cds-snc / simplify-privacy-statements-V2

starter-app repo based version of privacy app.
https://simplify-privacy-statements.alpha.canada.ca

Bug/cloudfront errors #259

Closed omartehsin1 closed 1 year ago

omartehsin1 commented 1 year ago

Summary | Résumé

Bug fix for the `aws_wafv2_web_acl` resource and an S3 bucket name typo.

github-actions[bot] commented 1 year ago

Production: cloudfront

✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 4 to add, 1 to change, 0 to destroy
Show plan ```terraform Resource actions are indicated with the following symbols: + create ~ update in-place Terraform will perform the following actions: # aws_cloudfront_distribution.simplify_privacy_app_cf_distribution will be created + resource "aws_cloudfront_distribution" "simplify_privacy_app_cf_distribution" { + aliases = [ + "simplify-privacy-statements.alpha.canada.ca", ] + arn = (known after apply) + caller_reference = (known after apply) + domain_name = (known after apply) + enabled = true + etag = (known after apply) + hosted_zone_id = (known after apply) + http_version = "http2" + id = (known after apply) + in_progress_validation_batches = (known after apply) + is_ipv6_enabled = false + last_modified_time = (known after apply) + price_class = "PriceClass_100" + retain_on_delete = false + status = (known after apply) + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + trusted_key_groups = (known after apply) + trusted_signers = (known after apply) + wait_for_deployment = true + web_acl_id = (known after apply) + default_cache_behavior { + allowed_methods = [ + "DELETE", + "GET", + "HEAD", + "OPTIONS", + "PATCH", + "POST", + "PUT", ] + cached_methods = [ + "GET", + "HEAD", ] + compress = false + default_ttl = (known after apply) + max_ttl = (known after apply) + min_ttl = 0 + response_headers_policy_id = "15cb4030-2708-406b-a7ba-92df299a954d" + target_origin_id = "generated_statement_lambda_function" + trusted_key_groups = (known after apply) + trusted_signers = (known after apply) + viewer_protocol_policy = "redirect-to-https" + forwarded_values { + headers = (known after apply) + query_string = true + query_string_cache_keys = (known after apply) + cookies { + forward = "none" + whitelisted_names = (known after apply) } } } + logging_config { + bucket = 
"simplify-privacy-statements-production-logs.s3.amazonaws.com" + include_cookies = false + prefix = "cloudfront" } + origin { + connection_attempts = 3 + connection_timeout = 10 + domain_name = "edbi6zcop5ta2t5wb6hb5y6kja0rsajp.lambda-url.ca-central-1.on.aws" + origin_id = "generated_statement_lambda_function" + custom_origin_config { + http_port = 80 + https_port = 443 + origin_keepalive_timeout = 5 + origin_protocol_policy = "https-only" + origin_read_timeout = 60 + origin_ssl_protocols = [ + "TLSv1.2", ] } } + restrictions { + geo_restriction { + locations = (known after apply) + restriction_type = "none" } } + viewer_certificate { + acm_certificate_arn = "arn:aws:acm:us-east-1:414662622316:certificate/1861f75e-4c5f-4752-b012-01738304a76b" + minimum_protocol_version = "TLSv1.2_2021" + ssl_support_method = "sni-only" } } # aws_iam_policy.write_waf_logs will be updated in-place ~ resource "aws_iam_policy" "write_waf_logs" { id = "arn:aws:iam::414662622316:policy/simplify-privacy-statements_WriteLogs" name = "simplify-privacy-statements_WriteLogs" ~ policy = jsonencode( ~ { ~ Statement = [ ~ { ~ Resource = [ - "arn:aws:s3:::cbs-statellite-414662622316/waf_acl_logs/*", - "arn:aws:s3:::cbs-statellite-414662622316", + "arn:aws:s3:::cbs-satellite-414662622316/waf_acl_logs/*", + "arn:aws:s3:::cbs-satellite-414662622316", ] # (3 unchanged elements hidden) }, ] # (1 unchanged element hidden) } ) tags = { "CostCentre" = "simplify-privacy-statements-production" "Terraform" = "true" } # (5 unchanged attributes hidden) } # aws_kinesis_firehose_delivery_stream.simplify_privacy_statements_waf will be created + resource "aws_kinesis_firehose_delivery_stream" "simplify_privacy_statements_waf" { + arn = (known after apply) + destination = "extended_s3" + destination_id = (known after apply) + id = (known after apply) + name = "aws-waf-logs-simplify_privacy" + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = 
"simplify-privacy-statements-production" + "Terraform" = "true" } + version_id = (known after apply) + extended_s3_configuration { + bucket_arn = "arn:aws:s3:::cbs-satellite-414662622316" + buffer_interval = 300 + buffer_size = 5 + compression_format = "GZIP" + prefix = "waf_acl_logs/AWSLogs/414662622316/" + role_arn = "arn:aws:iam::414662622316:role/simplify-privacy-app-logs" + s3_backup_mode = "Disabled" + cloudwatch_logging_options { + enabled = true + log_group_name = "/aws/kinesisfirehose/simplify_privacy_statements_waf" + log_stream_name = "WAFLogS3Delivery" } } + server_side_encryption { + enabled = true + key_type = "AWS_OWNED_CMK" } } # aws_wafv2_web_acl.simplify_privacy_statements_waf will be created + resource "aws_wafv2_web_acl" "simplify_privacy_statements_waf" { + arn = (known after apply) + capacity = (known after apply) + description = "WAF for Simplify Privacy Statements" + id = (known after apply) + lock_token = (known after apply) + name = "simplify_privacy_statements_waf" + scope = "CLOUDFRONT" + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + default_action { + allow { } } + rule { + name = "APIRateLimit" + priority = 20 + action { + block { } } + statement { + rate_based_statement { + aggregate_key_type = "IP" + limit = 2000 } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "APIRateLimit" + sampled_requests_enabled = true } } + rule { + name = "AWSManagedRulesAmazonIpReputationList" + priority = 10 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesAmazonIpReputationList" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesAmazonIpReputationList" + sampled_requests_enabled = true } } + rule { + name = "AWSManagedRulesCommonRuleSet" + priority = 30 + 
override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesCommonRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesCommonRuleSet" + sampled_requests_enabled = true } } + rule { + name = "AWSManagedRulesKnownBadInputsRuleSet" + priority = 40 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesKnownBadInputsRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesKnownBadInputsRuleSet" + sampled_requests_enabled = true } } + rule { + name = "AWSManagedRulesLinuxRuleSet" + priority = 50 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesLinuxRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesLinuxRuleSet" + sampled_requests_enabled = true } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "api" + sampled_requests_enabled = false } } # aws_wafv2_web_acl_logging_configuration.simplify_privacy_statements_waf will be created + resource "aws_wafv2_web_acl_logging_configuration" "simplify_privacy_statements_waf" { + id = (known after apply) + log_destination_configs = (known after apply) + resource_arn = (known after apply) } Plan: 4 to add, 1 to change, 0 to destroy. 
Warning: Argument is deprecated with module.log_bucket.aws_s3_bucket.this, on .terraform/modules/log_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 3 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh 18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions ```