Update aws provider to v4.0+ (#22)

* Remove deprecated `aws_subnet_ids` data source * Fix error in `for_each` block * Update aws provider version * Update docs * Remove `aws_login_profile` from examples * Update docs regarding aws profile
Flaconi · Apr 25, 2022 · ad3039b · ad3039b
1 parent 81a1681
commit ad3039b
Show file tree

Hide file tree

Showing 21 changed files with 45 additions and 71 deletions.
diff --git a/README.md b/README.md
@@ -24,9 +24,15 @@ Support for VPN tunnels will be added soon.
 
 ### Credentials
 
-The module starts from the assumption that the `aws_login_profile` allows the
+The module starts from the assumption that your default aws profile allows the
 user to assume the necessary IAM roles, as required, to make the necessary
 changes (and in the case of the `satellite` module, cross-account).
+You can use profile of your need if you set `AWS_PROFILE` or `AWS_DEFAULT_PROFILE`, e.g.:
+
+```shell
+export AWS_DEFAULT_PROFILE=login
+```
+
 
 See [this example][4] to first make sure that the credentials you want to use
 allow for cross-account actions.
@@ -80,14 +86,14 @@ this fact.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.hub"></a> [aws.hub](#provider\_aws.hub) | >= 3 |
-| <a name="provider_aws.satellite"></a> [aws.satellite](#provider\_aws.satellite) | >= 3 |
+| <a name="provider_aws.hub"></a> [aws.hub](#provider\_aws.hub) | >= 4 |
+| <a name="provider_aws.satellite"></a> [aws.satellite](#provider\_aws.satellite) | >= 4 |
 
 ## Modules
 
@@ -112,8 +118,8 @@ No modules.
 | [aws_route_table.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_tables.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
-| [aws_subnet_ids.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
-| [aws_subnet_ids.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
+| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs

diff --git a/data.tf b/data.tf
@@ -7,10 +7,14 @@ data "aws_vpc" "this" {
   }
 }
 
-data "aws_subnet_ids" "this" {
+data "aws_subnets" "this" {
   provider = aws.satellite
   count    = local.create ? 1 : 0
-  vpc_id   = data.aws_vpc.this[0].id
+
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.this[0].id]
+  }
 
   dynamic "filter" {
     for_each = var.attachment_subnet_filters
@@ -21,10 +25,14 @@ data "aws_subnet_ids" "this" {
   }
 }
 
-data "aws_subnet_ids" "private" {
+data "aws_subnets" "private" {
   provider = aws.satellite
   count    = local.create ? 1 : 0
-  vpc_id   = data.aws_vpc.this[0].id
+
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.this[0].id]
+  }
 
   dynamic "filter" {
     for_each = var.private_subnet_filters
@@ -43,7 +51,7 @@ data "aws_route_tables" "all" {
 
 data "aws_route_table" "all" {
   provider = aws.satellite
-  for_each = data.aws_route_tables.all[0].ids
+  for_each = toset(data.aws_route_tables.all[0].ids)
   vpc_id   = data.aws_vpc.this[0].id
 
   filter {

diff --git a/examples/satellite-all/README.md b/examples/satellite-all/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| <a name="input_aws_login_profile"></a> [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | <a name="input_role_to_assume_satellite"></a> [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | <a name="input_attachment_subnet_filters"></a> [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached | <pre>list(object({<br>    name   = string<br>    values = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "name": "tag:Name",<br>    "values": [<br>      "*private*"<br>    ]<br>  }<br>]</pre> | no |

diff --git a/examples/satellite-all/providers.tf b/examples/satellite-all/providers.tf
@@ -1,17 +1,15 @@
 provider "aws" {
-  alias   = "satellite"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "satellite"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
     session_name = "tf-tgw-module-satellite"
   }
 }
 
 provider "aws" {
-  alias   = "hub"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "hub"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
     session_name = "tf-tgw-module-satellite"

diff --git a/examples/satellite-all/variables.auto.tfvars b/examples/satellite-all/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
 
-aws_login_profile = "login"
-
 role_to_assume_hub       = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
 

diff --git a/examples/satellite-all/variables.tf b/examples/satellite-all/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
   type        = bool
 }
 
-variable "aws_login_profile" {
-  description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
-  type        = string
-}
-
 variable "aws_account_id_hub" {
   description = "AWS account number containing the TGW hub"
   type        = string

diff --git a/examples/satellite-default-route-all/README.md b/examples/satellite-default-route-all/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| <a name="input_aws_login_profile"></a> [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | <a name="input_role_to_assume_satellite"></a> [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | <a name="input_attachment_subnet_filters"></a> [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached | <pre>list(object({<br>    name   = string<br>    values = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "name": "tag:Name",<br>    "values": [<br>      "*private*"<br>    ]<br>  }<br>]</pre> | no |

diff --git a/examples/satellite-default-route-all/providers.tf b/examples/satellite-default-route-all/providers.tf
@@ -1,17 +1,15 @@
 provider "aws" {
-  alias   = "satellite"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "satellite"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
     session_name = "tf-tgw-module-satellite"
   }
 }
 
 provider "aws" {
-  alias   = "hub"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "hub"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
     session_name = "tf-tgw-module-satellite"

diff --git a/examples/satellite-default-route-all/variables.auto.tfvars b/examples/satellite-default-route-all/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
 
-aws_login_profile = "login"
-
 role_to_assume_hub       = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
 

diff --git a/examples/satellite-default-route-all/variables.tf b/examples/satellite-default-route-all/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
   type        = bool
 }
 
-variable "aws_login_profile" {
-  description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
-  type        = string
-}
-
 variable "aws_account_id_hub" {
   description = "AWS account number containing the TGW hub"
   type        = string

diff --git a/examples/satellite-default-route/README.md b/examples/satellite-default-route/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| <a name="input_aws_login_profile"></a> [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | <a name="input_role_to_assume_satellite"></a> [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | <a name="input_attachment_subnet_filters"></a> [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached | <pre>list(object({<br>    name   = string<br>    values = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "name": "tag:Name",<br>    "values": [<br>      "*private*"<br>    ]<br>  }<br>]</pre> | no |

diff --git a/examples/satellite-default-route/providers.tf b/examples/satellite-default-route/providers.tf
@@ -1,17 +1,15 @@
 provider "aws" {
-  alias   = "satellite"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "satellite"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
     session_name = "tf-tgw-module-satellite"
   }
 }
 
 provider "aws" {
-  alias   = "hub"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "hub"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
     session_name = "tf-tgw-module-satellite"

diff --git a/examples/satellite-default-route/variables.auto.tfvars b/examples/satellite-default-route/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
 
-aws_login_profile = "login"
-
 role_to_assume_hub       = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
 

diff --git a/examples/satellite-default-route/variables.tf b/examples/satellite-default-route/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
   type        = bool
 }
 
-variable "aws_login_profile" {
-  description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
-  type        = string
-}
-
 variable "aws_account_id_hub" {
   description = "AWS account number containing the TGW hub"
   type        = string

