23 changes: 5 additions & 18 deletions terraform/environments/observability-platform/data.tf
Expand Up @@ -6,29 +6,16 @@ data "aws_ssoadmin_instances" "main" {
provider = aws.sso-readonly
}

data "aws_identitystore_group" "observability_platform_admins" {
for_each = toset(["observability-platform", "operations-engineering", "azure-aws-sso-modernisation-platform"])

data "aws_identitystore_groups" "all" {
provider = aws.sso-readonly

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]

filter {
attribute_path = "DisplayName"
attribute_value = each.value
}
}

data "aws_identitystore_group" "all_identity_centre_teams" {
for_each = { for team in local.all_identity_centre_teams : team => team }

provider = aws.sso-readonly

identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]

filter {
attribute_path = "DisplayName"
attribute_value = each.value
locals {
identitystore_group_ids_by_name = {
for group in data.aws_identitystore_groups.all.groups :
group.display_name => group.group_id
}
}
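Review bot: The new `identitystore_group_ids_by_name` map in `locals` is built without the `...` grouping form, so two Identity Center groups sharing a DisplayName would fail the plan with a duplicate-key error, and a consumer looking up a name that is absent gets a generic invalid-index error instead of the per-group lookup failure the removed `aws_identitystore_group` data sources produced. Because `aws_identitystore_groups.all` now enumerates every group in the store through the `aws.sso-readonly` provider, the full group list is also persisted in this root module's state, which is worth stating next to the data source. A short comment on the local would save the next reader both surprises: `# DisplayName -> group_id for every group in the identity store; a missing or duplicated name fails the plan.` The hunk starts inside `data "aws_ssoadmin_instances" "main"`, which opens before it.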

Expand Up @@ -17,7 +17,7 @@ module "amazon_managed_grafana_remote_cloudwatch_iam_policy" {
#checkov:skip=CKV_TF_2:Module registry does not support tags for versions

source = "terraform-aws-modules/iam/aws//modules/iam-policy"
version = "5.52.2"
version = "6.6.1"

name_prefix = "amazon-managed-grafana-remote-cloudwatch"

Expand Up @@ -6,7 +6,7 @@ module "grafana_api_key_rotator" {
#checkov:skip=CKV_AWS_258:Function is not invoked by URL

source = "terraform-aws-modules/lambda/aws"
version = "7.20.1"
version = "8.8.0"

publish = true
create_package = false
Expand Down Expand Up @@ -53,7 +53,7 @@ module "grafana_api_key_rotator" {

module "securityhub_metric_ingester" {
source = "terraform-aws-modules/lambda/aws"
version = "7.20.1"
version = "8.8.0"

function_name = "securityhub-metric-ingester"
description = "Publishes enriched Security Hub metrics for Grafana"
Expand Up @@ -5,7 +5,7 @@ module "managed_grafana" {
#checkov:skip=CKV2_AWS_5:AMG doesn't run in a VPC, so it doesn't need a security group

source = "terraform-aws-modules/managed-service-grafana/aws"
version = "2.2.0"
version = "2.3.1"

name = local.application_name

Expand All @@ -31,10 +31,13 @@ module "managed_grafana" {

role_associations = {
"ADMIN" = {
"group_ids" = [for group in data.aws_identitystore_group.observability_platform_admins : group.id]
"group_ids" = [
for group_name in ["observability-platform", "operations-engineering", "azure-aws-sso-modernisation-platform"] :
local.identitystore_group_ids_by_name[group_name]
]
}
"EDITOR" = {
"group_ids" = [for team in data.aws_identitystore_group.all_identity_centre_teams : team.id]
"group_ids" = [for team in local.all_identity_centre_teams : local.identitystore_group_ids_by_name[team]]
}
}
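Review bot: The ADMIN `group_ids` list in `role_associations` now carries the three admin group names inline in the module call, where they were previously declared once as the `for_each` set of the removed data source; declaring them as a named local such as `observability_platform_admin_groups` keeps the set of groups granted Grafana ADMIN reviewable in one place and makes a change to it appear as a one-line diff rather than an edit inside a module argument. Each `local.identitystore_group_ids_by_name[group_name]` lookup fails the plan if the name is not present in the identity store, which is the right failure mode for an admin grant but deserves a comment, e.g. `# Lookup fails the plan if a group is renamed or removed in Identity Center; do not soften with lookup()/try().` The `module "managed_grafana"` block starts before and continues after this hunk.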

Expand Up @@ -4,7 +4,7 @@ module "managed_prometheus" {
#checkov:skip=CKV_TF_2:Module registry does not support tags for versions

source = "terraform-aws-modules/managed-service-prometheus/aws"
version = "2.2.3"
version = "4.3.1"

workspace_alias = local.application_name

Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,11 +2,11 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0, != 5.86.0"
version = "~> 6.0"
}
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,11 +2,11 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0, != 5.86.0"
version = "~> 6.0"
}
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
@@ -1,10 +1,12 @@
data "aws_ssoadmin_instances" "main" {}

data "aws_identitystore_group" "this" {
data "aws_identitystore_groups" "all" {
identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
}

filter {
attribute_path = "DisplayName"
attribute_value = var.identity_centre_team
}
locals {
identitystore_group_id = one([
for group in data.aws_identitystore_groups.all.groups :
group.group_id if group.display_name == var.identity_centre_team
])
}
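Review bot: `local.identitystore_group_id` is built with `one()`, which returns null when no group's `display_name` equals `var.identity_centre_team`, whereas the removed `aws_identitystore_group.this` filter failed the plan outright for a missing group; that null then reaches `groups = [local.identitystore_group_id]` in the `grafana_team` hunk below, where it presumably yields either a team sync bound to no Identity Center group or a provider error that does not name the team. A `lifecycle` precondition on `grafana_team.this` asserting the local is non-null restores the fail-closed behaviour with a readable message, as in the excerpt below. `one()` still errors when several groups share the name, which is worth a one-line comment on the local. If this module is instantiated once per team, as `var.identity_centre_team` suggests, each instance now lists every group in the store and keeps that list in state.

```hcl
resource "grafana_team" "this" {
  # … unchanged: name, team_sync …
  lifecycle {
    precondition {
      condition     = local.identitystore_group_id != null
      error_message = "No Identity Center group with DisplayName '${var.identity_centre_team}' was found."
    }
  }
}
```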
@@ -1,7 +1,7 @@
resource "grafana_team" "this" {
name = var.name
team_sync {
groups = [data.aws_identitystore_group.this.id]
groups = [local.identitystore_group_id]
}
}

Expand Up @@ -2,11 +2,11 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0, != 5.86.0"
version = "~> 6.0"
}
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
version = "~> 6.0"
configuration_aliases = [aws.sso]
}
}
Expand Up @@ -32,12 +32,23 @@ module "iam_role" {
#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
#checkov:skip=CKV_TF_2:Module registry does not support tags for versions

source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
version = "5.52.2"
source = "terraform-aws-modules/iam/aws//modules/iam-role"
version = "6.6.1"

name = "${var.name}-prometheus"
use_name_prefix = false

trust_policy_permissions = {
AllowAssumeRole = {
actions = ["sts:AssumeRole"]
principals = [{
type = "AWS"
identifiers = ["arn:aws:iam::${var.account_id}:root"]
}]
}
}

create_role = true
role_name = "${var.name}-prometheus"
trusted_role_arns = ["arn:aws:iam::${var.account_id}:root"]
custom_role_policy_arns = [module.iam_policy.arn]
role_requires_mfa = false
policies = {
prometheus = module.iam_policy.arn
}
}
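Review bot: The `trust_policy_permissions` statement added to `module "iam_role"` trusts `arn:aws:iam::${var.account_id}:root` with no condition, so any principal in that account that is allowed `sts:AssumeRole` can assume the Prometheus role; the old `trusted_role_arns` carried the same account-root trust, but the rewrite is the moment to either narrow `identifiers` to the specific roles that need it or attach a condition to the statement, and to record why account-wide trust is acceptable here. The removed `role_requires_mfa = false` made the absence of an MFA condition explicit, and nothing in the new block states it, so a comment such as `# Account-root trust with no MFA condition: the tenant account's own IAM policies decide who may assume this role` keeps that intent visible. `module "iam_role"` opens before this hunk.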
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0, != 5.86.0"
version = "~> 6.0"
}
}
required_version = "~> 1.0"
Expand Up @@ -3,7 +3,7 @@ module "observability_platform_tenant" {
#checkov:skip=CKV_TF_2:Module registry does not support tags for versions

source = "ministryofjustice/observability-platform-tenant/aws"
version = "1.2.0"
version = "2.0.0"

observability_platform_account_id = data.aws_caller_identity.current.account_id
enable_xray = true
18 changes: 9 additions & 9 deletions terraform/environments/observability-platform/platform_data.tf
Expand Up @@ -43,63 +43,63 @@ data "aws_subnets" "shared-public" {
data "aws_subnet" "data_subnets_a" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}a"
}
}

data "aws_subnet" "data_subnets_b" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}b"
}
}

data "aws_subnet" "data_subnets_c" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.region}c"
}
}

data "aws_subnet" "private_subnets_a" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}a"
}
}

data "aws_subnet" "private_subnets_b" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}b"
}
}

data "aws_subnet" "private_subnets_c" {
vpc_id = data.aws_vpc.shared.id
tags = {
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c"
"Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.region}c"
}
}

data "aws_subnet" "public_subnets_a" {
vpc_id = data.aws_vpc.shared.id
tags = {
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a"
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}a"
}
}

data "aws_subnet" "public_subnets_b" {
vpc_id = data.aws_vpc.shared.id
tags = {
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b"
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}b"
}
}

data "aws_subnet" "public_subnets_c" {
vpc_id = data.aws_vpc.shared.id
tags = {
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c"
Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.region}c"
}
}

Expand Up @@ -8,8 +8,11 @@ provider "aws" {
# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
provider "aws" {
region = "eu-west-2"
assume_role {
role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
dynamic "assume_role" {
for_each = can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? [1] : []
content {
role_arn = can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
}
}
default_tags { tags = local.tags }
}
Expand Down Expand Up @@ -48,8 +51,11 @@ provider "aws" {
provider "aws" {
alias = "us-east-1"
region = "us-east-1"
assume_role {
role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccessUSEast"
dynamic "assume_role" {
for_each = can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? [1] : []
content {
role_arn = can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccessUSEast"
}
}
default_tags { tags = local.tags }
}
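Review bot: The `for_each` guard on the new `dynamic "assume_role"` block, and the inner ternary, test the caller ARN with unanchored substrings, so `user` matches any session ARN that merely contains those letters in a role or session name and would route such a caller to the `${var.collaborator_access}` role instead of `MemberInfrastructureAccess`; anchoring the IAM-user check to the resource segment, `can(regex(":user/", data.aws_caller_identity.original_session.arn))`, makes the branch depend on the principal type as intended. The same expression pair is repeated verbatim in the `us-east-1` provider block in the second hunk of this file, so a `locals` entry evaluated once would keep the two providers from drifting apart. Both provider blocks start and end inside their hunks.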
4 changes: 2 additions & 2 deletions terraform/environments/observability-platform/versions.tf
@@ -1,12 +1,12 @@
terraform {
required_providers {
aws = {
version = "~> 5.8, != 5.86.0"
version = "~> 6.0"
source = "hashicorp/aws"
}
grafana = {
source = "grafana/grafana"
version = "~> 3.0"
version = "~> 4.0"
}
http = {
version = "~> 3.0"