cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

Feat/rotate staging api key #352

Closed maxneuvians closed 1 year ago

maxneuvians commented 1 year ago

Feat: update the Notify API key in staging

github-actions[bot] commented 1 year ago

Staging: api

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|----------------------------------------------------------|
| update | `aws_ssm_parameter.notify_api_key` |
|        | `module.url_shortener_lambda.aws_iam_policy.policies[0]` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.api_policies will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "api_policies" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "dynamodb:DeleteItem",
              + "dynamodb:DescribeTable",
              + "dynamodb:GetItem",
              + "dynamodb:PutItem",
              + "dynamodb:Query",
              + "dynamodb:UpdateItem",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener",
              + "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener/index/emailIndex",
            ]
        }
      + statement {
          + actions   = [
              + "ssm:GetParameters",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_app",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_notify",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/cloudfront_header",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/hashing_peppers",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/login_token_salt",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_api_key",
              + "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_contact_email",
            ]
        }
    }

  # aws_ssm_parameter.notify_api_key will be updated in-place
  ~ resource "aws_ssm_parameter" "notify_api_key" {
        id             = "notify_api_key"
      + insecure_value = (known after apply)
        name           = "notify_api_key"
        tags           = {
            "CostCentre" = "url-shortener-staging"
            "Terraform"  = "true"
        }
      ~ value          = (sensitive value)
      ~ version        = 1 -> (known after apply)
        # (8 unchanged attributes hidden)
    }

  # module.url_shortener_lambda.aws_iam_policy.policies[0] will be updated in-place
  ~ resource "aws_iam_policy" "policies" {
        id     = "arn:aws:iam::843973686572:policy/url-shortener-api-0"
        name   = "url-shortener-api-0"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:Query",
                          - "dynamodb:PutItem",
                          - "dynamodb:GetItem",
                          - "dynamodb:DescribeTable",
                          - "dynamodb:DeleteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener/index/emailIndex",
                          - "arn:aws:dynamodb:ca-central-1:843973686572:table/url_shortener",
                        ]
                      - Sid      = ""
                    },
                  - {
                      - Action   = "ssm:GetParameters"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_contact_email",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/notify_api_key",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/login_token_salt",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/hashing_peppers",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/cloudfront_header",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_notify",
                          - "arn:aws:ssm:ca-central-1:843973686572:parameter/auth_token_app",
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags   = {
            "CostCentre" = "url-shortener-staging"
            "Terraform"  = "true"
        }
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]

21 tests, 17 passed, 4 warnings, 0 failures, 0 exceptions
```