From 017f3408db24f3318e27d3a1308522925d2e5af7 Mon Sep 17 00:00:00 2001 From: Fabio Santos Date: Sat, 16 Sep 2023 22:37:51 +0100 Subject: [PATCH] fix: Add AWS Provider Version Constraint to major version 4 --- README.md | 18 ++++++++++++++++-- iam.tf | 28 ++++++++++++++-------------- versions.tf | 2 +- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 670021b..94232be 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Supports all destinations and all Kinesis Firehose Features. ## Table of Contents +* [Module versioning rule](#module-versioning-rule) * [Features](#features) * [How to Use](#how-to-use) * [Sources](#sources) @@ -45,6 +46,13 @@ Supports all destinations and all Kinesis Firehose Features. * [Outputs](#outputs) * [License](#license) +## Module versioning rule + +| Module version | AWS Provider version | +|----------------|----------------------| +| >= 1.x.x | ~> 4.4 | +| >= 2.x.x | ~> 5.0 (WIP) | + ## Features - Sources @@ -735,13 +743,13 @@ The destination variable configured in module is mapped to firehose valid destin | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 4.4 | +| [aws](#requirement\_aws) | ~> 4.4 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.4 | +| [aws](#provider\_aws) | ~> 4.4 | ## Modules 
@@ -786,6 +794,8 @@ No modules.
 | [aws_iam_policy_document.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.application_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cross_account_elasticsearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cross_account_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elasticsearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.glue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -864,6 +874,7 @@ No modules.
 | [dynamic\_partitioning\_retry\_duration](#input\_dynamic\_partitioning\_retry\_duration) | Total amount of seconds Firehose spends on retries | `number` | `300` | no |
 | [dynatrace\_api\_url](#input\_dynatrace\_api\_url) | API URL to Dynatrace destination | `string` | `null` | no |
 | [dynatrace\_endpoint\_location](#input\_dynatrace\_endpoint\_location) | Endpoint Location to Dynatrace destination | `string` | `"eu"` | no |
+| [elasticsearch\_cross\_account](#input\_elasticsearch\_cross\_account) | Indicates if Elasticsearch domain is in a different account | `bool` | `false` | no |
 | [elasticsearch\_domain\_arn](#input\_elasticsearch\_domain\_arn) | The ARN of the Amazon ES domain. The pattern needs to be arn:.* | `string` | `null` | no |
 | [elasticsearch\_enable\_vpc](#input\_elasticsearch\_enable\_vpc) | Indicates if destination is configured in VPC. Supported only to Elasticsearch destinations | `bool` | `false` | no |
 | [elasticsearch\_index\_name](#input\_elasticsearch\_index\_name) | The Elasticsearch index name | `string` | `null` | no |
@@ -935,6 +946,7 @@ No modules.
 | [s3\_backup\_use\_existing\_role](#input\_s3\_backup\_use\_existing\_role) | Indicates if want use the kinesis firehose role to s3 backup bucket access. | `bool` | `true` | no |
 | [s3\_bucket\_arn](#input\_s3\_bucket\_arn) | The ARN of the S3 destination bucket | `string` | `null` | no |
 | [s3\_compression\_format](#input\_s3\_compression\_format) | The compression format | `string` | `"UNCOMPRESSED"` | no |
+| [s3\_cross\_account](#input\_s3\_cross\_account) | Indicates if S3 bucket destination is in a different account | `bool` | `false` | no |
 | [s3\_error\_output\_prefix](#input\_s3\_error\_output\_prefix) | Prefix added to failed records before writing them to S3. This prefix appears immediately following the bucket name. | `string` | `null` | no |
 | [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will be used | `string` | `null` | no |
 | [s3\_own\_bucket](#input\_s3\_own\_bucket) | Indicates if you own the bucket. If not, will be configure permissions to grants the bucket owner full access to the objects delivered by Kinesis Data Firehose | `bool` | `true` | no |
@@ -989,7 +1001,9 @@ No modules. | [kinesis\_firehose\_name](#output\_kinesis\_firehose\_name) | The name of the Kinesis Firehose Stream | | [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | The ARN of the IAM role created for Kinesis Firehose Stream | | [kinesis\_firehose\_version\_id](#output\_kinesis\_firehose\_version\_id) | The Version id of the Kinesis Firehose Stream | +| [opensearch\_cross\_account\_service\_policy](#output\_opensearch\_cross\_account\_service\_policy) | OpenSearch Service policy when the opensearch domain belongs to another account | | [opensearch\_iam\_service\_linked\_role\_arn](#output\_opensearch\_iam\_service\_linked\_role\_arn) | The ARN of the Opensearch IAM Service linked role | +| [s3\_cross\_account\_bucket\_policy](#output\_s3\_cross\_account\_bucket\_policy) | Bucket Policy to S3 Bucket Destination when the bucket belongs to another account | ## License diff --git a/iam.tf b/iam.tf index 9430bf5..b91a4f9 100644 --- a/iam.tf +++ b/iam.tf @@ -86,7 +86,7 @@ data "aws_iam_policy_document" "kinesis" { } resource "aws_iam_policy" "kinesis" { - count = local.add_kinesis_source_policy ? 1 : 0 + count = local.add_kinesis_source_policy ? 1 : 0 name = "${local.role_name}-kinesis" path = var.policy_path policy = data.aws_iam_policy_document.kinesis[0].json @@ -94,7 +94,7 @@ resource "aws_iam_policy" "kinesis" { } resource "aws_iam_role_policy_attachment" "kinesis" { - count = local.add_kinesis_source_policy ? 1 : 0 + count = local.add_kinesis_source_policy ? 1 : 0 role = aws_iam_role.firehose[0].name policy_arn = aws_iam_policy.kinesis[0].arn } @@ -115,7 +115,7 @@ data "aws_iam_policy_document" "lambda" { } resource "aws_iam_policy" "lambda" { - count = local.add_lambda_policy ? 1 : 0 + count = local.add_lambda_policy ? 1 : 0 name = "${local.role_name}-lambda" path = var.policy_path policy = data.aws_iam_policy_document.lambda[0].json 
@@ -123,7 +123,7 @@ resource "aws_iam_policy" "lambda" { } resource "aws_iam_role_policy_attachment" "lambda" { - count = local.add_lambda_policy ? 1 : 0 + count = local.add_lambda_policy ? 1 : 0 role = aws_iam_role.firehose[0].name policy_arn = aws_iam_policy.lambda[0].arn } @@ -237,7 +237,7 @@ data "aws_iam_policy_document" "glue" { } resource "aws_iam_policy" "glue" { - count = local.add_glue_policy ? 1 : 0 + count = local.add_glue_policy ? 1 : 0 name = "${local.role_name}-glue" path = var.policy_path policy = data.aws_iam_policy_document.glue[0].json @@ -245,7 +245,7 @@ resource "aws_iam_policy" "glue" { } resource "aws_iam_role_policy_attachment" "glue" { - count = local.add_glue_policy ? 1 : 0 + count = local.add_glue_policy ? 1 : 0 role = aws_iam_role.firehose[0].name policy_arn = aws_iam_policy.glue[0].arn } @@ -276,7 +276,7 @@ data "aws_iam_policy_document" "s3" { } resource "aws_iam_policy" "s3" { - count = local.add_s3_policy ? 1 : 0 + count = local.add_s3_policy ? 1 : 0 name = "${local.role_name}-s3" path = var.policy_path policy = data.aws_iam_policy_document.s3[0].json @@ -284,16 +284,16 @@ resource "aws_iam_policy" "s3" { } resource "aws_iam_role_policy_attachment" "s3" { - count = local.add_s3_policy ? 1 : 0 + count = local.add_s3_policy ? 1 : 0 role = aws_iam_role.firehose[0].name policy_arn = aws_iam_policy.s3[0].arn } data "aws_iam_policy_document" "cross_account_s3" { - count = var.create && var.create_role && local.s3_destination && var.s3_cross_account ? 1 : 0 + count = var.create && var.create_role && local.s3_destination && var.s3_cross_account ? 1 : 0 version = "2012-10-17" statement { - sid = "Cross Account Access to ${data.aws_caller_identity.current.account_id} Account" + sid = "Cross Account Access to ${data.aws_caller_identity.current.account_id} Account" effect = "Allow" principals { 
@@ -336,7 +336,7 @@ data "aws_iam_policy_document" "cw" { } resource "aws_iam_policy" "cw" { - count = local.add_cw_policy ? 1 : 0 + count = local.add_cw_policy ? 1 : 0 name = "${local.role_name}-cw" path = var.policy_path policy = data.aws_iam_policy_document.cw[0].json @@ -344,7 +344,7 @@ resource "aws_iam_policy" "cw" { } resource "aws_iam_role_policy_attachment" "cw" { - count = local.add_cw_policy ? 1 : 0 + count = local.add_cw_policy ? 1 : 0 role = aws_iam_role.firehose[0].name policy_arn = aws_iam_policy.cw[0].arn } @@ -413,10 +413,10 @@ resource "aws_iam_role_policy_attachment" "elasticsearch" { } data "aws_iam_policy_document" "cross_account_elasticsearch" { - count = local.add_elasticsearch_policy && var.elasticsearch_cross_account ? 1 : 0 + count = local.add_elasticsearch_policy && var.elasticsearch_cross_account ? 1 : 0 version = "2012-10-17" statement { - sid = "Cross Account Access to ${data.aws_caller_identity.current.account_id} Account" + sid = "Cross Account Access to ${data.aws_caller_identity.current.account_id} Account" effect = "Allow" principals { diff --git a/versions.tf b/versions.tf index e420177..792de36 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.4" + version = "~> 4.4" } } }
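Review bot: The new `version = "~> 4.4"` line in the versions.tf hunk has no comment saying the upper bound is deliberate, so a later maintainer could loosen it back to `>=` without realising that module 1.x is meant to stay on AWS provider 4.x. I would add `# Capped below 5.0: module 1.x targets AWS provider 4.x; see "Module versioning rule" in README.md` directly above it. Note also that `~> 4.4` still floats across every 4.x release from 4.4 upward, so consumers who need reproducible, checksum-verified provider installs should rely on a committed `.terraform.lock.hcl` in their root module rather than on this constraint. The enclosing `terraform` block opens outside the hunk.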