diff --git a/examples/satellite/README.md b/examples/satellite/README.md
@@ -25,7 +25,6 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id_hub"></a> [aws\_account\_id\_hub](#input\_aws\_account\_id\_hub) | AWS account number containing the TGW hub | `string` | n/a | yes |
 | <a name="input_aws_account_id_satellite"></a> [aws\_account\_id\_satellite](#input\_aws\_account\_id\_satellite) | List of AWS account numbers representing the satellites of the TGW | `list(string)` | n/a | yes |
-| <a name="input_aws_login_profile"></a> [aws\_login\_profile](#input\_aws\_login\_profile) | Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles | `string` | n/a | yes |
 | <a name="input_role_to_assume_hub"></a> [role\_to\_assume\_hub](#input\_role\_to\_assume\_hub) | IAM role name to assume in the AWS account containing the TGW hub (eg. ASSUME-ROLE-HUB) | `string` | n/a | yes |
 | <a name="input_role_to_assume_satellite"></a> [role\_to\_assume\_satellite](#input\_role\_to\_assume\_satellite) | IAM role name to assume in the AWS account containing the TGW satellite (eg. ASSUME-ROLE-SATELLITE) | `string` | n/a | yes |
 | <a name="input_attachment_subnet_filters"></a> [attachment\_subnet\_filters](#input\_attachment\_subnet\_filters) | List of maps selecting the subnet(s) where TGW will be attached | <pre>list(object({<br>    name   = string<br>    values = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "name": "tag:Name",<br>    "values": [<br>      "*private*"<br>    ]<br>  }<br>]</pre> | no |

diff --git a/examples/satellite/providers.tf b/examples/satellite/providers.tf
@@ -1,17 +1,15 @@
 provider "aws" {
-  alias   = "satellite"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "satellite"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${local.aws_account_id_satellite}:role/${var.role_to_assume_satellite}"
     session_name = "tf-tgw-module-satellite"
   }
 }
 
 provider "aws" {
-  alias   = "hub"
-  region  = "eu-central-1"
-  profile = var.aws_login_profile
+  alias  = "hub"
+  region = "eu-central-1"
   assume_role {
     role_arn     = "arn:aws:iam::${var.aws_account_id_hub}:role/${var.role_to_assume_hub}"
     session_name = "tf-tgw-module-satellite"

diff --git a/examples/satellite/variables.auto.tfvars b/examples/satellite/variables.auto.tfvars
@@ -1,7 +1,5 @@
 satellite_create = true
 
-aws_login_profile = "login"
-
 role_to_assume_hub       = "ASSUME-ENG-CI"
 role_to_assume_satellite = "ASSUME-ENG-CI"
 

diff --git a/examples/satellite/variables.tf b/examples/satellite/variables.tf
@@ -4,11 +4,6 @@ variable "satellite_create" {
   type        = bool
 }
 
-variable "aws_login_profile" {
-  description = "Name of the AWS login profile as seen under ~/.aws/config used for assuming cross-account roles"
-  type        = string
-}
-
 variable "aws_account_id_hub" {
   description = "AWS account number containing the TGW hub"
   type        = string

diff --git a/locals.tf b/locals.tf
@@ -29,6 +29,6 @@ locals {
 
   subnets_with_rt_associations = toset(flatten([for rt in data.aws_route_table.all : rt.associations[*].subnet_id]))
 
-  private_subnets_with_rt = setintersection(data.aws_subnet_ids.private[0].ids, local.subnets_with_rt_associations)
+  private_subnets_with_rt = setintersection(data.aws_subnets.private[0].ids, local.subnets_with_rt_associations)
 
 }
diff --git a/main.tf b/main.tf
@@ -1,7 +1,7 @@
 resource "aws_ec2_transit_gateway_vpc_attachment" "this" {
   provider           = aws.satellite
   count              = local.create ? 1 : 0
-  subnet_ids         = data.aws_subnet_ids.this[0].ids
+  subnet_ids         = data.aws_subnets.this[0].ids
   transit_gateway_id = local.transit_gateway_id
   vpc_id             = data.aws_vpc.this[0].id
 
@@ -56,7 +56,7 @@ resource "aws_network_acl" "private" {
   provider   = aws.satellite
   count      = local.create && var.private_subnets_strict_acl_rules ? 1 : 0
   vpc_id     = data.aws_vpc.this[0].id
-  subnet_ids = data.aws_subnet_ids.private[0].ids
+  subnet_ids = data.aws_subnets.private[0].ids
 }
 
 resource "aws_network_acl_rule" "private_default_egress" {

diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3"
+      version = ">= 4"
       configuration_aliases = [
         aws.hub,
         aws.satellite