Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: apply prod account #463

Merged
merged 1 commit into from
Nov 21, 2024
Merged

feat: apply prod account #463

merged 1 commit into from
Nov 21, 2024

Conversation

Wi11Shell
Copy link
Contributor

Production Apply

Related issue: https://dvsa.atlassian.net/browse/VOL-5261

Before submitting (or marking as "ready for review")

  • Does the pull request title follow the conventional commit specification?
  • Have you performed a self-review of the code
  • Have you have added tests that prove the fix or feature is effective and working
  • Did you make sure to update any documentation relating to this change?

@Wi11Shell Wi11Shell requested a review from a team as a code owner November 20, 2024 16:20
@github-actions GitHub Actions
Copy link
Contributor

Terraform plan for account: prod

Commit: 772ae56

Plan summary

29 to add, 6 to change, 0 to destroy

🆕 Creates

module.account.aws_s3_bucket_policy.bucket_policy
module.account.aws_signer_signing_profile.this
module.account.module.assets[0].aws_s3_bucket.this[0]
module.account.module.assets[0].aws_s3_bucket_public_access_block.this[0]
module.account.module.ecr["api"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["api"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["api"].aws_ecr_repository.this[0]
module.account.module.ecr["api"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["cli"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["cli"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["cli"].aws_ecr_repository.this[0]
module.account.module.ecr["cli"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["internal"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["internal"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["internal"].aws_ecr_repository.this[0]
module.account.module.ecr["internal"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["selfserve"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["selfserve"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["selfserve"].aws_ecr_repository.this[0]
module.account.module.ecr["selfserve"].aws_ecr_repository_policy.this[0]
module.environment-remote-state["prep"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0]
module.environment-remote-state["prep"].module.dynamodb_table.aws_dynamodb_table.this[0]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role.this[0]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["DynamodbStateLock"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["PrepDynamodbStateLock"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ReadOnlyAccess"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["S3StateLock"]
module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role.this[0]
module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role_policy_attachment.this["AdministratorAccess"]

📖 Reads

module.account.data.aws_iam_policy_document.s3_policy
module.account.module.ecr["api"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["cli"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["internal"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["selfserve"].data.aws_iam_policy_document.repository[0]
module.account-remote-state.module.s3[0].data.aws_iam_policy_document.combined[0]
module.account-remote-state.module.s3[0].data.aws_iam_policy_document.deny_insecure_transport[0]

🔄 Updates

module.account-remote-state.module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0]
module.account-remote-state.module.dynamodb_table.aws_dynamodb_table.this[0]
module.account-remote-state.module.s3[0].aws_s3_bucket.this[0]
module.account-remote-state.module.s3[0].aws_s3_bucket_policy.this[0]
module.account-remote-state.module.s3_state_policy[0].aws_iam_policy.policy[0]
module.account.module.github[0].module.iam_github_oidc_provider[0].aws_iam_openid_connect_provider.this[0]
Show full plan 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # module.account.data.aws_iam_policy_document.s3_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "s3_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:GetObject",
            ]
          + resources = [
              + (known after apply),
            ]

          + principals {
              + identifiers = [
                  + "cloudfront.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.account.aws_s3_bucket_policy.bucket_policy will be created
  + resource "aws_s3_bucket_policy" "bucket_policy" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # module.account.aws_signer_signing_profile.this will be created
  + resource "aws_signer_signing_profile" "this" {
      + arn                   = (known after apply)
      + id                    = (known after apply)
      + name                  = (known after apply)
      + name_prefix           = "vol_app_"
      + platform_display_name = (known after apply)
      + platform_id           = "Notation-OCI-SHA384-ECDSA"
      + revocation_record     = (known after apply)
      + status                = (known after apply)
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + version               = (known after apply)
      + version_arn           = (known after apply)

      + signature_validity_period (known after apply)

      + signing_material (known after apply)
    }

  # module.account.module.assets[0].aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "vol-app-assets"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = false
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # module.account.module.assets[0].aws_s3_bucket_public_access_block.this[0] will be created
  + resource "aws_s3_bucket_public_access_block" "this" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.account.module.ecr["api"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["api"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/api"
    }

