Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dflook/terraform-plan digest to b0877a1 #132

Merged
merged 1 commit into from
Dec 17, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 10, 2024

This PR contains the following updates:

Package Type Update Change
dflook/terraform-plan action digest 769e5a3 -> b0877a1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/01-minimal-aws-cloudformation-bootstrap

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

✅ Plan applied in terraform-apply-01-minimal-aws-cloudformation-bootstrap #64

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/02-minimal-gcp-tf-bootstrap

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

✅ Plan applied in terraform-apply-02-minimal-gcp-tf-bootstrap #65

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/04-aws-wireguard-vpn

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

❌ Error applying plan in terraform-apply-04-aws-wireguard-vpn #48

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/03-aws-github-actions-oidc

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

✅ Plan applied in terraform-apply-03-aws-github-actions-oidc #61

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/06-minimal-aws-terraform-bootstrap

No changes. Your infrastructure matches the configuration.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

✅ Plan applied in terraform-apply-06-minimal-aws-terraform-bootstrap #47

Copy link

github-actions bot commented Jan 10, 2024

Terraform plan in examples/05-aws-complete

Plan: 135 to add, 0 to change, 0 to destroy.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_eks_cluster.main will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_cluster" "main" {
+       arn                       = (known after apply)
+       certificate_authority     = (known after apply)
+       cluster_id                = (known after apply)
+       created_at                = (known after apply)
+       enabled_cluster_log_types = (known after apply)
+       endpoint                  = (known after apply)
+       id                        = (known after apply)
+       identity                  = (known after apply)
+       kubernetes_network_config = (known after apply)
+       name                      = "complete-example-prod"
+       outpost_config            = (known after apply)
+       platform_version          = (known after apply)
+       role_arn                  = (known after apply)
+       status                    = (known after apply)
+       tags                      = (known after apply)
+       version                   = (known after apply)
+       vpc_config                = (known after apply)
    }

  # data.aws_iam_policy_document.allow_command_exec will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "allow_command_exec" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "kms:Decrypt",
+               "ssmmessages:CreateControlChannel",
+               "ssmmessages:CreateDataChannel",
+               "ssmmessages:OpenControlChannel",
+               "ssmmessages:OpenDataChannel",
            ]
+           resources = [
+               "*",
            ]
        }
+       statement {
+           actions   = [
+               "logs:DescribeLogGroups",
            ]
+           resources = [
+               "*",
            ]
        }
+       statement {
+           actions   = [
+               "logs:CreateLogStream",
+               "logs:DescribeLogStreams",
+               "logs:PutLogEvents",
            ]
+           resources = [
+               (known after apply),
            ]
        }
    }

  # data.aws_iam_policy_document.loki_ecs_task_execution_role will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "loki_ecs_task_execution_role" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "ecr:GetAuthorizationToken",
            ]
+           effect    = "Allow"
+           resources = [
+               "*",
            ]
+           sid       = "AllowECSToAuthenticateToECRInCentralAccount"
        }
+       statement {
+           actions   = [
+               "ecr:BatchCheckLayerAvailability",
+               "ecr:BatchGetImage",
+               "ecr:GetDownloadUrlForLayer",
            ]
+           effect    = "Allow"
+           resources = [
+               (known after apply),
            ]
+           sid       = "AllowECSToPullImage"
        }
+       statement {
+           actions   = [
+               "logs:CreateLogStream",
+               "logs:DescribeLogStreams",
+               "logs:PutLogEvents",
            ]
+           effect    = "Allow"
+           resources = [
+               (known after apply),
            ]
+           sid       = "AllowECSToWriteLogsToCloudWatchLogs"
        }
    }

  # data.aws_iam_policy_document.loki_storage will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "loki_storage" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:DeleteObject",
+               "s3:GetObject",
+               "s3:ListBucket",
+               "s3:PutObject",
            ]
+           effect    = "Allow"
+           resources = [
+               (known after apply),
+               (known after apply),
            ]
+           sid       = "AllowLokiStorageChunksS3"
        }
    }

  # aws_alb.nginx_ingress will be created
+   resource "aws_alb" "nginx_ingress" {
+       arn                                         = (known after apply)
+       arn_suffix                                  = (known after apply)
+       desync_mitigation_mode                      = "defensive"
+       dns_name                                    = (known after apply)
+       drop_invalid_header_fields                  = true
+       enable_deletion_protection                  = false
+       enable_http2                                = true
+       enable_tls_version_and_cipher_suite_headers = false
+       enable_waf_fail_open                        = false
+       enable_xff_client_port                      = false
+       id                                          = (known after apply)
+       idle_timeout                                = 60
+       internal                                    = false
+       ip_address_type                             = (known after apply)
+       load_balancer_type                          = "application"
+       name                                        = "nginx-ingress"
+       preserve_host_header                        = false
+       security_groups                             = (known after apply)
+       subnets                                     = (known after apply)
+       tags_all                                    = (known after apply)
+       vpc_id                                      = (known after apply)
+       xff_header_processing_mode                  = "append"
+       zone_id                                     = (known after apply)

