From a8a32149c4c3c5e0ea6058b602209d3f450dbbd7 Mon Sep 17 00:00:00 2001
From: Brandon Metcalf
Date: Sun, 24 Mar 2024 23:17:58 -0500
Subject: [PATCH] Add user_data_replace_on_change (#188)
* Add user_data_replace_on_change
* Skip check
* rebuild readme
* Update readme
---------
Co-authored-by: Joe Niland
---
 README.md | 5 +++--
 docs/terraform.md | 5 +++--
 main.tf | 4 +++-
 variables.tf | 6 ++++++
 versions.tf | 2 +-
 5 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index b8d2c54..31a5e21 100644
--- a/README.md
+++ b/README.md
@@ -162,14 +162,14 @@ Available targets:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 4.7.0 |
 | [null](#requirement\_null) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.7.0 |
 | [null](#provider\_null) | >= 2.0 |
 
 ## Modules
@@ -295,6 +295,7 @@ Available targets:
 | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
 | [user\_data](#input\_user\_data) | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; use `user_data_base64` instead | `string` | `null` | no |
 | [user\_data\_base64](#input\_user\_data\_base64) | Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption | `string` | `null` | no |
+| [user\_data\_replace\_on\_change](#input\_user\_data\_replace\_on\_change) | When used in combination with user\_data or user\_data\_base64 will trigger a destroy and recreate when set to true. | `bool` | `false` | no |
 | [volume\_tags\_enabled](#input\_volume\_tags\_enabled) | Whether or not to copy instance tags to root and EBS volumes | `bool` | `true` | no |
 | [vpc\_id](#input\_vpc\_id) | The ID of the VPC that the instance security group belongs to | `string` | n/a | yes |
 
diff --git a/docs/terraform.md b/docs/terraform.md
index ea5b853..6f60f74 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -4,14 +4,14 @@
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [aws](#requirement\_aws) | >= 4.7.0 |
 | [null](#requirement\_null) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.7.0 |
 | [null](#provider\_null) | >= 2.0 |
 
 ## Modules
@@ -137,6 +137,7 @@
 | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
 | [user\_data](#input\_user\_data) | The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; use `user_data_base64` instead | `string` | `null` | no |
 | [user\_data\_base64](#input\_user\_data\_base64) | Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption | `string` | `null` | no |
+| [user\_data\_replace\_on\_change](#input\_user\_data\_replace\_on\_change) | When used in combination with user\_data or user\_data\_base64 will trigger a destroy and recreate when set to true. | `bool` | `false` | no |
 | [volume\_tags\_enabled](#input\_volume\_tags\_enabled) | Whether or not to copy instance tags to root and EBS volumes | `bool` | `true` | no |
 | [vpc\_id](#input\_vpc\_id) | The ID of the VPC that the instance security group belongs to | `string` | n/a | yes |
 
diff --git a/main.tf b/main.tf
index 6b2f9be..c6d2894 100644
--- a/main.tf
+++ b/main.tf
@@ -103,6 +103,7 @@ resource "aws_iam_role" "default" {
 
 resource "aws_instance" "default" {
 #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew supports conditional evaluation. See https://github.com/bridgecrewio/checkov/issues/793
+ #bridgecrew:skip=BC_AWS_GENERAL_68: Skipping ebs_optimized check for `true`
 #bridgecrew:skip=BC_AWS_NETWORKING_47: Skiping `Ensure AWS EC2 instance is configured with VPC` because it is incorrectly flagging that this instance does not belong to a VPC even though subnet_id is configured.
 count = local.instance_count
 ami = local.ami
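Review bot: The new `#bridgecrew:skip=BC_AWS_GENERAL_68` line in the main.tf hunk suppresses the ebs_optimized policy finding for this resource but, unlike the two neighbouring skips, does not say why the finding does not apply here, so a later reader cannot tell whether the suppression is still justified or has simply been forgotten. A policy-check suppression should carry its rationale inline, in the same form as the BC_AWS_GENERAL_31 line above it; something like `#bridgecrew:skip=BC_AWS_GENERAL_68: Skipping ebs_optimized check because <reason this finding is a false positive for this module>` (placeholder to be filled by the author), presumably because the value is caller-controlled rather than fixed — confirm. The aws_instance block continues outside the hunk.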
@@ -112,7 +113,8 @@ resource "aws_instance" "default" {
 disable_api_termination = var.disable_api_termination
 user_data = var.user_data
 user_data_base64 = var.user_data_base64
- iam_instance_profile = var.instance_profile_enabled ? local.instance_profile : ""
+ user_data_replace_on_change = var.user_data_replace_on_change
+ iam_instance_profile = local.instance_profile
 instance_initiated_shutdown_behavior = var.instance_initiated_shutdown_behavior
 associate_public_ip_address = var.external_network_interface_enabled ? null : var.associate_public_ip_address
 key_name = var.ssh_key_pair
diff --git a/variables.tf b/variables.tf
index 494cbec..98ac4b7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,6 +28,12 @@ variable "user_data_base64" {
 default = null
 }
 
+variable "user_data_replace_on_change" {
+ type = bool
+ description = "When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true."
+ default = false
+}
+
 variable "instance_type" {
 type = string
 description = "The type of the instance"
diff --git a/versions.tf b/versions.tf
index b56bd24..9aa1a69 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 2.0"
+ version = ">= 4.7.0"
 }
 null = {
 source = "hashicorp/null"
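Review bot: The `iam_instance_profile` line in the main.tf hunk drops the `var.instance_profile_enabled ? local.instance_profile : ""` guard and now always passes `local.instance_profile`, a change that neither the commit title nor its bullet list mentions. Unless `local.instance_profile`, defined outside this hunk, already resolves to an empty value when `var.instance_profile_enabled` is false — which cannot be confirmed from the diff — instances created with the profile disabled would now get an IAM instance profile attached, which changes the set of credentials reachable from the instance metadata service. Either keep the guard, `iam_instance_profile = var.instance_profile_enabled ? local.instance_profile : ""`, or add a comment on the line that states the local handles the disabled case, e.g. `# local.instance_profile is empty when var.instance_profile_enabled is false`. The aws_instance block continues outside the hunk on both sides.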
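Review bot: The description of the new `user_data_replace_on_change` variable in the variables.tf hunk says that `true` triggers a destroy and recreate but not what that costs the caller, and the cost is what a module user needs to know before enabling it: every later change to `user_data` or `user_data_base64` replaces the instance, so its instance ID, any non-persistent addresses and any data on instance-store volumes are lost. Suggest extending the string, e.g. `description = "When used in combination with user_data or user_data_base64, will destroy and recreate the instance whenever the user data changes if set to true. Replacement discards the instance ID, non-persistent addresses and instance-store data; when false, user data changes are applied without replacing the instance."`. The final clause describes the AWS provider behaviour from 4.7.0, which is the minimum that versions.tf in this commit now requires, so the two hunks are consistent. The variable block is complete within the hunk.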