chore(deps): update hashicorp/setup-terraform action to v4#198
Merged
chore(deps): update hashicorp/setup-terraform action to v4#198
Conversation
Contributor
|
Terraform plan in examples/06-minimal-aws-terraform-bootstrap No changes. Your infrastructure matches the configuration.✅ Plan applied in terraform-apply-06-minimal-aws-terraform-bootstrap #85 |
Contributor
|
Terraform plan in examples/05-aws-complete Plan: 152 to add, 0 to change, 0 to destroy.Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.aws_eks_cluster.main will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_eks_cluster" "main" {
+ access_config = (known after apply)
+ arn = (known after apply)
+ certificate_authority = (known after apply)
+ cluster_id = (known after apply)
+ compute_config = (known after apply)
+ created_at = (known after apply)
+ enabled_cluster_log_types = (known after apply)
+ endpoint = (known after apply)
+ id = (known after apply)
+ identity = (known after apply)
+ kubernetes_network_config = (known after apply)
+ name = "complete-example-prod"
+ outpost_config = (known after apply)
+ platform_version = (known after apply)
+ remote_network_config = (known after apply)
+ role_arn = (known after apply)
+ status = (known after apply)
+ storage_config = (known after apply)
+ tags = (known after apply)
+ upgrade_policy = (known after apply)
+ version = (known after apply)
+ vpc_config = (known after apply)
+ zonal_shift_config = (known after apply)
}
# data.aws_iam_policy_document.allow_command_exec will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "allow_command_exec" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "kms:Decrypt",
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel",
]
+ resources = [
+ "*",
]
}
+ statement {
+ actions = [
+ "logs:DescribeLogGroups",
]
+ resources = [
+ "*",
]
}
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
]
+ resources = [
+ (known after apply),
]
}
}
# data.aws_iam_policy_document.loki_ecs_task_execution_role will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "loki_ecs_task_execution_role" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "ecr:GetAuthorizationToken",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "AllowECSToAuthenticateToECRInCentralAccount"
}
+ statement {
+ actions = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "AllowECSToPullImage"
}
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "AllowECSToWriteLogsToCloudWatchLogs"
}
}
# data.aws_iam_policy_document.loki_storage will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "loki_storage" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
+ (known after apply),
]
+ sid = "AllowLokiStorageChunksS3"
}
}
# aws_alb.nginx_ingress will be created
+ resource "aws_alb" "nginx_ingress" {
+ arn = (known after apply)
+ arn_suffix = (known after apply)
+ client_keep_alive = 3600
+ desync_mitigation_mode = "defensive"
+ dns_name = (known after apply)
+ drop_invalid_header_fields = true
+ enable_deletion_protection = false
+ enable_http2 = true
+ enable_tls_version_and_cipher_suite_headers = false
+ enable_waf_fail_open = false
+ enable_xff_client_port = false
+ enable_zonal_shift = false
+ enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
+ id = (known after apply)
+ idle_timeout = 60
+ internal = false
+ ip_address_type = (known after apply)
+ load_balancer_type = "application"
+ name = "nginx-ingress"
+ name_prefix = (known after apply)
+ preserve_host_header = false
+ security_groups = (known after apply)
+ subnets = (known after apply)
+ tags_all = (known after apply)
+ vpc_id = (known after apply)
+ xff_header_processing_mode = "append"
+ zone_id = (known after apply)
+ access_logs {
+ bucket = (known after apply)
+ enabled = true
+ prefix = "alb"
}
+ subnet_mapping (known after apply)
}
# aws_alb_listener.https will be created
+ resource "aws_alb_listener" "https" {
+ arn = (known after apply)
+ certificate_arn = (known after apply)
+ id = (known after apply)
+ load_balancer_arn = (known after apply)
+ port = 443
+ protocol = "HTTPS"
+ routing_http_request_x_amzn_mtls_clientcert_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_issuer_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_leaf_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_subject_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_validity_header_name = (known after apply)
+ routing_http_request_x_amzn_tls_cipher_suite_header_name = (known after apply)
+ routing_http_request_x_amzn_tls_version_header_name = (known after apply)
+ routing_http_response_access_control_allow_credentials_header_value = (known after apply)
+ routing_http_response_access_control_allow_headers_header_value = (known after apply)
+ routing_http_response_access_control_allow_methods_header_value = (known after apply)
+ routing_http_response_access_control_allow_origin_header_value = (known after apply)
+ routing_http_response_access_control_expose_headers_header_value = (known after apply)
+ routing_http_response_access_control_max_age_header_value = (known after apply)
+ routing_http_response_content_security_policy_header_value = (known after apply)
+ routing_http_response_server_enabled = (known after apply)
+ routing_http_response_strict_transport_security_header_value = (known after apply)
+ routing_http_response_x_content_type_options_header_value = (known after apply)
+ routing_http_response_x_frame_options_header_value = (known after apply)
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ tags_all = (known after apply)
+ tcp_idle_timeout_seconds = (known after apply)
+ default_action {
+ order = (known after apply)
+ type = "fixed-response"
+ fixed_response {
+ content_type = "text/plain"
+ status_code = "404"
}
}
+ mutual_authentication (known after apply)
}
# aws_alb_listener.nginx_ingress will be created
+ resource "aws_alb_listener" "nginx_ingress" {
+ arn = (known after apply)
+ id = (known after apply)
+ load_balancer_arn = (known after apply)
+ port = 80
+ protocol = "HTTP"
+ routing_http_request_x_amzn_mtls_clientcert_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_issuer_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_leaf_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_subject_header_name = (known after apply)
+ routing_http_request_x_amzn_mtls_clientcert_validity_header_name = (known after apply)
+ routing_http_request_x_amzn_tls_cipher_suite_header_name = (known after apply)
+ routing_http_request_x_amzn_tls_version_header_name = (known after apply)
+ routing_http_response_access_control_allow_credentials_header_value = (known after apply)
+ routing_http_response_access_control_allow_headers_header_value = (known after apply)
+ routing_http_response_access_control_allow_methods_header_value = (known after apply)
+ routing_http_response_access_control_allow_origin_header_value = (known after apply)
+ routing_http_response_access_control_expose_headers_header_value = (known after apply)
+ routing_http_response_access_control_max_age_header_value = (known after apply)
+ routing_http_response_content_security_policy_header_value = (known after apply)
+ routing_http_response_server_enabled = (known after apply)
+ routing_http_response_strict_transport_security_header_value = (known after apply)
+ routing_http_response_x_content_type_options_header_value = (known after apply)
+ routing_http_response_x_frame_options_header_value = (known after apply)
+ ssl_policy = (known after apply)
+ tags_all = (known after apply)
+ tcp_idle_timeout_seconds = (known after apply)
+ default_action {
+ order = (known after apply)
+ type = "redirect"
+ redirect {
+ host = "#{host}"
+ path = "/#{path}"
+ port = "443"
+ protocol = "HTTPS"
+ query = "#{query}"
+ status_code = "HTTP_301"
}
}
+ mutual_authentication (known after apply)
}
# aws_alb_listener_rule.nginx_ingress will be created
+ resource "aws_alb_listener_rule" "nginx_ingress" {
+ arn = (known after apply)
+ id = (known after apply)
+ listener_arn = (known after apply)
+ priority = (known after apply)
+ tags_all = (known after apply)
+ action {
+ order = (known after apply)
+ target_group_arn = (known after apply)
+ type = "forward"
}
+ condition {
+ host_header {
+ values = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
}
}
}
# aws_alb_target_group.nginx_ingress will be created
+ resource "aws_alb_target_group" "nginx_ingress" {
+ arn = (known after apply)
+ arn_suffix = (known after apply)
+ connection_termination = (known after apply)
+ deregistration_delay = "300"
+ id = (known after apply)
+ ip_address_type = (known after apply)
+ lambda_multi_value_headers_enabled = false
+ load_balancer_arns = (known after apply)
+ load_balancing_algorithm_type = (known after apply)
+ load_balancing_anomaly_mitigation = (known after apply)
+ load_balancing_cross_zone_enabled = (known after apply)
+ name = (known after apply)
+ name_prefix = "nginx"
+ port = 30080
+ preserve_client_ip = (known after apply)
+ protocol = "HTTP"
+ protocol_version = (known after apply)
+ proxy_protocol_v2 = false
+ slow_start = 0
+ tags_all = (known after apply)
+ target_type = "instance"
+ vpc_id = (known after apply)
+ health_check {
+ enabled = true
+ healthy_threshold = 5
+ interval = 30
+ matcher = "200"
+ path = "/healthz"
+ port = "traffic-port"
+ protocol = "HTTP"
+ timeout = 5
+ unhealthy_threshold = 2
}
+ stickiness (known after apply)
+ target_failover (known after apply)
+ target_group_health (known after apply)
+ target_health_state (known after apply)
}
# aws_budgets_budget.cost will be created
+ resource "aws_budgets_budget" "cost" {
+ account_id = (known after apply)
+ arn = (known after apply)
+ budget_type = "COST"
+ id = (known after apply)
+ limit_amount = "100"
+ limit_unit = "USD"
+ name = "overall-cost"
+ name_prefix = (known after apply)
+ tags_all = (known after apply)
+ time_period_end = "2087-06-15_00:00"
+ time_period_start = (known after apply)
+ time_unit = "MONTHLY"
+ cost_filter (known after apply)
+ cost_types (known after apply)
+ notification {
+ comparison_operator = "GREATER_THAN"
+ notification_type = "ACTUAL"
+ subscriber_email_addresses = [
+ "marek.bartik@pipetail.io",
]
+ subscriber_sns_topic_arns = []
+ threshold = 90
+ threshold_type = "PERCENTAGE"
}
}
# aws_cloudtrail.main will be created
+ resource "aws_cloudtrail" "main" {
+ arn = (known after apply)
+ enable_log_file_validation = true
+ enable_logging = true
+ home_region = (known after apply)
+ id = (known after apply)
+ include_global_service_events = true
+ is_multi_region_trail = true
+ is_organization_trail = false
+ name = "complete-example-main"
+ s3_bucket_name = (known after apply)
+ sns_topic_arn = (known after apply)
+ tags_all = (known after apply)
}
# aws_cloudwatch_log_group.command_execution will be created
+ resource "aws_cloudwatch_log_group" "command_execution" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = (known after apply)
+ log_group_class = (known after apply)
+ name = "ecs-command-execution"
+ name_prefix = (known after apply)
+ retention_in_days = 30
+ skip_destroy = false
+ tags_all = (known after apply)
}
# aws_cloudwatch_log_group.loki will be created
+ resource "aws_cloudwatch_log_group" "loki" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "loki"
+ name_prefix = (known after apply)
+ retention_in_days = 30
+ skip_destroy = false
+ tags_all = (known after apply)
}
# aws_ecr_repository.grafana will be created
+ resource "aws_ecr_repository" "grafana" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "MUTABLE"
+ name = "grafana"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags_all = (known after apply)
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# aws_ecs_cluster.grafana will be created
+ resource "aws_ecs_cluster" "grafana" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "grafana"
+ tags = {
+ "ManagedBy" = "Terraform"
+ "Name" = "grafana"
}
+ tags_all = {
+ "ManagedBy" = "Terraform"
+ "Name" = "grafana"
}
+ configuration {
+ execute_command_configuration {
+ kms_key_id = (known after apply)
+ logging = "OVERRIDE"
+ log_configuration {
+ cloud_watch_encryption_enabled = true
+ cloud_watch_log_group_name = "ecs-command-execution"
}
}
}
+ setting {
+ name = "containerInsights"
+ value = "enabled"
}
}
# aws_ecs_service.loki will be created
+ resource "aws_ecs_service" "loki" {
+ availability_zone_rebalancing = "DISABLED"
+ cluster = "grafana"
+ deployment_maximum_percent = 200
+ deployment_minimum_healthy_percent = 100
+ desired_count = 1
+ enable_ecs_managed_tags = false
+ enable_execute_command = true
+ iam_role = (known after apply)
+ id = (known after apply)
+ launch_type = "FARGATE"
+ name = "loki"
+ platform_version = (known after apply)
+ scheduling_strategy = "REPLICA"
+ tags_all = (known after apply)
+ task_definition = (known after apply)
+ triggers = (known after apply)
+ wait_for_steady_state = false
+ network_configuration {
+ assign_public_ip = false
+ security_groups = (known after apply)
+ subnets = (known after apply)
}
+ service_registries {
+ registry_arn = (known after apply)
}
}
# aws_ecs_task_definition.loki will be created
+ resource "aws_ecs_task_definition" "loki" {
+ arn = (known after apply)
+ arn_without_revision = (known after apply)
+ container_definitions = jsonencode(
[
+ {
+ essential = true
+ image = "175912345102.dkr.ecr.eu-west-1.amazonaws.com/grafana:loki-2.6.1-arm64"
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = "loki"
+ awslogs-region = "eu-west-1"
+ awslogs-stream-prefix = "loki"
}
}
+ name = "loki"
+ portMappings = [
+ {
+ containerPort = 3100
+ hostPort = 3100
+ protocol = "tcp"
},
]
},
]
)
+ cpu = "4096"
+ enable_fault_injection = (known after apply)
+ execution_role_arn = (known after apply)
+ family = "loki_task_definition"
+ id = (known after apply)
+ memory = "8192"
+ network_mode = "awsvpc"
+ requires_compatibilities = [
+ "FARGATE",
]
+ revision = (known after apply)
+ skip_destroy = false
+ tags_all = (known after apply)
+ task_role_arn = (known after apply)
