cds-snc / forms-terraform

Infrastructure as Code for the GC Forms environment
MIT License

chore: GCForms release v3.23.0 #829

Closed sre-read-write[bot] closed 2 months ago

sre-read-write[bot] commented 2 months ago

:robot: I have created a release beep boop

3.23.0 (2024-09-16)

Features

Miscellaneous Chores


This PR was generated with Release Please. See documentation.

github-actions[bot] commented 2 months ago

Production: oidc_roles

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 3 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_iam_policy.forms_api_release[0]` |
| | `aws_iam_role_policy_attachment.forms_api_release[0]` |
| | `module.github_workflow_roles.aws_iam_role.this["forms-api-release"]` |
| update | `aws_iam_policy.platform_forms_client_release[0]` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.forms_api_release[0] will be created
  + resource "aws_iam_policy" "forms_api_release" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "forms-api-release"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ecr:UploadLayerPart",
                          + "ecr:SetRepositoryPolicy",
                          + "ecr:PutImage",
                          + "ecr:ListImages",
                          + "ecr:InitiateLayerUpload",
                          + "ecr:GetRepositoryPolicy",
                          + "ecr:GetDownloadUrlForLayer",
                          + "ecr:DescribeRepositories",
                          + "ecr:DescribeImages",
                          + "ecr:CompleteLayerUpload",
                          + "ecr:BatchGetImage",
                          + "ecr:BatchDeleteImage",
                          + "ecr:BatchCheckLayerAvailability",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/forms/api",
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production",
                        ]
                    },
                  + {
                      + Action   = "ecr:GetAuthorizationToken"
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags_all         = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
    }

  # aws_iam_policy.platform_forms_client_release[0] will be updated in-place
  ~ resource "aws_iam_policy" "platform_forms_client_release" {
        id          = "arn:aws:iam::957818836222:policy/platform-forms-client-release"
        name        = "platform-forms-client-release"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production" -> [
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/forms/api",
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = "ecr:GetAuthorizationToken"
                        Effect   = "Allow"
                        Resource = "*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_role_policy_attachment.forms_api_release[0] will be created
  + resource "aws_iam_role_policy_attachment" "forms_api_release" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "forms-api-release"
    }

  # module.github_workflow_roles.aws_iam_role.this["forms-api-release"] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRoleWithWebIdentity"
                      + Condition = {
                          + StringLike = {
                              + "token.actions.githubusercontent.com:sub" = "repo:cds-snc/forms-api:ref:refs/tags/v*"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::957818836222:oidc-provider/token.actions.githubusercontent.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "forms-api-release"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

Plan: 3 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_api_release[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.platform_forms_client_release[0]"]

21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: sqs

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 2 to add, 0 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_sqs_queue.api_audit_log_deadletter_queue` |
| | `aws_sqs_queue.api_audit_log_queue` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_sqs_queue.api_audit_log_deadletter_queue will be created
  + resource "aws_sqs_queue" "api_audit_log_deadletter_queue" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 60
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = 300
      + kms_master_key_id                 = "alias/aws/sqs"
      + max_message_size                  = 262144
      + message_retention_seconds         = 1209600
      + name                              = "api_audit_log_deadletter_queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 5
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags_all                          = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

  # aws_sqs_queue.api_audit_log_queue will be created
  + resource "aws_sqs_queue" "api_audit_log_queue" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = 300
      + kms_master_key_id                 = "alias/aws/sqs"
      + max_message_size                  = 262144
      + message_retention_seconds         = 172800
      + name                              = "api_audit_log_queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags_all                          = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 1960
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + sqs_api_audit_log_deadletter_queue_arn = (known after apply)
  + sqs_api_audit_log_queue_arn            = (known after apply)
  + sqs_api_audit_log_queue_id             = (known after apply)
  + sqs_app_audit_log_deadletter_queue_arn = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
  + sqs_app_audit_log_queue_arn            = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue"
  + sqs_app_audit_log_queue_id             = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue"
  - sqs_audit_log_deadletter_queue_arn     = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue" -> null
  - sqs_audit_log_queue_arn                = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> null
  - sqs_audit_log_queue_id                 = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue" -> null

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reprocess_submission_queue"]

26 tests, 19 passed, 7 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: dynamodb

