Pump terraform required version and remove experiments

Author: Igor J. Santos

.github/workflows/docs.yml

@@ -5,7 +5,7 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         ref: ${{ github.head_ref }}
 

.github/workflows/lint.yml

@@ -7,34 +7,36 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
-      - name: TFLint
-        uses: docker://wata727/tflint
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - uses: terraform-linters/setup-tflint@v3
+      - run: tflint --version
+      - run: tflint --init
+      - run: tflint -f compact
 
   fmt:
     name: Code Format
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - run: terraform fmt --recursive -check=true
 
   validate:
     name: Validate
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/terraform:0.14.0
+      image: hashicorp/terraform:1.5.1
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Validate Code
         env:
           AWS_REGION: 'us-east-1'
           TF_WARN_OUTPUT_ERRORS: 1
-          TF_VAR_vpc_id: 'vpc-123456'
-          TF_VAR_subnets: '["subnet-12345a"]'
-          TF_VAR_workers_ami_id: 'ami-123456'
-          TF_VAR_cluster_name: 'test_cluster'
         run: |
           terraform init
           terraform validate
@@ -51,14 +53,14 @@ jobs:
     name: Minimum version check
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/terraform:0.14.0
+      image: hashicorp/terraform:1.5.1
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
       - name: Validate Code
         env:
           AWS_REGION: 'us-east-1'
           TF_WARN_OUTPUT_ERRORS: 1
         run: |
           sed -i -e 's/>=/=/' -e 's/ \(\d\+\.\d\+\)"/ \1.0"/' versions.tf
           terraform init
-          terraform validate -var "region=${AWS_REGION}" -var "vpc_id=vpc-123456" -var "subnets=[\"subnet-12345a\"]" -var "workers_ami_id=ami-123456" -var "cluster_ingress_cidrs=[]" -var "cluster_name=test_cluster"
+          terraform validate

