
Downsize eks websre #498

Closed bkochendorfer closed 3 years ago

bkochendorfer commented 3 years ago

What

This is taken from @duallain 's work over in https://github.com/mdn/infra/pull/490. The plan looks pretty clean with only a few things I am concerned about.

us-west-2 plan, no surprises here some version and tags:

  # module.mdn.helm_release.cluster_autoscaler[0] will be updated in-place
  ~ resource "helm_release" "cluster_autoscaler" {
        id                         = "cluster-autoscaler"
        name                       = "cluster-autoscaler"
      ~ version                    = "9.3.2" -> "9.9.2"
      + wait_for_jobs              = false
        # (24 unchanged attributes hidden)

        # (10 unchanged blocks hidden)
    }

  # module.mdn.module.eks.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "arn:aws:iam::178589013767:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/17FA68032269B79E4B7618A3074132D9"
      ~ tags            = {
          + "Name"      = "mdn"
          + "Region"    = "us-west-2"
          + "Terraform" = "true"
        }
      ~ tags_all        = {
          + "Name"      = "mdn"
          + "Region"    = "us-west-2"
          + "Terraform" = "true"
        }
        # (4 unchanged attributes hidden)
    }

  # module.mdn.module.eks.aws_iam_policy.cluster_elb_sl_role_creation[0] will be updated in-place
  ~ resource "aws_iam_policy" "cluster_elb_sl_role_creation" {
        id          = "arn:aws:iam::178589013767:policy/mdn-elb-sl-role-creation20201214225204007000000001"
        name        = "mdn-elb-sl-role-creation20201214225204007000000001"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                            "ec2:DescribeInternetGateways",
                          + "ec2:DescribeAddresses",
                            "ec2:DescribeAccountAttributes",
                        ]
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
      ~ tags        = {
          + "Name"      = "mdn"
          + "Region"    = "us-west-2"
          + "Terraform" = "true"
        }
      ~ tags_all    = {
          + "Name"      = "mdn"
          + "Region"    = "us-west-2"
          + "Terraform" = "true"
        }
        # (5 unchanged attributes hidden)
    }

  # module.mdn.module.eks.null_resource.wait_for_cluster[0] will be destroyed
  - resource "null_resource" "wait_for_cluster" {
      - id = "5983149665152233146" -> null
    }

  # module.mdn.module.eks.module.node_groups.random_pet.node_groups["default_ng"] will be destroyed
  - resource "random_pet" "node_groups" {
      - id        = "caring-oryx" -> null
      - keepers   = {
          - "disk_size"                 = "100"
          - "iam_role_arn"              = "arn:aws:iam::178589013767:role/mdn20200424033951806400000005"
          - "instance_type"             = "m5.xlarge"
          - "key_name"                  = ""
          - "node_group_name"           = "mdn-default_ng"
          - "source_security_group_ids" = ""
          - "subnet_ids"                = "subnet-4890e603|subnet-aca6f2d5|subnet-0a496f50"
        } -> null
      - length    = 2 -> null
      - separator = "-" -> null
    }

Plan: 0 to add, 3 to change, 2 to destroy.

eu-central-1 is a little trickier: there are many more diffs, but they are mostly tags. The one I am most concerned about is Terraform not being able to render the JSON for the velero backup-bucket IAM policy — the `aws_iam_policy_document` data source is read during apply because its inputs are not yet known, so the resulting policy cannot be reviewed from the plan alone. I think this is just Terraform being weird, but if the policy does actually get blown away we can always figure out why and roll forward. I am only going to post those diffs here, but I am happy to provide the full diff somewhere else.

...
  # module.mdn.module.velero.data.aws_iam_policy_document.this[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "this"  {
      ~ id      = "3077294010" -> (known after apply)
      ~ json    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ec2:DescribeVolumes",
                          - "ec2:DescribeSnapshots",
                          - "ec2:DeleteSnapshot",
                          - "ec2:CreateVolume",
                          - "ec2:CreateTags",
                          - "ec2:CreateSnapshot",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = [
                          - "s3:PutObject",
                          - "s3:ListMultipartUploadParts",
                          - "s3:GetObject",
                          - "s3:DeleteObject",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::velero-mdn-eu-central-1-178589013767/*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = "s3:ListBucket"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::velero-mdn-eu-central-1-178589013767"
                      - Sid      = ""
                    },
                  - {
                      - Action   = [
                          - "kms:ListKeys",
                          - "kms:ListAliases",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "kmskeys"
                    },
                  - {
                      - Action   = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-central-1:178589013767:key/19285028-7c8a-4f37-b1b5-b02c3010ed76"
                      - Sid      = "kms"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      - version = "2012-10-17" -> null

      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
      ~ statement {
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
      ~ statement {
          - effect        = "Allow" -> null
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
      ~ statement {
          - effect        = "Allow" -> null
          - not_actions   = [] -> null
          - not_resources = [] -> null
            # (3 unchanged attributes hidden)
        }
    }

  # module.mdn.module.velero.aws_iam_policy.velero_iam_role_policy[0] will be updated in-place
  ~ resource "aws_iam_policy" "velero_iam_role_policy" {
        id          = "arn:aws:iam::178589013767:policy/velero-mdn-eu-central-1-policy20200505185055278900000003"
        name        = "velero-mdn-eu-central-1-policy20200505185055278900000003"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ec2:DescribeVolumes",
                          - "ec2:DescribeSnapshots",
                          - "ec2:DeleteSnapshot",
                          - "ec2:CreateVolume",
                          - "ec2:CreateTags",
                          - "ec2:CreateSnapshot",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = [
                          - "s3:PutObject",
                          - "s3:ListMultipartUploadParts",
                          - "s3:GetObject",
                          - "s3:DeleteObject",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::velero-mdn-eu-central-1-178589013767/*"
                      - Sid      = ""
                    },
                  - {
                      - Action   = "s3:ListBucket"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::velero-mdn-eu-central-1-178589013767"
                      - Sid      = ""
                    },
                  - {
                      - Action   = [
                          - "kms:ListKeys",
                          - "kms:ListAliases",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "kmskeys"
                    },
                  - {
                      - Action   = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-central-1:178589013767:key/19285028-7c8a-4f37-b1b5-b02c3010ed76"
                      - Sid      = "kms"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags        = {}
        # (6 unchanged attributes hidden)
    }
....