feat(deployment): enhanced region support (#162)

Author: moritzzimmer

data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+data "aws_region" "current" {
+  region = var.region
+}

examples/deployment/complete/codepipeline_step.tf

@@ -3,11 +3,15 @@ locals {
 }
 
 resource "aws_cloudwatch_log_group" "custom_step" {
+  region = local.region
+
   name              = "/aws/codebuild/${local.codebuild_name}"
   retention_in_days = 1
 }
 
 resource "aws_codebuild_project" "custom_step" {
+  region = local.region
+
   name         = local.codebuild_name
   service_role = aws_iam_role.custom_codepipeline_step.arn
 

examples/deployment/complete/data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {
+  region = local.region
+}
+

examples/deployment/complete/main.tf

@@ -1,19 +1,19 @@
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
 module "fixtures" {
   source = "../../fixtures"
 }
 
 locals {
   environment   = "production"
   function_name = module.fixtures.output_function_name
+  region        = "eu-central-1"
   s3_key        = "${local.function_name}/package/lambda.zip"
 }
 
 module "lambda" {
   source = "../../../"
 
+  region = local.region
+
   architectures                    = ["arm64"]
   description                      = "Example usage for an AWS Lambda deployed from S3 using CodePipeline and CodeDeploy with hooks."
   function_name                    = local.function_name
@@ -27,6 +27,8 @@ module "lambda" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "error_rate" {
+  region = local.region
+
   alarm_description   = "${module.lambda.function_name} has a high error rate"
   alarm_name          = "${module.lambda.function_name}-error-rate"
   comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -79,6 +81,8 @@ resource "aws_cloudwatch_metric_alarm" "error_rate" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_lambda_alias" "this" {
+  region = local.region
+
   function_name    = module.lambda.function_name
   function_version = module.lambda.version
   name             = local.environment
@@ -91,6 +95,8 @@ resource "aws_lambda_alias" "this" {
 module "deployment" {
   source = "../../../modules/deployment"
 
+  region = local.region
+
   alias_name                                                      = aws_lambda_alias.this.name
   codedeploy_appspec_hooks_after_allow_traffic_arn                = module.traffic_hook.arn
   codedeploy_appspec_hooks_before_allow_traffic_arn               = module.traffic_hook.arn
@@ -110,9 +116,6 @@ module "deployment" {
       name          = "FOO"
       default_value = "BAR"
       description   = "test with all config values"
-    },
-    {
-      name = "BAR"
     }
   ]
 
@@ -147,6 +150,8 @@ module "deployment" {
 }
 
 resource "aws_codedeploy_deployment_config" "canary" {
+  region = local.region
+
   deployment_config_name = "custom-lambda-canary-deployment-config"
   compute_platform       = "Lambda"
 
@@ -168,12 +173,14 @@ resource "aws_codedeploy_deployment_config" "canary" {
 module "traffic_hook" {
   source = "../../../"
 
+  region = local.region
+
   architectures    = ["arm64"]
   description      = "Lambda function executed by CodeDeploy before and/or after allow traffic to deployed version."
   filename         = data.archive_file.traffic_hook.output_path
   function_name    = "codedeploy-hook-example"
   handler          = "hook.handler"
-  runtime          = "python3.12"
+  runtime          = "python3.13"
   source_code_hash = data.archive_file.traffic_hook.output_base64sha256
 }
 
@@ -208,11 +215,15 @@ resource "aws_iam_role_policy_attachment" "traffic_hook" {
 #trivy:ignore:AVD-AWS-0088
 #trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket" "source" {
+  region = local.region
+
   bucket        = "ci-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.region}"
   force_destroy = true
 }
 
 resource "aws_s3_bucket_versioning" "source" {
+  region = local.region
+
   bucket = aws_s3_bucket.source.id
 
   versioning_configuration {
@@ -222,11 +233,15 @@ resource "aws_s3_bucket_versioning" "source" {
 