+       access_logs {
+           bucket  = (known after apply)
+           enabled = true
+           prefix  = "alb"
        }

+       subnet_mapping (known after apply)
    }

  # aws_alb_listener.https will be created
+   resource "aws_alb_listener" "https" {
+       arn               = (known after apply)
+       certificate_arn   = (known after apply)
+       id                = (known after apply)
+       load_balancer_arn = (known after apply)
+       port              = 443
+       protocol          = "HTTPS"
+       ssl_policy        = "ELBSecurityPolicy-FS-1-2-2019-08"
+       tags_all          = (known after apply)

+       default_action {
+           order = (known after apply)
+           type  = "fixed-response"

+           fixed_response {
+               content_type = "text/plain"
+               status_code  = "404"
            }
        }
    }

  # aws_alb_listener.nginx_ingress will be created
+   resource "aws_alb_listener" "nginx_ingress" {
+       arn               = (known after apply)
+       id                = (known after apply)
+       load_balancer_arn = (known after apply)
+       port              = 80
+       protocol          = "HTTP"
+       ssl_policy        = (known after apply)
+       tags_all          = (known after apply)

+       default_action {
+           order = (known after apply)
+           type  = "redirect"

+           redirect {
+               host        = "#{host}"
+               path        = "/#{path}"
+               port        = "443"
+               protocol    = "HTTPS"
+               query       = "#{query}"
+               status_code = "HTTP_301"
            }
        }
    }

  # aws_alb_listener_rule.nginx_ingress will be created
+   resource "aws_alb_listener_rule" "nginx_ingress" {
+       arn          = (known after apply)
+       id           = (known after apply)
+       listener_arn = (known after apply)
+       priority     = (known after apply)
+       tags_all     = (known after apply)

+       action {
+           order            = (known after apply)
+           target_group_arn = (known after apply)
+           type             = "forward"
        }

+       condition {
+           host_header {
+               values = [
+                   "*.terraform.pipetail.cloud",
+                   "terraform.pipetail.cloud",
                ]
            }
        }
    }

  # aws_alb_target_group.nginx_ingress will be created
+   resource "aws_alb_target_group" "nginx_ingress" {
+       arn                                = (known after apply)
+       arn_suffix                         = (known after apply)
+       connection_termination             = false
+       deregistration_delay               = "300"
+       id                                 = (known after apply)
+       ip_address_type                    = (known after apply)
+       lambda_multi_value_headers_enabled = false
+       load_balancing_algorithm_type      = (known after apply)
+       load_balancing_cross_zone_enabled  = (known after apply)
+       name                               = (known after apply)
+       name_prefix                        = "nginx"
+       port                               = 30080
+       preserve_client_ip                 = (known after apply)
+       protocol                           = "HTTP"
+       protocol_version                   = (known after apply)
+       proxy_protocol_v2                  = false
+       slow_start                         = 0
+       tags_all                           = (known after apply)
+       target_type                        = "instance"
+       vpc_id                             = (known after apply)

+       health_check {
+           enabled             = true
+           healthy_threshold   = 5
+           interval            = 30
+           matcher             = "200"
+           path                = "/healthz"
+           port                = "traffic-port"
+           protocol            = "HTTP"
+           timeout             = 5
+           unhealthy_threshold = 2
        }

+       stickiness (known after apply)

+       target_failover (known after apply)
    }

  # aws_budgets_budget.cost will be created
+   resource "aws_budgets_budget" "cost" {
+       account_id        = (known after apply)
+       arn               = (known after apply)
+       budget_type       = "COST"
+       cost_filters      = (known after apply)
+       id                = (known after apply)
+       limit_amount      = "100"
+       limit_unit        = "USD"
+       name              = "overall-cost"
+       name_prefix       = (known after apply)
+       time_period_end   = "2087-06-15_00:00"
+       time_period_start = (known after apply)
+       time_unit         = "MONTHLY"

+       cost_filter (known after apply)

+       cost_types (known after apply)

+       notification {
+           comparison_operator        = "GREATER_THAN"
+           notification_type          = "ACTUAL"
+           subscriber_email_addresses = [
+               "[email protected]",
            ]
+           subscriber_sns_topic_arns  = []
+           threshold                  = 90
+           threshold_type             = "PERCENTAGE"
        }
    }

  # aws_cloudtrail.main will be created
+   resource "aws_cloudtrail" "main" {
+       arn                           = (known after apply)
+       enable_log_file_validation    = true
+       enable_logging                = true
+       home_region                   = (known after apply)
+       id                            = (known after apply)
+       include_global_service_events = true
+       is_multi_region_trail         = true
+       is_organization_trail         = false
+       name                          = "complete-example-main"
+       s3_bucket_name                = (known after apply)
+       tags_all                      = (known after apply)
    }

  # aws_cloudwatch_log_group.command_execution will be created
+   resource "aws_cloudwatch_log_group" "command_execution" {
+       arn               = (known after apply)
+       id                = (known after apply)
+       kms_key_id        = (known after apply)
+       name              = "ecs-command-execution"
+       name_prefix       = (known after apply)
+       retention_in_days = 30
+       skip_destroy      = false
+       tags_all          = (known after apply)
    }

  # aws_cloudwatch_log_group.loki will be created
+   resource "aws_cloudwatch_log_group" "loki" {
+       arn               = (known after apply)
+       id                = (known after apply)
+       name              = "loki"
+       name_prefix       = (known after apply)
+       retention_in_days = 30
+       skip_destroy      = false
+       tags_all          = (known after apply)
    }

  # aws_ecr_repository.grafana will be created
+   resource "aws_ecr_repository" "grafana" {
+       arn                  = (known after apply)
+       id                   = (known after apply)
+       image_tag_mutability = "MUTABLE"
+       name                 = "grafana"
+       registry_id          = (known after apply)
+       repository_url       = (known after apply)
+       tags_all             = (known after apply)

+       image_scanning_configuration {
+           scan_on_push = true
        }
    }

  # aws_ecs_cluster.grafana will be created
+   resource "aws_ecs_cluster" "grafana" {
+       arn                = (known after apply)
+       capacity_providers = (known after apply)
+       id                 = (known after apply)
+       name               = "grafana"
+       tags               = {
+           "ManagedBy" = "Terraform"
+           "Name"      = "grafana"
        }
+       tags_all           = {
+           "ManagedBy" = "Terraform"
+           "Name"      = "grafana"
        }

+       configuration {
+           execute_command_configuration {
+               kms_key_id = (known after apply)
+               logging    = "OVERRIDE"

+               log_configuration {
+                   cloud_watch_encryption_enabled = true
+                   cloud_watch_log_group_name     = "ecs-command-execution"
                }
            }
        }

+       default_capacity_provider_strategy (known after apply)

+       setting {
+           name  = "containerInsights"
+           value = "enabled"
        }
    }

  # aws_ecs_service.loki will be created
+   resource "aws_ecs_service" "loki" {
+       cluster                            = "grafana"
+       deployment_maximum_percent         = 200
+       deployment_minimum_healthy_percent = 100
+       desired_count                      = 1
+       enable_ecs_managed_tags            = false
+       enable_execute_command             = true
+       iam_role                           = (known after apply)
+       id                                 = (known after apply)
+       launch_type                        = "FARGATE"
+       name                               = "loki"
+       platform_version                   = (known after apply)
+       scheduling_strategy                = "REPLICA"
+       tags_all                           = (known after apply)
+       task_definition                    = (known after apply)
+       triggers                           = (known after apply)
+       wait_for_steady_state              = false

+       network_configuration {
+           assign_public_ip = false
+           security_groups  = (known after apply)
+           subnets          = (known after apply)
        }

+       service_registries {
+           registry_arn = (known after apply)
        }
    }

  # aws_ecs_task_definition.loki will be created
+   resource "aws_ecs_task_definition" "loki" {
+       arn                      = (known after apply)
+       arn_without_revision     = (known after apply)
+       container_definitions    = jsonencode(
            [
+               {
+                   essential        = true
+                   image            = "175912345102.dkr.ecr.eu-west-1.amazonaws.com/grafana:loki-2.6.1-arm64"
+                   logConfiguration = {
+                       logDriver = "awslogs"
+                       options   = {
+                           awslogs-group         = "loki"
+                           awslogs-region        = "eu-west-1"
+                           awslogs-stream-prefix = "loki"
                        }
                    }
+                   name             = "loki"
+                   portMappings     = [
+                       {
+                           containerPort = 3100
+                           hostPort      = 3100
+                           protocol      = "tcp"
                        },
                    ]
                },
            ]
        )
+       cpu                      = "4096"
+       execution_role_arn       = (known after apply)
+       family                   = "loki_task_definition"
+       id                       = (known after apply)
+       memory                   = "8192"
+       network_mode             = "awsvpc"
+       requires_compatibilities = [
+           "FARGATE",
        ]
+       revision                 = (known after apply)
+       skip_destroy             = false
+       tags_all                 = (known after apply)
+       task_role_arn            = (known after apply)

+       runtime_platform {
+           cpu_architecture = "ARM64"
        }
    }

  # aws_elasticache_parameter_group.redis will be created
+   resource "aws_elasticache_parameter_group" "redis" {
+       arn         = (known after apply)
+       description = "Managed by Terraform"
+       family      = "redis6.x"
+       id          = (known after apply)
+       name        = "redis6-x"
+       tags_all    = (known after apply)

+       parameter {
+           name  = "activerehashing"
+           value = "yes"
        }
    }

  # aws_elasticache_replication_group.redis will be created
+   resource "aws_elasticache_replication_group" "redis" {
+       apply_immediately              = (known after apply)
+       arn                            = (known after apply)
+       at_rest_encryption_enabled     = (known after apply)
+       auto_minor_version_upgrade     = (known after apply)
+       automatic_failover_enabled     = true
+       cluster_enabled                = (known after apply)
+       configuration_endpoint_address = (known after apply)
+       data_tiering_enabled           = (known after apply)
+       description                    = "redis cluster"
+       engine                         = "redis"
+       engine_version                 = "6.2"
+       engine_version_actual          = (known after apply)
+       global_replication_group_id    = (known after apply)
+       id                             = (known after apply)
+       maintenance_window             = (known after apply)
+       member_clusters                = (known after apply)
+       multi_az_enabled               = false
+       node_type                      = "cache.t4g.small"
+       num_cache_clusters             = 2
+       num_node_groups                = (known after apply)
+       number_cache_clusters          = (known after apply)
+       parameter_group_name           = "redis6-x"
+       port                           = 6379
+       preferred_cache_cluster_azs    = [
+           "eu-west-1a",
+           "eu-west-1b",
        ]
+       primary_endpoint_address       = (known after apply)
+       reader_endpoint_address        = (known after apply)
+       replicas_per_node_group        = (known after apply)
+       replication_group_description  = (known after apply)
+       replication_group_id           = "*************"
+       security_group_ids             = (known after apply)
+       security_group_names           = (known after apply)
+       snapshot_window                = (known after apply)
+       subnet_group_name              = "complete-example-main-vpc"
+       tags_all                       = (known after apply)
+       transit_encryption_enabled     = (known after apply)

+       cluster_mode (known after apply)
    }

  # aws_iam_group.eks_access_administrator will be created
+   resource "aws_iam_group" "eks_access_administrator" {
+       arn       = (known after apply)
+       id        = (known after apply)
+       name      = "eks-administrators"
+       path      = "/"
+       unique_id = (known after apply)
    }

  # aws_iam_group_policy_attachment.eks_access_administrator will be created
+   resource "aws_iam_group_policy_attachment" "eks_access_administrator" {
+       group      = "eks-administrators"
+       id         = (known after apply)
+       policy_arn = (known after apply)
    }

  # aws_iam_policy.eks_access_administrator_allow_assume will be created
+   resource "aws_iam_policy" "eks_access_administrator_allow_assume" {
+       arn         = (known after apply)
+       id          = (known after apply)
+       name        = "eks_administrator_allow_assume"
+       name_prefix = (known after apply)
+       path        = "/"
+       policy      = (known after apply)
+       policy_id   = (known after apply)
+       tags_all    = (known after apply)
    }

  # aws_iam_policy.eks_kubeconfig will be created
+   resource "aws_iam_policy" "eks_kubeconfig" {
+       arn         = (known after apply)
+       description = "allow obtaining of kubeconfig for all EKS clusters"
+       id          = (known after apply)
+       name        = "eks_kubeconfig"
+       name_prefix = (known after apply)
+       path        = "/"
+       policy      = jsonencode(
            {
+               Statement = [
+                   {
+                       Action   = [
+                           "eks:DescribeCluster",
                        ]
+                       Effect   = "Allow"
+                       Resource = [
+                           "*",
                        ]
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       policy_id   = (known after apply)
+       tags_all    = (known after apply)
    }

