Upgraded terraform providers

BSick7 · BSick7 · commit 1a7022df7c3e · 2025-09-22T16:06:27.000-04:00
diff --git a/.nullstone/module.yml b/.nullstone/module.yml
@@ -11,3 +11,4 @@ subplatform: container
 type: ""
 appCategories: []
 is_public: true
+tool_name: "terraform"
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# 0.5.0 (Sep 22, 2025)
+* Upgraded Terraform providers.
+
 # 0.4.16 (Feb 27, 2025)
 * Fixed `topics` usage from `event_sources` in capabilities.
 
diff --git a/app.tf b/app.tf
@@ -9,8 +9,8 @@ locals {
 }
 
 locals {
-  lambda_arn = "arn:aws:lambda:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:function:${local.resource_name}"
-  invoke_arn = "arn:aws:apigateway:${data.aws_region.this.name}:lambda:path/2015-03-31/functions/${local.lambda_arn}/invocations"
+  lambda_arn = "arn:aws:lambda:${data.aws_region.this.region}:${data.aws_caller_identity.this.account_id}:function:${local.resource_name}"
+  invoke_arn = "arn:aws:apigateway:${data.aws_region.this.region}:lambda:path/2015-03-31/functions/${local.lambda_arn}/invocations"
   app_metadata = tomap({
     // Inject app metadata into capabilities here (e.g. security_group_id, role_name)
     function_name = local.resource_name
diff --git a/bootstrap_image.tf b/bootstrap_image.tf
@@ -4,7 +4,7 @@ data "aws_ecr_authorization_token" "temporary" {
 
 provider "dockerless" {
   registry_auth = {
-    "${data.aws_caller_identity.this.account_id}.dkr.ecr.${data.aws_region.this.name}.amazonaws.com" = {
+    "${data.aws_caller_identity.this.account_id}.dkr.ecr.${data.aws_region.this.region}.amazonaws.com" = {
       username = data.aws_ecr_authorization_token.temporary.user_name
       password = data.aws_ecr_authorization_token.temporary.password
     }
diff --git a/capabilities.tf b/capabilities.tf
@@ -3,7 +3,8 @@
 locals {
   cap_modules = [
     {
-      id         = 0
+      name       = ""
+      tfId       = ""
       namespace  = ""
       env_prefix = ""
       outputs    = {}
@@ -50,7 +51,7 @@ locals {
       {
         logDriver = "awslogs"
         options = {
-          "awslogs-region"        = data.aws_region.this.name
+          "awslogs-region"        = data.aws_region.this.region
           "awslogs-group"         = module.logs.name
           "awslogs-stream-prefix" = local.block_name
         }
diff --git a/capabilities.tf.tmpl b/capabilities.tf.tmpl
@@ -1,7 +1,7 @@
 {{ range . -}}
 provider "ns" {
-  capability_id = {{ .Id }}
-  alias         = "cap_{{ .Id }}"
+  capability_name = "{{ .Name }}"
+  alias           = "{{ .TfModuleName }}"
 }
 
 module "{{ .TfModuleName }}" {
@@ -11,13 +11,12 @@ module "{{ .TfModuleName }}" {
   {{- end }}
 
   app_metadata = local.app_metadata
-  {{ range $key, $value := .Variables -}}
-  {{ if $value.HasValue -}}
+  {{ range $key, $value := .Variables -}}{{- if $value.HasValue }}
   {{ $key }} = jsondecode({{ $value.Value | to_json_string }})
-  {{- end }}
-  {{ end }}
+  {{- end -}}{{- end }}
+
   providers = {
-    ns = ns.cap_{{ .Id}}
+    ns = ns.{{ .TfModuleName }}
   }
 }
 {{ end }}
@@ -37,7 +36,8 @@ locals {
   cap_modules = [
 {{- range $index, $element := .ExceptNeedsDestroyed }}
     {{ if $index }}, {{ end }}{
-      id         = {{ $element.Id }}
+      name       = "{{ $element.Name }}"
+      tfId       = "{{ $element.TfId }}"
       namespace  = "{{ $element.Namespace }}"
       env_prefix = "{{ $element.EnvPrefix }}"
       outputs    = {{ $element.TfModuleAddr }}
@@ -55,7 +55,7 @@ locals {
 
