chore: Updates from testing and validating upgrade guide

bryantbiggs · bryantbiggs · commit b751a5953674 · 2025-11-14T11:11:02.000-06:00
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ module "redshift" {
   encrypted   = true
   kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
 
+  vpc_id                               = "vpc-1234556abcdef"
   enhanced_vpc_routing                 = true
   availability_zone_relocation_enabled = true
 
@@ -265,7 +266,7 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the scheduled action IAM role created | `map(string)` | `{}` | no |
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether scheduled action the IAM role name (`iam_role_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, `encrypted` needs to be set to `true` | `string` | `null` | no |
-| <a name="input_logging"></a> [logging](#input\_logging) | Logging configuration for the cluster | <pre>object({<br/>    bucket_name          = optional(string)<br/>    log_destination_type = optional(string)<br/>    log_exports          = optional(list(string))<br/>    s3_key_prefix        = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_logging"></a> [logging](#input\_logging) | Logging configuration for the cluster | <pre>object({<br/>    bucket_name          = optional(string)<br/>    log_destination_type = optional(string)<br/>    log_exports          = optional(list(string), [])<br/>    s3_key_prefix        = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_maintenance_track_name"></a> [maintenance\_track\_name](#input\_maintenance\_track\_name) | The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is `current` | `string` | `null` | no |
 | <a name="input_manage_master_password"></a> [manage\_master\_password](#input\_manage\_master\_password) | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with `master_password`. One of `master_password` or `manage_master_password` is required unless `snapshot_identifier` is provided | `bool` | `false` | no |
 | <a name="input_manage_master_password_rotation"></a> [manage\_master\_password\_rotation](#input\_manage\_master\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation | `bool` | `false` | no |
@@ -343,10 +344,7 @@ No modules.
 | <a name="output_cluster_type"></a> [cluster\_type](#output\_cluster\_type) | The Redshift cluster type |
 | <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | The version of Redshift engine software |
 | <a name="output_cluster_vpc_security_group_ids"></a> [cluster\_vpc\_security\_group\_ids](#output\_cluster\_vpc\_security\_group\_ids) | The VPC security group ids associated with the cluster |
-| <a name="output_endpoint_access_address"></a> [endpoint\_access\_address](#output\_endpoint\_access\_address) | The DNS address of the endpoint |
-| <a name="output_endpoint_access_id"></a> [endpoint\_access\_id](#output\_endpoint\_access\_id) | The Redshift-managed VPC endpoint name |
-| <a name="output_endpoint_access_port"></a> [endpoint\_access\_port](#output\_endpoint\_access\_port) | The port number on which the cluster accepts incoming connections |
-| <a name="output_endpoint_access_vpc_endpoint"></a> [endpoint\_access\_vpc\_endpoint](#output\_endpoint\_access\_vpc\_endpoint) | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
+| <a name="output_endpoint_access"></a> [endpoint\_access](#output\_endpoint\_access) | A map of access endpoints created and their attributes |
 | <a name="output_master_password_secret_arn"></a> [master\_password\_secret\_arn](#output\_master\_password\_secret\_arn) | ARN of managed master password secret |
 | <a name="output_parameter_group_arn"></a> [parameter\_group\_arn](#output\_parameter\_group\_arn) | Amazon Resource Name (ARN) of the parameter group created |
 | <a name="output_parameter_group_id"></a> [parameter\_group\_id](#output\_parameter\_group\_id) | The name of the Redshift parameter group created |
diff --git a/docs/UPGRADE-7.0.md b/docs/UPGRADE-7.0.md
@@ -8,13 +8,14 @@ Please consult the `examples` directory for reference example configurations. If
 - AWS provider `v6.18` is now minimum supported version
 - The ability for the module to create a random password has been removed in order to ensure passwords are not stored in plain text within the state file. Users must now provide their own password via the `master_password_wo` variable.
   - `master_password` is no longer supported and only the write-only equivalent is supported (`master_password_wo` and `master_password_wo_version`)
+- The variable(s) used to create access endpoints has changed from creating a single endpoint to n-number of endpoints
 
 ## Additional changes
 
 ### Added
 
 - Support for `region` argument to specify the AWS region for the resources created if different from the provider region.
-- Support for creating security group
+- Support for creating a security group used by the cluster
 
 ### Modified
 
@@ -23,7 +24,7 @@ Please consult the `examples` directory for reference example configurations. If
 
 ### Removed
 
--
+- Support for generating random passwords has been removed.
 
 ### Variable and output changes
 
@@ -64,15 +65,18 @@ Please consult the `examples` directory for reference example configurations. If
 
 4. Removed outputs:
 
-    -
+    - `endpoint_access_address` -> see `endpoint_access` output
+    - `endpoint_access_port` -> see `endpoint_access` output
+    - `endpoint_access_id` -> see `endpoint_access` output
+    - `endpoint_access_vpc_endpoint` -> see `endpoint_access` output
 
 5. Renamed outputs:
 
-    -
+    - None
 
 6. Added outputs:
 
-    -
+    - None
 
 ## Upgrade Migration
 
@@ -121,9 +125,9 @@ module "redshift" {
 
   # Endpoint access - only available when using the ra3.x type
   create_endpoint_access          = true
-  endpoint_name                   = "example-example"
-  endpoint_subnet_group_name      = aws_redshift_subnet_group.endpoint.id
-  endpoint_vpc_security_group_ids = [module.security_group.security_group_id]
+  endpoint_name                   = "example"
+  endpoint_subnet_group_name      = "example"
+  endpoint_vpc_security_group_ids = ["sg-12345678"]
 }
 ```
 
@@ -136,6 +140,9 @@ module "redshift" {
 
   # Only the affected attributes are shown
 
+  # Security group
+  vpc_id = "vpc-1234556abcdef"
+
   # Snapshot schedule
   snapshot_schedule = {
     identifier    = "example"
@@ -180,14 +187,19 @@ module "redshift" {
   # Endpoint access - only available when using the ra3.x type
   endpoint_access = {
     example = {
-      name                   = "example-example"
-      subnet_group_name      = aws_redshift_subnet_group.endpoint.id
-      vpc_security_group_ids = [module.security_group.security_group_id]
+      name                   = "example"
+      subnet_group_name      = "example"
+      vpc_security_group_ids = ["sg-12345678"]
     }
   }
+
+  # Maintains backward compatibility, as needed
+  parameter_group_family = "redshift-1.0"
 }
 ```
 
 ### State Move Commands
 
-TBD
+```sh
+terraform state mv 'module.redshift.aws_redshift_endpoint_access.this[0]' 'module.redshift.aws_redshift_endpoint_access.this["example"]'
+```
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -88,10 +88,7 @@ No inputs.
 | <a name="output_cluster_type"></a> [cluster\_type](#output\_cluster\_type) | The Redshift cluster type |
 | <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | The version of Redshift engine software |
 | <a name="output_cluster_vpc_security_group_ids"></a> [cluster\_vpc\_security\_group\_ids](#output\_cluster\_vpc\_security\_group\_ids) | The VPC security group ids associated with the cluster |
-| <a name="output_endpoint_access_address"></a> [endpoint\_access\_address](#output\_endpoint\_access\_address) | The DNS address of the endpoint |
-| <a name="output_endpoint_access_id"></a> [endpoint\_access\_id](#output\_endpoint\_access\_id) | The Redshift-managed VPC endpoint name |
-| <a name="output_endpoint_access_port"></a> [endpoint\_access\_port](#output\_endpoint\_access\_port) | The port number on which the cluster accepts incoming connections |
-| <a name="output_endpoint_access_vpc_endpoint"></a> [endpoint\_access\_vpc\_endpoint](#output\_endpoint\_access\_vpc\_endpoint) | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
+| <a name="output_endpoint_access"></a> [endpoint\_access](#output\_endpoint\_access) | A map of access endpoints created and their attributes |
 | <a name="output_master_password_secret_arn"></a> [master\_password\_secret\_arn](#output\_master\_password\_secret\_arn) | ARN of managed master password secret |
 | <a name="output_master_password_secretsmanager_secret_rotation_enabled"></a> [master\_password\_secretsmanager\_secret\_rotation\_enabled](#output\_master\_password\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
 | <a name="output_parameter_group_arn"></a> [parameter\_group\_arn](#output\_parameter\_group\_arn) | Amazon Resource Name (ARN) of the parameter group created |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -51,6 +51,7 @@ module "redshift" {
   # Only available when using the ra3.x type
   availability_zone_relocation_enabled = true
   enhanced_vpc_routing                 = true
+  vpc_id                               = module.vpc.vpc_id
 
   snapshot_copy = {
     destination_region = "us-east-1"
@@ -217,8 +218,9 @@ module "with_cloudwatch_logging" {
   source = "../../"
 
   cluster_identifier = "${local.name}-with-cloudwatch-logging"
-  node_type          = "dc2.large"
+  node_type          = "ra3.large"
 
+  vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.redshift_subnets
 
   create_cloudwatch_log_group            = true
@@ -239,8 +241,9 @@ module "default" {
   source = "../../"
 
   cluster_identifier = "${local.name}-default"
-  node_type          = "dc2.large"
+  node_type          = "ra3.large"
 
+  vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.redshift_subnets
 
   tags = local.tags
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -115,6 +115,7 @@ output "cluster_namespace_arn" {
 output "cluster_master_password" {
   description = "The Redshift cluster master password"
   value       = module.redshift.cluster_master_password
+  sensitive   = true
 }
 
 output "cluster_master_username" {
@@ -187,24 +188,9 @@ output "scheduled_action_iam_role_unique_id" {
 # Endpoint Access
 ################################################################################
 