  # aws_iam_role.eks_access_administrator will be created
+   resource "aws_iam_role" "eks_access_administrator" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           AWS = [
+                               "arn:aws:iam::175912345102:root",
                            ]
                        }
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "eks_administrator"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       role_last_used        = (known after apply)
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role.loki_ecs_task will be created
+   resource "aws_iam_role" "loki_ecs_task" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "ecs-tasks.amazonaws.com"
                        }
+                       Sid       = "AllowECSTasksToAssumeRole"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "loki-ecs-task"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       role_last_used        = (known after apply)
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role.loki_ecs_task_execution will be created
+   resource "aws_iam_role" "loki_ecs_task_execution" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "ecs-tasks.amazonaws.com"
                        }
+                       Sid       = "AllowECSTasksToAssumeRole"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "loki-ecs-task-execution"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       role_last_used        = (known after apply)
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role_policy.loki_ecs_task_command_exec will be created
+   resource "aws_iam_role_policy" "loki_ecs_task_command_exec" {
+       id     = (known after apply)
+       name   = "loki-ecs-command-exec"
+       policy = (known after apply)
+       role   = "loki-ecs-task"
    }

  # aws_iam_role_policy.loki_ecs_task_execution will be created
+   resource "aws_iam_role_policy" "loki_ecs_task_execution" {
+       id     = (known after apply)
+       name   = "loki-ecs-task-execution"
+       policy = (known after apply)
+       role   = "loki-ecs-task-execution"
    }

  # aws_iam_role_policy.loki_storage will be created
+   resource "aws_iam_role_policy" "loki_storage" {
+       id     = (known after apply)
+       name   = "loki-storage-access"
+       policy = (known after apply)
+       role   = "loki-ecs-task"
    }

  # aws_iam_role_policy_attachment.eks_access_administrator_kubeconfig will be created
+   resource "aws_iam_role_policy_attachment" "eks_access_administrator_kubeconfig" {
+       id         = (known after apply)
+       policy_arn = (known after apply)
+       role       = "eks_administrator"
    }

  # aws_iam_role_policy_attachment.loki_ecs_task_execution will be created
+   resource "aws_iam_role_policy_attachment" "loki_ecs_task_execution" {
+       id         = (known after apply)
+       policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+       role       = "loki-ecs-task-execution"
    }

  # aws_kms_key.main will be created
+   resource "aws_kms_key" "main" {
+       arn                                = (known after apply)
+       bypass_policy_lockout_safety_check = false
+       customer_master_key_spec           = "*****************"
+       deletion_window_in_days            = 10
+       description                        = "Shared KMS key"
+       enable_key_rotation                = true
+       id                                 = (known after apply)
+       is_enabled                         = true
+       key_id                             = (known after apply)
+       key_usage                          = "ENCRYPT_DECRYPT"
+       multi_region                       = (known after apply)
+       policy                             = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "kms:*"
+                       Effect    = "Allow"
+                       Principal = {
+                           AWS = "arn:aws:iam::175912345102:root"
                        }
+                       Resource  = "*"
+                       Sid       = "Allow everything in this AWS account to use this KMS key"
                    },
+                   {
+                       Action    = [
+                           "kms:ReEncrypt*",
+                           "kms:GenerateDataKey*",
+                           "kms:Encrypt*",
+                           "kms:Describe*",
+                           "kms:Decrypt*",
                        ]
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "logs.eu-west-1.amazonaws.com"
                        }
+                       Resource  = "*"
+                       Sid       = "Allow cloudwatch log group encryption"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       tags_all                           = (known after apply)
    }

  # aws_route53_record.api["A"] will be created
+   resource "aws_route53_record" "api" {
+       allow_overwrite = (known after apply)
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = "api.terraform.pipetail.cloud"
+       type            = "A"
+       zone_id         = "********************"

+       alias {
+           evaluate_target_health = false
+           name                   = (known after apply)
+           zone_id                = (known after apply)
        }
    }

  # aws_route53_record.api["AAAA"] will be created
+   resource "aws_route53_record" "api" {
+       allow_overwrite = (known after apply)
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = "api.terraform.pipetail.cloud"
+       type            = "AAAA"
+       zone_id         = "********************"

+       alias {
+           evaluate_target_health = false
+           name                   = (known after apply)
+           zone_id                = (known after apply)
        }
    }

  # aws_s3_bucket.cloudtrail will be created
+   resource "aws_s3_bucket" "cloudtrail" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "complete-example-cloudtrail"
+       bucket_domain_name          = (known after apply)
+       bucket_prefix               = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = true
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = (known after apply)
+       policy                      = (known after apply)
+       region                      = (known after apply)
+       request_payer               = (known after apply)
+       tags_all                    = (known after apply)
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule (known after apply)

+       grant (known after apply)

+       lifecycle_rule (known after apply)

+       logging (known after apply)

+       object_lock_configuration (known after apply)

+       replication_configuration (known after apply)

+       server_side_encryption_configuration (known after apply)

+       versioning (known after apply)

+       website (known after apply)
    }

  # aws_s3_bucket_policy.cloudtrail will be created
+   resource "aws_s3_bucket_policy" "cloudtrail" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
    }

  # aws_s3_bucket_public_access_block.cloudtrail will be created
+   resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       restrict_public_buckets = true
    }

  # aws_s3_bucket_server_side_encryption_configuration.cloudtrail will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
+       bucket = "complete-example-cloudtrail"
+       id     = (known after apply)

+       rule {
+           apply_server_side_encryption_by_default {
+               sse_algorithm     = "AES256"
#                (1 unchanged attribute hidden)
            }
        }
    }

  # aws_service_discovery_private_dns_namespace.loki will be created
+   resource "aws_service_discovery_private_dns_namespace" "loki" {
+       arn         = (known after apply)
+       description = "Service discovery local domain for grafana loki"
+       hosted_zone = (known after apply)
+       id          = (known after apply)
+       name        = "grafana.local"
+       tags_all    = (known after apply)
+       vpc         = (known after apply)
    }

  # aws_service_discovery_service.loki will be created
+   resource "aws_service_discovery_service" "loki" {
+       arn           = (known after apply)
+       force_destroy = false
+       id            = (known after apply)
+       name          = "loki"
+       namespace_id  = (known after apply)
+       tags_all      = (known after apply)
+       type          = (known after apply)

+       dns_config {
+           namespace_id   = (known after apply)
+           routing_policy = "MULTIVALUE"

+           dns_records {
+               ttl  = 10
+               type = "A"
            }
        }
    }

  # helm_release.nginx_ingress will be created
+   resource "helm_release" "nginx_ingress" {
+       atomic                     = true
+       chart                      = "ingress-nginx"
+       cleanup_on_fail            = false
+       create_namespace           = true
+       dependency_update          = false
+       disable_crd_hooks          = false
+       disable_openapi_validation = false
+       disable_webhooks           = false
+       force_update               = false
+       id                         = (known after apply)
+       lint                       = false
+       manifest                   = (known after apply)
+       max_history                = 0
+       metadata                   = (known after apply)
+       name                       = "nginx-ingress"
+       namespace                  = "nginx-ingress"
+       pass_credentials           = false
+       recreate_pods              = false
+       render_subchart_notes      = true
+       replace                    = false
+       repository                 = "https://kubernetes.github.io/ingress-nginx"
+       reset_values               = false
+       reuse_values               = false
+       skip_crds                  = false
+       status                     = "deployed"
+       timeout                    = 300
+       values                     = [
+           <<-EOT
                controller:
                  replicaCount: 3
                  resources:
                    limits:
                      memory: 128Mi
                    requests:
                      cpu: 100m
                      memory: 128Mi
                  podAnnotations:
                    prometheus.io/scrape: "true"
                    prometheus.io/path: "/metrics"
                    prometheus.io/port: "10254"
                    prometheus.io/scheme: "http"
                    log: "true"
                  podLabels:
                    app: nginx-ingress
                    release: nginx-prod
                
                  ingressClass: "nginx"
                
                  publishService:
                    enabled: true
                
                  metrics:
                    enabled: true
                
                  service:
                    externalTrafficPolicy: Cluster
                    type: NodePort
                    nodePorts:
                      http: 30080
                      https: 30443
                
                  admissionWebhooks:
                    enabled: false
                
                  config:
                    proxy-body-size: "500M"
                    proxy-buffer-size: "256k"
                    use-forwarded-headers: "true"
                    client-header-buffer-size: "256k"
                
                defaultBackend:
                  enabled: true
            EOT,
        ]
+       verify                     = false
+       version                    = "4.6.1"
+       wait                       = true
+       wait_for_jobs              = false
    }

  # module.certificate.aws_acm_certificate.main will be created
+   resource "aws_acm_certificate" "main" {
+       arn                       = (known after apply)
+       domain_name               = "*.terraform.pipetail.cloud"
+       domain_validation_options = [
+           {
+               domain_name           = "*.terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
+           {
+               domain_name           = "terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
        ]
+       id                        = (known after apply)
+       key_algorithm             = (known after apply)
+       not_after                 = (known after apply)
+       not_before                = (known after apply)
+       pending_renewal           = (known after apply)
+       renewal_eligibility       = (known after apply)
+       renewal_summary           = (known after apply)
+       status                    = (known after apply)
+       subject_alternative_names = [
+           "*.terraform.pipetail.cloud",
+           "terraform.pipetail.cloud",
        ]
+       tags_all                  = (known after apply)
+       type                      = (known after apply)
+       validation_emails         = (known after apply)
+       validation_method         = "DNS"