   cap_secrets = merge([
     for mod in local.cap_modules : {
-      for item in lookup(mod.outputs, "secrets", []) : "${mod.env_prefix}${item.name}" => item.value
+      for item in lookup(mod.outputs, "secrets", []) : "${mod.env_prefix}${item.name}" => sensitive(item.value)
     }
   ]...)
 }
diff --git a/encryption.tf b/encryption.tf
@@ -36,13 +36,13 @@ data "aws_iam_policy_document" "encryption_key" {
 
     principals {
       type        = "Service"
-      identifiers = ["logs.${data.aws_region.this.name}.amazonaws.com"]
+      identifiers = ["logs.${data.aws_region.this.region}.amazonaws.com"]
     }
 
     condition {
       test     = "ArnEquals"
       variable = "kms:EncryptionContext:aws:logs:arn"
-      values   = ["arn:aws:logs:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:*"]
+      values   = ["arn:aws:logs:${data.aws_region.this.region}:${data.aws_caller_identity.this.account_id}:*"]
     }
   }
 
diff --git a/env_vars.tf b/env_vars.tf
@@ -28,19 +28,25 @@ locals {
     NULLSTONE_PUBLIC_HOSTS  = join(",", local.public_hosts)
     NULLSTONE_PRIVATE_HOSTS = join(",", local.private_hosts)
   })
-
-  input_env_vars = merge(local.standard_env_vars, local.cap_env_vars, var.env_vars)
-  input_secrets  = merge(local.cap_secrets, var.secrets)
+  
+  input_env_vars    = merge(local.standard_env_vars, local.cap_env_vars, var.env_vars)
+  input_secrets     = merge(local.cap_secrets, var.secrets)
+  input_secret_keys = nonsensitive(concat(keys(local.cap_secrets), keys(var.secrets)))
 }
 
 data "ns_env_variables" "this" {
   input_env_variables = local.input_env_vars
   input_secrets       = local.input_secrets
 }
 
+// ns_secret_keys.this is used to calculate a set of secrets to add to aws secrets manager
+// The resulting "secret_keys" attribute must be known at plan time
+// This doesn't need to do a full interpolation because we only care about which inputs need to be added to aws secrets manager
+// ns_secret_keys.input_env_variables should contain only var.env_vars since they could contain interpolation that promotes them to sensitive
+// We exclude "local.cap_env_vars" because capabilities must use "cap_secrets" to create secrets
 data "ns_secret_keys" "this" {
   input_env_variables = var.env_vars
-  input_secret_keys   = nonsensitive(keys(local.input_secrets))
+  input_secret_keys   = local.input_secret_keys
 }
 
 locals {
diff --git a/outputs.tf b/outputs.tf
@@ -1,6 +1,6 @@
 output "region" {
   description = "string ||| The region the lambda was created."
-  value       = data.aws_region.this.name
+  value       = data.aws_region.this.region
 }
 
 output "deployer" {
@@ -84,11 +84,11 @@ output "image_pusher" {
 }
 
 output "private_urls" {
-  description = "list(string) ||| A list of URLs only accessible inside the network."
   value       = local.private_urls
+  description = "list(string) ||| A list of URLs only accessible inside the network"
 }
 
 output "public_urls" {
-  description = "list(string) ||| A list of URLs accessible to the public"
   value       = local.public_urls
+  description = "list(string) ||| A list of URLs accessible to the public"
 }
diff --git a/permissions.tf b/permissions.tf
@@ -1,7 +1,7 @@
 locals {
   permissions = merge(flatten([
     for mod in local.cap_modules : {
-      for item in lookup(mod.outputs, "permissions", []) : "${mod.id}_${item.sid_prefix}" => item
+      for item in lookup(mod.outputs, "permissions", []) : "${mod.tfId}_${item.sid_prefix}" => item
     }
   ])...)
 }
diff --git a/urls.tf b/urls.tf
@@ -3,7 +3,7 @@ locals {
   // Typically, they are created through capabilities attached to the application
   // If this module has URLs, add them here as list(string)
   additional_private_urls = []
-  additional_public_urls  = []
+  additional_public_urls = []
 
