lacework / terraform-aws-iam-role

Terraform module that creates a cross-account IAM role to integrate Lacework and AWS accounts

bug: Breaking changes in a Patch release #60

Open JPLachance opened 1 week ago

JPLachance commented 1 week ago

Describe the bug

Version 0.4.5 got released 2 hours ago and includes the following change: https://github.com/lacework/terraform-aws-iam-role/commit/90a6326c439f0e6ab409d6277d5a473f83850f65

Since the lacework/iam-role/aws Terraform module is a dependency of multiple other modules, like https://github.com/lacework/terraform-aws-ecr/blob/main/main.tf#L18, and since Lacework did not bump a major version of lacework/iam-role/aws, the lacework/ecr/aws module stopped working.

Steps to reproduce

In a project, enforce the Lacework provider 1.x and try to use the previous version of lacework/ecr/aws; it does not work.

Expected behavior

Please bump a major of the module when the module requires a new major of the Provider 😅

What should have happened

It's too late now, I know, I just wanted to share.

How could the Lacework team improve, though?

I would pin all dependencies, then leverage a tool like Renovate or Dependabot to help me keep dependencies up to date. I would also bump major versions when a breaking change is possible.

bdandoy commented 1 week ago

@PengyuanZhao can you please help get this fixed? It is now breaking our terraform repos.

djcurill commented 1 week ago

Experiencing similar issues. I think the issue is the lacework-iam-role has ~> 2.0 (here) set while the lacework-config is ~> 1.18 (here).

brucex commented 1 week ago

Yes, we are experiencing the same issue too. This should have been a major release if we're requiring the lacework provider to be 2.0.

Can we unpublish the latest version in the terraform registry? @zekisherif

karlpvoss commented 1 week ago

I think this would need to be an unpublish fix if possible, since this not only breaks the current version but also breaks old versions, such as terraform-aws-config v0.14.2, which has a dependency on lacework/iam-role/aws as ~> 0.4, and now has a transitive requirement on provider lacework/lacework 2.0.

If unpublish is not possible please roll out patch releases for all affected previous versions that reverts the transitive dependency by fixing to lacework/iam-role/aws v0.4.4.
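As an added illustration (not code from this thread or from any Lacework module), here is the floating constraint that lets 0.4.5 in, next to the exact pin karlpvoss proposes for the consuming module; the block labels and the provider block are assumptions, the version strings are the ones named in the thread.

```hcl
# Assumed root/consuming module that still requires provider 1.x.
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.18" # pessimistic constraint: >= 1.18, < 2.0
    }
  }
}

# Before: a floating constraint. "~> 0.4" means >= 0.4, < 1.0, so
# Terraform selects 0.4.5, which now requires provider "~> 2.0".
# No provider version satisfies both "~> 1.18" and "~> 2.0", so init fails.
module "lacework_iam_role_floating" {
  source  = "lacework/iam-role/aws"
  version = "~> 0.4"
}

# After: an exact pin to the last release that still accepted provider 1.x.
# Upgrades then happen deliberately (e.g. via a Renovate/Dependabot PR),
# not as a side effect of a patch release upstream.
module "lacework_iam_role_pinned" {
  source  = "lacework/iam-role/aws"
  version = "0.4.4"
}
```

Note that a root module cannot override the version constraint inside a nested module's own module blocks, so when the floating `~> 0.4` lives in a wrapper such as terraform-aws-config, the pin has to be released in that wrapper, which is why the thread asks for patch releases of the affected modules.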

zekisherif commented 1 week ago

I apologize for the trouble caused by recent changes we've released. Our release process had an issue which slowed down the roll out of these changes for all modules, hence why certain modules were still pinned at 1.18 for lacework provider. In retrospect, we should have updated the major version for all terraform modules.

I've just released terraform-aws-config to have lacework ~> 2.0. It's not a major version upgrade (just a continuation of the same release process that got stuck). All the other modules should be updated as of Nov 6th.

Please let me know if this is sufficient to unblock all of you.

zekisherif commented 1 week ago

In addition, if you are pinning lacework to 1.x please move to 2.x in your project. There are no significant breaking changes other than for resource_groups (which was already broken for all previous versions of the lacework provider). If you are not using resource_groups (specifically the original version of resource groups), then it should be a seamless transition.

JPLachance commented 1 week ago

which was already broken for all previous versions of the lacework provider

Yep. I noticed that one too 😅 Removing an API like that without prior notice was also not ideal.

ilyas1uphealth commented 1 week ago

So the resolution is that it's not being unpublished or fixed, and everyone using older versions must fork and patch or upgrade?

karlpvoss commented 1 week ago

I'm lucky to be in an environment where I can just upgrade this.

Anybody working in enterprise is going to have to get this audited, checked, signed off, and then deployed; with their pipelines affected the whole time.

If you're going to have advice like this in your documentation, it should be possible to follow it.

This ensures that you will get minor updates, which include bug fixes and minor changes, while avoiding version upgrades that could result in breaking changes.