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_dynamodb_table.api_audit_logs` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_dynamodb_table.api_audit_logs will be created
  + resource "aws_dynamodb_table" "api_audit_logs" {
      + arn                         = (known after apply)
      + billing_mode                = "PAY_PER_REQUEST"
      + deletion_protection_enabled = true
      + hash_key                    = "UserID"
      + id                          = (known after apply)
      + name                        = "ApiAuditLogs"
      + range_key                   = "Event#SubjectID#TimeStamp"
      + read_capacity               = (known after apply)
      + stream_arn                  = (known after apply)
      + stream_enabled              = false
      + stream_label                = (known after apply)
      + stream_view_type            = (known after apply)
      + tags_all                    = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + write_capacity              = (known after apply)

      + attribute {
          + name = "Event#SubjectID#TimeStamp"
          + type = "S"
        }
      + attribute {
          + name = "Status"
          + type = "S"
        }
      + attribute {
          + name = "TimeStamp"
          + type = "N"
        }
      + attribute {
          + name = "UserID"
          + type = "S"
        }

      + global_secondary_index {
          + hash_key           = "Status"
          + name               = "StatusByTimestamp"
          + non_key_attributes = []
          + projection_type    = "ALL"
          + range_key          = "TimeStamp"
        }
      + global_secondary_index {
          + hash_key           = "UserID"
          + name               = "UserByTime"
          + non_key_attributes = []
          + projection_type    = "KEYS_ONLY"
          + range_key          = "TimeStamp"
        }

      + point_in_time_recovery {
          + enabled = true
        }

      + server_side_encryption {
          + enabled     = true
          + kms_key_arn = "arn:aws:kms:ca-central-1:957818836222:key/afbaea67-8277-4a4c-853e-7697dd2dade5"
        }

      + ttl (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + dynamodb_api_audit_logs_arn        = (known after apply)
  + dynamodb_api_audit_logs_table_name = "ApiAuditLogs"
  + dynamodb_app_audit_logs_arn        = "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs"
  + dynamodb_app_audit_logs_table_name = "AuditLogs"
  - dynamodb_audit_logs_arn            = "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs" -> null
  - dynamodb_audit_logs_table_name     = "AuditLogs" -> null

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.api_audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.vault"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: idp

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `module.idp_ecs.aws_ecs_service.this` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.idp_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id              = "arn:aws:ecs:ca-central-1:957818836222:service/idp/zitadel"
        name            = "zitadel"
        tags            = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
      ~ task_definition = "zitadel:3" -> "zitadel"
        # (15 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener_rule.idp_protocol_version"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.idp"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: app

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 1 to add, 1 to change, 1 to destroy
Show summary

| CHANGE | NAME |
|----------|------|
| update | `aws_iam_policy.forms_sqs` |
| recreate | `aws_ecs_task_definition.form_viewer` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_ecs_task_definition.form_viewer must be replaced
-/+ resource "aws_ecs_task_definition" "form_viewer" {
      ~ arn                   = "arn:aws:ecs:ca-central-1:957818836222:task-definition/form-viewer:91" -> (known after apply)
      ~ arn_without_revision  = "arn:aws:ecs:ca-central-1:957818836222:task-definition/form-viewer" -> (known after apply)
      ~ container_definitions = jsonencode(
          ~ [
              ~ {
                  ~ Environment = [
                      ~ {
                          ~ Value = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue" -> "http://sqs.ca-central-1.localhost.localstack.cloud:4566/000000000000/audit_log_queue"
                            # (1 unchanged attribute hidden)
                        },
                        {
                            Name  = "COGNITO_CLIENT_ID"
                            Value = "5rkjd3us3ocssieiitdbtjitiv"
                        },
                        # (15 unchanged elements hidden)
                    ]
                    # (39 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ id                    = "form-viewer" -> (known after apply)
      ~ revision              = 91 -> (known after apply)
      - tags                  = {} -> null
        # (12 unchanged attributes hidden)
    }

  # aws_iam_policy.forms_sqs will be updated in-place
  ~ resource "aws_iam_policy" "forms_sqs" {
        id          = "arn:aws:iam::957818836222:policy/forms_sqs"
        name        = "forms_sqs"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            "arn:aws:sqs:ca-central-1:957818836222:reprocess_submission_queue.fifo",
                          ~ "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue",
                        ]
                      - Sid      = ""
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (7 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]

