feat!: Update default values for security posture improvement (#369)

BREAKING CHANGES:

- Support for Terraform `<=v0.12.x` has been dropped; `v0.13.1` is now the minimum supported version
- Terraform AWS provider minimum version is now `v4.0.0` in order to support the replacement of `var.name`(deprecated) for `var.db_name`
- Separate RDS instance resource for MSSQL/SQLServer has been removed - all engines are supported under one resource
- `storage_encrypted` is now set to `true` by default; was previously `false`
- `create_random_password` is now set to `true` by default; was previously `false`
- `create_db_subnet_group` is now set to `false` by default; was previously `true`; typically a shared DB subnet group will be used, most likely from the VPC module
- `random_password_length` is now set to `16` by default, was previously `10`
- Random provider minimum version supported is now `v3.1.0`
- `final_snapshot_identifier` no longer coalesces `var.final_snapshot_identifier` and instead relies on `var.final_snapshot_identifier_prefix` with a random suffix to avoid name collisions

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.62.3
+    rev: v1.64.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -0,0 +1,108 @@
+# Upgrade from v3.x to v4.x
+
+If you have any questions regarding this upgrade process, please consult the [`examples/`](https://github.com/terraform-aws-modules/terraform-aws-rds/tree/master/examples) projects:
+
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Support for Terraform `<=v0.12.x` has been dropped; `v0.13.1` is now the minimum supported version
+- Terraform AWS provider minimum version is now `v4.0.0` in order to support the replacement of `var.name`(deprecated) for `var.db_name`
+- Separate RDS instance resource for MSSQL/SQLServer has been removed - all engines are supported under one resource
+- `storage_encrypted` is now set to `true` by default; was previously `false`
+- `create_random_password` is now set to `true` by default; was previously `false`
+- `create_db_subnet_group` is now set to `false` by default; was previously `true`; typically a shared DB subnet group will be used, most likely from the VPC module
+- `random_password_length` is now set to `16` by default, was previously `10`
+- Random provider minimum version supported is now `v3.1.0`
+- `final_snapshot_identifier` no longer coalesces `var.final_snapshot_identifier` and instead relies on `var.final_snapshot_identifier_prefix` with a random suffix to avoid name collisions
+
+## Additional changes
+
+### Added
+
+- `latest_restorable_time` added to ignored changes
+- `replica_mode` support added to DB instance
+
+### Modified
+
+- `username`, `password`, and `engine` are set to `null` when  a `replicate_source_db` or `snapshot_identifier` is provided; these values are already provided in the respective source
+- `engine_version` is set to `null` when a value is provided for `replicate_source_db`
+- `db_subnet_group_name` has been updated to use full name when prefix is enabled
+- `Name` tag removed from instance resource; name is set via `identifier` and not through tags; users can add back into the tags they provide if desired
+- Outputs have been updated to use `try()` syntax; local variable usage has been removed within outputs
+- `engine`, `major_engine_version`, `family`, `password`, `db_subnet_group_name`,`db_subnet_group_description`,`parameter_group_name`,
+`parameter_group_description`, `option_group_name`, `option_group_description` is now set to `null` by default; was previously `""`
+- `timeouts` is now set to `{}` by default; was previously a copy+paste of default value used by provider. This is a no-op but will show up in plans as a diff
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `final_snapshot_identifier`
+
+2. Renamed variables:
+
+    - `name` (deprecated) -> `db_name`
+
+3. Added variables:
+
+    - `replica_mode`
+
+4. Removed outputs:
+
+    - None
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - None
+
+## Upgrade Migrations
+
+The following examples demonstrate some of the changes that users can elect to make to avoid any potential disruptions when upgrading.
+
+### Before 3.x Example
+
+```hcl
+module "rds" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = "~> 3.0"
+
+  master_password = "MySuperStrongPassword!"
+
+  # Previously on read-replicas or restored from snapshot instances you needed to explicitly set these to null
+  # These can now be safely removed and instead on the module to resolve these appropriately
+  username = null
+  password = null
+  engine   = null
+}
+```
+
+### After 4.x Example
+
+```hcl
+module "asg" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = "~> 4.0"
+
+  master_password        = "MySuperStrongPassword!"
+  # Set random password creation to false if providing your own password as input
+  create_random_password = false
+
+  # If you did not have storage encrypted in `v3.x`, you can explicitly disable in `v4.x` to avoid disruption
+  storage_encrypted = false
+}
+```
+
+#### MSSQL/SQLServer
+
+For MSSSQL/SQLServer, users will want to rename the resource in their Terraform state to align with the flattened DB instance resource module in v4.x:
+
+```bash
+terraform state mv 'module.<module-name>.module.db_instance.aws_db_instance.this_mssql[0]' 'module.<module-name>.module.db_instance.aws_db_instance.this[0]'
+```
+
+Where `<module-name>` is the name of your module definition.

