Skip to content

feat: add conftest policy for provider version pinning in modules#203

Merged
marekaf merged 1 commit intomasterfrom
feat/add-provider-pinning-conftest-policy
Mar 4, 2026
Merged

feat: add conftest policy for provider version pinning in modules#203
marekaf merged 1 commit intomasterfrom
feat/add-provider-pinning-conftest-policy

Conversation

@marekaf
Copy link
Member

@marekaf marekaf commented Mar 4, 2026

No description provided.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/06-minimal-aws-terraform-bootstrap

No changes. Your infrastructure matches the configuration. 
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in terraform-plan-06-minimal-aws-terraform-bootstrap #216

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/01-minimal-aws-cloudformation-bootstrap

No changes. Your infrastructure matches the configuration. 
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in terraform-plan-01-minimal-aws-cloudformation-bootstrap #343

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/03-aws-github-actions-oidc

No changes. Your infrastructure matches the configuration. 
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in terraform-plan-03-aws-github-actions-oidc #338

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/02-minimal-gcp-tf-bootstrap

No changes. Your infrastructure matches the configuration. 
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

📝 Plan generated in terraform-plan-02-minimal-gcp-tf-bootstrap #353

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/04-aws-wireguard-vpn

Plan: 4 to add, 0 to change, 0 to destroy. Changes to Outputs. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create

Terraform will perform the following actions:

  # module.wireguard_vpn.module.ec2_instance.aws_instance.this[0] will be created
+   resource "aws_instance" "this" {
+       ami                                  = "ami-05dff77713a4fa273"
+       arn                                  = (known after apply)
+       associate_public_ip_address          = true
+       availability_zone                    = (known after apply)
+       disable_api_stop                     = (known after apply)
+       disable_api_termination              = (known after apply)
+       ebs_optimized                        = (known after apply)
+       enable_primary_ipv6                  = (known after apply)
+       force_destroy                        = false
+       get_password_data                    = false
+       host_id                              = (known after apply)
+       host_resource_group_arn              = (known after apply)
+       iam_instance_profile                 = (known after apply)
+       id                                   = (known after apply)
+       instance_initiated_shutdown_behavior = (known after apply)
+       instance_lifecycle                   = (known after apply)
+       instance_state                       = (known after apply)
+       instance_type                        = "t2.micro"
+       ipv6_address_count                   = (known after apply)
+       ipv6_addresses                       = (known after apply)
+       key_name                             = (known after apply)
+       monitoring                           = true
+       outpost_arn                          = (known after apply)
+       password_data                        = (known after apply)
+       placement_group                      = (known after apply)
+       placement_group_id                   = (known after apply)
+       placement_partition_number           = (known after apply)
+       primary_network_interface_id         = (known after apply)
+       private_dns                          = (known after apply)
+       private_ip                           = (known after apply)
+       public_dns                           = (known after apply)
+       public_ip                            = (known after apply)
+       region                               = "eu-west-1"
+       secondary_private_ips                = (known after apply)
+       security_groups                      = (known after apply)
+       source_dest_check                    = true
+       spot_instance_request_id             = (known after apply)
+       subnet_id                            = "************************"
+       tags                                 = {
+           "Name" = "wireguard-vpn"
        }
+       tags_all                             = {
+           "Name" = "wireguard-vpn"
        }
+       tenancy                              = (known after apply)
+       user_data_base64                     = (known after apply)
+       user_data_replace_on_change          = false
+       volume_tags                          = {
+           "Name" = "wireguard-vpn"
        }
+       vpc_security_group_ids               = (known after apply)

+       capacity_reservation_specification (known after apply)

+       cpu_options (known after apply)

+       credit_specification {}

+       ebs_block_device (known after apply)

+       enclave_options {
+           enabled = (known after apply)
        }

+       ephemeral_block_device (known after apply)

+       instance_market_options (known after apply)

+       maintenance_options (known after apply)

+       metadata_options {
+           http_endpoint               = "enabled"
+           http_protocol_ipv6          = "disabled"
+           http_put_response_hop_limit = 1
+           http_tokens                 = "********"
+           instance_metadata_tags      = (known after apply)
        }

+       network_interface (known after apply)

+       primary_network_interface (known after apply)

+       private_dns_name_options (known after apply)

+       root_block_device (known after apply)

+       secondary_network_interface (known after apply)
    }

  # module.wireguard_vpn.module.ec2_instance.aws_security_group.this[0] will be created
+   resource "aws_security_group" "this" {
+       arn                    = (known after apply)
+       description            = "Managed by Terraform"
+       egress                 = (known after apply)
+       id                     = (known after apply)
+       ingress                = (known after apply)
+       name                   = (known after apply)
+       name_prefix            = "wireguard-vpn-"
+       owner_id               = (known after apply)
+       region                 = "eu-west-1"
+       revoke_rules_on_delete = false
+       tags                   = {
+           "Name" = "wireguard-vpn"
        }
+       tags_all               = {
+           "Name" = "wireguard-vpn"
        }
+       vpc_id                 = "*********************"
    }

  # module.wireguard_vpn.module.ec2_instance.aws_vpc_security_group_egress_rule.this["ipv4_default"] will be created
+   resource "aws_vpc_security_group_egress_rule" "this" {
+       arn                    = (known after apply)
+       cidr_ipv4              = "0.0.0.0/0"
+       description            = "Allow all IPv4 traffic"
+       id                     = (known after apply)
+       ip_protocol            = "-1"
+       region                 = "eu-west-1"
+       security_group_id      = (known after apply)
+       security_group_rule_id = (known after apply)
+       tags                   = {
+           "Name" = "wireguard-vpn-ipv4_default"
        }
+       tags_all               = {
+           "Name" = "wireguard-vpn-ipv4_default"
        }
    }

  # module.wireguard_vpn.module.ec2_instance.aws_vpc_security_group_egress_rule.this["ipv6_default"] will be created
+   resource "aws_vpc_security_group_egress_rule" "this" {
+       arn                    = (known after apply)
+       cidr_ipv6              = "::/0"
+       description            = "Allow all IPv6 traffic"
+       id                     = (known after apply)
+       ip_protocol            = "-1"
+       region                 = "eu-west-1"
+       security_group_id      = (known after apply)
+       security_group_rule_id = (known after apply)
+       tags                   = {
+           "Name" = "wireguard-vpn-ipv6_default"
        }
+       tags_all               = {
+           "Name" = "wireguard-vpn-ipv6_default"
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
+   vpn_config    = (known after apply)

Warning: Deprecated attribute

  on /tmp/terraform-data-dir/modules/vpc/vpc-flow-logs.tf line 28, in locals:
  28:     "arn:${data.aws_partition.current[0].partition}:logs:${data.aws_region.current[0].name}:${data.aws_caller_identity.current[0].account_id}:log-group:${log_group.name}:*"

The attribute "name" is deprecated. Refer to the provider documentation for
details.

📝 Plan generated in terraform-plan-04-aws-wireguard-vpn #148

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2026

Terraform plan in examples/05-aws-complete

Plan: 154 to add, 0 to change, 0 to destroy. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_eks_cluster.main will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_eks_cluster" "main" {
+       access_config                = (known after apply)
+       arn                          = (known after apply)
+       certificate_authority        = (known after apply)
+       cluster_id                   = (known after apply)
+       compute_config               = (known after apply)
+       control_plane_scaling_config = (known after apply)
+       created_at                   = (known after apply)
+       deletion_protection          = (known after apply)
+       enabled_cluster_log_types    = (known after apply)
+       endpoint                     = (known after apply)
+       id                           = (known after apply)
+       identity                     = (known after apply)
+       kubernetes_network_config    = (known after apply)
+       name                         = "complete-example-prod"
+       outpost_config               = (known after apply)
+       platform_version             = (known after apply)
+       region                       = (known after apply)
+       remote_network_config        = (known after apply)
+       role_arn                     = (known after apply)
+       status                       = (known after apply)
+       storage_config               = (known after apply)
+       tags                         = (known after apply)
+       upgrade_policy               = (known after apply)
+       version                      = (known after apply)
+       vpc_config                   = (known after apply)
+       zonal_shift_config           = (known after apply)
    }

  # aws_alb.nginx_ingress will be created
+   resource "aws_alb" "nginx_ingress" {
+       arn                                                          = (known after apply)
+       arn_suffix                                                   = (known after apply)
+       client_keep_alive                                            = 3600
+       desync_mitigation_mode                                       = "defensive"
+       dns_name                                                     = (known after apply)
+       drop_invalid_header_fields                                   = true
+       enable_deletion_protection                                   = false
+       enable_http2                                                 = true
+       enable_tls_version_and_cipher_suite_headers                  = false
+       enable_waf_fail_open                                         = false
+       enable_xff_client_port                                       = false
+       enable_zonal_shift                                           = false
+       enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
+       id                                                           = (known after apply)
+       idle_timeout                                                 = 60
+       internal                                                     = false
+       ip_address_type                                              = (known after apply)
+       load_balancer_type                                           = "application"
+       name                                                         = "nginx-ingress"
+       name_prefix                                                  = (known after apply)
+       preserve_host_header                                         = false
+       region                                                       = "eu-west-1"
+       secondary_ips_auto_assigned_per_subnet                       = (known after apply)
+       security_groups                                              = (known after apply)
+       subnets                                                      = (known after apply)
+       tags_all                                                     = (known after apply)
+       vpc_id                                                       = (known after apply)
+       xff_header_processing_mode                                   = "append"
+       zone_id                                                      = (known after apply)

+       access_logs {
+           bucket  = (known after apply)
+           enabled = true
+           prefix  = "alb"
        }

+       subnet_mapping (known after apply)
    }

  # aws_alb_listener.https will be created
+   resource "aws_alb_listener" "https" {
+       arn                                                                   = (known after apply)
+       certificate_arn                                                       = (known after apply)
+       id                                                                    = (known after apply)
+       load_balancer_arn                                                     = (known after apply)
+       port                                                                  = 443
+       protocol                                                              = "HTTPS"
+       region                                                                = "eu-west-1"
+       routing_http_request_x_amzn_mtls_clientcert_header_name               = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_issuer_header_name        = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_leaf_header_name          = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_subject_header_name       = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_validity_header_name      = (known after apply)
+       routing_http_request_x_amzn_tls_cipher_suite_header_name              = (known after apply)
+       routing_http_request_x_amzn_tls_version_header_name                   = (known after apply)
+       routing_http_response_access_control_allow_credentials_header_value   = (known after apply)
+       routing_http_response_access_control_allow_headers_header_value       = (known after apply)
+       routing_http_response_access_control_allow_methods_header_value       = (known after apply)
+       routing_http_response_access_control_allow_origin_header_value        = (known after apply)
+       routing_http_response_access_control_expose_headers_header_value      = (known after apply)
+       routing_http_response_access_control_max_age_header_value             = (known after apply)
+       routing_http_response_content_security_policy_header_value            = (known after apply)
+       routing_http_response_server_enabled                                  = (known after apply)
+       routing_http_response_strict_transport_security_header_value          = (known after apply)
+       routing_http_response_x_content_type_options_header_value             = (known after apply)
+       routing_http_response_x_frame_options_header_value                    = (known after apply)
+       ssl_policy                                                            = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+       tags_all                                                              = (known after apply)
+       tcp_idle_timeout_seconds                                              = (known after apply)

+       default_action {
+           order = (known after apply)
+           type  = "fixed-response"

+           fixed_response {
+               content_type = "text/plain"
+               status_code  = "404"
            }
        }

+       mutual_authentication (known after apply)
    }

  # aws_alb_listener.nginx_ingress will be created
+   resource "aws_alb_listener" "nginx_ingress" {
+       arn                                                                   = (known after apply)
+       id                                                                    = (known after apply)
+       load_balancer_arn                                                     = (known after apply)
+       port                                                                  = 80
+       protocol                                                              = "HTTP"
+       region                                                                = "eu-west-1"
+       routing_http_request_x_amzn_mtls_clientcert_header_name               = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_issuer_header_name        = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_leaf_header_name          = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_subject_header_name       = (known after apply)
+       routing_http_request_x_amzn_mtls_clientcert_validity_header_name      = (known after apply)
+       routing_http_request_x_amzn_tls_cipher_suite_header_name              = (known after apply)
+       routing_http_request_x_amzn_tls_version_header_name                   = (known after apply)
+       routing_http_response_access_control_allow_credentials_header_value   = (known after apply)
+       routing_http_response_access_control_allow_headers_header_value       = (known after apply)
+       routing_http_response_access_control_allow_methods_header_value       = (known after apply)
+       routing_http_response_access_control_allow_origin_header_value        = (known after apply)
+       routing_http_response_access_control_expose_headers_header_value      = (known after apply)
+       routing_http_response_access_control_max_age_header_value             = (known after apply)
+       routing_http_response_content_security_policy_header_value            = (known after apply)
+       routing_http_response_server_enabled                                  = (known after apply)
+       routing_http_response_strict_transport_security_header_value          = (known after apply)
+       routing_http_response_x_content_type_options_header_value             = (known after apply)
+       routing_http_response_x_frame_options_header_value                    = (known after apply)
+       ssl_policy                                                            = (known after apply)
+       tags_all                                                              = (known after apply)
+       tcp_idle_timeout_seconds                                              = (known after apply)

+       default_action {
+           order = (known after apply)
+           type  = "redirect"

+           redirect {
+               host        = "#{host}"
+               path        = "/#{path}"
+               port        = "443"
+               protocol    = "HTTPS"
+               query       = "#{query}"
+               status_code = "HTTP_301"
            }
        }

+       mutual_authentication (known after apply)
    }

  # aws_alb_listener_rule.nginx_ingress will be created
+   resource "aws_alb_listener_rule" "nginx_ingress" {
+       arn          = (known after apply)
+       id           = (known after apply)
+       listener_arn = (known after apply)
+       priority     = (known after apply)
+       region       = "eu-west-1"
+       tags_all     = (known after apply)

+       action {
+           order            = (known after apply)
+           target_group_arn = (known after apply)
+           type             = "forward"
        }

+       condition {
+           host_header {
+               regex_values = []
+               values       = [
+                   "*.terraform.pipetail.cloud",
+                   "terraform.pipetail.cloud",
                ]
            }
        }
    }

  # aws_alb_target_group.nginx_ingress will be created
+   resource "aws_alb_target_group" "nginx_ingress" {
+       arn                                = (known after apply)
+       arn_suffix                         = (known after apply)
+       connection_termination             = (known after apply)
+       deregistration_delay               = "300"
+       id                                 = (known after apply)
+       ip_address_type                    = (known after apply)
+       lambda_multi_value_headers_enabled = false
+       load_balancer_arns                 = (known after apply)
+       load_balancing_algorithm_type      = (known after apply)
+       load_balancing_anomaly_mitigation  = (known after apply)
+       load_balancing_cross_zone_enabled  = (known after apply)
+       name                               = (known after apply)
+       name_prefix                        = "nginx"
+       port                               = 30080
+       preserve_client_ip                 = (known after apply)
+       protocol                           = "HTTP"
+       protocol_version                   = (known after apply)
+       proxy_protocol_v2                  = false
+       region                             = "eu-west-1"
+       slow_start                         = 0
+       tags_all                           = (known after apply)
+       target_type                        = "instance"
+       vpc_id                             = (known after apply)

+       health_check {
+           enabled             = true
+           healthy_threshold   = 5
+           interval            = 30
+           matcher             = "200"
+           path                = "/healthz"
+           port                = "traffic-port"
+           protocol            = "HTTP"
+           timeout             = 5
+           unhealthy_threshold = 2
        }

+       stickiness (known after apply)

+       target_failover (known after apply)

+       target_group_health (known after apply)

+       target_health_state (known after apply)
    }

  # aws_budgets_budget.cost will be created
+   resource "aws_budgets_budget" "cost" {
+       account_id        = (known after apply)
+       arn               = (known after apply)
+       budget_type       = "COST"
+       id                = (known after apply)
+       limit_amount      = "100"
+       limit_unit        = "USD"
+       name              = "overall-cost"
+       name_prefix       = (known after apply)
+       tags_all          = (known after apply)
+       time_period_end   = "2087-06-15_00:00"
+       time_period_start = (known after apply)
+       time_unit         = "MONTHLY"

+       cost_filter (known after apply)

+       cost_types (known after apply)

+       notification {
+           comparison_operator        = "GREATER_THAN"
+           notification_type          = "ACTUAL"
+           subscriber_email_addresses = [
+               "marek.bartik@pipetail.io",
            ]
+           subscriber_sns_topic_arns  = []
+           threshold                  = 90
+           threshold_type             = "PERCENTAGE"
        }
    }

  # aws_cloudtrail.main will be created
+   resource "aws_cloudtrail" "main" {
+       arn                           = (known after apply)
+       enable_log_file_validation    = true
+       enable_logging                = true
+       home_region                   = (known after apply)
+       id                            = (known after apply)
+       include_global_service_events = true
+       is_multi_region_trail         = true
+       is_organization_trail         = false
+       name                          = "complete-example-main"
+       region                        = "eu-west-1"
+       s3_bucket_name                = (known after apply)
+       sns_topic_arn                 = (known after apply)
+       tags_all                      = (known after apply)
    }

  # aws_cloudwatch_log_group.command_execution will be created
+   resource "aws_cloudwatch_log_group" "command_execution" {
+       arn                         = (known after apply)
+       deletion_protection_enabled = (known after apply)
+       id                          = (known after apply)
+       kms_key_id                  = (known after apply)
+       log_group_class             = (known after apply)
+       name                        = "ecs-command-execution"
+       name_prefix                 = (known after apply)
+       region                      = "eu-west-1"
+       retention_in_days           = 30
+       skip_destroy                = false
+       tags_all                    = (known after apply)
    }

  # aws_cloudwatch_log_group.loki will be created
+   resource "aws_cloudwatch_log_group" "loki" {
+       arn                         = (known after apply)
+       deletion_protection_enabled = (known after apply)
+       id                          = (known after apply)
+       log_group_class             = (known after apply)
+       name                        = "loki"
+       name_prefix                 = (known after apply)
+       region                      = "eu-west-1"
+       retention_in_days           = 30
+       skip_destroy                = false
+       tags_all                    = (known after apply)
    }

  # aws_ecr_repository.grafana will be created
+   resource "aws_ecr_repository" "grafana" {
+       arn                  = (known after apply)
+       id                   = (known after apply)
+       image_tag_mutability = "MUTABLE"
+       name                 = "grafana"
+       region               = "eu-west-1"
+       registry_id          = (known after apply)
+       repository_url       = (known after apply)
+       tags_all             = (known after apply)

+       image_scanning_configuration {
+           scan_on_push = true
        }
    }

  # aws_ecs_cluster.grafana will be created
+   resource "aws_ecs_cluster" "grafana" {
+       arn      = (known after apply)
+       id       = (known after apply)
+       name     = "grafana"
+       region   = "eu-west-1"
+       tags     = {
+           "ManagedBy" = "Terraform"
+           "Name"      = "grafana"
        }
+       tags_all = {
+           "ManagedBy" = "Terraform"
+           "Name"      = "grafana"
        }

+       configuration {
+           execute_command_configuration {
+               kms_key_id = (known after apply)
+               logging    = "OVERRIDE"

+               log_configuration {
+                   cloud_watch_encryption_enabled = true
+                   cloud_watch_log_group_name     = "ecs-command-execution"
                }
            }
        }

+       setting {
+           name  = "containerInsights"
+           value = "enabled"
        }
    }

  # aws_ecs_service.loki will be created
+   resource "aws_ecs_service" "loki" {
+       arn                                = (known after apply)
+       availability_zone_rebalancing      = (known after apply)
+       cluster                            = "grafana"
+       deployment_maximum_percent         = 200
+       deployment_minimum_healthy_percent = 100
+       desired_count                      = 1
+       enable_ecs_managed_tags            = false
+       enable_execute_command             = true
+       iam_role                           = (known after apply)
+       id                                 = (known after apply)
+       launch_type                        = "FARGATE"
+       name                               = "loki"
+       platform_version                   = (known after apply)
+       region                             = "eu-west-1"
+       scheduling_strategy                = "REPLICA"
+       tags_all                           = (known after apply)
+       task_definition                    = (known after apply)
+       triggers                           = (known after apply)
+       wait_for_steady_state              = false

+       deployment_configuration (known after apply)

+       network_configuration {
+           assign_public_ip = false
+           security_groups  = (known after apply)
+           subnets          = (known after apply)
        }

+       service_registries {
+           registry_arn = (known after apply)
        }
    }

  # aws_ecs_task_definition.loki will be created
+   resource "aws_ecs_task_definition" "loki" {
+       arn                      = (known after apply)
+       arn_without_revision     = (known after apply)
+       container_definitions    = jsonencode(
            [
+               {
+                   essential        = true
+                   image            = "175912345102.dkr.ecr.eu-west-1.amazonaws.com/grafana:loki-2.6.1-arm64"
+                   logConfiguration = {
+                       logDriver = "awslogs"
+                       options   = {
+                           awslogs-group         = "loki"
+                           awslogs-region        = "eu-west-1"
+                           awslogs-stream-prefix = "loki"
                        }
                    }
+                   name             = "loki"
+                   portMappings     = [
+                       {
+                           containerPort = 3100
+                           hostPort      = 3100
+                           protocol      = "tcp"
                        },
                    ]
                },
            ]
        )
+       cpu                      = "4096"
+       enable_fault_injection   = (known after apply)
+       execution_role_arn       = (known after apply)
+       family                   = "loki_task_definition"
+       id                       = (known after apply)
+       memory                   = "8192"
+       network_mode             = "awsvpc"
+       region                   = "eu-west-1"
+       requires_compatibilities = [
+           "FARGATE",
        ]
+       revision                 = (known after apply)
+       skip_destroy             = false
+       tags_all                 = (known after apply)
+       task_role_arn            = (known after apply)
+       track_latest             = false

+       runtime_platform {
+           cpu_architecture = "ARM64"
        }
    }

  # aws_elasticache_parameter_group.redis will be created
+   resource "aws_elasticache_parameter_group" "redis" {
+       arn         = (known after apply)
+       description = "Managed by Terraform"
+       family      = "redis6.x"
+       id          = (known after apply)
+       name        = "redis6-x"
+       region      = "eu-west-1"
+       tags_all    = (known after apply)

+       parameter {
+           name  = "activerehashing"
+           value = "yes"
        }
    }

  # aws_elasticache_replication_group.redis will be created
+   resource "aws_elasticache_replication_group" "redis" {
+       apply_immediately              = (known after apply)
+       arn                            = (known after apply)
+       at_rest_encryption_enabled     = (known after apply)
+       auto_minor_version_upgrade     = (known after apply)
+       automatic_failover_enabled     = true
+       cluster_enabled                = (known after apply)
+       cluster_mode                   = (known after apply)
+       configuration_endpoint_address = (known after apply)
+       data_tiering_enabled           = (known after apply)
+       description                    = "redis cluster"
+       engine                         = "redis"
+       engine_version                 = "6.2"
+       engine_version_actual          = (known after apply)
+       global_replication_group_id    = (known after apply)
+       id                             = (known after apply)
+       ip_discovery                   = (known after apply)
+       maintenance_window             = (known after apply)
+       member_clusters                = (known after apply)
+       multi_az_enabled               = false
+       network_type                   = (known after apply)
+       node_type                      = "cache.t4g.small"
+       num_cache_clusters             = 2
+       num_node_groups                = (known after apply)
+       parameter_group_name           = "redis6-x"
+       port                           = 6379
+       preferred_cache_cluster_azs    = [
+           "eu-west-1a",
+           "eu-west-1b",
        ]
+       primary_endpoint_address       = (known after apply)
+       reader_endpoint_address        = (known after apply)
+       region                         = "eu-west-1"
+       replicas_per_node_group        = (known after apply)
+       replication_group_id           = "*************"
+       security_group_ids             = (known after apply)
+       security_group_names           = (known after apply)
+       snapshot_window                = (known after apply)
+       subnet_group_name              = "complete-example-main-vpc"
+       tags_all                       = (known after apply)
+       transit_encryption_enabled     = (known after apply)
+       transit_encryption_mode        = (known after apply)

+       node_group_configuration (known after apply)
    }

  # aws_iam_group.eks_access_administrator will be created
+   resource "aws_iam_group" "eks_access_administrator" {
+       arn       = (known after apply)
+       id        = (known after apply)
+       name      = "eks-administrators"
+       path      = "/"
+       unique_id = (known after apply)
    }

  # aws_iam_group_policy_attachment.eks_access_administrator will be created
+   resource "aws_iam_group_policy_attachment" "eks_access_administrator" {
+       group      = "eks-administrators"
+       id         = (known after apply)
+       policy_arn = (known after apply)
    }

  # aws_iam_policy.eks_access_administrator_allow_assume will be created
+   resource "aws_iam_policy" "eks_access_administrator_allow_assume" {
+       arn              = (known after apply)
+       attachment_count = (known after apply)
+       id               = (known after apply)
+       name             = "eks_administrator_allow_assume"
+       name_prefix      = (known after apply)
+       path             = "/"
+       policy           = (known after apply)
+       policy_id        = (known after apply)
+       tags_all         = (known after apply)
    }

  # aws_iam_policy.eks_kubeconfig will be created
+   resource "aws_iam_policy" "eks_kubeconfig" {
+       arn              = (known after apply)
+       attachment_count = (known after apply)
+       description      = "allow obtaining of kubeconfig for all EKS clusters"
+       id               = (known after apply)
+       name             = "eks_kubeconfig"
+       name_prefix      = (known after apply)
+       path             = "/"
+       policy           = jsonencode(
            {
+               Statement = [
+                   {
+                       Action   = [
+                           "eks:DescribeCluster",
                        ]
+                       Effect   = "Allow"
+                       Resource = [
+                           "*",
                        ]
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       policy_id        = (known after apply)
+       tags_all         = (known after apply)
    }

  # aws_iam_role.eks_access_administrator will be created
+   resource "aws_iam_role" "eks_access_administrator" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           AWS = [
+                               "arn:aws:iam::175912345102:root",
                            ]
                        }
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "eks_administrator"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role.loki_ecs_task will be created
+   resource "aws_iam_role" "loki_ecs_task" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "ecs-tasks.amazonaws.com"
                        }
+                       Sid       = "AllowECSTasksToAssumeRole"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "loki-ecs-task"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role.loki_ecs_task_execution will be created
+   resource "aws_iam_role" "loki_ecs_task_execution" {
+       arn                   = (known after apply)
+       assume_role_policy    = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = "sts:AssumeRole"
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "ecs-tasks.amazonaws.com"
                        }
+                       Sid       = "AllowECSTasksToAssumeRole"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       create_date           = (known after apply)
+       force_detach_policies = false
+       id                    = (known after apply)
+       managed_policy_arns   = (known after apply)
+       max_session_duration  = 3600
+       name                  = "loki-ecs-task-execution"
+       name_prefix           = (known after apply)
+       path                  = "/"
+       tags_all              = (known after apply)
+       unique_id             = (known after apply)

+       inline_policy (known after apply)
    }

  # aws_iam_role_policy.loki_ecs_task_command_exec will be created
+   resource "aws_iam_role_policy" "loki_ecs_task_command_exec" {
+       id          = (known after apply)
+       name        = "loki-ecs-command-exec"
+       name_prefix = (known after apply)
+       policy      = (known after apply)
+       role        = "loki-ecs-task"
    }

  # aws_iam_role_policy.loki_ecs_task_execution will be created
+   resource "aws_iam_role_policy" "loki_ecs_task_execution" {
+       id          = (known after apply)
+       name        = "loki-ecs-task-execution"
+       name_prefix = (known after apply)
+       policy      = (known after apply)
+       role        = "loki-ecs-task-execution"
    }

  # aws_iam_role_policy.loki_storage will be created
+   resource "aws_iam_role_policy" "loki_storage" {
+       id          = (known after apply)
+       name        = "loki-storage-access"
+       name_prefix = (known after apply)
+       policy      = (known after apply)
+       role        = "loki-ecs-task"
    }

  # aws_iam_role_policy_attachment.eks_access_administrator_kubeconfig will be created
+   resource "aws_iam_role_policy_attachment" "eks_access_administrator_kubeconfig" {
+       id         = (known after apply)
+       policy_arn = (known after apply)
+       role       = "eks_administrator"
    }

  # aws_iam_role_policy_attachment.loki_ecs_task_execution will be created
+   resource "aws_iam_role_policy_attachment" "loki_ecs_task_execution" {
+       id         = (known after apply)
+       policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+       role       = "loki-ecs-task-execution"
    }

  # aws_kms_key.main will be created
+   resource "aws_kms_key" "main" {
+       arn                                = (known after apply)
+       bypass_policy_lockout_safety_check = false
+       customer_master_key_spec           = "*****************"
+       deletion_window_in_days            = 10
+       description                        = "Shared KMS key"
+       enable_key_rotation                = true
+       id                                 = (known after apply)
+       is_enabled                         = true
+       key_id                             = (known after apply)
+       key_usage                          = "ENCRYPT_DECRYPT"
+       multi_region                       = (known after apply)
+       policy                             = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = [
+                           "kms:*",
                        ]
+                       Effect    = "Allow"
+                       Principal = {
+                           AWS = "arn:aws:iam::175912345102:root"
                        }
+                       Resource  = [
+                           "*",
                        ]
+                       Sid       = "Allow everything in this AWS account to use this KMS key"
                    },
+                   {
+                       Action    = [
+                           "kms:Encrypt*",
+                           "kms:Decrypt*",
+                           "kms:ReEncrypt*",
+                           "kms:GenerateDataKey*",
+                           "kms:Describe*",
                        ]
+                       Effect    = "Allow"
+                       Principal = {
+                           Service = "logs.eu-west-1.amazonaws.com"
                        }
+                       Resource  = [
+                           "*",
                        ]
+                       Sid       = "Allow cloudwatch log group encryption"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       region                             = "eu-west-1"
+       rotation_period_in_days            = (known after apply)
+       tags_all                           = (known after apply)
    }

  # aws_rds_cluster_parameter_group.main will be created
+   resource "aws_rds_cluster_parameter_group" "main" {
+       arn         = (known after apply)
+       description = "Managed by Terraform"
+       family      = "aurora-postgresql16"
+       id          = (known after apply)
+       name        = "complete-example-aurora-postgresql16"
+       name_prefix = (known after apply)
+       region      = "eu-west-1"
+       tags_all    = (known after apply)

+       parameter {
+           apply_method = "immediate"
+           name         = "apg_ccm_enabled"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_analyze"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_buffers"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_format"
+           value        = "json"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_min_duration"
+           value        = "1000"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_nested_statements"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.log_verbose"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "auto_explain.sample_rate"
+           value        = "1"
        }
+       parameter {
+           apply_method = "immediate"
+           name         = "track_activities"
+           value        = "1"
        }
+       parameter {
+           apply_method = "pending-reboot"
+           name         = "rds.enable_plan_management"
+           value        = "1"
        }
+       parameter {
+           apply_method = "pending-reboot"
+           name         = "shared_preload_libraries"
+           value        = "pg_stat_statements,auto_explain"
        }
    }

  # aws_route53_record.api["A"] will be created
+   resource "aws_route53_record" "api" {
+       allow_overwrite = (known after apply)
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = "api.terraform.pipetail.cloud"
+       type            = "A"
+       zone_id         = "********************"

+       alias {
+           evaluate_target_health = false
+           name                   = (known after apply)
+           zone_id                = (known after apply)
        }
    }

  # aws_route53_record.api["AAAA"] will be created
+   resource "aws_route53_record" "api" {
+       allow_overwrite = (known after apply)
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = "api.terraform.pipetail.cloud"
+       type            = "AAAA"
+       zone_id         = "********************"

+       alias {
+           evaluate_target_health = false
+           name                   = (known after apply)
+           zone_id                = (known after apply)
        }
    }

  # aws_s3_bucket.cloudtrail will be created
+   resource "aws_s3_bucket" "cloudtrail" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "complete-example-cloudtrail"
+       bucket_domain_name          = (known after apply)
+       bucket_prefix               = (known after apply)
+       bucket_region               = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = true
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = (known after apply)
+       policy                      = (known after apply)
+       region                      = "eu-west-1"
+       request_payer               = (known after apply)
+       tags_all                    = (known after apply)
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule (known after apply)

+       grant (known after apply)

+       lifecycle_rule (known after apply)

+       logging (known after apply)

+       object_lock_configuration (known after apply)

+       replication_configuration (known after apply)

+       server_side_encryption_configuration (known after apply)

+       versioning (known after apply)

+       website (known after apply)
    }

  # aws_s3_bucket_policy.cloudtrail will be created
+   resource "aws_s3_bucket_policy" "cloudtrail" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
+       region = "eu-west-1"
    }

  # aws_s3_bucket_public_access_block.cloudtrail will be created
+   resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       region                  = "eu-west-1"
+       restrict_public_buckets = true
    }

  # aws_s3_bucket_server_side_encryption_configuration.cloudtrail will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
+       bucket = "complete-example-cloudtrail"
+       id     = (known after apply)
+       region = "eu-west-1"

+       rule {
+           blocked_encryption_types = []

+           apply_server_side_encryption_by_default {
+               sse_algorithm     = "AES256"
#                (1 unchanged attribute hidden)
            }
        }
    }

  # aws_service_discovery_private_dns_namespace.loki will be created
+   resource "aws_service_discovery_private_dns_namespace" "loki" {
+       arn         = (known after apply)
+       description = "Service discovery local domain for grafana loki"
+       hosted_zone = (known after apply)
+       id          = (known after apply)
+       name        = "grafana.local"
+       region      = "eu-west-1"
+       tags_all    = (known after apply)
+       vpc         = (known after apply)
    }

  # aws_service_discovery_service.loki will be created
+   resource "aws_service_discovery_service" "loki" {
+       arn           = (known after apply)
+       force_destroy = false
+       id            = (known after apply)
+       name          = "loki"
+       namespace_id  = (known after apply)
+       region        = "eu-west-1"
+       tags_all      = (known after apply)
+       type          = (known after apply)

+       dns_config {
+           namespace_id   = (known after apply)
+           routing_policy = "MULTIVALUE"

+           dns_records {
+               ttl  = 10
+               type = "A"
            }
        }
    }

  # helm_release.nginx_ingress will be created
+   resource "helm_release" "nginx_ingress" {
+       atomic                     = true
+       chart                      = "ingress-nginx"
+       cleanup_on_fail            = false
+       create_namespace           = true
+       dependency_update          = false
+       disable_crd_hooks          = false
+       disable_openapi_validation = false
+       disable_webhooks           = false
+       force_update               = false
+       id                         = (known after apply)
+       lint                       = false
+       manifest                   = (known after apply)
+       max_history                = 0
+       metadata                   = (known after apply)
+       name                       = "nginx-ingress"
+       namespace                  = "nginx-ingress"
+       pass_credentials           = false
+       recreate_pods              = false
+       render_subchart_notes      = true
+       replace                    = false
+       repository                 = "https://kubernetes.github.io/ingress-nginx"
+       reset_values               = false
+       reuse_values               = false
+       skip_crds                  = false
+       status                     = "deployed"
+       timeout                    = 300
+       values                     = [
+           <<-EOT
                controller:
                  replicaCount: 3
                  resources:
                    limits:
                      memory: 128Mi
                    requests:
                      cpu: 100m
                      memory: 128Mi
                  podAnnotations:
                    prometheus.io/scrape: "true"
                    prometheus.io/path: "/metrics"
                    prometheus.io/port: "10254"
                    prometheus.io/scheme: "http"
                    log: "true"
                  podLabels:
                    app: nginx-ingress
                    release: nginx-prod
                
                  ingressClass: "nginx"
                
                  publishService:
                    enabled: true
                
                  metrics:
                    enabled: true
                
                  service:
                    externalTrafficPolicy: Cluster
                    type: NodePort
                    nodePorts:
                      http: 30080
                      https: 30443
                
                  admissionWebhooks:
                    enabled: false
                
                  config:
                    proxy-body-size: "500M"
                    proxy-buffer-size: "256k"
                    use-forwarded-headers: "true"
                    client-header-buffer-size: "256k"
                
                defaultBackend:
                  enabled: true
            EOT,
        ]
+       verify                     = false
+       version                    = "4.6.1"
+       wait                       = true
+       wait_for_jobs              = false
    }

  # random_password.db_master_password will be created
+   resource "random_password" "db_master_password" {
+       bcrypt_hash = (sensitive value)
+       id          = (known after apply)
+       length      = 32
+       lower       = true
+       min_lower   = 0
+       min_numeric = 0
+       min_special = 0
+       min_upper   = 0
+       number      = true
+       numeric     = true
+       result      = (sensitive value)
+       special     = false
+       upper       = true
    }

  # module.certificate.aws_acm_certificate.main will be created
+   resource "aws_acm_certificate" "main" {
+       arn                       = (known after apply)
+       domain_name               = "*.terraform.pipetail.cloud"
+       domain_validation_options = [
+           {
+               domain_name           = "*.terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
+           {
+               domain_name           = "terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
        ]
+       id                        = (known after apply)
+       key_algorithm             = (known after apply)
+       not_after                 = (known after apply)
+       not_before                = (known after apply)
+       pending_renewal           = (known after apply)
+       region                    = "eu-west-1"
+       renewal_eligibility       = (known after apply)
+       renewal_summary           = (known after apply)
+       status                    = (known after apply)
+       subject_alternative_names = [
+           "*.terraform.pipetail.cloud",
+           "terraform.pipetail.cloud",
        ]
+       tags_all                  = (known after apply)
+       type                      = (known after apply)
+       validation_emails         = (known after apply)
+       validation_method         = "DNS"

+       options (known after apply)
    }

  # module.certificate.aws_acm_certificate.virginia will be created
+   resource "aws_acm_certificate" "virginia" {
+       arn                       = (known after apply)
+       domain_name               = "*.terraform.pipetail.cloud"
+       domain_validation_options = [
+           {
+               domain_name           = "*.terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
+           {
+               domain_name           = "terraform.pipetail.cloud"
+               resource_record_name  = (known after apply)
+               resource_record_type  = (known after apply)
+               resource_record_value = (known after apply)
            },
        ]
+       id                        = (known after apply)
+       key_algorithm             = (known after apply)
+       not_after                 = (known after apply)
+       not_before                = (known after apply)
+       pending_renewal           = (known after apply)
+       region                    = "us-east-1"
+       renewal_eligibility       = (known after apply)
+       renewal_summary           = (known after apply)
+       status                    = (known after apply)
+       subject_alternative_names = [
+           "*.terraform.pipetail.cloud",
+           "terraform.pipetail.cloud",
        ]
+       tags_all                  = (known after apply)
+       type                      = (known after apply)
+       validation_emails         = (known after apply)
+       validation_method         = "DNS"

+       options (known after apply)
    }

  # module.certificate.aws_acm_certificate_validation.main will be created
+   resource "aws_acm_certificate_validation" "main" {
+       certificate_arn         = (known after apply)
+       id                      = (known after apply)
+       region                  = "eu-west-1"
+       validation_record_fqdns = (known after apply)
    }

  # module.certificate.aws_route53_record.validation["*.terraform.pipetail.cloud"] will be created
+   resource "aws_route53_record" "validation" {
+       allow_overwrite = true
+       fqdn            = (known after apply)
+       id              = (known after apply)
+       name            = (known after apply)
+       records         = (known after apply)
+       ttl             = 60
+       type            = (known after apply)
+       zone_id         = "********************"
    }

  # module.certificate.aws_route53_record.validation["terraform.pipetail.cloud"] will be created
Plan is too large to fit in a PR comment. See the full plan in the workflow log.

📝 Plan generated in terraform-plan-05-aws-complete #274

@marekaf marekaf force-pushed the feat/add-provider-pinning-conftest-policy branch from 612901e to 7d0147b Compare March 4, 2026 08:25
@marekaf marekaf force-pushed the feat/add-provider-pinning-conftest-policy branch from 7d0147b to 8326156 Compare March 4, 2026 08:29
@marekaf marekaf changed the title Feat/add provider pinning conftest policy feat: add conftest policy for provider version pinning in modules Mar 4, 2026
@marekaf marekaf merged commit be44080 into master Mar 4, 2026
3 checks passed
@marekaf marekaf deleted the feat/add-provider-pinning-conftest-policy branch March 4, 2026 08:47
marekaf added a commit that referenced this pull request Mar 4, 2026
@marekaf
feat: add conftest policy for provider version pinning in modules (#203)
c432083
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@marekaf