-output "endpoint_access_address" {
-  description = "The DNS address of the endpoint"
-  value       = module.redshift.endpoint_access_address
-}
-
-output "endpoint_access_id" {
-  description = "The Redshift-managed VPC endpoint name"
-  value       = module.redshift.endpoint_access_id
-}
-
-output "endpoint_access_port" {
-  description = "The port number on which the cluster accepts incoming connections"
-  value       = module.redshift.endpoint_access_port
-}
-
-output "endpoint_access_vpc_endpoint" {
-  description = "The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below"
-  value       = module.redshift.endpoint_access_vpc_endpoint
+output "endpoint_access" {
+  description = "A map of access endpoints created and their attributes"
+  value       = module.redshift.endpoint_access
 }
 
 ################################################################################
diff --git a/main.tf b/main.tf
@@ -125,10 +125,6 @@ resource "aws_redshift_subnet_group" "this" {
 # Snapshot Schedule
 ################################################################################
 
-locals {
-  snapshot_schedule_identifier = try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier))
-}
-
 resource "aws_redshift_snapshot_schedule" "this" {
   count = var.create && var.snapshot_schedule != null ? 1 : 0
 
@@ -137,8 +133,8 @@ resource "aws_redshift_snapshot_schedule" "this" {
   definitions       = var.snapshot_schedule.definitions
   description       = var.snapshot_schedule.description
   force_destroy     = var.snapshot_schedule.force_destroy
-  identifier        = var.snapshot_schedule.use_prefix ? null : local.snapshot_schedule_identifier
-  identifier_prefix = var.snapshot_schedule.use_prefix ? "${local.snapshot_schedule_identifier}-" : null
+  identifier        = var.snapshot_schedule.use_prefix ? null : try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier), "")
+  identifier_prefix = var.snapshot_schedule.use_prefix ? "${try(coalesce(var.snapshot_schedule.identifier, var.cluster_identifier), "")}-" : null
 
   tags = merge(var.tags, var.snapshot_schedule.tags)
 }
@@ -178,15 +174,15 @@ resource "aws_redshift_scheduled_action" "this" {
 
     content {
       dynamic "pause_cluster" {
-        for_each = each.value.pause_cluster != null ? [1] : []
+        for_each = target_action.value.pause_cluster != null && target_action.value.pause_cluster ? [1] : []
 
         content {
           cluster_identifier = aws_redshift_cluster.this[0].id
         }
       }
 
       dynamic "resize_cluster" {
-        for_each = each.value.resize_cluster != null ? [1] : []
+        for_each = target_action.value.resize_cluster != null ? [target_action.value.resize_cluster] : []
 
         content {
           classic            = resize_cluster.value.classic
@@ -198,7 +194,7 @@ resource "aws_redshift_scheduled_action" "this" {
       }
 
       dynamic "resume_cluster" {
-        for_each = each.value.resume_cluster != null ? [each.value.resume_cluster] : []
+        for_each = target_action.value.resume_cluster != null && target_action.value.resume_cluster ? [target_action.value.resume_cluster] : []
 
         content {
           cluster_identifier = aws_redshift_cluster.this[0].id
@@ -317,7 +313,7 @@ resource "aws_redshift_authentication_profile" "this" {
 
   region = var.region
 
-  authentication_profile_name    = try(each.value.name, each.key)
+  authentication_profile_name    = try(coalesce(each.value.name, each.key))
   authentication_profile_content = jsonencode(each.value.content)
 }
 
@@ -342,7 +338,7 @@ resource "aws_redshift_logging" "this" {
 ################################################################################
 
 resource "aws_cloudwatch_log_group" "this" {
-  for_each = toset([for log in try(var.logging.log_exports, []) : log if var.create && var.create_cloudwatch_log_group])
+  for_each = var.create && var.create_cloudwatch_log_group && var.logging != null ? toset([for log in try(var.logging.log_exports, []) : log]) : toset([])
 
   region = var.region
 
diff --git a/outputs.tf b/outputs.tf
@@ -193,24 +193,9 @@ output "scheduled_action_iam_role_unique_id" {
 # Endpoint Access
 ################################################################################
 
-output "endpoint_access_address" {
-  description = "The DNS address of the endpoint"
-  value       = try(aws_redshift_endpoint_access.this[0].address, null)
-}
-
-output "endpoint_access_id" {
-  description = "The Redshift-managed VPC endpoint name"
-  value       = try(aws_redshift_endpoint_access.this[0].id, null)
-}
-
-output "endpoint_access_port" {
-  description = "The port number on which the cluster accepts incoming connections"
-  value       = try(aws_redshift_endpoint_access.this[0].port, null)
-}
-
-output "endpoint_access_vpc_endpoint" {
-  description = "The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below"
-  value       = try(aws_redshift_endpoint_access.this[0].vpc_endpoint, null)
+output "endpoint_access" {
+  description = "A map of access endpoints created and their attributes"
+  value       = aws_redshift_endpoint_access.this
 }
 
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -465,7 +465,7 @@ variable "logging" {
   type = object({
     bucket_name          = optional(string)
     log_destination_type = optional(string)
-    log_exports          = optional(list(string))
+    log_exports          = optional(list(string), [])
     s3_key_prefix        = optional(string)
   })
   default = null
