Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(jenkins): Adds GHA deployment workflow #332

Merged
merged 2 commits into from
Oct 22, 2024
Merged

feat(jenkins): Adds GHA deployment workflow #332

merged 2 commits into from
Oct 22, 2024

Conversation

gabebatista
Copy link
Contributor

Issue number:

Summary

Adds a Github Actions workflow to plan, deploy and destroy the jenkins complete example template. This workflow triggers on any changes to modules/jenkins/*. Some best practice features have been disabled as they cause the automated destruction of the solution to fail.

Changes

  • Adds a Github Actions workflow that:
    • Triggers on any PR that changes modules/jenkins/*
    • Prepares environment for terraform
    • Runs terraform plan and posts the output as a comment in the triggering PR
    • After manual approval, deploys the solution into the cloud-game-development+ci AWS account
    • After manual approval, destroys the solution in the cloud-game-development+ci AWS account
  • Disables the following features in the modules/jenkins/examples/complete template to allow for automated destruction of solution:
    • ALB access logs (terraform destroy cannot delete s3 buckets that are not empty)
    • ALB deletion protection (terraform destroy cannot delete the ALB if deletion protection is enabled)
    • EFS backup plan (backup plans are not required when testing module as no data should be stored in a test environment)

User experience

These changes will allow the repository maintainers to more easily test changes made to the Jenkins module. Deployment and Destruction of environments are done based on manual approval steps, so use of this workflow is optional.

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented
Is this a breaking change? No

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created might not be successful.

@gabebatista gabebatista requested a review from a team as a code owner September 30, 2024 15:24
@gabebatista gabebatista requested a review from novekm September 30, 2024 15:24
@gabebatista gabebatista had a problem deploying to ${ GITHUB_ENVIRONMENT } September 30, 2024 15:24 — with GitHub Actions Failure
@jorisdon jorisdon self-requested a review September 30, 2024 17:09
@gabebatista gabebatista marked this pull request as draft September 30, 2024 19:23
jorisdon
jorisdon previously approved these changes Oct 2, 2024
View reviewed changes
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 59b596d to 084b5b6 Compare October 4, 2024 14:52
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 084b5b6 to b93701b Compare October 4, 2024 15:11
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from b93701b to 7b18e38 Compare October 18, 2024 14:55
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 7b18e38 to 208ca4b Compare October 18, 2024 18:12
@gabebatista gabebatista changed the title Gabeaws/jenkins/gha deployment workflow feat(jenkins): Adds deployment workflow Oct 18, 2024
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 208ca4b to b6673e1 Compare October 18, 2024 18:43
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from b6673e1 to 389345b Compare October 18, 2024 18:59
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 389345b to 11129b8 Compare October 18, 2024 19:03
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 11129b8 to 96fe0cc Compare October 18, 2024 19:55
@github-actions GitHub Actions
Copy link
Contributor

Terraform Plan 📖success

Show Plan 

data.aws_route53_zone.root: Reading...
data.aws_availability_zones.available: Reading...
data.aws_availability_zones.available: Read complete after 0s [id=us-east-1]
data.aws_route53_zone.root: Read complete after 0s [id=Z0613492V80MHM8OKW46]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # aws_acm_certificate.jenkins will be created
  + resource "aws_acm_certificate" "jenkins" {
      + arn                       = (known after apply)
      + domain_name               = "jenkins.ci.cgdtk.peculiar.games.aws.dev"
      + domain_validation_options = [
          + {
              + domain_name           = "jenkins.ci.cgdtk.peculiar.games.aws.dev"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = (known after apply)
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "jenkins.ci.cgdtk.peculiar.games.aws.dev",
        ]
      + tags                      = {
          + "environment" = "dev"
        }
      + tags_all                  = {
          + "environment" = "dev"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # aws_acm_certificate_validation.jenkins will be created
  + resource "aws_acm_certificate_validation" "jenkins" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)

      + timeouts {
          + create = "15m"
        }
    }

  # aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = (known after apply)
      + vpc_id                 = (known after apply)
    }

  # aws_ecs_cluster.jenkins_cluster will be created
  + resource "aws_ecs_cluster" "jenkins_cluster" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + name     = "jenkins-cluster"
      + tags_all = (known after apply)

      + setting {
          + name  = "containerInsights"
          + value = "enabled"
        }
    }

  # aws_ecs_cluster_capacity_providers.providers will be created
  + resource "aws_ecs_cluster_capacity_providers" "providers" {
      + capacity_providers = [
          + "FARGATE",
        ]
      + cluster_name       = "jenkins-cluster"
      + id                 = (known after apply)

      + default_capacity_provider_strategy {
          + base              = 1
          + capacity_provider = "FARGATE"
          + weight            = 100
        }
    }

  # aws_eip.nat_gateway_eip will be created
  + resource "aws_eip" "nat_gateway_eip" {
      + allocation_id        = (known after apply)
      + arn                  = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = (known after apply)
      + id                   = (known after apply)
      + instance             = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + ptr_record           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name"        = "jenkins-nat-eip"
          + "environment" = "cgd"
        }
      + tags_all             = {
          + "Name"        = "jenkins-nat-eip"
          + "environment" = "cgd"
        }
      + vpc                  = (known after apply)
    }

  # aws_internet_gateway.igw will be created
  + resource "aws_internet_gateway" "igw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name"        = "build-pipeline-igw"
          + "environment" = "cgd"
        }
      + tags_all = {
          + "Name"        = "build-pipeline-igw"
          + "environment" = "cgd"
        }
      + vpc_id   = (known after apply)
    }

  # aws_nat_gateway.nat_gateway will be created
  + resource "aws_nat_gateway" "nat_gateway" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name"        = "jenkins-nat"
          + "environment" = "cgd"
        }
      + tags_all                           = {
          + "Name"        = "jenkins-nat"
          + "environment" = "cgd"
        }
    }

  # aws_route.private_rt_nat_gateway will be created
  + resource "aws_route" "private_rt_nat_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + nat_gateway_id         = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)
    }

  # aws_route53_record.jenkins will be created
  + resource "aws_route53_record" "jenkins" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "jenkins.ci.cgdtk.peculiar.games.aws.dev"
      + type            = "A"
      + zone_id         = "Z0613492V80MHM8OKW46"

      + alias {
          + evaluate_target_health = true
          + name                   = (known after apply)
          + zone_id                = (known after apply)
        }
    }

  # aws_route53_record.jenkins_cert["jenkins.ci.cgdtk.peculiar.games.aws.dev"] will be created
  + resource "aws_route53_record" "jenkins_cert" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z0613492V80MHM8OKW46"
    }

  # aws_route_table.private_rt will be created
  + resource "aws_route_table" "private_rt" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name"        = "jenkins-private-rt"
          + "environment" = "cgd"
        }
      + tags_all         = {
          + "Name"        = "jenkins-private-rt"
          + "environment" = "cgd"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route_table.public_rt will be created
  + resource "aws_route_table" "public_rt" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = [
          + {
              + carrier_gateway_id         = ""
              + cidr_block                 = "0.0.0.0/0"
              + core_network_arn           = ""
              + destination_prefix_list_id = ""
              + egress_only_gateway_id     = ""
              + gateway_id                 = (known after apply)
              + ipv6_cidr_block            = ""
              + local_gateway_id           = ""
              + nat_gateway_id             = ""
              + network_interface_id       = ""
              + transit_gateway_id         = ""
              + vpc_endpoint_id            = ""
              + vpc_peering_connection_id  = ""
            },
        ]
      + tags             = {
          + "Name"        = "jenkins-public-rt"
          + "environment" = "cgd"
        }
      + tags_all         = {
          + "Name"        = "jenkins-public-rt"
          + "environment" = "cgd"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route_table_association.private_rt_asso[0] will be created
  + resource "aws_route_table_association" "private_rt_asso" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.private_rt_asso[1] will be created
  + resource "aws_route_table_association" "private_rt_asso" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.public_rt_asso[0] will be created
  + resource "aws_route_table_association" "public_rt_asso" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.public_rt_asso[1] will be created
  + resource "aws_route_table_association" "public_rt_asso" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_subnet.private_subnets[0] will be created
  + resource "aws_subnet" "private_subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.0.3.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"        = "pvt-subnet-1"
          + "environment" = "cgd"
        }
      + tags_all                                       = {
          + "Name"        = "pvt-subnet-1"
          + "environment" = "cgd"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.private_subnets[1] will be created
  + resource "aws_subnet" "private_subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.0.4.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"        = "pvt-subnet-2"
          + "environment" = "cgd"
        }
      + tags_all                                       = {
          + "Name"        = "pvt-subnet-2"
          + "environment" = "cgd"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.public_subnets[0] will be created
  + resource "aws_subnet" "public_subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.0.1.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"        = "pub-subnet-1"
          + "environment" = "cgd"
        }
      + tags_all                                       = {
          + "Name"        = "pub-subnet-1"
          + "environment" = "cgd"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.public_subnets[1] will be created
  + resource "aws_subnet" "public_subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.0.2.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"        = "pub-subnet-2"
          + "environment" = "cgd"
        }
      + tags_all                                       = {
          + "Name"        = "pub-subnet-2"
          + "environment" = "cgd"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_vpc.jenkins_vpc will be created
  + resource "aws_vpc" "jenkins_vpc" {
      + arn                                  = (known after apply)
      + cidr_block                           = "10.0.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name"        = "jenkins-vpc"
          + "environment" = "cgd"
        }
      + tags_all                             = {
          + "Name"        = "jenkins-vpc"
          + "environment" = "cgd"
        }
    }

