terraform-aws-modules · bryantbiggs · Jun 25, 2025 · Dec 4, 2024 · Jun 24, 2025 · Jun 24, 2025
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.99.4
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

diff --git a/README.md b/README.md
diff --git a/docs/UPGRADE-3.0.md b/docs/UPGRADE-3.0.md
@@ -0,0 +1,136 @@
+# Upgrade from v2.x to v3.x
+
+If you have any questions regarding this upgrade process, please consult the `examples` directory:
+
+- [EC2](https://github.com/terraform-aws-modules/terraform-aws-batch/tree/master/examples/ec2)
+- [Fargate](https://github.com/terraform-aws-modules/terraform-aws-batch/tree/master/examples/fargate)
+
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Terraform v1.5.7 is now minimum supported version
+- AWS provider v6.0.0 is now minimum supported version
+- `instance_iam_role_additional_policies`, `service_iam_role_additional_policies`, `spot_fleet_iam_role_additional_policies` types are now `map(string)` instead of `list(string)`
+- IAM assume role policy SIDs have been modified to match their use (previously all were `ECSAssumeRole` which is inaccurate)
+- `compute_environment_order` is now a required argument for `aws_batch_job_queue` per the Batch API and replaces `compute_environments`
+
+## Additional changes
+
+### Added
+
+- Support for `region` parameter to specify the AWS region for the resources created if different from the provider region.
+- Support for `compute_environment_order`, `job_state_time_limit_action`, `timeouts` arguments for job queues
+- All (currently) supported arguments for `eks_properties` argument have been added to the job definition resource
+- Support for `scheduling_priority` and `node_properties` arguments for job definitions
+
+### Modified
+
+- Variable definitions now contain detailed `object` types in place of the previously used any type.
+- `compute_environment_name` argument has been changed to `name` per provider `v6.x` API; no-op for users
+- `compute_environment_name_prefix` argument has been changed to `name_prefix` per provider `v6.x` API; no-op for users
+
+### Removed
+
+- None
+
+### Variable and output changes
+
+1. Removed variables:
+
+   - None
+
+2. Renamed variables:
+
+   - None
+
+3. Added variables:
+
+   - None
+
+4. Removed outputs:
+
+   - None
+
+5. Renamed outputs:
+
+   - None
+
+6. Added outputs:
+
+   - None
+
+## Upgrade State Migrations
+
+### Before 2.x Example
+
+```hcl
+module "batch" {
+  source  = "terraform-aws-modules/batch/aws"
+  version = "2.1.0"
+
+  # Truncated for brevity, only relevant module API changes are shown ...
+
+  instance_iam_role_additional_policies = [
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  ]
+
+  compute_environments = {
+    a_ec2 = {
+      ... # Other properties for a_ec2 compute environment
+    }
+
+    b_ec2_spot = {
+      ... # Other properties for b_ec2_spot compute environment
+    }
+  }
+
+  tags = local.tags
+}
+```
+
+### After 3.x Example
+
+```hcl
+module "batch" {
+  source  = "terraform-aws-modules/batch/aws"
+  version = "3.0.0"
+
+  # Truncated for brevity, only relevant module API changes are shown ...
+
+  instance_iam_role_additional_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+
+  compute_environments = {
+    a_ec2 = {
+      ... # Other properties for a_ec2 compute environment
+    }
+
+    b_ec2_spot = {
+      ... # Other properties for b_ec2_spot compute environment
+    }
+  }
+  # Now required
+  compute_environment_order = {
+    0 = {
+      compute_environment_key = "a_ec2"
+    }
+    1 = {
+      compute_environment_key = "b_ec2_spot"
+    }
+  }
+
+  tags = local.tags
+}
+```
+
+To migrate from the `v2.x` version to `v3.x` version example shown above, the following state move commands can be performed to maintain the current resources without modification:
+
+```bash
+# For each additional policy in instance_iam_role_additional_policies, simply move the prior value to the new key you have defined in your configuration
+# This can be done similarly for aws_iam_role_policy_attachment.service and aws_iam_role_policy_attachment.spot_fleet
+terraform state mv \
+  'module.batch.aws_iam_role_policy_attachment.instance["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]' \
+  'module.batch.aws_iam_role_policy_attachment.instance["AmazonSSMManagedInstanceCore"]'
+```
diff --git a/examples/ec2/README.md b/examples/ec2/README.md
@@ -24,31 +24,30 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_batch"></a> [batch](#module\_batch) | ../.. | n/a |
 | <a name="module_batch_disabled"></a> [batch\_disabled](#module\_batch\_disabled) | ../.. | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 |
-| <a name="module_vpc_endpoint_security_group"></a> [vpc\_endpoint\_security\_group](#module\_vpc\_endpoint\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 4.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 6.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 
 ## Inputs
 

diff --git a/examples/ec2/main.tf b/examples/ec2/main.tf
@@ -2,9 +2,14 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_availability_zones" "available" {}
+
 locals {
   region = "us-east-1"
-  name   = "batch-ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "batch-ex-${basename(path.cwd)}"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
   tags = {
     Name       = local.name
@@ -13,8 +18,6 @@ locals {
   }
 }
 
-data "aws_region" "current" {}
-
 ################################################################################
 # Batch Module
 ################################################################################
@@ -31,9 +34,9 @@ module "batch" {
   instance_iam_role_name        = "${local.name}-ecs-instance"
   instance_iam_role_path        = "/batch/"
   instance_iam_role_description = "IAM instance role/profile for AWS Batch ECS instance(s)"
-  instance_iam_role_additional_policies = [
-    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
-  ]
+  instance_iam_role_additional_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
   instance_iam_role_tags = {
     ModuleCreatedRole = "Yes"
   }
@@ -64,7 +67,7 @@ module "batch" {
         desired_vcpus  = 4
         instance_types = ["m5.large", "r5.large"]
 
-        security_group_ids = [module.vpc_endpoint_security_group.security_group_id]
+        security_group_ids = [module.vpc_endpoints.security_group_id]
         subnets            = module.vpc.private_subnets
 
         # Note - any tag changes here will force compute environment replacement
@@ -91,7 +94,7 @@ module "batch" {
         desired_vcpus  = 4
         instance_types = ["m4.large", "m3.large", "r4.large", "r3.large"]
 
-        security_group_ids = [module.vpc_endpoint_security_group.security_group_id]
+        security_group_ids = [module.vpc_endpoints.security_group_id]
         subnets            = module.vpc.private_subnets
 
         # Note - any tag changes here will force compute environment replacement
@@ -118,7 +121,14 @@ module "batch" {
       state    = "ENABLED"
       priority = 1
 
-      compute_environments = ["b_ec2_spot"]
+      compute_environment_order = {
+        0 = {
+          compute_environment_key = "b_ec2_spot"
+        }
+        1 = {
+          compute_environment_key = "a_ec2"
+        }
+      }
 
       tags = {
         JobQueue = "Low priority job queue"
@@ -130,6 +140,12 @@ module "batch" {
       state    = "ENABLED"
       priority = 99
 
+      compute_environment_order = {
+        0 = {
+          compute_environment_key = "a_ec2"
+        }
+      }
+
       fair_share_policy = {
         compute_reservation = 1
         share_decay_seconds = 3600
@@ -201,88 +217,60 @@ module "batch" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 4.0"
+  version = "~> 6.0"
 
   name = local.name
-  cidr = "10.99.0.0/18"
+  cidr = local.vpc_cidr
 
-  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets  = ["10.99.0.0/24", "10.99.1.0/24", "10.99.2.0/24"]
-  private_subnets = ["10.99.3.0/24", "10.99.4.0/24", "10.99.5.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
 
   enable_nat_gateway = true
   single_nat_gateway = true
 
-  public_route_table_tags  = { Name = "${local.name}-public" }
-  public_subnet_tags       = { Name = "${local.name}-public" }
-  private_route_table_tags = { Name = "${local.name}-private" }
-  private_subnet_tags      = { Name = "${local.name}-private" }
-
-  enable_dhcp_options      = true
-  enable_dns_hostnames     = true
-  dhcp_options_domain_name = data.aws_region.current.name == "us-east-1" ? "ec2.internal" : "${data.aws_region.current.name}.compute.internal"
-
   tags = local.tags
 }
 
 module "vpc_endpoints" {
   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "~> 4.0"
-
-  vpc_id             = module.vpc.vpc_id
-  security_group_ids = [module.vpc_endpoint_security_group.security_group_id]
-
-  endpoints = {
-    ecr_api = {
-      service             = "ecr.api"
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-    }
-    ecr_dkr = {
-      service             = "ecr.dkr"
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-    }
-    ecs = {
-      service             = "ecs"
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-    }
-    ssm = {
-      service             = "ssm"
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-    }
-    s3 = {
-      service         = "s3"
-      service_type    = "Gateway"
-      route_table_ids = module.vpc.private_route_table_ids
+  version = "~> 6.0"
+
+  vpc_id = module.vpc.vpc_id
+
+  # Security group
+  create_security_group      = true
+  security_group_name_prefix = "${local.name}-vpc-endpoints-"
+  security_group_description = "VPC endpoint security group"
+  security_group_rules = {
+    ingress_https = {
+      description = "HTTPS from VPC"
+      cidr_blocks = [module.vpc.vpc_cidr_block]
     }
   }
 
-  tags = local.tags
-}
-
-module "vpc_endpoint_security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
-
-  name        = "${local.name}-vpc-endpoint"
-  description = "Security group for VPC endpoints"
-  vpc_id      = module.vpc.vpc_id
-
-  ingress_with_self = [
+  endpoints = merge(
     {
-      from_port   = 443
-      to_port     = 443
-      protocol    = "tcp"
-      description = "Container to VPC endpoint service"
-      self        = true
+      s3 = {
+        service         = "s3"
+        service_type    = "Gateway"
+        route_table_ids = module.vpc.private_route_table_ids
+        tags = {
+          Name = "${local.name}-s3"
+        }
+      }
     },
-  ]
-
-  egress_cidr_blocks = ["0.0.0.0/0"]
-  egress_rules       = ["https-443-tcp"]
+    {
+      for service in toset(["ecr.api", "ecr.dkr", "ecs", "ssm"]) :
+      replace(service, ".", "_") =>
+      {
+        service             = service
+        subnet_ids          = module.vpc.private_subnets
+        private_dns_enabled = true
+        tags                = { Name = "${local.name}-${service}" }
+      }
+    }
+  )
 
   tags = local.tags
 }