From 06de8d90c09b6037338403a2f3af08c637fe9c67 Mon Sep 17 00:00:00 2001
From: Moritz Zimmer
Date: Wed, 23 Jul 2025 08:55:25 +0200
Subject: [PATCH 1/3] feat: upgraded to aws provider 6.x and terraform 1.5.7
---
 alb.tf | 4 ++++
 cloudwatch_logs.tf | 2 ++
 data.tf | 6 +++++-
 examples/fixtures/context/Dockerfile | 2 +-
 main.tf | 16 ++++++++++++++++
 modules/deployment/code_build.tf | 4 ++++
 modules/deployment/code_pipeline.tf | 2 ++
 modules/deployment/data.tf | 4 +++-
 modules/deployment/notification.tf | 5 +++++
 modules/deployment/s3.tf | 4 +++-
 modules/deployment/trigger.tf | 2 ++
 modules/deployment/variables.tf | 6 ++++++
 modules/ecr/main.tf | 6 ++++++
 modules/ecr/variables.tf | 6 ++++++
 route53.tf | 2 ++
 variables.tf | 6 ++++++
 16 files changed, 73 insertions(+), 4 deletions(-)
diff --git a/alb.tf b/alb.tf
index c4a98ee..6e54bdf 100644
--- a/alb.tf
+++ b/alb.tf
@@ -5,6 +5,8 @@ resource "aws_alb_target_group" "main" {
 count = length(var.target_groups)
+ region = var.region
+
 name = lookup(var.target_groups[count.index], "name", null)
 name_prefix = lookup(var.target_groups[count.index], "name_prefix", null)
@@ -47,6 +49,8 @@ resource "aws_alb_target_group" "main" {
 resource "aws_alb_listener_rule" "public" {
 count = length(var.https_listener_rules)
+ region = var.region
+
 listener_arn = lookup(var.https_listener_rules[count.index], "listener_arn", null)
 priority = lookup(var.https_listener_rules[count.index], "priority", null)
diff --git a/cloudwatch_logs.tf b/cloudwatch_logs.tf
index 27ff21f..dd8b3bc 100644
--- a/cloudwatch_logs.tf
+++ b/cloudwatch_logs.tf
@@ -1,6 +1,8 @@
 resource "aws_cloudwatch_log_group" "containers" {
 count = var.cloudwatch_logs.enabled && var.cloudwatch_logs.name == "" ? 1 : 0
+ region = var.region
+
 name = var.cloudwatch_logs.name == "" ? "/aws/ecs/${var.service_name}" : var.cloudwatch_logs.name
 retention_in_days = var.cloudwatch_logs.retention_in_days
 tags = var.tags
diff --git a/data.tf b/data.tf
index f0e9d01..9143fb9 100644
--- a/data.tf
+++ b/data.tf
@@ -1,2 +1,6 @@
-data "aws_region" "current" {}
+data "aws_region" "current" {
+ region = var.region
+}
+
 data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
diff --git a/examples/fixtures/context/Dockerfile b/examples/fixtures/context/Dockerfile
index b348627..aebb069 100644
--- a/examples/fixtures/context/Dockerfile
+++ b/examples/fixtures/context/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-alpine
+FROM python:3.13-alpine
 RUN addgroup -S app && adduser -S app -G app
 WORKDIR /home/app
diff --git a/main.tf b/main.tf
index 1480830..a20dc6c 100644
--- a/main.tf
+++ b/main.tf
@@ -60,6 +60,7 @@ data "aws_subnets" "selected" {
 }
 }
+// FIXME: the module is currently not upgraded to aws 6.x and doesn't support the `region` variable
 module "sg" {
 count = var.create_ingress_security_group && length(local.ingress_targets) > 0 ? 1 : 0
 source = "registry.terraform.io/terraform-aws-modules/security-group/aws"
@@ -74,6 +75,9 @@ module "sg" {
 resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
 depends_on = [data.aws_lb.public]
+
+ region = var.region
+
 for_each = { for route in local.ingress_targets : "${route["prefix"]}-${route["protocol"]}-${route["from_port"]}-${route["to_port"]}" => route }
 from_port = each.value["from_port"]
 to_port = each.value["to_port"]
@@ -84,6 +88,8 @@ resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
 }
 resource "aws_ecs_service" "this" {
+ region = var.region
+
 availability_zone_rebalancing = var.availability_zone_rebalancing
 cluster = var.cluster_id
 deployment_maximum_percent = var.deployment_maximum_percent
@@ -164,6 +170,8 @@ resource "aws_ecs_task_definition" "this" {
 aws_iam_role.ecs_task_role
 ]
+ region = var.region
+
 container_definitions = local.container_definitions_string
 cpu = var.cpu
 execution_role_arn = var.task_execution_role_arn == "" ? aws_iam_role.task_execution_role[0].arn : var.task_execution_role_arn
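Review bot: The FIXME on `module "sg"` records that the ingress security group cannot follow `var.region`, but nothing in main.tf enforces it: `aws_ecs_service.this` and `aws_vpc_security_group_egress_rule.trusted_egress_attachment` now take `region = var.region` while the group stays in the provider's region, so a caller who sets `region` presumably ends up with a cross-region security-group reference that only surfaces at apply time (or, if it does not fail, with the service not attached to the intended ingress rules). Until the upstream module supports a region override, reject the combination at plan time with a precondition on the egress rule, whose body continues outside the hunk. The rewritten lines below go at the end of that resource body.
```hcl
resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
  # … unchanged: depends_on, region, for_each, port arguments …

  lifecycle {
    precondition {
      condition     = var.region == null || !var.create_ingress_security_group
      error_message = "region cannot be combined with create_ingress_security_group until the security-group module supports a region override."
    }
  }
```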
@@ -236,6 +244,8 @@ module "ecr" {
 source = "./modules/ecr"
 count = var.create_ecr_repository ? 1 : 0
+ region = var.region
+
 custom_lifecycle_policy = var.ecr_custom_lifecycle_policy
 enable_default_lifecycle_policy = var.ecr_enable_default_lifecycle_policy
 force_delete = var.ecr_force_delete
@@ -249,6 +259,8 @@ module "code_deploy" {
 source = "./modules/deployment"
 count = var.create_deployment_pipeline && (var.create_ecr_repository || var.ecr_repository_name != "") ? 1 : 0
+ region = var.region
+
 cluster_name = var.cluster_id
 container_name = local.container_name
 code_build_environment_compute_type = var.code_build_environment_compute_type
@@ -279,6 +291,8 @@ module "code_deploy" {
 resource "aws_appautoscaling_target" "ecs" {
 count = var.appautoscaling_settings != null ? 1 : 0
+ region = var.region
+
 max_capacity = lookup(var.appautoscaling_settings, "max_capacity", var.desired_count)
 min_capacity = lookup(var.appautoscaling_settings, "min_capacity", var.desired_count)
 resource_id = "service/${var.cluster_id}/${aws_ecs_service.this.name}"
@@ -289,6 +303,8 @@ resource "aws_appautoscaling_target" "ecs" {
 resource "aws_appautoscaling_policy" "ecs" {
 count = var.appautoscaling_settings != null ? 1 : 0
+ region = var.region
+
 name = "${var.service_name}-auto-scaling"
 policy_type = "TargetTrackingScaling"
 resource_id = aws_appautoscaling_target.ecs[count.index].resource_id
diff --git a/modules/deployment/code_build.tf b/modules/deployment/code_build.tf
index c838da4..805e96c 100644
--- a/modules/deployment/code_build.tf
+++ b/modules/deployment/code_build.tf
@@ -1,4 +1,6 @@
 resource "aws_cloudwatch_log_group" "this" {
+ region = var.region
+
 name = "/aws/codebuild/${var.service_name}-deployment"
 retention_in_days = var.code_build_log_retention_in_days
@@ -8,6 +10,8 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 resource "aws_codebuild_project" "this" {
+ region = var.region
+
 name = "${var.service_name}-deployment"
 service_role = var.code_build_role == "" ? aws_iam_role.code_build_role[0].arn : data.aws_iam_role.code_build[0].arn
diff --git a/modules/deployment/code_pipeline.tf b/modules/deployment/code_pipeline.tf
index 7faf23f..2e2b722 100644
--- a/modules/deployment/code_pipeline.tf
+++ b/modules/deployment/code_pipeline.tf
@@ -1,4 +1,6 @@
 resource "aws_codepipeline" "codepipeline" {
+ region = var.region
+
 name = var.service_name
 pipeline_type = var.code_pipeline_type
 role_arn = var.code_pipeline_role == "" ? aws_iam_role.code_pipeline_role[0].arn : data.aws_iam_role.code_pipeline[0].arn
diff --git a/modules/deployment/data.tf b/modules/deployment/data.tf
index f55ea98..b9daeea 100644
--- a/modules/deployment/data.tf
+++ b/modules/deployment/data.tf
@@ -1,5 +1,7 @@
 data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
+data "aws_region" "current" {
+ region = var.region
+}
 data "aws_iam_role" "code_build" {
 count = var.code_build_role != "" ? 1 : 0
diff --git a/modules/deployment/notification.tf b/modules/deployment/notification.tf
index 6a8b138..cbceebb 100644
--- a/modules/deployment/notification.tf
+++ b/modules/deployment/notification.tf
@@ -14,6 +14,7 @@ data "aws_iam_policy_document" "sns_codestar_policy" {
 }
 resource "aws_codestarnotifications_notification_rule" "notification" {
+ region = var.region
 detail_type = var.codestar_notifications_detail_type
 event_type_ids = var.codestar_notifications_event_type_ids
@@ -32,6 +33,8 @@ resource "aws_codestarnotifications_notification_rule" "notification" {
 resource "aws_sns_topic" "notifications" {
 count = var.codestar_notifications_target_arn == "" ? 1 : 0
+ region = var.region
+
 name = "${var.service_name}-notifications"
 kms_master_key_id = var.codestar_notification_kms_master_key_id
 tags = merge(var.tags, {
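Review bot: `aws_codestarnotifications_notification_rule.notification` is the only resource in this series that receives `region = var.region` without the blank line separating it from the remaining arguments that every other hunk uses (compare `aws_sns_topic.notifications` in the next hunk of the same file and the resources in code_build.tf and code_pipeline.tf above); add the blank line after `region = var.region` so the files read uniformly. Also worth noting while here: `kms_master_key_id = var.codestar_notification_kms_master_key_id` on `aws_sns_topic.notifications` is a regional reference, so once `region` is set the key presumably has to exist in that region, which the description of that variable (outside this hunk) should state.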
@@ -42,6 +45,8 @@ resource "aws_sns_topic" "notifications" {
 resource "aws_sns_topic_policy" "notifications" {
 count = var.codestar_notifications_target_arn == "" ? 1 : 0
+ region = var.region
+
 arn = aws_sns_topic.notifications[count.index].arn
 policy = data.aws_iam_policy_document.sns_codestar_policy[count.index].json
 }
diff --git a/modules/deployment/s3.tf b/modules/deployment/s3.tf
index eea2e37..d3b28e2 100644
--- a/modules/deployment/s3.tf
+++ b/modules/deployment/s3.tf
@@ -1,8 +1,10 @@
 module "s3_bucket" {
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "5.6.0"
- create_bucket = var.artifact_bucket == "" ? true : false
+ region = var.region
+
+ create_bucket = var.artifact_bucket == "" ? true : false
 bucket = "codepipeline-bucket-${var.service_name}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.region}"
 force_destroy = true
diff --git a/modules/deployment/trigger.tf b/modules/deployment/trigger.tf
index f72ab0e..3798b1f 100644
--- a/modules/deployment/trigger.tf
+++ b/modules/deployment/trigger.tf
@@ -1,4 +1,6 @@
 resource "aws_cloudwatch_event_rule" "this" {
+ region = var.region
+
 name = "${var.service_name}-ecr-trigger"
 description = "Capture ECR push events."
diff --git a/modules/deployment/variables.tf b/modules/deployment/variables.tf
index e9785fc..6e111a6 100644
--- a/modules/deployment/variables.tf
+++ b/modules/deployment/variables.tf
@@ -127,3 +127,9 @@ variable "ecr_image_tag" {
 description = "Tag of the new image pushed to the Amazon ECR repository to trigger the deployment pipeline."
 type = string
 }
+
+variable "region" {
+ description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+ default = null
+ type = string
+}
diff --git a/modules/ecr/main.tf b/modules/ecr/main.tf
index d0bbe49..fcdf311 100644
--- a/modules/ecr/main.tf
+++ b/modules/ecr/main.tf
@@ -1,4 +1,6 @@
 resource "aws_ecr_repository" "this" {
+ region = var.region
+
 force_delete = var.force_delete
 image_tag_mutability = var.image_tag_mutability #tfsec:ignore:aws-ecr-enforce-immutable-repository
 name = var.name
@@ -12,6 +14,8 @@ resource "aws_ecr_repository" "this" {
 resource "aws_ecr_lifecycle_policy" "custom_lifecycle_policy" {
 count = var.custom_lifecycle_policy != null && !var.enable_default_lifecycle_policy ? 1 : 0
+ region = var.region
+
 repository = aws_ecr_repository.this.name
 policy = var.custom_lifecycle_policy
 }
@@ -19,6 +23,8 @@ resource "aws_ecr_lifecycle_policy" "custom_lifecycle_policy" {
 resource "aws_ecr_lifecycle_policy" "default_lifecycle_policy" {
 count = var.enable_default_lifecycle_policy ? 1 : 0
+ region = var.region
+
 repository = aws_ecr_repository.this.name
 policy = jsonencode({
 rules : [
diff --git a/modules/ecr/variables.tf b/modules/ecr/variables.tf
index 2c65093..76b2551 100644
--- a/modules/ecr/variables.tf
+++ b/modules/ecr/variables.tf
@@ -53,3 +53,9 @@ variable "tags" {
 description = "A mapping of tags to assign to the repository."
 type = map(string)
 }
+
+variable "region" {
+ description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+ default = null
+ type = string
+}
diff --git a/route53.tf b/route53.tf
index 29863cf..9df6c53 100644
--- a/route53.tf
+++ b/route53.tf
@@ -1,6 +1,8 @@
 resource "aws_service_discovery_service" "this" {
 count = var.service_discovery_dns_namespace != "" ? 1 : 0
+ region = var.region
+
 description = "Route 53 Auto Naming Service for ${var.service_name}"
 name = var.service_name
diff --git a/variables.tf b/variables.tf
index f0ca365..5d644cc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -459,3 +459,9 @@ variable "task_role_arn" {
 description = "ARN of the IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, the default ECS task role created in this module will be used."
 type = string
 }
+
+variable "region" {
+ description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+ default = null
+ type = string
+}
From 0aafc07507424c6e69184da6af00e8a207ec8e80 Mon Sep 17 00:00:00 2001
From: Moritz Zimmer
Date: Wed, 23 Jul 2025 09:21:03 +0200
Subject: [PATCH 2/3] linked comment
---
 main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index a20dc6c..40c6b89 100644
--- a/main.tf
+++ b/main.tf
@@ -60,7 +60,8 @@ data "aws_subnets" "selected" {
 }
 }
-// FIXME: the module is currently not upgraded to aws 6.x and doesn't support the `region` variable
+// FIXME: the module is currently not upgraded to aws 6.x and doesn't support the `region` variable, see https://github.com/terraform-aws-modules/terraform-aws-security-group/issues/341
+// update the complete example using a different region as soon as the module is fixed
 module "sg" {
 count = var.create_ingress_security_group && length(local.ingress_targets) > 0 ? 1 : 0
 source = "registry.terraform.io/terraform-aws-modules/security-group/aws"
From fd5216726b854ab4da4703130799db23a87bfe69 Mon Sep 17 00:00:00 2001
From: Moritz Zimmer
Date: Mon, 25 Aug 2025 11:29:00 +0200
Subject: [PATCH 3/3] rebased changes from main
---
 README.md | 1 +
 data.tf | 1 -
 main.tf | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6b999ff..73f40b6 100644
--- a/README.md
+++ b/README.md
@@ -274,6 +274,7 @@ for example.
 | [otel](#input\_otel) | Configuration for (optional) AWS Distro für OpenTelemetry sidecar. |
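Review bot: The new root `region` variable says it is "used in all region-aware resources", but the FIXME on `module "sg"` in main.tf (the patch 1 hunk on this file and the patch 2 hunk sharing this line) states that the ingress security-group module does not receive it, so the description overstates the contract a caller can rely on. Change the line to `description = "Alternative region used in all region-aware resources except the ingress security group module (see main.tf). If not set, the provider's region will be used."` and regenerate the README row added in patch 3 from it, since terraform-docs copies the description verbatim. Region-scoped inputs such as `cluster_id`, the `listener_arn` entries in `https_listener_rules` and the KMS key ids presumably have to belong to that region as well; one sentence saying so would spare callers an apply-time failure.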
object({
container_definition = optional(any, {})
enabled = optional(bool, false)
})
| `{}` | no |
 | [platform\_version](#input\_platform\_version) | The platform version on which to run your service. Defaults to LATEST. | `string` | `"LATEST"` | no |
 | [policy\_document](#input\_policy\_document) | AWS Policy JSON describing the permissions required for this service. | `string` | `""` | no |
+| [region](#input\_region) | Alternative region used in all region-aware resources. If not set, the provider's region will be used. | `string` | `null` | no |
 | [requires\_compatibilities](#input\_requires\_compatibilities) | The launch type the task is using. This enables a check to ensure that all of the parameters used in the task definition meet the requirements of the launch type. | `set(string)` |
[
"EC2",
"FARGATE"
]
| no |
 | [security\_groups](#input\_security\_groups) | A list of security group ids that will be attached additionally to the ecs deployment. | `list(string)` | `[]` | no |
 | [service\_discovery\_dns\_namespace](#input\_service\_discovery\_dns\_namespace) | The ID of a Service Discovery private DNS namespace. If provided, the module will create a Route 53 Auto Naming Service to enable service discovery using Cloud Map. | `string` | `""` | no |
diff --git a/data.tf b/data.tf
index 9143fb9..b2dc9dc 100644
--- a/data.tf
+++ b/data.tf
@@ -3,4 +3,3 @@ data "aws_region" "current" {
 }
 data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
diff --git a/main.tf b/main.tf
index 40c6b89..b1420f5 100644
--- a/main.tf
+++ b/main.tf
@@ -75,7 +75,7 @@ module "sg" {
 }
 resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
- depends_on = [data.aws_lb.public]
+ depends_on = [data.aws_lb.public]
 region = var.region