Merge commit '972a5568d474fd3c8531490872251ad5909c028d' into release

Author: github-actions[bot]

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## [Unreleased]
 
+## [0.12.0] - 2022-04-07
+
+- Ensure compatibility with AWS Provider Version 4 ([#286](https://github.com/milliHQ/terraform-aws-next-js/issues/286), [#291](https://github.com/milliHQ/terraform-aws-next-js/pull/291))
+- Add switch for attaching additional policy documents ([#276](https://github.com/milliHQ/terraform-aws-next-js/pull/276))
+
 ## [0.11.5] - 2022-04-02
 
 - Adds support for route-manifest v4 ([#292](https://github.com/milliHQ/terraform-aws-next-js/pull/292))  

README.md

@@ -113,7 +113,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }
@@ -199,13 +199,13 @@ You can create a `.terraformignore` in the root of your project and add the foll
 | Name | Version |
 |------|---------|
 | terraform | >= 0.15 |
-| aws | >= 3.64.0 |
+| aws | >= 4.8 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.64.0 |
+| aws | >= 4.8 |
 
 ## Inputs
 
@@ -227,6 +227,7 @@ You can create a `.terraformignore` in the root of your project and add the foll
 | deployment\_name | Identifier for the deployment group (only lowercase alphanumeric characters and hyphens are allowed). | `string` | `"tf-next"` | no |
 | expire\_static\_assets | Number of days after which static assets from previous deployments should be removed from S3. Set to -1 to disable expiration. | `number` | `30` | no |
 | image\_optimization\_lambda\_memory\_size | Amount of memory in MB the worker Lambda Function for image optimization can use. Valid value between 128 MB to 10,240 MB, in 1 MB increments. | `number` | `2048` | no |
+| lambda\_attach\_policy\_json | Whether to deploy additional lambda JSON policies. If false, lambda\_policy\_json will not be attached to the lambda function. (Necessary since policy strings are only known after apply when using Terraforms data.aws\_iam\_policy\_document) | `bool` | `false` | no |
 | lambda\_attach\_to\_vpc | Set to true if the Lambda functions should be attached to a VPC. Use this setting if VPC resources should be accessed by the Lambda functions. When setting this to true, use vpc\_security\_group\_ids and vpc\_subnet\_ids to specify the VPC networking. Note that attaching to a VPC would introduce a delay on to cold starts | `bool` | `false` | no |
 | lambda\_environment\_variables | Map that defines environment variables for the Lambda Functions in Next.js. | `map(string)` | `{}` | no |
 | lambda\_memory\_size | Amount of memory in MB a Lambda Function can use at runtime. Valid value between 128 MB to 10,240 MB, in 1 MB increments. | `number` | `1024` | no |

examples/complete/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

examples/next-image/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

examples/static/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

examples/with-custom-domain/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

examples/with-existing-cloudfront/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = "~> 4.0"
     }
   }
 }

iam.tf

@@ -83,7 +83,7 @@ resource "aws_iam_role_policy_attachment" "lambda_vpc" {
 ####################################
 
 resource "aws_iam_policy" "additional_json" {
-  count = var.lambda_policy_json != null ? 1 : 0
+  count = var.lambda_attach_policy_json ? 1 : 0
 
   description = "Managed by Terraform Next.js"
   policy      = var.lambda_policy_json
@@ -92,7 +92,7 @@ resource "aws_iam_policy" "additional_json" {
 }
 
 resource "aws_iam_role_policy_attachment" "additional_json" {
-  for_each = var.lambda_policy_json != null ? local.lambdas : {}
+  for_each = var.lambda_attach_policy_json ? local.lambdas : {}
 
   role       = aws_iam_role.lambda[each.key].name
   policy_arn = aws_iam_policy.additional_json[0].arn

main.tf

@@ -148,7 +148,7 @@ module "next_image" {
   count = var.create_image_optimization ? 1 : 0
 
   source  = "milliHQ/next-js-image-optimization/aws"
-  version = "~> 12.0.10"
+  version = ">= 12.1.0"
 
   cloudfront_create_distribution = false
 

modules/cloudfront-proxy-config/main.tf

@@ -10,11 +10,15 @@ locals {
 
 resource "aws_s3_bucket" "proxy_config_store" {
   bucket_prefix = "${var.deployment_name}-tfn-config"
-  acl           = "private"
   force_destroy = true
   tags          = merge(var.tags, var.tags_s3_bucket)
 }
 
+resource "aws_s3_bucket_acl" "proxy_config_store" {
+  bucket = aws_s3_bucket.proxy_config_store.id
+  acl    = "private"
+}
+
 data "aws_iam_policy_document" "cf_access" {
   statement {
     actions   = ["s3:GetObject"]
@@ -36,7 +40,7 @@ resource "aws_s3_bucket_policy" "proxy_config_store_origin_access" {
 # Upload Proxy Config
 #####################
 
-resource "aws_s3_bucket_object" "config_json" {
+resource "aws_s3_object" "config_json" {
   bucket        = aws_s3_bucket.proxy_config_store.id
   key           = local.proxy_config_key
   content       = var.proxy_config_json

modules/cloudfront-proxy-config/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 4.0"
     }
   }
 }

modules/proxy/main.tf

@@ -15,7 +15,7 @@ module "proxy_package" {
 
 module "edge_proxy" {
   source  = "terraform-aws-modules/lambda/aws"
-  version = "2.4.0"
+  version = "3.1.0"
 
   lambda_at_edge = true
 

modules/proxy/variables.tf

@@ -4,7 +4,7 @@
 
 variable "proxy_module_version" {
   type    = string
-  default = "0.11.5"
+  default = "0.12.0"
 }
 
 variable "lambda_default_runtime" {

modules/statics-deploy/main.tf

@@ -9,17 +9,24 @@ locals {
 
 resource "aws_s3_bucket" "static_upload" {
   bucket_prefix = "${var.deployment_name}-tfn-deploy"
-  acl           = "private"
   force_destroy = true
 
-  # We are using versioning here to ensure that no file gets overridden at upload
-  versioning {
-    enabled = true
-  }
-
   tags = merge(var.tags, var.tags_s3_bucket)
 }
 
+resource "aws_s3_bucket_acl" "static_upload" {
+  bucket = aws_s3_bucket.static_upload.id
+  acl    = "private"
+}
+
+# We are using versioning here to ensure that no file gets overridden at upload
+resource "aws_s3_bucket_versioning" "static_upload" {
+  bucket = aws_s3_bucket.static_upload.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_notification" "on_create" {
   bucket = aws_s3_bucket.static_upload.id
 
@@ -35,23 +42,35 @@ resource "aws_s3_bucket_notification" "on_create" {
 
 resource "aws_s3_bucket" "static_deploy" {
   bucket_prefix = "${var.deployment_name}-tfn-static"
-  acl           = "private"
   force_destroy = true
 
-  lifecycle_rule {
-    id      = "Expire static assets"
-    enabled = var.expire_static_assets >= 0 # -1 disables the cleanup
+  tags = merge(var.tags, var.tags_s3_bucket)
+}
+
+resource "aws_s3_bucket_acl" "static_deploy" {
+  bucket = aws_s3_bucket.static_deploy.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "static_deploy" {
+  bucket = aws_s3_bucket.static_deploy.id
 
-    tags = {
-      "tfnextExpire" = "true"
-    }
+  rule {
+    id = "Expire static assets"
 
     expiration {
       days = var.expire_static_assets > 0 ? var.expire_static_assets : 0
     }
-  }
 
-  tags = merge(var.tags, var.tags_s3_bucket)
+    filter {
+      tag {
+        key   = "tfnextExpire"
+        value = "true"
+      }
+    }
+
+    status = var.expire_static_assets >= 0 ? "Enabled" : "Disabled" # -1 disables the cleanup
+  }
 }
 
 # CloudFront permissions for the bucket
@@ -172,7 +191,7 @@ module "lambda_content" {
 
 module "deploy_trigger" {
   source  = "terraform-aws-modules/lambda/aws"
-  version = "2.4.0"
+  version = "3.1.0"
 
   function_name             = "${var.deployment_name}_tfn-deploy"
   description               = "Managed by Terraform Next.js"

modules/statics-deploy/variables.tf

@@ -4,7 +4,7 @@ variable "static_files_archive" {
 
 variable "deploy_trigger_module_version" {
   type    = string
-  default = "0.11.5"
+  default = "0.12.0"
 }
 
 variable "expire_static_assets" {

variables.tf

@@ -64,6 +64,12 @@ variable "lambda_policy_json" {
   default     = null
 }
 
+variable "lambda_attach_policy_json" {
+  description = "Whether to deploy additional lambda JSON policies. If false, lambda_policy_json will not be attached to the lambda function. (Necessary since policy strings are only known after apply when using Terraforms data.aws_iam_policy_document)"
+  type        = bool
+  default     = false
+}
+
 variable "lambda_role_permissions_boundary" {
   type = string
   # https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 3.64.0"
+      version               = ">= 4.8"
       configuration_aliases = [aws.global_region]
     }
   }