feat: enhanced region support

README.md

@@ -274,6 +274,7 @@ for example.
 | <a name="input_otel"></a> [otel](#input\_otel) | Configuration for (optional) AWS Distro für OpenTelemetry sidecar. | <pre>object({<br/>    container_definition = optional(any, {})<br/>    enabled              = optional(bool, false)<br/>  })</pre> | `{}` | no |
 | <a name="input_platform_version"></a> [platform\_version](#input\_platform\_version) | The platform version on which to run your service. Defaults to LATEST. | `string` | `"LATEST"` | no |
 | <a name="input_policy_document"></a> [policy\_document](#input\_policy\_document) | AWS Policy JSON describing the permissions required for this service. | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | Alternative region used in all region-aware resources. If not set, the provider's region will be used. | `string` | `null` | no |
 | <a name="input_requires_compatibilities"></a> [requires\_compatibilities](#input\_requires\_compatibilities) | The launch type the task is using. This enables a check to ensure that all of the parameters used in the task definition meet the requirements of the launch type. | `set(string)` | <pre>[<br/>  "EC2",<br/>  "FARGATE"<br/>]</pre> | no |
 | <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | A list of security group ids that will be attached additionally to the ecs deployment. | `list(string)` | `[]` | no |
 | <a name="input_service_discovery_dns_namespace"></a> [service\_discovery\_dns\_namespace](#input\_service\_discovery\_dns\_namespace) | The ID of a Service Discovery private DNS namespace. If provided, the module will create a Route 53 Auto Naming Service to enable service discovery using Cloud Map. | `string` | `""` | no |

alb.tf

@@ -5,6 +5,8 @@
 resource "aws_alb_target_group" "main" {
   count = length(var.target_groups)
 
+  region = var.region
+
   name        = lookup(var.target_groups[count.index], "name", null)
   name_prefix = lookup(var.target_groups[count.index], "name_prefix", null)
 
@@ -47,6 +49,8 @@ resource "aws_alb_target_group" "main" {
 resource "aws_alb_listener_rule" "public" {
   count = length(var.https_listener_rules)
 
+  region = var.region
+
   listener_arn = lookup(var.https_listener_rules[count.index], "listener_arn", null)
   priority     = lookup(var.https_listener_rules[count.index], "priority", null)
 

cloudwatch_logs.tf

@@ -1,6 +1,8 @@
 resource "aws_cloudwatch_log_group" "containers" {
   count = var.cloudwatch_logs.enabled && var.cloudwatch_logs.name == "" ? 1 : 0
 
+  region = var.region
+
   name              = var.cloudwatch_logs.name == "" ? "/aws/ecs/${var.service_name}" : var.cloudwatch_logs.name
   retention_in_days = var.cloudwatch_logs.retention_in_days
   tags              = var.tags

data.tf

@@ -1,2 +1,5 @@
-data "aws_region" "current" {}
+data "aws_region" "current" {
+  region = var.region
+}
+
 data "aws_caller_identity" "current" {}

examples/fixtures/context/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12-alpine
+FROM python:3.13-alpine
 
 RUN addgroup -S app && adduser -S app -G app
 WORKDIR /home/app

main.tf

@@ -60,6 +60,8 @@ data "aws_subnets" "selected" {
   }
 }
 
+// FIXME: the module is currently not upgraded to aws 6.x and doesn't support the `region` variable, see https://github.com/terraform-aws-modules/terraform-aws-security-group/issues/341
+// update the complete example using a different region as soon as the module is fixed
 module "sg" {
   count   = var.create_ingress_security_group && length(local.ingress_targets) > 0 ? 1 : 0
   source  = "registry.terraform.io/terraform-aws-modules/security-group/aws"
@@ -73,7 +75,10 @@ module "sg" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
-  depends_on                   = [data.aws_lb.public]
+  depends_on = [data.aws_lb.public]
+
+  region = var.region
+
   for_each                     = { for route in local.ingress_targets : "${route["prefix"]}-${route["protocol"]}-${route["from_port"]}-${route["to_port"]}" => route }
   from_port                    = each.value["from_port"]
   to_port                      = each.value["to_port"]
@@ -84,6 +89,8 @@ resource "aws_vpc_security_group_egress_rule" "trusted_egress_attachment" {
 }
 
 resource "aws_ecs_service" "this" {
+  region = var.region
+
   availability_zone_rebalancing      = var.availability_zone_rebalancing
   cluster                            = var.cluster_id
   deployment_maximum_percent         = var.deployment_maximum_percent
@@ -164,6 +171,8 @@ resource "aws_ecs_task_definition" "this" {
     aws_iam_role.ecs_task_role
   ]
 
+  region = var.region
+
   container_definitions    = local.container_definitions_string
   cpu                      = var.cpu
   execution_role_arn       = var.task_execution_role_arn == "" ? aws_iam_role.task_execution_role[0].arn : var.task_execution_role_arn
@@ -236,6 +245,8 @@ module "ecr" {
   source = "./modules/ecr"
   count  = var.create_ecr_repository ? 1 : 0
 
+  region = var.region
+
   custom_lifecycle_policy         = var.ecr_custom_lifecycle_policy
   enable_default_lifecycle_policy = var.ecr_enable_default_lifecycle_policy
   force_delete                    = var.ecr_force_delete
@@ -249,6 +260,8 @@ module "code_deploy" {
   source = "./modules/deployment"
   count  = var.create_deployment_pipeline && (var.create_ecr_repository || var.ecr_repository_name != "") ? 1 : 0
 
+  region = var.region
+
   cluster_name                            = var.cluster_id
   container_name                          = local.container_name
   code_build_environment_compute_type     = var.code_build_environment_compute_type
@@ -279,6 +292,8 @@ module "code_deploy" {
 resource "aws_appautoscaling_target" "ecs" {
   count = var.appautoscaling_settings != null ? 1 : 0
 
+  region = var.region
+
   max_capacity       = lookup(var.appautoscaling_settings, "max_capacity", var.desired_count)
   min_capacity       = lookup(var.appautoscaling_settings, "min_capacity", var.desired_count)
   resource_id        = "service/${var.cluster_id}/${aws_ecs_service.this.name}"
@@ -289,6 +304,8 @@ resource "aws_appautoscaling_target" "ecs" {
 resource "aws_appautoscaling_policy" "ecs" {
   count = var.appautoscaling_settings != null ? 1 : 0
 
+  region = var.region
+
   name               = "${var.service_name}-auto-scaling"
   policy_type        = "TargetTrackingScaling"
   resource_id        = aws_appautoscaling_target.ecs[count.index].resource_id

modules/deployment/code_build.tf

@@ -1,4 +1,6 @@
 resource "aws_cloudwatch_log_group" "this" {
+  region = var.region
+
   name              = "/aws/codebuild/${var.service_name}-deployment"
   retention_in_days = var.code_build_log_retention_in_days
 
@@ -8,6 +10,8 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 
 resource "aws_codebuild_project" "this" {
+  region = var.region
+
   name         = "${var.service_name}-deployment"
   service_role = var.code_build_role == "" ? aws_iam_role.code_build_role[0].arn : data.aws_iam_role.code_build[0].arn
 

modules/deployment/code_pipeline.tf

@@ -1,4 +1,6 @@
 resource "aws_codepipeline" "codepipeline" {
+  region = var.region
+
   name          = var.service_name
   pipeline_type = var.code_pipeline_type
   role_arn      = var.code_pipeline_role == "" ? aws_iam_role.code_pipeline_role[0].arn : data.aws_iam_role.code_pipeline[0].arn

modules/deployment/data.tf

@@ -1,5 +1,7 @@
 data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
+data "aws_region" "current" {
+  region = var.region
+}
 
 data "aws_iam_role" "code_build" {
   count = var.code_build_role != "" ? 1 : 0

modules/deployment/notification.tf

@@ -14,6 +14,7 @@ data "aws_iam_policy_document" "sns_codestar_policy" {
 }
 
 resource "aws_codestarnotifications_notification_rule" "notification" {
+  region = var.region
 
   detail_type    = var.codestar_notifications_detail_type
   event_type_ids = var.codestar_notifications_event_type_ids
@@ -32,6 +33,8 @@ resource "aws_codestarnotifications_notification_rule" "notification" {
 resource "aws_sns_topic" "notifications" {
   count = var.codestar_notifications_target_arn == "" ? 1 : 0
 
+  region = var.region
+
   name              = "${var.service_name}-notifications"
   kms_master_key_id = var.codestar_notification_kms_master_key_id
   tags = merge(var.tags, {
@@ -42,6 +45,8 @@ resource "aws_sns_topic" "notifications" {
 resource "aws_sns_topic_policy" "notifications" {
   count = var.codestar_notifications_target_arn == "" ? 1 : 0
 
+  region = var.region
+
   arn    = aws_sns_topic.notifications[count.index].arn
   policy = data.aws_iam_policy_document.sns_codestar_policy[count.index].json
 }

modules/deployment/s3.tf

@@ -1,8 +1,10 @@
 module "s3_bucket" {
   source        = "terraform-aws-modules/s3-bucket/aws"
   version       = "5.6.0"
-  create_bucket = var.artifact_bucket == "" ? true : false
 
+  region = var.region
+
+  create_bucket = var.artifact_bucket == "" ? true : false
   bucket        = "codepipeline-bucket-${var.service_name}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.region}"
   force_destroy = true
 

modules/deployment/trigger.tf

@@ -1,4 +1,6 @@
 resource "aws_cloudwatch_event_rule" "this" {
+  region = var.region
+
   name        = "${var.service_name}-ecr-trigger"
   description = "Capture ECR push events."
 

modules/deployment/variables.tf

@@ -127,3 +127,9 @@ variable "ecr_image_tag" {
   description = "Tag of the new image pushed to the Amazon ECR repository to trigger the deployment pipeline."
   type        = string
 }
+
+variable "region" {
+  description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+  default     = null
+  type        = string
+}

modules/ecr/main.tf

@@ -1,4 +1,6 @@
 resource "aws_ecr_repository" "this" {
+  region = var.region
+
   force_delete         = var.force_delete
   image_tag_mutability = var.image_tag_mutability #tfsec:ignore:aws-ecr-enforce-immutable-repository
   name                 = var.name
@@ -12,13 +14,17 @@ resource "aws_ecr_repository" "this" {
 resource "aws_ecr_lifecycle_policy" "custom_lifecycle_policy" {
   count = var.custom_lifecycle_policy != null && !var.enable_default_lifecycle_policy ? 1 : 0
 
+  region = var.region
+
   repository = aws_ecr_repository.this.name
   policy     = var.custom_lifecycle_policy
 }
 
 resource "aws_ecr_lifecycle_policy" "default_lifecycle_policy" {
   count = var.enable_default_lifecycle_policy ? 1 : 0
 
+  region = var.region
+
   repository = aws_ecr_repository.this.name
   policy = jsonencode({
     rules : [

modules/ecr/variables.tf

@@ -53,3 +53,9 @@ variable "tags" {
   description = "A mapping of tags to assign to the repository."
   type        = map(string)
 }
+
+variable "region" {
+  description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+  default     = null
+  type        = string
+}

route53.tf

@@ -1,6 +1,8 @@
 resource "aws_service_discovery_service" "this" {
   count = var.service_discovery_dns_namespace != "" ? 1 : 0
 
+  region = var.region
+
   description = "Route 53 Auto Naming Service for ${var.service_name}"
   name        = var.service_name
 

variables.tf

@@ -459,3 +459,9 @@ variable "task_role_arn" {
   description = "ARN of the IAM role that allows your Amazon ECS container task to make calls to other AWS services. If not specified, the default ECS task role created in this module will be used."
   type        = string
 }
+
+variable "region" {
+  description = "Alternative region used in all region-aware resources. If not set, the provider's region will be used."
+  default     = null
+  type        = string
+}