+       options (known after apply)
    }

  # module.certificate.aws_acm_certificate.virginia will be created
+   resource "aws_acm_certificate" "virginia" {
+       arn                       = (known after apply)
+       domain_name               = "*.terraform.pipetail.cloud"
+       domain_validation_options = [
+           {
+               domain_name           = "*.terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
+           {
+               domain_name           = "terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
        ]
+       id                        = (known after apply)
+       key_algorithm             = (known after apply)
+       not_after                 = (known after apply)
+       not_before                = (known after apply)
+       pending_renewal           = (known after apply)
+       renewal_eligibility       = (known after apply)
+       renewal_summary           = (known after apply)
+       status                    = (known after apply)
+       subject_alternative_names = [
+           "*.terraform.pipetail.cloud",
+           "terraform.pipetail.cloud",
        ]
+       tags_all                  = (known after apply)
+       type                      = (known after apply)
+       validation_emails         = (known after apply)
+       validation_method         = "DNS"

+       options (known after apply)
    }

  # module.certificate.aws_acm_certificate_validation.main will be created
+   resource "aws_acm_certificate_validation" "main" {
+       certificate_arn         = (known after apply)
+       id                      = (known after apply)
+       validation_record_fqdns = (known after apply)
    }

  # module.certificate.aws_route53_record.validation["*.terraform.pipetail.cloud"] will be created
+   resource "aws_route53_record" "validation" {
+       allow_overwrite = true
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = (known after apply)
+       records         = (known after apply)
+       ttl             = 60
+       type            = (known after apply)
+       zone_id         = "********************"
    }

  # module.certificate.aws_route53_record.validation["terraform.pipetail.cloud"] will be created
+   resource "aws_route53_record" "validation" {
+       allow_overwrite = true
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = (known after apply)
+       records         = (known after apply)
+       ttl             = 60
+       type            = (known after apply)
+       zone_id         = "********************"
    }

  # module.eks.aws_kms_alias.secrets_encryption will be created
+   resource "aws_kms_alias" "secrets_encryption" {
+       arn            = (known after apply)
+       id             = (known after apply)
+       name           = "alias/eks_complete-example-prod_encryption"
+       name_prefix    = (known after apply)
+       target_key_arn = (known after apply)
+       target_key_id  = (known after apply)
    }

  # module.eks.aws_security_group_rule.eks_workers_to_eks_workers_all will be created
+   resource "aws_security_group_rule" "eks_workers_to_eks_workers_all" {
+       description              = "EKS between workers all traffic"
+       from_port                = 0
+       id                       = (known after apply)
+       protocol                 = "-1"
+       security_group_id        = (known after apply)
+       security_group_rule_id   = (known after apply)
+       self                     = false
+       source_security_group_id = (known after apply)
+       to_port                  = 0
+       type                     = "ingress"
    }

  # module.eks.aws_security_group_rule.ingress["http"] will be created
+   resource "aws_security_group_rule" "ingress" {
+       description              = "Ingress to EKS Worker nodes"
+       from_port                = 30080
+       id                       = (known after apply)
+       protocol                 = "tcp"
+       security_group_id        = (known after apply)
+       security_group_rule_id   = (known after apply)
+       self                     = false
+       source_security_group_id = (known after apply)
+       to_port                  = 30080
+       type                     = "ingress"
    }

  # module.eks.aws_security_group_rule.ingress["https"] will be created
+   resource "aws_security_group_rule" "ingress" {
+       description              = "Ingress to EKS Worker nodes"
+       from_port                = 30443
+       id                       = (known after apply)
+       protocol                 = "tcp"
+       security_group_id        = (known after apply)
+       security_group_rule_id   = (known after apply)
+       self                     = false
+       source_security_group_id = (known after apply)
+       to_port                  = 30443
+       type                     = "ingress"
    }

  # module.elb_logs.data.aws_iam_policy_document.combined[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "combined" {
+       id                      = (known after apply)
+       json                    = (known after apply)
+       source_policy_documents = (known after apply)
    }

  # module.elb_logs.data.aws_iam_policy_document.deny_insecure_transport[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "deny_insecure_transport" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:*",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
+               (known after apply),
            ]
+           sid       = "denyInsecureTransport"

