GradientFlow-ai / terraform

IaC for GradientFlow

Allow GH Runner to delete secrets #32

Closed coyotespike closed 1 year ago

github-actions[bot] commented 1 year ago

Terraform plan in .

With variables

TF_VAR_AWS_ACCESS_KEY_ID     = (sensitive value)
TF_VAR_AWS_SECRET_ACCESS_KEY = (sensitive value)
TF_VAR_VERCEL_API_TOKEN      = "oiMAmyaqs466YuOfZLbuCOEs"

Plan: 13 to add, 7 to change, 13 to destroy. ```hcl Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place - destroy Terraform will perform the following actions: # module.kms.aws_secretsmanager_secret.AWS_ACCESS_KEY_ID will be destroyed # (because aws_secretsmanager_secret.AWS_ACCESS_KEY_ID is not in configuration) - resource "aws_secretsmanager_secret" "AWS_ACCESS_KEY_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_ACCESS_KEY_ID-qxfKXG" -> null - description = "Gives eaas permission to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_ACCESS_KEY_ID-qxfKXG" -> null - name = "AWS_ACCESS_KEY_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.AWS_SECRET_ACCESS_KEY will be destroyed # (because aws_secretsmanager_secret.AWS_SECRET_ACCESS_KEY is not in configuration) - resource "aws_secretsmanager_secret" "AWS_SECRET_ACCESS_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_SECRET_ACCESS_KEY-HP0om1" -> null - description = "Gives eaas permission to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:AWS_SECRET_ACCESS_KEY-HP0om1" -> null - name = "AWS_SECRET_ACCESS_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.DATABASE_URL will be destroyed # (because aws_secretsmanager_secret.DATABASE_URL is not in configuration) - resource "aws_secretsmanager_secret" "DATABASE_URL" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:DATABASE_URL-Je5EWK" -> null - description = "Allows eaas to 
access Supabase postgres" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:DATABASE_URL-Je5EWK" -> null - name = "DATABASE_URL" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GITHUB_ID will be destroyed # (because aws_secretsmanager_secret.GITHUB_ID is not in configuration) - resource "aws_secretsmanager_secret" "GITHUB_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_ID-gbx940" -> null - description = "Enables Vercel to use GitHub as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_ID-gbx940" -> null - name = "GITHUB_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GITHUB_SECRET will be destroyed # (because aws_secretsmanager_secret.GITHUB_SECRET is not in configuration) - resource "aws_secretsmanager_secret" "GITHUB_SECRET" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_SECRET-RnHiuE" -> null - description = "Enables Vercel to use GitHub as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GITHUB_SECRET-RnHiuE" -> null - name = "GITHUB_SECRET" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GOOGLE_CLIENT_ID will be destroyed # (because aws_secretsmanager_secret.GOOGLE_CLIENT_ID is not in configuration) - resource "aws_secretsmanager_secret" "GOOGLE_CLIENT_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_ID-uf9KkN" -> null - description = "Enables Vercel to use Google as OAuth provider" 
-> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_ID-uf9KkN" -> null - name = "GOOGLE_CLIENT_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.GOOGLE_CLIENT_SECRET will be destroyed # (because aws_secretsmanager_secret.GOOGLE_CLIENT_SECRET is not in configuration) - resource "aws_secretsmanager_secret" "GOOGLE_CLIENT_SECRET" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_SECRET-OwUY9b" -> null - description = "Enables Vercel to use Google as OAuth provider" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:GOOGLE_CLIENT_SECRET-OwUY9b" -> null - name = "GOOGLE_CLIENT_SECRET" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.S3_BUCKET_NAME will be destroyed # (because aws_secretsmanager_secret.S3_BUCKET_NAME is not in configuration) - resource "aws_secretsmanager_secret" "S3_BUCKET_NAME" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:S3_BUCKET_NAME-uf9KkN" -> null - description = "Tells eaas where to store documents on S3" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:S3_BUCKET_NAME-uf9KkN" -> null - name = "S3_BUCKET_NAME" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.SHADOW_DATABASE_URL will be destroyed # (because aws_secretsmanager_secret.SHADOW_DATABASE_URL is not in configuration) - resource "aws_secretsmanager_secret" "SHADOW_DATABASE_URL" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SHADOW_DATABASE_URL-4uokNR" -> null - 
description = "Allows eaas to access Prisma postgres shadow on Supabase" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SHADOW_DATABASE_URL-4uokNR" -> null - name = "SHADOW_DATABASE_URL" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.SUPER_GITHUB_TOKEN will be destroyed # (because aws_secretsmanager_secret.SUPER_GITHUB_TOKEN is not in configuration) - resource "aws_secretsmanager_secret" "SUPER_GITHUB_TOKEN" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SUPER_GITHUB_TOKEN-EUY2Ro" -> null - description = "A second token necessary for Github Actions terraform plan and apply in Terraform repo" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:SUPER_GITHUB_TOKEN-EUY2Ro" -> null - name = "SUPER_GITHUB_TOKEN" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.TF_VAR_AWS_ACCESS_KEY_ID will be destroyed # (because aws_secretsmanager_secret.TF_VAR_AWS_ACCESS_KEY_ID is not in configuration) - resource "aws_secretsmanager_secret" "TF_VAR_AWS_ACCESS_KEY_ID" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_ACCESS_KEY_ID-ueqKQd" -> null - description = "Allows Terraform to manage S3. 
Created in roles/s3_iam" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_ACCESS_KEY_ID-ueqKQd" -> null - name = "TF_VAR_AWS_ACCESS_KEY_ID" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.TF_VAR_AWS_SECRET_ACCESS_KEY will be destroyed # (because aws_secretsmanager_secret.TF_VAR_AWS_SECRET_ACCESS_KEY is not in configuration) - resource "aws_secretsmanager_secret" "TF_VAR_AWS_SECRET_ACCESS_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_SECRET_ACCESS_KEY-3xniRI" -> null - description = "Allows Terraform to manage S3. Created in roles/s3_iam" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:TF_VAR_AWS_SECRET_ACCESS_KEY-3xniRI" -> null - name = "TF_VAR_AWS_SECRET_ACCESS_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.kms.aws_secretsmanager_secret.VERCEL_API_KEY will be destroyed # (because aws_secretsmanager_secret.VERCEL_API_KEY is not in configuration) - resource "aws_secretsmanager_secret" "VERCEL_API_KEY" { - arn = "arn:aws:secretsmanager:us-west-1:207932680283:secret:VERCEL_API_KEY-SkFmrM" -> null - description = "Allows Terraform to manage Vercel projects" -> null - force_overwrite_replica_secret = false -> null - id = "arn:aws:secretsmanager:us-west-1:207932680283:secret:VERCEL_API_KEY-SkFmrM" -> null - name = "VERCEL_API_KEY" -> null - recovery_window_in_days = 30 -> null - rotation_enabled = false -> null - tags = {} -> null - tags_all = {} -> null } # module.repos.github_actions_secret.DATABASE_URL will be created + resource "github_actions_secret" "DATABASE_URL" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + 
repository = "eaas" + secret_name = "DATABASE_URL" + updated_at = (known after apply) } # module.repos.github_actions_secret.SHADOW_DATABASE_URL will be created + resource "github_actions_secret" "SHADOW_DATABASE_URL" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "eaas" + secret_name = "SHADOW_DATABASE_URL" + updated_at = (known after apply) } # module.repos.github_actions_secret.super_github_token will be created + resource "github_actions_secret" "super_github_token" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "terraform" + secret_name = "SUPER_GITHUB_TOKEN" + updated_at = (known after apply) } # module.repos.github_actions_secret.tf_var_aws_access_key_id will be created + resource "github_actions_secret" "tf_var_aws_access_key_id" { + created_at = (known after apply) + id = (known after apply) + repository = "terraform" + secret_name = "TF_VAR_AWS_ACCESS_KEY_ID" + updated_at = (known after apply) } # module.repos.github_actions_secret.tf_var_aws_secret_access_key will be created + resource "github_actions_secret" "tf_var_aws_secret_access_key" { + created_at = (known after apply) + id = (known after apply) + repository = "terraform" + secret_name = "TF_VAR_AWS_SECRET_ACCESS_KEY" + updated_at = (known after apply) } # module.repos.github_actions_secret.vercel_api_token will be created + resource "github_actions_secret" "vercel_api_token" { + created_at = (known after apply) + id = (known after apply) + plaintext_value = (sensitive value) + repository = "terraform" + secret_name = "VERCEL_API_TOKEN" + updated_at = (known after apply) } # module.repos.github_branch_protection.eaas will be updated in-place ~ resource "github_branch_protection" "eaas" { id = "BPR_kwDOI7EyTc4CIwZR" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element 
hidden) ] # (6 unchanged attributes hidden) } } # module.repos.github_branch_protection.embeddings_api will be updated in-place ~ resource "github_branch_protection" "embeddings_api" { id = "BPR_kwDOI-ZWE84CIwg4" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } } # module.repos.github_branch_protection.fast-api-ocean will be updated in-place ~ resource "github_branch_protection" "fast-api-ocean" { id = "BPR_kwDOI96H_s4CIwg3" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } } # module.repos.github_branch_protection.terraform will be updated in-place ~ resource "github_branch_protection" "terraform" { id = "BPR_kwDOJOQLq84CJzKa" # (11 unchanged attributes hidden) ~ required_pull_request_reviews { ~ pull_request_bypassers = [ - "MDQ6VXNlcjMxMTg5NjQ=", # (1 unchanged element hidden) ] # (6 unchanged attributes hidden) } # (1 unchanged block hidden) } # module.roles.aws_iam_user.gh_runner will be updated in-place ~ resource "aws_iam_user" "gh_runner" { id = "gh_runner" name = "gh_runner" ~ tags = { - "AKIATA2OA5BNZB3F3CKT" = "S3 access" -> null } ~ tags_all = { - "AKIATA2OA5BNZB3F3CKT" = "S3 access" } -> (known after apply) # (4 unchanged attributes hidden) } # module.roles.aws_iam_user_policy.gh_runner_policy will be updated in-place ~ resource "aws_iam_user_policy" "gh_runner_policy" { id = "gh_runner:gh_runner_policy" name = "gh_runner_policy" ~ policy = jsonencode( ~ { ~ Statement = [ ~ { ~ Resource = "arn:aws:iam::207932680283:role/create_roles" -> "arn:aws:iam::207932680283:role/secrets_manager_role" # (2 unchanged attributes hidden) }, ] # (1 unchanged attribute hidden) } ) # (1 unchanged attribute hidden) } # module.vercel.vercel_project_environment_variable.AWS_ACCESS_KEY_ID 
will be created + resource "vercel_project_environment_variable" "AWS_ACCESS_KEY_ID" { + id = (known after apply) + key = "AWS_ACCESS_KEY_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.AWS_SECRET_ACCESS_KEY will be created + resource "vercel_project_environment_variable" "AWS_SECRET_ACCESS_KEY" { + id = (known after apply) + key = "AWS_SECRET_ACCESS_KEY" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GITHUB_ID will be created + resource "vercel_project_environment_variable" "GITHUB_ID" { + id = (known after apply) + key = "GITHUB_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GITHUB_SECRET will be created + resource "vercel_project_environment_variable" "GITHUB_SECRET" { + id = (known after apply) + key = "GITHUB_SECRET" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GOOGLE_CLIENT_ID will be created + resource "vercel_project_environment_variable" "GOOGLE_CLIENT_ID" { + id = (known after apply) + key = "GOOGLE_CLIENT_ID" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.GOOGLE_CLIENT_SECRET will be created + resource "vercel_project_environment_variable" "GOOGLE_CLIENT_SECRET" { + id = (known after apply) + key = "GOOGLE_CLIENT_SECRET" + project_id = "********************************" + target = [ + "production", ] + team_id = (known 
after apply) + value = (sensitive value) } # module.vercel.vercel_project_environment_variable.NEXTAUTH_URL will be updated in-place ~ resource "vercel_project_environment_variable" "NEXTAUTH_URL" { id = "JUue6ewfQxDcamjk" # (5 unchanged attributes hidden) } # module.vercel.vercel_project_environment_variable.S3_BUCKET_NAME will be created + resource "vercel_project_environment_variable" "S3_BUCKET_NAME" { + id = (known after apply) + key = "S3_BUCKET_NAME" + project_id = "********************************" + target = [ + "production", ] + team_id = (known after apply) + value = (sensitive value) } Plan: 13 to add, 7 to change, 13 to destroy. Warning: Value for undeclared variable The root module does not declare a variable named "TF_VAR_VERCEL_API_TOKEN" but a value was found in file "/tmp/variables.tfvars". If you meant to use this value, add a "variable" block to the configuration. To silence these warnings, use TF_VAR_... environment variables to provide certain "global" settings to all configurations in your organization. To reduce the verbosity of these warnings, use the -compact-warnings option. ```
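Review bot: The Vercel token on the `With variables` line is echoed in clear text into this comment, while the two AWS values beside it show as `(sensitive value)`; the warning at the end of the plan explains why — the root module declares no variable named `TF_VAR_VERCEL_API_TOKEN`, so nothing marks that value sensitive before the plan bot posts it. A value that has appeared in a public comment should be treated as disclosed and rotated, and the mismatch closed either by declaring it, `variable "TF_VAR_VERCEL_API_TOKEN" { type = string sensitive = true }`, so it follows the same path as the two declared AWS variables, or by removing it from the tfvars file the workflow writes. Separately, `github_actions_secret.tf_var_aws_access_key_id` and `tf_var_aws_secret_access_key` are the only new `github_actions_secret` resources listed without a `plaintext_value` line, so those two repository secrets appear to be created with no value; worth confirming what feeds them before re-running the apply reported as failed below.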

:x: Error applying plan in Terraform Apply #28

coyotespike commented 1 year ago

terraform apply