fix: Update examples to resolve CI errors for outdated modules

Author: bryantbiggs

examples/log-account-policy/README.md

@@ -21,27 +21,20 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_audit_destination_group"></a> [audit\_destination\_group](#module\_audit\_destination\_group) | ../../modules/log-group | n/a |
-| <a name="module_cw_logs_to_firehose"></a> [cw\_logs\_to\_firehose](#module\_cw\_logs\_to\_firehose) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
-| <a name="module_cw_logs_to_firehose_policy"></a> [cw\_logs\_to\_firehose\_policy](#module\_cw\_logs\_to\_firehose\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| <a name="module_cw_logs_to_firehose_iam_role"></a> [cw\_logs\_to\_firehose\_iam\_role](#module\_cw\_logs\_to\_firehose\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
 | <a name="module_excluded_log_group"></a> [excluded\_log\_group](#module\_excluded\_log\_group) | ../../modules/log-group | n/a |
-| <a name="module_firehose_to_s3"></a> [firehose\_to\_s3](#module\_firehose\_to\_s3) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.0 |
-| <a name="module_firehose_to_s3_policy"></a> [firehose\_to\_s3\_policy](#module\_firehose\_to\_s3\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.0 |
+| <a name="module_firehose_to_s3_iam_role"></a> [firehose\_to\_s3\_iam\_role](#module\_firehose\_to\_s3\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-role | ~> 6.0 |
 | <a name="module_log_account_data_retention_policy"></a> [log\_account\_data\_retention\_policy](#module\_log\_account\_data\_retention\_policy) | ../../modules/log-account-policy | n/a |
 | <a name="module_log_account_subscription_filter_policy"></a> [log\_account\_subscription\_filter\_policy](#module\_log\_account\_subscription\_filter\_policy) | ../../modules/log-account-policy | n/a |
 | <a name="module_log_group"></a> [log\_group](#module\_log\_group) | ../../modules/log-group | n/a |
-| <a name="module_logs_bucket"></a> [logs\_bucket](#module\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
+| <a name="module_logs_bucket"></a> [logs\_bucket](#module\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_kinesis_firehose_delivery_stream.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.custom_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cw_logs_to_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.firehose_to_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 

examples/log-account-policy/main.tf

@@ -2,10 +2,6 @@ provider "aws" {
   region = "eu-west-1"
 }
 
-data "aws_region" "current" {}
-
-data "aws_caller_identity" "current" {}
-
 module "log_group" {
   source = "../../modules/log-group"
 
@@ -53,15 +49,13 @@ module "log_account_subscription_filter_policy" {
     {
       DestinationArn = aws_kinesis_firehose_delivery_stream.logs.arn
       FilterPattern  = "%test%"
-      RoleArn        = module.cw_logs_to_firehose.iam_role_arn
+      RoleArn        = module.cw_logs_to_firehose_iam_role.arn
     }
   )
   log_account_policy_selection_criteria = "LogGroupName NOT IN [\"${module.excluded_log_group.cloudwatch_log_group_name}\"]"
 
   depends_on = [
     aws_kinesis_firehose_delivery_stream.logs,
-    module.cw_logs_to_firehose,
-    module.cw_logs_to_firehose_policy
   ]
 }
 
@@ -75,7 +69,7 @@ resource "random_pet" "this" {
 
 module "logs_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   bucket_prefix = "${random_pet.this.id}-logs"
 
@@ -87,116 +81,82 @@ resource "aws_kinesis_firehose_delivery_stream" "logs" {
   destination = "extended_s3"
 
   extended_s3_configuration {
-    role_arn   = module.firehose_to_s3.iam_role_arn
+    role_arn   = module.firehose_to_s3_iam_role.arn
     bucket_arn = module.logs_bucket.s3_bucket_arn
     prefix     = "from-firehose-logs/"
   }
 }
 
-module "firehose_to_s3" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "~> 5.0"
-
-  trusted_role_services = [
-    "firehose.amazonaws.com"
-  ]
-
-  create_role = true
-
-  role_name_prefix  = "${random_pet.this.id}-firehose-to-s3-"
-  role_requires_mfa = false
-
-  custom_role_policy_arns = [
-    module.firehose_to_s3_policy.arn
-  ]
-}
-
-module "firehose_to_s3_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "~> 5.0"
-
-  name        = "${random_pet.this.id}-firehose-to-s3"
-  path        = "/"
-  description = "Pipes logging firehose to s3 policy"
-
-  policy = data.aws_iam_policy_document.firehose_to_s3.json
-}
-
-data "aws_iam_policy_document" "firehose_to_s3" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "s3:AbortMultipartUpload",
-      "s3:GetBucketLocation",
-      "s3:GetObject",
-      "s3:ListBucket",
-      "s3:ListBucketMultipartUploads",
-      "s3:PutObject",
-    ]
-
-    resources = [
-      module.logs_bucket.s3_bucket_arn,
-      "${module.logs_bucket.s3_bucket_arn}/*",
-    ]
-  }
-}
-
-module "cw_logs_to_firehose" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "~> 5.0"
-
-  create_role = true
-
-  role_name_prefix                = "${random_pet.this.id}-cw-logs-to-firehose-"
-  role_requires_mfa               = false
-  create_custom_role_trust_policy = true
-  custom_role_trust_policy        = data.aws_iam_policy_document.custom_trust_policy.json
-
-  custom_role_policy_arns = [
-    module.cw_logs_to_firehose_policy.arn
-  ]
-}
-
-data "aws_iam_policy_document" "custom_trust_policy" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-
-    condition {
-      test     = "StringLike"
-      variable = "aws:SourceArn"
-      values   = ["arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:*"]
+module "firehose_to_s3_iam_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
+  version = "~> 6.0"
+
+  name = "${random_pet.this.id}-firehose-to-s3-"
+
+  trust_policy_permissions = {
+    TrustRoleAndServiceToAssume = {
+      actions = [
+        "sts:AssumeRole",
+        "sts:TagSession",
+      ]
+      principals = [{
+        type = "Service"
+        identifiers = [
+          "firehose.amazonaws.com"
+        ]
+      }]
     }
+  }
 
-    principals {
-      identifiers = ["logs.amazonaws.com"]
-      type        = "Service"
+  create_inline_policy = true
+  inline_policy_permissions = {
+    FirehoseToS3 = {
+      actions = [
+        "s3:AbortMultipartUpload",
+        "s3:GetBucketLocation",
+        "s3:GetObject",
+        "s3:ListBucket",
+        "s3:ListBucketMultipartUploads",
+        "s3:PutObject",
+      ]
+      resources = [
+        module.logs_bucket.s3_bucket_arn,
+        "${module.logs_bucket.s3_bucket_arn}/*",
+      ]
     }
   }
 }
 
-module "cw_logs_to_firehose_policy" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "~> 5.0"
-
-  name        = "${random_pet.this.id}-cw-logs-to-firehose"
-  path        = "/"
-  description = "Cloudwatch logs to firehose policy"
-
-  policy = data.aws_iam_policy_document.cw_logs_to_firehose.json
-}
-
-data "aws_iam_policy_document" "cw_logs_to_firehose" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "firehose:PutRecord",
-    ]
+module "cw_logs_to_firehose_iam_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
+  version = "~> 6.0"
+
+  name = "${random_pet.this.id}-cw-logs-to-firehose-"
+
+  trust_policy_permissions = {
+    TrustRoleAndServiceToAssume = {
+      actions = [
+        "sts:AssumeRole",
+        "sts:TagSession",
+      ]
+      principals = [{
+        type = "Service"
+        identifiers = [
+          "logs.amazonaws.com"
+        ]
+      }]
+    }
+  }
 
-    resources = [
-      aws_kinesis_firehose_delivery_stream.logs.arn,
-    ]
+  create_inline_policy = true
+  inline_policy_permissions = {
+    CwLogsToFirehose = {
+      actions = [
+        "firehose:PutRecord",
+      ]
+      resources = [
+        aws_kinesis_firehose_delivery_stream.logs.arn,
+      ]
+    }
   }
 }

examples/log-anomaly-detector/README.md

@@ -18,7 +18,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 |
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 4.0 |
 | <a name="module_log_anomaly_detector"></a> [log\_anomaly\_detector](#module\_log\_anomaly\_detector) | ../../modules/log-anomaly-detector | n/a |
 | <a name="module_log_group"></a> [log\_group](#module\_log\_group) | ../../modules/log-group | n/a |
 

examples/log-anomaly-detector/main.tf

@@ -34,8 +34,9 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 module "kms" {
-  source      = "terraform-aws-modules/kms/aws"
-  version     = "~> 1.0"
+  source  = "terraform-aws-modules/kms/aws"
+  version = "~> 4.0"
+
   description = "KMS key for log anomaly detection"
 
   key_owners = [data.aws_caller_identity.current.arn]