UPGRADE-4.0.md

@@ -19,23 +19,23 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.49 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
 | <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
-| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources
 

examples/complete-mssql/README.md

@@ -17,7 +17,7 @@ locals {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2"
+  version = "~> 3.0"
 
   name = local.name
   cidr = "10.99.0.0/18"
@@ -34,7 +34,7 @@ module "vpc" {
 
 module "security_group" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4"
+  version = "~> 4.0"
 
   name        = local.name
   description = "Complete SqlServer example security group"
@@ -116,20 +116,16 @@ module "db" {
   identifier = local.name
 
   engine               = "sqlserver-ex"
-  engine_version       = "15.00.4073.23.v1"
+  engine_version       = "15.00.4153.1.v1"
   family               = "sqlserver-ex-15.0" # DB parameter group
   major_engine_version = "15.00"             # DB option group
   instance_class       = "db.t3.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
-  storage_encrypted     = false
 
-  name                   = null
-  username               = "complete_mssql"
-  create_random_password = true
-  random_password_length = 12
-  port                   = 1433
+  username = "complete_mssql"
+  port     = 1433
 
   domain               = aws_directory_service_directory.demo.id
   domain_iam_role_name = aws_iam_role.rds_ad_auth.name
@@ -166,7 +162,6 @@ module "db_disabled" {
   identifier = "${local.name}-disabled"
 
   create_db_instance        = false
-  create_db_subnet_group    = false
   create_db_parameter_group = false
   create_db_option_group    = false
 }

examples/complete-mssql/main.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.12.26"
+  required_version = ">= 0.13.1"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.49"
+      version = ">= 4.0"
     }
   }
 }

examples/complete-mssql/versions.tf

@@ -19,8 +19,8 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
 
 ## Providers
 
@@ -33,8 +33,8 @@ No providers.
 | <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
 | <a name="module_db_default"></a> [db\_default](#module\_db\_default) | ../../ | n/a |
 | <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
-| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources
 

examples/complete-mysql/README.md

@@ -17,7 +17,7 @@ locals {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2"
+  version = "~> 3.0"
 
   name = local.name
   cidr = "10.99.0.0/18"
@@ -34,7 +34,7 @@ module "vpc" {
 
 module "security_group" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4"
+  version = "~> 4.0"
 
   name        = local.name
   description = "Complete MySQL example security group"
@@ -65,18 +65,16 @@ module "db" {
 
   # All available versions: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt
   engine               = "mysql"
-  engine_version       = "8.0.20"
+  engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3.large"
+  instance_class       = "db.t3a.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
-  storage_encrypted     = false
 
-  name     = "completeMysql"
+  db_name  = "completeMysql"
   username = "complete_mysql"
-  password = "YourPwdShouldBeLongAndSecure!"
   port     = 3306
 
   multi_az               = true
@@ -132,18 +130,16 @@ module "db_default" {
 
   # All available versions: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt
   engine               = "mysql"
-  engine_version       = "8.0.20"
+  engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3.large"
+  instance_class       = "db.t3a.large"
 
   allocated_storage = 20
 
-  name                   = "completeMysql"
-  username               = "complete_mysql"
-  create_random_password = true
-  random_password_length = 12
-  port                   = 3306
+  db_name  = "completeMysql"
+  username = "complete_mysql"
+  port     = 3306
 
   subnet_ids             = module.vpc.database_subnets
   vpc_security_group_ids = [module.security_group.security_group_id]
@@ -162,7 +158,6 @@ module "db_disabled" {
   identifier = "${local.name}-disabled"
 
   create_db_instance        = false
-  create_db_subnet_group    = false
   create_db_parameter_group = false
   create_db_option_group    = false
 }

examples/complete-mysql/main.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.12.26"
+  required_version = ">= 0.13.1"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.49"
+      version = ">= 4.0"
     }
   }
 }

examples/complete-mysql/versions.tf

@@ -19,8 +19,8 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
 
 ## Providers
 
@@ -32,8 +32,8 @@ No providers.
 |------|--------|---------|
 | <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
 | <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
-| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources
 

examples/complete-oracle/README.md

@@ -17,7 +17,7 @@ locals {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2"
+  version = "~> 3.0"
 
   name = local.name
   cidr = "10.99.0.0/18"
@@ -34,7 +34,7 @@ module "vpc" {
 
 module "security_group" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4"
+  version = "~> 4.0"
 
   name        = local.name
   description = "Complete Oracle example security group"
@@ -64,22 +64,19 @@ module "db" {
   identifier = "demodb-oracle"
 
   engine               = "oracle-ee"
-  engine_version       = "12.1.0.2.v8"
-  family               = "oracle-ee-12.1" # DB parameter group
-  major_engine_version = "12.1"           # DB option group
+  engine_version       = "19.0.0.0.ru-2021-10.rur-2021-10.r1"
+  family               = "oracle-ee-19.0" # DB parameter group
+  major_engine_version = "19.0"           # DB option group
   instance_class       = "db.t3.large"
   license_model        = "bring-your-own-license"
 
   allocated_storage     = 20
   max_allocated_storage = 100
-  storage_encrypted     = false
 
   # Make sure that database name is capitalized, otherwise RDS will try to recreate RDS instance every time
-  name                   = "COMPLETEORACLE"
-  username               = "complete_oracle"
-  create_random_password = true
-  random_password_length = 12
-  port                   = 1521
+  db_name  = "COMPLETEORACLE"
+  username = "complete_oracle"
+  port     = 1521
 
   multi_az               = true
   subnet_ids             = module.vpc.database_subnets
@@ -109,7 +106,6 @@ module "db_disabled" {
   identifier = "${local.name}-disabled"
 
   create_db_instance        = false
-  create_db_subnet_group    = false
   create_db_parameter_group = false
   create_db_option_group    = false
 }