Update Terraform cloudposse/lambda-function/aws to v0.6.1 #268

Open
wants to merge 1 commit into
base: main

renovate[bot]
Contributor

@renovate renovate bot commented Jan 3, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/lambda-function/aws (source) | module | minor | 0.5.1 -> 0.6.1 |

Release Notes

cloudposse/terraform-aws-lambda-function (cloudposse/lambda-function/aws)

v0.6.1

Compare Source

🐛 Bug Fixes

Bugfix: Revert Breaking Change in v0.6.0 @​milldr (#​79)

what

  • Revert changes from #​74
  • Pass only module.this.tags to cloudwatch module, not module.this.context
  • Add tests and necessary output to catch this going forward

why

  • If we pass everything then the resources created in the cloudwatch module will have new names!

references

  • Resolves #​78

🤖 Automatic Updates

Update .github/settings.yml @​osterman (#​77)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#76)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v0.6.0

Compare Source

Change cloudwatch submodule to pass context @​nnsense (#​74)

what

A patch to pass the context instead of just vars to the CloudWatch submodule.

why

This module is only setting the context vars instead of the whole context inside the Cloudwatch submodule, leaving it up to the submodule to set its own context.

module "cloudwatch_log_group" {
  source  = "cloudposse/cloudwatch-logs/aws"
  version = "0.6.6"

  enabled = module.this.enabled

  iam_role_enabled  = false
  kms_key_arn       = var.cloudwatch_logs_kms_key_arn
  retention_in_days = var.cloudwatch_logs_retention_in_days
  name              = "/aws/lambda/${var.function_name}"
  tags              = module.this.tags
}

By setting the context (as advised by cloudposse), the root deployment is passed to the submodule, and an upper/camel/pascal case function_name will be consistent with the Cloudwatch group name.

references

v0.5.6

Compare Source

Add support for declaring simple lambda permissions in-module @​jpalomaki (#​69)

what

Allow lambda configuration author to optionally declare lambda:InvokeFunction lambda permissions directly in this module.

More complex permissions configurations could still be done outside of this module.

why

This co-locates permissions related to the lambda in the module configuration (where we also declare lambda IAM role permissions), which can help a reader understand where the lambda is invoked from, e.g. in cases where the actual event sources are declared in a different root configuration.

In our specific use case, we use terragrunt to deploy the lambda function (straight from terraform registry module), so this feature would also help us avoid having to create a wrapper module just to add the necessary permission resources.

questions

  1. Because we support terraform 0.14+ (no default value support for optionals), we scope this to just the specific action lambda:InvokeFunction and keep the number of attributes a user has to fill in, small. Does this look like a sane approach (looks like it could cover a lot of ground already, judging by examples)?
  2. Because we support terraform 0.14+, we can't do replace_triggered_by. Not entirely sure if that is a problem though, since we just attach the permission to the function itself (and not an alias or version)
  3. The resource for_each is keyed by list index, which isn't ideal, since it would force recreations if items are shuffled/inserted

references

Slack discussion, cc/ @​osterman

🤖 Automatic Updates

Update .github/settings.yml @​osterman (#​70)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v0.5.5

Compare Source

Add lambda role name option @​gadzooks (#​66)

what

  • Adds an option to set role name for lambda function

why

  • Enable module consumers to set custom lambda role names as per any additional requirements or naming standards

references

🤖 Automatic Updates

chore(deps): bump the go_modules group in /test/src with 6 updates @​dependabot (#​67)

Bumps the go_modules group in /test/src with 6 updates:

| Package | From | To |
|---|---|---|
| github.com/hashicorp/go-getter | 1.6.1 | 1.7.5 |
| golang.org/x/crypto | 0.0.0-20210513164829-c07d793c2f9a | 0.0.0-20210921155107-089bfa567519 |
| golang.org/x/net | 0.0.0-20220127200216-cd36cc0744dd | 0.1.0 |
| golang.org/x/text | 0.3.7 | 0.4.0 |
| google.golang.org/grpc | 1.38.0 | 1.50.1 |
| google.golang.org/protobuf | 1.26.0 | 1.28.1 |

Updates github.com/hashicorp/go-getter from 1.6.1 to 1.7.5

Release notes

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.5

What's Changed

New Contributors

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5

v1.7.4

What's Changed

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4

v1.7.3

What's Changed

New Contributors

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3

v1.7.2

What's Changed

Full Changelog: https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2

v1.7.1

No release notes provided.

v1.7.0

What's Changed

New Contributors

... (truncated)

Commits
  • 5a63fd9 Merge pull request #​497 from hashicorp/fix-git-update
  • 5b7ec5f fetch tags on update and fix tests
  • 9906874 recreate git config during update to prevent config alteration
  • 268c11c escape user provide string to git (#​483)
  • 975961f Merge pull request #​433 from adrian-bl/netrc-fix
  • 0298a22 Merge pull request #​459 from hashicorp/jbardin/setup-git-env
  • c70d9c9 don't change GIT_SSH_COMMAND if there's no keyfile
  • 3d5770f Merge pull request #​458 from hashicorp/tsccr-auto-pinning/trusted/2023-09-18
  • 0688979 Result of tsccr-helper -log-level=info -pin-all-workflows .
  • e66f244 Merge pull request #​454 from hashicorp/tsccr-auto-pinning/trusted/2023-09-11
  • Additional commits viewable in compare view

Updates golang.org/x/crypto from 0.0.0-20210513164829-c07d793c2f9a to 0.0.0-20210921155107-089bfa567519

Commits

Updates golang.org/x/net from 0.0.0-20220127200216-cd36cc0744dd to 0.1.0

Commits

Updates golang.org/x/text from 0.3.7 to 0.4.0

Commits
  • 1bdb400 language: remove compatibility with go < 1.2
  • 252bee0 go.mod: ignore cyclic dependency for tagging
  • ecab6e5 go.mod: ignore cyclic dependency for tagging
  • 369c86b all: fix a few function names on comments
  • 434eadc language: reject excessively large Accept-Language strings
  • 23407e7 go.mod: ignore cyclic dependency for tagging
  • b18d3dd secure/precis: replace bytes.Compare with bytes.Equal
  • 795e854 all: replace io/ioutil with io and os package
  • b0ca10f internal/language: bump script types to uint16 and update registry
  • ba9b0e1 go.mod: update x/tools to HEAD
  • Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.38.0 to 1.50.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.50.1

New Features

  • gcp/observability: support new configuration defined in public preview user guide

Release 1.50.0

Behavior Changes

  • client: use proper "@​" semantics for connecting to abstract unix sockets. (#​5678)
    • This is technically a bug fix; the result is that the address was including a trailing NULL byte, which it should not have. This may break users creating the socket in Go by prefixing a NULL instead of an "@​", though, so calling it out as a behavior change.

New Features

Bug Fixes

  • client: fix deadlock in transport caused by GOAWAY racing with stream creation (#​5652)
    • This should only occur with an HTTP/2 server that does not follow best practices of an advisory GOAWAY (not a grpc-go server).
  • xds/xdsclient: fix a bug which was causing routes with cluster_specifier_plugin set to be NACKed when GRPC_EXPERIMENTAL_XDS_RLS_LB was off (#​5670)
  • xds/xdsclient: NACK cluster resource if config_source_specifier in lrs_server is not self (#​5613)
  • xds/ringhash: fix a bug which sometimes prevents the LB policy from retrying connection attempts (#​5601)
  • xds/ringhash: do nothing when asked to exit IDLE instead of falling back on the default channel behavior of connecting to all addresses (#​5614)
  • xds/rls: fix a bug which was causing the channel to be stuck in IDLE (#​5656)
  • alts: fix a bug which was setting WaitForReady on handshaker service RPCs, thereby delaying fallback when required (#​5620)
  • gcp/observability: fix End() to cleanup global state correctly (#​5623)

Release 1.49.0

New Features

  • gcp/observability: add support for Environment Variable GRPC_CONFIG_OBSERVABILITY_JSON (#​5525)
  • gcp/observability: add support for custom tags (#​5565)

Behavior Changes

  • server: reduce log level from Warning to Info for early connection establishment errors (#​5524)

Bug Fixes

  • client: fix race in flow control that could lead to unexpected EOF errors (#​5494)
  • client: fix a race that could cause RPCs to time out instead of failing more quickly with UNAVAILABLE (#​5503)
  • client & server: fix a panic caused by passing a nil stats handler to grpc.WithStatsHandler or grpc.StatsHandler (#​5543)
  • transport/server: fix a race that could cause a stray header to be sent (#​5513)
  • balancer: give precedence to IDLE over TRANSIENT_FAILURE when aggregating connectivity state (#​5473)
  • xds/xdsclient: request correct resource name when user specifies a new style resource name with empty authority (#​5488)

... (truncated)

Commits
  • 4c776ec Cherry-pick observability changes from master to v1.50.x and update version t...
  • 6576007 Change version to 1.50.1-dev (#​5686)
  • c1d7d7a Change version to 1.50.0 (#​5685)
  • 1451c62 internal/transport: optimize grpc-message encoding/decoding (#​5654)
  • be4b63b test: minor test cleanup (#​5679)
  • d83070e Changed Outlier Detection Env Var to default true (#​5673)
  • 54521b2 client: remove trailing null from unix abstract socket address (#​5678)
  • 36e4810 orca: cleanup old code, and get grpc package to use new code (#​5627)
  • e8866a8 build: harden GitHub Workflow permissions (#​5660)
  • 8458251 xdsclient: ignore routes with cluster_specifier_plugin when GRPC_EXPERIMENTAL...
  • Additional commits viewable in compare view

Updates google.golang.org/protobuf from 1.26.0 to 1.28.1


v0.5.4

Compare Source

Add support for inline IAM policy @​jpalomaki (#​68)

what

Adds support for attaching an inline IAM policy to the function IAM role.

why

Useful for defining a (simple) IAM policy that is declared, and deployed, in-tandem with the Lambda function itself.

Our use case: we use terragrunt to deploy a simple function using this module (straight out of terraform registry), so we'd like to avoid having to create a wrapper module or a separate customer-managed policy, for adding some necessary (but simple) permissions.

references

No related GitHub issue (but I can create one if needed).

🐛 Bug Fixes

Use runtime node20 @​kevcube (#​58)

Node14 no longer supported, tests fail because of this

🤖 Automatic Updates

Update release workflow to allow pull-requests: write @​osterman (#​65)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#63)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#61)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#60)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#56)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration

Add GitHub Settings @osterman (#51)

what

  • Install a repository config (.github/settings.yaml)

why

  • Programmatically manage GitHub repo settings

Update Scaffolding @osterman (#49)

what

  • Reran make readme to rebuild README.md from README.yaml
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

v0.5.3

Compare Source

fix: Allow for custom_iam_policy_arns that are unknown at apply @​natemccurdy (#​46)

what

Replace the toset() in the aws_iam_role_policy_attachment resource's for_each attribute with a map of name:ARN pairs.

why

Prior to this patch, specifying custom_iam_policy_arns for IAM Policies that do not exist yet and would be created in the same Terraform run that creates the Lambda Execution Role would cause the following error:

│ Error: Invalid for_each argument
│
│   on .terraform/modules/foo.test_lambda/iam-role.tf line 81, in resource "aws_iam_role_policy_attachment" "custom":
│   81:   for_each = local.enabled && length(var.custom_iam_policy_arns) > 0 ? var.custom_iam_policy_arns : toset([])
│     ├────────────────
│     │ local.enabled is true
│     │ var.custom_iam_policy_arns is set of string with 3 elements
│
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to use a map value where the keys are defined statically in your configuration and where only the values contain apply-time results.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.

This is due to the ARNs of those policies not being known at apply time and the usage of toset() in the aws_iam_role_policy_attachment resource's for_each parameter. As the set's values are unknown at apply time, Terraform can't create a dependency graph.

references

Similar issues with similar fixes in other CloudPosse modules:

🚀 Enhancements

fix: Add null/label context tags to the aws_lambda_function resource @​natemccurdy (#​44)

What

Use tags = module.this.tags on the aws_lambda_function resource.

Why

Prior to this, the aws_lambda_function resource was not getting tagged at all
when passing just the null/label context into the module.

For example, this would end up with a completely untagged Lambda function even
though I am passing the context from a standard null/label declaration:

module "test" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"

  function_name = "${module.this.id}-test"
  attributes    = ["foo"]
  description   = var.lambda_description
  s3_bucket     = var.lambda_s3_bucket
  s3_key        = var.lambda_s3_key
  runtime       = var.lambda_runtime
  handler       = var.lambda_handler
  context       = module.this.context
}

To get any tags on the lambda, the tags attribute must be used:

module "test" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"

  function_name = "${module.this.id}-test"
  attributes    = ["foo"]
  description   = var.lambda_description
  s3_bucket     = var.lambda_s3_bucket
  s3_key        = var.lambda_s3_key
  runtime       = var.lambda_runtime
  handler       = var.lambda_handler
  context       = module.this.context
  tags          = module.this.tags
}

This has a couple of problems:

  1. The attributes list is missing from the resultant set of tags.
  2. The requirement of passing an explicit tags attribute is not how other CloudPosse modules work.

Outcome

  • The aws_lambda_function resource is tagged with the implicit tags passed in via context.
  • Tags from the tags variable are still present, but are now merged with the tags from context.
  • This module follows the convention of other CloudPosse modules.
  • People used to CloudPosse modules will have an easier time using this module.

v0.5.2

Compare Source

🚀 Enhancements

fix: Add context tags to the IAM resources @​natemccurdy (#​45)

what

Add tags = module.this.tags to each of the IAM resources so that they use the tags determined by the null/label context or the tags input.

why

Prior to this, the aws_iam_role and the aws_iam_policy created by this module did not include any of the tags passed via tags or via context.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner January 3, 2025 17:59
@renovate renovate bot added the auto-update label Jan 3, 2025
@renovate renovate bot force-pushed the renovate/cloudposse-lambda-function-aws-0.x branch from b826cf1 to 56f8761 Compare January 3, 2025 18:24
@renovate renovate bot force-pushed the renovate/cloudposse-lambda-function-aws-0.x branch from 56f8761 to 6b1ac56 Compare January 3, 2025 18:28
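
An added example, not part of this PR or of the cloudposse module: the v0.6.0 regression described in the release notes (CloudWatch resources getting new names) appears in a Terraform plan as a log group being replaced, so a reviewer can gate a module bump on the plan JSON from `terraform show -json`. The sample plan, resource addresses and names below are constructed, and the guarded type list is an assumption.

```python
import json

# Resource types whose deletion or replacement loses logs or audit trail.
# Assumption: the reviewer guards log groups; extend the set as needed.
GUARDED_TYPES = frozenset({"aws_cloudwatch_log_group"})

# Constructed sample in the shape of `terraform show -json <planfile>`;
# the addresses and names are made up for this example.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.fn.module.cloudwatch_log_group.aws_cloudwatch_log_group.default[0]",
         "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["delete", "create"],
                    "before": {"name": "/aws/lambda/example-fn"},
                    "after": {"name": "/aws/lambda/example-fn-renamed"}}},
        {"address": "module.fn.aws_lambda_function.this[0]",
         "type": "aws_lambda_function",
         "change": {"actions": ["update"],
                    "before": {"function_name": "example-fn"},
                    "after": {"function_name": "example-fn"}}},
        {"address": "aws_cloudwatch_log_group.other",
         "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["no-op"],
                    "before": {"name": "/app/other"},
                    "after": {"name": "/app/other"}}},
    ],
})


def risky_changes(plan, guarded=GUARDED_TYPES):
    """Return findings for guarded resources the plan would delete or replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in guarded:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions:
            continue  # create, update and no-op keep the existing resource
        # A replacement is reported as both "delete" and "create", in either order.
        kind = "replace" if "create" in actions else "delete"
        before = change.get("before") or {}
        after = change.get("after") or {}  # null for a pure delete
        findings.append({
            "address": rc.get("address"),
            "kind": kind,
            "old_name": before.get("name"),
            "new_name": after.get("name"),
        })
    return findings


def gate(plan_json):
    """Return (exit_code, findings); non-zero means the plan should block the merge."""
    findings = risky_changes(json.loads(plan_json))
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, found = gate(SAMPLE_PLAN)
    for f in found:
        print(f"{f['kind'].upper()} {f['address']}: {f['old_name']!r} -> {f['new_name']!r}")
    raise SystemExit(code)
```
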