fix: Updates from testing and validation

Author: bryantbiggs

docs/UPGRADE-3.0.md

@@ -88,6 +88,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
       - None
 
     - `virtual_cluster` sub-module
+      - None
 
 6. Added outputs:
 
@@ -98,24 +99,101 @@ If you find a bug, please open an issue with supporting configuration to reprodu
       - None
 
     - `virtual_cluster` sub-module
+      - None
+
+## Upgrade Migration
+
+### Before v2.x Example
 
-## Upgrade Migrations
+```hcl
+module "emr" {
+  source  = "terraform-aws-modules/emr/aws"
+  version = "~> 2.0"
+
+  # Only the affected attributes are shown
+
+  bootstrap_action = {
+    example = {
+      name = "Just an example",
+      path = "file:/bin/echo",
+      args = ["Hello World!"]
+    }
+  }
+}
+```
 
-Not applicable - there aren't any structural changes other than the security group rule changes noted above. A diff of before vs after would look identical.
+### After v3.x Example
+
+```hcl
+module "emr" {
+  source  = "terraform-aws-modules/emr/aws"
+  version = "~> 2.0"
+
+  # Only the affected attributes are shown
+
+  # Copy and paste from output to maintain backwards compatibility
+  # This was added by the AWS Redshift API and provider in v6.x
+  os_release_label = "2023.9.20251014.0"
+
+  bootstrap_action = [
+    {
+      name = "Just an example",
+      path = "file:/bin/echo",
+      args = ["Hello World!"]
+    }
+  ]
+}
+```
 
 ### State Changes
 
 Due to the change from `aws_security_group_rule` to `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule`, the following reference state changes are required to maintain the current security group rules. (Note: these are different resources so they cannot be moved with `terraform mv ...`)
 
+#### Instance Group
+
 ```sh
+# Master Security Group
+terraform state rm 'module.emr_instance_group.aws_security_group_rule.master["default"]'
+terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.master["all-traffic"]' 'sg-xxx'
+
+# Slave Security Group
 terraform state rm 'module.emr_instance_group.aws_security_group_rule.slave["default"]'
-terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.this["default"]' 'sg-xxx'
+terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.slave["all-traffic"]' 'sg-xxx'
 
-terraform state rm 'module.emr_instance_group.aws_security_group_rule.master["default"]'
-terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.this["default"]' 'sg-xxx'
+# Service Security Group
+terraform state rm 'module.emr_instance_group.aws_security_group_rule.service["master_9443_ingress"]'
+terraform state import 'module.emr_instance_group.aws_vpc_security_group_ingress_rule.service["master_9443"]' 'sg-xxx'
+
+terraform state rm 'module.emr_instance_group.aws_security_group_rule.service["master_9443_egress"]'
+terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.service["master_8443"]' 'sg-xxx'
+
+terraform state rm 'module.emr_instance_group.aws_security_group_rule.service["core_task_8443_egress"]'
+terraform state import 'module.emr_instance_group.aws_vpc_security_group_egress_rule.service["core_task_8443"]' 'sg-xxx'
+```
+
+#### Instance Fleet
+
+```sh
+# Master Security Group
+terraform state rm 'module.emr_instance_fleet.aws_security_group_rule.master["default"]'
+terraform state import 'module.emr_instance_fleet.aws_vpc_security_group_egress_rule.master["all-traffic"]' 'sg-xxx'
+
+# Slave Security Group
+terraform state rm 'module.emr_instance_fleet.aws_security_group_rule.slave["default"]'
+terraform state import 'module.emr_instance_fleet.aws_vpc_security_group_egress_rule.slave["all-traffic"]' 'sg-xxx'
+
+# Service Security Group
+terraform state rm 'module.emr_instance_fleet.aws_security_group_rule.service["master_9443_ingress"]'
+terraform state import 'module.emr_instance_fleet.aws_vpc_security_group_ingress_rule.service["master_9443"]' 'sg-xxx'
+
+terraform state rm 'module.emr_instance_fleet.aws_security_group_rule.service["master_9443_egress"]'
+terraform state import 'module.emr_instance_fleet.aws_vpc_security_group_egress_rule.service["master_8443"]' 'sg-xxx'
+
+terraform state rm 'module.emr_instance_fleet.aws_security_group_rule.service["core_task_8443_egress"]'
+terraform state import 'module.emr_instance_fleet.aws_vpc_security_group_egress_rule.service["core_task_8443"]' 'sg-xxx'
 ```
 