+           condition {
+               test     = "Bool"
+               values   = [
+                   "false",
                ]
+               variable = "aws:SecureTransport"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
    }

  # module.elb_logs.data.aws_iam_policy_document.elb_log_delivery[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "elb_log_delivery" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Allow"
+           resources = [
+               (known after apply),
            ]
+           sid       = "ELBRegionEu-West-1"

+           principals {
+               identifiers = [
+                   "arn:aws:iam::156460612806:root",
                ]
+               type        = "AWS"
            }
        }
+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Allow"
+           resources = [
+               (known after apply),
            ]
#            (1 unchanged attribute hidden)

+           principals {
+               identifiers = [
+                   "logdelivery.elasticloadbalancing.amazonaws.com",
                ]
+               type        = "Service"
            }
        }
    }

  # module.elb_logs.aws_s3_bucket.this[0] will be created
+   resource "aws_s3_bucket" "this" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "complete-example-elb-logs"
+       bucket_domain_name          = (known after apply)
+       bucket_prefix               = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = true
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = false
+       policy                      = (known after apply)
+       region                      = (known after apply)
+       request_payer               = (known after apply)
+       tags_all                    = (known after apply)
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule (known after apply)

+       grant (known after apply)

+       lifecycle_rule (known after apply)

+       logging (known after apply)

+       object_lock_configuration (known after apply)

+       replication_configuration (known after apply)

+       server_side_encryption_configuration (known after apply)

+       versioning (known after apply)

+       website (known after apply)
    }

  # module.elb_logs.aws_s3_bucket_acl.this[0] will be created
+   resource "aws_s3_bucket_acl" "this" {
+       acl    = "log-delivery-write"
+       bucket = (known after apply)
+       id     = (known after apply)

+       access_control_policy (known after apply)
    }

  # module.elb_logs.aws_s3_bucket_ownership_controls.this[0] will be created
+   resource "aws_s3_bucket_ownership_controls" "this" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           object_ownership = "ObjectWriter"
        }
    }

  # module.elb_logs.aws_s3_bucket_policy.this[0] will be created
+   resource "aws_s3_bucket_policy" "this" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
    }

  # module.elb_logs.aws_s3_bucket_public_access_block.this[0] will be created
+   resource "aws_s3_bucket_public_access_block" "this" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       restrict_public_buckets = true
    }

  # module.elb_logs.aws_s3_bucket_server_side_encryption_configuration.this[0] will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           apply_server_side_encryption_by_default {
+               sse_algorithm     = "AES256"
#                (1 unchanged attribute hidden)
            }
        }
    }

  # module.loki_storage.aws_s3_bucket.this[0] will be created
+   resource "aws_s3_bucket" "this" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "complete-example-loki-data"
+       bucket_domain_name          = (known after apply)
Plan is too large to fit in a PR comment. See the full plan in the workflow log.

📝 Plan generated in terraform-plan-05-aws-complete #155

@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to a96d199 chore(deps): update dflook/terraform-plan digest to f25146e Jan 12, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 0182af3 to 79ade6d Compare January 12, 2024 15:37
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to f25146e chore(deps): update dflook/terraform-plan digest to 34813b8 Jan 17, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 79ade6d to 628a1a7 Compare January 17, 2024 18:18
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to 34813b8 chore(deps): update dflook/terraform-plan digest to fd5954b Feb 11, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 628a1a7 to efeb3df Compare February 11, 2024 15:43
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to fd5954b chore(deps): update dflook/terraform-plan digest to 0f4a504 Mar 1, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from efeb3df to 19349aa Compare March 1, 2024 18:38
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to 0f4a504 chore(deps): update dflook/terraform-plan digest to 082a8bc May 28, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 19349aa to 9963876 Compare May 28, 2024 21:50
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to 082a8bc chore(deps): update dflook/terraform-plan digest to d9df4f6 Jun 1, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 9963876 to 67ecb69 Compare June 1, 2024 19:51
@renovate renovate bot changed the title chore(deps): update dflook/terraform-plan digest to d9df4f6 chore(deps): update dflook/terraform-plan digest to b0877a1 Aug 4, 2024
@renovate renovate bot force-pushed the renovate/dflook-terraform-plan-digest branch from 67ecb69 to b543c32 Compare August 4, 2024 12:58
@marekaf marekaf merged commit df0887f into master Dec 17, 2024
9 checks passed
@marekaf marekaf deleted the renovate/dflook-terraform-plan-digest branch December 17, 2024 08:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant