Terraform Secrets Overhaul #1562
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
4 tasks
staging: ecr✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_role_policy.github_docker_push will be updated in-place
~ resource "aws_iam_role_policy" "github_docker_push" {
id = "github_docker_push:github_docker_push"
name = "github_docker_push"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
# (2 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.api-lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.google-cidr"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.heartbeat"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.notify_admin[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.performance-test[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.pinpoint_to_sqs_sms_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.ses_receiving_emails"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.ses_to_sqs_email_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.sns_to_sqs_sms_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.system_status"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.api_lambda_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.google_cidr_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.heartbeat_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.ses_receiving_emails_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.ses_to_sqs_email_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.sns_to_sqs_sms_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.system_status_repository_url"]
37 tests, 19 passed, 18 warnings, 0 failures, 0 exceptions
|
staging: common✅ Terraform Init: Plan: 4 to add, 22 to change, 4 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_athena_named_query.create_table_alb_logs will be updated in-place
~ resource "aws_athena_named_query" "create_table_alb_logs" {
id = "d68a28f2-6b1d-4d64-a55e-57b0b3365501"
name = "create_table_alb_logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ query = (sensitive value)
# (3 unchanged attributes hidden)
}
# aws_athena_named_query.create_table_all_waf_logs will be updated in-place
~ resource "aws_athena_named_query" "create_table_all_waf_logs" {
id = "a9303f07-6939-49a9-a154-938e24f9e7fb"
name = "WAF: create table waf_logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ query = (sensitive value)
# (3 unchanged attributes hidden)
}
# aws_athena_named_query.create_table_waf_logs will be updated in-place
~ resource "aws_athena_named_query" "create_table_waf_logs" {
id = "6c04e571-2d74-45e3-b542-57e94baac3df"
name = "WAF: create table waf_logs_lb"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ query = (sensitive value)
# (3 unchanged attributes hidden)
}
# aws_athena_named_query.create_table_waf_logs_api_lambda will be updated in-place
~ resource "aws_athena_named_query" "create_table_waf_logs_api_lambda" {
id = "bc24bd8f-8290-4214-95f3-d00c0418d7db"
name = "WAF: create table waf_logs_api_lambda"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ query = (sensitive value)
# (3 unchanged attributes hidden)
}
# aws_cloudwatch_dashboard.emails[0] will be updated in-place
~ resource "aws_cloudwatch_dashboard" "emails" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ dashboard_body = (sensitive value)
id = "Emails"
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_dashboard.sms[0] will be updated in-place
~ resource "aws_cloudwatch_dashboard" "sms" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ dashboard_body = (sensitive value)
id = "SMS"
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.route53_resolver_query_log[0] will be updated in-place
~ resource "aws_cloudwatch_log_group" "route53_resolver_query_log" {
id = "route53/ca-central-1/239043911459/DNS/logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.sns_deliveries[0] will be updated in-place
~ resource "aws_cloudwatch_log_group" "sns_deliveries" {
id = "sns/ca-central-1/239043911459/DirectPublishToPhoneNumber"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.sns_deliveries_failures[0] will be updated in-place
~ resource "aws_cloudwatch_log_group" "sns_deliveries_failures" {
id = "sns/ca-central-1/239043911459/DirectPublishToPhoneNumber/Failure"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.sns_deliveries_failures_us_west_2[0] will be updated in-place
~ resource "aws_cloudwatch_log_group" "sns_deliveries_failures_us_west_2" {
id = "sns/us-west-2/239043911459/DirectPublishToPhoneNumber/Failure"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.sns_deliveries_us_west_2[0] will be updated in-place
~ resource "aws_cloudwatch_log_group" "sns_deliveries_us_west_2" {
id = "sns/us-west-2/239043911459/DirectPublishToPhoneNumber"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-blocked-as-spam[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-blocked-as-spam" {
id = "sns-sms-blocked-as-spam"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-blocked-as-spam"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-blocked-as-spam-us-west-2[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-blocked-as-spam-us-west-2" {
id = "sns-sms-blocked-as-spam-us-west-2"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-blocked-as-spam-us-west-2"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-phone-carrier-unavailable[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-phone-carrier-unavailable" {
id = "sns-sms-phone-carrier-unavailable"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-phone-carrier-unavailable"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-phone-carrier-unavailable-us-west-2[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-phone-carrier-unavailable-us-west-2" {
id = "sns-sms-phone-carrier-unavailable-us-west-2"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-phone-carrier-unavailable-us-west-2"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-rate-exceeded[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-rate-exceeded" {
id = "sns-sms-rate-exceeded"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-rate-exceeded"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.sns-sms-rate-exceeded-us-west-2[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "sns-sms-rate-exceeded-us-west-2" {
id = "sns-sms-rate-exceeded-us-west-2"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "sns-sms-rate-exceeded-us-west-2"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_route53_resolver_query_log_config.dns_query_log_config[0] will be updated in-place
~ resource "aws_route53_resolver_query_log_config" "dns_query_log_config" {
id = "rqlc-f83a5950234b4aa2"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (5 unchanged attributes hidden)
}
# aws_s3_bucket_policy.alb_log_bucket_allow_elb_account will be updated in-place
~ resource "aws_s3_bucket_policy" "alb_log_bucket_allow_elb_account" {
id = "notification-canada-ca-staging-alb-logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
# (1 unchanged attribute hidden)
}
# aws_s3_bucket_policy.sns_sms_usage_report_bucket_policy will be updated in-place
~ resource "aws_s3_bucket_policy" "sns_sms_usage_report_bucket_policy" {
id = "notification-canada-ca-staging-sms-usage-logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
# (1 unchanged attribute hidden)
}
# aws_s3_bucket_policy.sns_sms_usage_report_bucket_us_west_2_policy will be updated in-place
~ resource "aws_s3_bucket_policy" "sns_sms_usage_report_bucket_us_west_2_policy" {
id = "notification-canada-ca-staging-sms-usage-west-2-logs"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
# (1 unchanged attribute hidden)
}
# aws_sns_topic.notification-canada-ca-alert-general will be updated in-place
~ resource "aws_sns_topic" "notification-canada-ca-alert-general" {
id = "arn:aws:sns:ca-central-1:239043911459:alert-general"
name = "alert-general"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (28 unchanged attributes hidden)
}
# module.notify_slack_critical.module.lambda.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
~ id = "4343283993432098235" -> (known after apply)
~ triggers = { # forces replacement
~ "timestamp" = "<WARNING: Missing lambda zip artifacts wouldn't be restored>" -> "1727965231016511000"
# (1 unchanged element hidden)
}
}
# module.notify_slack_general.module.lambda.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
~ id = "8065581048293872297" -> (known after apply)
~ triggers = { # forces replacement
~ "timestamp" = "<WARNING: Missing lambda zip artifacts wouldn't be restored>" -> "1727965221760978000"
# (1 unchanged element hidden)
}
}
# module.notify_slack_ok.module.lambda.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
~ id = "5799159728241661225" -> (known after apply)
~ triggers = { # forces replacement
~ "timestamp" = "<WARNING: Missing lambda zip artifacts wouldn't be restored>" -> "1727965231055924000"
# (1 unchanged element hidden)
}
}
# module.notify_slack_warning.module.lambda.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
~ id = "3493195851672287646" -> (known after apply)
~ triggers = { # forces replacement
~ "timestamp" = "<WARNING: Missing lambda zip artifacts wouldn't be restored>" -> "1727965231021135000"
# (1 unchanged element hidden)
}
}
Plan: 4 to add, 22 to change, 4 to destroy.
Warning: Argument is deprecated
with aws_s3_bucket.csv_bucket,
on s3.tf line 5, in resource "aws_s3_bucket" "csv_bucket":
5: resource "aws_s3_bucket" "csv_bucket" {
Use the aws_s3_bucket_lifecycle_configuration resource instead
(and 65 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.ad_hoc"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.build_tables"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.primary"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.support"]
WARN - plan.json - main - Missing Common Tags: ["aws_budgets_budget.notify_global"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.aws_health[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.route53_resolver_query_log[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.contact-3-500-error-15-minutes-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.document-download-bucket-size-warning[0]"]
WARN - plan.json... |
staging: ses_receiving_emails✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_lambda_permission.ses_receiving_emails will be updated in-place
~ resource "aws_lambda_permission" "ses_receiving_emails" {
id = "terraform-20230206164915770300000001"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ source_account = (sensitive value)
# (9 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Warning: Reference to undefined provider
on lambda.tf line 4, in module "ses_receiving_emails":
4: aws = aws.us-east-1
There is no explicit declaration for local provider name "aws" in
module.ses_receiving_emails, so Terraform is assuming you mean to pass a
configuration for "hashicorp/aws".
