Closed rodriguez-matias closed 12 months ago
💰 Infracost estimate: monthly cost will not change
This comment will be updated when the cost estimate changes.
[11:13:40.808] INFO Checking environment name definition in account.tfvars...
[11:13:40.815] INFO ✔ OK
[11:13:40.819] INFO Checking backend key...
[11:13:40.821] INFO Found: 'shared/identities/terraform.tfstate'
[11:13:40.822] INFO ✔ OK
[11:13:40.827] INFO Checking backend.tfvars:
[11:13:40.835] INFO Checking if profile starts with bb-shared...
[11:13:40.838] INFO ✔ OK
[11:13:40.840] INFO Checking if bucket starts with bb-shared...
[11:13:40.843] INFO ✔ OK
[11:13:40.849] INFO Checking if dynamodb table starts with bb-shared...
[11:13:40.852] INFO ✔ OK
[14:13:42] INFO Attempting to get temporary credentials for shared account.
[14:13:55] INFO Credentials for shared account written successfully.
Initializing modules...
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.67.0...
- Installed hashicorp/aws v4.67.0 (signed by HashiCorp)
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
[14:20:56] INFO Attempting to get temporary credentials for shared account.
[14:20:58] INFO Using already configured temporary credentials.
Acquiring state lock. This may take a few moments...
module.user_auditor_ci.aws_iam_user.this[0]: Refreshing state... [id=auditor.ci]
module.iam_group_auditors.data.aws_caller_identity.current[0]: Reading...
module.iam_assumable_role_service_support.data.aws_partition.current: Reading...
module.aws_iam_account_config.aws_iam_account_password_policy.this[0]: Refreshing state... [id=iam-account-password-policy]
module.iam_assumable_role_service_organizations.data.aws_partition.current: Reading...
module.iam_group_auditors.aws_iam_group.this[0]: Refreshing state... [id=auditors]
module.iam_assumable_role_finops.data.aws_partition.current: Reading...
module.iam_assumable_role_finops.data.aws_caller_identity.current: Reading...
module.iam_assumable_role_service_support.data.aws_partition.current: Read complete after 0s [id=aws]
module.iam_assumable_role_service_organizations.data.aws_partition.current: Read complete after 0s [id=aws]
module.iam_assumable_role_finops.data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_iam_policy_document.backup_s3_binbash_gdrive: Reading...
data.aws_iam_policy_document.backup_s3_binbash_gdrive: Read complete after 0s [id=40xxxxxx11]
module.iam_assumable_role_devops.aws_iam_role.this[0]: Refreshing state... [id=DevOps]
.
.
.
aws_iam_role.github_actions_role: Refreshing state... [id=shared-github-actions-oidc]
module.iam_assumable_role_auditor.aws_iam_role.this[0]: Refreshing state... [id=Auditor]
module.iam_assumable_role_oaar.aws_iam_role.this[0]: Refreshing state... [id=OrganizationAccountAccessRole]
module.iam_assumable_role_deploy_master.aws_iam_role.this[0]: Refreshing state... [id=DeployMaster]
module.iam_group_auditors.aws_iam_group_policy_attachment.iam_self_management[0]: Refreshing state... [id=auditors-202005xxxxxxxx0000004]
module.iam_assumable_role_service_organizations.aws_iam_role_policy_attachment.custom[0]: Refreshing state... [id=AWSServiceRoleForOrganizations-arn:aws:iam::aws:policy/aws-se
rvice-role/AWSOrganizationsServiceTrustPolicy]
module.iam_assumable_role_service_support.aws_iam_role_policy_attachment.custom[0]: Refreshing state... [id=AWSServiceRoleForSupport-arn:aws:iam::aws:policy/aws-service-role/A
WSSupportServiceRolePolicy]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_openid_connect_provider.aws_github_oidc will be updated in-place
~ resource "aws_iam_openid_connect_provider" "aws_github_oidc" {
id = "arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com"
tags = {}
~ thumbprint_list = [
"6938fd4d98bab03faadb97b34396831e3780aea1",
+ "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
+ "f879abce0008e4eb126e0097e46620f5aaae26ad",
]
# (4 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_iam_openid_connect_provider.aws_github_oidc: Modifying... [id=arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com]
aws_iam_openid_connect_provider.aws_github_oidc: Modifications complete after 1s [id=arn:aws:iam::xxxxxxxx:oidc-provider/token.actions.githubusercontent.com]
Releasing state lock. This may take a few moments...
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Outputs:
user_auditor_ci_iam_access_key_encrypted_secret = <sensitive>
user_auditor_ci_iam_access_key_id = <sensitive>
user_auditor_ci_name = "auditor.ci"
What?
Why?
Official Solution:
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/#:~:text=We%20have%20received,1c58a3a8518e8759bf075b76b750d4f2df264fcd
References