  # module.jenkins.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.jenkins.data.aws_ecs_cluster.jenkins_cluster[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ecs_cluster" "jenkins_cluster" {
      + arn                                  = (known after apply)
      + cluster_name                         = "jenkins-cluster"
      + id                                   = (known after apply)
      + pending_tasks_count                  = (known after apply)
      + registered_container_instances_count = (known after apply)
      + running_tasks_count                  = (known after apply)
      + service_connect_defaults             = (known after apply)
      + setting                              = (known after apply)
      + status                               = (known after apply)
      + tags                                 = (known after apply)
    }

  # module.jenkins.data.aws_elb_service_account.main will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_elb_service_account" "main" {
      + arn = (known after apply)
      + id  = (known after apply)
    }

  # module.jenkins.data.aws_iam_policy_document.build_farm_fsxz_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "build_farm_fsxz_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "fsx:CreateSnapshot",
              + "fsx:DeleteSnapshot",
              + "fsx:ListTagsForResource",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]
        }
      + statement {
          + actions   = [
              + "fsx:DescribeSnapshots",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
      + statement {
          + actions   = [
              + "fsx:DescribeVolumes",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.jenkins.data.aws_iam_policy_document.build_farm_s3_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "build_farm_s3_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3-object-lambda:*",
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.jenkins.data.aws_iam_policy_document.ec2_fleet_plugin_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "ec2_fleet_plugin_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ec2:CreateTags",
              + "ec2:DescribeFleetInstances",
              + "ec2:DescribeFleets",
              + "ec2:DescribeInstanceStatus",
              + "ec2:DescribeInstanceTypes",
              + "ec2:DescribeInstances",
              + "ec2:DescribeRegions",
              + "ec2:DescribeSpotFleetInstances",
              + "ec2:DescribeSpotFleetRequests",
              + "ec2:ModifyFleet",
              + "ec2:ModifySpotFleetRequest",
              + "ec2:TerminateInstances",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
        }
      + statement {
          + actions   = [
              + "autoscaling:UpdateAutoScalingGroup",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
      + statement {
          + actions   = [
              + "autoscaling:DescribeAutoScalingGroups",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
        }
      + statement {
          + actions   = [
              + "iam:ListInstanceProfiles",
              + "iam:ListRoles",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
      + statement {
          + actions   = [
              + "iam:PassRole",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.jenkins.data.aws_iam_policy_document.ec2_trust_relationship will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "ec2_trust_relationship" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "ec2.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.jenkins.data.aws_iam_policy_document.ecs_tasks_trust_relationship will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "ecs_tasks_trust_relationship" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "ecs-tasks.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.jenkins.data.aws_iam_policy_document.jenkins_default_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "jenkins_default_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ssmmessages:CreateControlChannel",
              + "ssmmessages:CreateDataChannel",
              + "ssmmessages:OpenControlChannel",
              + "ssmmessages:OpenDataChannel",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "ECSExec"
        }
      + statement {
          + actions   = [
              + "elasticfilesystem:ClientMount",
              + "elasticfilesystem:ClientRootAccess",
              + "elasticfilesystem:ClientWrite",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
      + statement {
          + actions   = [
              + "secretsmanager:BatchGetSecretValue",
              + "secretsmanager:GetRandomPassword",
              + "secretsmanager:ListSecrets",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
        }
    }

  # module.jenkins.data.aws_region.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_region" "current" {
      + description = (known after apply)
      + endpoint    = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
    }

  # module.jenkins.data.aws_vpc.build_farm_vpc will be read during apply
  # (config refers to values not yet known)
 <= data "aws_vpc" "build_farm_vpc" {
      + arn                                  = (known after apply)
      + cidr_block                           = (known after apply)
      + cidr_block_associations              = (known after apply)
      + default                              = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = (known after apply)
      + enable_dns_support                   = (known after apply)
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = (known after apply)
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + state                                = (known after apply)
      + tags                                 = (known after apply)
    }