+ track_latest = false
+ runtime_platform {
+ cpu_architecture = "ARM64"
}
}
# aws_elasticache_parameter_group.redis will be created
+ resource "aws_elasticache_parameter_group" "redis" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ family = "redis6.x"
+ id = (known after apply)
+ name = "redis6-x"
+ tags_all = (known after apply)
+ parameter {
+ name = "activerehashing"
+ value = "yes"
}
}
# aws_elasticache_replication_group.redis will be created
+ resource "aws_elasticache_replication_group" "redis" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ at_rest_encryption_enabled = (known after apply)
+ auth_token_update_strategy = "******"
+ auto_minor_version_upgrade = (known after apply)
+ automatic_failover_enabled = true
+ cluster_enabled = (known after apply)
+ cluster_mode = (known after apply)
+ configuration_endpoint_address = (known after apply)
+ data_tiering_enabled = (known after apply)
+ description = "redis cluster"
+ engine = "redis"
+ engine_version = "6.2"
+ engine_version_actual = (known after apply)
+ global_replication_group_id = (known after apply)
+ id = (known after apply)
+ ip_discovery = (known after apply)
+ maintenance_window = (known after apply)
+ member_clusters = (known after apply)
+ multi_az_enabled = false
+ network_type = (known after apply)
+ node_type = "cache.t4g.small"
+ num_cache_clusters = 2
+ num_node_groups = (known after apply)
+ parameter_group_name = "redis6-x"
+ port = 6379
+ preferred_cache_cluster_azs = [
+ "eu-west-1a",
+ "eu-west-1b",
]
+ primary_endpoint_address = (known after apply)
+ reader_endpoint_address = (known after apply)
+ replicas_per_node_group = (known after apply)
+ replication_group_id = "*************"
+ security_group_ids = (known after apply)
+ security_group_names = (known after apply)
+ snapshot_window = (known after apply)
+ subnet_group_name = "complete-example-main-vpc"
+ tags_all = (known after apply)
+ transit_encryption_enabled = (known after apply)
+ transit_encryption_mode = (known after apply)
}
# aws_iam_group.eks_access_administrator will be created
+ resource "aws_iam_group" "eks_access_administrator" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "eks-administrators"
+ path = "/"
+ unique_id = (known after apply)
}
# aws_iam_group_policy_attachment.eks_access_administrator will be created
+ resource "aws_iam_group_policy_attachment" "eks_access_administrator" {
+ group = "eks-administrators"
+ id = (known after apply)
+ policy_arn = (known after apply)
}
# aws_iam_policy.eks_access_administrator_allow_assume will be created
+ resource "aws_iam_policy" "eks_access_administrator_allow_assume" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = "eks_administrator_allow_assume"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = (known after apply)
+ policy_id = (known after apply)
+ tags_all = (known after apply)
}
# aws_iam_policy.eks_kubeconfig will be created
+ resource "aws_iam_policy" "eks_kubeconfig" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ description = "allow obtaining of kubeconfig for all EKS clusters"
+ id = (known after apply)
+ name = "eks_kubeconfig"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "eks:DescribeCluster",
]
+ Effect = "Allow"
+ Resource = [
+ "*",
]
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = (known after apply)
}
# aws_iam_role.eks_access_administrator will be created
+ resource "aws_iam_role" "eks_access_administrator" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = [
+ "arn:aws:iam::175912345102:root",
]
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "eks_administrator"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role.loki_ecs_task will be created
+ resource "aws_iam_role" "loki_ecs_task" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
}
+ Sid = "AllowECSTasksToAssumeRole"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "loki-ecs-task"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role.loki_ecs_task_execution will be created
+ resource "aws_iam_role" "loki_ecs_task_execution" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
}
+ Sid = "AllowECSTasksToAssumeRole"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "loki-ecs-task-execution"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role_policy.loki_ecs_task_command_exec will be created
+ resource "aws_iam_role_policy" "loki_ecs_task_command_exec" {
+ id = (known after apply)
+ name = "loki-ecs-command-exec"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ role = "loki-ecs-task"
}
# aws_iam_role_policy.loki_ecs_task_execution will be created
+ resource "aws_iam_role_policy" "loki_ecs_task_execution" {
+ id = (known after apply)
+ name = "loki-ecs-task-execution"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ role = "loki-ecs-task-execution"
}
# aws_iam_role_policy.loki_storage will be created
+ resource "aws_iam_role_policy" "loki_storage" {
+ id = (known after apply)
+ name = "loki-storage-access"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ role = "loki-ecs-task"
}
# aws_iam_role_policy_attachment.eks_access_administrator_kubeconfig will be created
+ resource "aws_iam_role_policy_attachment" "eks_access_administrator_kubeconfig" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "eks_administrator"
}
# aws_iam_role_policy_attachment.loki_ecs_task_execution will be created
+ resource "aws_iam_role_policy_attachment" "loki_ecs_task_execution" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+ role = "loki-ecs-task-execution"
}
# aws_kms_key.main will be created
+ resource "aws_kms_key" "main" {
+ arn = (known after apply)
+ bypass_policy_lockout_safety_check = false
+ customer_master_key_spec = "*****************"
+ deletion_window_in_days = 10
+ description = "Shared KMS key"
+ enable_key_rotation = true
+ id = (known after apply)
+ is_enabled = true
+ key_id = (known after apply)
+ key_usage = "ENCRYPT_DECRYPT"
+ multi_region = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::175912345102:root"
}
+ Resource = "*"
+ Sid = "Allow everything in this AWS account to use this KMS key"
},
+ {
+ Action = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt*",
+ "kms:Describe*",
+ "kms:Decrypt*",
]
+ Effect = "Allow"
+ Principal = {
+ Service = "logs.eu-west-1.amazonaws.com"
}
+ Resource = "*"
+ Sid = "Allow cloudwatch log group encryption"
},
]
+ Version = "2012-10-17"
}
)
+ rotation_period_in_days = (known after apply)
+ tags_all = (known after apply)
}
# aws_rds_cluster_parameter_group.main will be created
+ resource "aws_rds_cluster_parameter_group" "main" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ family = "aurora-postgresql16"
+ id = (known after apply)
+ name = "complete-example-aurora-postgresql16"
+ name_prefix = (known after apply)
+ tags_all = (known after apply)
+ parameter {
+ apply_method = "immediate"
+ name = "apg_ccm_enabled"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_analyze"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_buffers"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_format"
+ value = "json"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_min_duration"
+ value = "1000"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_nested_statements"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.log_verbose"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "auto_explain.sample_rate"
+ value = "1"
}
+ parameter {
+ apply_method = "immediate"
+ name = "track_activities"
+ value = "1"
}
+ parameter {
+ apply_method = "pending-reboot"
+ name = "rds.enable_plan_management"
+ value = "1"
}
+ parameter {
+ apply_method = "pending-reboot"
+ name = "shared_preload_libraries"
+ value = "pg_stat_statements,auto_explain"
}
}
# aws_route53_record.api["A"] will be created
+ resource "aws_route53_record" "api" {
+ allow_overwrite = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = "api.terraform.pipetail.cloud"
+ type = "A"
+ zone_id = "********************"
+ alias {
+ evaluate_target_health = false
+ name = (known after apply)
+ zone_id = (known after apply)
}
}
# aws_route53_record.api["AAAA"] will be created
+ resource "aws_route53_record" "api" {
+ allow_overwrite = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = "api.terraform.pipetail.cloud"
+ type = "AAAA"
+ zone_id = "********************"
+ alias {
+ evaluate_target_health = false
+ name = (known after apply)
+ zone_id = (known after apply)
}
}
# aws_s3_bucket.cloudtrail will be created
+ resource "aws_s3_bucket" "cloudtrail" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "complete-example-cloudtrail"
+ bucket_domain_name = (known after apply)
+ bucket_prefix = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = true
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ cors_rule (known after apply)
+ grant (known after apply)
+ lifecycle_rule (known after apply)
+ logging (known after apply)
+ object_lock_configuration (known after apply)
+ replication_configuration (known after apply)
+ server_side_encryption_configuration (known after apply)
+ versioning (known after apply)
+ website (known after apply)
}
# aws_s3_bucket_policy.cloudtrail will be created
+ resource "aws_s3_bucket_policy" "cloudtrail" {
+ bucket = (known after apply)
+ id = (known after apply)
+ policy = (known after apply)
}