If you also control the child module, add a required_providers entry named
"aws" with the source address "hashicorp/aws".
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-ses_receiving_emails-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-ses_receiving_emails-api[0]"]
21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions
|
staging: heartbeat✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# module.heartbeat.aws_lambda_function.this will be updated in-place
~ resource "aws_lambda_function" "this" {
id = "heartbeat"
tags = {
"CostCentre" = "notification-canada-ca-staging"
"Terraform" = "true"
}
# (28 unchanged attributes hidden)
~ environment {
~ variables = {
~ "heartbeat_api_key" = (sensitive value)
# Warning: this attribute value will no longer be marked as sensitive
# after applying this change. The value is unchanged.
~ "heartbeat_base_url" = (sensitive value)
# (1 unchanged element hidden)
}
}
# (3 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.heartbeat_testing[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.heartbeat_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-heartbeat-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-heartbeat-api[0]"]
23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
|
staging: pinpoint_to_sqs_sms_callbacks✅ Terraform Init: Plan: 0 to add, 12 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.pinpoint_logs will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "pinpoint_logs" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:logs:ca-central-1:239043911459:log-group:sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber/Failure:*",
+ "arn:aws:logs:ca-central-1:239043911459:log-group:sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber:*",
]
}
}
# aws_cloudwatch_dashboard.pinpoint[0] will be updated in-place
~ resource "aws_cloudwatch_dashboard" "pinpoint" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ dashboard_body = (sensitive value)
id = "SMS-Pinpoint"
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.pinpoint_deliveries will be updated in-place
~ resource "aws_cloudwatch_log_group" "pinpoint_deliveries" {
id = "sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.pinpoint_deliveries_failures will be updated in-place
~ resource "aws_cloudwatch_log_group" "pinpoint_deliveries_failures" {
id = "sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber/Failure"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ name = (sensitive value)
tags = {
"CostCenter" = "notification-canada-ca-staging"
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_metric_filter.pinpoint-sms-blocked-as-spam[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "pinpoint-sms-blocked-as-spam" {
id = "pinpoint-sms-blocked-as-spam"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint-sms-blocked-as-spam"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.pinpoint-sms-failures[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "pinpoint-sms-failures" {
id = "pinpoint-sms-failures"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint-sms-failures"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.pinpoint-sms-phone-carrier-unavailable[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "pinpoint-sms-phone-carrier-unavailable" {
id = "pinpoint-sms-phone-carrier-unavailable"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint-sms-phone-carrier-unavailable"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.pinpoint-sms-rate-exceeded[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "pinpoint-sms-rate-exceeded" {
id = "pinpoint-sms-rate-exceeded"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint-sms-rate-exceeded"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_metric_filter.pinpoint-sms-successes[0] will be updated in-place
~ resource "aws_cloudwatch_log_metric_filter" "pinpoint-sms-successes" {
id = "pinpoint-sms-successes"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint-sms-successes"
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_ca_central_to_lambda[0] will be updated in-place
~ resource "aws_cloudwatch_log_subscription_filter" "pinpoint_deliveries_ca_central_to_lambda" {
id = "cwlsf-4047392200"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint_deliveries_ca_central"
# (4 unchanged attributes hidden)
}
# aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_failures_ca_central_to_lambda[0] will be updated in-place
~ resource "aws_cloudwatch_log_subscription_filter" "pinpoint_deliveries_failures_ca_central_to_lambda" {
id = "cwlsf-1805960966"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ log_group_name = (sensitive value)
name = "pinpoint_deliveries_failures_ca_central"
# (4 unchanged attributes hidden)
}
# aws_cloudwatch_query_definition.pinpoint-logs[0] will be updated in-place
~ resource "aws_cloudwatch_query_definition" "pinpoint-logs" {
id = "3c055307-3799-4600-8521-98a558a484db"
~ log_group_names = [
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ (sensitive value),
]
name = "SMS / Pinpoint logs"
# (2 unchanged attributes hidden)
}
# aws_iam_policy.pinpoint_logs will be updated in-place
~ resource "aws_iam_policy" "pinpoint_logs" {
id = "arn:aws:iam::239043911459:policy/PinpointLogsPolicy"
name = "PinpointLogsPolicy"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = [
- "logs:PutLogEvents",
- "logs:DescribeLogStreams",
- "logs:CreateLogStream",
]
- Effect = "Allow"
- Resource = [
- "arn:aws:logs:ca-central-1:239043911459:log-group:sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber:*",
- "arn:aws:logs:ca-central-1:239043911459:log-group:sns/ca-central-1/239043911459/PinpointDirectPublishToPhoneNumber/Failure:*",
]
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {}
# (7 unchanged attributes hidden)
}
Plan: 0 to add, 12 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_deliveries"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_deliveries_failures"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_to_sqs_sms_callbacks_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.pinpoint-sms-blocked-as-spam-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.pinpoint-sms-phone-carrier-unavailable-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.pinpoint-sms-rate-exceeded-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.pinpoint-sms-success-rate-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.pinpoint-sms-success-rate-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.total-sms-spending-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.total-sms-spending-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.pinpoint_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.pinpoint_logs"]
35 tests, 19 passed, 16 warnings, 0 failures, 0 exceptions
|
staging: dns✅ Terraform Init: Plan: 0 to add, 5 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_role.dev_dns_manager[0] will be updated in-place
~ resource "aws_iam_role" "dev_dns_manager" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ assume_role_policy = (sensitive value)
id = "dev_dns_manager_role"
name = "dev_dns_manager_role"
tags = {}
# (11 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.production_dns_manager[0] will be updated in-place
~ resource "aws_iam_role" "production_dns_manager" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ assume_role_policy = (sensitive value)
id = "production_dns_manager_role"
name = "production_dns_manager_role"
tags = {}
# (11 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.sandbox_dns_manager[0] will be updated in-place
~ resource "aws_iam_role" "sandbox_dns_manager" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ assume_role_policy = (sensitive value)
id = "sandbox_dns_manager_role"
name = "sandbox_dns_manager_role"
tags = {}
# (11 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.scratch_dns_manager[0] will be updated in-place
~ resource "aws_iam_role" "scratch_dns_manager" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ assume_role_policy = (sensitive value)
id = "scratch_dns_manager_role"
name = "scratch_dns_manager_role"
tags = {}
# (11 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.staging_dns_manager[0] will be updated in-place
~ resource "aws_iam_role" "staging_dns_manager" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ assume_role_policy = (sensitive value)
id = "staging_dns_manager_role"
name = "staging_dns_manager_role"
tags = {}
# (11 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 5 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.internal_dns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.dev_dns_manager[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.production_dns_manager[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.sandbox_dns_manager[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.scratch_dns_manager[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.staging_dns_manager[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.internal_dns"]
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.notification-sandbox[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.internal_dns_cert_base64"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.internal_dns_fqdn"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.internal_dns_key_base64"]
30 tests, 19 passed, 11 warnings, 0 failures, 0 exceptions
|
staging: eks✅ Terraform Init: Plan: 1 to add, 9 to change, 1 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_cloudwatch_dashboard.errors[0] will be updated in-place
~ resource "aws_cloudwatch_dashboard" "errors" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ dashboard_body = (sensitive value)