  # module.jenkins.aws_autoscaling_group.jenkins_build_farm_asg["example_builders"] will be created
  + resource "aws_autoscaling_group" "jenkins_build_farm_asg" {
      + arn                              = (known after apply)
      + availability_zones               = (known after apply)
      + default_cooldown                 = (known after apply)
      + desired_capacity                 = (known after apply)
      + force_delete                     = false
      + force_delete_warm_pool           = false
      + health_check_grace_period        = 300
      + health_check_type                = (known after apply)
      + id                               = (known after apply)
      + ignore_failed_scaling_activities = false
      + load_balancers                   = (known after apply)
      + max_size                         = 1
      + metrics_granularity              = "1Minute"
      + min_size                         = 0
      + name                             = "cgd-jenkins-example_builders-build-farm"
      + name_prefix                      = (known after apply)
      + predicted_capacity               = (known after apply)
      + protect_from_scale_in            = false
      + service_linked_role_arn          = (known after apply)
      + target_group_arns                = (known after apply)
      + vpc_zone_identifier              = (known after apply)
      + wait_for_capacity_timeout        = "10m"
      + warm_pool_size                   = (known after apply)

      + launch_template {
          + id      = (known after apply)
          + name    = (known after apply)
          + version = "$Latest"
        }

      + tag {
          + key                 = "ASG"
          + propagate_at_launch = true
          + value               = "example_builders"
        }
      + tag {
          + key                 = "Name"
          + propagate_at_launch = true
          + value               = "cgd-jenkins-example_builders-build-farm"
        }
    }

  # module.jenkins.aws_cloudwatch_log_group.jenkins_service_log_group will be created
  + resource "aws_cloudwatch_log_group" "jenkins_service_log_group" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "cgd-jenkins-log-group"
      + name_prefix       = (known after apply)
      + retention_in_days = 365
      + skip_destroy      = false
      + tags              = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all          = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
    }

  # module.jenkins.aws_ecs_service.jenkins_service will be created
  + resource "aws_ecs_service" "jenkins_service" {
      + cluster                            = (known after apply)
      + deployment_maximum_percent         = 200
      + deployment_minimum_healthy_percent = 100
      + desired_count                      = 1
      + enable_ecs_managed_tags            = false
      + enable_execute_command             = false
      + force_new_deployment               = true
      + iam_role                           = (known after apply)
      + id                                 = (known after apply)
      + launch_type                        = "FARGATE"
      + name                               = "cgd-jenkins-service"
      + platform_version                   = (known after apply)
      + scheduling_strategy                = "REPLICA"
      + tags                               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                           = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + task_definition                    = (known after apply)
      + triggers                           = (known after apply)
      + wait_for_steady_state              = false

      + load_balancer {
          + container_name   = "jenkins-container"
          + container_port   = 8080
          + target_group_arn = (known after apply)
        }

      + network_configuration {
          + assign_public_ip = false
          + security_groups  = (known after apply)
          + subnets          = (known after apply)
        }
    }

  # module.jenkins.aws_ecs_task_definition.jenkins_task_definition will be created
  + resource "aws_ecs_task_definition" "jenkins_task_definition" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (known after apply)
      + cpu                      = "1024"
      + execution_role_arn       = (known after apply)
      + family                   = "jenkins"
      + id                       = (known after apply)
      + memory                   = "4096"
      + network_mode             = "awsvpc"
      + requires_compatibilities = [
          + "FARGATE",
        ]
      + revision                 = (known after apply)
      + skip_destroy             = false
      + tags                     = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                 = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + task_role_arn            = (known after apply)
      + track_latest             = false

      + runtime_platform {
          + cpu_architecture        = "X86_64"
          + operating_system_family = "LINUX"
        }

      + volume {
          + configure_at_launch = (known after apply)
          + name                = "jenkins_data"

          + efs_volume_configuration {
              + file_system_id          = (known after apply)
              + root_directory          = "/"
              + transit_encryption      = "ENABLED"
              + transit_encryption_port = 2999

              + authorization_config {
                  + access_point_id = (known after apply)
                  + iam             = "ENABLED"
                }
            }
        }
    }

  # module.jenkins.aws_efs_access_point.jenkins_efs_access_point will be created
  + resource "aws_efs_access_point" "jenkins_efs_access_point" {
      + arn             = (known after apply)
      + file_system_arn = (known after apply)
      + file_system_id  = (known after apply)
      + id              = (known after apply)
      + owner_id        = (known after apply)
      + tags            = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all        = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }

      + posix_user {
          + gid = 1001
          + uid = 1001
        }

      + root_directory {
          + path = "/var/jenkins_home"

          + creation_info {
              + owner_gid   = 1001
              + owner_uid   = 1001
              + permissions = "755"
            }
        }
    }

  # module.jenkins.aws_efs_file_system.jenkins_efs_file_system will be created
  + resource "aws_efs_file_system" "jenkins_efs_file_system" {
      + arn                     = (known after apply)
      + availability_zone_id    = (known after apply)
      + availability_zone_name  = (known after apply)
      + creation_token          = "cgd-jenkins-efs-file-system"
      + dns_name                = (known after apply)
      + encrypted               = true
      + id                      = (known after apply)
      + kms_key_id              = (known after apply)
      + name                    = (known after apply)
      + number_of_mount_targets = (known after apply)
      + owner_id                = (known after apply)
      + performance_mode        = "generalPurpose"
      + size_in_bytes           = (known after apply)
      + tags                    = {
          + "Name"           = "cgd-jenkins-efs-file-system"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                = {
          + "Name"           = "cgd-jenkins-efs-file-system"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + throughput_mode         = "bursting"

