Update Terraform terraform-aws-modules/vpc/aws to v6 #232

Closed
renovate[bot] wants to merge 1 commit into main from renovate/terraform-aws-modules-vpc-aws-6.x

@renovate renovate bot commented Jun 19, 2025

This PR contains the following updates:

Package | Type | Update | Change
terraform-aws-modules/vpc/aws (source) | module | major | 4.0.2 -> 6.5.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

terraform-aws-modules/terraform-aws-vpc (terraform-aws-modules/vpc/aws)

v6.5.1

Compare Source

Bug Fixes
  • Correction with IAM role policy associated with modules/flow-log (#​1264) (de13700)

v6.5.0

Compare Source

Features
  • Add support for bgp_asn_extended argument to the customer_gateways variable (#​1249) (ef564c9)

v6.4.1

Compare Source

Bug Fixes

v6.4.0

Compare Source

Features

v6.3.0

Compare Source

Features

v6.2.0

Compare Source

Features
  • Add support for IAM role path to VPC flow log IAM role (#​1232) (6594a41)

v6.1.0

Compare Source

Features

v6.0.1

Compare Source

Bug Fixes

v6.0.0

Compare Source

⚠ BREAKING CHANGES
  • Bump AWS provider requirement to v6 (#​1205)
Features

v5.21.0

Compare Source

Features
  • Add support for subnet_configuration on VPC endpoints (#​1164) (507193e)

v5.20.0

Compare Source

Features
  • Allow setting custom tags on aws_vpc_block_public_access_exclusion resource (#​1170) (0d11295)

v5.19.0

Compare Source

Features
  • Enhancing VPC Security with Amazon VPC Block Public Access (#​1159) (387f5ee)

v5.18.1

Compare Source

Bug Fixes
  • Fixed service_region argument in the VPC endpoint module (#​1162) (5415dee)

v5.18.0

Compare Source

Features

v5.17.0

Compare Source

Features

v5.16.0

Compare Source

Features
  • Added additional conditions into Flow Log IAM Role Assumption Policy (#​1138) (7744d3f)

v5.15.0

Compare Source

Features
  • Add option to create/delete NAT Gateway route for private route tables (#​1127) (f02a1af)

v5.14.0

Compare Source

Features
  • Add outputs for the full list of subnets created and their attributes (#​1116) (e212245)
Bug Fixes

v5.13.0

Compare Source

Features

v5.12.1

Compare Source

Bug Fixes
  • Update flow log ARNs to use partition from aws_partition data source (#​1112) (72cde38)

v5.12.0

Compare Source

Features

v5.11.0

Compare Source

Features
  • Add route to 0.0.0.0/0 & ::/0 (when IPv6 is enabled) on all public route tables (#​1100) (b3e7803)

v5.10.0

Compare Source

Features
  • Added ipv6_address_preferred_lease_time parameter to aws_vpc_dhcp_options resource (#​1105) (3adb594)

v5.9.0

Compare Source

Features
  • Allow custom VPC Flow Log IAM Role name and IAM Policy name (#​1089) (f8cd168)

v5.8.1

Compare Source

Bug Fixes
  • Do not replace NAT gateways when additional subnets are added (#​1055) (cf18c37)

v5.8.0

Compare Source

Features
  • Add support for multiple route tables to public and intra subnets (#​1051) (da05f24)

v5.7.2

Compare Source

Bug Fixes
  • Create private_ipv6_egress routes only when having at least one private subnet (#​1062) (8701204)

v5.7.1

Compare Source

Bug Fixes
  • Create the same number of IPv6 egress only gateway routes as the number of NAT gateways that are enabled/created (#​1059) (77df552)

v5.7.0

Compare Source

Features
  • Allow setting vpc endpoints as an input for each endpoint (#​1056) (9163310)

v5.6.0

Compare Source

Features

v5.5.3

Compare Source

Bug Fixes
  • Update CI workflow versions to remove deprecated runtime warnings (#​1052) (3b5b7f1)
5.5.2 (2024-02-09)
Bug Fixes
5.5.1 (2024-01-13)
Bug Fixes
  • Correct VPC endpoint private DNS resolver for_each key (#​1029) (a837be1)

v5.5.2

Compare Source

v5.5.1

Compare Source

v5.5.0

Compare Source

Features

v5.4.0

Compare Source

Features

v5.3.0

Compare Source

Features

v5.2.0

Compare Source

Features
  • Add skip_destroy to vpc flow log cloudwatch log group (#​1009) (abe2c0f)
5.1.2 (2023-09-07)
Bug Fixes
  • The number of intra subnets should not influence the number of NAT gateways provisioned (#​968) (1e36f9f)
5.1.1 (2023-07-25)
Bug Fixes

v5.1.2

Compare Source

v5.1.1

Compare Source

v5.1.0

Compare Source

Features
  • Add support for creating a security group for VPC endpoint(s) (#​962) (802d5f1)

v5.0.0

Compare Source

⚠ BREAKING CHANGES
  • Bump Terraform AWS Provider version to 5.0 (#​941)
Features
4.0.2 (2023-05-15)
Bug Fixes
4.0.1 (2023-04-07)
Bug Fixes
  • Add missing private subnets to max subnet length local (#​920) (6f51f34)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch from e679b7c to 422ccf2 Compare June 20, 2025 20:03
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch from 422ccf2 to 566c6b8 Compare September 8, 2025 12:31
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch 3 times, most recently from f70ce5e to 9968d64 Compare September 29, 2025 14:44
@renovate renovate bot changed the title Update Terraform terraform-aws-modules/vpc/aws to v6 chore(deps): update terraform terraform-aws-modules/vpc/aws to v6 Oct 18, 2025
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch 3 times, most recently from a5d9473 to 84a4f43 Compare October 26, 2025 09:10
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch from 84a4f43 to ffe76a9 Compare November 3, 2025 12:19
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch from ffe76a9 to 5e8a5f9 Compare November 17, 2025 18:06
@renovate renovate bot force-pushed the renovate/terraform-aws-modules-vpc-aws-6.x branch from 5e8a5f9 to 6e1d07f Compare December 27, 2025 03:06
@renovate renovate bot changed the title chore(deps): update terraform terraform-aws-modules/vpc/aws to v6 Update Terraform terraform-aws-modules/vpc/aws to v6 Dec 27, 2025
claude bot commented Dec 27, 2025

Pull Request Review: VPC Module Major Version Update (v4.0.2 → v6.5.1)

Summary

This PR upgrades the terraform-aws-modules/vpc/aws module from version 4.0.2 to 6.5.1, jumping two major versions (4 → 5 → 6). This is a high-risk change that requires careful testing before merging.


Critical Concerns

1. Breaking Changes - Major Version Jumps ⚠️

This update spans two major version upgrades (v4 → v5 → v6):

  • v4 → v5: Requires AWS Provider v5.0+
  • v5 → v6: Requires AWS Provider v6.0+

Current Setup:

  • Your AWS provider version: 5.100.0 (dreamkast_infra/prod/terraform.tf:5)
  • INCOMPATIBLE with VPC module v6.x which requires AWS Provider v6.0+

Action Required: You must upgrade your AWS provider to v6.x before merging this PR, or downgrade the VPC module to v5.x instead of v6.x.

2. Missing Migration Testing 🔴

Major version upgrades typically include:

  • Resource recreations
  • State migrations
  • Potential breaking changes in outputs/variables

Recommendation:

  • Review the official upgrade guides (UPGRADE-5.0.md and UPGRADE-6.0.md in the module repo)
  • Run terraform plan in a staging environment first
  • Check for any resource replacements that could cause downtime

Code Quality Analysis

Positive Aspects ✅

  1. Automated Dependency Management: Using Renovate bot for updates
  2. Module Outputs Usage: The module outputs being used appear to be stable across versions:
    • vpc_id, public_subnets, private_subnets, intra_subnets, private_route_table_ids, private_subnets_cidr_blocks, public_subnets_cidr_blocks

Potential Issues

1. Subnet Tag Swap (Existing Issue) ⚠️
Found in dreamkast_infra/prod/vpc.tf:29-39 - The "kind" tags appear to be swapped between public and private subnets. While not introduced by this PR, it's worth noting.

2. AWS Provider Version Constraint 🔴
dreamkast_infra/prod/terraform.tf:5 specifies a pinned version 5.100.0. The VPC module v6.x requires AWS Provider v6.0+, creating an incompatibility.


Security Considerations

No Direct Security Issues

The version upgrade itself doesn't introduce obvious security vulnerabilities. However:

  1. Flow Log Improvements: v6.x includes enhanced VPC flow log IAM role policies
  2. VPC Block Public Access: v5.19.0+ added support for Amazon VPC Block Public Access feature
  3. IAM Role Path Support: v6.2.0 added support for IAM role paths in VPC flow logs

Note: Your current configuration has enable_nat_gateway = false and doesn't appear to use VPC flow logs, so many of these enhancements won't apply.


Performance Considerations

No significant performance impact expected. The module changes are primarily bug fixes, new optional features, and AWS provider compatibility updates.


Test Coverage

Missing:

  • No visible test files for this infrastructure
  • No staging/dev environment validation visible in this PR

Recommendation:

  1. Test in a non-production environment first
  2. Run terraform init -upgrade and terraform plan to review resource changes
  3. Ensure all 20+ resources referencing module.vpc.* still work correctly (ALB, ECS, RDS, Redis, etc.)

Action Items Before Merging

  1. CRITICAL: Update AWS Provider to v6.x in dreamkast_infra/prod/terraform.tf
  2. REQUIRED: Run terraform plan and review for any resources marked for replacement
  3. RECOMMENDED: Review upgrade guides and changelog for breaking changes
  4. RECOMMENDED: Test in staging environment if available
  5. OPTIONAL: Fix the subnet tag swap issue (pre-existing)

Recommendation

DO NOT MERGE until AWS Provider is upgraded to v6.x. The current configuration is incompatible.

Suggested Approach:

  1. Either update AWS provider to v6.x in the same PR, OR
  2. Modify this PR to use VPC module v5.x instead (e.g., v5.21.0)
  3. Run full validation in staging
  4. Then proceed with merge

Review completed by Claude Code 🤖
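
The provider mismatch flagged in the review above can be checked mechanically before a major-version dependency PR is merged. The following is an added example, not code from this repository, Renovate or the module; the version strings are constructed from the figures quoted in the review, and `satisfies` and `blocked_upgrades` are hypothetical helpers that cover only the common Terraform-style constraint operators.

```python
import re

# Constructed inputs based on the figures quoted in the review above; nothing here
# is read from the repository or from the module's own version file.
PINNED_AWS_PROVIDER = "5.100.0"
MODULE_REQUIRES_AWS = {"vpc 5.x": ">= 5.0", "vpc 6.x": ">= 6.0"}

CLAUSE = re.compile(r"\s*(>=|<=|!=|~>|=|>|<)?\s*(\d+(?:\.\d+)*)\s*")


def parse(text, width=3):
    """'6.0' -> (6, 0, 0). Pre-release suffixes are out of scope for this sketch."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))


def satisfies(version, constraint):
    """True if `version` meets every comma-separated clause of `constraint`."""
    have = parse(version)
    for clause in constraint.split(","):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, raw = m.group(1) or "=", m.group(2)
        want, given = parse(raw), raw.count(".") + 1
        if op == "~>":
            # Pessimistic operator: only the rightmost stated component may grow.
            if given < 2:
                raise ValueError("'~>' with a single component is not handled here")
            ok = have >= want and have[: given - 1] == want[: given - 1]
        else:
            ok = {"=": have == want, "!=": have != want, ">": have > want,
                  ">=": have >= want, "<": have < want, "<=": have <= want}[op]
        if not ok:
            return False
    return True


def blocked_upgrades(pinned, requirements):
    """Names of module lines whose provider requirement the pinned version fails."""
    return sorted(n for n, c in requirements.items() if not satisfies(pinned, c))


if __name__ == "__main__":
    print(blocked_upgrades(PINNED_AWS_PROVIDER, MODULE_REQUIRES_AWS))
```

Versions are compared as integer tuples, so 5.100.0 sorts above 5.99.0, which a plain string comparison would get wrong.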

@jacopen jacopen closed this Dec 31, 2025
renovate bot commented Dec 31, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 6.x releases. But if you manually upgrade to 6.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/terraform-aws-modules-vpc-aws-6.x branch December 31, 2025 06:56