cloudposse · nitrocode · Nov 10, 2021 · Jul 5, 2021 · Jul 5, 2021 · Jul 5, 2021
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
 
 # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf       @cloudposse/engineering @cloudposse/approvers
-README.yaml   @cloudposse/engineering @cloudposse/approvers
+**/*.tf       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml   @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -17,6 +17,7 @@ version-resolver:
     - 'bugfix'
     - 'bug'
     - 'hotfix'
+    - 'no-release'
   default: 'minor'
 
 categories:
@@ -46,7 +47,7 @@ template: |
 
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
   replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'

diff --git a/.github/mergify.yml b/.github/mergify.yml
@@ -56,3 +56,10 @@ pull_request_rules:
       changes_requested: true
       approved: true
       message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+  conditions:
+    - "#files=0"
+  actions:
+    close:
+      message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
@@ -6,7 +6,7 @@ on:
 jobs:
   auto-format:
     runs-on: ubuntu-latest
-    container: cloudposse/build-harness:slim-latest
+    container: cloudposse/build-harness:latest
     steps:
     # Checkout the pull request branch
     #  "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs:
     - name: Auto Format
       if: github.event.pull_request.state == 'open'
       shell: bash
+      env:
+        GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
       run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
 
     # Commit changes (if any) to the PR branch

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -3,17 +3,24 @@ name: auto-release
 on:
   push:
     branches:
-    - master
+      - main
+      - master
+      - production
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-    # Drafts your next Release notes as Pull Requests are merged into "master"
-    - uses: release-drafter/release-drafter@v5
-      with:
-        publish: true
-        prerelease: false
-        config-name: auto-release.yml
-      env:
-        GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+      # Get PR from merged commit to master
+      - uses: actions-ecosystem/action-get-merged-pull-request@v1
+        id: get-merged-pull-request
+        with:
+          github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+      # Drafts your next Release notes as Pull Requests are merged into "main"
+      - uses: release-drafter/release-drafter@v5
+        with:
+          publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
+          prerelease: false
+          config-name: auto-release.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+  workflow_dispatch:
+
   pull_request:
 
 jobs:

diff --git a/README.md b/README.md
diff --git a/README.yaml b/README.yaml
@@ -41,6 +41,9 @@ related:
 # Short description of this project
 description: |-
   Terraform module to provision an AWS [`EFS`](https://aws.amazon.com/efs/) Network File System.
+
+  **NOTE**: Release `0.32.0` contains breaking changes. To preserve the SG, follow the instructions in the [0.30.1 to 0.32.x+ migration path](./docs/migration-0.30.1-0.32.x+.md).
+
 # How to use this project
 usage: |-
   Include this repository as a module in your existing terraform code:
@@ -51,14 +54,15 @@ usage: |-
     # Cloud Posse recommends pinning every module to a specific version
     # version     = "x.x.x"
 
-    namespace       = "eg"
-    stage           = "test"
-    name            = "app"
-    region          = "us-west-1"
-    vpc_id          = var.vpc_id
-    subnets         = var.private_subnets
-    security_groups = [var.security_group_id]
-    zone_id         = var.aws_route53_dns_zone_id
+    namespace = "eg"
+    stage     = "test"
+    name      = "app"
+    region    = "us-west-1"
+    vpc_id    = var.vpc_id
+    subnets   = var.private_subnets
+    zone_id   = [var.aws_route53_dns_zone_id]
+
+    allowed_security_group_ids = [var.security_group_id]
   }
   ```
 
@@ -82,3 +86,5 @@ contributors:
     github: "joshmyers"
   - name: "Vladimir Syromyatnikov"
     github: "SweetOps"
+  - name: "RB"
+    github: "nitrocode"
diff --git a/docs/migration-0.30.1-0.32.x+.md b/docs/migration-0.30.1-0.32.x+.md
@@ -0,0 +1,60 @@
+# Migration from 0.30.1 to 0.32.x+
+
+NOTE: This is not a migration guide from the pre-release versions 0.31.0 and 0.31.1
+
+Version `0.32.0` of this module introduces changes that, without taking additional precautions, will cause the security group created by this module to be replaced with a new one. Note that the EFS file system will not be affected, all that will change is that the EFS mount targets will be moved to a new security group and there may be a brief period (likely only a few seconds) during which all connectivity is lost. 
+
+This is because of the newer version's reliance on the [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group)
+module for managing the module's security group. This changes the Terraform resource address.
+
+To circumvent this, after bumping the module version to the newer version, make note of these changes.
+
+* `transition_to_ia` is now a `list(string)` so pass in the single value as a list.
+* `zone_id` is now a `list(string)` so pass in the single value as a list.
+* `security_groups` is deprecated. Use `allowed_security_group_ids` instead.
+
+For more information on why we use a `list(string)` instead of `string` for strings vars, see the SG 4.0 releae notes "Optional Inputs" section linked below.
+
+Run a `terraform plan` to retrieve the resource addresses of the SG that Terraform would like to destroy, and the resource address of the SG which Terraform would like to create.
+
+Make sure that the following variables are set since the original SG name had the suffix `-efs`.
+
+* Setting `security_group_create_before_destroy = false` prevents using `name_prefix` on the SG resource
+* Setting `security_group_name` to its "legacy" value will keep the Security Group from being replaced, and hence the underlying resource.
+
+```hcl
+security_group_create_before_destroy = false
+
+# if not using context
+security_group_name = ["<existing-sg-name>"]
+
+# if using context
+security_group_name = ["${module.this.context}-efs"]
+```
+
+Finally, change the resource address of the existing Security Group. The resources' source and destination addresses will vary based on how this module is used.
+
+If the module's name is `efs`, here is an example set of `terraform state mv` commands to get started.
+
+```bash
+# required - move the security group resource
+terraform state mv \
+  'module.efs.aws_security_group.efs[0]' \
+  'module.efs.module.security_group.aws_security_group.default[0]'
+# optional - move the security group rules (may be different depending on usage)
+terraform state mv \
+  'module.efs.aws_security_group_rule.ingress_security_groups[0]' \
+  'module.efs.module.security_group.aws_security_group_rule.keyed["_m[0]#[0]#sg#0"]'
+terraform state mv \
+  'module.efs.aws_security_group_rule.egress[0]' \
+  'module.efs.module.security_group.aws_security_group_rule.keyed["_allow_all_egress_"]'
+```
+
+This will result in an plan that will only destroy SG Rules, but not the Security Group itself.
+
+Please run a `terraform plan` to make sure there aren't other unexpected breaking changes.
+
+## References
+
+* https://github.com/cloudposse/terraform-aws-security-group/blob/c6e4156696ee28cad0cd927c82377fbd73156199/exports/security_group_inputs.tf#L71-L72
+* https://github.com/cloudposse/terraform-aws-security-group/releases/tag/0.4.0