# aws_s3_bucket_public_access_block.cloudtrail will be created
+ resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
# aws_s3_bucket_server_side_encryption_configuration.cloudtrail will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
+ bucket = "complete-example-cloudtrail"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
# (1 unchanged attribute hidden)
}
}
}
# aws_service_discovery_private_dns_namespace.loki will be created
+ resource "aws_service_discovery_private_dns_namespace" "loki" {
+ arn = (known after apply)
+ description = "Service discovery local domain for grafana loki"
+ hosted_zone = (known after apply)
+ id = (known after apply)
+ name = "grafana.local"
+ tags_all = (known after apply)
+ vpc = (known after apply)
}
# aws_service_discovery_service.loki will be created
+ resource "aws_service_discovery_service" "loki" {
+ arn = (known after apply)
+ force_destroy = false
+ id = (known after apply)
+ name = "loki"
+ namespace_id = (known after apply)
+ tags_all = (known after apply)
+ type = (known after apply)
+ dns_config {
+ namespace_id = (known after apply)
+ routing_policy = "MULTIVALUE"
+ dns_records {
+ ttl = 10
+ type = "A"
}
}
}
# helm_release.nginx_ingress will be created
+ resource "helm_release" "nginx_ingress" {
+ atomic = true
+ chart = "ingress-nginx"
+ cleanup_on_fail = false
+ create_namespace = true
+ dependency_update = false
+ disable_crd_hooks = false
+ disable_openapi_validation = false
+ disable_webhooks = false
+ force_update = false
+ id = (known after apply)
+ lint = false
+ manifest = (known after apply)
+ max_history = 0
+ metadata = (known after apply)
+ name = "nginx-ingress"
+ namespace = "nginx-ingress"
+ pass_credentials = false
+ recreate_pods = false
+ render_subchart_notes = true
+ replace = false
+ repository = "https://kubernetes.github.io/ingress-nginx"
+ reset_values = false
+ reuse_values = false
+ skip_crds = false
+ status = "deployed"
+ timeout = 300
+ values = [
+ <<-EOT
controller:
replicaCount: 3
resources:
limits:
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: "10254"
prometheus.io/scheme: "http"
log: "true"
podLabels:
app: nginx-ingress
release: nginx-prod
ingressClass: "nginx"
publishService:
enabled: true
metrics:
enabled: true
service:
externalTrafficPolicy: Cluster
type: NodePort
nodePorts:
http: 30080
https: 30443
admissionWebhooks:
enabled: false
config:
proxy-body-size: "500M"
proxy-buffer-size: "256k"
use-forwarded-headers: "true"
client-header-buffer-size: "256k"
defaultBackend:
enabled: true
EOT,
]
+ verify = false
+ version = "4.6.1"
+ wait = true
+ wait_for_jobs = false
}
# random_password.db_master_password will be created
+ resource "random_password" "db_master_password" {
+ bcrypt_hash = (sensitive value)
+ id = (known after apply)
+ length = 32
+ lower = true
+ min_lower = 0
+ min_numeric = 0
+ min_special = 0
+ min_upper = 0
+ number = true
+ numeric = true
+ result = (sensitive value)
+ special = false
+ upper = true
}
# module.certificate.aws_acm_certificate.main will be created
+ resource "aws_acm_certificate" "main" {
+ arn = (known after apply)
+ domain_name = "*.terraform.pipetail.cloud"
+ domain_validation_options = [
+ {
+ domain_name = "*.terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
+ {
+ domain_name = "terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ key_algorithm = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ pending_renewal = (known after apply)
+ renewal_eligibility = (known after apply)
+ renewal_summary = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
+ tags_all = (known after apply)
+ type = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
+ options (known after apply)
}
# module.certificate.aws_acm_certificate.virginia will be created
+ resource "aws_acm_certificate" "virginia" {
+ arn = (known after apply)
+ domain_name = "*.terraform.pipetail.cloud"
+ domain_validation_options = [
+ {
+ domain_name = "*.terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
+ {
+ domain_name = "terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ key_algorithm = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ pending_renewal = (known after apply)
+ renewal_eligibility = (known after apply)
+ renewal_summary = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
+ tags_all = (known after apply)
+ type = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
Plan is too large to fit in a PR comment. See the full plan in the workflow log.📝 Plan generated in terraform-plan-05-aws-complete #263 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3→v4Release Notes
hashicorp/setup-terraform (hashicorp/setup-terraform)
v4Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.