feat!: Refactor module to align with current standards, add missing addtional Redshift resources to module (#61)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.62.3
+    rev: v1.72.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v4.3.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -0,0 +1,242 @@
+# Upgrade from v3.x to v4.x
+
+Please consult the `examples` directory for reference example configurations. If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Minimum supported version of Terraform AWS provider updated to v4.17 to support latest resources
+- Minimum supported version of Terraform updated to v1.0
+- `create` variable added to control whether all resources are created or not. This means that all resources now use the zeroth index `[0]` in the resource name
+
+## Additional changes
+
+### Added
+
+- Support for generating a random password for the `master_password`
+- `aws_redshift_snapshot_schedule` resource including the variables and outputs used to support it
+- `aws_redshift_snapshot_schedule_association` resource including the variables and outputs used to support it
+- `aws_redshift_scheduled_action` resource including support for creating the IAM role and policies plus the associated variables and outputs to support
+- `aws_redshift_usage_limit` resource including the variables and outputs used to support it
+- `aws_redshift_authentication_profile` resource including the variables and outputs used to support it
+- `aws_redshift_cluster_iam_roles` resource including the variables and outputs used to support it
+
+### Modified
+
+- `number_of_nodes` default value of `3` changed to `1`
+- `cluster_version` default value of `"1.0"` changed to `null`
+- `master_username` default value of `"awsuser"` added
+- `encrypted` default value changed to `true`
+- By default, a randomly generated password of length `16` is used for the `master_password`
+- `master_password` variable marked as `sensitive`
+
+### Removed
+
+- None
+
+### Variable and output changes
+
+1. Removed variables:
+
+  - Parameter Group
+    - `wlm_json_configuration`, `require_ssl`, `use_fips_ssl`, `enable_user_activity_logging`, `max_concurrency_scaling_clusters`, `enable_case_sensitive_identifier` have been replaced by the use of `parameter_group_parameters` where any/all of these values can be set as well as others not listed here.
+
+2. Renamed variables:
+
+  - Cluster
+    - Cluster variables that per the AWS provider do not start with `cluster_` have been renamed to remove the `cluster_` prefix.
+    - `enable_logging`, `logging_bucket_name`, and `logging_s3_key_prefix` have been replaced with the top level variable `logging` where their equivalent parameters `enable`, `bucket_name`, and `s3_key_prefix` are set, and support for new parameters `log_destination_type`, and `log_exports` have been added.
+    - `snapshot_copy_destination_region`, `automated_snapshot_retention_period`, `snapshot_copy_grant_name` have been replaced with the top level variable `snapshot_copy` where their equivalent parameters `destination_region`, `retention_period`, and `grant_name` are set.
+    - `iam_roles` has been renamed to `iam_role_arns` to match API of `aws_redshift_cluster_iam_roles` resource now used
+
+  - Parameter Group
+    - `cluster_parameter_group` ->`parameter_group_family`
+
+  - Subnet Group
+    - `redshift_subnet_group_name` -> `subnet_group_name`: Note: this was not previously used in the manner it was intended. The `cluster_identifier` was used as the name of the subnet group. This has now been corrected
+    - `subnets` -> `subnet_ids` to match AWS provider
+
+3. Added variables:
+
+  ## Cluster
+    - `create` which affects all resources
+    - `create_random_password` and `random_password_length` to support generating a random password for the `master_password`
+    - `apply_immediately`
+    - `aqua_configuration_status`
+    - `availability_zone`
+    - `availability_zone_relocation_enabled`
+    - `default_iam_role_arn`
+    - `maintenance_track_name`
+    - `manual_snapshot_retention_period`
+    - `cluster_timeouts` to support setting `create`, `update`, and `delete` timeout durations
+
+  - Parameter Group
+    - `create_parameter_group` was added to replace `length(var.parameter_group_name) > 0` logic
+    - `parameter_group_name`
+    - `parameter_group_parameters` which allows users to set any number of parameters, replacing the previously hardcoed parameters
+    - `parameter_group_tags`
+
+  - Subnet Group
+    - `create_subnet_group` was added to replace `var.redshift_subnet_group_name == ""` logic
+    - `subnet_group_description` was added to replace the hardcoded description used previously
+    - `subnet_group_tags`
+
+4. Removed outputs:
+
+    - None
+
+5. Renamed outputs:
+
+    - The preceding `redshift_` prefix has been removed from all outputs
+
+6. Added outputs:
+
+    - `cluster_dns_name`
+    - `parameter_group_arn`
+    - `subnet_group_arn`
+
+## Upgrade Migrations
+
+### Before v3.x Example
+
+```hcl
+module "redshift" {
+  source  = "terraform-aws-modules/redshift/aws"
+  version = "3.4.1"
+
+  cluster_identifier      = local.name
+  cluster_node_type       = "dc2.large"
+  cluster_number_of_nodes = 1
+
+  cluster_database_name   = "mydb"
+  cluster_master_username = "mydbuser"
+  cluster_master_password = "MySecretPassw0rd"
+
+  subnets                = module.vpc.redshift_subnets
+  vpc_security_group_ids = [module.sg.security_group_id]
+}
+```
+
+### After v4.x Example
+
+```hcl
+module "redshift" {
+  source  = "terraform-aws-modules/redshift/aws"
+  version = "4.0.0"
+
+  cluster_identifier = local.name
+  node_type          = "dc2.large"
+  number_of_nodes    = 1
+
+  database_name   = "mydb"
+  master_username = "mydbuser"
+  master_password = "MySecretPassw0rd"
+
+  subnet_ids             = module.vpc.redshift_subnets
+  vpc_security_group_ids = [module.sg.security_group_id]
+
+  # Maintain v3.x settings
+  encrypted                           = false
+  automated_snapshot_retention_period = 0
+  parameter_group_name                = "${local.name}-redshift-1-0-custom-params"
+  parameter_group_parameters = {
+    wlm_json_configuration = {
+      name = "wlm_json_configuration"
+      value = jsonencode([
+        {
+          query_concurrency = 5
+        }
+      ])
+    }
+    require_ssl = {
+      name  = "require_ssl"
+      value = false
+    }
+    use_fips_ssl = {
+      name  = "use_fips_ssl"
+      value = false
+    }
+    enable_user_activity_logging = {
+      name  = "enable_user_activity_logging"
+      value = false
+    }
+    max_concurrency_scaling_clusters = {
+      name  = "max_concurrency_scaling_clusters"
+      value = 1
+    }
+    enable_case_sensitive_identifier = {
+      name  = "enable_case_sensitive_identifier"
+      value = false
+    }
+  }
+  subnet_group_description = "Redshift subnet group of ${local.name}"
+  create_random_password   = false
+}
+```
+
+### Diff of Before vs After
+
+```diff
+module "redshift" {
+  source  = "terraform-aws-modules/redshift/aws"
+- version = "3.4.1"
++ version = "4.0.0"
+
+  cluster_identifier       = local.name
+-  cluster_node_type       = "dc2.large"
++  node_type               = "dc2.large"
+-  cluster_number_of_nodes = 1
++  number_of_nodes         = 1
+
+-  cluster_database_name   = "mydb"
++  database_name           = "mydb"
+-  cluster_master_username = "mydbuser"
++  master_username         = "mydbuser"
+-  cluster_master_password = "MySecretPassw0rd"
++  master_password         = "MySecretPassw0rd"
+
+-  subnets               = module.vpc.redshift_subnets
++  subnet_ids            = module.vpc.redshift_subnets
+  vpc_security_group_ids = [module.sg.security_group_id]
+
++  # Maintain v3.x settings
++  encrypted                           = false
++  automated_snapshot_retention_period = 0
++  parameter_group_name                = "${local.name}-redshift-1-0-custom-params"
++  parameter_group_parameters = {
++    wlm_json_configuration = {
++      name = "wlm_json_configuration"
++      value = jsonencode([
++        {
++          query_concurrency = 5
++        }
++      ])
++    }
++    require_ssl = {
++      name  = "require_ssl"
++      value = false
++    }
++    use_fips_ssl = {
++      name  = "use_fips_ssl"
++      value = false
++    }
++    enable_user_activity_logging = {
++      name  = "enable_user_activity_logging"
++      value = false
++    }
++    max_concurrency_scaling_clusters = {
++      name  = "max_concurrency_scaling_clusters"
++      value = 1
++    }
++    enable_case_sensitive_identifier = {
++      name  = "enable_case_sensitive_identifier"
++      value = false
++    }
++  }
++  subnet_group_description = "Redshift subnet group of ${local.name}"
++  create_random_password   = false
+}
+```
+
+### State Move Commands
+
+None required

UPGRADE-4.0.md

@@ -0,0 +1,8 @@
+# Examples
+
+Please note - the examples provided serve two primary means:
+
+1. Show users working examples of the various ways in which the module can be configured and features supported
+2. A means of testing/validating module changes
+
+Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.

examples/README.md

@@ -1,6 +1,10 @@
 # Complete Redshift example
 
-Configuration in this directory creates VPC with Redshift subnet, security group and Redshift cluster itself.
+Configuration in this directory creates AWS Redshift clusters with demonstrating the various methods of configuring/customizing:
+
+- A disabled cluster
+- A default, "out of the box" Redshift cluster
+- A "complete" cluster demonstrating the broad array of configurations including the use of snapshot copy grants. NOTE: the term "complete" here is used to denote the "compete array of configurations offered" and is not representative of recommended/best practices for provisioning a Redshift cluster. Users should refer to the AWS documenation for recommended practices for provisioning a Redshift cluster.
 
 ## Usage
 
@@ -19,24 +23,40 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.31 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.25 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.17 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.17 |
+| <a name="provider_aws.us_east_1"></a> [aws.us\_east\_1](#provider\_aws.us\_east\_1) | >= 4.17 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_default"></a> [default](#module\_default) | ../../ | n/a |
+| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../ | n/a |
 | <a name="module_redshift"></a> [redshift](#module\_redshift) | ../../ | n/a |
-| <a name="module_sg"></a> [sg](#module\_sg) | terraform-aws-modules/security-group/aws//modules/redshift | ~> 4.0 |
+| <a name="module_s3_logs"></a> [s3\_logs](#module\_s3\_logs) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws//modules/redshift | ~> 4.0 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_kms_key.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.redshift_us_east_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_redshift_snapshot_copy_grant.useast1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_snapshot_copy_grant) | resource |
+| [aws_redshift_subnet_group.endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.s3_redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_redshift_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/redshift_service_account) | data source |
 
 ## Inputs
 
@@ -46,10 +66,41 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_redshift_cluster_endpoint"></a> [redshift\_cluster\_endpoint](#output\_redshift\_cluster\_endpoint) | Redshift endpoint |
-| <a name="output_redshift_cluster_hostname"></a> [redshift\_cluster\_hostname](#output\_redshift\_cluster\_hostname) | Redshift hostname |
-| <a name="output_redshift_cluster_id"></a> [redshift\_cluster\_id](#output\_redshift\_cluster\_id) | The availability zone of the RDS instance |
-| <a name="output_redshift_cluster_port"></a> [redshift\_cluster\_port](#output\_redshift\_cluster\_port) | Redshift port |
-| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | The ID of the security group |
-| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| <a name="output_authentication_profiles"></a> [authentication\_profiles](#output\_authentication\_profiles) | Map of authentication profiles created and their associated attributes |
+| <a name="output_cluster_arn"></a> [cluster\_arn](#output\_cluster\_arn) | The Redshift cluster ARN |
+| <a name="output_cluster_automated_snapshot_retention_period"></a> [cluster\_automated\_snapshot\_retention\_period](#output\_cluster\_automated\_snapshot\_retention\_period) | The backup retention period |
+| <a name="output_cluster_availability_zone"></a> [cluster\_availability\_zone](#output\_cluster\_availability\_zone) | The availability zone of the Cluster |
+| <a name="output_cluster_database_name"></a> [cluster\_database\_name](#output\_cluster\_database\_name) | The name of the default database in the Cluster |
+| <a name="output_cluster_dns_name"></a> [cluster\_dns\_name](#output\_cluster\_dns\_name) | The DNS name of the cluster |
+| <a name="output_cluster_encrypted"></a> [cluster\_encrypted](#output\_cluster\_encrypted) | Whether the data in the cluster is encrypted |
+| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | The connection endpoint |
+| <a name="output_cluster_hostname"></a> [cluster\_hostname](#output\_cluster\_hostname) | The hostname of the Redshift cluster |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | The Redshift cluster ID |
+| <a name="output_cluster_identifier"></a> [cluster\_identifier](#output\_cluster\_identifier) | The Redshift cluster identifier |
+| <a name="output_cluster_node_type"></a> [cluster\_node\_type](#output\_cluster\_node\_type) | The type of nodes in the cluster |
+| <a name="output_cluster_nodes"></a> [cluster\_nodes](#output\_cluster\_nodes) | The nodes in the cluster. Each node is a map of the following attributes: `node_role`, `private_ip_address`, and `public_ip_address` |
+| <a name="output_cluster_parameter_group_name"></a> [cluster\_parameter\_group\_name](#output\_cluster\_parameter\_group\_name) | The name of the parameter group to be associated with this cluster |
+| <a name="output_cluster_port"></a> [cluster\_port](#output\_cluster\_port) | The port the cluster responds on |
+| <a name="output_cluster_preferred_maintenance_window"></a> [cluster\_preferred\_maintenance\_window](#output\_cluster\_preferred\_maintenance\_window) | The backup window |
+| <a name="output_cluster_public_key"></a> [cluster\_public\_key](#output\_cluster\_public\_key) | The public key for the cluster |
+| <a name="output_cluster_revision_number"></a> [cluster\_revision\_number](#output\_cluster\_revision\_number) | The specific revision number of the database in the cluster |
+| <a name="output_cluster_security_groups"></a> [cluster\_security\_groups](#output\_cluster\_security\_groups) | The security groups associated with the cluster |
+| <a name="output_cluster_subnet_group_name"></a> [cluster\_subnet\_group\_name](#output\_cluster\_subnet\_group\_name) | The name of a cluster subnet group to be associated with this cluster |
+| <a name="output_cluster_type"></a> [cluster\_type](#output\_cluster\_type) | The Redshift cluster type |
+| <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | The version of Redshift engine software |
+| <a name="output_cluster_vpc_security_group_ids"></a> [cluster\_vpc\_security\_group\_ids](#output\_cluster\_vpc\_security\_group\_ids) | The VPC security group ids associated with the cluster |
+| <a name="output_endpoint_access_address"></a> [endpoint\_access\_address](#output\_endpoint\_access\_address) | The DNS address of the endpoint |
+| <a name="output_endpoint_access_id"></a> [endpoint\_access\_id](#output\_endpoint\_access\_id) | The Redshift-managed VPC endpoint name |
+| <a name="output_endpoint_access_port"></a> [endpoint\_access\_port](#output\_endpoint\_access\_port) | The port number on which the cluster accepts incoming connections |
+| <a name="output_endpoint_access_vpc_endpoint"></a> [endpoint\_access\_vpc\_endpoint](#output\_endpoint\_access\_vpc\_endpoint) | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
+| <a name="output_parameter_group_arn"></a> [parameter\_group\_arn](#output\_parameter\_group\_arn) | Amazon Resource Name (ARN) of the parameter group created |
+| <a name="output_parameter_group_id"></a> [parameter\_group\_id](#output\_parameter\_group\_id) | The name of the Redshift parameter group created |
+| <a name="output_scheduled_action_iam_role_arn"></a> [scheduled\_action\_iam\_role\_arn](#output\_scheduled\_action\_iam\_role\_arn) | Scheduled actions IAM role ARN |
+| <a name="output_scheduled_action_iam_role_name"></a> [scheduled\_action\_iam\_role\_name](#output\_scheduled\_action\_iam\_role\_name) | Scheduled actions IAM role name |
+| <a name="output_scheduled_action_iam_role_unique_id"></a> [scheduled\_action\_iam\_role\_unique\_id](#output\_scheduled\_action\_iam\_role\_unique\_id) | Stable and unique string identifying the scheduled action IAM role |
+| <a name="output_scheduled_actions"></a> [scheduled\_actions](#output\_scheduled\_actions) | A map of maps containing scheduled action details |
+| <a name="output_snapshot_schedule_arn"></a> [snapshot\_schedule\_arn](#output\_snapshot\_schedule\_arn) | Amazon Resource Name (ARN) of the Redshift Snapshot Schedule |
+| <a name="output_subnet_group_arn"></a> [subnet\_group\_arn](#output\_subnet\_group\_arn) | Amazon Resource Name (ARN) of the Redshift subnet group created |
+| <a name="output_subnet_group_id"></a> [subnet\_group\_id](#output\_subnet\_group\_id) | The ID of Redshift Subnet group created |
+| <a name="output_usage_limits"></a> [usage\_limits](#output\_usage\_limits) | Map of usage limits created and their associated attributes |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->