

Streamline secrets #29

Closed coyotespike closed 1 year ago

github-actions[bot] commented 1 year ago

Terraform plan in `.` (repository root)

With variables

TF_VAR_AWS_ACCESS_KEY_ID     = (sensitive value)
TF_VAR_AWS_SECRET_ACCESS_KEY = (sensitive value)
TF_VAR_VERCEL_API_TOKEN      = ""

Plan: 14 to add, 7 to change, 20 to destroy. ```hcl Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place - destroy -/+ destroy and then create replacement Terraform will perform the following actions: # module.kms.aws_secretsmanager_secret.AWS_ACCESS_KEY_ID will be destroyed # (because aws_secretsmanager_secret.AWS_ACCESS_KEY_ID is not in configuration) - resource "aws_secretsmanager_secret" "AWS_ACCESS_KEY_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_ACCESS_KEY_ID-qxfKXG" -> null - description = "Gives eaas permission to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_ACCESS_KEY_ID-qxfKXG" -> null - name = "AWS_ACCESS_KEY_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.AWS_SECRET_ACCESS_KEY will be destroyed # (because aws_secretsmanager_secret.AWS_SECRET_ACCESS_KEY is not in configuration) - resource "aws_secretsmanager_secret" "AWS_SECRET_ACCESS_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_SECRET_ACCESS_KEY-HP0om1" -> null - description = "Gives eaas permission to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_SECRET_ACCESS_KEY-HP0om1" -> null - name = "AWS_SECRET_ACCESS_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.DATABASE_URL will be destroyed # (because aws_secretsmanager_secret.DATABASE_URL is not in configuration) - resource "aws_secretsmanager_secret" "DATABASE_URL" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:DATABASE_URL-Je5EWK" -> 
null - description = "Allows eaas to access Supabase postgres" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:DATABASE_URL-Je5EWK" -> null - name = "DATABASE_URL" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GITHUB_ID will be destroyed # (because aws_secretsmanager_secret.GITHUB_ID is not in configuration) - resource "aws_secretsmanager_secret" "GITHUB_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_ID-gbx940" -> null - description = "Enables Vercel to use GitHub as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_ID-gbx940" -> null - name = "GITHUB_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GITHUB_SECRET will be destroyed # (because aws_secretsmanager_secret.GITHUB_SECRET is not in configuration) - resource "aws_secretsmanager_secret" "GITHUB_SECRET" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_SECRET-RnHiuE" -> null - description = "Enables Vercel to use GitHub as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_SECRET-RnHiuE" -> null - name = "GITHUB_SECRET" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GOOGLE_CLIENT_ID will be destroyed # (because aws_secretsmanager_secret.GOOGLE_CLIENT_ID is not in configuration) - resource "aws_secretsmanager_secret" "GOOGLE_CLIENT_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_ID-uf9KkN" -> null - description = "Enables 
Vercel to use Google as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_ID-uf9KkN" -> null - name = "GOOGLE_CLIENT_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GOOGLE_CLIENT_SECRET will be destroyed # (because aws_secretsmanager_secret.GOOGLE_CLIENT_SECRET is not in configuration) - resource "aws_secretsmanager_secret" "GOOGLE_CLIENT_SECRET" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_SECRET-OwUY9b" -> null - description = "Enables Vercel to use Google as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_SECRET-OwUY9b" -> null - name = "GOOGLE_CLIENT_SECRET" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.S3_BUCKET_NAME will be destroyed # (because aws_secretsmanager_secret.S3_BUCKET_NAME is not in configuration) - resource "aws_secretsmanager_secret" "S3_BUCKET_NAME" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:S3_BUCKET_NAME-uf9KkN" -> null - description = "Tells eaas where to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:S3_BUCKET_NAME-uf9KkN" -> null - name = "S3_BUCKET_NAME" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.SHADOW_DATABASE_URL will be destroyed # (because aws_secretsmanager_secret.SHADOW_DATABASE_URL is not in configuration) - resource "aws_secretsmanager_secret" "SHADOW_DATABASE_URL" { - arn = 
"arn:aws:secretsmanager:us-west-1:207932680283:secret:SHADOW_DATABASE_URL-4uokNR" -> null - description = "Allows eaas to access Prisma postgres shadow on Supabase" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SHADOW_DATABASE_URL-4uokNR" -> null - name = "SHADOW_DATABASE_URL" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.SUPER_GITHUB_TOKEN will be destroyed # (because aws_secretsmanager_secret.SUPER_GITHUB_TOKEN is not in configuration) - resource "aws_secretsmanager_secret" "SUPER_GITHUB_TOKEN" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SUPER_GITHUB_TOKEN-EUY2Ro" -> null - description = "A second token necessary for Github Actions terraform plan and apply in Terraform repo" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SUPER_GITHUB_TOKEN-EUY2Ro" -> null - name = "SUPER_GITHUB_TOKEN" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.TF_VAR_AWS_ACCESS_KEY_ID will be destroyed # (because aws_secretsmanager_secret.TF_VAR_AWS_ACCESS_KEY_ID is not in configuration) - resource "aws_secretsmanager_secret" "TF_VAR_AWS_ACCESS_KEY_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_ACCESS_KEY_ID-ueqKQd" -> null - description = "Allows Terraform to manage S3. 
Created in roles/s3_iam" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_ACCESS_KEY_ID-ueqKQd" -> null - name = "TF_VAR_AWS_ACCESS_KEY_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.TF_VAR_AWS_SECRET_ACCESS_KEY will be destroyed # (because aws_secretsmanager_secret.TF_VAR_AWS_SECRET_ACCESS_KEY is not in configuration) - resource "aws_secretsmanager_secret" "TF_VAR_AWS_SECRET_ACCESS_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_SECRET_ACCESS_KEY-3xniRI" -> null - description = "Allows Terraform to manage S3. Created in roles/s3_iam" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_SECRET_ACCESS_KEY-3xniRI" -> null - name = "TF_VAR_AWS_SECRET_ACCESS_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.VERCEL_API_KEY will be destroyed # (because aws_secretsmanager_secret.VERCEL_API_KEY is not in configuration) - resource "aws_secretsmanager_secret" "VERCEL_API_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:VERCEL_API_KEY-SkFmrM" -> null - description = "Allows Terraform to manage Vercel projects" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:VERCEL_API_KEY-SkFmrM" -> null - name = "VERCEL_API_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.members.github_membership.membership_for_aj will be created + resource "github_membership" "membership_for_aj" { + etag = (known after apply) + id = (known after apply) + role = "member" + username = 
"antoniojcaporicci" } # module.repos.github_actions_secret.DATABASE_URL will be created + resource "github_actions_secret" "DATABASE_URL" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "eaas" + secret_name = "DATABASE_URL" + updated_at = (known after apply) } # module.repos.github_actions_secret.SHADOW_DATABASE_URL will be created + resource "github_actions_secret" "SHADOW_DATABASE_URL" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "eaas" + secret_name = "SHADOW_DATABASE_URL" + updated_at = (known after apply) } # module.repos.github_actions_secret.secrets_manager_id will be destroyed # (because github_actions_secret.secrets_manager_id is not in configuration) - resource "github_actions_secret" "secrets_manager_id" { - created_at = "2023-04-02 20:57:07 +0000 UTC" -> null - id = "terraform:AWS_MANAGER_ID" -> null - repository = "terraform" -> null - secret_name = "AWS_MANAGER_ID" -> null - updated_at = "2023-04-02 22:03:56 +0000 UTC" -> null } # module.repos.github_actions_secret.secrets_manager_key will be destroyed # (because github_actions_secret.secrets_manager_key is not in configuration) - resource "github_actions_secret" "secrets_manager_key" { - created_at = "2023-04-02 20:57:04 +0000 UTC" -> null - id = "terraform:AWS_MANAGER_KEY" -> null - repository = "terraform" -> null - secret_name = "AWS_MANAGER_KEY" -> null - updated_at = "2023-04-02 22:03:57 +0000 UTC" -> null } # module.repos.github_actions_secret.super_github_token must be replaced -/+ resource "github_actions_secret" "super_github_token" { ~ created_at = "2023-04-02 21:12:34 +0000 UTC" -> (known after apply) ~ id = "****************************" -> (known after apply) + plaintext_value = (sensitive value) # forces replacement ~ updated_at = "2023-04-02 22:03:55 +0000 UTC" -> (known after apply) # (2 unchanged attributes hidden) } # 
module.repos.github_actions_secret.tf_var_aws_access_key_id will be created + resource "github_actions_secret" "tf_var_aws_access_key_id" { + created_at = (known after apply) + id = (known after apply) + repository = "terraform" + secret_name = "TF_VAR_AWS_ACCESS_KEY_ID" + updated_at = (known after apply) } # module.repos.github_actions_secret.tf_var_aws_secret_access_key will be created + resource "github_actions_secret" "tf_var_aws_secret_access_key" { + created_at = (known after apply) + id = (known after apply) + repository = "terraform" + secret_name = "TF_VAR_AWS_SECRET_ACCESS_KEY" + updated_at = (known after apply) } # module.repos.github_actions_secret.vercel_api_token will be created + resource "github_actions_secret" "vercel_api_token" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "terraform" + secret_name = "VERCEL_API_TOKEN" + updated_at = (known after apply) } # module.repos.github_branch_protection.eaas will be updated in-place ~ resource "github_branch_protection" "eaas" { id = "BPR_kwDOI7EyTc4CIwZR" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } } # module.repos.github_branch_protection.embeddings_api will be updated in-place ~ resource "github_branch_protection" "embeddings_api" { id = "BPR_kwDOI-ZWE84CIwg4" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } } # module.repos.github_branch_protection.fast-api-ocean will be updated in-place ~ resource "github_branch_protection" "fast-api-ocean" { id = "BPR_kwDOI96H_s4CIwg3" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged 
attributes hidden) } } # module.repos.github_branch_protection.terraform will be updated in-place ~ resource "github_branch_protection" "terraform" { id = "BPR_kwDOJOQLq84CJzKa" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } ~ required_status_checks { ~ contexts = [ + "GitGuardian Security Checks", # (3 unchanged elements hidden) ] # (1 unchanged attribute hidden) } } # module.repos.github_repository.terraform will be updated in-place ~ resource "github_repository" "terraform" { ~ has_wiki = false -> true id = "terraform" name = "terraform" # (34 unchanged attributes hidden) # (1 unchanged block hidden) } # module.roles.aws_iam_policy.secrets_manager_policy will be destroyed # (because aws_iam_policy.secrets_manager_policy is not in configuration) - resource "aws_iam_policy" "secrets_manager_policy" { - arn = "arn:aws:iam::207932680283:policy/secrets_manager_policy_20230402220348861700000001" -> null - id = "arn:aws:iam::207932680283:policy/secrets_manager_policy_20230402220348861700000001" -> null - name = "secrets_manager_policy_20230402220348861700000001" -> null - name_prefix = "secrets_manager_policy_" -> null - path = "/" -> null - policy = jsonencode( { - Statement = [ - { - Action = [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - "secretsmanager:ListSecrets", - "secretsmanager:CreateSecret", - "secretsmanager:UpdateSecret", - "secretsmanager:DeleteSecret", - "secretsmanager:TagResource", - "secretsmanager:UntagResource", ] - Effect = "Allow" - Resource = "*" }, ] - Version = "2012-10-17" } ) -> null - policy_id = "ANPATA2OA5BN5ZUKDQQIE" -> null - tags = {} -> null - tags_all = {} -> null } # module.roles.aws_iam_role.secrets_manager_role will be destroyed # (because aws_iam_role.secrets_manager_role is not in configuration) - resource "aws_iam_role" "secrets_manager_role" { - arn = 
"arn:aws:iam::207932680283:role/secrets_manager_role" -> null - assume_role_policy = jsonencode( { - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::207932680283:user/gh_runner" } }, ] - Version = "2012-10-17" } ) -> null - create_date = "2023-04-02T22:03:49Z" -> null - force_detach_policies = false -> null - id = "secrets_manager_role" -> null - managed_policy_arns = [] -> null - max_session_duration = 3600 -> null - name = "secrets_manager_role" -> null - path = "/" -> null - tags = {} -> null - tags_all = {} -> null - unique_id = "AROATA2OA5BNQA6O66JZN" -> null } # module.roles.aws_iam_user.gh_runner will be updated in-place ~ resource "aws_iam_user" "gh_runner" { id = "gh_runner" name = "gh_runner" ~ tags = { - "AKIATA2OA5BNZB3F3CKT" = "S3 access" -> null } ~ tags_all = { - "AKIATA2OA5BNZB3F3CKT" = "S3 access" } -> (known after apply) # (4 unchanged attributes hidden) } # module.vercel.vercel_project_environment_variable.AWS_ACCESS_KEY_ID will be created + resource "vercel_project_environment_variable" "AWS_ACCESS_KEY_ID" { + id = (known after apply) + key = "AWS_ACCESS_KEY_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.AWS_SECRET_ACCESS_KEY will be created + resource "vercel_project_environment_variable" "AWS_SECRET_ACCESS_KEY" { + id = (known after apply) + key = "AWS_SECRET_ACCESS_KEY" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GITHUB_ID will be created + resource "vercel_project_environment_variable" "GITHUB_ID" { + id = (known after apply) + key = "GITHUB_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # 
module.vercel.vercel_project_environment_variable.GITHUB_SECRET will be created + resource "vercel_project_environment_variable" "GITHUB_SECRET" { + id = (known after apply) + key = "GITHUB_SECRET" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GOOGLE_CLIENT_ID will be created + resource "vercel_project_environment_variable" "GOOGLE_CLIENT_ID" { + id = (known after apply) + key = "GOOGLE_CLIENT_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GOOGLE_CLIENT_SECRET will be created + resource "vercel_project_environment_variable" "GOOGLE_CLIENT_SECRET" { + id = (known after apply) + key = "GOOGLE_CLIENT_SECRET" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.NEXTAUTH_URL will be updated in-place ~ resource "vercel_project_environment_variable" "NEXTAUTH_URL" { id = "JUue6ewfQxDcamjk" # (5 unchanged attributes hidden) } # module.vercel.vercel_project_environment_variable.S3_BUCKET_NAME will be created + resource "vercel_project_environment_variable" "S3_BUCKET_NAME" { + id = (known after apply) + key = "S3_BUCKET_NAME" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.aws_access_key_id will be destroyed # (because vercel_project_environment_variable.aws_access_key_id is not in configuration) - resource "vercel_project_environment_variable" "aws_access_key_id" { - id = "yReP7AMiiIyX4535" -> null - key = "AWS_ACCESS_KEY_ID" -> null - project_id = "prj_zlMmSbDuvXxab6HQhClU9k2DMk0z" -> null - 
target = [ - "production", ] -> null - team_id = "team_mllS6R4z5VZ2JecC9ZnMxi5g" -> null - value = (sensitive value) -> null } # module.vercel.vercel_project_environment_variable.aws_secret_access_key will be destroyed # (because vercel_project_environment_variable.aws_secret_access_key is not in configuration) - resource "vercel_project_environment_variable" "aws_secret_access_key" { - id = "JoR94vjf6HUUFUgd" -> null - key = "AWS_SECRET_ACCESS_KEY" -> null - project_id = "prj_zlMmSbDuvXxab6HQhClU9k2DMk0z" -> null - target = [ - "production", ] -> null - team_id = "team_mllS6R4z5VZ2JecC9ZnMxi5g" -> null - value = (sensitive value) -> null } Plan: 14 to add, 7 to change, 20 to destroy. Warning: Value for undeclared variable The root module does not declare a variable named "TF_VAR_VERCEL_API_TOKEN" but a value was found in file "/tmp/variables.tfvars". If you meant to use this value, add a "variable" block to the configuration. To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. To reduce the verbosity of these warnings, use the -compact-warnings option. ```
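Review bot: `module.repos.github_actions_secret.tf_var_aws_access_key_id` and `tf_var_aws_secret_access_key` are planned with no `plaintext_value` (or `encrypted_value`) attribute, unlike `DATABASE_URL`, `SHADOW_DATABASE_URL` and `vercel_api_token`, which show `plaintext_value = (sensitive value)`, so the `TF_VAR_AWS_*` secrets in the `terraform` repo would presumably be created empty and the next plan/apply run in that repo would be left without usable AWS credentials; wire the value through (e.g. `plaintext_value = var.TF_VAR_AWS_ACCESS_KEY_ID`, or whichever variable the module receives) before applying. The trailing "Value for undeclared variable" warning and the empty `TF_VAR_VERCEL_API_TOKEN = ""` under "With variables" look like the same wiring problem: the key in `/tmp/variables.tfvars` does not match any declared `variable` block, so either declare `TF_VAR_VERCEL_API_TOKEN` to match the AWS ones or rename the tfvars key to the declared name, and confirm where `vercel_api_token`'s planned value actually comes from. Separately, this public plan comment prints the AWS account id, an access key id (`AKIATA2OA5BNZB3F3CKT`) that was stored as a tag key on `aws_iam_user.gh_runner`, and the Vercel `project_id`/`team_id` on the destroy side that are masked on the create side; treating that key as exposed and rotating it, and masking those ids in the plan-comment workflow, would be prudent. The destroyed Secrets Manager secrets keep `recovery_window_in_days = 30`, so their values remain recoverable for a month after apply; removing `secrets_manager_policy` (which granted `secretsmanager:*`-style actions on `Resource = "*"`) is a welcome reduction.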

:memo: Plan generated in .github/workflows/terraform-plan.yml #61

coyotespike commented 1 year ago

terraform apply