chore: Updates from testing and validating upgrade guide

Author: bryantbiggs

README.md

@@ -25,6 +25,7 @@ module "redshift" {
   encrypted   = true
   kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
 
+  vpc_id                               = "vpc-1234556abcdef"
   enhanced_vpc_routing                 = true
   availability_zone_relocation_enabled = true
 

docs/UPGRADE-7.0.md

@@ -8,13 +8,14 @@ Please consult the `examples` directory for reference example configurations. If
 - AWS provider `v6.18` is now minimum supported version
 - The ability for the module to create a random password has been removed in order to ensure passwords are not stored in plain text within the state file. Users must now provide their own password via the `master_password_wo` variable.
   - `master_password` is no longer supported and only the write-only equivalent is supported (`master_password_wo` and `master_password_wo_version`)
+- The variable(s) used to create access endpoints has changed from creating a single endpoint to n-number of endpoints
 
 ## Additional changes
 
 ### Added
 
 - Support for `region` argument to specify the AWS region for the resources created if different from the provider region.
-- Support for creating security group
+- Support for creating a security group used by the cluster
 
 ### Modified
 
@@ -23,7 +24,7 @@ Please consult the `examples` directory for reference example configurations. If
 
 ### Removed
 
--
+- Support for generating random passwords has been removed.
 
 ### Variable and output changes
 
@@ -64,15 +65,18 @@ Please consult the `examples` directory for reference example configurations. If
 
 4. Removed outputs:
 
-    -
+    - `endpoint_access_address` -> see `endpoint_access` output
+    - `endpoint_access_port` -> see `endpoint_access` output
+    - `endpoint_access_id` -> see `endpoint_access` output
+    - `endpoint_access_vpc_endpoint` -> see `endpoint_access` output
 
 5. Renamed outputs:
 
-    -
+    - None
 
 6. Added outputs:
 
-    -
+    - None
 
 ## Upgrade Migration
 
@@ -121,9 +125,9 @@ module "redshift" {
 
   # Endpoint access - only available when using the ra3.x type
   create_endpoint_access          = true
-  endpoint_name                   = "example-example"
-  endpoint_subnet_group_name      = aws_redshift_subnet_group.endpoint.id
-  endpoint_vpc_security_group_ids = [module.security_group.security_group_id]
+  endpoint_name                   = "example"
+  endpoint_subnet_group_name      = "example"
+  endpoint_vpc_security_group_ids = ["sg-12345678"]
 }
 ```
 
@@ -136,6 +140,9 @@ module "redshift" {
 
   # Only the affected attributes are shown
 
+  # Security group
+  vpc_id = "vpc-1234556abcdef"
+
   # Snapshot schedule
   snapshot_schedule = {
     identifier    = "example"
@@ -180,14 +187,16 @@ module "redshift" {
   # Endpoint access - only available when using the ra3.x type
   endpoint_access = {
     example = {
-      name                   = "example-example"
-      subnet_group_name      = aws_redshift_subnet_group.endpoint.id
-      vpc_security_group_ids = [module.security_group.security_group_id]
+      name                   = "example"
+      subnet_group_name      = "example"
+      vpc_security_group_ids = ["sg-12345678"]
     }
   }
 }
 ```
 
 ### State Move Commands
 
-TBD
+```sh
+terraform state mv 'module.redshift.aws_redshift_endpoint_access.this[0]' 'module.redshift.aws_redshift_endpoint_access.this["example"]'
+```

examples/complete/main.tf

@@ -33,6 +33,9 @@ locals {
 module "redshift" {
   source = "../../"
 
+  # Maintains backward compatibility
+  parameter_group_family = "redshift-1.0"
+
   cluster_identifier    = local.name
   allow_version_upgrade = true
   node_type             = "ra3.xlplus"
@@ -51,6 +54,7 @@ module "redshift" {
   # Only available when using the ra3.x type
   availability_zone_relocation_enabled = true
   enhanced_vpc_routing                 = true
+  vpc_id      = module.vpc.vpc_id
 
   snapshot_copy = {
     destination_region = "us-east-1"
@@ -216,9 +220,13 @@ resource "aws_redshift_snapshot_copy_grant" "useast1" {
 module "with_cloudwatch_logging" {
   source = "../../"
 
+  # Maintains backward compatibility
+  parameter_group_family = "redshift-1.0"
+
   cluster_identifier = "${local.name}-with-cloudwatch-logging"
-  node_type          = "dc2.large"
+  node_type          = "ra3.large"
 
+  vpc_id      = module.vpc.vpc_id
   subnet_ids = module.vpc.redshift_subnets
 
   create_cloudwatch_log_group            = true
@@ -238,9 +246,13 @@ module "with_cloudwatch_logging" {
 module "default" {
   source = "../../"
 
+  # Maintains backward compatibility
+  parameter_group_family = "redshift-1.0"
+
   cluster_identifier = "${local.name}-default"
-  node_type          = "dc2.large"
+  node_type          = "ra3.large"
 
+  vpc_id      = module.vpc.vpc_id
   subnet_ids = module.vpc.redshift_subnets
 
   tags = local.tags

examples/complete/outputs.tf

@@ -115,6 +115,7 @@ output "cluster_namespace_arn" {
 output "cluster_master_password" {
   description = "The Redshift cluster master password"
   value       = module.redshift.cluster_master_password
+  sensitive   = true
 }
 
 output "cluster_master_username" {
@@ -187,24 +188,9 @@ output "scheduled_action_iam_role_unique_id" {
 # Endpoint Access
 ################################################################################
 
