl
 module "vpc" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v1.52.0"
 
   account      = "your-account"
   organization = "your-organization"

infrastructure/azure/acr/README.md

@@ -18,7 +18,7 @@ The module uses the azurerm_container_registry resource to create the container
 
 ```hcl
 module "acr" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/acr?ref=v1.52.0"
 
   containerregistry_name = "your-containerregistry-name"
   location               = "your-location"

infrastructure/azure/aks/README.md

@@ -20,7 +20,7 @@ The module creates an AKS cluster using the Azure/aks/azurerm Terraform module,
 
 ```hcl
 module "aks" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/aks?ref=v1.52.0"
 
   cluster_name        = "your-cluster-name"
   location            = "your-location"

infrastructure/azure/dns/README.md

@@ -18,7 +18,7 @@ This module creates an azurerm_dns_zone resource and configures it with the prov
 
 ```hcl
 module "dns" {
-  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v1.51.0"
+  source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/azure/dns?ref=v1.52.0"
 
   domain_name         = "your-domain-name"
   resource_group_name = "your-resource-group-name"