Terraform used to maintain SeaGL's VMs, RDS database, DNS, etc.
GNU Affero General Public License v3.0
add sre@ outbound, import google TXT auth
#4
Closed
sntxrr
closed
2 years ago
sntxrr
commented
2 years ago
set up sre@ as outbound SMTP relay
import google TXT auth
retry RDS along the way (only because it previously didn't apply cleanly)
github-actions[bot]
commented
2 years ago
Terraform Format and Style 🖌
Terraform Initialization ⚙️
success
Terraform Plan 📖
success
Terraform Validation 🤖
success
Show Plan
``` terraform random_password.osem_db_master_pass: Refreshing state... [id=none] aws_s3_bucket.state: Refreshing state... [id=seagl-terraform] aws_ses_domain_identity.email_domain_identity: Refreshing state... [id=seagl.org] data.aws_vpc.vpc: Reading... aws_ses_domain_identity.seagl: Refreshing state... [id=seagl.org] aws_route53_record.route_53_dmarc_txt: Refreshing state... [id=Z0173878287JIU5M4KB8R__dmarc.seagl.org_TXT] aws_route53_record.route_53_root_txt: Refreshing state... [id=Z0173878287JIU5M4KB8R_seagl.org_TXT] aws_ses_domain_dkim.email_dkim: Refreshing state... [id=seagl.org] aws_route53_record.seagl_amazonses_verification_record: Refreshing state... [id=Z0173878287JIU5M4KB8R__amazonses.seagl.org_TXT] aws_route53_record.email_dkim_records[0]: Refreshing state... [id=Z0173878287JIU5M4KB8R_nldzqxeyq5fyslu3tzvj4ltbwbexupuj._domainkey.seagl.org_CNAME] aws_route53_record.email_dkim_records[2]: Refreshing state... [id=Z0173878287JIU5M4KB8R_o7o3tsrrlwgkmmx3a7f5njkrvi75woso._domainkey.seagl.org_CNAME] aws_route53_record.email_dkim_records[1]: Refreshing state... [id=Z0173878287JIU5M4KB8R_zjerfwsrr5wpwp5p5klnsrrzp6ralpcp._domainkey.seagl.org_CNAME] data.aws_vpc.vpc: Read complete after 2s [id=vpc-231ecb46] Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: + create ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # aws_db_instance.osem will be created + resource "aws_db_instance" "osem" { + address = (known after apply) + allocated_storage = 30 + apply_immediately = (known after apply) + arn = (known after apply) + auto_minor_version_upgrade = true + availability_zone = (known after apply) + backup_retention_period = 7 + backup_window = (known after apply) + ca_cert_identifier = (known after apply) + character_set_name = (known after apply) + copy_tags_to_snapshot = false + db_subnet_group_name = "osem" + delete_automated_backups = true + endpoint = (known after apply) + engine = "mariadb" + engine_version = "10.6.7" + engine_version_actual = (known after apply) + hosted_zone_id = (known after apply) + id = (known after apply) + identifier = (known after apply) + identifier_prefix = (known after apply) + instance_class = "db.m5.large" + kms_key_id = (known after apply) + latest_restorable_time = (known after apply) + license_model = (known after apply) + maintenance_window = (known after apply) + max_allocated_storage = 100 + monitoring_interval = 0 + monitoring_role_arn = (known after apply) + multi_az = (known after apply) + name = "osem" + nchar_character_set_name = (known after apply) + option_group_name = (known after apply) + parameter_group_name = "default.mariadb10.6" + password = (sensitive value) + performance_insights_enabled = false + performance_insights_kms_key_id = (known after apply) + performance_insights_retention_period = (known after apply) + port = (known after apply) + publicly_accessible = false + replicas = (known after apply) + resource_id = (known after apply) + skip_final_snapshot = true + snapshot_identifier = (known after apply) + status = (known after apply) + storage_encrypted = true + storage_type = (known after apply) + tags_all = (known after apply) + timezone = (known 
after apply) + username = "osem" + vpc_security_group_ids = (known after apply) } # aws_db_subnet_group.osem will be created + resource "aws_db_subnet_group" "osem" { + arn = (known after apply) + description = "Managed by Terraform" + id = (known after apply) + name = "osem" + name_prefix = (known after apply) + subnet_ids = [ + "subnet-5a826503", + "subnet-8b7adbee", + "subnet-d507c0a2", ] + tags_all = (known after apply) } # aws_route53_record.route_53_root_txt must be replaced -/+ resource "aws_route53_record" "route_53_root_txt" { + allow_overwrite = (known after apply) ~ fqdn = "seagl.org" -> (known after apply) ~ id = "Z0173878287JIU5M4KB8R_seagl.org_TXT" -> (known after apply) - name = "seagl.org" -> null # forces replacement # (4 unchanged attributes hidden) } # aws_s3_bucket.state will be updated in-place ~ resource "aws_s3_bucket" "state" { + acl = "private" + force_destroy = false id = "seagl-terraform" tags = {} # (9 unchanged attributes hidden) - server_side_encryption_configuration { - rule { - bucket_key_enabled = false -> null - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" -> null } } } # (1 unchanged block hidden) } # aws_s3_bucket_acl.state will be created + resource "aws_s3_bucket_acl" "state" { + acl = "private" + bucket = "seagl-terraform" + id = (known after apply) + access_control_policy { + grant { + permission = (known after apply) + grantee { + display_name = (known after apply) + email_address = (known after apply) + id = (known after apply) + type = (known after apply) + uri = (known after apply) } } + owner { + display_name = (known after apply) + id = (known after apply) } } } # aws_s3_bucket_public_access_block.state will be created + resource "aws_s3_bucket_public_access_block" "state" { + block_public_acls = true + block_public_policy = true + bucket = "seagl-terraform" + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } # aws_s3_bucket_versioning.state will be created + 
resource "aws_s3_bucket_versioning" "state" { + bucket = "seagl-terraform" + id = (known after apply) + versioning_configuration { + mfa_delete = (known after apply) + status = "Enabled" } } # aws_secretsmanager_secret.osem-db-pass will be created + resource "aws_secretsmanager_secret" "osem-db-pass" { + arn = (known after apply) + force_overwrite_replica_secret = false + id = (known after apply) + name = "db-pass-osem" + name_prefix = (known after apply) + policy = (known after apply) + recovery_window_in_days = 30 + rotation_enabled = (known after apply) + rotation_lambda_arn = (known after apply) + tags_all = (known after apply) + replica { + kms_key_id = (known after apply) + last_accessed_date = (known after apply) + region = (known after apply) + status = (known after apply) + status_message = (known after apply) } + rotation_rules { + automatically_after_days = (known after apply) } } # aws_secretsmanager_secret_version.osem-db-pass-val will be created + resource "aws_secretsmanager_secret_version" "osem-db-pass-val" { + arn = (known after apply) + id = (known after apply) + secret_id = (known after apply) + secret_string = (sensitive value) + version_id = (known after apply) + version_stages = (known after apply) } # aws_security_group.osem_rds_security_group will be created + resource "aws_security_group" "osem_rds_security_group" { + arn = (known after apply) + description = "Private SG for OSEM RDS" + egress = (known after apply) + id = (known after apply) + ingress = (known after apply) + name = "osem-private-sg" + name_prefix = (known after apply) + owner_id = (known after apply) + revoke_rules_on_delete = false + tags = { + "ManagedBy" = "terraform" + "Name" = "osem--private-sg" + "Role" = "private" } + tags_all = { + "ManagedBy" = "terraform" + "Name" = "osem--private-sg" + "Role" = "private" } + vpc_id = "vpc-231ecb46" } # aws_security_group_rule.private_in will be created + resource "aws_security_group_rule" "private_in" { + cidr_blocks = [ + 
"172.31.0.0/16", ] + from_port = 3306 + id = (known after apply) + protocol = "-1" + security_group_id = (known after apply) + self = false + source_security_group_id = (known after apply) + to_port = 3306 + type = "ingress" } # aws_security_group_rule.private_out will be created + resource "aws_security_group_rule" "private_out" { + cidr_blocks = [ + "0.0.0.0/0", ] + from_port = 0 + id = (known after apply) + protocol = "-1" + security_group_id = (known after apply) + self = false + source_security_group_id = (known after apply) + to_port = 0 + type = "egress" } # aws_ses_email_identity.email will be created + resource "aws_ses_email_identity" "email" { + arn = (known after apply) + email = "sre@seagl.org" + id = (known after apply) } Plan: 12 to add, 1 to change, 1 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. ```
Pushed by: @sntxrr, Action:
pull_request