diff --git a/README.md b/README.md
index b8d2c54..31a5e21 100644
--- a/README.md
+++ b/README.md
@@ -162,14 +162,14 @@ Available targets:
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 4.7.0 |
| [null](#requirement\_null) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.7.0 |
| [null](#provider\_null) | >= 2.0 |
## Modules
@@ -295,6 +295,7 @@ Available targets:
| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| [user\_data](#input\_user\_data) | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; use `user_data_base64` instead | `string` | `null` | no |
| [user\_data\_base64](#input\_user\_data\_base64) | Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption | `string` | `null` | no |
+| [user\_data\_replace\_on\_change](#input\_user\_data\_replace\_on\_change) | When used in combination with user\_data or user\_data\_base64 will trigger a destroy and recreate when set to true. | `bool` | `false` | no |
| [volume\_tags\_enabled](#input\_volume\_tags\_enabled) | Whether or not to copy instance tags to root and EBS volumes | `bool` | `true` | no |
| [vpc\_id](#input\_vpc\_id) | The ID of the VPC that the instance security group belongs to | `string` | n/a | yes |
diff --git a/docs/terraform.md b/docs/terraform.md
index ea5b853..6f60f74 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -4,14 +4,14 @@
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 4.7.0 |
| [null](#requirement\_null) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.7.0 |
| [null](#provider\_null) | >= 2.0 |
## Modules
@@ -137,6 +137,7 @@
| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| [user\_data](#input\_user\_data) | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; use `user_data_base64` instead | `string` | `null` | no |
| [user\_data\_base64](#input\_user\_data\_base64) | Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption | `string` | `null` | no |
+| [user\_data\_replace\_on\_change](#input\_user\_data\_replace\_on\_change) | When used in combination with user\_data or user\_data\_base64 will trigger a destroy and recreate when set to true. | `bool` | `false` | no |
| [volume\_tags\_enabled](#input\_volume\_tags\_enabled) | Whether or not to copy instance tags to root and EBS volumes | `bool` | `true` | no |
| [vpc\_id](#input\_vpc\_id) | The ID of the VPC that the instance security group belongs to | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 6b2f9be..c6d2894 100644
--- a/main.tf
+++ b/main.tf
@@ -103,6 +103,7 @@ resource "aws_iam_role" "default" {
resource "aws_instance" "default" {
#bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew supports conditional evaluation. See https://github.com/bridgecrewio/checkov/issues/793
+ #bridgecrew:skip=BC_AWS_GENERAL_68: Skipping ebs_optimized check for `true`
#bridgecrew:skip=BC_AWS_NETWORKING_47: Skiping `Ensure AWS EC2 instance is configured with VPC` because it is incorrectly flagging that this instance does not belong to a VPC even though subnet_id is configured.
count = local.instance_count
ami = local.ami
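Review bot: The new `#bridgecrew:skip=BC_AWS_GENERAL_68` line gives no reason for suppressing the ebs_optimized check, whereas the neighbouring BC_AWS_GENERAL_31 and BC_AWS_NETWORKING_47 skips each explain why the finding is a false positive or an accepted exception; a skip with no rationale tends to outlive the condition that justified it. If the check trips because `ebs_optimized` is driven by a variable rather than a literal `true` (the attribute is set outside this hunk, so this is inferred), say so on the line: `#bridgecrew:skip=BC_AWS_GENERAL_68: Skipping ebs_optimized check because the value comes from a variable and BridgeCrew cannot evaluate it conditionally; see <TRACKING-ISSUE-URL>`. The `aws_instance.default` resource body continues past this hunk.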
@@ -112,7 +113,8 @@ resource "aws_instance" "default" {
disable_api_termination = var.disable_api_termination
user_data = var.user_data
user_data_base64 = var.user_data_base64
- iam_instance_profile = var.instance_profile_enabled ? local.instance_profile : ""
+ user_data_replace_on_change = var.user_data_replace_on_change
+ iam_instance_profile = local.instance_profile
instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
associate_public_ip_address = var.external_network_interface_enabled ? null : var.associate_public_ip_address
key_name = var.ssh_key_pair
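Review bot: Replacing `var.instance_profile_enabled ? local.instance_profile : ""` with a bare `local.instance_profile` removes the only visible guard against attaching a profile when the caller disabled it; whether the behaviour is preserved now depends entirely on `local.instance_profile` evaluating to null or empty when `var.instance_profile_enabled` is false, and that local is defined outside this diff, so it cannot be confirmed here. An unintentionally attached instance profile exposes the role's credentials to every process on the instance via the metadata service, so the contract is worth stating on the line, e.g. `iam_instance_profile = local.instance_profile # must be null/"" when var.instance_profile_enabled is false; see locals`. If the local does not already encode that, the conditional should be kept or moved into the local. The enclosing `aws_instance.default` resource starts and ends outside this hunk.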
diff --git a/variables.tf b/variables.tf
index 494cbec..98ac4b7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,6 +28,12 @@ variable "user_data_base64" {
default = null
}
+variable "user_data_replace_on_change" {
+ type = bool
+ description = "When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true."
+ default = false
+}
+
variable "instance_type" {
type = string
description = "The type of the instance"
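Review bot: The description of the new `user_data_replace_on_change` variable reads awkwardly ("When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true") and does not say what event triggers the replacement, which matters because the consequence is a destroyed instance. Suggest `description = "If true, any change to user_data or user_data_base64 forces the instance to be destroyed and recreated instead of updated in place. Defaults to false, which preserves the previous in-place behaviour."`. The identical sentence appears in the README.md and docs/terraform.md hunks and looks generated from this description, so fixing it here should propagate on the next docs regeneration.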
diff --git a/versions.tf b/versions.tf
index b56bd24..9aa1a69 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 2.0"
+ version = ">= 4.7.0"
}
null = {
source = "hashicorp/null"