feat!: (IAC-1190) Update Providers, Modules, & Binaries

[jarpat]

Changes

Made updates to the binaries, providers, and modules in the viya4-iac-aws project to resolve warnings that came from our Aqua security scan.

This is a "breaking change" but compatible with the upcoming viya4-iac-aws:8.0.0 release provided users take the time to run "terraform init -upgrade" before they run apply again. Users of the docker image will have the updated binaries, providers, and modules if they rebuild it using the dockerfile.

Version Updates

Binaries

• Terraform 1.4.5 -> 1.6.3
• AWS CLI 2.11.21 -> 2.13.33
• kubectl 1.26.7 > 1.26.10

Providers

hashicorp/aws

• Versions:
  • Initial Version: 5.4.0
  • Final Version: 5.25.0
    • Notes:
      • No notable breaking changes or deprecations observed that would affect us, mostly the addition of new features.
• Change Log: https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md

hashicorp/kubernetes

• Versions:
  • Initial Version: 2.20.0
  • Final Version: 2.23.0
    • Notes:
      • No notable breaking changes or deprecations observed that would affect us, mostly the addition of new features.
• Change Log: https://github.com/hashicorp/terraform-provider-kubernetes/blob/main/CHANGELOG.md

Modules

terraform-aws-modules/eks/aws

• Versions:
  • Initial Version: 18.31.2
  • Final Version: 19.19.1
    • Notes:
      • cluster_id will no longer return a value, will need to be replaced with cluster_name
      • iam_role_additional_policies needs to be a map. The key can be any unique string while the value is the policy.
      • node_security_group_enable_recommended_rules, new variable that set to true to introduces some recommended security group rules. See second bullet point here to see what it allows https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-19.0.md#added. Since we already set node_security_group_additional_rules with our own rules, will be setting this value to false.
      • create_kms_key, is now to set to true by default, setting the value to false to retain our previous behavior
      • cluster_encryption_config now has values set by default, setting to an empty list to retain our previous behavior.
• Change Log: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/CHANGELOG.md
• Upgrade Notes: https://github.com/bryantbiggs/terraform-aws-eks/blob/master/docs/UPGRADE-19.0.md

terraform-aws-modules/rds/aws

• Versions:
  • Initial Version: 5.9.0
  • Final Version: 6.2.0
    • Notes:
      • Outputs have been updated, db_instance_id -> db_instance_identifier
      • Outputs have been updated, db_instance_password -> removed
      • Outputs have been updated, create_random_password -> removed
      • New variable enabled by default manage_master_user_password, no matter the password provided will generate a random password and use AWS Secrets Manager, setting to false to keep current behavior.
• Change Log: https://github.com/terraform-aws-modules/terraform-aws-rds/blob/master/CHANGELOG.md

terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc

• Versions:
  • Initial Version: 4.24.1
  • Final Version: 5.30.2
    • Notes:
      • No notable breaking changes or deprecations observed that would affect us, mostly the addition of new features.
• Change Log: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/v5.30.2/CHANGELOG.md

Tests

Scenario	Provider	Task	K8s Version	Order	Cadence	Notes
1	AWS	OOTB - Docker	v1.26.10-eks-4f4795d	*****	fast:2020
2	AWS	OOTB - Terraform on Host	v1.26.10-eks-4f4795d	*****	fast:2020
3	AWS	OOTB with 8.0.0 -> Upgrade K8s with PR	v1.26.10-eks-4f4795d -> v1.27.7-eks-4f4795d	*****	fast:2020

[jarpat]

Note for reviewers, cluster_id was deprecated where it no longer blocks until terraform is able to communicate with the cluster and no longer returns a value unless you are using AWS Outposts. The recommendation was to directly get those values from module.eks rather than using the aws_eks_cluster data object here which allows for the "block" to reintroduced.

So the code was changed a bit, but functionally no changes.

See L61 and in locals.
https://github.com/sassoftware/viya4-iac-aws/pull/246/files#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbL20