docs: Add UPGRADE guide

bryantbiggs · bryantbiggs · commit de14c8922085 · 2025-08-26T15:48:24.000-05:00
diff --git a/README.md b/README.md
diff --git a/docs/UPGRADE-10.0.md b/docs/UPGRADE-10.0.md
@@ -0,0 +1,103 @@
+# Upgrade from v9.x to v10.x
+
+Please consult the `examples` directory for reference example configurations. If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Terraform `v1.5.7` is now minimum supported version
+- AWS provider `v6.5` is now minimum supported version
+
+## Additional changes
+
+### Added
+
+- Support for `region` parameter to specify the AWS region for the resources created if different from the provider region.
+
+### Modified
+
+- Variable definitions now contain detailed `object` types in place of the previously used any type.
+- Security group rules now use a default naming scheme of `<security-group-name>-<map-key>` unless a more specific rule name is provided.
+- `rule.actions.type` has been replaced with `rule.actions.<type>`. See before/after below for more details.
+- `query_string` supports a list of key:value pairs; type definition updated to support this (i.e. was `map(string)` and is now `list(map(string))`)
+
+### Removed
+
+- None
+
+### Variable and output changes
+
+1. Removed variables:
+
+   - None
+
+2. Renamed variables:
+
+   - None
+
+3. Added variables:
+
+   - None
+
+4. Removed outputs:
+
+   - None
+
+5. Renamed outputs:
+
+   - None
+
+6. Added outputs:
+
+   - None
+
+## Upgrade Migrations
+
+### Diff of Before vs After
+
+```hcl
+ module "alb" {
+   source  = "terraform-aws-modules/alb/aws"
+-  version = "9.17.0"
++  version = "10.0.0"
+
+  listeners = {
+    ex-http-https-redirect = {
+      port     = 80
+      protocol = "HTTP"
+      redirect = {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+
+      rules = {
+        ex-fixed-response = {
+          priority = 3
+          actions = [{
+            # Same for all action types, not just `fixed_response`
+-            type         = "fixed-response"
++            fixed_response = {
+               content_type = "text/plain"
+               status_code  = 200
+               message_body = "This is a fixed response"
++            }
+          }]
+
+          conditions = [{
+-            query_string = {
++            query_string = [{
+              key   = "weighted"
+              value = "true"
+-            }
++            }]
+          }]
+        }
+      }
+    }
+  }
+}
+```
+
+## Terraform State Moves
+
+None required
diff --git a/docs/patterns.md b/docs/patterns.md
@@ -226,12 +226,12 @@ module "alb" {
       weighted_forward = {
         target_groups = [
           {
-            target_group_key = "ex-lambda-with-trigger"
-            weight           = 60
+            key    = "ex-lambda-with-trigger"
+            weight = 60
           },
           {
-            target_group_key = "ex-lambda-without-trigger"
-            weight           = 40
+            key    = "ex-lambda-without-trigger"
+            weight = 40
           }
         ]
       }
@@ -257,7 +257,7 @@ module "alb" {
 
 module "lambda_with_allowed_triggers" {
   source  = "terraform-aws-modules/lambda/aws"
-  version = "~> 6.0"
+  version = "~> 8.0"
 
   # Truncated for brevity ...
 
@@ -271,7 +271,7 @@ module "lambda_with_allowed_triggers" {
 
 module "lambda_without_allowed_triggers" {
   source  = "terraform-aws-modules/lambda/aws"
-  version = "~> 6.0"
+  version = "~> 8.0"
 
   # Truncated for brevity ...
 
diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md
@@ -64,7 +64,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"sharedservices.clowd.haus"` | no |
 
 ## Outputs
 
diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf
@@ -67,10 +67,6 @@ module "alb" {
     prefix  = "connection-logs"
   }
 
-  minimum_load_balancer_capacity = {
-    capacity_units = 10
-  }
-
   client_keep_alive = 7200
 
   listeners = {
@@ -165,12 +161,12 @@ module "alb" {
       weighted_forward = {
         target_groups = [
           {
-            key    = "ex-lambda-with-trigger"
-            weight = 60
+            target_group_key = "ex-lambda-with-trigger"
+            weight           = 60
           },
           {
-            key    = "ex-instance"
-            weight = 40
+            target_group_key = "ex-instance"
+            weight           = 40
           }
         ]
       }
@@ -248,12 +244,12 @@ module "alb" {
             weighted_forward = {
               target_groups = [
                 {
-                  key    = "ex-instance"
-                  weight = 2
+                  target_group_key = "ex-instance"
+                  weight           = 2
                 },
                 {
-                  key    = "ex-lambda-with-trigger"
-                  weight = 1
+                  target_group_key = "ex-lambda-with-trigger"
+                  weight           = 1
                 }
               ]
               stickiness = {
@@ -375,53 +371,6 @@ module "alb" {
         target_group_key = "ex-instance"
       }
     }
-
-    ex-response-headers = {
-      port            = "443"
-      protocol        = "HTTPS"
-      ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
-      certificate_arn = module.acm.acm_certificate_arn
-
-      fixed_response = {
-        content_type = "text/plain"
-        message_body = "Fixed message"
-        status_code  = "200"
-      }
-
-      routing_http_response_server_enabled                                = false
-      routing_http_response_strict_transport_security_header_value        = "max-age=31536000; includeSubDomains; preload"
-      routing_http_response_access_control_allow_origin_header_value      = "https://example.com"
-      routing_http_response_access_control_allow_methods_header_value     = "TRACE,GET"
-      routing_http_response_access_control_allow_headers_header_value     = "Accept-Language,Content-Language"
-      routing_http_response_access_control_allow_credentials_header_value = "true"
-      routing_http_response_access_control_expose_headers_header_value    = "Cache-Control"
-      routing_http_response_access_control_max_age_header_value           = 86400
-      routing_http_response_content_security_policy_header_value          = "*"
-      routing_http_response_x_content_type_options_header_value           = "nosniff"
-      routing_http_response_x_frame_options_header_value                  = "SAMEORIGIN"
-    }
-
-    ex-request-headers = {
-      port            = "443"
-      protocol        = "HTTPS"
-      ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
-      certificate_arn = module.acm.acm_certificate_arn
-
-      fixed_response = {
-        content_type = "text/plain"
-        message_body = "Fixed message"
-        status_code  = "200"
-      }
-
-      routing_http_request_x_amzn_tls_version_header_name                   = "X-Amzn-Tls-Version-Custom"
-      routing_http_request_x_amzn_tls_cipher_suite_header_name              = "X-Amzn-Tls-Cipher-Suite-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_header_name               = "X-Amzn-Mtls-Clientcert-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name = "X-Amzn-Mtls-Clientcert-Serial-Number-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_issuer_header_name        = "X-Amzn-Mtls-Clientcert-Issuer-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_subject_header_name       = "X-Amzn-Mtls-Clientcert-Subject-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_validity_header_name      = "X-Amzn-Mtls-Clientcert-Validity-Custom"
-      routing_http_request_x_amzn_mtls_clientcert_leaf_header_name          = "X-Amzn-Mtls-Clientcert-Leaf-Custom"
-    }
   }
 
   target_groups = {
@@ -598,16 +547,22 @@ module "acm" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 6.0"
 
-  domain_name = var.domain_name
-  zone_id     = data.aws_route53_zone.this.id
+  domain_name       = var.domain_name
+  zone_id           = data.aws_route53_zone.this.id
+  validation_method = "DNS"
+
+  tags = local.tags
 }
 
 module "wildcard_cert" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 6.0"
 
