
Updates for TF15

* Updates account_standards_c2 to use `[]` instead of deprecated `list()`
* Replaces map() functions to use {}
* Marks sensitive outputs as 'sensitive'.
* Updates provider blocks in dns entries to be required_providers blocks due to a deprecation warning. (This has wide-ranging impact.)

To be tagged v1.24.0
Fred Damstra [afs macbook] 4 年之前
當前提交
937f487184

+ 3 - 2
base/account_standards_c2/config_bucket.tf

@@ -3,7 +3,7 @@ module "xdr_config_logging_bucket" {
   source = "../../thirdparty/terraform-aws-s3logging-bucket"
 
   bucket_name = "xdr-config-${var.environment}-access-logs"
-  lifecycle_rules = list(
+  lifecycle_rules = [
     {
       id                            = "expire-old-logs"
       enabled                       = true
@@ -11,7 +11,8 @@ module "xdr_config_logging_bucket" {
       expiration                    = 30
       noncurrent_version_expiration = 30
       abort_incomplete_multipart_upload_days = 7
-  })
+    }
+  ]
   tags = merge(var.standard_tags, var.tags)
   versioning_enabled = true
 }

+ 3 - 2
base/account_standards_c2/elb_bucket.tf

@@ -5,7 +5,7 @@ module "elb_logging_logging_bucket" {
   source = "../../thirdparty/terraform-aws-s3logging-bucket"
 
   bucket_name = "xdr-elb-${var.environment}-access-logs"
-  lifecycle_rules = list(
+  lifecycle_rules = [
     {
       id                            = "expire-old-logs"
       enabled                       = true
@@ -13,7 +13,8 @@ module "elb_logging_logging_bucket" {
       expiration                    = 30
       noncurrent_version_expiration = 30
       abort_incomplete_multipart_upload_days = 7
-  })
+    }
+  ]
   tags = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." } )
   versioning_enabled = true
 }

+ 1 - 0
base/account_standards_c2/iam.moose-hf.tf

@@ -37,6 +37,7 @@ output access_keys {
       "aws_secret_access_key": aws_iam_access_key.moose-hf-v0.secret
     }
   }
+  sensitive = true
 }
 
 ######################
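Review bot: `sensitive = true` on `access_keys` only redacts the value in plan/apply output and in the output listing; `aws_iam_access_key.moose-hf-v0.secret` is still written to the state file in plaintext, and nothing here records that. I would add a comment above the new line, `# sensitive only hides this from CLI output; the secret is still plaintext in state`, and confirm that the state backend is encrypted and access-restricted. For the two `.secret` outputs (this one and base/salt_master_inventory_role/user.tf), setting `pgp_key` on the access key and exporting `encrypted_secret` would keep the plaintext out of state, at the cost of a decryption step for the consumer. The same state caveat applies to the two SMTP password outputs marked sensitive in base/mailrelay/ses.tf. The output block and the key resource start outside the hunk.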

+ 6 - 4
base/account_standards_c2/main.tf

@@ -3,7 +3,7 @@ module "s3_logging_bucket" {
   source = "../../thirdparty/terraform-aws-s3logging-bucket"
 
   bucket_name = "xdr-cloudtrail-logs-${var.environment}-access-logs"
-  lifecycle_rules = list(
+  lifecycle_rules = [
     {
       id                            = "expire-old-logs"
       enabled                       = true
@@ -11,7 +11,8 @@ module "s3_logging_bucket" {
       expiration                    = 30
       noncurrent_version_expiration = 30
       abort_incomplete_multipart_upload_days = 7
-  })
+    }
+  ]
   tags = merge(var.standard_tags, var.tags)
   versioning_enabled = true
 }
@@ -24,7 +25,7 @@ module "cloudtrail_logging_bucket" {
   logging_bucket = module.s3_logging_bucket.s3_bucket_name
   region = var.aws_region
   tags = merge(var.standard_tags, var.tags)
-  lifecycle_rules = list(
+  lifecycle_rules = [
     {
       id                            = "expire-old-logs"
       enabled                       = true
@@ -32,7 +33,8 @@ module "cloudtrail_logging_bucket" {
       expiration                    = 30
       noncurrent_version_expiration = 30
       abort_incomplete_multipart_upload_days = 7
-  })
+    }
+  ]
 }
 
 resource "aws_s3_bucket_notification" "on_new_object" {
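Review bot: The `expire-old-logs` rule on `cloudtrail_logging_bucket` keeps `expiration = 30`, which, if it applies to the CloudTrail objects themselves, leaves only 30 days of audit trail in the bucket; the rewrite to `[...]` carries that over unchanged and without comment. If the `on_new_object` notification below forwards the logs to a longer-lived store, a comment on the rule such as `# 30 days here; long-term retention is in <DOWNSTREAM_STORE>` would record that. The hunks omit the lines between `enabled` and `expiration`, so any prefix or filter on the rule is not visible here.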

+ 2 - 0
base/mailrelay/ses.tf

@@ -36,6 +36,7 @@ output ses_user_smtp_username {
 
 output ses_user_smtp_password { 
   value = aws_iam_access_key.ses_access_key-v3.ses_smtp_password_v4
+  sensitive = true
 }
 
 
@@ -71,6 +72,7 @@ output dps_portal_smtp_username {
 
 output dps_portal_smtp_password { 
   value = aws_iam_access_key.dps_portal_key-v3.ses_smtp_password_v4
+  sensitive = true
 }
 
 ######################

+ 1 - 0
base/salt_master_inventory_role/user.tf

@@ -37,6 +37,7 @@ output access_keys {
         "aws_secret_access_key": aws_iam_access_key.salt-master-v0[0].secret
       }
     }
+  sensitive = true
 }
 
 ######################

+ 2 - 2
base/splunk_servers/alsi/nlb-splunk.tf

@@ -5,12 +5,12 @@ resource "aws_eip" "alsi_splunk_nlb" {
   count = var.alsi_splunk_nlb ? 2 : 0
 
   vpc  = true
-  tags = merge(var.standard_tags, var.tags, map("Name","${var.prefix}-alsi-splunk" ))
+  tags = merge(var.standard_tags, var.tags, { "Name": "${var.prefix}-alsi-splunk" })
 }
 
 resource "aws_lb" "alsi_splunk_nlb" {
   count = var.alsi_splunk_nlb ? 1 : 0
-  tags               = merge(var.standard_tags, var.tags, map("Name","${var.prefix}-alsi-splunk" ))
+  tags               = merge(var.standard_tags, var.tags, { "Name": "${var.prefix}-alsi-splunk" })
   name               = "${var.prefix}-alsi-splunk-nlb"
   internal           = false
   load_balancer_type = "network"

+ 2 - 2
base/splunk_servers/indexer_cluster/nlb-splunk-data.tf

@@ -5,7 +5,7 @@ resource "aws_eip" "nlb" {
   count = "3"
 
   vpc  = true
-  tags = merge(var.standard_tags, var.tags, map("Name","${var.prefix}-nlb" ))
+  tags = merge(var.standard_tags, var.tags, { "Name": "${var.prefix}-nlb" })
 }
 
 module "public_dns_record_nlb" {
@@ -21,7 +21,7 @@ module "public_dns_record_nlb" {
 }
 
 resource "aws_lb" "nlb" {
-  tags               = merge(var.standard_tags, var.tags, map("Name","${var.prefix}-splunk-indexers-nlb" ))
+  tags               = merge(var.standard_tags, var.tags, { "Name": "${var.prefix}-splunk-indexers-nlb" })
   name               = "${var.prefix}-splunk-indexers-nlb"
   internal           = false
   load_balancer_type = "network"

+ 3 - 0
base/transit_gateway_interconnect_vpn/outputs.tf

@@ -19,6 +19,7 @@ output vpn_info {
           connection.tunnel1_vgw_inside_address,
           connection.tunnel2_vgw_inside_address
         ]
+        # This is sensitive, so terraform will redact the output. To get it anyway, do a `terragrunt output vpn_info`
         "preshared_key" = [
           connection.tunnel1_preshared_key,
           connection.tunnel2_preshared_key
@@ -27,6 +28,7 @@ output vpn_info {
         "cgw_bgp_asn" = var.interconnect_asn
       }
   ]
+  sensitive = true # We need the VPN keys
 }
 
 output yaml {
@@ -61,4 +63,5 @@ output yaml {
       ]
     }
   })
+  sensitive = true # We need the VPN keys
 }
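Review bot: The trailing comment `# We need the VPN keys` on both new `sensitive = true` lines (outputs `vpn_info` and `yaml`) explains why the keys are exported, not why the output is marked sensitive. I would write `sensitive = true # contains the tunnel pre-shared keys` instead. The retrieval hint added inside the `for` expression would sit better above the `output` block, with a reminder that requesting the output by name prints the pre-shared keys to the terminal or CI log. Both output blocks start outside the hunks.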

+ 2 - 2
base/vault/main.tf

@@ -139,8 +139,8 @@ resource "aws_instance" "instance" {
   
   #TODO switch to dynamic tag
   user_data = data.template_cloudinit_config.cloud_init_config[each.key].rendered
-  tags = merge( var.standard_tags, var.tags, map("Name", length(var.instance_count) > 1 ? "${var.instance_name}-${each.value}" : var.instance_name ))
-  volume_tags = merge( var.standard_tags, var.tags, map("Name", length(var.instance_count) > 1 ? "${var.instance_name}-${each.value}" : var.instance_name ))
+  tags = merge( var.standard_tags, var.tags, { "Name": length(var.instance_count) > 1 ? "${var.instance_name}-${each.value}" : var.instance_name })
+  volume_tags = merge( var.standard_tags, var.tags, { "Name": length(var.instance_count) > 1 ? "${var.instance_name}-${each.value}" : var.instance_name })
 }
 
 module "private_dns_record" {

+ 8 - 2
submodules/dns/private_A_record/provider.tf

@@ -1,3 +1,9 @@
-provider "aws" {
-  alias = "c2"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "= 3.37.0"
+      configuration_aliases = [ aws.c2 ]
+    }
+  }
 }
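Review bot: `version = "= 3.37.0"` pins an exact provider version inside a reusable submodule, so every root configuration that calls it must resolve to exactly 3.37.0, and a provider update has to touch all four files (this one and the private_CNAME_record, public_ALIAS_record and public_A_record copies). A child module normally declares only the minimum it needs, `version = ">= 3.37.0"`, and leaves the exact pin to the root module and its dependency lock file. A one-line comment above `configuration_aliases` noting that callers must pass `aws.c2` in their `providers` map would also help, since the alias is no longer declared by a `provider` block here.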

+ 8 - 2
submodules/dns/private_CNAME_record/provider.tf

@@ -1,3 +1,9 @@
-provider "aws" {
-  alias = "c2"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "= 3.37.0"
+      configuration_aliases = [ aws.c2 ]
+    }
+  }
 }

+ 8 - 2
submodules/dns/public_ALIAS_record/provider.tf

@@ -1,3 +1,9 @@
-provider "aws" {
-  alias = "mdr-common-services-commercial"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "= 3.37.0"
+      configuration_aliases = [ aws.mdr-common-services-commercial ]
+    }
+  }
 }

+ 8 - 2
submodules/dns/public_A_record/provider.tf

@@ -1,3 +1,9 @@
-provider "aws" {
-  alias = "mdr-common-services-commercial"
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "= 3.37.0"
+      configuration_aliases = [ aws.mdr-common-services-commercial ]
+    }
+  }
 }