 // make sure to enable S3 bucket notifications to start continuous deployment pipeline
 resource "aws_s3_bucket_notification" "source" {
+  region = local.region
+
   bucket      = aws_s3_bucket.source.id
   eventbridge = true
 }
 
 resource "aws_s3_bucket_public_access_block" "source" {
+  region = local.region
+
   block_public_acls       = true
   block_public_policy     = true
   bucket                  = aws_s3_bucket.source.id
@@ -237,6 +252,8 @@ resource "aws_s3_bucket_public_access_block" "source" {
 // this resource is only used for the initial `terraform apply` - all further
 // deployments are running on CodePipeline
 resource "aws_s3_object" "initial" {
+  region = local.region
+
   bucket = aws_s3_bucket.source.bucket
   key    = local.s3_key
   source = module.fixtures.output_path

main.tf

@@ -1,7 +1,3 @@
-data "aws_region" "current" {}
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 locals {
   function_arn = "arn:${data.aws_partition.current.partition}:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.function_name}"
   handler      = var.package_type != "Zip" ? null : var.handler

modules/deployment/README.md

@@ -455,6 +455,7 @@ No modules.
 | <a name="input_ecr_image_tag"></a> [ecr\_image\_tag](#input\_ecr\_image\_tag) | The container tag used for ECR/container based deployments. | `string` | `"latest"` | no |
 | <a name="input_ecr_repository_name"></a> [ecr\_repository\_name](#input\_ecr\_repository\_name) | Name of the ECR repository source used for ECR/container based deployments, required for `package_type=Image`. | `string` | `""` | no |
 | <a name="input_function_name"></a> [function\_name](#input\_function\_name) | The name of your Lambda Function to deploy. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | Alternative region used in all region-aware resources. If not set, the provider's region will be used. | `string` | `null` | no |
 | <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | Name of the bucket used for S3 based deployments, required for `package_type=Zip`. Make sure to enable S3 bucket notifications for this bucket for continuous deployment of your Lambda function, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html. | `string` | `""` | no |
 | <a name="input_s3_key"></a> [s3\_key](#input\_s3\_key) | Object key used for S3 based deployments, required for `package_type=Zip`. | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to all resources supporting tags. | `map(string)` | `{}` | no |

modules/deployment/codebuild.tf

@@ -1,11 +1,14 @@
 resource "aws_cloudwatch_log_group" "this" {
+  region = var.region
 
   name              = "/aws/codebuild/${var.function_name}"
   retention_in_days = var.codebuild_cloudwatch_logs_retention_in_days
   tags              = var.tags
 }
 
 resource "aws_codebuild_project" "this" {
+  region = var.region
+
   name         = var.function_name
   service_role = var.codebuild_role_arn == "" ? aws_iam_role.codebuild_role[0].arn : var.codebuild_role_arn
   tags         = var.tags

modules/deployment/codedeploy.tf

@@ -1,9 +1,13 @@
 resource "aws_codedeploy_app" "this" {
+  region = var.region
+
   name             = var.function_name
   compute_platform = "Lambda"
 }
 
 resource "aws_codedeploy_deployment_group" "this" {
+  region = var.region
+
   app_name               = var.function_name
   deployment_config_name = var.deployment_config_name
   deployment_group_name  = var.alias_name

modules/deployment/data.tf

@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+data "aws_region" "current" {
+  region = var.region
+}

modules/deployment/main.tf

@@ -1,7 +1,3 @@
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-data "aws_partition" "current" {}
-
 locals {
   artifact_store_bucket     = var.codepipeline_artifact_store_bucket != "" ? var.codepipeline_artifact_store_bucket : aws_s3_bucket.pipeline[0].bucket
   artifact_store_bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${local.artifact_store_bucket}"
@@ -25,6 +21,8 @@ locals {
 resource "aws_codepipeline" "this" {
   depends_on = [aws_iam_role.codepipeline_role]
 
+  region = var.region
+
   name          = local.pipeline_name
   pipeline_type = var.codepipeline_type
   role_arn      = var.codepipeline_role_arn == "" ? aws_iam_role.codepipeline_role[0].arn : var.codepipeline_role_arn
@@ -172,6 +170,8 @@ resource "aws_codepipeline" "this" {
 resource "aws_s3_bucket" "pipeline" {
   count = var.codepipeline_artifact_store_bucket == "" ? 1 : 0
 
+  region = var.region
+
   bucket        = "${local.bucket_name_prefix}-pipeline-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.region}"
   force_destroy = true
   tags          = var.tags
@@ -182,6 +182,8 @@ resource "aws_s3_bucket" "pipeline" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "pipeline" {
   count = var.codepipeline_artifact_store_bucket == "" ? 1 : 0
 
+  region = var.region
+
   bucket = aws_s3_bucket.pipeline[count.index].bucket
 
   rule {
@@ -194,6 +196,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "pipeline" {
 resource "aws_s3_bucket_public_access_block" "source" {
   count = var.codepipeline_artifact_store_bucket == "" ? 1 : 0
 
+  region = var.region
+
   bucket                  = aws_s3_bucket.pipeline[count.index].id
   block_public_acls       = true
   block_public_policy     = true