-  domain_name = "*.${var.domain_name}"
-  zone_id     = data.aws_route53_zone.this.id
+  domain_name       = "*.${var.domain_name}"
+  zone_id           = data.aws_route53_zone.this.id
+  validation_method = "DNS"
+
+  tags = local.tags
 }
 
 data "aws_ssm_parameter" "al2023" {
diff --git a/examples/complete-alb/variables.tf b/examples/complete-alb/variables.tf
@@ -1,5 +1,6 @@
 variable "domain_name" {
   description = "The domain name for which the certificate should be issued"
   type        = string
-  default     = "terraform-aws-modules.modules.tf"
+  # default     = "terraform-aws-modules.modules.tf"
+  default = "sharedservices.clowd.haus"
 }
diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md
@@ -51,7 +51,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"sharedservices.clowd.haus"` | no |
 
 ## Outputs
 
diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf
@@ -197,8 +197,11 @@ module "acm" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 6.0"
 
-  domain_name = var.domain_name
-  zone_id     = data.aws_route53_zone.this.id
+  domain_name       = var.domain_name
+  zone_id           = data.aws_route53_zone.this.id
+  validation_method = "DNS"
+
+  tags = local.tags
 }
 
 resource "aws_eip" "this" {
diff --git a/examples/complete-nlb/variables.tf b/examples/complete-nlb/variables.tf
@@ -1,5 +1,6 @@
 variable "domain_name" {
   description = "The domain name for which the certificate should be issued"
   type        = string
-  default     = "terraform-aws-modules.modules.tf"
+  # default     = "terraform-aws-modules.modules.tf"
+  default = "sharedservices.clowd.haus"
 }
diff --git a/examples/mutual-auth-alb/main.tf b/examples/mutual-auth-alb/main.tf
@@ -237,8 +237,11 @@ module "acm" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 6.0"
 
-  domain_name = "*.${var.domain_name}"
-  zone_id     = data.aws_route53_zone.this.id
+  domain_name       = "*.${var.domain_name}"
+  zone_id           = data.aws_route53_zone.this.id
+  validation_method = "DNS"
+
+  tags = local.tags
 }
 
 resource "null_resource" "generate_crl" {
diff --git a/main.tf b/main.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -226,12 +226,12 @@ module "alb" {`
`226`	`226`	`weighted_forward = {`
`227`	`227`	`target_groups = [`
`228`	`228`	`{`
`229`		`- target_group_key = "ex-lambda-with-trigger"`
`230`		`- weight = 60`
	`229`	`+ key = "ex-lambda-with-trigger"`
	`230`	`+ weight = 60`
`231`	`231`	`},`
`232`	`232`	`{`
`233`		`- target_group_key = "ex-lambda-without-trigger"`
`234`		`- weight = 40`
	`233`	`+ key = "ex-lambda-without-trigger"`
	`234`	`+ weight = 40`
`235`	`235`	`}`
`236`	`236`	`]`
`237`	`237`	`}`
`@@ -257,7 +257,7 @@ module "alb" {`
`257`	`257`
`258`	`258`	`module "lambda_with_allowed_triggers" {`
`259`	`259`	`source = "terraform-aws-modules/lambda/aws"`
`260`		`- version = "~> 6.0"`
	`260`	`+ version = "~> 8.0"`
`261`	`261`
`262`	`262`	`# Truncated for brevity ...`
`263`	`263`
`@@ -271,7 +271,7 @@ module "lambda_with_allowed_triggers" {`
`271`	`271`
`272`	`272`	`module "lambda_without_allowed_triggers" {`
`273`	`273`	`source = "terraform-aws-modules/lambda/aws"`
`274`		`- version = "~> 6.0"`
	`274`	`+ version = "~> 8.0"`
`275`	`275`
`276`	`276`	`# Truncated for brevity ...`
`277`	`277`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`variable "domain_name" {`
`2`	`2`	`description = "The domain name for which the certificate should be issued"`
`3`	`3`	`type = string`
`4`		`- default = "terraform-aws-modules.modules.tf"`
	`4`	`+ # default = "terraform-aws-modules.modules.tf"`
	`5`	`+ default = "sharedservices.clowd.haus"`
`5`	`6`	`}`