feat!: Upgrade min AWS provider and Terraform versions to 6.5 and 1.5.7 respectively

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.99.5
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

examples/complete/README.md

@@ -22,14 +22,14 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.2 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.5 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.5 |
 
 ## Modules
 
@@ -39,7 +39,7 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_network_firewall_disabled"></a> [network\_firewall\_disabled](#module\_network\_firewall\_disabled) | ../.. | n/a |
 | <a name="module_network_firewall_rule_group_stateful"></a> [network\_firewall\_rule\_group\_stateful](#module\_network\_firewall\_rule\_group\_stateful) | ../../modules/rule-group | n/a |
 | <a name="module_network_firewall_rule_group_stateless"></a> [network\_firewall\_rule\_group\_stateless](#module\_network\_firewall\_rule\_group\_stateless) | ../../modules/rule-group | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 

examples/complete/main.tf

@@ -187,7 +187,7 @@ module "network_firewall_rule_group_stateless" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr

examples/complete/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.2"
+      version = ">= 6.5"
     }
   }
 }

examples/separate/README.md

@@ -23,14 +23,14 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.2 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.5 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.5 |
 
 ## Modules
 
@@ -43,7 +43,7 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_network_firewall_rule_group_disabled"></a> [network\_firewall\_rule\_group\_disabled](#module\_network\_firewall\_rule\_group\_disabled) | ../../modules/rule-group | n/a |
 | <a name="module_network_firewall_rule_group_stateful"></a> [network\_firewall\_rule\_group\_stateful](#module\_network\_firewall\_rule\_group\_stateful) | ../../modules/rule-group | n/a |
 | <a name="module_network_firewall_rule_group_stateless"></a> [network\_firewall\_rule\_group\_stateless](#module\_network\_firewall\_rule\_group\_stateless) | ../../modules/rule-group | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 

examples/separate/main.tf

@@ -209,7 +209,7 @@ module "network_firewall_rule_group_disabled" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr

examples/separate/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.2"
+      version = ">= 6.5"
     }
   }
 }

main.tf

@@ -6,17 +6,22 @@ module "firewall" {
   source = "./modules/firewall"
 
   create = var.create
+  region = var.region
 
   # Firewall
-  delete_protection                 = var.delete_protection
-  description                       = var.description
-  encryption_configuration          = var.encryption_configuration
-  firewall_policy_arn               = var.create_policy ? module.policy.arn : var.firewall_policy_arn
-  firewall_policy_change_protection = var.firewall_policy_change_protection
-  name                              = var.name
-  subnet_change_protection          = var.subnet_change_protection
-  subnet_mapping                    = var.subnet_mapping
-  vpc_id                            = var.vpc_id
+  availability_zone_change_protection = var.availability_zone_change_protection
+  availability_zone_mapping           = var.availability_zone_mapping
+  delete_protection                   = var.delete_protection
+  description                         = var.description
+  enabled_analysis_types              = var.enabled_analysis_types
+  encryption_configuration            = var.encryption_configuration
+  firewall_policy_arn                 = var.create_policy ? module.policy.arn : var.firewall_policy_arn
+  firewall_policy_change_protection   = var.firewall_policy_change_protection
+  name                                = var.name
+  subnet_change_protection            = var.subnet_change_protection
+  subnet_mapping                      = var.subnet_mapping
+  transit_gateway_id                  = var.transit_gateway_id
+  vpc_id                              = var.vpc_id
 
   # Logging
   create_logging_configuration             = var.create_logging_configuration
@@ -33,10 +38,12 @@ module "policy" {
   source = "./modules/policy"
 
   create = var.create && var.create_policy
+  region = var.region
 
   # Policy
   description                        = var.policy_description
   encryption_configuration           = var.policy_encryption_configuration
+  policy_variables                   = var.policy_variables
   stateful_default_actions           = var.policy_stateful_default_actions
   stateful_engine_options            = var.policy_stateful_engine_options
   stateful_rule_group_reference      = var.policy_stateful_rule_group_reference

modules/firewall/README.md

@@ -62,14 +62,14 @@ module "network_firewall" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.2 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.5 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.5 |
 
 ## Modules
 
@@ -86,19 +86,24 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_availability_zone_change_protection"></a> [availability\_zone\_change\_protection](#input\_availability\_zone\_change\_protection) | A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones | `bool` | `null` | no |
+| <a name="input_availability_zone_mapping"></a> [availability\_zone\_mapping](#input\_availability\_zone\_mapping) | Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall | <pre>list(object({<br/>    availability_zone_id = string<br/>  }))</pre> | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created | `bool` | `true` | no |
 | <a name="input_create_logging_configuration"></a> [create\_logging\_configuration](#input\_create\_logging\_configuration) | Controls if a Logging Configuration should be created | `bool` | `false` | no |
 | <a name="input_delete_protection"></a> [delete\_protection](#input\_delete\_protection) | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true` | `bool` | `true` | no |
-| <a name="input_description"></a> [description](#input\_description) | A friendly description of the firewall | `string` | `""` | no |
-| <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | KMS encryption configuration settings | `any` | `{}` | no |
+| <a name="input_description"></a> [description](#input\_description) | A friendly description of the firewall | `string` | `null` | no |
+| <a name="input_enabled_analysis_types"></a> [enabled\_analysis\_types](#input\_enabled\_analysis\_types) | Set of types for which to collect analysis metrics. Valid values: `TLS_SNI`, `HTTP_HOST`. Defaults to `[]` | `list(string)` | `[]` | no |
+| <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | KMS encryption configuration settings | <pre>object({<br/>    key_id = optional(string)<br/>    type   = string<br/>  })</pre> | `null` | no |
 | <a name="input_firewall_policy_arn"></a> [firewall\_policy\_arn](#input\_firewall\_policy\_arn) | The ARN of the Firewall Policy to use | `string` | `""` | no |
 | <a name="input_firewall_policy_change_protection"></a> [firewall\_policy\_change\_protection](#input\_firewall\_policy\_change\_protection) | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false` | `bool` | `null` | no |
-| <a name="input_logging_configuration_destination_config"></a> [logging\_configuration\_destination\_config](#input\_logging\_configuration\_destination\_config) | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | `any` | `[]` | no |
+| <a name="input_logging_configuration_destination_config"></a> [logging\_configuration\_destination\_config](#input\_logging\_configuration\_destination\_config) | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | <pre>list(object({<br/>    log_destination      = map(string)<br/>    log_destination_type = string<br/>    log_type             = string<br/>  }))</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | A friendly name of the firewall | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_subnet_change_protection"></a> [subnet\_change\_protection](#input\_subnet\_change\_protection) | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `true` | `bool` | `true` | no |
-| <a name="input_subnet_mapping"></a> [subnet\_mapping](#input\_subnet\_mapping) | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | `any` | `{}` | no |
+| <a name="input_subnet_mapping"></a> [subnet\_mapping](#input\_subnet\_mapping) | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | <pre>map(object({<br/>    ip_address_type = optional(string)<br/>    subnet_id       = string<br/>  }))</pre> | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
-| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The unique identifier of the VPC where AWS Network Firewall should create the firewall | `string` | `""` | no |
+| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | The ID of the transit gateway to which the firewall is attached. Required when creating a transit gateway-attached firewall | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The unique identifier of the VPC where AWS Network Firewall should create the firewall | `string` | `null` | no |
 
 ## Outputs
 

modules/firewall/main.tf

@@ -5,14 +5,27 @@
 resource "aws_networkfirewall_firewall" "this" {
   count = var.create ? 1 : 0
 
-  delete_protection = var.delete_protection
-  description       = var.description
+  region = var.region
+
+  availability_zone_change_protection = var.availability_zone_change_protection
+
+  dynamic "availability_zone_mapping" {
+    for_each = var.availability_zone_mapping != null ? var.availability_zone_mapping : []
+
+    content {
+      availability_zone_id = availability_zone_mapping.value.availability_zone_id
+    }
+  }
+
+  delete_protection      = var.delete_protection
+  description            = var.description
+  enabled_analysis_types = var.enabled_analysis_types
 
   dynamic "encryption_configuration" {
-    for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
+    for_each = var.encryption_configuration != null ? [var.encryption_configuration] : []
 