-output "endpoint_access_address" {
-  description = "The DNS address of the endpoint"
-  value       = module.redshift.endpoint_access_address
-}
-
-output "endpoint_access_id" {
-  description = "The Redshift-managed VPC endpoint name"
-  value       = module.redshift.endpoint_access_id
-}
-
-output "endpoint_access_port" {
-  description = "The port number on which the cluster accepts incoming connections"
-  value       = module.redshift.endpoint_access_port
-}
-
-output "endpoint_access_vpc_endpoint" {
-  description = "The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below"
-  value       = module.redshift.endpoint_access_vpc_endpoint
+output "endpoint_access" {
+  description = "A map of access endpoints created and their attributes"
+  value       = module.redshift.endpoint_access
 }
 
 ################################################################################

main.tf

@@ -125,10 +125,6 @@ resource "aws_redshift_subnet_group" "this" {
 # Snapshot Schedule
 ################################################################################
 
-locals {
-  snapshot_schedule_identifier = try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier))
-}
-
 resource "aws_redshift_snapshot_schedule" "this" {
   count = var.create && var.snapshot_schedule != null ? 1 : 0
 
@@ -137,8 +133,8 @@ resource "aws_redshift_snapshot_schedule" "this" {
   definitions       = var.snapshot_schedule.definitions
   description       = var.snapshot_schedule.description
   force_destroy     = var.snapshot_schedule.force_destroy
-  identifier        = var.snapshot_schedule.use_prefix ? null : local.snapshot_schedule_identifier
-  identifier_prefix = var.snapshot_schedule.use_prefix ? "${local.snapshot_schedule_identifier}-" : null
+  identifier        = var.snapshot_schedule.use_prefix ? null : try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier), "")
+  identifier_prefix = var.snapshot_schedule.use_prefix ? "${try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier), "")}-" : null
 
   tags = merge(var.tags, var.snapshot_schedule.tags)
 }
@@ -178,15 +174,15 @@ resource "aws_redshift_scheduled_action" "this" {
 
     content {
       dynamic "pause_cluster" {
-        for_each = each.value.pause_cluster != null ? [1] : []
+        for_each = target_action.value.pause_cluster != null && target_action.value.pause_cluster ? [1] : []
 
         content {
           cluster_identifier = aws_redshift_cluster.this[0].id
         }
       }
 
       dynamic "resize_cluster" {
-        for_each = each.value.resize_cluster != null ? [1] : []
+        for_each = target_action.value.resize_cluster != null ? [target_action.value.resize_cluster] : []
 
         content {
           classic            = resize_cluster.value.classic
@@ -198,7 +194,7 @@ resource "aws_redshift_scheduled_action" "this" {
       }
 
       dynamic "resume_cluster" {
-        for_each = each.value.resume_cluster != null ? [each.value.resume_cluster] : []
+        for_each = target_action.value.resume_cluster != null && target_action.value.resume_cluster ? [target_action.value.resume_cluster] : []
 
         content {
           cluster_identifier = aws_redshift_cluster.this[0].id
@@ -317,7 +313,7 @@ resource "aws_redshift_authentication_profile" "this" {
 
   region = var.region
 
-  authentication_profile_name    = try(each.value.name, each.key)
+  authentication_profile_name    = try(coalesce(each.value.name, each.key))
   authentication_profile_content = jsonencode(each.value.content)
 }
 
@@ -342,7 +338,7 @@ resource "aws_redshift_logging" "this" {
 ################################################################################
 
 resource "aws_cloudwatch_log_group" "this" {
-  for_each = toset([for log in try(var.logging.log_exports, []) : log if var.create && var.create_cloudwatch_log_group])
+  for_each = var.create && var.create_cloudwatch_log_group && var.logging != null ? toset([for log in try(var.logging.log_exports, []) : log]) : toset([])
 
   region = var.region
 

outputs.tf

@@ -193,24 +193,9 @@ output "scheduled_action_iam_role_unique_id" {
 # Endpoint Access
 ################################################################################
 
-output "endpoint_access_address" {
-  description = "The DNS address of the endpoint"
-  value       = try(aws_redshift_endpoint_access.this[0].address, null)
-}
-
-output "endpoint_access_id" {
-  description = "The Redshift-managed VPC endpoint name"
-  value       = try(aws_redshift_endpoint_access.this[0].id, null)
-}
-
-output "endpoint_access_port" {
-  description = "The port number on which the cluster accepts incoming connections"
-  value       = try(aws_redshift_endpoint_access.this[0].port, null)
-}
-
-output "endpoint_access_vpc_endpoint" {
-  description = "The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below"
-  value       = try(aws_redshift_endpoint_access.this[0].vpc_endpoint, null)
+output "endpoint_access" {
+  description = "A map of access endpoints created and their attributes"
+  value       = aws_redshift_endpoint_access.this
 }
 
 ################################################################################

variables.tf

@@ -465,7 +465,7 @@ variable "logging" {
   type = object({
     bucket_name          = optional(string)
     log_destination_type = optional(string)
-    log_exports          = optional(list(string))
+    log_exports          = optional(list(string), [])
     s3_key_prefix        = optional(string)
   })
   default = null