   private_urls = concat([for url in try(local.capabilities.private_urls, []) : url["url"]], local.additional_private_urls)
   public_urls  = concat([for url in try(local.capabilities.public_urls, []) : url["url"]], local.additional_public_urls)
@@ -16,7 +16,7 @@ locals {
 locals {
   authority_matcher = "^(?:(?P<user>[^@]*)@)?(?:(?P<host>[^:]*))(?:[:](?P<port>[\\d]*))?"
   // These tests are here to verify the authority_matcher regex above
-  // To verify, uncomment the following lines and issue `echo 'local.tests' | terraform console`
+  // To verify, uncomment the following lines and issue "echo 'local.tests' | terraform console"
   /*
   tests = tomap({
     "nullstone.io" : regex(local.authority_matcher, "nullstone.io"),

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ data "aws_ecr_authorization_token" "temporary" {`
`4`	`4`
`5`	`5`	`provider "dockerless" {`
`6`	`6`	`registry_auth = {`
`7`		`- "${data.aws_caller_identity.this.account_id}.dkr.ecr.${data.aws_region.this.name}.amazonaws.com" = {`
	`7`	`+ "${data.aws_caller_identity.this.account_id}.dkr.ecr.${data.aws_region.this.region}.amazonaws.com" = {`
`8`	`8`	`username = data.aws_ecr_authorization_token.temporary.user_name`
`9`	`9`	`password = data.aws_ecr_authorization_token.temporary.password`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,8 @@`
`3`	`3`	`locals {`
`4`	`4`	`cap_modules = [`
`5`	`5`	`{`
`6`		`- id = 0`
	`6`	`+ name = ""`
	`7`	`+ tfId = ""`
`7`	`8`	`namespace = ""`
`8`	`9`	`env_prefix = ""`
`9`	`10`	`outputs = {}`
`@@ -50,7 +51,7 @@ locals {`
`50`	`51`	`{`
`51`	`52`	`logDriver = "awslogs"`
`52`	`53`	`options = {`
`53`		`- "awslogs-region" = data.aws_region.this.name`
	`54`	`+ "awslogs-region" = data.aws_region.this.region`
`54`	`55`	`"awslogs-group" = module.logs.name`
`55`	`56`	`"awslogs-stream-prefix" = local.block_name`
`56`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,13 +36,13 @@ data "aws_iam_policy_document" "encryption_key" {`
`36`	`36`
`37`	`37`	`principals {`
`38`	`38`	`type = "Service"`
`39`		`- identifiers = ["logs.${data.aws_region.this.name}.amazonaws.com"]`
	`39`	`+ identifiers = ["logs.${data.aws_region.this.region}.amazonaws.com"]`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`condition {`
`43`	`43`	`test = "ArnEquals"`
`44`	`44`	`variable = "kms:EncryptionContext:aws:logs:arn"`
`45`		`- values = ["arn:aws:logs:${data.aws_region.this.name}:${data.aws_caller_identity.this.account_id}:*"]`
	`45`	`+ values = ["arn:aws:logs:${data.aws_region.this.region}:${data.aws_caller_identity.this.account_id}:*"]`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`output "region" {`
`2`	`2`	`description = "string \|\|\| The region the lambda was created."`
`3`		`- value = data.aws_region.this.name`
	`3`	`+ value = data.aws_region.this.region`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "deployer" {`
`@@ -84,11 +84,11 @@ output "image_pusher" {`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`output "private_urls" {`
`87`		`- description = "list(string) \|\|\| A list of URLs only accessible inside the network."`
`88`	`87`	`value = local.private_urls`
	`88`	`+ description = "list(string) \|\|\| A list of URLs only accessible inside the network"`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`output "public_urls" {`
`92`		`- description = "list(string) \|\|\| A list of URLs accessible to the public"`
`93`	`92`	`value = local.public_urls`
	`93`	`+ description = "list(string) \|\|\| A list of URLs accessible to the public"`
`94`	`94`	`}`