-Serverless sub-module
+#### Serverless sub-module
 
 ```sh
 terraform state rm 'module.emr_serverless_spark.aws_security_group_rule.this["egress_all"]'

examples/private-cluster/main.tf

@@ -33,7 +33,6 @@ locals {
 module "emr_instance_fleet" {
   source = "../.."
 
-  # create = false
   name = "${local.name}-instance-fleet"
 
   release_label_filters = {
@@ -43,7 +42,7 @@ module "emr_instance_fleet" {
   }
   applications = ["spark", "trino"]
   auto_termination_policy = {
-    idle_timeout = 3600
+    idle_timeout = 14400
   }
 
   bootstrap_action = [
@@ -177,7 +176,7 @@ module "emr_instance_group" {
   }
   applications = ["spark", "trino"]
   auto_termination_policy = {
-    idle_timeout = 3600
+    idle_timeout = 14400
   }
 
   bootstrap_action = [

examples/public-cluster/main.tf

@@ -40,7 +40,7 @@ module "emr_instance_fleet" {
   }
   applications = ["spark", "trino"]
   auto_termination_policy = {
-    idle_timeout = 3600
+    idle_timeout = 14400
   }
 
   bootstrap_action = [
@@ -173,7 +173,7 @@ module "emr_instance_group" {
   }
   applications = ["spark", "trino"]
   auto_termination_policy = {
-    idle_timeout = 3600
+    idle_timeout = 14400
   }
 
   bootstrap_action = [

examples/serverless-cluster/main.tf

@@ -35,8 +35,7 @@ module "emr_serverless_spark" {
 
   release_label_filters = {
     emr7 = {
-      prefix      = "emr-7"
-      application = "spark"
+      prefix = "emr-7"
     }
   }
 
@@ -91,8 +90,7 @@ module "emr_serverless_hive" {
 
   release_label_filters = {
     emr7 = {
-      prefix      = "emr-7"
-      application = "hive"
+      prefix = "emr-7"
     }
   }
 

examples/virtual-cluster/main.tf

@@ -234,7 +234,7 @@ module "vpc_endpoints" {
   security_group_rules = {
     ingress_https = {
       description = "HTTPS from private subnets"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
+      cidr_blocks = module.vpc.private_subnets_cidr_blocks
     }
   }
 

main.tf

@@ -511,7 +511,7 @@ resource "aws_emr_security_configuration" "this" {
 
 locals {
   # Autoscaling not supported when using instance fleets
-  create_autoscaling_iam_role = var.create && var.create_autoscaling_iam_role && (var.core_instance_fleet != null || var.master_instance_fleet != null) == 0
+  create_autoscaling_iam_role = var.create && var.create_autoscaling_iam_role && var.core_instance_fleet == null && var.master_instance_fleet == null
   autoscaling_iam_role_name   = coalesce(var.autoscaling_iam_role_name, "${var.name}-autoscaling")
 }
 
@@ -788,7 +788,7 @@ resource "aws_vpc_security_group_ingress_rule" "master" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.master_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.master_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = try(coalesce(each.value.to_port, each.value.from_port), null)
@@ -810,7 +810,7 @@ resource "aws_vpc_security_group_egress_rule" "master" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.master_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.master_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = each.value.to_port
@@ -864,7 +864,7 @@ resource "aws_vpc_security_group_ingress_rule" "slave" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.slave_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.slave_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = try(coalesce(each.value.to_port, each.value.from_port), null)
@@ -886,7 +886,7 @@ resource "aws_vpc_security_group_egress_rule" "slave" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.slave_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.slave_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = each.value.to_port
@@ -903,6 +903,7 @@ locals {
   service_security_group_ingress_rules = merge(
     {
       "master_9443" = {
+        name                            = null
         cidr_ipv4                       = null
         cidr_ipv6                       = null
         description                     = "Master security group secure communication"
@@ -921,6 +922,7 @@ locals {
   service_security_group_egress_rules = merge(
     {
       "core_task_8443" = {
+        name                            = null
         cidr_ipv4                       = null
         cidr_ipv6                       = null
         description                     = "Allow the cluster manager to communicate with the core and task nodes"
@@ -933,6 +935,7 @@ locals {
         to_port                         = 8443
       }
       "master_8443" = {
+        name                            = null
         cidr_ipv4                       = null
         cidr_ipv6                       = null
         description                     = "Allow the cluster manager to communicate with the masterk nodes"
@@ -989,7 +992,7 @@ resource "aws_vpc_security_group_ingress_rule" "service" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.service_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.service_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = try(coalesce(each.value.to_port, each.value.from_port), null)
@@ -1011,7 +1014,7 @@ resource "aws_vpc_security_group_egress_rule" "service" {
   tags = merge(
     var.tags,
     var.managed_security_group_tags,
-    { Name = try(coalesce(each.value.name, "${local.service_security_group_name}-${each.key}"), null) },
+    { Name = try(coalesce(each.value.name, "${local.service_security_group_name}-${each.key}")) },
     each.value.tags
   )
   to_port = each.value.to_port

migrations.tf

@@ -0,0 +1,20 @@
+################################################################################
+# Migrations: v2.4.3 -> v3.0
+################################################################################
+
+moved {
+  from = aws_emr_instance_group.this["0"]
+  to   = aws_emr_instance_group.this[0]
+}
+
+moved {
+  from = aws_emr_instance_fleet.this["0"]
+  to   = aws_emr_instance_fleet.this[0]
+}
+
+
+# module.emr_instance_fleet.aws_iam_role_policy_attachment.autoscaling[0] will be created
+# module.emr_instance_fleet.aws_iam_role.autoscaling[0] will be created
+
+# module.emr_instance_group.aws_iam_role_policy_attachment.autoscaling[0] will be destroyed
+# module.emr_instance_group.aws_iam_role.autoscaling[0] will be destroyed

modules/serverless/main.tf

@@ -7,7 +7,7 @@ data "aws_emr_release_labels" "this" {
     for_each = var.release_label_filters
 
     content {
-      application = try(coalesce(filters.value.application, var.type))
+      application = filters.value.application
       prefix      = filters.value.prefix
     }
   }
@@ -109,7 +109,7 @@ resource "aws_emrserverless_application" "this" {
     }
   }
 
-  release_label = try(coalesce(var.release_label, element(data.aws_emr_release_labels.this[0].release_labels, 0)), "")
+  release_label = try(coalesce(var.release_label, element(data.aws_emr_release_labels.this[0].release_labels, 0)))
 
   dynamic "monitoring_configuration" {
     for_each = var.monitoring_configuration != null ? [var.monitoring_configuration] : []