34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: api

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `module.api_ecs.aws_ecs_service.this` |
| | `module.api_ecs.aws_iam_policy.this_task[0]` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.api_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id              = "arn:aws:ecs:ca-central-1:957818836222:service/Forms/forms-api"
        name            = "forms-api"
        tags            = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
      ~ task_definition = "forms-api:1" -> "forms-api"
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.api_ecs.aws_iam_policy.this_task[0] will be updated in-place
  ~ resource "aws_iam_policy" "this_task" {
        id          = "arn:aws:iam::957818836222:policy/forms-api_ecs_task_policy"
        name        = "forms-api_ecs_task_policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                    # (3 unchanged elements hidden)
                    {
                        Action   = "secretsmanager:GetSecretValue"
                        Effect   = "Allow"
                        Resource = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:server-database-url-jVtWGE"
                    },
                  + {
                      + Action   = [
                          + "sqs:SendMessage",
                          + "sqs:GetQueueUrl",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 2 months ago

Production: lambdas

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 2 to add, 2 to change, 1 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| delete | `aws_lambda_event_source_mapping.audit_logs` |
| update | `aws_iam_policy.lambda_dynamodb` |
| | `aws_lambda_function.audit_logs` |
| add | `aws_lambda_event_source_mapping.api_audit_logs` |
| | `aws_lambda_event_source_mapping.app_audit_logs` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_iam_policy.lambda_dynamodb will be updated in-place
  ~ resource "aws_iam_policy" "lambda_dynamodb" {
        id          = "arn:aws:iam::957818836222:policy/lambda_dynamobdb"
        name        = "lambda_dynamobdb"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            # (3 unchanged elements hidden)
                            "arn:aws:dynamodb:ca-central-1:957818836222:table/ReliabilityQueue",
                          - "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs/index/*",
                          - "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs/index/*",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs/index/*",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (7 unchanged attributes hidden)
    }

  # aws_lambda_event_source_mapping.api_audit_logs will be created
  + resource "aws_lambda_event_source_mapping" "api_audit_logs" {
      + batch_size                         = 10
      + enabled                            = true
      + event_source_arn                   = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
      + function_arn                       = (known after apply)
      + function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs"
      + function_response_types            = [
          + "ReportBatchItemFailures",
        ]
      + id                                 = (known after apply)
      + last_modified                      = (known after apply)
      + last_processing_result             = (known after apply)
      + maximum_batching_window_in_seconds = 30
      + maximum_record_age_in_seconds      = (known after apply)
      + maximum_retry_attempts             = (known after apply)
      + parallelization_factor             = (known after apply)
      + state                              = (known after apply)
      + state_transition_reason            = (known after apply)
      + uuid                               = (known after apply)

      + amazon_managed_kafka_event_source_config (known after apply)

      + self_managed_kafka_event_source_config (known after apply)
    }

  # aws_lambda_event_source_mapping.app_audit_logs will be created
  + resource "aws_lambda_event_source_mapping" "app_audit_logs" {
      + batch_size                         = 10
      + enabled                            = true
      + event_source_arn                   = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
      + function_arn                       = (known after apply)
      + function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs"
      + function_response_types            = [
          + "ReportBatchItemFailures",
        ]
      + id                                 = (known after apply)
      + last_modified                      = (known after apply)
      + last_processing_result             = (known after apply)
      + maximum_batching_window_in_seconds = 30
      + maximum_record_age_in_seconds      = (known after apply)
      + maximum_retry_attempts             = (known after apply)
      + parallelization_factor             = (known after apply)
      + state                              = (known after apply)
      + state_transition_reason            = (known after apply)
      + uuid                               = (known after apply)

      + amazon_managed_kafka_event_source_config (known after apply)

      + self_managed_kafka_event_source_config (known after apply)
    }

  # aws_lambda_event_source_mapping.audit_logs will be destroyed
  # (because aws_lambda_event_source_mapping.audit_logs is not in configuration)
  - resource "aws_lambda_event_source_mapping" "audit_logs" {
      - batch_size                         = 10 -> null
      - bisect_batch_on_function_error     = false -> null
      - enabled                            = true -> null
      - event_source_arn                   = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> null
      - function_arn                       = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs" -> null
      - function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs" -> null
      - function_response_types            = [
          - "ReportBatchItemFailures",
        ] -> null
      - id                                 = "46934244-6fab-43a6-9280-8c8309c0d6b8" -> null
      - last_modified                      = "2024-05-30T12:32:02Z" -> null
      - maximum_batching_window_in_seconds = 30 -> null
      - maximum_record_age_in_seconds      = 0 -> null
      - maximum_retry_attempts             = 0 -> null
      - parallelization_factor             = 0 -> null
      - queues                             = [] -> null
      - state                              = "Enabled" -> null
      - state_transition_reason            = "USER_INITIATED" -> null
      - topics                             = [] -> null
      - tumbling_window_in_seconds         = 0 -> null
      - uuid                               = "46934244-6fab-43a6-9280-8c8309c0d6b8" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_lambda_function.audit_logs will be updated in-place
  ~ resource "aws_lambda_function" "audit_logs" {
        id                             = "audit-logs"
        tags                           = {}
        # (28 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              + "API_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
              + "APP_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
                # (2 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

