ooni / devops


feat: oonimeasurements service deployment #58

Open DecFox opened 4 months ago

DecFox commented 4 months ago

This diff deploys the oonimeasurements service. We can apply this once we have https://github.com/ooni/backend/pull/851 merged

github-actions[bot] commented 4 months ago

Terraform Run Output 🤖

Format and Style 🖌 failure

Initialization ⚙️ success

Validation 🤖 success

Validation Output

```
$ terraform validate
Success! The configuration is valid.
```

Plan 📖 success

Show Plan

```
$ terraform plan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.oonidevops_github_user.aws_iam_access_key.oonidevops_github has been deleted
  - resource "aws_iam_access_key" "oonidevops_github" {
      - id     = "AKIA5FTZELIY7OIFEQBN" -> null
      - secret = (sensitive value) -> null
        # (4 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform planned the following actions, but then encountered a problem:

  # aws_secretsmanager_secret.ooniclickhouse_url will be created
  + resource "aws_secretsmanager_secret" "ooniclickhouse_url" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = "oonidevops/ooni-tier0-clickhouse/clickhouse_url"
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "Environment" = "dev"
          + "Name"        = "oonidevops-dev"
          + "Repository"  = "https://github.com/ooni/devops"
        }
      + tags_all                       = {
          + "Environment" = "dev"
          + "Name"        = "oonidevops-dev"
          + "Repository"  = "https://github.com/ooni/devops"
        }
    }

  # aws_secretsmanager_secret_version.ooniclickhouse_url will be created
  + resource "aws_secretsmanager_secret_version" "ooniclickhouse_url" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.ooni_backendproxy.aws_launch_template.ooni_backendproxy will be updated in-place
  ~ resource "aws_launch_template" "ooni_backendproxy" {
        id             = "lt-02ae2b46369a252fe"
      ~ image_id       = (sensitive value)
      ~ latest_version = 7 -> (known after apply)
        name           = "ooni-backendproxy-nginx-tmpl-20240310162527731600000004"
        tags           = {}
        # (16 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.ooniapi_cluster.aws_launch_template.container_host will be updated in-place
  ~ resource "aws_launch_template" "container_host" {
      ~ default_version = 10 -> (known after apply)
        id              = "lt-0e328a8671f870c64"
      ~ image_id        = (sensitive value)
      ~ latest_version  = 10 -> (known after apply)
        name            = "ooniapi-ecs-cluster20240310192643664900000001"
        tags            = {}
        # (16 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.ooniapi_oonimeasurements.aws_acm_certificate.ooniapi_service will be created
  + resource "aws_acm_certificate" "ooniapi_service" {
      + arn                       = (known after apply)
      + domain_name               = "oonimeasurements.api.dev.ooni.io"
      + domain_validation_options = [
          + {
              + domain_name           = "oonimeasurements.api.dev.ooni.io"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = (known after apply)
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "oonimeasurements.api.dev.ooni.io",
        ]
      + tags                      = {
          + "Environment" = "dev"
          + "Name"        = "ooni-tier0-oonimeasurements"
          + "Repository"  = "https://github.com/ooni/devops"
        }
      + tags_all                  = {
          + "Environment" = "dev"
          + "Name"        = "ooni-tier0-oonimeasurements"
          + "Repository"  = "https://github.com/ooni/devops"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # module.ooniapi_oonimeasurements.aws_acm_certificate_validation.ooniapi_service will be created
  + resource "aws_acm_certificate_validation" "ooniapi_service" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)
    }

  # module.ooniapi_oonimeasurements.aws_alb.ooniapi_service will be created
  + resource "aws_alb" "ooniapi_service" {
      + arn                                                          = (known after apply)
      + arn_suffix                                                   = (known after apply)
      + desync_mitigation_mode                                       = "defensive"
      + dns_name                                                     = (known after apply)
      + drop_invalid_header_fields                                   = false
      + enable_deletion_protection                                   = false
      + enable_http2                                                 = true
      + enable_tls_version_and_cipher_suite_headers                  = false
      + enable_waf_fail_open                                         = false
      + enable_xff_client_port                                       = false
      + enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
      + id                                                           =
(known after apply) + idle_timeout = 60 + internal = (known after apply) + ip_address_type = (known after apply) + load_balancer_type = "application" + name = "ooniapi-service-oonimeasurements" + name_prefix = (known after apply) + preserve_host_header = false + security_groups = [ + "sg-0187eedfe39538357", ] + subnets = [ + "subnet-0b18966cccfc9d5ef", + "subnet-0e7a4478be988463f", ] + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + vpc_id = (known after apply) + xff_header_processing_mode = "append" + zone_id = (known after apply) } # module.ooniapi_oonimeasurements.aws_alb_listener.front_end_https will be created + resource "aws_alb_listener" "front_end_https" { + arn = (known after apply) + certificate_arn = (known after apply) + id = (known after apply) + load_balancer_arn = (known after apply) + port = 443 + protocol = "HTTPS" + ssl_policy = "ELBSecurityPolicy-2016-08" + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + default_action { + order = (known after apply) + target_group_arn = (known after apply) + type = "forward" } } # module.ooniapi_oonimeasurements.aws_alb_listener.ooniapi_service_http will be created + resource "aws_alb_listener" "ooniapi_service_http" { + arn = (known after apply) + id = (known after apply) + load_balancer_arn = (known after apply) + port = 80 + protocol = "HTTP" + ssl_policy = (known after apply) + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + 
"Repository" = "https://github.com/ooni/devops" } + default_action { + order = (known after apply) + target_group_arn = (known after apply) + type = "forward" } } # module.ooniapi_oonimeasurements.aws_alb_target_group.ooniapi_service_direct will be created + resource "aws_alb_target_group" "ooniapi_service_direct" { + arn = (known after apply) + arn_suffix = (known after apply) + connection_termination = (known after apply) + deregistration_delay = "300" + id = (known after apply) + ip_address_type = (known after apply) + lambda_multi_value_headers_enabled = false + load_balancer_arns = (known after apply) + load_balancing_algorithm_type = (known after apply) + load_balancing_anomaly_mitigation = (known after apply) + load_balancing_cross_zone_enabled = (known after apply) + name = (known after apply) + name_prefix = "oooonD" + port = 80 + preserve_client_ip = (known after apply) + protocol = "HTTP" + protocol_version = (known after apply) + proxy_protocol_v2 = false + slow_start = 0 + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + target_type = "ip" + vpc_id = "vpc-0e382f3ad89286de9" } # module.ooniapi_oonimeasurements.aws_alb_target_group.ooniapi_service_mapped will be created + resource "aws_alb_target_group" "ooniapi_service_mapped" { + arn = (known after apply) + arn_suffix = (known after apply) + connection_termination = (known after apply) + deregistration_delay = "300" + id = (known after apply) + ip_address_type = (known after apply) + lambda_multi_value_headers_enabled = false + load_balancer_arns = (known after apply) + load_balancing_algorithm_type = (known after apply) + load_balancing_anomaly_mitigation = (known after apply) + load_balancing_cross_zone_enabled = (known after apply) + name = (known after apply) + name_prefix = "oooonM" + port 
= 80 + preserve_client_ip = (known after apply) + protocol = "HTTP" + protocol_version = (known after apply) + proxy_protocol_v2 = false + slow_start = 0 + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + target_type = "ip" + vpc_id = "vpc-0e382f3ad89286de9" } # module.ooniapi_oonimeasurements.aws_cloudwatch_log_group.ooniapi_service will be created + resource "aws_cloudwatch_log_group" "ooniapi_service" { + arn = (known after apply) + id = (known after apply) + log_group_class = (known after apply) + name = "ooni-ecs-group/ooniapi-service-oonimeasurements" + name_prefix = (known after apply) + retention_in_days = 0 + skip_destroy = false + tags_all = (known after apply) } # module.ooniapi_oonimeasurements.aws_iam_role.ooniapi_service_task will be created + resource "aws_iam_role" "ooniapi_service_task" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ecs-tasks.amazonaws.com" } + Sid = "" }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "ooniapi-service-oonimeasurements-task-role" + name_prefix = (known after apply) + path = "/" + tags = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + tags_all = { + "Environment" = "dev" + "Name" = "ooni-tier0-oonimeasurements" + "Repository" = "https://github.com/ooni/devops" } + unique_id = (known after apply) } # module.ooniapi_oonimeasurements.aws_iam_role_policy.ooniapi_service_task will be created + resource "aws_iam_role_policy" "ooniapi_service_task" { + id = (known after 
apply) + name = "ooniapi-service-oonimeasurements-task-role" + name_prefix = (known after apply) + policy = jsonencode( { + Statement = [ + { + Action = [ + "ecs:DeregisterContainerInstance", + "ecs:DiscoverPollEndpoint", + "ecs:Poll", + "ecs:RegisterContainerInstance", + "ecs:Submit*", + "ecs:StartTelemetrySession", ] + Effect = "Allow" + Resource = [ + "*", ] + Sid = "ecsInstanceRole" }, + { + Action = [ + "logs:*", + "cloudwatch:GenerateQuery", ] + Effect = "Allow" + Resource = "*" + Sid = "CloudWatchLogsFullAccess" }, + { + Action = [ + "secretsmanager:GetResourcePolicy", + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecretVersionIds", ] + Effect = "Allow" + Resource = "*" }, + { + Action = "secretsmanager:ListSecrets" + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "ec2:Describe*", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:Describe*", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:RegisterTargets", ] + Effect = "Allow" + Resource = "*" }, ] + Version = "2012-10-17" } ) + role = "ooniapi-service-oonimeasurements-task-role" } # module.ooniapi_oonimeasurements.aws_route53_record.ooniapi_service will be created + resource "aws_route53_record" "ooniapi_service" { + allow_overwrite = (known after apply) + fqdn = (known after apply) + id = (known after apply) + name = "oonimeasurements.api.dev.ooni.io" + type = "A" + zone_id = "Z055356431RGCLK3JXZDL" + alias { + evaluate_target_health = true + name = (known after apply) + zone_id = (known after apply) } } # module.ooniapi_oonimeasurements.aws_route53_record.ooniapi_service_validation["oonimeasurements.api.dev.ooni.io"] will be created + resource "aws_route53_record" "ooniapi_service_validation" { + allow_overwrite = true + fqdn = (known after apply) + id = (known after apply) + name = (known after apply) + records = (known after apply) + 
ttl = 60 + type = (known after apply) + zone_id = "Z055356431RGCLK3JXZDL" } # module.ooniapi_oonimeasurements.aws_security_group.ooniapi_service_ecs will be created + resource "aws_security_group" "ooniapi_service_ecs" { + arn = (known after apply) + description = "Allow all traffic" + egress = [ + { + cidr_blocks = [ + "0.0.0.0/0", ] + from_port = 0 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "-1" + security_groups = [] + self = false + to_port = 0 # (1 unchanged attribute hidden) }, + { + cidr_blocks = [] + from_port = 0 + ipv6_cidr_blocks = [ + "::/0", ] + prefix_list_ids = [] + protocol = "-1" + security_groups = [] + self = false + to_port = 0 # (1 unchanged attribute hidden) }, ] + id = (known after apply) + ingress = [ + { + cidr_blocks = [ + "0.0.0.0/0", ] + from_port = 0 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "-1" + security_groups = [] + self = false + to_port = 0 # (1 unchanged attribute hidden) }, + { + cidr_blocks = [] + from_port = 0 + ipv6_cidr_blocks = [ + "::/0", ] + prefix_list_ids = [] + protocol = "-1" + security_groups = [] + self = false + to_port = 0 # (1 unchanged attribute hidden) }, ] + name = (known after apply) + name_prefix = "ooniapi-service" + owner_id = (known after apply) + revoke_rules_on_delete = false + tags_all = (known after apply) + vpc_id = "vpc-0e382f3ad89286de9" } # module.ooniapi_oonimeasurements_deployer.aws_codebuild_project.ooniapi will be created + resource "aws_codebuild_project" "ooniapi" { + arn = (known after apply) + badge_enabled = false + badge_url = (known after apply) + build_timeout = 60 + concurrent_build_limit = 1 + description = (known after apply) + encryption_key = "arn:aws:kms:eu-central-1:905418398257:alias/aws/s3" + id = (known after apply) + name = "ooniapi-oonimeasurements" + project_visibility = "PRIVATE" + public_project_alias = (known after apply) + queued_timeout = 480 + service_role = (known after apply) + tags_all = (known after apply) + artifacts { + 
encryption_disabled = false + override_artifact_name = false + type = "NO_ARTIFACTS" } + cache { + type = "NO_CACHE" } + environment { + compute_type = "BUILD_GENERAL1_SMALL" + image = "aws/codebuild/standard:7.0" + image_pull_credentials_type = "CODEBUILD" + privileged_mode = true + type = "LINUX_CONTAINER" } + logs_config { + cloudwatch_logs { + status = "ENABLED" } + s3_logs { + encryption_disabled = false + status = "DISABLED" } } + source { + buildspec = "ooniapi/services/oonimeasurements/buildspec.yml" + git_clone_depth = 1 + insecure_ssl = false + location = "https://github.com/ooni/backend.git" + report_build_status = false + type = "GITHUB" + git_submodules_config { + fetch_submodules = false } } } # module.ooniapi_oonimeasurements_deployer.aws_iam_policy.codebuild will be created + resource "aws_iam_policy" "codebuild" { + arn = (known after apply) + description = "Policy used in trust relationship with CodeBuild" + id = (known after apply) + name = "codebuild-oonimeasurements-eu-central-1" + name_prefix = (known after apply) + path = "/service-role/" + policy = jsonencode( { + Statement = [ + { + Action = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", ] + Effect = "Allow" + Resource = [ + "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/ooniapi-oonimeasurements", + "arn:aws:logs:eu-central-1:905418398257:log-group:/aws/codebuild/ooniapi-oonimeasurements:*", ] }, + { + Action = [ + "s3:PutObject", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketAcl", + "s3:GetBucketLocation", ] + Effect = "Allow" + Resource = [ + "arn:aws:s3:::codepipeline-ooniapi-eu-central-1-*", ] }, + { + Action = [ + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", 
+ "codebuild:BatchPutCodeCoverages", ] + Effect = "Allow" + Resource = [ + "arn:aws:codebuild:eu-central-1:905418398257:report-group/ooniapi-oonimeasurements-*", ] }, + { + Action = "codestar-connections:UseConnection" + Effect = "Allow" + Resource = "arn:aws:codestar-connections:eu-central-1:905418398257:connection/6bd492f6-c11d-43ec-92b0-24c47700d528" }, ] + Version = "2012-10-17" } ) + policy_id = (known after apply) + tags_all = (known after apply) } # module.ooniapi_oonimeasurements_deployer.aws_iam_policy.codepipeline will be created + resource "aws_iam_policy" "codepipeline" { + arn = (known after apply) + description = "Policy used in trust relationship with CodePipeline" + id = (known after apply) + name = "codepipeline-ooniapi-oonimeasurements" + name_prefix = (known after apply) + path = "/service-role/" + policy = jsonencode( { + Statement = [ + { + Action = [ + "iam:PassRole", ] + Condition = { + StringEqualsIfExists = { + "iam:PassedToService" = [ + "cloudformation.amazonaws.com", + "elasticbeanstalk.amazonaws.com", + "ec2.amazonaws.com", + "ecs-tasks.amazonaws.com", ] } } + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "codecommit:CancelUploadArchive", + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:GetRepository", + "codecommit:GetUploadArchiveStatus", + "codecommit:UploadArchive", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "codedeploy:CreateDeployment", + "codedeploy:GetApplication", + "codedeploy:GetApplicationRevision", + "codedeploy:GetDeployment", + "codedeploy:GetDeploymentConfig", + "codedeploy:RegisterApplicationRevision", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "codestar-connections:UseConnection", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "elasticbeanstalk:*", + "ec2:*", + "elasticloadbalancing:*", + "autoscaling:*", + "cloudwatch:*", + "s3:*", + "sns:*", + "cloudformation:*", + "rds:*", + "sqs:*", + "ecs:*", ] + Effect = "Allow" + Resource = "*" }, + { + 
Action = [ + "lambda:InvokeFunction", + "lambda:ListFunctions", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "opsworks:CreateDeployment", + "opsworks:DescribeApps", + "opsworks:DescribeCommands", + "opsworks:DescribeDeployments", + "opsworks:DescribeInstances", + "opsworks:DescribeStacks", + "opsworks:UpdateApp", + "opsworks:UpdateStack", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "cloudformation:CreateStack", + "cloudformation:DeleteStack", + "cloudformation:DescribeStacks", + "cloudformation:UpdateStack", + "cloudformation:CreateChangeSet", + "cloudformation:DeleteChangeSet", + "cloudformation:DescribeChangeSet", + "cloudformation:ExecuteChangeSet", + "cloudformation:SetStackPolicy", + "cloudformation:ValidateTemplate", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "codebuild:BatchGetBuilds", + "codebuild:StartBuild", + "codebuild:BatchGetBuildBatches", + "codebuild:StartBuildBatch", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "devicefarm:ListProjects", + "devicefarm:ListDevicePools", + "devicefarm:GetRun", + "devicefarm:GetUpload", + "devicefarm:CreateUpload", + "devicefarm:ScheduleRun", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "servicecatalog:ListProvisioningArtifacts", + "servicecatalog:CreateProvisioningArtifact", + "servicecatalog:DescribeProvisioningArtifact", + "servicecatalog:DeleteProvisioningArtifact", + "servicecatalog:UpdateProduct", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "cloudformation:ValidateTemplate", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "ecr:DescribeImages", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "states:DescribeExecution", + "states:DescribeStateMachine", + "states:StartExecution", ] + Effect = "Allow" + Resource = "*" }, + { + Action = [ + "appconfig:StartDeployment", + "appconfig:StopDeployment", + "appconfig:GetDeployment", ] + Effect = "Allow" + Resource = "*" }, ] + Version = "2012-10-17" } ) + 
policy_id = (known after apply) + tags_all = (known after apply) } # module.ooniapi_oonimeasurements_deployer.aws_iam_role.codebuild will be created + resource "aws_iam_role" "codebuild" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "codebuild.amazonaws.com" } }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "codebuild-ooniapi-oonimeasurements" + name_prefix = (known after apply) + path = "/service-role/" + tags_all = (known after apply) + unique_id = (known after apply) } # module.ooniapi_oonimeasurements_deployer.aws_iam_role.codepipeline will be created + resource "aws_iam_role" "codepipeline" { + arn = (known after apply) + assume_role_policy = jsonencode( { + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "codepipeline.amazonaws.com" } }, ] + Version = "2012-10-17" } ) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "codepipeline-ooniapi-oonimeasurements" + name_prefix = (known after apply) + path = "/service-role/" + tags_all = (known after apply) + unique_id = (known after apply) } # module.oonidevops_github_user.aws_iam_access_key.oonidevops_github will be created + resource "aws_iam_access_key" "oonidevops_github" { + create_date = (known after apply) + encrypted_secret = (known after apply) + encrypted_ses_smtp_password_v4 = (known after apply) + id = (known after apply) + key_fingerprint = (known after apply) + secret = (sensitive value) + ses_smtp_password_v4 = (sensitive value) + status = "Active" + user = "oonidevops-github" } # module.oonidevops_github_user.aws_iam_user.oonidevops_github will be updated 
in-place ~ resource "aws_iam_user" "oonidevops_github" { id = "oonidevops-github" name = "oonidevops-github" ~ tags = { - "AKIA5FTZELIY4QGQPVBY" = "access ket for oonidevops github user with read-only access" -> null "Environment" = "dev" "Name" = "oonidevops-dev" "Repository" = "https://github.com/ooni/devops" } ~ tags_all = { - "AKIA5FTZELIY4QGQPVBY" = "access ket for oonidevops github user with read-only access" -> null # (3 unchanged elements hidden) } # (5 unchanged attributes hidden) } # module.oonidevops_github_user.aws_secretsmanager_secret_version.oonidevops_github must be replaced -/+ resource "aws_secretsmanager_secret_version" "oonidevops_github" { ~ arn = "arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/github_user/access_key_json-9JTJgd" -> (known after apply) ~ id = "arn:aws:secretsmanager:eu-central-1:905418398257:secret:oonidevops/github_user/access_key_json-9JTJgd|terraform-20240313203054132800000001" -> (known after apply) ~ secret_string = (sensitive value) # forces replacement ~ version_id = "terraform-20240313203054132800000001" -> (known after apply) ~ version_stages = [ - "AWSCURRENT", ] -> (known after apply) # (2 unchanged attributes hidden) } # module.oonith_cluster.aws_launch_template.container_host will be updated in-place ~ resource "aws_launch_template" "container_host" { ~ default_version = 5 -> (known after apply) id = "lt-0cc1023af38e0c608" ~ image_id = (sensitive value) ~ latest_version = 5 -> (known after apply) name = "oonith-ecs-cluster20240402135339541700000003" tags = {} # (16 unchanged attributes hidden) # (4 unchanged blocks hidden) } Plan: 22 to add, 4 to change, 1 to destroy. ```
Pusher @DecFox
Action pull_request
Environment dev
Workflow .github/workflows/check_terraform.yml
Last updated Sat, 18 May 2024 05:41:53 GMT
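Review bot: the ingress rules on module.ooniapi_oonimeasurements.aws_security_group.ooniapi_service_ecs admit every protocol and port from `0.0.0.0/0` and `::/0` (`protocol = "-1"`, description "Allow all traffic"), so nothing at the network layer limits the ECS tasks to traffic arriving through the ALB. The target groups in this plan use `target_type = "ip"` on port 80, so ingress could be limited to that port with the load balancer's security group (`sg-0187eedfe39538357` in the aws_alb block) as the source. Egress can stay open if the service needs outbound access.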
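Review bot: in module.ooniapi_oonimeasurements.aws_iam_role_policy.ooniapi_service_task, the statement granting `secretsmanager:GetSecretValue` uses `Resource = "*"`, which allows the oonimeasurements task role to read any secret in the account, including oonidevops/github_user/access_key_json and oonidevops/ooni-tier0-postgres/postgresql_url that appear elsewhere in this plan. Scope the resource to the secret ARNs the service actually reads (presumably the new oonidevops/ooni-tier0-clickhouse/clickhouse_url), and narrow the "CloudWatchLogsFullAccess" statement from `logs:*` on `"*"` to the write actions on the ooni-ecs-group/ooniapi-service-oonimeasurements log group.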
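Review bot: module.ooniapi_oonimeasurements.aws_alb_listener.front_end_https is planned with `ssl_policy = "ELBSecurityPolicy-2016-08"`, which still negotiates TLS 1.0 and 1.1; a TLS 1.2+ policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 would be a better choice for a new endpoint. In the same module, aws_alb_listener.ooniapi_service_http forwards port 80 traffic (`type = "forward"`) instead of redirecting to HTTPS, and the aws_alb has `drop_invalid_header_fields = false`; consider a redirect action and enabling header dropping unless clients depend on the current behaviour.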
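Review bot: module.ooniapi_oonimeasurements_deployer.aws_iam_policy.codepipeline (codepipeline-ooniapi-oonimeasurements) grants service-wide wildcards (`ec2:*`, `s3:*`, `ecs:*`, `rds:*` and others) plus `iam:PassRole` on `Resource = "*"`. If this pipeline only builds and deploys the one ECS service, trim the policy to the CodeBuild, ECS, artifact-bucket and codestar-connections actions it uses, and limit `iam:PassRole` to the task role ARN, so that a compromised pipeline cannot act on unrelated resources.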
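Review bot: this plan reaches beyond the oonimeasurements service. Because module.oonidevops_github_user.aws_iam_access_key.oonidevops_github was deleted outside Terraform, applying it will create a new access key for oonidevops-github and replace the `AWSCURRENT` version of oonidevops/github_user/access_key_json, and it also updates three launch templates in place. Confirm the key rotation is intended and that consumers of that secret will pick up the new value, or reconcile the drift in a separate change first. The output also states that Terraform "planned the following actions, but then encountered a problem", so the error behind that message should be resolved before this is applied.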