  # module.account.module.ecr["api"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["api"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/api"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["api"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/api"
    }

  # module.account.module.ecr["cli"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/cli"
    }

  # module.account.module.ecr["cli"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/cli"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/cli"
    }

  # module.account.module.ecr["internal"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/internal"
    }

  # module.account.module.ecr["internal"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/internal"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/internal"
    }

  # module.account.module.ecr["selfserve"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/selfserve"
    }

  # module.account.module.ecr["selfserve"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/selfserve"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/selfserve"
    }

  # module.account-remote-state.module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy")
  ~ resource "aws_iam_policy" "policy" {
        arn              = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
        attachment_count = 0
        description      = "Policy to allow access to the Terraform state lock"
        id               = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
        name             = "vol-app-146997448015-terraform-state-lock-policy"
        name_prefix      = null
        path             = "/"
        policy           = jsonencode(
            {
                Statement = [
                    {
                        Action   = [
                            "dynamodb:DescribeTable",
                            "dynamodb:GetItem",
                            "dynamodb:PutItem",
                            "dynamodb:DeleteItem",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:dynamodb:eu-west-1:146997448015:table/vol-app-146997448015-terraform-state-lock"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        policy_id        = "ANPASEON3BVH4VZQ4MXXW"
        tags             = {}
      ~ tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.account-remote-state.module.dynamodb_table.aws_dynamodb_table.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state-lock")
  ~ resource "aws_dynamodb_table" "this" {
        arn                         = "arn:aws:dynamodb:eu-west-1:146997448015:table/vol-app-146997448015-terraform-state-lock"
        billing_mode                = "PAY_PER_REQUEST"
        deletion_protection_enabled = false
        hash_key                    = "LockID"
        id                          = "vol-app-146997448015-terraform-state-lock"
        name                        = "vol-app-146997448015-terraform-state-lock"
        read_capacity               = 0
        stream_arn                  = null
        stream_enabled              = false
        stream_label                = null
        stream_view_type            = null
        table_class                 = "STANDARD"
        tags                        = {
            "Name" = "vol-app-146997448015-terraform-state-lock"
        }
      ~ tags_all                    = {
            "Name"       = "vol-app-146997448015-terraform-state-lock"
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
        write_capacity              = 0

        attribute {
            name = "LockID"
            type = "S"
        }

        point_in_time_recovery {
            enabled = false
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

        ttl {
            attribute_name = null
            enabled        = false
        }
    }

  # module.account-remote-state.module.s3[0].data.aws_iam_policy_document.combined[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "combined" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = (known after apply)
    }

  # module.account-remote-state.module.s3[0].data.aws_iam_policy_document.deny_insecure_transport[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "deny_insecure_transport" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Deny"
          + resources = [
              + "arn:aws:s3:::vol-app-146997448015-terraform-state",
              + "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
            ]
          + sid       = "denyInsecureTransport"

          + condition {
              + test     = "Bool"
              + values   = [
                  + "false",
                ]
              + variable = "aws:SecureTransport"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "*"
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state")
  ~ resource "aws_s3_bucket" "this" {
        acceleration_status         = null
        arn                         = "arn:aws:s3:::vol-app-146997448015-terraform-state"
        bucket                      = "vol-app-146997448015-terraform-state"
        bucket_domain_name          = "vol-app-146997448015-terraform-state.s3.amazonaws.com"
        bucket_prefix               = null
        bucket_regional_domain_name = "vol-app-146997448015-terraform-state.s3.eu-west-1.amazonaws.com"
      + force_destroy               = false
        hosted_zone_id              = "Z1BKCTXD74EZPE"
        id                          = "vol-app-146997448015-terraform-state"
        object_lock_enabled         = false
        policy                      = jsonencode(
            {
                Statement = [
                    {
                        Action    = "s3:*"
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Deny"
                        Principal = "*"
                        Resource  = [
                            "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
                            "arn:aws:s3:::vol-app-146997448015-terraform-state",
                        ]
                        Sid       = "denyInsecureTransport"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        region                      = "eu-west-1"
        request_payer               = "BucketOwner"
        tags                        = {}
      ~ tags_all                    = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

        grant {
            id          = "54ab964107a4663cef07947193d5189c97bf2ea3f2cbddd3582edce5684d0155"
            permissions = [
                "FULL_CONTROL",
            ]
            type        = "CanonicalUser"
            uri         = null
        }

        lifecycle_rule {
            abort_incomplete_multipart_upload_days = 0
            enabled                                = true
            id                                     = "lifecycle"
            prefix                                 = null
            tags                                   = {}

            noncurrent_version_expiration {
                days = 90
            }
        }

        server_side_encryption_configuration {
            rule {
                bucket_key_enabled = false

                apply_server_side_encryption_by_default {
                    kms_master_key_id = null
                    sse_algorithm     = "AES256"
                }
            }
        }

        versioning {
            enabled    = true
            mfa_delete = false
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_lifecycle_configuration.this[0] will be imported
    resource "aws_s3_bucket_lifecycle_configuration" "this" {
        bucket                                 = "vol-app-146997448015-terraform-state"
        expected_bucket_owner                  = null
        id                                     = "vol-app-146997448015-terraform-state"
        transition_default_minimum_object_size = "all_storage_classes_128K"

        rule {
            id     = "lifecycle"
            prefix = null
            status = "Enabled"

            filter {
                object_size_greater_than = null
                object_size_less_than    = null
                prefix                   = null
            }

            noncurrent_version_expiration {
                newer_noncurrent_versions = null
                noncurrent_days           = 90
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_ownership_controls.this[0] will be imported
    resource "aws_s3_bucket_ownership_controls" "this" {
        bucket = "vol-app-146997448015-terraform-state"
        id     = "vol-app-146997448015-terraform-state"

        rule {
            object_ownership = "BucketOwnerEnforced"
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_policy.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state")
  ~ resource "aws_s3_bucket_policy" "this" {
        bucket = "vol-app-146997448015-terraform-state"
        id     = "vol-app-146997448015-terraform-state"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Condition = {
                          - Bool = {
                              - "aws:SecureTransport" = "false"
                            }
                        }
                      - Effect    = "Deny"
                      - Principal = "*"
                      - Resource  = [
                          - "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
                          - "arn:aws:s3:::vol-app-146997448015-terraform-state",
                        ]
                      - Sid       = "denyInsecureTransport"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_public_access_block.this[0] will be imported
    resource "aws_s3_bucket_public_access_block" "this" {
        block_public_acls       = true
        block_public_policy     = true
        bucket                  = "vol-app-146997448015-terraform-state"
        id                      = "vol-app-146997448015-terraform-state"
        ignore_public_acls      = true
        restrict_public_buckets = true
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_server_side_encryption_configuration.this[0] will be imported
    resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
        bucket                = "vol-app-146997448015-terraform-state"
        expected_bucket_owner = null
        id                    = "vol-app-146997448015-terraform-state"

        rule {
            bucket_key_enabled = false

            apply_server_side_encryption_by_default {
                kms_master_key_id = null
                sse_algorithm     = "AES256"
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_versioning.this[0] will be imported
    resource "aws_s3_bucket_versioning" "this" {
        bucket                = "vol-app-146997448015-terraform-state"
        expected_bucket_owner = null
        id                    = "vol-app-146997448015-terraform-state"

        versioning_configuration {
            mfa_delete = null
            status     = "Enabled"
        }
    }

  # module.account-remote-state.module.s3_state_policy[0].aws_iam_policy.policy[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy")
  ~ resource "aws_iam_policy" "policy" {
        arn              = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
        attachment_count = 0
        description      = "Policy to allow access to the Terraform state in S3"
        id               = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
        name             = "vol-app-146997448015-terraform-state-policy"
        name_prefix      = null
        path             = "/"
        policy           = jsonencode(
            {
                Statement = [
                    {
                        Action   = [
                            "s3:GetObject",
                            "s3:PutObject",
                            "s3:ListBucket",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:s3:::vol-app-146997448015-terraform-state"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        policy_id        = "ANPASEON3BVH3MNJOTWE7"
        tags             = {}
      ~ tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.environment-remote-state["prep"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0] will be created
  + resource "aws_iam_policy" "policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy to allow access to the Terraform state lock"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prep-terraform-state-lock-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.environment-remote-state["prep"].module.dynamodb_table.aws_dynamodb_table.this[0] will be created
  + resource "aws_dynamodb_table" "this" {
      + arn              = (known after apply)
      + billing_mode     = "PAY_PER_REQUEST"
      + hash_key         = "LockID"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prep-terraform-state-lock"
      + read_capacity    = (known after apply)
      + stream_arn       = (known after apply)
      + stream_enabled   = false
      + stream_label     = (known after apply)
      + stream_view_type = (known after apply)
      + tags             = {
          + "Name" = "vol-app-146997448015-prep-terraform-state-lock"
        }
      + tags_all         = {
          + "Name"       = "vol-app-146997448015-prep-terraform-state-lock"
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + write_capacity   = (known after apply)

      + attribute {
          + name = "LockID"
          + type = "S"
        }

      + point_in_time_recovery {
          + enabled = false
        }

      + server_side_encryption {
          + enabled     = false
          + kms_key_arn = (known after apply)
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

      + ttl {
          + enabled        = false
            # (1 unchanged attribute hidden)
        }
    }

  # module.account.module.github[0].module.iam_github_oidc_provider[0].aws_iam_openid_connect_provider.this[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com")
  ~ resource "aws_iam_openid_connect_provider" "this" {
        arn             = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
        client_id_list  = [
            "sts.amazonaws.com",
        ]
        id              = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
        tags            = {}
      ~ tags_all        = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
        thumbprint_list = [
            "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
            "33e4e80807204c2b6182a3a14b591acd25b5f0db",
            "74f3a68f16524f15424927704c9506f55a9316bd",
            "6938fd4d98bab03faadb97b34396831e3780aea1",
            "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
        ]
        url             = "token.actions.githubusercontent.com"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:AssumeRoleWithWebIdentity",
                        ]
                      + Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                              + "token.actions.githubusercontent.com:iss" = "https://token.actions.githubusercontent.com"
                            }
                          + StringLike                  = {
                              + "token.actions.githubusercontent.com:sub" = "repo:dvsa/vol-app:pull_request"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
                        }
                      + Sid       = "GithubOidcAuth"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "vol-app-github-actions-readonly-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["DynamodbStateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["PrepDynamodbStateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ReadOnlyAccess"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["S3StateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:AssumeRoleWithWebIdentity",
                        ]
                      + Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                              + "token.actions.githubusercontent.com:iss" = "https://token.actions.githubusercontent.com"
                            }
                          + StringLike                  = {
                              + "token.actions.githubusercontent.com:sub" = [
                                  + "repo:dvsa/vol-app:ref:refs/heads/main",
                                  + "repo:dvsa/vol-app:environment:account-prod",
                                  + "repo:dvsa/vol-app:environment:prep",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
                        }
                      + Sid       = "GithubOidcAuth"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "vol-app-github-actions-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role_policy_attachment.this["AdministratorAccess"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
      + role       = "vol-app-github-actions-role"
    }

Plan: 11 to import, 29 to add, 6 to change, 0 to destroy.

@Wi11Shell Wi11Shell merged commit 336478a into main Nov 21, 2024
19 checks passed
@Wi11Shell Wi11Shell deleted the 5261-apply-prod branch November 21, 2024 09:24
@github-actions github-actions bot mentioned this pull request Nov 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cmarstondvsa cmarstondvsa cmarstondvsa approved these changes

@fibble fibble fibble approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Wi11Shell @fibble @cmarstondvsa