Plan: 2 to add, 2 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...
```
github-actions[bot] commented 2 months ago

Production: alarms

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 1 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn` |
| | `aws_iam_role_policy.athena_dynamodb_policy` |
| add | `aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn will be created
  + resource "aws_cloudwatch_metric_alarm" "api_audit_log_dead_letter_queue_warn" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:957818836222:alert-warning",
        ]
      + alarm_description                     = "Detect when a message is sent to the API Audit Log Dead Letter Queue"
      + alarm_name                            = "ApiAuditLogDeadLetterQueueWarn"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + tags_all                              = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + threshold                             = 0
      + treat_missing_data                    = "missing"

      + metric_query {
          + id          = "m1"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + id          = "m2"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesNotVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + expression  = "RATE(m2+m1)"
          + id          = "e1"
          + label       = "Error Rate"
          + return_data = true
            # (1 unchanged attribute hidden)
        }
    }

  # aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn will be updated in-place
  ~ resource "aws_cloudwatch_metric_alarm" "audit_log_dead_letter_queue_warn" {
        id                                    = "AuditLogDeadLetterQueueWarn"
        tags                                  = {}
        # (22 unchanged attributes hidden)

      - metric_query {
          - id          = "m1" -> null
          - period      = 0 -> null
          - return_data = false -> null
            # (3 unchanged attributes hidden)

          - metric {
              - dimensions  = {
                  - "QueueName" = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
                } -> null
              - metric_name = "ApproximateNumberOfMessagesVisible" -> null
              - namespace   = "AWS/SQS" -> null
              - period      = 60 -> null
              - stat        = "Sum" -> null
              - unit        = "Count" -> null
            }
        }
      - metric_query {
          - id          = "m2" -> null
          - period      = 0 -> null
          - return_data = false -> null
            # (3 unchanged attributes hidden)

          - metric {
              - dimensions  = {
                  - "QueueName" = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
                } -> null
              - metric_name = "ApproximateNumberOfMessagesNotVisible" -> null
              - namespace   = "AWS/SQS" -> null
              - period      = 60 -> null
              - stat        = "Sum" -> null
              - unit        = "Count" -> null
            }
        }
      - metric_query {
          - expression  = "RATE(m2+m1)" -> null
          - id          = "e1" -> null
          - label       = "Error Rate" -> null
          - period      = 0 -> null
          - return_data = true -> null
            # (1 unchanged attribute hidden)
        }
      + metric_query {
          + id          = "m1"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + id          = "m2"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesNotVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + expression  = "RATE(m2+m1)"
          + id          = "e1"
          + label       = "Error Rate"
          + return_data = true
        }
    }

  # aws_iam_role_policy.athena_dynamodb_policy will be updated in-place
  ~ resource "aws_iam_role_policy" "athena_dynamodb_policy" {
        id     = "athena_dynamodb_role:athena_dynamodb_policy"
        name   = "athena_dynamodb_policy"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action   = [
                            "glue:GetTableVersions",
                            "glue:GetPartitions",
                            "glue:GetTables",
                            "glue:GetTableVersion",
                            "glue:GetDatabases",
                            "glue:GetTable",
                            "glue:GetPartition",
                            "glue:GetDatabase",
                            "glue:ListSchemas",
                            "athena:GetQueryExecution",
                            "s3:ListAllMyBuckets",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  ~ {
                      ~ Resource = [
                          ~ "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
                          ~ "arn:aws:dynamodb:ca-central-1:957818836222:table/auditlogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/auditlogs",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "dynamodb:ListTables",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                    # (2 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 2 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.athena_bucket.aws_s3_bucket.this,
  on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
   8: resource "aws_s3_bucket" "this" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 3 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.rds_data_catalog"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_healthy_hosts"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup1"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup2"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_healthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_response_time_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common...
```
sre-read-write[bot] commented 2 months ago

:robot: Created releases: