upstream/terraform
1
0
Fork 0
mirror of https://github.com/hashicorp/terraform.git synced 2026-02-19 02:39:17 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

backend/s3: upgrade guide notes for Terraform 1.10 (#36037)

Browse source 
This includes sections on the introduction of S3 native state locking and the removal of deprecated root level attributes related to role assumption which have been replaced by the `assume_role` block.
This commit is contained in:
Jared Baker 2024-11-19 04:20:21 -05:00 committed by GitHub
parent 9402a85c5d
commit 4a69eec07c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 41 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
website/docs/language/upgrade-guides/index.mdx
View file

@ -26,3 +26,44 @@ to discuss it.
Moved blocks now respect reserved keywords such as `local`, `each`, `self` etc. when parsing resource addresses.
Configurations that reference resources with type names that match top level blocks and
keywords from moved blocks will need to prepend the reference identifier with `resource.`.
## S3 Backend
### S3 Native State Locking
The S3 backend now supports S3 native state locking as an opt-in, experimental feature.
An S3 lock can be used alongside a DynamoDB lock, or independently.
When both locking mechanisms are configured, a lock must be successfully acquired from both locations before subsequent operations will proceed.
To opt-in to S3 native state locking, set `use_lockfile` to `true`.
```terraform
terraform {
backend "s3" {
# additional configuration omitted for brevity
use_lockfile = true
}
}
```
With S3 locking enabled, a lock file will be placed in the same location as the state file.
The lock file will be named identically to the state file, but with a `.tflock` extension.
**S3 bucket policies and IAM policies attached to the calling principal may need to be adjusted to include permissions for the new lock file.**
In a future minor version of Terraform the experimental label will be removed from the `use_lockfile` attribute and attributes related to DynamoDB based locking will be deprecated.
### Root Assume Role Attribute Removal
Several root level attributes related to IAM role assumption which were previously deprecated have been removed.
Each removed field has an analogous field inside the [`assume_role` block](https://developer.hashicorp.com/terraform/language/backend/s3#assume-role-configuration) which should be used instead.
| Removed | Replacement |
| --- | --- |
| `role_arn` | `assume_role.role_arn` |
| `session_name` | `assume_role.session_name` |
| `external_id` | `assume_role.external_id` |
| `assume_role_duration_seconds` | `assume_role.duration` |
| `assume_role_policy` | `assume_role.policy` |
| `assume_role_policy_arns` | `assume_role.policy_arn` |
| `assume_role_tags` | `assume_role.tags` |
| `assume_role_transitive_tag_keys` | `assume_role.transitive_tag_keys` |