.tflint.hcl

@@ -0,0 +1,3 @@
+rule "terraform_required_providers" {
+  enabled = false
+}

README.md

@@ -29,7 +29,7 @@ The following resources will be created:
 
 ```hcl
 module "network" {
-  source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=0.0.3"
+  source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=2.0.0"
 
   vpc_cidr              = "10.1.0.0/16"
   newbits               = 8             # will create /24 subnets
@@ -44,7 +44,7 @@ module "network" {
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.14.0 |
+| terraform | >= 1.5.1 |
 
 ## Providers
 
@@ -69,7 +69,7 @@ module "network" {
 | kubernetes\_clusters\_type | Use either 'owned' or 'shared' for kubernetes cluster tags | `string` | `"shared"` | no |
 | max\_az | Max number of AZs | `number` | `3` | no |
 | multi\_nat | Number of NAT Instances, 'true' will yield one per AZ while 'false' creates one NAT | `bool` | `false` | no |
-| name | Name prefix for the resources of this stack | `any` | n/a | yes |
+| name | Name prefix for the resources of this stack | `string` | n/a | yes |
 | name\_pattern | Name pattern to use for resources. Options: default, kebab | `string` | `"default"` | no |
 | name\_suffix | Adds a name suffix to all resources created | `string` | `""` | no |
 | nat | Deploy NAT instance(s) | `bool` | `true` | no |
@@ -88,28 +88,12 @@ module "network" {
 | transit\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
 | transit\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `15` | no |
 | transit\_subnet | Create a transit subnet for VPC peering (only central account) | `bool` | `false` | no |
-| vpc\_cidr | Network CIDR for the VPC | `any` | n/a | yes |
+| vpc\_cidr | Network CIDR for the VPC | `string` | n/a | yes |
 | vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no |
-| vpc\_cidr\_transit | Network CIDR for Transit subnets | `string` | `"10.255.255.0/24"` | no |
 | vpc\_endpoint\_dynamodb\_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | `bool` | `true` | no |
-| vpc\_endpoint\_dynamodb\_policy | A policy to attach to the endpoint that controls access to the service | `string` | `"    {
-        \"Statement\": [
-            {
-                \"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
-            }
-        ]
-    }
-"` | no |
 | vpc\_endpoint\_s3\_gateway | Enable or disable VPC Endpoint for S3 Gateway | `bool` | `true` | no |
-| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` | `"    {
-        \"Statement\": [
-            {
-                \"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
-            }
-        ]
-    }
-"` | no |
-| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br>    {<br>      name          = string<br>      policy        = optional(string)<br>      allowed_cidrs = optional(list(string))<br>    }<br>  ))</pre> | `[]` | no |
+| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` | <pre>"{<br>    \"Statement\": [<br>        {<br>            \"Action\": \"*\",<br>            \"Effect\": \"Allow\",<br>            \"Resource\": \"*\",\"Principal\": \"*\"<br>            }<br>        ]<br>    }"</pre> | no |
+| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br>  {<br>    name          = string<br>    policy        = optional(string)<br>    allowed_cidrs = optional(list(string))<br>  }<br>))</pre> | `[]` | no |
 | vpc\_flow\_logs | Enable or disable VPC Flow Logs | `bool` | `true` | no |
 | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group | `number` | `365` | no |
 

_outputs.tf

@@ -14,47 +14,47 @@ output "internet_gateway_id" {
 }
 
 output "public_subnet_ids" {
-  value       = aws_subnet.public.*.id
+  value       = aws_subnet.public[*].id
   description = "List of public subnet IDs"
 }
 
 output "public_subnet_cidrs" {
-  value       = aws_subnet.public.*.cidr_block
+  value       = aws_subnet.public[*].cidr_block
   description = "List of public subnet CIDRs"
 }
 
 output "firewall_subnet_cidrs" {
-  value       = aws_subnet.firewall.*.cidr_block
+  value       = aws_subnet.firewall[*].cidr_block
   description = "List of firewall subnet CIDRs"
 }
 
 output "firewall_subnet_ids" {
-  value       = aws_subnet.firewall.*.id
+  value       = aws_subnet.firewall[*].id
   description = "List of firewall subnet IDs"
 }
 
 output "private_subnet_ids" {
-  value       = aws_subnet.private.*.id
+  value       = aws_subnet.private[*].id
   description = "List of private subnet IDs"
 }
 
 output "private_subnet_cidrs" {
-  value       = aws_subnet.private.*.cidr_block
+  value       = aws_subnet.private[*].cidr_block
   description = "List of private subnet CIDRs"
 }
 
 output "secure_subnet_ids" {
-  value       = aws_subnet.secure.*.id
+  value       = aws_subnet.secure[*].id
   description = "List of secure subnet IDs"
 }
 
 output "secure_subnet_cidrs" {
-  value       = aws_subnet.secure.*.cidr_block
+  value       = aws_subnet.secure[*].cidr_block
   description = "List of secure subnet CIDRs"
 }
 
 output "nat_gateway_ids" {
-  value       = aws_nat_gateway.nat_gw.*.id
+  value       = aws_nat_gateway.nat_gw[*].id
   description = "List of NAT Gateway IDs"
 }
 
@@ -67,15 +67,15 @@ output "public_route_table_id" {
 }
 
 output "private_route_table_id" {
-  value = aws_route_table.private.*.id
+  value = aws_route_table.private[*].id
 }
 
 output "secure_route_table_id" {
   value = aws_route_table.secure.id
 }
 
 output "transit_route_table_id" {
-  value = aws_route_table.transit.*.id
+  value = aws_route_table.transit[*].id
 }
 
 output "public_nacl_id" {
@@ -91,7 +91,7 @@ output "secure_nacl_id" {
 }
 
 output "transit_nacl_id" {
-  value = aws_network_acl.transit.*.id
+  value = aws_network_acl.transit[*].id
 }
 
 output "private_subnets" {

_variables.tf

@@ -1,41 +1,43 @@
 terraform {
-  experiments = [module_variable_optional_attrs]
+  required_version = ">= 1.5.1"
 }
 
 variable "max_az" {
+  type        = number
   default     = 3
   description = "Max number of AZs"
 }
 
 variable "name" {
+  type        = string
   description = "Name prefix for the resources of this stack"
 }
 
 variable "cf_export_name" {
+  type        = string
   default     = ""
   description = "Name prefix for the export resources of the cloud formation output"
 }
 
 variable "vpc_cidr" {
+  type        = string
   description = "Network CIDR for the VPC"
 }
 
-variable "vpc_cidr_transit" {
-  default     = "10.255.255.0/24"
-  description = "Network CIDR for Transit subnets"
-}
-
 variable "nat" {
+  type        = bool
   default     = true
   description = "Deploy NAT instance(s)"
 }
 
 variable "multi_nat" {
+  type        = bool
   default     = false
   description = "Number of NAT Instances, 'true' will yield one per AZ while 'false' creates one NAT"
 }
 
 variable "newbits" {
+  type        = number
   default     = 5
   description = "Number of bits to add to the vpc cidr when building subnets"
 }
@@ -53,26 +55,31 @@ variable "tags" {
 }
 
 variable "public_netnum_offset" {
+  type        = number
   default     = 0
   description = "Start with this subnet for public ones, plus number of AZs"
 }
 
 variable "private_netnum_offset" {
+  type        = number
   default     = 5
   description = "Start with this subnet for private ones, plus number of AZs"
 }
 
 variable "secure_netnum_offset" {
+  type        = number
   default     = 10
   description = "Start with this subnet for secure ones, plus number of AZs"
 }
 
 variable "transit_netnum_offset" {
+  type        = number
   default     = 15
   description = "Start with this subnet for secure ones, plus number of AZs"
 }
 
 variable "firewall_netnum_offset" {
+  type        = number
   default     = 14
   description = "Start with this subnet for secure ones, plus number of AZs"
 }
@@ -90,6 +97,7 @@ variable "firewall_custom_rule_arn" {
 }
 
 variable "transit_subnet" {
+  type        = bool
   default     = false
   description = "Create a transit subnet for VPC peering (only central account)"
 }
@@ -137,11 +145,13 @@ variable "transit_nacl_inbound_udp_ports" {
 }
 
 variable "vpc_flow_logs" {
+  type        = bool
   default     = true
   description = "Enable or disable VPC Flow Logs"
 }
 
 variable "vpc_flow_logs_retention" {
+  type        = number
   default     = 365
   description = "Retention in days for VPC Flow Logs CloudWatch Log Group"
 }
@@ -159,19 +169,7 @@ variable "vpc_endpoint_dynamodb_gateway" {
 }
 
 variable "vpc_endpoint_s3_policy" {
-  default     = <<POLICY
-    {
-        "Statement": [
-            {
-                "Action": "*","Effect": "Allow","Resource": "*","Principal": "*"
-            }
-        ]
-    }
-    POLICY
-  description = "A policy to attach to the endpoint that controls access to the service"
-}
-
-variable "vpc_endpoint_dynamodb_policy" {
+  type        = string
   default     = <<POLICY
     {
         "Statement": [

cf-exports.tf

@@ -6,13 +6,13 @@ resource "aws_cloudformation_stack" "tf_exports" {
       "VpcId"              = aws_vpc.default.id,
       "CidrBlock"          = aws_vpc.default.cidr_block,
       "InternetGatewayId"  = aws_internet_gateway.default.id,
-      "PublicSubnetIds"    = join(",", aws_subnet.public.*.id),
-      "PublicSubnetCidrs"  = join(",", aws_subnet.public.*.cidr_block),
-      "PrivateSubnetIds"   = join(",", aws_subnet.private.*.id),
-      "PrivateSubnetCidrs" = join(",", aws_subnet.private.*.cidr_block),
-      "SecureSubnetIds"    = join(",", aws_subnet.secure.*.id),
-      "SecureSubnetCidrs"  = join(",", aws_subnet.secure.*.cidr_block),
-      "NatGatewayIds"      = var.nat ? join(",", aws_nat_gateway.nat_gw.*.id) : "undefined",
+      "PublicSubnetIds"    = join(",", aws_subnet.public[*].id),
+      "PublicSubnetCidrs"  = join(",", aws_subnet.public[*].cidr_block),
+      "PrivateSubnetIds"   = join(",", aws_subnet.private[*].id),
+      "PrivateSubnetCidrs" = join(",", aws_subnet.private[*].cidr_block),
+      "SecureSubnetIds"    = join(",", aws_subnet.secure[*].id),
+      "SecureSubnetCidrs"  = join(",", aws_subnet.secure[*].cidr_block),
+      "NatGatewayIds"      = var.nat ? join(",", aws_nat_gateway.nat_gw[*].id) : "undefined",
       "DbSubnetGroupId"    = aws_db_subnet_group.secure.id
     }
   })

db-subnet.tf

@@ -1,6 +1,6 @@
 resource "aws_db_subnet_group" "secure" {
   name       = lower(format(local.names[var.name_pattern].db_subnet, var.name, local.name_suffix))
-  subnet_ids = aws_subnet.secure.*.id
+  subnet_ids = aws_subnet.secure[*].id
 
   tags = merge(
     var.tags,