Fix prisma CLI in Redwood ECS console #91

Merged
merged 3 commits into from
Jan 27, 2024


TylerHendrickson
Member

This PR fixes problems using Prisma CLI commands in the Redwood ECS console, which were only partially resolved by #87 (which this PR largely reverts).

Problem statement: The Prisma CLI has no support for custom PrismaClient objects, meaning that the programmatic customizations/overrides present in api/src/lib/db.ts file's instantiation of PrismaClient have no effect when running yarn rw prisma ... commands. This is an unfortunate limitation of Prisma that is not particularly well-documented, despite support for at-runtime customization.
Solution: This PR updates the Terraform IAC for the Redwood console environment to mount the entire DATABASE_URL environment variable as a secret on the container (previously we were only doing this for the Postgres-standard PGPASSWORD env var). It also removes the runtime override behavior introduced by #87, as it is no longer needed.


Other considerations: This limitation of Prisma will cause further difficulty in adopting IAM authentication for RDS Postgres (which is our preference over using static credentials), given that there's no mechanism to interpolate non-environment (e.g. secret) values into a connection string at the time that a Prisma CLI command is run, which is necessary given that IAM auth credentials are time-limited.

A potential (but not particularly ideal) solution could be to introduce a wrapper (bash) script that exports IAM auth credentials to subcommands, e.g.
rdsiamauth.bash:

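#!/usr/bin/env bash
set -euo pipefail

# Generate a time-limited IAM auth token to use as the Postgres password
PGPASSWORD="$(aws rds generate-db-auth-token --hostname "$RDSHOST" --port "$PGPORT" --region us-west-2 --username "$PGUSER")"
export DATABASE_URL="postgres://$PGUSER:$PGPASSWORD@$RDSHOST:$PGPORT?sslmode=$PGSSLMODE&sslrootcert=$PGSSLROOTCERT"

# Run the wrapped command with its arguments intact
# (bash -c "$@" would execute only the first word and drop the rest)
exec "$@"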

which could be used like this:

./rdsiamauth.bash yarn rw prisma migrate deploy

Given that we are not yet implementing IAM Auth for RDS, this (or an alternate) solution is out-of-scope for this PR.
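
The wrapper idea above, carried one step further as an added example (not part of this PR or the project's code): an RDS IAM auth token is a presigned request string containing `/`, `?`, `&` and `=`, so it has to be percent-encoded before it is placed in the password field of `DATABASE_URL`. The helper names `urlencode` and `build_database_url` and the `AWS_REGION` fallback are assumptions; the URL shape is the one used in the description.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): inject a short-lived RDS IAM auth token
# into DATABASE_URL for exactly one wrapped command.
# urlencode and build_database_url are hypothetical helper names.
set -eu

# Percent-encode every byte outside the RFC 3986 unreserved set.
# Runs in a subshell so its variables do not leak into the caller.
# Assumes ASCII input, which holds for IAM auth tokens.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Assemble the connection string in the shape shown in the PR description.
# Args: user, password (raw token), host, port, sslmode, sslrootcert.
build_database_url() {
  printf 'postgres://%s:%s@%s:%s?sslmode=%s&sslrootcert=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5" "$6"
}

main() {
  # Fail early, with a clear message, if required settings are missing.
  : "${PGUSER:?PGUSER is required}" "${RDSHOST:?RDSHOST is required}"
  : "${PGPORT:?PGPORT is required}" "${PGSSLMODE:?PGSSLMODE is required}"
  : "${PGSSLROOTCERT:?PGSSLROOTCERT is required}"

  # The token is time-limited, so it is generated per invocation and never
  # written to disk or echoed. Region fallback matches the description.
  token=$(aws rds generate-db-auth-token \
    --hostname "$RDSHOST" --port "$PGPORT" \
    --region "${AWS_REGION:-us-west-2}" --username "$PGUSER")

  DATABASE_URL=$(build_database_url \
    "$PGUSER" "$token" "$RDSHOST" "$PGPORT" "$PGSSLMODE" "$PGSSLROOTCERT")
  export DATABASE_URL

  # Replace this shell with the wrapped command, arguments preserved.
  exec "$@"
}

# Only act when a command to wrap was supplied.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoked as in the description (`./rdsiamauth.bash yarn rw prisma migrate deploy`), the token reaches the child only through its environment and is not visible in the argument list.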

@TylerHendrickson TylerHendrickson self-assigned this Jan 27, 2024

github-actions bot commented Jan 27, 2024

QA Summary

See our documentation for tips on how to resolve failing QA checks.

QA Check Result
🌐 Web Tests
🔗 API Tests
📏 ESLint
🧹 TFLint

Test Coverage

Coverage report for api suite
St File % Stmts % Branch % Funcs % Lines Uncovered Line #s
🔴 All files 19.85 1.82 28.2 20.2
Coverage report for web suite
St File % Stmts % Branch % Funcs % Lines Uncovered Line #s
🔴 All files 12.88 11.51 11.49 12.07

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration


github-actions bot commented Jan 27, 2024

Terraform Summary

Step Result
🖌 Terraform Format & Style
⚙️ Terraform Initialization
🤖 Terraform Validation
📖 Terraform Plan

Hint: If "Terraform Format & Style" failed, run terraform fmt -recursive from the terraform/ directory and commit the results.

Output

Validation Output
Success! The configuration is valid.


Plan Output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
  ~ update in-place
-   destroy
-/+ destroy and then create replacement
+/- create replacement and then destroy
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.ecs_console_execution will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "ecs_console_execution" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "kms:Decrypt",
+               "ssm:GetParameters",
            ]
+           effect    = "Allow"
+           resources = [
+               "arn:aws:kms:us-west-2:357150818708:key/df1661b4-62e5-4668-8e39-f872c9acfceb",
+               (known after apply),
            ]
+           sid       = "DecryptSSMSecrets"
        }
+       statement {
+           actions   = [
+               "logs:CreateLogStream",
+               "logs:DescribeLogStreams",
+               "logs:PutLogEvents",
            ]
+           effect    = "Allow"
+           resources = [
+               "arn:aws:logs:us-west-2:357150818708:log-group:cpfreporter-ecs-20231208081114911100000001",
+               "arn:aws:logs:us-west-2:357150818708:log-group:cpfreporter-ecs-20231208081114911100000001:log-stream:*",
            ]
+           sid       = "WriteLogs"
        }
    }

  # aws_ecs_service.console will be updated in-place
  ~ resource "aws_ecs_service" "console" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/cpfreporter/cpfreporter-console"
        name                               = "cpfreporter-console"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:42" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.console must be replaced
+/- resource "aws_ecs_task_definition" "console" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:42" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console" -> (known after apply)
      # Warning: this attribute value will no longer be marked as sensitive
      # after applying this change.
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "cpfreporter-console" -> (known after apply)
      ~ revision                 = 42 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # aws_iam_role_policy.ecs_console_execution will be updated in-place
  ~ resource "aws_iam_role_policy" "ecs_console_execution" {
        id          = "cpfreporter-console-ECSTaskExecution-20231208081114917600000004:terraform-20231208081115818900000005"
        name        = "terraform-20231208081115818900000005"
      ~ policy      = jsonencode(
            {
-               Statement = [
-                   {
-                       Action   = [
-                           "ssm:GetParameters",
-                           "kms:Decrypt",
                        ]
-                       Effect   = "Allow"
-                       Resource = [
-                           "arn:aws:ssm:us-west-2:357150818708:parameter/cpfreporter/postgres/master_password",
-                           "arn:aws:kms:us-west-2:357150818708:key/df1661b4-62e5-4668-8e39-f872c9acfceb",
                        ]
-                       Sid      = "DecryptSSMSecrets"
                    },
-                   {
-                       Action   = [
-                           "logs:PutLogEvents",
-                           "logs:DescribeLogStreams",
-                           "logs:CreateLogStream",
                        ]
-                       Effect   = "Allow"
-                       Resource = [
-                           "arn:aws:logs:us-west-2:357150818708:log-group:cpfreporter-ecs-20231208081114911100000001:log-stream:*",
-                           "arn:aws:logs:us-west-2:357150818708:log-group:cpfreporter-ecs-20231208081114911100000001",
                        ]
-                       Sid      = "WriteLogs"
                    },
                ]
-               Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # aws_s3_object.lambda_artifact-cpfValidation will be updated in-place
  ~ resource "aws_s3_object" "lambda_artifact-cpfValidation" {
      ~ etag                   = "941a24008125db82f9a3944a10abe9e9-5" -> "03f26d9515a21efcc51fb0dc9cc27268"
        id                     = "cpfValidation.03f26d9515a21efcc51fb0dc9cc27268.zip"
        tags                   = {}
      ~ version_id             = "Ax_CUH0xbw12zB3zaWq9TQa7P.GmJhRp" -> (known after apply)
        # (11 unchanged attributes hidden)
    }

  # aws_s3_object.lambda_artifact-excelToJson will be updated in-place
  ~ resource "aws_s3_object" "lambda_artifact-excelToJson" {
      ~ etag                   = "b08aae30188b2349c62ad4146d6e4e5c-6" -> "f12d747e0b78b872f335428cbff9a31b"
        id                     = "excelToJson.f12d747e0b78b872f335428cbff9a31b.zip"
        tags                   = {}
      ~ version_id             = "sH4DlvMDHpcpdFoTOSATDdKA2Lri7aAJ" -> (known after apply)
        # (11 unchanged attributes hidden)
    }

  # aws_s3_object.lambda_artifact-graphql must be replaced
+/- resource "aws_s3_object" "lambda_artifact-graphql" {
+       acl                    = (known after apply)
      ~ bucket_key_enabled     = false -> (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "1fd327266c3707af7a1534e1279814b2-6" -> "cba38e0a7b86146fd8b46e381b65279f"
      ~ id                     = "graphql.87a1740978da9ac280c9fde1ae6d8580.zip" -> (known after apply)
      ~ key                    = "graphql.87a1740978da9ac280c9fde1ae6d8580.zip" -> "graphql.cba38e0a7b86146fd8b46e381b65279f.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ source_hash            = "87a1740978da9ac280c9fde1ae6d8580" -> "cba38e0a7b86146fd8b46e381b65279f"
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "9XqIdQR3d5KT0HANYaf7Wel0Q7iQ8A51" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["200.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "46019f9d24e3350f6452b3aa8e6027b7" -> "a026d5003306eda761f9dffea99711ea"
        id                     = "dist/200.html"
      ~ source_hash            = "46019f9d24e3350f6452b3aa8e6027b7" -> "a026d5003306eda761f9dffea99711ea"
        tags                   = {}
      ~ version_id             = "ed0wyMwE_1QBLwTxRRUINz13jRoKr7kt" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["build-manifest.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "08a47c8569a0ea72137b40919898da1f" -> "f19e19b6440a39a92a56ada5ac73f8a1"
        id                     = "dist/build-manifest.json"
      ~ source_hash            = "08a47c8569a0ea72137b40919898da1f" -> "f19e19b6440a39a92a56ada5ac73f8a1"
        tags                   = {}
      ~ version_id             = "qyTVqAE10pt2D8Poj0pn3DOEEkfuv.vm" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["chunk-references.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "794b951e82e31ed0f51fd49df6fbee83" -> "e945421ff963baaa6dd9b01320ba65f8"
        id                     = "dist/chunk-references.json"
      ~ source_hash            = "794b951e82e31ed0f51fd49df6fbee83" -> "e945421ff963baaa6dd9b01320ba65f8"
        tags                   = {}
      ~ version_id             = "VUdi1oefZdpcBaWsLcsFpb1s3LqXiwWf" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["index.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "46019f9d24e3350f6452b3aa8e6027b7" -> "a026d5003306eda761f9dffea99711ea"
        id                     = "dist/index.html"
      ~ source_hash            = "46019f9d24e3350f6452b3aa8e6027b7" -> "a026d5003306eda761f9dffea99711ea"
        tags                   = {}
      ~ version_id             = "ZfGk6EmSBe23jWrEbZ7ufdQGTiQIByOc" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.2f761955.js"] will be destroyed
  # (because key ["static/js/app.2f761955.js"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/javascript" -> null
-       etag                   = "659840fa923cd5eb65e1f18a015083df" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.2f761955.js" -> null
-       key                    = "dist/static/js/app.2f761955.js" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.2f761955.js" -> null
-       source_hash            = "659840fa923cd5eb65e1f18a015083df" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "xFeFYJXcolcIfAxwQGSzp1ToCogGWxQt" -> null
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.2f761955.js.LICENSE.txt"] will be destroyed
  # (because key ["static/js/app.2f761955.js.LICENSE.txt"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/plain" -> null
-       etag                   = "8d38c03ef794fa32760c896577fdf875" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.2f761955.js.LICENSE.txt" -> null
-       key                    = "dist/static/js/app.2f761955.js.LICENSE.txt" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.2f761955.js.LICENSE.txt" -> null
-       source_hash            = "8d38c03ef794fa32760c896577fdf875" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "eGEZ__.rYy9hmedHjTr6cnJBfZYNoKnX" -> null
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.a4a59ef2.js"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/javascript"
+       etag                   = "477001a4168880f36a33d621b9e8d254"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.a4a59ef2.js"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.a4a59ef2.js"
+       source_hash            = "477001a4168880f36a33d621b9e8d254"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.a4a59ef2.js.LICENSE.txt"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/plain"
+       etag                   = "8d38c03ef794fa32760c896577fdf875"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.a4a59ef2.js.LICENSE.txt"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.a4a59ef2.js.LICENSE.txt"
+       source_hash            = "8d38c03ef794fa32760c896577fdf875"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_ssm_parameter.ecs_console_secret_database_url will be created
+   resource "aws_ssm_parameter" "ecs_console_secret_database_url" {
+       arn            = (known after apply)
+       data_type      = (known after apply)
+       description    = "Prisma database URL for connecting the Postgres cluster"
+       id             = (known after apply)
+       insecure_value = (known after apply)
+       key_id         = "arn:aws:kms:us-west-2:357150818708:key/df1661b4-62e5-4668-8e39-f872c9acfceb"
+       name           = "/cpfreporter/postgres/database_url"
+       tags_all       = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       tier           = (known after apply)
+       type           = "SecureString"
+       value          = (sensitive value)
+       version        = (known after apply)
    }

  # module.lambda_function-cpfValidation.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "cpfreporter-cpfValidation"
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-cpfValidation:11" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-cpfValidation:11/invocations" -> (known after apply)
        tags                           = {}
      ~ version                        = "11" -> (known after apply)
        # (21 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_COMMIT_SHA"                = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
              ~ "DD_TAGS"                      = "git.commit.sha:c332228b120116c937a20169d95cc147203ba8ce,git.repository_url:github.com/usdigitalresponse/cpf-reporter" -> "git.commit.sha:53a2668b8b84e9238d070d3e02b4ed0827cfc65d,git.repository_url:github.com/usdigitalresponse/cpf-reporter"
              ~ "DD_VERSION"                   = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
                # (13 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.lambda_function-cpfValidation.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "11" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.lambda_function-excelToJson.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "cpfreporter-excelToJson"
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-excelToJson:11" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-excelToJson:11/invocations" -> (known after apply)
        tags                           = {}
      ~ version                        = "11" -> (known after apply)
        # (21 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_COMMIT_SHA"                = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
              ~ "DD_TAGS"                      = "git.commit.sha:c332228b120116c937a20169d95cc147203ba8ce,git.repository_url:github.com/usdigitalresponse/cpf-reporter" -> "git.commit.sha:53a2668b8b84e9238d070d3e02b4ed0827cfc65d,git.repository_url:github.com/usdigitalresponse/cpf-reporter"
              ~ "DD_VERSION"                   = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
                # (13 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.lambda_function-excelToJson.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "11" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.lambda_function-graphql.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "cpfreporter-graphql"
      ~ last_modified                  = "2024-01-26T16:05:16.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:58" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:58/invocations" -> (known after apply)
      ~ s3_key                         = "graphql.87a1740978da9ac280c9fde1ae6d8580.zip" -> "graphql.cba38e0a7b86146fd8b46e381b65279f.zip"
        tags                           = {}
      ~ version                        = "58" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_COMMIT_SHA"                      = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
              ~ "DD_TAGS"                            = "git.commit.sha:c332228b120116c937a20169d95cc147203ba8ce,git.repository_url:github.com/usdigitalresponse/cpf-reporter" -> "git.commit.sha:53a2668b8b84e9238d070d3e02b4ed0827cfc65d,git.repository_url:github.com/usdigitalresponse/cpf-reporter"
              ~ "DD_VERSION"                         = "c332228b120116c937a20169d95cc147203ba8ce" -> "53a2668b8b84e9238d070d3e02b4ed0827cfc65d"
                # (17 unchanged elements hidden)
            }
        }

        # (4 unchanged blocks hidden)
    }

  # module.lambda_function-graphql.aws_lambda_permission.current_version_triggers["APIGateway"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "APIGateway" -> (known after apply)
      ~ qualifier           = "58" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 8 to add, 11 to change, 7 to destroy.

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration

@TylerHendrickson TylerHendrickson requested review from as1729 and a team January 27, 2024 01:47
@TylerHendrickson TylerHendrickson merged commit f46d5aa into main Jan 27, 2024
19 checks passed
@TylerHendrickson TylerHendrickson deleted the fix/prisma-migrate-in-console branch January 27, 2024 02:04