id = "Errors"
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_dashboard.notify_system[0] will be updated in-place
~ resource "aws_cloudwatch_dashboard" "notify_system" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ dashboard_body = (sensitive value)
id = "Notify-System-Overview"
# (2 unchanged attributes hidden)
}
# aws_iam_policy.parameters_csi will be updated in-place
~ resource "aws_iam_policy" "parameters_csi" {
id = "arn:aws:iam::239043911459:policy/parameters-csi-policy"
name = "parameters-csi-policy"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_iam_policy.secrets_csi will be updated in-place
~ resource "aws_iam_policy" "secrets_csi" {
id = "arn:aws:iam::239043911459:policy/secrets-csi-policy"
name = "secrets-csi-policy"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_kinesis_firehose_delivery_stream.firehose-waf-logs will be updated in-place
~ resource "aws_kinesis_firehose_delivery_stream" "firehose-waf-logs" {
id = "arn:aws:firehose:ca-central-1:239043911459:deliverystream/aws-waf-logs-notification-canada-ca-waf"
name = "aws-waf-logs-notification-canada-ca-waf"
tags = {
"CostCenter" = "notification-canada-ca-staging"
"Terraform" = "true"
}
# (5 unchanged attributes hidden)
~ extended_s3_configuration {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ prefix = (sensitive value)
# (10 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# (1 unchanged block hidden)
}
# aws_secretsmanager_secret_version.pr_bot_private_key must be replaced
-/+ resource "aws_secretsmanager_secret_version" "pr_bot_private_key" {
~ arn = "arn:aws:secretsmanager:ca-central-1:239043911459:secret:PR_BOT_PRIVATE_KEY-EIUsAp" -> (known after apply)
~ id = "arn:aws:secretsmanager:ca-central-1:239043911459:secret:PR_BOT_PRIVATE_KEY-EIUsAp|terraform-20240318133723242600000006" -> (known after apply)
~ secret_string = (sensitive value) # forces replacement
~ version_id = "terraform-20240318133723242600000006" -> (known after apply)
~ version_stages = [
- "AWSCURRENT",
] -> (known after apply)
# (2 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder will be updated in-place
~ resource "aws_lambda_function" "sentinel_forwarder" {
id = "sentinel-cloud-watch-forwarder"
~ layers = [
~ "arn:aws:lambda:ca-central-1:283582579564:layer:aws-sentinel-connector-layer:153" -> "arn:aws:lambda:ca-central-1:283582579564:layer:aws-sentinel-connector-layer:161",
]
tags = {
"CostCentre" = "notification-canada-ca-staging"
}
# (28 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# module.sentinel_forwarder.aws_lambda_permission.sentinel_forwarder_cloudwatch_log_subscription[0] will be updated in-place
~ resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription" {
id = "AllowExecutionFromCloudWatchLogs-sentinel-cloud-watch-forwarder-0"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ source_arn = (sensitive value)
# (6 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_lambda_permission.sentinel_forwarder_cloudwatch_log_subscription[1] will be updated in-place
~ resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription" {
id = "AllowExecutionFromCloudWatchLogs-sentinel-cloud-watch-forwarder-1"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ source_arn = (sensitive value)
# (6 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_lambda_permission.sentinel_forwarder_cloudwatch_log_subscription[2] will be updated in-place
~ resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription" {
id = "AllowExecutionFromCloudWatchLogs-sentinel-cloud-watch-forwarder-2"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ source_arn = (sensitive value)
# (6 unchanged attributes hidden)
}
Plan: 1 to add, 9 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.celery-error[0]"]
WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.scanfiles-timeout[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca-alt[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_acmpca_certificate_authority.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.internal_alb_tls"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.internal_nginx_http"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-admin"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-documentation"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-application-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-cluster-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-prometheus-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-evicted-pods[0]"]
WARN - plan.json - main - Missing Common... |
staging: rds✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_kms_key.rds_snapshot[0] will be updated in-place
~ resource "aws_kms_key" "rds_snapshot" {
id = "95792326-c848-4b7d-b800-9501f876e742"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change.
