Skip to content

v6.0.0
Compare
Choose a tag to compare
@antonbabenko antonbabenko released this 13 Aug 19:51
· 8 commits to master since this release
v6.0.0
4d779a5

6.0.0 (2025-08-13)

⚠ BREAKING CHANGES

  • Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively (#585)

See docs/UPGRADE-6.0.md for further details

List of backwards incompatible changes

  • Terraform v1.5.7 is now minimum supported version

  • AWS provider v6.0.0 is now minimum supported version

  • The ability to allow roles to assume their own roles has been removed. This was previously added as part of helping users mitigate https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. Going forward, users will need to mitigate this on the application side (i.e. - do not have a role assume itself), or update the trust policy in their implementation to continue using this behavior. It is strongly recommended to mitigate this by not having the role assume itself.

  • iam-account:

    • The aws_caller_identity data source and associated outputs have been removed. Users should instead use the data source directly in their configuration

  • iam-assumable-role has been renamed to iam-role

  • iam-assumable-role-with-oidc has been merged into iam-role

  • iam-assumable-role-with-saml has been merged into iam-role

  • iam-assumable-roles has been removed; iam-role should be used instead

  • iam-assumable-roles-with-saml has been removed; iam-role should be used instead

  • iam-github-oidc-provider has been renamed to iam-oidc-provider

  • iam-github-oidc-role has been merged into iam-role

  • iam-group-with-policies has been renamed to iam-group

  • iam-group-with-assumable-roles-policy has been merged into iam-group

  • iam-eks-role has been removed; iam-role-for-service-accounts or eks-pod-identity should be used instead

  • iam-role-for-service-accounts-eks has been renamed to iam-role-for-service-accounts

    • Individual policy creation and attachment has been consolidated under one policy creation and attachment
    • Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
    • AppMesh policy support has been removed due to service reaching end of support

Additional changes

Modified

  • Variable definitions now contain detailed object types in place of the previously used any type

  • iam-group

    • Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
    • The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via permissions
    • Default create conditional is now true instead of false

  • iam-role

    • The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic trust_policy_permissions variable. This allows for any number of custom statements to be added to the role's trust policy.
    • custom_role_policy_arns has been renamed to policies and now accepts a map of name: policy-arn pairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associated attach_*_policy variables.
    • Default create conditional is now true instead of false
    • force_detach_policies has been removed; this is now always true
    • Support for inline policies has been added

  • iam-role-for-service-accounts

    • Support for inline policies has been added
Assets 2
Loading