     content {
-      key_id = try(encryption_configuration.value.key_id, null)
+      key_id = encryption_configuration.value.key_id
       type   = encryption_configuration.value.type
     }
   }
@@ -23,15 +36,16 @@ resource "aws_networkfirewall_firewall" "this" {
   subnet_change_protection          = var.subnet_change_protection
 
   dynamic "subnet_mapping" {
-    for_each = var.subnet_mapping
+    for_each = var.subnet_mapping != null ? var.subnet_mapping : {}
 
     content {
-      ip_address_type = try(subnet_mapping.value.ip_address_type, null)
+      ip_address_type = subnet_mapping.value.ip_address_type
       subnet_id       = subnet_mapping.value.subnet_id
     }
   }
 
-  vpc_id = var.vpc_id
+  transit_gateway_id = var.transit_gateway_id
+  vpc_id             = var.vpc_id
 
   tags = var.tags
 }
@@ -43,12 +57,15 @@ resource "aws_networkfirewall_firewall" "this" {
 resource "aws_networkfirewall_logging_configuration" "this" {
   count = var.create && var.create_logging_configuration ? 1 : 0
 
+  region = var.region
+
   firewall_arn = aws_networkfirewall_firewall.this[0].arn
 
   logging_configuration {
     # At least one config, at most, only two blocks can be specified; one for `FLOW` logs and one for `ALERT` logs.
     dynamic "log_destination_config" {
-      for_each = var.logging_configuration_destination_config
+      for_each = var.logging_configuration_destination_config != null ? var.logging_configuration_destination_config : []
+
       content {
         log_destination      = log_destination_config.value.log_destination
         log_destination_type = log_destination_config.value.log_destination_type

modules/firewall/variables.tf

@@ -2,6 +2,13 @@ variable "create" {
   description = "Controls if resources should be created"
   type        = bool
   default     = true
+  nullable    = false
+}
+
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
 }
 
 variable "tags" {
@@ -14,22 +21,47 @@ variable "tags" {
 # Firewall
 ################################################################################
 
+variable "availability_zone_change_protection" {
+  description = " A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones"
+  type        = bool
+  default     = null
+}
+
+variable "availability_zone_mapping" {
+  description = "Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall"
+  type = list(object({
+    availability_zone_id = string
+  }))
+  default = null
+}
+
 variable "delete_protection" {
   description = "A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true`"
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "description" {
   description = "A friendly description of the firewall"
   type        = string
-  default     = ""
+  default     = null
+}
+
+variable "enabled_analysis_types" {
+  description = "Set of types for which to collect analysis metrics. Valid values: `TLS_SNI`, `HTTP_HOST`. Defaults to `[]`"
+  type        = list(string)
+  default     = []
+  nullable    = false
 }
 
 variable "encryption_configuration" {
   description = "KMS encryption configuration settings"
-  type        = any
-  default     = {}
+  type = object({
+    key_id = optional(string)
+    type   = string
+  })
+  default = null
 }
 
 variable "firewall_policy_arn" {
@@ -58,14 +90,23 @@ variable "subnet_change_protection" {
 
 variable "subnet_mapping" {
   description = "Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet"
-  type        = any
-  default     = {}
+  type = map(object({
+    ip_address_type = optional(string)
+    subnet_id       = string
+  }))
+  default = null
+}
+
+variable "transit_gateway_id" {
+  description = "The ID of the transit gateway to which the firewall is attached. Required when creating a transit gateway-attached firewall"
+  type        = string
+  default     = null
 }
 
 variable "vpc_id" {
   description = "The unique identifier of the VPC where AWS Network Firewall should create the firewall"
   type        = string
-  default     = ""
+  default     = null
 }
 
 ################################################################################
@@ -76,10 +117,15 @@ variable "create_logging_configuration" {
   description = "Controls if a Logging Configuration should be created"
   type        = bool
   default     = false
+  nullable    = false
 }
 
 variable "logging_configuration_destination_config" {
   description = "A list of min 1, max 2 configuration blocks describing the destination for the logging configuration"
-  type        = any
-  default     = []
+  type = list(object({
+    log_destination      = map(string)
+    log_destination_type = string
+    log_type             = string
+  }))
+  default = null
 }

modules/firewall/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.2"
+      version = ">= 6.5"
     }
   }
 }