Closed: jasonBirchall closed 3 months ago
data.aws_iam_openid_connect_provider.github: Reading...
aws_iam_policy.github_dormant_user_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/DormantUserS3Access]
data.aws_iam_policy_document.r53_read_policy_document: Reading...
data.aws_iam_policy_document.r53_read_policy_document: Read complete after 0s [id=2046999383]
aws_iam_policy.r53_read_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/r53_read_policy]
data.aws_iam_openid_connect_provider.github: Read complete after 0s [id=arn:aws:iam::880656497252:oidc-provider/token.actions.githubusercontent.com]
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Reading...
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Read complete after 0s [id=1907641846]
aws_iam_role.r53_backup_role: Refreshing state... [id=operations-engineering-r53-backup-role]
aws_iam_role.github_dormant_user_role: Refreshing state... [id=github_dormant_user_role]
aws_iam_role_policy_attachment.r53_read_policy_attachment: Refreshing state... [id=operations-engineering-r53-backup-role-20240227095015143600000001]
github_actions_secret.role_arn: Refreshing state... [id=operations-engineering:AWS_DSD_R53_EXPORT_ROLE_ARN]
github_actions_secret.aws_role_arn: Refreshing state... [id=operations-engineering:GH_DORMANT_USER_AWS_ROLE_ARN]
aws_iam_role_policy_attachment.role_policy_attachment: Refreshing state... [id=github_dormant_user_role-20240422144734306600000001]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_access_key.octodns_access_key will be created
  + resource "aws_iam_access_key" "octodns_access_key" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "octodns-cicd-user"
    }

  # aws_iam_policy.octodns_policy will be created
  + resource "aws_iam_policy" "octodns_policy" {
      + arn         = (known after apply)
      + description = "Policy for OctoDNS to manage Route53"
      + id          = (known after apply)
      + name        = "OctoDNSPolicy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "route53:ListHostedZones",
                          + "route53:GetHostedZone",
                          + "route53:ChangeResourceRecordSets",
                          + "route53:ListResourceRecordSets",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_user.octodns_user will be created
  + resource "aws_iam_user" "octodns_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "octodns-cicd-user"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

  # aws_iam_user_policy_attachment.octodns_user_policy_attachment will be created
  + resource "aws_iam_user_policy_attachment" "octodns_user_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + user       = "octodns-cicd-user"
    }

  # github_actions_secret.octodns_aws_access_key_id will be created
  + resource "github_actions_secret" "octodns_aws_access_key_id" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_ACCESS_KEY_ID"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.octodns_aws_secret_access_key will be created
  + resource "github_actions_secret" "octodns_aws_secret_access_key" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_SECRET_ACCESS_KEY"
      + updated_at      = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ REPOSITORY | gitleaks | yes | | no | 0.84s |

See detailed report in MegaLinter reports

_Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff_
data.aws_iam_openid_connect_provider.github: Reading...
aws_iam_policy.github_dormant_user_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/DormantUserS3Access]
data.aws_iam_policy_document.r53_read_policy_document: Reading...
data.aws_iam_policy_document.r53_read_policy_document: Read complete after 0s [id=2046999383]
aws_iam_policy.r53_read_policy: Refreshing state... [id=arn:aws:iam::880656497252:policy/r53_read_policy]
data.aws_iam_openid_connect_provider.github: Read complete after 0s [id=arn:aws:iam::880656497252:oidc-provider/token.actions.githubusercontent.com]
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Reading...
data.aws_iam_policy_document.github_actions_assume_role_policy_document: Read complete after 0s [id=1907641846]
aws_iam_role.r53_backup_role: Refreshing state... [id=operations-engineering-r53-backup-role]
aws_iam_role.github_dormant_user_role: Refreshing state... [id=github_dormant_user_role]
aws_iam_role_policy_attachment.r53_read_policy_attachment: Refreshing state... [id=operations-engineering-r53-backup-role-20240227095015143600000001]
github_actions_secret.role_arn: Refreshing state... [id=operations-engineering:AWS_DSD_R53_EXPORT_ROLE_ARN]
aws_iam_role_policy_attachment.role_policy_attachment: Refreshing state... [id=github_dormant_user_role-20240422144734306600000001]
github_actions_secret.aws_role_arn: Refreshing state... [id=operations-engineering:GH_DORMANT_USER_AWS_ROLE_ARN]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_access_key.octodns_access_key will be created
  + resource "aws_iam_access_key" "octodns_access_key" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "octodns-cicd-user"
    }

  # aws_iam_policy.octodns_policy will be created
  + resource "aws_iam_policy" "octodns_policy" {
      + arn         = (known after apply)
      + description = "Policy for OctoDNS to manage Route53"
      + id          = (known after apply)
      + name        = "OctoDNSPolicy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "route53:ChangeResourceRecordSets",
                          + "route53:CreateHostedZone",
                          + "route53:ListHealthChecks",
                          + "route53:ListHostedZones",
                          + "route53:ListHostedZonesByName",
                          + "route53:ListResourceRecordSets",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_user.octodns_user will be created
  + resource "aws_iam_user" "octodns_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "octodns-cicd-user"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

  # aws_iam_user_policy_attachment.octodns_user_policy_attachment will be created
  + resource "aws_iam_user_policy_attachment" "octodns_user_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + user       = "octodns-cicd-user"
    }

  # github_actions_secret.octodns_aws_access_key_id will be created
  + resource "github_actions_secret" "octodns_aws_access_key_id" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_ACCESS_KEY_ID"
      + updated_at      = (known after apply)
    }

  # github_actions_secret.octodns_aws_secret_access_key will be created
  + resource "github_actions_secret" "octodns_aws_secret_access_key" {
      + created_at      = (known after apply)
      + id              = (known after apply)
      + plaintext_value = (sensitive value)
      + repository      = "dns"
      + secret_name     = "OCTODNS_AWS_SECRET_ACCESS_KEY"
      + updated_at      = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
This PR connects to https://github.com/ministryofjustice/operations-engineering/issues/4565
This will create a new user for managing credentials until the route53 provider in OctoDNS gives us the ability to use RBAC. Access and Secret keys are stored in the dns repository.
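A plan-review check of the kind a reviewer would want to run before applying a plan like the ones above, as an added example that is not code from this PR or from the operations-engineering repository: it reads the JSON form of a Terraform plan (`terraform show -json`) and flags the two things in the second plan that deserve attention, the creation of a long-lived IAM access key and an Allow statement granting write actions on Resource "*". The plan JSON is constructed to mirror the resources in that plan, and the function and constant names are my own.

```python
import json

# Constructed sample in the shape of `terraform show -json`, trimmed to the
# fields this check reads; it mirrors the resources in the second plan above.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_iam_access_key.octodns_access_key", "type": "aws_iam_access_key",
     "change": {"actions": ["create"], "after": {"user": "octodns-cicd-user", "status": "Active"}}},
    {"address": "aws_iam_policy.octodns_policy", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"name": "OctoDNSPolicy", "policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
             "route53:ChangeResourceRecordSets", "route53:CreateHostedZone",
             "route53:ListHealthChecks", "route53:ListHostedZones",
             "route53:ListHostedZonesByName", "route53:ListResourceRecordSets"]}]})}}},
    {"address": "aws_iam_user.octodns_user", "type": "aws_iam_user",
     "change": {"actions": ["create"], "after": {"name": "octodns-cicd-user"}}},
]})

READ_ONLY_PREFIXES = ("List", "Get", "Describe")
POLICY_TYPES = ("aws_iam_policy", "aws_iam_user_policy", "aws_iam_role_policy")

def is_write_action(action):
    """True for any IAM action whose verb is not List/Get/Describe (wildcards count as write)."""
    verb = action.split(":", 1)[-1]
    return not verb.startswith(READ_ONLY_PREFIXES)

def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def review_plan(plan_json):
    """Return (resource address, reason) findings for created resources a reviewer should look at."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if "create" not in rc["change"]["actions"]:
            continue
        after = rc["change"].get("after") or {}
        if rc["type"] == "aws_iam_access_key":
            # Static credentials never expire on their own; surface them so rotation gets planned.
            findings.append((rc["address"], "long-lived access key for IAM user %r" % after.get("user")))
        elif rc["type"] in POLICY_TYPES:
            for stmt in json.loads(after.get("policy") or "{}").get("Statement", []):
                writes = sorted(a for a in as_list(stmt.get("Action")) if is_write_action(a))
                if stmt.get("Effect") == "Allow" and writes and "*" in as_list(stmt.get("Resource")):
                    findings.append((rc["address"], 'write actions on Resource "*": ' + ", ".join(writes)))
    return findings

if __name__ == "__main__":
    for address, reason in review_plan(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Pointing it at a real plan is `terraform plan -out plan.out && terraform show -json plan.out`, then passing that JSON string to `review_plan`.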