~ policy = (sensitive value)
tags = {}
# (14 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.logs_exports"]
WARN - plan.json - main - Missing Common Tags: ["aws_db_event_subscription.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_db_event_subscription.notification-canada-ca-cluster"]
WARN - plan.json - main - Missing Common Tags: ["aws_db_subnet_group.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.rds_snapshot[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster_instance.notification-canada-ca-instances[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster_instance.notification-canada-ca-instances[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster_instance.notification-canada-ca-instances[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster_parameter_group.default"]
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster_parameter_group.pgaudit"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.app_db_user"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.database_user"]
WARN - plan.json - main - Missing Common Tags: ["module.rds_proxy.aws_cloudwatch_log_group.this[0]"]
WARN - plan.json - main - Missing Common Tags: ["module.rds_proxy.aws_db_proxy.this[0]"]
WARN - plan.json - main - Missing Common Tags: ["module.rds_proxy.aws_db_proxy_endpoint.this[\"read_only\"]"]
WARN - plan.json - main - Missing Common Tags: ["module.rds_proxy.aws_db_proxy_endpoint.this[\"read_write\"]"]
WARN - plan.json - main - Missing Common Tags: ["module.rds_proxy.aws_iam_role.this[0]"]
37 tests, 19 passed, 18 warnings, 0 failures, 0 exceptions
|
staging: quicksight✅ Terraform Init: Plan: 0 to add, 4 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_cloudformation_stack.sms-usage-notifications will be updated in-place
~ resource "aws_cloudformation_stack" "sms-usage-notifications" {
id = "arn:aws:cloudformation:ca-central-1:239043911459:stack/sms-usage-notifications/fd642d50-f107-11ee-97dd-0eecde249eef"
name = "sms-usage-notifications"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ notification_arns = (sensitive value)
tags = {}
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ template_body = (sensitive value)
# (6 unchanged attributes hidden)
}
# aws_iam_policy.quicksight_vpc_connection_iam will be updated in-place
~ resource "aws_iam_policy" "quicksight_vpc_connection_iam" {
id = "arn:aws:iam::239043911459:policy/quicksight-vpc-connection-iam"
name = "quicksight-vpc-connection-iam"
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ policy = (sensitive value)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_quicksight_account_subscription.subscription will be updated in-place
~ resource "aws_quicksight_account_subscription" "subscription" {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ account_name = (sensitive value)
id = "239043911459"
# (5 unchanged attributes hidden)
}
# aws_s3_object.manifest_file will be updated in-place
~ resource "aws_s3_object" "manifest_file" {
~ etag = "4f558e8d8cdbbf914a95755cbda61968" -> "221f592f333f2fc284626cfdb8c4bc80"
id = "quicksight/s3-manifest-sms-usage.json"
tags = {}
+ version_id = (known after apply)
# (24 unchanged attributes hidden)
}
Plan: 0 to add, 4 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudformation_stack.sms-usage-notifications"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight-rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight-s3-usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight_vpc_connection_ec2"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight_vpc_connection_iam"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.quicksight"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.vpc_connection_role"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.jobs"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.login_events"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.notifications"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.organisation"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.services"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.sms_usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.template-category-history"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.users"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_source.rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_source.s3_sms_usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_vpc_connection.rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.manifest_file"]
39 tests, 19 passed, 20 warnings, 0 failures, 0 exceptions
|
staging: lambda-api✅ Terraform Init: Plan: 1 to add, 4 to change, 1 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
+/- create replacement and then destroy
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.ecr will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "ecr" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "ecr:GetAuthorizationToken",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "GetAuthorizationToken"
}
+ statement {
+ actions = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:ecr:ca-central-1:239043911459:repository/notify/api-lambda",
]
+ sid = "AllowPushPull"
}
+ statement {
+ actions = [
+ "lambda:GetAlias",
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:ListAliases",
+ "lambda:ListVersionsByFunction",
+ "lambda:PublishVersion",
+ "lambda:UpdateAlias",
+ "lambda:UpdateFunctionCode",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:lambda:ca-central-1:239043911459:function:api-lambda",
]
+ sid = "PermissionsToUpdateFunction"
}
+ statement {
+ actions = [
+ "lambda:GetLayerVersion",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:lambda:ca-central-1:451483290750:layer:NewRelicPython*:*",
]
+ sid = "PermissionsToDownloadNewRelicLambdaLayers"
}
}
# aws_api_gateway_deployment.api must be replaced
+/- resource "aws_api_gateway_deployment" "api" {
~ created_date = "2024-07-29T16:20:27Z" -> (known after apply)
~ execution_arn = "arn:aws:execute-api:ca-central-1:239043911459:74i43aysii/" -> (known after apply)
~ id = "po3xiu" -> (known after apply)
~ invoke_url = "https://74i43aysii.execute-api.ca-central-1.amazonaws.com/" -> (known after apply)
~ triggers = { # forces replacement
~ "redeployment" = "304451798044b5fdc34090ab32a96a2473bf6afa" -> "c1c3df7a50ee1a689772094fb67e86de0dd192aa"
}
# (2 unchanged attributes hidden)
}
# aws_api_gateway_stage.api will be updated in-place
~ resource "aws_api_gateway_stage" "api" {
~ deployment_id = "po3xiu" -> (known after apply)
id = "ags-74i43aysii-v1"
tags = {}
# (14 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_policy.ecr will be updated in-place
~ resource "aws_iam_policy" "ecr" {
id = "arn:aws:iam::239043911459:policy/ecr-api-lambda-access"
name = "ecr-api-lambda-access"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = "ecr:GetAuthorizationToken"
- Effect = "Allow"
- Resource = "*"
- Sid = "GetAuthorizationToken"
},
- {
- Action = [
- "ecr:UploadLayerPart",
- "ecr:PutImage",
- "ecr:InitiateLayerUpload",
- "ecr:GetDownloadUrlForLayer",
- "ecr:CompleteLayerUpload",
- "ecr:BatchGetImage",
- "ecr:BatchCheckLayerAvailability",
]
- Effect = "Allow"
- Resource = "arn:aws:ecr:ca-central-1:239043911459:repository/notify/api-lambda"
- Sid = "AllowPushPull"
},
- {
- Action = [
- "lambda:UpdateFunctionCode",
- "lambda:UpdateAlias",
- "lambda:PublishVersion",
- "lambda:ListVersionsByFunction",
- "lambda:ListAliases",
- "lambda:GetFunctionConfiguration",
- "lambda:GetFunction",
- "lambda:GetAlias",
]
- Effect = "Allow"
- Resource = "arn:aws:lambda:ca-central-1:239043911459:function:api-lambda"
- Sid = "PermissionsToUpdateFunction"
},
- {
- Action = "lambda:GetLayerVersion"
- Effect = "Allow"
- Resource = "arn:aws:lambda:ca-central-1:451483290750:layer:NewRelicPython*:*"
- Sid = "PermissionsToDownloadNewRelicLambdaLayers"
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_kinesis_firehose_delivery_stream.firehose-api-lambda-waf-logs will be updated in-place
~ resource "aws_kinesis_firehose_delivery_stream" "firehose-api-lambda-waf-logs" {
id = "arn:aws:firehose:ca-central-1:239043911459:deliverystream/aws-waf-logs-notification-canada-ca-api-lambda-waf"
name = "aws-waf-logs-notification-canada-ca-api-lambda-waf"
tags = {
"CostCenter" = "notification-canada-ca-staging"
"Terraform" = "true"
}
# (5 unchanged attributes hidden)
~ extended_s3_configuration {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ prefix = (sensitive value)
# (10 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# (1 unchanged block hidden)
}
# aws_lambda_function.api will be updated in-place
~ resource "aws_lambda_function" "api" {
id = "api-lambda"
tags = {}
# (28 unchanged attributes hidden)
~ environment {
~ variables = {
# Warning: this attribute value will be marked as sensitive and will not
# display in UI output after applying this change. The value is unchanged.
~ "NEW_RELIC_ACCOUNT_ID" = (sensitive value)
# (18 unchanged elements hidden)
}
}
# (4 unchanged blocks hidden)
}
Plan: 1 to add, 4 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_api_gateway_domain_name.alt_api_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_api_gateway_domain_name.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_api_gateway_domain_name.api_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_api_gateway_rest_api.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_api_gateway_stage.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.api_gateway_log_group"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.api_lambda_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.failed-login-count-5-minute-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-error-1-minute-warning-lambda-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-error-1-minute-warning-salesforce-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-error-5-minutes-critical-lambda-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.ecr"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.api_cloudwatch[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.ecr-user"]
WARN - plan.json - main - Missing Common Tags: ["aws_kinesis_firehose_delivery_stream.firehose-api-lambda-waf-logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.api"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.new-relic-license-key"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_web_acl.api_lambda"]
WARN - plan.json - main - Missing Common Tags:... |
ben851
approved these changes
Oct 3, 2024
This was referenced Oct 3, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary | Résumé
This is a very large PR that encapsulates a seismic shift in how we store and consume variables with our Terraform repository.
Related Issues | Cartes liées
https://app.zenhub.com/workspaces/notify-planning-core-6411dfb7c95fb80014e0cab0/issues/gh/cds-snc/notification-planning-core/410
Before merging this PR
Read code suggestions left by the
cds-ai-codereviewer bot. Address
valid suggestions and shortly write down reasons to not address others. To help
with the classification of the comments, please use these reactions on each of the
comments made by the AI review:
The classifications will be extracted and summarized into an analysis of how helpful
or not the AI code review really is.
Test instructions | Instructions pour tester la modification
Release Instructions | Instructions pour le déploiement
None.
Reviewer checklist | Liste de vérification du réviseur