      + lifecycle_policy {
          + transition_to_ia = "AFTER_30_DAYS"
        }
      + lifecycle_policy {
          + transition_to_primary_storage_class = "AFTER_1_ACCESS"
        }
    }

  # module.jenkins.aws_efs_mount_target.jenkins_efs_mount_target[0] will be created
  + resource "aws_efs_mount_target" "jenkins_efs_mount_target" {
      + availability_zone_id   = (known after apply)
      + availability_zone_name = (known after apply)
      + dns_name               = (known after apply)
      + file_system_arn        = (known after apply)
      + file_system_id         = (known after apply)
      + id                     = (known after apply)
      + ip_address             = (known after apply)
      + mount_target_dns_name  = (known after apply)
      + network_interface_id   = (known after apply)
      + owner_id               = (known after apply)
      + security_groups        = (known after apply)
      + subnet_id              = (known after apply)
    }

  # module.jenkins.aws_efs_mount_target.jenkins_efs_mount_target[1] will be created
  + resource "aws_efs_mount_target" "jenkins_efs_mount_target" {
      + availability_zone_id   = (known after apply)
      + availability_zone_name = (known after apply)
      + dns_name               = (known after apply)
      + file_system_arn        = (known after apply)
      + file_system_id         = (known after apply)
      + id                     = (known after apply)
      + ip_address             = (known after apply)
      + mount_target_dns_name  = (known after apply)
      + network_interface_id   = (known after apply)
      + owner_id               = (known after apply)
      + security_groups        = (known after apply)
      + subnet_id              = (known after apply)
    }

  # module.jenkins.aws_fsx_openzfs_file_system.jenkins_build_farm_fsxz_file_system["cache"] will be created
  + resource "aws_fsx_openzfs_file_system" "jenkins_build_farm_fsxz_file_system" {
      + arn                               = (known after apply)
      + automatic_backup_retention_days   = 7
      + copy_tags_to_backups              = true
      + copy_tags_to_volumes              = true
      + daily_automatic_backup_start_time = "06:00"
      + deployment_type                   = "MULTI_AZ_1"
      + dns_name                          = (known after apply)
      + endpoint_ip_address               = (known after apply)
      + endpoint_ip_address_range         = (known after apply)
      + id                                = (known after apply)
      + kms_key_id                        = (known after apply)
      + network_interface_ids             = (known after apply)
      + owner_id                          = (known after apply)
      + preferred_subnet_id               = (known after apply)
      + root_volume_id                    = (known after apply)
      + route_table_ids                   = (known after apply)
      + security_group_ids                = (known after apply)
      + skip_final_backup                 = true
      + storage_capacity                  = 256
      + storage_type                      = "SSD"
      + subnet_ids                        = (known after apply)
      + tags                              = {
          + "Name"           = "cgd-cache"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                          = {
          + "Name"           = "cgd-cache"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + throughput_capacity               = 160
      + vpc_id                            = (known after apply)
      + weekly_maintenance_start_time     = (known after apply)

      + root_volume_configuration {
          + copy_tags_to_snapshots = true
          + data_compression_type  = "LZ4"
          + read_only              = false
          + record_size_kib        = 128

          + nfs_exports {
              + client_configurations {
                  + clients = (known after apply)
                  + options = [
                      + "async",
                      + "rw",
                      + "crossmnt",
                    ]
                }
            }
        }
    }

  # module.jenkins.aws_fsx_openzfs_volume.jenkins_build_farm_fsxz_volume["cache"] will be created
  + resource "aws_fsx_openzfs_volume" "jenkins_build_farm_fsxz_volume" {
      + arn                              = (known after apply)
      + copy_tags_to_snapshots           = true
      + data_compression_type            = "LZ4"
      + id                               = (known after apply)
      + name                             = "cgd-cache"
      + parent_volume_id                 = (known after apply)
      + read_only                        = (known after apply)
      + record_size_kib                  = 128
      + storage_capacity_quota_gib       = (known after apply)
      + storage_capacity_reservation_gib = (known after apply)
      + tags                             = {
          + "Name"           = "cgd-cache"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                         = {
          + "Name"           = "cgd-cache"
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + volume_type                      = "OPENZFS"

      + nfs_exports {
          + client_configurations {
              + clients = (known after apply)
              + options = [
                  + "async",
                  + "rw",
                  + "crossmnt",
                ]
            }
        }
    }

  # module.jenkins.aws_iam_instance_profile.build_farm_instance_profile will be created
  + resource "aws_iam_instance_profile" "build_farm_instance_profile" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = (known after apply)
      + path        = "/"
      + role        = (known after apply)
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

  # module.jenkins.aws_iam_policy.build_farm_fsxz_policy will be created
  + resource "aws_iam_policy" "build_farm_fsxz_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy granting Build Farm EC2 instances access to FSxZ."
      + id               = (known after apply)
      + name             = "cgd-build-farm-fsxz-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.jenkins.aws_iam_policy.build_farm_s3_policy will be created
  + resource "aws_iam_policy" "build_farm_s3_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy granting Build Farm EC2 instances access to Amazon S3."
      + id               = (known after apply)
      + name             = "cgd-build-farm-s3-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.jenkins.aws_iam_policy.ec2_fleet_plugin_policy[0] will be created
  + resource "aws_iam_policy" "ec2_fleet_plugin_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy granting permissions required for Jenkins to use EC2 Fleet plugin."
      + id               = (known after apply)
      + name             = "cgd-ec2-fleet-plugin-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.jenkins.aws_iam_policy.jenkins_default_policy[0] will be created
  + resource "aws_iam_policy" "jenkins_default_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy granting permissions for Jenkins."
      + id               = (known after apply)
      + name             = "cgd-jenkins-default-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.jenkins.aws_iam_role.build_farm_role will be created
  + resource "aws_iam_role" "build_farm_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = (known after apply)
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all              = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + unique_id             = (known after apply)
    }

  # module.jenkins.aws_iam_role.jenkins_default_role[0] will be created
  + resource "aws_iam_role" "jenkins_default_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "cgd-jenkins-default-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all              = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + unique_id             = (known after apply)
    }

  # module.jenkins.aws_iam_role.jenkins_task_execution_role will be created
  + resource "aws_iam_role" "jenkins_task_execution_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = [
          + "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
        ]
      + max_session_duration  = 3600
      + name                  = "cgd-jenkins-task-execution-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # module.jenkins.aws_iam_role_policy_attachment.ec2_fleet_plugin_policy_attachment[0] will be created
  + resource "aws_iam_role_policy_attachment" "ec2_fleet_plugin_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "cgd-jenkins-default-role"
    }

  # module.jenkins.aws_launch_template.jenkins_build_farm_launch_template["example_builders"] will be created
  + resource "aws_launch_template" "jenkins_build_farm_launch_template" {
      + arn                    = (known after apply)
      + default_version        = (known after apply)
      + description            = "example_builders build farm launch template."
      + ebs_optimized          = "true"
      + id                     = (known after apply)
      + image_id               = "ami-066784287e358dad1"
      + instance_type          = "t3.medium"
      + latest_version         = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = "cgd-jenkins-example_builders-bf-"
      + tags_all               = (known after apply)
      + vpc_security_group_ids = (known after apply)

      + iam_instance_profile {
          + arn = (known after apply)
        }

      + metadata_options {
          + http_endpoint               = "enabled"
          + http_protocol_ipv6          = (known after apply)
          + http_put_response_hop_limit = 1
          + http_tokens                 = "required"
          + instance_metadata_tags      = "enabled"
        }
    }

  # module.jenkins.aws_lb.jenkins_alb will be created
  + resource "aws_lb" "jenkins_alb" {
      + arn                                                          = (known after apply)
      + arn_suffix                                                   = (known after apply)
      + client_keep_alive                                            = 3600
      + desync_mitigation_mode                                       = "defensive"
      + dns_name                                                     = (known after apply)
      + drop_invalid_header_fields                                   = true
      + enable_deletion_protection                                   = false
      + enable_http2                                                 = true
      + enable_tls_version_and_cipher_suite_headers                  = false
      + enable_waf_fail_open                                         = false
      + enable_xff_client_port                                       = false
      + enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
      + id                                                           = (known after apply)
      + idle_timeout                                                 = 60
      + internal                                                     = false
      + ip_address_type                                              = (known after apply)
      + load_balancer_type                                           = "application"
      + name                                                         = "cgd-jenkins-alb"
      + name_prefix                                                  = (known after apply)
      + preserve_host_header                                         = false
      + security_groups                                              = (known after apply)
      + subnets                                                      = (known after apply)
      + tags                                                         = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                                                     = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                                                       = (known after apply)
      + xff_header_processing_mode                                   = "append"
      + zone_id                                                      = (known after apply)
    }

  # module.jenkins.aws_lb_listener.jenkins_alb_https_listener will be created
  + resource "aws_lb_listener" "jenkins_alb_https_listener" {
      + arn               = (known after apply)
      + certificate_arn   = (known after apply)
      + id                = (known after apply)
      + load_balancer_arn = (known after apply)
      + port              = 443
      + protocol          = "HTTPS"
      + ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
      + tags              = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all          = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }

      + default_action {
          + order            = (known after apply)
          + target_group_arn = (known after apply)
          + type             = "forward"
        }
    }

  # module.jenkins.aws_lb_target_group.jenkins_alb_target_group will be created
  + resource "aws_lb_target_group" "jenkins_alb_target_group" {
      + arn                                = (known after apply)
      + arn_suffix                         = (known after apply)
      + connection_termination             = (known after apply)
      + deregistration_delay               = "300"
      + id                                 = (known after apply)
      + ip_address_type                    = (known after apply)
      + lambda_multi_value_headers_enabled = false
      + load_balancer_arns                 = (known after apply)
      + load_balancing_algorithm_type      = (known after apply)
      + load_balancing_anomaly_mitigation  = (known after apply)
      + load_balancing_cross_zone_enabled  = (known after apply)
      + name                               = "cgd-jenkins-tg"
      + name_prefix                        = (known after apply)
      + port                               = 8080
      + preserve_client_ip                 = (known after apply)
      + protocol                           = "HTTP"
      + protocol_version                   = (known after apply)
      + proxy_protocol_v2                  = false
      + slow_start                         = 0
      + tags                               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all                           = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + target_type                        = "ip"
      + vpc_id                             = (known after apply)

      + health_check {
          + enabled             = true
          + healthy_threshold   = 2
          + interval            = 30
          + matcher             = "200"
          + path                = "/login"
          + port                = "traffic-port"
          + protocol            = "HTTP"
          + timeout             = 10
          + unhealthy_threshold = 2
        }
    }

  # module.jenkins.aws_s3_bucket.artifact_buckets["builds"] will be created
  + resource "aws_s3_bucket" "artifact_buckets" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = (known after apply)
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = true
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags                        = {
          + "Name"        = "game-builds"
          + "environment" = "dev"
        }
      + tags_all                    = {
          + "Name"        = "game-builds"
          + "environment" = "dev"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # module.jenkins.aws_s3_bucket_public_access_block.artifacts_bucket_public_block["builds"] will be created
  + resource "aws_s3_bucket_public_access_block" "artifacts_bucket_public_block" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.jenkins.aws_s3_bucket_versioning.artifact_bucket_versioning["builds"] will be created
  + resource "aws_s3_bucket_versioning" "artifact_bucket_versioning" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

  # module.jenkins.aws_security_group.jenkins_alb_sg will be created
  + resource "aws_security_group" "jenkins_alb_sg" {
      + arn                    = (known after apply)
      + description            = "Jenkins ALB Security Group"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "cgd-jenkins-ALB"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # module.jenkins.aws_security_group.jenkins_build_farm_sg will be created
  + resource "aws_security_group" "jenkins_build_farm_sg" {
      + arn                    = (known after apply)
      + description            = "Jenkins Build Farm Compute Security Group"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "cgd-jenkins-build-farm"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # module.jenkins.aws_security_group.jenkins_build_storage_sg will be created
  + resource "aws_security_group" "jenkins_build_storage_sg" {
      + arn                    = (known after apply)
      + description            = "Jenkins Build Storage Security Group"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "cgd-jenkins-build-storage-fsx"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # module.jenkins.aws_security_group.jenkins_efs_security_group will be created
  + resource "aws_security_group" "jenkins_efs_security_group" {
      + arn                    = (known after apply)
      + description            = "Jenkins EFS mount target Security Group"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "cgd-jenkins-efs"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # module.jenkins.aws_security_group.jenkins_service_sg will be created
  + resource "aws_security_group" "jenkins_service_sg" {
      + arn                    = (known after apply)
      + description            = "Jenkins Service Security Group"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "cgd-jenkins-service"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + tags_all               = {
          + "environment"    = "dev"
          + "iac-management" = "CGD-Toolkit"
          + "iac-module"     = "Jenkins"
          + "iac-provider"   = "Terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # module.jenkins.aws_vpc_security_group_egress_rule.jenkins_alb_outbound_service will be created
  + resource "aws_vpc_security_group_egress_rule" "jenkins_alb_outbound_service" {
      + arn                          = (known after apply)
      + description                  = "Allow outbound traffic from Jenkins ALB to Jenkins service"
      + from_port                    = 8080
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = (known after apply)
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {}
      + to_port                      = 8080
    }

  # module.jenkins.aws_vpc_security_group_egress_rule.jenkins_build_farm_outbound_ipv4 will be created
  + resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv4" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + description            = "Allow outbound traffic from Jenkins build farm to internet (ipv4)"
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
    }

  # module.jenkins.aws_vpc_security_group_egress_rule.jenkins_build_farm_outbound_ipv6 will be created
  + resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv6" {
      + arn                    = (known after apply)
      + cidr_ipv6              = "::/0"
      + description            = "Allow outbound traffic from Jenkins build farm to internet (ipv6)"
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
    }

  # module.jenkins.aws_vpc_security_group_egress_rule.jenkins_service_outbound_ipv4 will be created
  + resource "aws_vpc_security_group_egress_rule" "jenkins_service_outbound_ipv4" {
      + arn                    = (known after apply)
      + cidr_ipv4              = "0.0.0.0/0"
      + description            = "Allow outbound traffic from Jenkins service to internet (ipv4)"
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
    }

  # module.jenkins.aws_vpc_security_group_egress_rule.jenkins_service_outbound_ipv6 will be created
  + resource "aws_vpc_security_group_egress_rule" "jenkins_service_outbound_ipv6" {
      + arn                    = (known after apply)
      + cidr_ipv6              = "::/0"
      + description            = "Allow outbound traffic from Jenkins service to internet (ipv6)"
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
    }

  # module.jenkins.aws_vpc_security_group_ingress_rule.jenkins_build_farm_inbound_ssh_service will be created
  + resource "aws_vpc_security_group_ingress_rule" "jenkins_build_farm_inbound_ssh_service" {
      + arn                          = (known after apply)
      + description                  = "Allow inbound traffic from Jenkins service to Build Farm instance."
      + from_port                    = 22
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = (known after apply)
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {}
      + to_port                      = 22
    }

  # module.jenkins.aws_vpc_security_group_ingress_rule.jenkins_build_vpc_all_traffic will be created
  + resource "aws_vpc_security_group_ingress_rule" "jenkins_build_vpc_all_traffic" {
      + arn                    = (known after apply)
      + cidr_ipv4              = (known after apply)
      + description            = "Allow inbound traffic from Build Farm instance to OpenZFS."
      + id                     = (known after apply)
      + ip_protocol            = "-1"
      + security_group_id      = (known after apply)
      + security_group_rule_id = (known after apply)
      + tags_all               = {}
    }

  # module.jenkins.aws_vpc_security_group_ingress_rule.jenkins_efs_inbound_service will be created
  + resource "aws_vpc_security_group_ingress_rule" "jenkins_efs_inbound_service" {
      + arn                          = (known after apply)
      + description                  = "Allow inbound access from Jenkins service containers to EFS."
      + from_port                    = 2049
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = (known after apply)
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {}
      + to_port                      = 2049
    }

  # module.jenkins.aws_vpc_security_group_ingress_rule.jenkins_service_inbound_alb will be created
  + resource "aws_vpc_security_group_ingress_rule" "jenkins_service_inbound_alb" {
      + arn                          = (known after apply)
      + description                  = "Allow inbound traffic from Jenkins ALB to service"
      + from_port                    = 8080
      + id                           = (known after apply)
      + ip_protocol                  = "tcp"
      + referenced_security_group_id = (known after apply)
      + security_group_id            = (known after apply)
      + security_group_rule_id       = (known after apply)
      + tags_all                     = {}
      + to_port                      = 8080
    }

  # module.jenkins.random_string.artifact_buckets will be created
  + resource "random_string" "artifact_buckets" {
      + id          = (known after apply)
      + length      = 4
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.jenkins.random_string.build_farm will be created
  + resource "random_string" "build_farm" {
      + id          = (known after apply)
      + length      = 4
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.jenkins.random_string.fsxz will be created
  + resource "random_string" "fsxz" {
      + id          = (known after apply)
      + length      = 4
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.jenkins.random_string.jenkins will be created
  + resource "random_string" "jenkins" {
      + id          = (known after apply)
      + length      = 4
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

Plan: 66 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pushed by: @gabebatista, Action: pull_request

@gabebatista gabebatista changed the title feat(jenkins): Adds deployment workflow feat(jenkins): Adds GHA deployment workflow Oct 21, 2024
@gabebatista gabebatista marked this pull request as ready for review October 21, 2024 14:02
@gabebatista gabebatista requested review from jorisdon, kylesomers and henrykie and removed request for novekm October 21, 2024 14:02
@jorisdon jorisdon requested a review from novekm October 21, 2024 15:50
@gabebatista gabebatista force-pushed the gabeaws/jenkins/gha-deployment-workflow branch from 96fe0cc to 4328d99 Compare October 22, 2024 13:59
@gabebatista gabebatista merged commit 0bc9680 into main Oct 22, 2024
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@novekm novekm novekm approved these changes

@jorisdon jorisdon jorisdon approved these changes

@kylesomers kylesomers Awaiting requested review from kylesomers

@henrykie henrykie Awaiting requested review from henrykie

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gabebatista @jorisdon @novekm