chore: GCForms release v3.5.0 #526
Production: ecr ✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_ecr_repository.viewer_repository will be updated in-place
~ resource "aws_ecr_repository" "viewer_repository" {
id = "form_viewer_production"
name = "form_viewer_production"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.viewer_repository"]
20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions

Production: hosted_zone ✅ Terraform Init: Plan: 0 to add, 1 to change, 1 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
- destroy
Terraform will perform the following actions:
# aws_route53_zone.form_viewer[0] will be updated in-place
~ resource "aws_route53_zone" "form_viewer" {
id = "Z1031499PBK3926Y7HKK"
name = "forms-formulaires.alpha.canada.ca"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (7 unchanged attributes hidden)
}
# aws_route53_zone.form_viewer[1] will be destroyed
# (because index [1] is out of range for count)
- resource "aws_route53_zone" "form_viewer" {
- arn = "arn:aws:route53:::hostedzone/Z0774184336K3QX9DUJ7E" -> null
- comment = "Managed by Terraform" -> null
- force_destroy = false -> null
- id = "Z0774184336K3QX9DUJ7E" -> null
- name = "forms-formulaires.canada.ca" -> null
- name_servers = [
- "ns-1218.awsdns-24.org",
- "ns-2042.awsdns-63.co.uk",
- "ns-26.awsdns-03.com",
- "ns-843.awsdns-41.net",
] -> null
- primary_name_server = "ns-2042.awsdns-63.co.uk" -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- zone_id = "Z0774184336K3QX9DUJ7E" -> null
}
Plan: 0 to add, 1 to change, 1 to destroy.
Changes to Outputs:
~ hosted_zone_ids = [
"Z1031499PBK3926Y7HKK",
- "Z0774184336K3QX9DUJ7E",
]
~ hosted_zone_names = [
"forms-formulaires.alpha.canada.ca",
- "forms-formulaires.canada.ca",
]
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_route53_zone.form_viewer[0]"]
20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions

Production: kms ✅ Terraform Init: Plan: 0 to add, 3 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_kms_key.cloudwatch will be updated in-place
~ resource "aws_kms_key" "cloudwatch" {
id = "b5973af1-3114-4808-9455-57441c35854d"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_kms_key.cloudwatch_us_east will be updated in-place
~ resource "aws_kms_key" "cloudwatch_us_east" {
id = "cd20da31-792b-421e-bd6e-e5b16fd791c9"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_kms_key.dynamo_db will be updated in-place
~ resource "aws_kms_key" "dynamo_db" {
id = "afbaea67-8277-4a4c-853e-7697dd2dade5"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.cloudwatch"]
WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.cloudwatch_us_east"]
WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.dynamo_db"]
22 tests, 19 passed, 3 warnings, 0 failures, 0 exceptions

Production: oidc_roles ✅ Terraform Init: Plan: 6 to add, 0 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_iam_policy.platform_forms_client_release[0] will be created
+ resource "aws_iam_policy" "platform_forms_client_release" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "platform-forms-client-release"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "ecr:UploadLayerPart",
+ "ecr:SetRepositoryPolicy",
+ "ecr:PutImage",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchGetImage",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchCheckLayerAvailability",
]
+ Effect = "Allow"
+ Resource = "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production"
},
+ {
+ Action = "ecr:GetAuthorizationToken"
+ Effect = "Allow"
+ Resource = "*"
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_iam_role_policy_attachment.forms_terraform_apply_release_admin[0] will be created
+ resource "aws_iam_role_policy_attachment" "forms_terraform_apply_release_admin" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ role = "forms-terraform-apply-release"
}
# aws_iam_role_policy_attachment.platform_forms_client_release[0] will be created
+ resource "aws_iam_role_policy_attachment" "platform_forms_client_release" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "platform-forms-client-release"
}
# module.github_workflow_roles.aws_iam_role.this["forms-terraform-apply-release"] will be created
+ resource "aws_iam_role" "this" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:cds-snc/forms-terraform:ref:refs/tags/v*"
}
}
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::957818836222:oidc-provider/token.actions.githubusercontent.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "forms-terraform-apply-release"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
# module.github_workflow_roles.aws_iam_role.this["platform-forms-client-pr-review-env"] will be created
+ resource "aws_iam_role" "this" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:cds-snc/platform-forms-client:pull_request"
}
}
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::957818836222:oidc-provider/token.actions.githubusercontent.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "platform-forms-client-pr-review-env"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
# module.github_workflow_roles.aws_iam_role.this["platform-forms-client-release"] will be created
+ resource "aws_iam_role" "this" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:cds-snc/platform-forms-client:ref:refs/tags/v*"
}
}
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::957818836222:oidc-provider/token.actions.githubusercontent.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "platform-forms-client-release"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
Plan: 6 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.platform_forms_client_release[0]"]
20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions

Production: sqs ✅ Terraform Init: Plan: 0 to add, 5 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_sqs_queue.audit_log_deadletter_queue will be updated in-place
~ resource "aws_sqs_queue" "audit_log_deadletter_queue" {
id = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_deadletter_queue"
name = "audit_log_deadletter_queue"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
# aws_sqs_queue.audit_log_queue will be updated in-place
~ resource "aws_sqs_queue" "audit_log_queue" {
id = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue"
name = "audit_log_queue"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
}
# aws_sqs_queue.reliability_deadletter_queue will be updated in-place
~ resource "aws_sqs_queue" "reliability_deadletter_queue" {
id = "https://sqs.ca-central-1.amazonaws.com/957818836222/reliability_deadletter_queue.fifo"
name = "reliability_deadletter_queue.fifo"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
}
# aws_sqs_queue.reliability_queue will be updated in-place
~ resource "aws_sqs_queue" "reliability_queue" {
id = "https://sqs.ca-central-1.amazonaws.com/957818836222/submission_processing.fifo"
name = "submission_processing.fifo"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_sqs_queue.reprocess_submission_queue will be updated in-place
~ resource "aws_sqs_queue" "reprocess_submission_queue" {
id = "https://sqs.ca-central-1.amazonaws.com/957818836222/reprocess_submission_queue.fifo"
name = "reprocess_submission_queue.fifo"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
Plan: 0 to add, 5 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reprocess_submission_queue"]
24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions

Production: secrets ✅ Terraform Init: Plan: 2 to add, 4 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# aws_secretsmanager_secret.notify_callback_bearer_token will be created
+ resource "aws_secretsmanager_secret" "notify_callback_bearer_token" {
+ arn = (known after apply)
+ force_overwrite_replica_secret = false
+ id = (known after apply)
+ name = "notify_callback_bearer_token"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ recovery_window_in_days = 0
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_secretsmanager_secret_version.freshdesk_api_key will be updated in-place
~ resource "aws_secretsmanager_secret_version" "freshdesk_api_key" {
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:freshdesk_api_key-2Q118n|050422F2-B95D-45CF-83EC-7F5D7B1A59A2"
# (5 unchanged attributes hidden)
}
# aws_secretsmanager_secret_version.notify_api_key will be updated in-place
~ resource "aws_secretsmanager_secret_version" "notify_api_key" {
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_api_key-sLtddr|EE73FE9C-4AE8-4807-8C62-583B67026995"
# (5 unchanged attributes hidden)
}
# aws_secretsmanager_secret_version.notify_callback_bearer_token will be created
+ resource "aws_secretsmanager_secret_version" "notify_callback_bearer_token" {
+ arn = (known after apply)
+ id = (known after apply)
+ secret_id = (known after apply)
+ secret_string = (sensitive value)
+ version_id = (known after apply)
+ version_stages = (known after apply)
}
# aws_secretsmanager_secret_version.recaptcha_secret will be updated in-place
~ resource "aws_secretsmanager_secret_version" "recaptcha_secret" {
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:recaptcha_secret-LxfCjN|967811CC-0531-47D8-8EBB-989DA955784C"
# (5 unchanged attributes hidden)
}
# aws_secretsmanager_secret_version.token_secret will be updated in-place
~ resource "aws_secretsmanager_secret_version" "token_secret" {
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:token_secret-jw4Dou|B98778D7-F936-4F7A-985E-CC38A5FA7213"
# (5 unchanged attributes hidden)
}
Plan: 2 to add, 4 to change, 0 to destroy.
Changes to Outputs:
+ notify_callback_bearer_token_secret_arn = (known after apply)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.freshdesk_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_callback_bearer_token"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.recaptcha_secret"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.token_secret"]
24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions

Production: s3 ✅ Terraform Init: Plan: 13 to add, 0 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_s3_bucket.lambda_code will be created
+ resource "aws_s3_bucket" "lambda_code" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "forms-production-lambda-code"
+ bucket_domain_name = (known after apply)
+ bucket_prefix = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = false
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
}
# aws_s3_bucket_lifecycle_configuration.archive_storage will be created
+ resource "aws_s3_bucket_lifecycle_configuration" "archive_storage" {
+ bucket = "forms-production-archive-storage"
+ id = (known after apply)
+ rule {
+ id = "Clear Archive Storage after 30 days"
+ status = "Enabled"
+ expiration {
+ days = 30
+ expired_object_delete_marker = (known after apply)
}
}
}
# aws_s3_bucket_lifecycle_configuration.reliability_file_storage will be created
+ resource "aws_s3_bucket_lifecycle_configuration" "reliability_file_storage" {
+ bucket = "forms-production-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ id = "Clear Reliability Queue after 30 days"
+ status = "Enabled"
+ expiration {
+ days = 30
+ expired_object_delete_marker = (known after apply)
}
}
}
# aws_s3_bucket_ownership_controls.archive_storage will be created
+ resource "aws_s3_bucket_ownership_controls" "archive_storage" {
+ bucket = "forms-production-archive-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerEnforced"
}
}
# aws_s3_bucket_ownership_controls.lambda_code will be created
+ resource "aws_s3_bucket_ownership_controls" "lambda_code" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerEnforced"
}
}
# aws_s3_bucket_ownership_controls.reliability_file_storage will be created
+ resource "aws_s3_bucket_ownership_controls" "reliability_file_storage" {
+ bucket = "forms-production-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerEnforced"
}
}
# aws_s3_bucket_ownership_controls.vault_file_storage will be created
+ resource "aws_s3_bucket_ownership_controls" "vault_file_storage" {
+ bucket = "forms-production-vault-file-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerEnforced"
}
}
# aws_s3_bucket_public_access_block.lambda_code will be created
+ resource "aws_s3_bucket_public_access_block" "lambda_code" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
# aws_s3_bucket_server_side_encryption_configuration.archive_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "archive_storage" {
+ bucket = "forms-production-archive-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_server_side_encryption_configuration.lambda_code will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "lambda_code" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_server_side_encryption_configuration.reliability_file_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "reliability_file_storage" {
+ bucket = "forms-production-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_server_side_encryption_configuration.vault_file_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "vault_file_storage" {
+ bucket = "forms-production-vault-file-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_versioning.lambda_code will be created
+ resource "aws_s3_bucket_versioning" "lambda_code" {
+ bucket = (known after apply)
+ id = (known after apply)
+ versioning_configuration {
+ mfa_delete = (known after apply)
+ status = "Enabled"
}
}
Plan: 13 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ lambda_code_arn = (known after apply)
+ lambda_code_id = (known after apply)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.archive_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.lambda_code"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.reliability_file_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.vault_file_storage"]
23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions

Production: sns ✅ Terraform Init: Plan: 0 to add, 5 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_sns_topic.alert_critical will be updated in-place
~ resource "aws_sns_topic" "alert_critical" {
id = "arn:aws:sns:ca-central-1:957818836222:alert-critical"
name = "alert-critical"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
# aws_sns_topic.alert_ok will be updated in-place
~ resource "aws_sns_topic" "alert_ok" {
id = "arn:aws:sns:ca-central-1:957818836222:alert-ok"
name = "alert-ok"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
# aws_sns_topic.alert_ok_us_east will be updated in-place
~ resource "aws_sns_topic" "alert_ok_us_east" {
id = "arn:aws:sns:us-east-1:957818836222:alert-ok"
name = "alert-ok"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
# aws_sns_topic.alert_warning will be updated in-place
~ resource "aws_sns_topic" "alert_warning" {
id = "arn:aws:sns:ca-central-1:957818836222:alert-warning"
name = "alert-warning"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
# aws_sns_topic.alert_warning_us_east will be updated in-place
~ resource "aws_sns_topic" "alert_warning_us_east" {
id = "arn:aws:sns:us-east-1:957818836222:alert-warning"
name = "alert-warning"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (13 unchanged attributes hidden)
}
Plan: 0 to add, 5 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.alert_critical"]
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.alert_ok"]
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.alert_ok_us_east"]
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.alert_warning"]
WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.alert_warning_us_east"]
24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions

Production: cognito ✅ Terraform Init: Plan: 2 to add, 13 to change, 3 to destroy
Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.cognito_lambda_kms will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "cognito_lambda_kms" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "kms:Decrypt",
+ "kms:Encrypt",
+ "kms:GenerateDataKey",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:kms:ca-central-1:957818836222:key/632f1017-9281-41b3-8f25-56c6f81843a6",
]
}
}
# aws_cloudwatch_log_group.cognito_email_sender will be updated in-place
~ resource "aws_cloudwatch_log_group" "cognito_email_sender" {
id = "/aws/lambda/Cognito_Email_Sender"
name = "/aws/lambda/Cognito_Email_Sender"
~ retention_in_days = 90 -> 731
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (4 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.cognito_pre_sign_up will be updated in-place
~ resource "aws_cloudwatch_log_group" "cognito_pre_sign_up" {
id = "/aws/lambda/Cognito_Pre_Sign_Up"
name = "/aws/lambda/Cognito_Pre_Sign_Up"
~ retention_in_days = 90 -> 731
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (4 unchanged attributes hidden)
}
# aws_cognito_user_pool.forms will be updated in-place
~ resource "aws_cognito_user_pool" "forms" {
id = "ca-central-1_eSTGTCw33"
name = "forms_user_pool"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (10 unchanged attributes hidden)
# (6 unchanged blocks hidden)
}
# aws_cognito_user_pool_client.forms will be updated in-place
~ resource "aws_cognito_user_pool_client" "forms" {
~ callback_urls = [
- "https://forms-formulaires.canada.ca/api/auth/callback/cognito",
# (2 unchanged elements hidden)
]
id = "5rkjd3us3ocssieiitdbtjitiv"
name = "forms_client"
# (16 unchanged attributes hidden)
}
# aws_iam_policy.cognito_lambda_kms will be updated in-place
~ resource "aws_iam_policy" "cognito_lambda_kms" {
id = "arn:aws:iam::957818836222:policy/cognito_lambda_kms"
name = "cognito_lambda_kms"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = [
- "kms:GenerateDataKey",
- "kms:Encrypt",
- "kms:Decrypt",
]
- Effect = "Allow"
- Resource = "arn:aws:kms:ca-central-1:957818836222:key/632f1017-9281-41b3-8f25-56c6f81843a6"
- Sid = ""
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
}
# aws_iam_policy.cognito_lambda_logging will be updated in-place
~ resource "aws_iam_policy" "cognito_lambda_logging" {
id = "arn:aws:iam::957818836222:policy/cognito_lambda_logging"
name = "cognito_lambda_logging"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.cognito_lambda_secrets will be updated in-place
~ resource "aws_iam_policy" "cognito_lambda_secrets" {
id = "arn:aws:iam::957818836222:policy/cognito_lambda_secrets"
name = "cognito_lambda_secrets"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f" -> "arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_api_key-sLtddr"
- Sid = ""
# (2 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
}
# aws_iam_policy.cognito_userpool_import_logging will be updated in-place
~ resource "aws_iam_policy" "cognito_userpool_import_logging" {
id = "arn:aws:iam::957818836222:policy/cognito_userpool_import_logging"
name = "cognito_userpool_import_logging"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.lambda_s3 will be created
+ resource "aws_iam_policy" "lambda_s3" {
+ arn = (known after apply)
+ description = "IAM policy for storing files in S3"
+ id = (known after apply)
+ name = "cognito_lambda_s3"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "s3:PutObject",
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:DeleteObject",
]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::forms-staging-lambda-code/*",
+ "arn:aws:s3:::forms-staging-lambda-code",
]
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_iam_role.cognito_lambda will be updated in-place
~ resource "aws_iam_role" "cognito_lambda" {
id = "iam_for_cognito_lambda"
name = "iam_for_cognito_lambda"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.cognito_userpool_import will be updated in-place
~ resource "aws_iam_role" "cognito_userpool_import" {
id = "role_for_cognito_user_pool_import"
name = "role_for_cognito_user_pool_import"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_kms_key.cognito_encryption will be updated in-place
~ resource "aws_kms_key" "cognito_encryption" {
id = "632f1017-9281-41b3-8f25-56c6f81843a6"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_lambda_function.cognito_email_sender will be updated in-place
~ resource "aws_lambda_function" "cognito_email_sender" {
- filename = "/tmp/cognito_email_sender_main.zip" -> null
id = "Cognito_Email_Sender"
~ last_modified = "2023-10-05T18:39:35.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:957818836222:layer:cognito_email_sender_node_packages:6",
]
~ runtime = "nodejs16.x" -> "nodejs18.x"
+ s3_bucket = "forms-staging-lambda-code"
+ s3_key = "cognito_email_sender_code"
+ s3_object_version = (known after apply)
~ source_code_hash = "Au9QF/JOavDRQ5VevDLPhwxxPe8omiNw08gEHhHx55Q=" -> "JQU+xOvCFaZHW/kdM3TnHxkFnJXz/ytxiRXLMJzpxF0="
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
~ environment {
~ variables = {
~ "NOTIFY_API_KEY" = (sensitive value)
# (3 unchanged elements hidden)
}
}
# (2 unchanged blocks hidden)
}
# aws_lambda_function.cognito_pre_sign_up will be updated in-place
~ resource "aws_lambda_function" "cognito_pre_sign_up" {
id = "Cognito_Pre_Sign_Up"
~ runtime = "nodejs16.x" -> "nodejs18.x"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (21 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_layer_version.cognito_email_sender_nodejs will be destroyed
# (because aws_lambda_layer_version.cognito_email_sender_nodejs is not in configuration)
- resource "aws_lambda_layer_version" "cognito_email_sender_nodejs" {
- arn = "arn:aws:lambda:ca-central-1:957818836222:layer:cognito_email_sender_node_packages:6" -> null
- compatible_architectures = [] -> null
- compatible_runtimes = [
- "nodejs16.x",
] -> null
- created_date = "2023-09-19T18:53:44.051+0000" -> null
- filename = "/tmp/cognito_email_sender_nodejs.zip" -> null
- id = "arn:aws:lambda:ca-central-1:957818836222:layer:cognito_email_sender_node_packages:6" -> null
- layer_arn = "arn:aws:lambda:ca-central-1:957818836222:layer:cognito_email_sender_node_packages" -> null
- layer_name = "cognito_email_sender_node_packages" -> null
- skip_destroy = false -> null
- source_code_hash = "qs5cRdZWWVSfafohxew27cuy4hk3mS87FPivY+FhcwQ=" -> null
- source_code_size = 14750107 -> null
- version = "6" -> null
}
# aws_s3_object.cognito_email_sender_code will be created
+ resource "aws_s3_object" "cognito_email_sender_code" {
+ acl = (known after apply)
+ bucket = "forms-staging-lambda-code"
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = (known after apply)
+ etag = (known after apply)
+ force_destroy = false
+ id = (known after apply)
+ key = "cognito_email_sender_code"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "/tmp/cognito_email_sender.zip"
+ source_hash = "JQU+xOvCFaZHW/kdM3TnHxkFnJXz/ytxiRXLMJzpxF0="
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_secretsmanager_secret.cognito_notify_api_key will be destroyed
# (because aws_secretsmanager_secret.cognito_notify_api_key is not in configuration)
- resource "aws_secretsmanager_secret" "cognito_notify_api_key" {
- arn = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f" -> null
- force_overwrite_replica_secret = false -> null
- id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f" -> null
- name = "cognito_notify_api_key" -> null
- recovery_window_in_days = 0 -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
}
# aws_secretsmanager_secret_version.cognito_notify_api_key will be destroyed
# (because aws_secretsmanager_secret_version.cognito_notify_api_key is not in configuration)
- resource "aws_secretsmanager_secret_version" "cognito_notify_api_key" {
- arn = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f" -> null
- id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f|95DD5E13-0829-49EF-93EF-4B5AA3BA58ED" -> null
- secret_id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:cognito_notify_api_key-M0cR8f" -> null
- secret_string = (sensitive value) -> null
- version_id = "95DD5E13-0829-49EF-93EF-4B5AA3BA58ED" -> null
- version_stages = [
- "AWSCURRENT",
] -> null
}
Plan: 2 to add, 13 to change, 3 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.cognito_email_sender"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.cognito_pre_sign_up"]
WARN - plan.json - main - Missing Common Tags: ["aws_cognito_user_pool.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito_lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito_lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito_lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito_userpool_import_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.cognito_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.cognito_userpool_import"]
WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.cognito_encryption"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.cognito_email_sender"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.cognito_pre_sign_up"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.cognito_email_sender_code"]
33 tests, 19 passed, 14 warnings, 0 failures, 0 exceptions
Production: network
✅ Terraform Init: Plan: 0 to add, 38 to change, 1 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
- destroy
<= read (data resources)
Terraform will perform the following actions:
# data.aws_subnets.ecr_endpoint_available will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_subnets" "ecr_endpoint_available" {
+ id = (known after apply)
+ ids = (known after apply)
+ tags = (known after apply)
+ filter {
+ name = "availability-zone"
+ values = [
+ "ca-central-1a",
+ "ca-central-1b",
]
}
+ filter {
+ name = "tag:Access"
+ values = [
+ "private",
]
}
+ filter {
+ name = "vpc-id"
+ values = [
+ "vpc-0e852a6f3554a8bca",
]
}
}
# data.aws_subnets.lambda_endpoint_available will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_subnets" "lambda_endpoint_available" {
+ id = (known after apply)
+ ids = (known after apply)
+ tags = (known after apply)
+ filter {
+ name = "availability-zone"
+ values = [
+ "ca-central-1a",
+ "ca-central-1b",
]
}
+ filter {
+ name = "tag:Access"
+ values = [
+ "private",
]
}
+ filter {
+ name = "vpc-id"
+ values = [
+ "vpc-0e852a6f3554a8bca",
]
}
}
# aws_cloudwatch_log_group.vpc_flow_logs will be destroyed
# (because aws_cloudwatch_log_group.vpc_flow_logs is not in configuration)
- resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
- arn = "arn:aws:logs:ca-central-1:957818836222:log-group:vpc_flow_logs" -> null
- id = "vpc_flow_logs" -> null
- kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d" -> null
- log_group_class = "STANDARD" -> null
- name = "vpc_flow_logs" -> null
- retention_in_days = 30 -> null
- skip_destroy = false -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
}
# aws_default_network_acl.forms will be updated in-place
~ resource "aws_default_network_acl" "forms" {
id = "acl-054bdb4f6351cf6e8"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# aws_default_security_group.default will be updated in-place
~ resource "aws_default_security_group" "default" {
id = "sg-027a790f905adbb8e"
name = "default"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_eip.forms_natgw[0] will be updated in-place
~ resource "aws_eip" "forms_natgw" {
id = "eipalloc-08d3d2a884ec58cc8"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW 0"
- "Terraform" = "true" -> null
}
# (12 unchanged attributes hidden)
}
# aws_eip.forms_natgw[1] will be updated in-place
~ resource "aws_eip" "forms_natgw" {
id = "eipalloc-0329d2be583e03c20"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW 1"
- "Terraform" = "true" -> null
}
# (12 unchanged attributes hidden)
}
# aws_eip.forms_natgw[2] will be updated in-place
~ resource "aws_eip" "forms_natgw" {
id = "eipalloc-060ce086e80bc118a"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW 2"
- "Terraform" = "true" -> null
}
# (12 unchanged attributes hidden)
}
# aws_flow_log.vpc_flow_logs will be updated in-place
~ resource "aws_flow_log" "vpc_flow_logs" {
id = "fl-065bf4e6e6ce5d704"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_internet_gateway.forms will be updated in-place
~ resource "aws_internet_gateway" "forms" {
id = "igw-023ce972ab41e75de"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms"
- "Terraform" = "true" -> null
}
# (4 unchanged attributes hidden)
}
# aws_nat_gateway.forms[0] will be updated in-place
~ resource "aws_nat_gateway" "forms" {
id = "nat-071055050cf485fc9"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW"
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_nat_gateway.forms[1] will be updated in-place
~ resource "aws_nat_gateway" "forms" {
id = "nat-04e2b29333e84d271"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW"
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_nat_gateway.forms[2] will be updated in-place
~ resource "aws_nat_gateway" "forms" {
id = "nat-0adb087cdb234415e"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms NAT GW"
- "Terraform" = "true" -> null
}
# (11 unchanged attributes hidden)
}
# aws_route_table.forms_private_subnet[0] will be updated in-place
~ resource "aws_route_table" "forms_private_subnet" {
id = "rtb-000360ffc3d5ded7d"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet Route Table 0"
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_route_table.forms_private_subnet[1] will be updated in-place
~ resource "aws_route_table" "forms_private_subnet" {
id = "rtb-07180f7c036aeb396"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet Route Table 1"
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_route_table.forms_private_subnet[2] will be updated in-place
~ resource "aws_route_table" "forms_private_subnet" {
id = "rtb-0670bdf15c614fd97"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet Route Table 2"
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_route_table.forms_public_subnet will be updated in-place
~ resource "aws_route_table" "forms_public_subnet" {
id = "rtb-0fc60a97f9ae525e0"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Public Subnet Route Table"
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_security_group.forms will be updated in-place
~ resource "aws_security_group" "forms" {
id = "sg-0155dac5ed87643b8"
name = "forms"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_security_group.forms_database will be updated in-place
~ resource "aws_security_group" "forms_database" {
id = "sg-0603a6edcc9e34d98"
name = "forms-database"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_security_group.forms_egress will be updated in-place
~ resource "aws_security_group" "forms_egress" {
id = "sg-0c7360a0f85a6029d"
name = "egress-anywhere"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_security_group.forms_load_balancer will be updated in-place
~ resource "aws_security_group" "forms_load_balancer" {
id = "sg-01b5880f792f4ec91"
name = "forms-load-balancer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_security_group.forms_redis will be updated in-place
~ resource "aws_security_group" "forms_redis" {
id = "sg-0388290614e570375"
name = "forms-redis"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_security_group.privatelink will be updated in-place
~ resource "aws_security_group" "privatelink" {
id = "sg-0799d12ff9d17bded"
name = "privatelink"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
}
# aws_subnet.forms_private[0] will be updated in-place
~ resource "aws_subnet" "forms_private" {
id = "subnet-066cf27132a20a02a"
~ tags = {
"Access" = "private"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet 01"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_subnet.forms_private[1] will be updated in-place
~ resource "aws_subnet" "forms_private" {
id = "subnet-05b9cd59ad60e88af"
~ tags = {
"Access" = "private"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet 02"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_subnet.forms_private[2] will be updated in-place
~ resource "aws_subnet" "forms_private" {
id = "subnet-025adc92b0ee815ba"
~ tags = {
"Access" = "private"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Private Subnet 03"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_subnet.forms_public[0] will be updated in-place
~ resource "aws_subnet" "forms_public" {
id = "subnet-0133239e9f30e9b85"
~ tags = {
"Access" = "public"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Public Subnet 01"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_subnet.forms_public[1] will be updated in-place
~ resource "aws_subnet" "forms_public" {
id = "subnet-0251ed3bd219fb8e4"
~ tags = {
"Access" = "public"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Public Subnet 02"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_subnet.forms_public[2] will be updated in-place
~ resource "aws_subnet" "forms_public" {
id = "subnet-01cc2a8428d4971fc"
~ tags = {
"Access" = "public"
- "CostCentre" = "forms-platform-production" -> null
"Name" = "Public Subnet 03"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
}
# aws_vpc.forms will be updated in-place
~ resource "aws_vpc" "forms" {
id = "vpc-0e852a6f3554a8bca"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms"
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
}
# aws_vpc_endpoint.dynamodb will be updated in-place
~ resource "aws_vpc_endpoint" "dynamodb" {
id = "vpce-0a174a7ed4eb0e1df"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
}
# aws_vpc_endpoint.ecr-api will be updated in-place
~ resource "aws_vpc_endpoint" "ecr-api" {
id = "vpce-0be31e055c8632c41"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.ecr-dkr will be updated in-place
~ resource "aws_vpc_endpoint" "ecr-dkr" {
id = "vpce-0112e82a947a58d99"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.kms will be updated in-place
~ resource "aws_vpc_endpoint" "kms" {
id = "vpce-01823afab34fa01b8"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.lambda will be updated in-place
~ resource "aws_vpc_endpoint" "lambda" {
id = "vpce-09edc14f3327ad9af"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.logs will be updated in-place
~ resource "aws_vpc_endpoint" "logs" {
id = "vpce-0510598639c5d4b1e"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.monitoring will be updated in-place
~ resource "aws_vpc_endpoint" "monitoring" {
id = "vpce-0d2d7991102b71192"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.rds will be updated in-place
~ resource "aws_vpc_endpoint" "rds" {
id = "vpce-034bdcb2f931edfb6"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.s3 will be updated in-place
~ resource "aws_vpc_endpoint" "s3" {
id = "vpce-0454046d5763f35a5"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
}
# aws_vpc_endpoint.secretsmanager will be updated in-place
~ resource "aws_vpc_endpoint" "secretsmanager" {
id = "vpce-0a905000c1bcc3235"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_vpc_endpoint.sqs will be updated in-place
~ resource "aws_vpc_endpoint" "sqs" {
id = "vpce-0c9ca7adb924ca99f"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 38 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_default_network_acl.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_default_security_group.default"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_flow_log.vpc_flow_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_internet_gateway.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_public_subnet"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_database"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_egress"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_load_balancer"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_redis"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.privatelink"]
WARN - plan.json - main - Missing Common Tags: ["aws_subnet.forms_private[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_subnet.forms_private[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_subnet.forms_private[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_subnet.forms_public[0]"]
WARN - plan.json - main - Missing Common Tags:...
Production: dynamodb
✅ Terraform Init: Plan: 0 to add, 3 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_dynamodb_table.audit_logs will be updated in-place
~ resource "aws_dynamodb_table" "audit_logs" {
~ deletion_protection_enabled = false -> true
id = "AuditLogs"
name = "AuditLogs"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (12 unchanged attributes hidden)
# (7 unchanged blocks hidden)
}
# aws_dynamodb_table.reliability_queue will be updated in-place
~ resource "aws_dynamodb_table" "reliability_queue" {
~ deletion_protection_enabled = false -> true
id = "ReliabilityQueue"
name = "ReliabilityQueue"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# aws_dynamodb_table.vault will be updated in-place
~ resource "aws_dynamodb_table" "vault" {
~ deletion_protection_enabled = false -> true
id = "Vault"
name = "Vault"
+ stream_arn = (known after apply)
~ stream_enabled = false -> true
+ stream_view_type = "NEW_AND_OLD_IMAGES"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (8 unchanged attributes hidden)
# (11 unchanged blocks hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
Changes to Outputs:
+ dynamodb_vault_stream_arn = (known after apply)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.vault"]
22 tests, 19 passed, 3 warnings, 0 failures, 0 exceptions
Production: load_balancer
✅ Terraform Init: Plan: 20 to add, 15 to change, 3 to destroy
✂ Warning: plan has been truncated! See the full plan in the logs.
Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.allow_cloudfront_to_access_static_website_in_s3 will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "allow_cloudfront_to_access_static_website_in_s3" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:GetObject",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ principals {
+ identifiers = [
+ (known after apply),
]
+ type = "AWS"
}
}
}
# aws_acm_certificate.form_viewer will be updated in-place
~ resource "aws_acm_certificate" "form_viewer" {
id = "arn:aws:acm:ca-central-1:957818836222:certificate/71036e98-a054-4f6c-acf5-1024111a9af8"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_acm_certificate.form_viewer_maintenance_mode will be created
+ resource "aws_acm_certificate" "form_viewer_maintenance_mode" {
+ arn = (known after apply)
+ domain_name = "forms-formulaires.alpha.canada.ca"
+ domain_validation_options = [
+ {
+ domain_name = "forms-formulaires.alpha.canada.ca"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ key_algorithm = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ pending_renewal = (known after apply)
+ renewal_eligibility = (known after apply)
+ renewal_summary = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = [
+ "forms-formulaires.alpha.canada.ca",
]
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ type = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
}
# aws_acm_certificate_validation.form_viewer_maintenance_mode_cloudfront_certificate will be created
+ resource "aws_acm_certificate_validation" "form_viewer_maintenance_mode_cloudfront_certificate" {
+ certificate_arn = (known after apply)
+ id = (known after apply)
+ validation_record_fqdns = (known after apply)
}
# aws_cloudfront_distribution.maintenance_mode will be created
+ resource "aws_cloudfront_distribution" "maintenance_mode" {
+ aliases = [
+ "forms-formulaires.alpha.canada.ca",
]
+ arn = (known after apply)
+ caller_reference = (known after apply)
+ continuous_deployment_policy_id = (known after apply)
+ default_root_object = "index.html"
+ domain_name = (known after apply)
+ enabled = true
+ etag = (known after apply)
+ hosted_zone_id = (known after apply)
+ http_version = "http2"
+ id = (known after apply)
+ in_progress_validation_batches = (known after apply)
+ is_ipv6_enabled = false
+ last_modified_time = (known after apply)
+ price_class = "PriceClass_100"
+ retain_on_delete = false
+ staging = false
+ status = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ trusted_key_groups = (known after apply)
+ trusted_signers = (known after apply)
+ wait_for_deployment = true
+ web_acl_id = (known after apply)
+ default_cache_behavior {
+ allowed_methods = [
+ "GET",
+ "HEAD",
]
+ cached_methods = [
+ "GET",
+ "HEAD",
]
+ compress = true
+ default_ttl = 3600
+ max_ttl = 86400
+ min_ttl = 0
+ target_origin_id = "MaintenanceMode"
+ trusted_key_groups = (known after apply)
+ trusted_signers = (known after apply)
+ viewer_protocol_policy = "redirect-to-https"
+ forwarded_values {
+ headers = (known after apply)
+ query_string = false
+ query_string_cache_keys = (known after apply)
+ cookies {
+ forward = "none"
+ whitelisted_names = (known after apply)
}
}
}
+ origin {
+ connection_attempts = 3
+ connection_timeout = 10
+ domain_name = (known after apply)
+ origin_id = "MaintenanceMode"
+ s3_origin_config {
+ origin_access_identity = (known after apply)
}
}
+ restrictions {
+ geo_restriction {
+ locations = (known after apply)
+ restriction_type = "none"
}
}
+ viewer_certificate {
+ acm_certificate_arn = (known after apply)
+ minimum_protocol_version = "TLSv1.2_2019"
+ ssl_support_method = "sni-only"
}
}
# aws_cloudfront_origin_access_identity.maintenance_mode will be created
+ resource "aws_cloudfront_origin_access_identity" "maintenance_mode" {
+ caller_reference = (known after apply)
+ cloudfront_access_identity_path = (known after apply)
+ comment = "Access Identity for the Maintenance Website"
+ etag = (known after apply)
+ iam_arn = (known after apply)
+ id = (known after apply)
+ s3_canonical_user_id = (known after apply)
}
# aws_iam_role.firehose_waf_logs will be updated in-place
~ resource "aws_iam_role" "firehose_waf_logs" {
id = "firehose_waf_logs"
name = "firehose_waf_logs"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_kinesis_firehose_delivery_stream.firehose_waf_logs will be updated in-place
~ resource "aws_kinesis_firehose_delivery_stream" "firehose_waf_logs" {
id = "arn:aws:firehose:ca-central-1:957818836222:deliverystream/aws-waf-logs-forms"
name = "aws-waf-logs-forms"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lb.form_viewer will be updated in-place
~ resource "aws_lb" "form_viewer" {
id = "arn:aws:elasticloadbalancing:ca-central-1:957818836222:loadbalancer/app/form-viewer/ef2ad28d416e7d87"
name = "form-viewer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "form_viewer"
- "Terraform" = "true" -> null
}
# (22 unchanged attributes hidden)
# (5 unchanged blocks hidden)
}
# aws_lb_listener.form_viewer_http will be updated in-place
~ resource "aws_lb_listener" "form_viewer_http" {
id = "arn:aws:elasticloadbalancing:ca-central-1:957818836222:listener/app/form-viewer/ef2ad28d416e7d87/5a5321156d4692bb"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_lb_listener.form_viewer_https will be updated in-place
~ resource "aws_lb_listener" "form_viewer_https" {
id = "arn:aws:elasticloadbalancing:ca-central-1:957818836222:listener/app/form-viewer/ef2ad28d416e7d87/6cbbf9263c624fe9"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (7 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lb_target_group.form_viewer_1 will be updated in-place
~ resource "aws_lb_target_group" "form_viewer_1" {
id = "arn:aws:elasticloadbalancing:ca-central-1:957818836222:targetgroup/form-viewer/8dac72758c8ecdcc"
name = "form-viewer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "form_viewer_1"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
~ health_check {
~ matcher = "301,200" -> "200"
# (8 unchanged attributes hidden)
}
# (3 unchanged blocks hidden)
}
# aws_lb_target_group.form_viewer_2 will be updated in-place
~ resource "aws_lb_target_group" "form_viewer_2" {
id = "arn:aws:elasticloadbalancing:ca-central-1:957818836222:targetgroup/form-viewer-2/a03ac97959b5fb63"
name = "form-viewer-2"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "form_viewer_2"
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
~ health_check {
~ matcher = "301,200" -> "200"
# (8 unchanged attributes hidden)
}
# (3 unchanged blocks hidden)
}
# aws_route53_record.form_viewer[0] will be updated in-place
~ resource "aws_route53_record" "form_viewer" {
id = "Z1031499PBK3926Y7HKK_forms-formulaires.alpha.canada.ca_A"
name = "forms-formulaires.alpha.canada.ca"
+ set_identifier = "form_viewer_forms-formulaires.alpha.canada.ca_primary"
# (6 unchanged attributes hidden)
+ failover_routing_policy {
+ type = "PRIMARY"
}
# (1 unchanged block hidden)
}
# aws_route53_record.form_viewer[1] will be destroyed
# (because index [1] is out of range for count)
- resource "aws_route53_record" "form_viewer" {
- fqdn = "forms-formulaires.canada.ca" -> null
- id = "Z0774184336K3QX9DUJ7E_forms-formulaires.canada.ca_A" -> null
- multivalue_answer_routing_policy = false -> null
- name = "forms-formulaires.canada.ca" -> null
- records = [] -> null
- ttl = 0 -> null
- type = "A" -> null
- zone_id = "Z0774184336K3QX9DUJ7E" -> null
- alias {
- evaluate_target_health = true -> null
- name = "form-viewer-1039776084.ca-central-1.elb.amazonaws.com" -> null
- zone_id = "ZQSVJUPU6J1EY" -> null
}
}
# aws_route53_record.form_viewer_maintenance[0] will be created
+ resource "aws_route53_record" "form_viewer_maintenance" {
+ allow_overwrite = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = "forms-formulaires.alpha.canada.ca"
+ set_identifier = "form_viewer_forms-formulaires.alpha.canada.ca_secondary"
+ type = "A"
+ zone_id = "Z1031499PBK3926Y7HKK"
+ alias {
+ evaluate_target_health = false
+ name = (known after apply)
+ zone_id = (known after apply)
}
+ failover_routing_policy {
+ type = "SECONDARY"
}
}
# aws_route53_record.form_viewer_maintenance_mode_certificate_validation["forms-formulaires.alpha.canada.ca"] will be created
+ resource "aws_route53_record" "form_viewer_maintenance_mode_certificate_validation" {
+ allow_overwrite = true
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ records = (known after apply)
+ ttl = 60
+ type = (known after apply)
+ zone_id = "Z1031499PBK3926Y7HKK"
}
# aws_s3_bucket.firehose_waf_logs will be destroyed
# (because aws_s3_bucket.firehose_waf_logs is not in configuration)
- resource "aws_s3_bucket" "firehose_waf_logs" {
- acl = "private" -> null
- arn = "arn:aws:s3:::forms-waf-logs" -> null
- bucket = "forms-waf-logs" -> null
- bucket_domain_name = "forms-waf-logs.s3.amazonaws.com" -> null
- bucket_regional_domain_name = "forms-waf-logs.s3.ca-central-1.amazonaws.com" -> null
- force_destroy = false -> null
- hosted_zone_id = "Z1QDHH18159H29" -> null
- id = "forms-waf-logs" -> null
- object_lock_enabled = false -> null
- region = "ca-central-1" -> null
- request_payer = "BucketOwner" -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- grant {
- id = "9a5058ac2253284c428c54c019d006666ef3eb73e380322b05c715157b6c384a" -> null
- permissions = [
- "FULL_CONTROL",
] -> null
- type = "CanonicalUser" -> null
}
- lifecycle_rule {
- abort_incomplete_multipart_upload_days = 0 -> null
- enabled = true -> null
- id = "tf-s3-lifecycle-20211122163203859500000001" -> null
- tags = {} -> null
- expiration {
- days = 90 -> null
- expired_object_delete_marker = false -> null
}
}
- server_side_encryption_configuration {
- rule {
- bucket_key_enabled = false -> null
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256" -> null
}
}
}
- versioning {
- enabled = false -> null
- mfa_delete = false -> null
}
}
# aws_s3_bucket.maintenance_mode will be created
+ resource "aws_s3_bucket" "maintenance_mode" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "gc-forms-production-application-maintenance-page"
+ bucket_domain_name = (known after apply)
+ bucket_prefix = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = false
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
}
# aws_s3_bucket_ownership_controls.maintenance_mode will be created
+ resource "aws_s3_bucket_ownership_controls" "maintenance_mode" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerEnforced"
}
}
# aws_s3_bucket_policy.allow_cloudfront_to_access_static_website_in_s3 will be created
+ resource "aws_s3_bucket_policy" "allow_cloudfront_to_access_static_website_in_s3" {
+ bucket = (known after apply)
+ id = (known after apply)
+ policy = (known after apply)
}
# aws_s3_bucket_public_access_block.firehose_waf_logs will be destroyed
# (because aws_s3_bucket_public_access_block.firehose_waf_logs is not in configuration)
- resource "aws_s3_bucket_public_access_block" "firehose_waf_logs" {
- block_public_acls = true -> null
- block_public_policy = true -> null
- bucket = "forms-waf-logs" -> null
- id = "forms-waf-logs" -> null
- ignore_public_acls = true -> null
- restrict_public_buckets = true -> null
}
# aws_s3_bucket_public_access_block.maintenance_mode will be created
+ resource "aws_s3_bucket_public_access_block" "maintenance_mode" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
# aws_s3_bucket_server_side_encryption_configuration.maintenance_mode will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "maintenance_mode" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_website_configuration.maintenance_mode will be created
+ resource "aws_s3_bucket_website_configuration" "maintenance_mode" {
+ bucket = (known after apply)
+ id = (known after apply)
+ routing_rules = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ index_document {
+ suffix = "index.html"
}
}
# aws_s3_object.maintenance_static_page_css_files["style.css"] will be created
+ resource "aws_s3_object" "maintenance_static_page_css_files" {
+ acl = (known after apply)
+ bucket = (known after apply)
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = "text/css"
+ etag = "92fa1c75f720e83330756f94b06aa8bf"
+ force_destroy = false
+ id = (known after apply)
+ key = "style.css"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "./static_website/style.css"
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_s3_object.maintenance_static_page_html_files["index-fr.html"] will be created
+ resource "aws_s3_object" "maintenance_static_page_html_files" {
+ acl = (known after apply)
+ bucket = (known after apply)
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = "text/html"
+ etag = "5c195ef016b9e898437a543aba2301ac"
+ force_destroy = false
+ id = (known after apply)
+ key = "index-fr.html"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "./static_website/index-fr.html"
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_s3_object.maintenance_static_page_html_files["index.html"] will be created
+ resource "aws_s3_object" "maintenance_static_page_html_files" {
+ acl = (known after apply)
+ bucket = (known after apply)
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = "text/html"
+ etag = "f15e6aa2fd75c9b6b97d93d2b1fedfbd"
+ force_destroy = false
+ id = (known after apply)
+ key = "index.html"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "./static_website/index.html"
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_s3_object.maintenance_static_page_ico_files["favicon.ico"] will be created
+ resource "aws_s3_object" "maintenance_static_page_ico_files" {
+ acl = (known after apply)
+ bucket = (known after apply)
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = "image/png"
+ etag = "58bd7822fbbd5642104beae2b25a1b5b"
+ force_destroy = false
+ id = (known after apply)
+ key = "favicon.ico"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "./static_website/favicon.ico"
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_s3_object.maintenance_static_page_svg_files["site-unavailable.svg"] will be created
+ resource "aws_s3_object" "maintenance_static_page_svg_files" {
+ acl = (known after apply)
+ bucket = (known after apply)
+ bucket_key_enabled = (known after apply)
+ checksum_crc32 = (known after apply)
+ checksum_crc32c = (known after apply)
+ checksum_sha1 = (known after apply)
+ checksum_sha256 = (known after apply)
+ content_type = "image/svg+xml"
+ etag = "1d263a8e324e88ea09c9b630de277c45"
+ force_destroy = false
+ id = (known after apply)
+ key = "site-unavailable.svg"
+ kms_key_id = (known after apply)
+ server_side_encryption = (known after apply)
+ source = "./static_website/site-unavailable.svg"
+ storage_class = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ version_id = (known after apply)
}
# aws_shield_protection.alb will be updated in-place
~ resource "aws_shield_protection" "alb" {
id = "226e4196-5d94-447d-a43b-ed55167f7abb"
name = "LoadBalancer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (3 unchanged attributes hidden)
}
# aws_shield_protection.route53_hosted_zone[0] will be updated in-place
~ resource "aws_shield_protection" "route53_hosted_zone" {
id = "abb8c7ef-5e58-4b87-afe6-2eeb93734f51"
name = "Route53HostedZone"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (3 unchanged attributes hidden)
}
# aws_shield_protection.route53_hosted_zone[1] will be updated in-place
~ resource "aws_shield_protection" "route53_hosted_zone" {
id = "d363bd65-e6a1-4084-82d7-42fc99c81ad5"
name = "Route53HostedZone"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (3 unchanged attributes hidden)
}
# aws_wafv2_regex_pattern_set.cognito_login_paths will be created
+ resource "aws_wafv2_regex_pattern_set" "cognito_login_paths" {
+ arn = (known after apply)
+ description = "Regex to match the login URIs"
+ id = (known after apply)
+ lock_token = (known after apply)
+ name = "cognito_login_paths"
+ scope = "REGIONAL"
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ regular_expression {
+ regex_string = "^\\/(api\\/auth\\/(signin|callback)\\/cognito)$"
}
}
# aws_wafv2_regex_pattern_set.forms_base_url will be updated in-place
~ resource "aws_wafv2_regex_pattern_set" "forms_base_url" {
id = "e1ceb832-c7e4-4b53-a818-44a55e27b3e4"
name = "forms_base_url"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (4 unchanged attributes hidden)
- regular_expression {
- regex_string = "^forms-formulaires.canada.ca$" -> null
}
# (1 unchanged block hidden)
}
# aws_wafv2_regex_pattern_set.valid_app_uri_paths will be updated in-place
~ resource "aws_wafv2_regex_pattern_set" "valid_app_uri_paths" {
id = "f3927a12-2101-47c6-9a47-7353ac95ba92"
name = "valid_app_uri_paths"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (4 unchanged attributes hidden)
# (5 unchanged blocks hidden)
}
# aws_wafv2_regex_pattern_set.valid_maintenance_mode_uri_paths will be created
+ resource "aws_wafv2_regex_pattern_set" "valid_maintenance_mode_uri_paths" {
+ arn = (known after apply)
+ description = "Regex to match the maintenance page valid URIs"
+ id = (known after apply)
+ lock_token = (known after apply)
+ name = "valid_maintenance_page_uri_paths"
+ scope = "CLOUDFRONT"
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ regular_expression {
+ regex_string = "^\\/(index.html|index-fr.html|style.css|site-unavailable.svg|favicon.ico)?$"
}
}
# aws_wafv2_web_acl.forms_acl will be updated in-place
~ resource "aws_wafv2_web_acl" "forms_acl" {
id = "88f61111-f91e-442b-9a19-c57c4f43ef7a"
name = "GCForms"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
- rule {
- name =...
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.form_viewer_maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudfront_distribution.maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_kinesis_firehose_delivery_stream.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.form_viewer_http"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.form_viewer_https"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.form_viewer_1"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.form_viewer_2"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_css_files[\"style.css\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_html_files[\"index-fr.html\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_html_files[\"index.html\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_ico_files[\"favicon.ico\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_svg_files[\"site-unavailable.svg\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.alb"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.route53_hosted_zone[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.route53_hosted_zone[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_regex_pattern_set.cognito_login_paths"]
WARN - plan.json - main - Missing Common Tags:...
Production: redis
✅ Terraform Init: Plan: 0 to add, 2 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_elasticache_replication_group.redis will be updated in-place
~ resource "aws_elasticache_replication_group" "redis" {
id = "gcforms-redis-rep-group"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (33 unchanged attributes hidden)
}
# aws_elasticache_subnet_group.redis will be updated in-place
~ resource "aws_elasticache_subnet_group" "redis" {
id = "redis-subnet-group"
name = "redis-subnet-group"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (4 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_elasticache_replication_group.redis"]
WARN - plan.json - main - Missing Common Tags: ["aws_elasticache_subnet_group.redis"]
21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions
Production: rds
✅ Terraform Init: Plan: 0 to add, 3 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_rds_cluster.forms will be updated in-place
~ resource "aws_rds_cluster" "forms" {
~ copy_tags_to_snapshot = false -> true
id = "forms-db-cluster"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
"Name" = "forms-db-cluster"
- "Terraform" = "true" -> null
}
# (39 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_secretsmanager_secret.database_secret will be updated in-place
~ resource "aws_secretsmanager_secret" "database_secret" {
+ force_overwrite_replica_secret = false
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:database-secret-RThElE"
name = "database-secret"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (2 unchanged attributes hidden)
}
# aws_secretsmanager_secret.database_url will be updated in-place
~ resource "aws_secretsmanager_secret" "database_url" {
+ force_overwrite_replica_secret = false
id = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:server-database-url-jVtWGE"
name = "server-database-url"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (2 unchanged attributes hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_rds_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.database_secret"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.database_url"]
22 tests, 19 passed, 3 warnings, 0 failures, 0 exceptions
Production: app
✅ Terraform Init: Plan: 1 to add, 14 to change, 43 to destroy
✂ Warning: plan has been truncated! See the full plan in the logs.
Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
<= read (data resources)
Terraform will perform the following actions:
# data.template_file.form_viewer_task will be read during apply
# (depends on a resource or a module with changes pending)
<= data "template_file" "form_viewer_task" {
+ id = (known after apply)
+ rendered = (known after apply)
+ template = jsonencode(
[
+ {
+ environment = [
+ {
+ name = "METRIC_PROVIDER"
+ value = "${metric_provider}"
},
+ {
+ name = "TRACER_PROVIDER"
+ value = "${tracer_provider}"
},
+ {
+ name = "NEXTAUTH_URL"
+ value = "${nextauth_url}"
},
+ {
+ name = "REDIS_URL"
+ value = "${redis_url}"
},
+ {
+ name = "RELIABILITY_FILE_STORAGE"
+ value = "${reliability_file_storage}"
},
+ {
+ name = "RECAPTCHA_V3_SITE_KEY"
+ value = "${recaptcha_public}"
},
+ {
+ name = "TEMPORARY_TOKEN_TEMPLATE_ID"
+ value = "${gc_temp_token_template_id}"
},
+ {
+ name = "TEMPLATE_ID"
+ value = "${gc_template_id}"
},
+ {
+ name = "VAULT_FILE_STORAGE"
+ value = "${vault_file_storage}"
},
+ {
+ name = "COGNITO_ENDPOINT_URL"
+ value = "${cognito_endpoint_url}"
},
+ {
+ name = "COGNITO_CLIENT_ID"
+ value = "${cognito_client_id}"
},
+ {
+ name = "EMAIL_ADDRESS_CONTACT_US"
+ value = "${email_address_contact_us}"
},
+ {
+ name = "EMAIL_ADDRESS_SUPPORT"
+ value = "${email_address_support}"
},
+ {
+ name = "REPROCESS_SUBMISSION_QUEUE_URL"
+ value = "${reprocess_submission_queue}"
},
+ {
+ name = "AUDIT_LOG_QUEUE_URL"
+ value = "${audit_log_queue_url}"
},
]
+ image = "${image}"
+ linuxParameters = {
+ capabilities = {
+ drop = [
+ "ALL",
]
}
}
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = "${awslogs-group}"
+ awslogs-region = "${awslogs-region}"
+ awslogs-stream-prefix = "${awslogs-stream-prefix}"
}
}
+ name = "form_viewer"
+ portMappings = [
+ {
+ containerPort = 3000
},
]
+ secrets = [
+ {
+ name = "NOTIFY_API_KEY"
+ valueFrom = "${notify_api_key}"
},
+ {
+ name = "RECAPTCHA_V3_SECRET_KEY"
+ valueFrom = "${recaptcha_secret}"
},
+ {
+ name = "DATABASE_URL"
+ valueFrom = "${database_url}"
},
+ {
+ name = "TOKEN_SECRET"
+ valueFrom = "${token_secret}"
},
+ {
+ name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
+ valueFrom = "${gc_notify_callback_bearer_token}"
},
+ {
+ name = "FRESHDESK_API_KEY"
+ valueFrom = "${freshdesk_api_key}"
},
]
},
]
)
+ vars = {
+ "audit_log_queue_url" = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue"
+ "awslogs-group" = "Forms"
+ "awslogs-region" = "ca-central-1"
+ "awslogs-stream-prefix" = "ecs-form-viewer"
+ "cognito_client_id" = "5rkjd3us3ocssieiitdbtjitiv"
+ "cognito_endpoint_url" = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_eSTGTCw33"
+ "database_url" = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:server-database-url-jVtWGE"
+ "email_address_contact_us" = "assistance+forms-formulaires@cds-snc.ca"
+ "email_address_support" = "assistance+forms-formulaires@cds-snc.ca"
+ "freshdesk_api_key" = (sensitive value)
+ "gc_notify_callback_bearer_token" = (sensitive value)
+ "gc_temp_token_template_id" = "61cec9c4-64ca-4e4d-b4d2-a0e931c44422"
+ "gc_template_id" = "92096ac6-1cc5-40ae-9052-fffdb8439a90"
+ "image" = "957818836222.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_production"
+ "metric_provider" = "stdout"
+ "nextauth_url" = "https://forms-formulaires.alpha.canada.ca"
+ "notify_api_key" = (sensitive value)
+ "recaptcha_public" = "6LfuLrQnAAAAAK9Df3gem4XLMRVY2Laq6t2fhZhZ"
+ "recaptcha_secret" = (sensitive value)
+ "redis_url" = "gcforms-redis-rep-group.iyrckm.ng.0001.cac1.cache.amazonaws.com"
+ "reliability_file_storage" = "forms-production-reliability-file-storage"
+ "reprocess_submission_queue" = "https://sqs.ca-central-1.amazonaws.com/957818836222/reprocess_submission_queue.fifo"
+ "token_secret" = (sensitive value)
+ "tracer_provider" = "stdout"
+ "vault_file_storage" = "forms-production-vault-file-storage"
}
}
# aws_appautoscaling_target.forms[0] will be updated in-place
~ resource "aws_appautoscaling_target" "forms" {
id = "service/arn:aws:ecs:ca-central-1:957818836222:cluster/Forms/form-viewer"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (6 unchanged attributes hidden)
}
# aws_cloudwatch_event_rule.cron_2am_every_day will be destroyed
# (because aws_cloudwatch_event_rule.cron_2am_every_day is not in configuration)
- resource "aws_cloudwatch_event_rule" "cron_2am_every_day" {
- arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-2am" -> null
- description = "Fires every day at 2am EST" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-2am" -> null
- is_enabled = true -> null
- name = "every-day-at-2am" -> null
- schedule_expression = "cron(0 7 * * ? *)" -> null
- state = "ENABLED" -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_event_rule.cron_3am_every_day will be destroyed
# (because aws_cloudwatch_event_rule.cron_3am_every_day is not in configuration)
- resource "aws_cloudwatch_event_rule" "cron_3am_every_day" {
- arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-3am" -> null
- description = "Fires every day at 3am EST" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-3am" -> null
- is_enabled = true -> null
- name = "every-day-at-3am" -> null
- schedule_expression = "cron(0 8 * * ? *)" -> null
- state = "ENABLED" -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_event_rule.cron_4am_every_day will be destroyed
# (because aws_cloudwatch_event_rule.cron_4am_every_day is not in configuration)
- resource "aws_cloudwatch_event_rule" "cron_4am_every_day" {
- arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-4am" -> null
- description = "Fires every day at 4am EST" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-4am" -> null
- is_enabled = true -> null
- name = "every-day-at-4am" -> null
- schedule_expression = "cron(0 9 * * ? *)" -> null
- state = "ENABLED" -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_event_rule.cron_5am_every_business_day will be destroyed
# (because aws_cloudwatch_event_rule.cron_5am_every_business_day is not in configuration)
- resource "aws_cloudwatch_event_rule" "cron_5am_every_business_day" {
- arn = "arn:aws:events:ca-central-1:957818836222:rule/every-business-day-at-5am" -> null
- description = "Fires every business day at 5am EST" -> null
- event_bus_name = "default" -> null
- id = "every-business-day-at-5am" -> null
- is_enabled = true -> null
- name = "every-business-day-at-5am" -> null
- schedule_expression = "cron(0 10 ? * MON-FRI *)" -> null
- state = "ENABLED" -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_event_target.run_archive_form_responses_lambda_every_day will be destroyed
# (because aws_cloudwatch_event_target.run_archive_form_responses_lambda_every_day is not in configuration)
- resource "aws_cloudwatch_event_target" "run_archive_form_responses_lambda_every_day" {
- arn = "arn:aws:lambda:ca-central-1:957818836222:function:Archiver" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-3am-terraform-20230417142819762400000003" -> null
- rule = "every-day-at-3am" -> null
- target_id = "terraform-20230417142819762400000003" -> null
}
# aws_cloudwatch_event_target.run_archive_form_templates_lambda_every_day will be destroyed
# (because aws_cloudwatch_event_target.run_archive_form_templates_lambda_every_day is not in configuration)
- resource "aws_cloudwatch_event_target" "run_archive_form_templates_lambda_every_day" {
- arn = "arn:aws:lambda:ca-central-1:957818836222:function:ArchiveFormTemplates" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-4am-terraform-20230104154840782700000005" -> null
- rule = "every-day-at-4am" -> null
- target_id = "terraform-20230104154840782700000005" -> null
}
# aws_cloudwatch_event_target.run_dead_letter_queue_consumer_lambda_every_day will be destroyed
# (because aws_cloudwatch_event_target.run_dead_letter_queue_consumer_lambda_every_day is not in configuration)
- resource "aws_cloudwatch_event_target" "run_dead_letter_queue_consumer_lambda_every_day" {
- arn = "arn:aws:lambda:ca-central-1:957818836222:function:DeadLetterQueueConsumer" -> null
- event_bus_name = "default" -> null
- id = "every-day-at-2am-terraform-20230417142807011500000002" -> null
- rule = "every-day-at-2am" -> null
- target_id = "terraform-20230417142807011500000002" -> null
}
# aws_cloudwatch_event_target.run_nagware_lambda_every_day will be destroyed
# (because aws_cloudwatch_event_target.run_nagware_lambda_every_day is not in configuration)
- resource "aws_cloudwatch_event_target" "run_nagware_lambda_every_day" {
- arn = "arn:aws:lambda:ca-central-1:957818836222:function:Nagware" -> null
- event_bus_name = "default" -> null
- id = "every-business-day-at-5am-terraform-20230417142753187400000001" -> null
- rule = "every-business-day-at-5am" -> null
- target_id = "terraform-20230417142753187400000001" -> null
}
# aws_cloudwatch_log_group.archive_form_templates will be destroyed
# (because aws_cloudwatch_log_group.archive_form_templates is not in configuration)
- resource "aws_cloudwatch_log_group" "archive_form_templates" {
- arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/ArchiveFormTemplates" -> null
- id = "/aws/lambda/ArchiveFormTemplates" -> null
- kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d" -> null
- log_group_class = "STANDARD" -> null
- name = "/aws/lambda/ArchiveFormTemplates" -> null
- retention_in_days = 90 -> null
- skip_destroy = false -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_log_group.archiver will be destroyed
# (because aws_cloudwatch_log_group.archiver is not in configuration)
- resource "aws_cloudwatch_log_group" "archiver" {
- arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/Archiver" -> null
- id = "/aws/lambda/Archiver" -> null
- kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d" -> null
- log_group_class = "STANDARD" -> null
- name = "/aws/lambda/Archiver" -> null
- retention_in_days = 90 -> null
- skip_destroy = false -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_log_group.audit_logs will be destroyed
# (because aws_cloudwatch_log_group.audit_logs is not in configuration)
- resource "aws_cloudwatch_log_group" "audit_logs" {
- arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/AuditLogs" -> null
- id = "/aws/lambda/AuditLogs" -> null
- kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d" -> null
- log_group_class = "STANDARD" -> null
- name = "/aws/lambda/AuditLogs" -> null
- retention_in_days = 90 -> null
- skip_destroy = false -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_log_group.dead_letter_queue_consumer will be destroyed
# (because aws_cloudwatch_log_group.dead_letter_queue_consumer is not in configuration)
- resource "aws_cloudwatch_log_group" "dead_letter_queue_consumer" {
- arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/DeadLetterQueueConsumer" -> null
- id = "/aws/lambda/DeadLetterQueueConsumer" -> null
- kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d" -> null
- log_group_class = "STANDARD" -> null
- name = "/aws/lambda/DeadLetterQueueConsumer" -> null
- retention_in_days = 90 -> null
- skip_destroy = false -> null
- tags = {} -> null
- tags_all = {} -> null
}
# aws_cloudwatch_log_group.forms will be updated in-place
~ resource "aws_cloudwatch_log_group" "forms" {
id = "Forms"
name = "Forms"
~ retention_in_days = 90 -> 731
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
}
# aws_codedeploy_app.app will be updated in-place
~ resource "aws_codedeploy_app" "app" {
id = "38ffd54a-d5be-4ce4-8a02-127b6be4b444:AppECS-Forms-form-viewer"
name = "AppECS-Forms-form-viewer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
}
# aws_codedeploy_deployment_group.app will be updated in-place
~ resource "aws_codedeploy_deployment_group" "app" {
id = "242791d0-af89-4e05-8e16-b250dac864b9"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (10 unchanged attributes hidden)
# (5 unchanged blocks hidden)
}
# aws_ecs_cluster.forms will be updated in-place
~ resource "aws_ecs_cluster" "forms" {
id = "arn:aws:ecs:ca-central-1:957818836222:cluster/Forms"
name = "Forms"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (2 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_ecs_service.form_viewer will be updated in-place
~ resource "aws_ecs_service" "form_viewer" {
+ force_new_deployment = true
id = "arn:aws:ecs:ca-central-1:957818836222:service/Forms/form-viewer"
name = "form-viewer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (16 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
# aws_ecs_task_definition.form_viewer will be created
+ resource "aws_ecs_task_definition" "form_viewer" {
+ arn = (known after apply)
+ arn_without_revision = (known after apply)
+ container_definitions = (known after apply)
+ cpu = "2048"
+ execution_role_arn = "arn:aws:iam::957818836222:role/form-viewer"
+ family = "form-viewer"
+ id = (known after apply)
+ memory = "4096"
+ network_mode = "awsvpc"
+ requires_compatibilities = [
+ "FARGATE",
]
+ revision = (known after apply)
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ task_role_arn = "arn:aws:iam::957818836222:role/form-viewer"
}
# aws_iam_policy.cognito will be updated in-place
~ resource "aws_iam_policy" "cognito" {
id = "arn:aws:iam::957818836222:policy/cognito"
name = "cognito"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.forms_dynamodb will be updated in-place
~ resource "aws_iam_policy" "forms_dynamodb" {
id = "arn:aws:iam::957818836222:policy/forms_dynamodb"
name = "forms_dynamodb"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.forms_kms will be updated in-place
~ resource "aws_iam_policy" "forms_kms" {
id = "arn:aws:iam::957818836222:policy/ecs_kms"
name = "ecs_kms"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.forms_s3 will be updated in-place
~ resource "aws_iam_policy" "forms_s3" {
id = "arn:aws:iam::957818836222:policy/formsS3Access"
name = "formsS3Access"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (5 unchanged attributes hidden)
}
# aws_iam_policy.forms_secrets_manager will be updated in-place
~ resource "aws_iam_policy" "forms_secrets_manager" {
id = "arn:aws:iam::957818836222:policy/formsSecretsManagerKeyRetrieval"
name = "formsSecretsManagerKeyRetrieval"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = [
# (3 unchanged elements hidden)
"arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_api_key-sLtddr",
- "arn:aws:secretsmanager:ca-central-1:957818836222:secret:gc_notify_callback_bearer_token-0zuI6O",
"arn:aws:secretsmanager:ca-central-1:957818836222:secret:freshdesk_api_key-2Q118n",
+ "arn:aws:secretsmanager:ca-central-1:123456789012:secret:notify_callback_bearer_token_secret",
]
- Sid = ""
# (2 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (4 unchanged attributes hidden)
}
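Review bot: The ARN added to Resource in aws_iam_policy.forms_secrets_manager is in account 123456789012, while every other ARN in this policy is in 957818836222, and it has no six-character suffix like the neighbouring entries (notify_api_key-sLtddr, freshdesk_api_key-2Q118n). It reads like a placeholder rather than a resolved value. Because the same change removes gc_notify_callback_bearer_token-0zuI6O, applying the plan as shown would leave the policy with no entry that matches the callback bearer token in this account. Suggest regenerating the plan with the real secret ARN resolved and confirming the entry before apply.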
# aws_iam_policy.forms_sqs will be updated in-place
~ resource "aws_iam_policy" "forms_sqs" {
id = "arn:aws:iam::957818836222:policy/forms_sqs"
name = "forms_sqs"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (6 unchanged attributes hidden)
}
# aws_iam_policy.lambda_app_invoke will be destroyed
# (because aws_iam_policy.lambda_app_invoke is not in configuration)
- resource "aws_iam_policy" "lambda_app_invoke" {
- arn = "arn:aws:iam::957818836222:policy/lambda_app_invoke" -> null
- description = "IAM policy for allowing the Forms app to invoke Lambda functions" -> null
- id = "arn:aws:iam::957818836222:policy/lambda_app_invoke" -> null
- name = "lambda_app_invoke" -> null
- path = "/" -> null
- policy = jsonencode(
{
- Statement = [
- {
- Action = "lambda:InvokeFunction"
- Effect = "Allow"
- Resource = "arn:aws:lambda:ca-central-1:957818836222:function:Submission"
- Sid = ""
},
]
- Version = "2012-10-17"
}
) -> null
- policy_id = "ANPA56ATTST7NBGPS5RMA" -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
}
# aws_iam_role.codedeploy will be updated in-place
~ resource "aws_iam_role" "codedeploy" {
id = "codedeploy"
name = "codedeploy"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_iam_role.forms will be updated in-place
~ resource "aws_iam_role" "forms" {
id = "form-viewer"
name = "form-viewer"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_lambda_event_source_mapping.audit_logs will be destroyed
# (because aws_lambda_event_source_mapping.audit_logs is not in configuration)
- resource "aws_lambda_event_source_mapping" "audit_logs" {
- batch_size = 10 -> null
- bisect_batch_on_function_error = false -> null
- enabled = true -> null
- event_source_arn = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> null
- function_arn = "arn:aws:lambda:ca-central-1:957818836222:function:AuditLogs" -> null
- function_name = "arn:aws:lambda:ca-central-1:957818836222:function:AuditLogs" -> null
- function_response_types = [
- "ReportBatchItemFailures",
] -> null
- id = "619b8515-4455-4fd3-a99e-f92c2bfc73b6" -> null
- last_modified = "2023-04-17T14:27:24Z" -> null
- maximum_batching_window_in_seconds = 30 -> null
- maximum_record_age_in_seconds = 0 -> null
- maximum_retry_attempts = 0 -> null
- parallelization_factor = 0 -> null
- queues = [] -> null
- state = "Enabled" -> null
- state_transition_reason = "USER_INITIATED" -> null
- topics = [] -> null
- tumbling_window_in_seconds = 0 -> null
- uuid = "619b8515-4455-4fd3-a99e-f92c2bfc73b6" -> null
}
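Review bot: aws_lambda_event_source_mapping.audit_logs is destroyed here only because it left this configuration, and the lambdas plan further down creates a new mapping for the same event_source_arn (audit_log_queue). Between the two applies the audit log queue has no consumer, and the outcome depends on apply order. The lambdas plan already imports the IAM role and policies; suggest handling the mapping the same way (import uuid 619b8515-4455-4fd3-a99e-f92c2bfc73b6 into the new state and remove it from this one) so that audit log processing is not interrupted.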
# aws_lambda_function.archive_form_templates will be destroyed
# (because aws_lambda_function.archive_form_templates is not in configuration)
- resource "aws_lambda_function" "archive_form_templates" {
- architectures = [
- "x86_64",
] -> null
- arn = "arn:aws:lambda:ca-central-1:957818836222:function:ArchiveFormTemplates" -> null
- filename = "/tmp/archive_form_templates_main.zip" -> null
- function_name = "ArchiveFormTemplates" -> null
- handler = "archiver.handler" -> null
- id = "ArchiveFormTemplates" -> null
- invoke_arn = "arn:aws:apigateway:ca-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ca-central-1:957818836222:function:ArchiveFormTemplates/invocations" -> null
- last_modified = "2023-10-25T18:12:55.000+0000" -> null
- layers = [
- "arn:aws:lambda:ca-central-1:957818836222:layer:archive_form_templates_lib_packages:3",
- "arn:aws:lambda:ca-central-1:957818836222:layer:archive_form_templates_node_packages:6",
] -> null
- memory_size = 128 -> null
- package_type = "Zip" -> null
- publish = false -> null
- qualified_arn = "arn:aws:lambda:ca-central-1:957818836222:function:ArchiveFormTemplates:$LATEST" -> null
- qualified_invoke_arn = "arn:aws:apigateway:ca-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ca-central-1:957818836222:function:ArchiveFormTemplates:$LATEST/invocations" -> null
- reserved_concurrent_executions = -1 -> null
- role = "arn:aws:iam::957818836222:role/iam_for_lambda" -> null
- runtime = "nodejs18.x" -> null
- skip_destroy = false -> null
- source_code_hash = "X/5IZ2OGKUQN37O1Tmg8PkYLrDM/SAqY03rH0V1L2kI=" -> null
- source_code_size = 416 -> null
- tags = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-production"
- "Terraform" = "true"
} -> null
- timeout = 300 -> null
- version = "$LATEST" -> null
- environment {
- variables = {
- "DB_ARN" = "arn:aws:rds:ca-central-1:957818836222:cluster:forms-db-cluster"
- "DB_NAME" = "forms"
- "DB_SECRET" = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:database-secret-RThElE"
- "ENVIRONMENT" = "production"
...
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]
34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions
Staging: lambdas
✅ Terraform Init:
Plan: 32 to add, 14 to change, 2 to destroy
✂ Warning: plan has been truncated! See the full plan in the logs.
Show plan
Resource actions are indicated with the following symbols:
+ create
~ update in-place
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_cloudwatch_event_rule.cron_2am_every_day will be updated in-place
# (imported from "every-day-at-2am")
~ resource "aws_cloudwatch_event_rule" "cron_2am_every_day" {
arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-2am"
description = "Fires every day at 2am EST"
event_bus_name = "default"
id = "every-day-at-2am"
is_enabled = true
name = "every-day-at-2am"
schedule_expression = "cron(0 7 * * ? *)"
state = "ENABLED"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_event_rule.cron_3am_every_day will be updated in-place
# (imported from "every-day-at-3am")
~ resource "aws_cloudwatch_event_rule" "cron_3am_every_day" {
arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-3am"
description = "Fires every day at 3am EST"
event_bus_name = "default"
id = "every-day-at-3am"
is_enabled = true
name = "every-day-at-3am"
schedule_expression = "cron(0 8 * * ? *)"
state = "ENABLED"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_event_rule.cron_4am_every_day will be updated in-place
# (imported from "every-day-at-4am")
~ resource "aws_cloudwatch_event_rule" "cron_4am_every_day" {
arn = "arn:aws:events:ca-central-1:957818836222:rule/every-day-at-4am"
description = "Fires every day at 4am EST"
event_bus_name = "default"
id = "every-day-at-4am"
is_enabled = true
name = "every-day-at-4am"
schedule_expression = "cron(0 9 * * ? *)"
state = "ENABLED"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_event_rule.cron_5am_every_business_day will be updated in-place
# (imported from "every-business-day-at-5am")
~ resource "aws_cloudwatch_event_rule" "cron_5am_every_business_day" {
arn = "arn:aws:events:ca-central-1:957818836222:rule/every-business-day-at-5am"
description = "Fires every business day at 5am EST"
event_bus_name = "default"
id = "every-business-day-at-5am"
is_enabled = true
name = "every-business-day-at-5am"
schedule_expression = "cron(0 10 ? * MON-FRI *)"
state = "ENABLED"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_event_target.run_archive_form_responses_lambda_every_day will be created
+ resource "aws_cloudwatch_event_target" "run_archive_form_responses_lambda_every_day" {
+ arn = (known after apply)
+ event_bus_name = "default"
+ id = (known after apply)
+ rule = "every-day-at-3am"
+ target_id = (known after apply)
}
# aws_cloudwatch_event_target.run_archive_form_templates_lambda_every_day will be created
+ resource "aws_cloudwatch_event_target" "run_archive_form_templates_lambda_every_day" {
+ arn = (known after apply)
+ event_bus_name = "default"
+ id = (known after apply)
+ rule = "every-day-at-4am"
+ target_id = (known after apply)
}
# aws_cloudwatch_event_target.run_dead_letter_queue_consumer_lambda_every_day will be created
+ resource "aws_cloudwatch_event_target" "run_dead_letter_queue_consumer_lambda_every_day" {
+ arn = (known after apply)
+ event_bus_name = "default"
+ id = (known after apply)
+ rule = "every-day-at-2am"
+ target_id = (known after apply)
}
# aws_cloudwatch_event_target.run_nagware_lambda_every_day will be created
+ resource "aws_cloudwatch_event_target" "run_nagware_lambda_every_day" {
+ arn = "arn:aws:lambda:ca-central-1:957818836222:function:Nagware"
+ event_bus_name = "default"
+ id = (known after apply)
+ rule = "every-business-day-at-5am"
+ target_id = (known after apply)
}
# aws_cloudwatch_log_group.archive_form_templates will be created
+ resource "aws_cloudwatch_log_group" "archive_form_templates" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
+ log_group_class = (known after apply)
+ name = "/aws/lambda/Archive_Form_Templates"
+ name_prefix = (known after apply)
+ retention_in_days = 731
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.audit_logs will be created
+ resource "aws_cloudwatch_log_group" "audit_logs" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
+ log_group_class = (known after apply)
+ name = "/aws/lambda/Audit_Logs"
+ name_prefix = (known after apply)
+ retention_in_days = 731
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.dead_letter_queue_consumer will be created
+ resource "aws_cloudwatch_log_group" "dead_letter_queue_consumer" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
+ log_group_class = (known after apply)
+ name = "/aws/lambda/Reliability_DLQ_Consumer"
+ name_prefix = (known after apply)
+ retention_in_days = 731
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.nagware will be updated in-place
# (imported from "/aws/lambda/Nagware")
~ resource "aws_cloudwatch_log_group" "nagware" {
arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/Nagware"
id = "/aws/lambda/Nagware"
kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
log_group_class = "STANDARD"
name = "/aws/lambda/Nagware"
~ retention_in_days = 90 -> 731
skip_destroy = false
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.reliability will be updated in-place
# (imported from "/aws/lambda/Reliability")
~ resource "aws_cloudwatch_log_group" "reliability" {
arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/Reliability"
id = "/aws/lambda/Reliability"
kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
log_group_class = "STANDARD"
name = "/aws/lambda/Reliability"
~ retention_in_days = 90 -> 731
skip_destroy = false
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.response_archiver will be created
+ resource "aws_cloudwatch_log_group" "response_archiver" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
+ log_group_class = (known after apply)
+ name = "/aws/lambda/Response_Archiver"
+ name_prefix = (known after apply)
+ retention_in_days = 731
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.submission will be updated in-place
# (imported from "/aws/lambda/Submission")
~ resource "aws_cloudwatch_log_group" "submission" {
arn = "arn:aws:logs:ca-central-1:957818836222:log-group:/aws/lambda/Submission"
id = "/aws/lambda/Submission"
kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
log_group_class = "STANDARD"
name = "/aws/lambda/Submission"
~ retention_in_days = 90 -> 731
skip_destroy = false
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_cloudwatch_log_group.vault_integrity will be created
+ resource "aws_cloudwatch_log_group" "vault_integrity" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
+ log_group_class = (known after apply)
+ name = "/aws/lambda/Vault_Data_Integrity_Check"
+ name_prefix = (known after apply)
+ retention_in_days = 731
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
}
# aws_iam_policy.lambda_dynamodb will be updated in-place
# (imported from "arn:aws:iam::957818836222:policy/lambda_dynamobdb")
~ resource "aws_iam_policy" "lambda_dynamodb" {
arn = "arn:aws:iam::957818836222:policy/lambda_dynamobdb"
description = "IAM policy for storing Form responses in DynamoDB"
id = "arn:aws:iam::957818836222:policy/lambda_dynamobdb"
name = "lambda_dynamobdb"
path = "/"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Action = [
"dynamodb:UpdateItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:PutItem",
+ "dynamodb:ListStreams",
"dynamodb:GetShardIterator",
"dynamodb:GetRecords",
"dynamodb:GetItem",
"dynamodb:DescribeStream",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem",
]
Effect = "Allow"
~ Resource = [
"arn:aws:dynamodb:ca-central-1:957818836222:table/Vault/index/*",
"arn:aws:dynamodb:ca-central-1:957818836222:table/Vault",
"arn:aws:dynamodb:ca-central-1:957818836222:table/ReliabilityQueue",
"arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs/index/*",
"arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs",
+ "arn:aws:dynamodb:ca-central-1:123456789012:table/Vault/stream/2023-03-14T15:54:31.086",
]
- Sid = ""
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7JI63YIBQ7"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
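Review bot: The stream ARN added to Resource in aws_iam_policy.lambda_dynamodb is in account 123456789012, not 957818836222 like the tables listed beside it, so the stream actions in this statement (GetRecords, GetShardIterator, DescribeStream and the newly added ListStreams) would not match a stream on the Vault table in this account. Suggest confirming the value is resolved from the real table before apply. It would also be cleaner to put the stream read actions in their own statement scoped to the stream ARN, rather than in the same statement as PutItem, DeleteItem and BatchWriteItem on the tables.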
# aws_iam_policy.lambda_kms will be imported
resource "aws_iam_policy" "lambda_kms" {
arn = "arn:aws:iam::957818836222:policy/lambda_kms"
description = "IAM policy for storing encrypting and decrypting data"
id = "arn:aws:iam::957818836222:policy/lambda_kms"
name = "lambda_kms"
path = "/"
policy = jsonencode(
{
Statement = [
{
Action = [
"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt",
]
Effect = "Allow"
Resource = [
"arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d",
"arn:aws:kms:ca-central-1:957818836222:key/afbaea67-8277-4a4c-853e-7697dd2dade5",
]
Sid = ""
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7DAMVNIVMU"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
# aws_iam_policy.lambda_logging will be imported
resource "aws_iam_policy" "lambda_logging" {
arn = "arn:aws:iam::957818836222:policy/lambda_logging"
description = "IAM policy for logging from a lambda"
id = "arn:aws:iam::957818836222:policy/lambda_logging"
name = "lambda_logging"
path = "/"
policy = jsonencode(
{
Statement = [
{
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
]
Effect = "Allow"
Resource = "arn:aws:logs:*:*:*"
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7DLPNBNMP7"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
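Review bot: aws_iam_policy.lambda_logging allows logs:CreateLogGroup on arn:aws:logs:*:*:*, while this plan creates the log groups in Terraform with kms_key_id and retention_in_days = 731. The new group names (for example /aws/lambda/Audit_Logs and /aws/lambda/Archive_Form_Templates) differ from the names seen elsewhere on the page (/aws/lambda/AuditLogs in the alarms plan, function ArchiveFormTemplates). If a function name does not match its managed group, the function will create /aws/lambda/<function name> on first invocation with no KMS key and no retention, and nothing will fail. Suggest dropping logs:CreateLogGroup from the policy and scoping CreateLogStream and PutLogEvents to the managed log group ARNs, so a name mismatch surfaces as an error.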
# aws_iam_policy.lambda_rds will be updated in-place
# (imported from "arn:aws:iam::957818836222:policy/lambda_rds")
~ resource "aws_iam_policy" "lambda_rds" {
arn = "arn:aws:iam::957818836222:policy/lambda_rds"
description = "IAM policy for allowing acces to DB"
id = "arn:aws:iam::957818836222:policy/lambda_rds"
name = "lambda_rds"
path = "/"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Action = [
- "dbqms:CreateFavoriteQuery",
- "dbqms:DescribeFavoriteQueries",
+ "tag:GetResources",
+ "secretsmanager:CreateSecret",
+ "rds-data:RollbackTransaction",
+ "rds-data:ExecuteStatement",
+ "rds-data:ExecuteSql",
+ "rds-data:CommitTransaction",
+ "rds-data:BeginTransaction",
+ "rds-data:BatchExecuteStatement",
+ "dbqms:UpdateQueryHistory",
"dbqms:UpdateFavoriteQuery",
- "dbqms:DeleteFavoriteQueries",
"dbqms:GetQueryString",
- "dbqms:CreateQueryHistory",
"dbqms:DescribeQueryHistory",
- "dbqms:UpdateQueryHistory",
+ "dbqms:DescribeFavoriteQueries",
"dbqms:DeleteQueryHistory",
- "rds-data:ExecuteSql",
- "rds-data:ExecuteStatement",
- "rds-data:BatchExecuteStatement",
- "rds-data:BeginTransaction",
- "rds-data:CommitTransaction",
- "rds-data:RollbackTransaction",
- "secretsmanager:CreateSecret",
- "secretsmanager:ListSecrets",
- "secretsmanager:GetRandomPassword",
- "tag:GetResources",
+ "dbqms:DeleteFavoriteQueries",
+ "dbqms:CreateQueryHistory",
+ "dbqms:CreateFavoriteQuery",
]
Effect = "Allow"
Resource = "*"
Sid = "RDSDataServiceAccess"
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7KRZUNWE7S"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
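Review bot: In aws_iam_policy.lambda_rds the statement RDSDataServiceAccess keeps Resource = "*" for rds-data:ExecuteStatement, rds-data:BatchExecuteStatement and secretsmanager:CreateSecret. Most of the action diff is reordering; the net change is the removal of secretsmanager:ListSecrets and secretsmanager:GetRandomPassword. Since the policy is being brought under Terraform here, suggest scoping the rds-data actions to the forms database cluster ARN and checking whether the Lambdas need secretsmanager:CreateSecret and the dbqms query-editor actions at all. The description also has a typo ("acces").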
# aws_iam_policy.lambda_s3 will be updated in-place
# (imported from "arn:aws:iam::957818836222:policy/lambda_s3")
~ resource "aws_iam_policy" "lambda_s3" {
arn = "arn:aws:iam::957818836222:policy/lambda_s3"
description = "IAM policy for storing files in S3"
id = "arn:aws:iam::957818836222:policy/lambda_s3"
name = "lambda_s3"
path = "/"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
Action = [
"s3:PutObject",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteObject",
]
Effect = "Allow"
~ Resource = [
+ "arn:aws:s3:::forms-staging-lambda-code/*",
+ "arn:aws:s3:::forms-staging-lambda-code",
"arn:aws:s3:::forms-production-vault-file-storage/*",
"arn:aws:s3:::forms-production-vault-file-storage",
"arn:aws:s3:::forms-production-reliability-file-storage/*",
"arn:aws:s3:::forms-production-reliability-file-storage",
"arn:aws:s3:::forms-production-archive-storage/*",
"arn:aws:s3:::forms-production-archive-storage",
]
- Sid = ""
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7NCGZE6SVF"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
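Review bot: The two Resource entries added to aws_iam_policy.lambda_s3 put forms-staging-lambda-code into the same statement as the forms-production-* data buckets, so the Lambda role receives s3:PutObject and s3:DeleteObject on the bucket that holds Lambda code. Functions do not need to write to their own code bucket. Suggest a separate statement granting only s3:GetObject on the code bucket, or no grant if only the deployment pipeline reads it. Please also confirm that a staging bucket name is intended in a policy whose account and CostCentre tag are production.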
# aws_iam_policy.lambda_secrets will be updated in-place
# (imported from "arn:aws:iam::957818836222:policy/lambda_secrets")
~ resource "aws_iam_policy" "lambda_secrets" {
arn = "arn:aws:iam::957818836222:policy/lambda_secrets"
description = "IAM policy for accessing secret manager"
id = "arn:aws:iam::957818836222:policy/lambda_secrets"
name = "lambda_secrets"
path = "/"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
Action = "secretsmanager:GetSecretValue"
Effect = "Allow"
~ Resource = [
- "arn:aws:secretsmanager:ca-central-1:957818836222:secret:token_secret-jw4Dou",
"arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_api_key-sLtddr",
"arn:aws:secretsmanager:ca-central-1:957818836222:secret:database-secret-RThElE",
]
- Sid = ""
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7ITUHDHSRG"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
# aws_iam_policy.lambda_sns will be imported
resource "aws_iam_policy" "lambda_sns" {
arn = "arn:aws:iam::957818836222:policy/lambda_sns"
description = "IAM policy for allowing lambda to publish message in SNS for Slack notification"
id = "arn:aws:iam::957818836222:policy/lambda_sns"
name = "lambda_sns"
path = "/"
policy = jsonencode(
{
Statement = [
{
Action = "sns:Publish"
Effect = "Allow"
Resource = "arn:aws:sns:ca-central-1:957818836222:alert-critical"
Sid = ""
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7GQDHURLJZ"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
# aws_iam_policy.lambda_sqs will be imported
resource "aws_iam_policy" "lambda_sqs" {
arn = "arn:aws:iam::957818836222:policy/lambda_sqs"
description = "IAM policy for sending messages through SQS"
id = "arn:aws:iam::957818836222:policy/lambda_sqs"
name = "lambda_sqs"
path = "/"
policy = jsonencode(
{
Statement = [
{
Action = [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
]
Effect = "Allow"
Resource = "arn:aws:sqs:*:*:*"
},
]
Version = "2012-10-17"
}
)
policy_id = "ANPA56ATTST7CRSZB3F5K"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
}
# aws_iam_role.lambda will be imported
resource "aws_iam_role" "lambda" {
arn = "arn:aws:iam::957818836222:role/iam_for_lambda"
assume_role_policy = jsonencode(
{
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "lambda.amazonaws.com"
}
Sid = ""
},
]
Version = "2012-10-17"
}
)
create_date = "2021-03-04T19:25:30Z"
force_detach_policies = false
id = "iam_for_lambda"
managed_policy_arns = [
"arn:aws:iam::957818836222:policy/lambda_dynamobdb",
"arn:aws:iam::957818836222:policy/lambda_kms",
"arn:aws:iam::957818836222:policy/lambda_logging",
"arn:aws:iam::957818836222:policy/lambda_rds",
"arn:aws:iam::957818836222:policy/lambda_s3",
"arn:aws:iam::957818836222:policy/lambda_secrets",
"arn:aws:iam::957818836222:policy/lambda_sns",
"arn:aws:iam::957818836222:policy/lambda_sqs",
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
]
max_session_duration = 3600
name = "iam_for_lambda"
path = "/"
tags = {}
tags_all = {
"CostCentre" = "forms-platform-production"
"Terraform" = "true"
}
unique_id = "AROA56ATTST7BVNHHGEZ3"
}
# aws_iam_role_policy_attachment.AWSLambdaVPCAccessExecutionRole will be imported
resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
id = "iam_for_lambda-arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_dynamodb will be imported
resource "aws_iam_role_policy_attachment" "lambda_dynamodb" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_dynamobdb"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_dynamobdb"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_kms will be imported
resource "aws_iam_role_policy_attachment" "lambda_kms" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_kms"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_kms"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_logs will be imported
resource "aws_iam_role_policy_attachment" "lambda_logs" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_logging"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_logging"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_rds will be imported
resource "aws_iam_role_policy_attachment" "lambda_rds" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_rds"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_rds"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_s3 will be imported
resource "aws_iam_role_policy_attachment" "lambda_s3" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_s3"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_s3"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_secrets will be imported
resource "aws_iam_role_policy_attachment" "lambda_secrets" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_secrets"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_secrets"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_sns will be imported
resource "aws_iam_role_policy_attachment" "lambda_sns" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_sns"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_sns"
role = "iam_for_lambda"
}
# aws_iam_role_policy_attachment.lambda_sqs will be imported
resource "aws_iam_role_policy_attachment" "lambda_sqs" {
id = "iam_for_lambda-arn:aws:iam::957818836222:policy/lambda_sqs"
policy_arn = "arn:aws:iam::957818836222:policy/lambda_sqs"
role = "iam_for_lambda"
}
# aws_lambda_code_signing_config.lambda_code_signing_config[0] will be created
+ resource "aws_lambda_code_signing_config" "lambda_code_signing_config" {
+ arn = (known after apply)
+ config_id = (known after apply)
+ id = (known after apply)
+ last_modified = (known after apply)
+ allowed_publishers {
+ signing_profile_version_arns = (known after apply)
}
+ policies {
+ untrusted_artifact_on_deployment = "Enforce"
}
}
# aws_lambda_event_source_mapping.audit_logs will be created
+ resource "aws_lambda_event_source_mapping" "audit_logs" {
+ batch_size = 10
+ enabled = true
+ event_source_arn = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue"
+ function_arn = (known after apply)
+ function_name = (known after apply)
+ function_response_types = [
+ "ReportBatchItemFailures",
]
+ id = (known after apply)
+ last_modified = (known after apply)
+ last_processing_result = (known after apply)
+ maximum_batching_window_in_seconds = 30
+ maximum_record_age_in_seconds = (known after apply)
+ maximum_retry_attempts = (known after apply)
+ parallelization_factor = (known after apply)
+ state = (known after apply)
+ state_transition_reason = (known after apply)
+ uuid ...
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_2am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_3am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_4am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_5am_every_business_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.form_archiver"]
WARN -...
Production: alarms
✅ Terraform Init:
Plan: 18 to add, 19 to change, 7 to destroy
Show plan
Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
Terraform will perform the following actions:
# aws_cloudwatch_event_rule.codedeploy_sns will be updated in-place
~ resource "aws_cloudwatch_event_rule" "codedeploy_sns" {
id = "alert-on-codedeploy-status"
name = "alert-on-codedeploy-status"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (7 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.notify_slack will be updated in-place
~ resource "aws_cloudwatch_log_group" "notify_slack" {
id = "/aws/lambda/NotifySlack"
name = "/aws/lambda/NotifySlack"
~ retention_in_days = 90 -> 731
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (4 unchanged attributes hidden)
}
# aws_cloudwatch_log_subscription_filter.archiver_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.archiver_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "archiver_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-2821336831" -> null
- log_group_name = "/aws/lambda/Archiver" -> null
- name = "archiver_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.audit_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.audit_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "audit_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-1997887864" -> null
- log_group_name = "/aws/lambda/AuditLogs" -> null
- name = "audit_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.dlq_consumer_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.dlq_consumer_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "dlq_consumer_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-3956109137" -> null
- log_group_name = "/aws/lambda/DeadLetterQueueConsumer" -> null
- name = "dql_consumer_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["audit_log"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/AuditLogs"
+ name = "error_detection_in_audit_log_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["dlq_consumer"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/DeadLetterQueueConsumer"
+ name = "error_detection_in_dlq_consumer_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["nagware"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Nagware"
+ name = "error_detection_in_nagware_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["reliability"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Reliability"
+ name = "error_detection_in_reliability_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["response_archiver"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Response_Archiver"
+ name = "error_detection_in_response_archiver_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["submission"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Submission"
+ name = "error_detection_in_submission_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["template_archiver"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Archive_Form_Templates"
+ name = "error_detection_in_template_archiver_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_error_detection["vault_data_integrity_check"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Vault_Data_Integrity_Check"
+ name = "error_detection_in_vault_data_integrity_check_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["audit_log"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/AuditLogs"
+ name = "timeout_detection_in_audit_log_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["dlq_consumer"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/DeadLetterQueueConsumer"
+ name = "timeout_detection_in_dlq_consumer_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["nagware"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Nagware"
+ name = "timeout_detection_in_nagware_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["reliability"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Reliability"
+ name = "timeout_detection_in_reliability_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["response_archiver"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Response_Archiver"
+ name = "timeout_detection_in_response_archiver_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["submission"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Submission"
+ name = "timeout_detection_in_submission_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["template_archiver"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Archive_Form_Templates"
+ name = "timeout_detection_in_template_archiver_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["vault_data_integrity_check"] will be created
+ resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
+ destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
+ distribution = "ByLogStream"
+ filter_pattern = "Task timed out"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Vault_Data_Integrity_Check"
+ name = "timeout_detection_in_vault_data_integrity_check_lambda_logs"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.nagware_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.nagware_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "nagware_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-2378547274" -> null
- log_group_name = "/aws/lambda/Nagware" -> null
- name = "nagware_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.reliability_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.reliability_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "reliability_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-2677299195" -> null
- log_group_name = "/aws/lambda/Reliability" -> null
- name = "reliability_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.submission_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.submission_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "submission_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-2956744385" -> null
- log_group_name = "/aws/lambda/Submission" -> null
- name = "submission_log_stream" -> null
}
# aws_cloudwatch_log_subscription_filter.template_archiver_log_stream will be destroyed
# (because aws_cloudwatch_log_subscription_filter.template_archiver_log_stream is not in configuration)
- resource "aws_cloudwatch_log_subscription_filter" "template_archiver_log_stream" {
- destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack" -> null
- distribution = "ByLogStream" -> null
- filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}" -> null
- id = "cwlsf-2480592169" -> null
- log_group_name = "/aws/lambda/ArchiveFormTemplates" -> null
- name = "template_archiver_log_stream" -> null
}
# aws_cloudwatch_metric_alarm.ELB_5xx_error_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "ELB_5xx_error_warn" {
id = "HTTPCode_ELB_5XX_Count"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.alb_ddos will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "alb_ddos" {
id = "ALBDDoS"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (17 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "audit_log_dead_letter_queue_warn" {
id = "AuditLogDeadLetterQueueWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
# aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn will be created
+ resource "aws_cloudwatch_metric_alarm" "cognito_login_outside_canada_warn" {
+ actions_enabled = true
+ alarm_actions = [
+ "arn:aws:sns:ca-central-1:957818836222:alert-warning",
]
+ alarm_description = "Forms: A sign-in by a forms owner has been detected from outside of Canada."
+ alarm_name = "AWSCognitoLoginOutsideCanadaAlarm"
+ arn = (known after apply)
+ comparison_operator = "GreaterThanThreshold"
+ dimensions = {
+ "Region" = "ca-central-1"
+ "Rule" = "AWSCognitoLoginOutsideCanada"
+ "WebACL" = "GCForms"
}
+ evaluate_low_sample_count_percentiles = (known after apply)
+ evaluation_periods = 1
+ id = (known after apply)
+ metric_name = "CountedRequests"
+ namespace = "AWS/WAFV2"
+ period = 60
+ statistic = "SampleCount"
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ threshold = 0
+ treat_missing_data = "notBreaching"
}
# aws_cloudwatch_metric_alarm.cognito_signin_exceeded will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "cognito_signin_exceeded" {
id = "CognitoSigninExceeded"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.ddos_detected_forms_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "ddos_detected_forms_warn" {
id = "DDoSDetectedformsWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[0] will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
id = "DDoSDetectedRoute53Warn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[1] will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
~ dimensions = {
~ "ResourceArn" = "Z1031499PBK3926Y7HKK" -> "Z0774184336K3QX9DUJ7E"
}
id = "DDoSDetectedRoute53Warn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (17 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.forms_cpu_utilization_high_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "forms_cpu_utilization_high_warn" {
id = "CpuUtilizationWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.forms_memory_utilization_high_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "forms_memory_utilization_high_warn" {
id = "MemoryUtilizationWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.reliability_dead_letter_queue_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "reliability_dead_letter_queue_warn" {
id = "ReliabilityDeadLetterQueueWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
# aws_cloudwatch_metric_alarm.response_time_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "response_time_warn" {
id = "ResponseTimeWarn"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (15 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_cloudwatch_metric_alarm.route53_ddos[0] will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "route53_ddos" {
id = "Route53DDoS"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (17 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.route53_ddos[1] will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "route53_ddos" {
~ dimensions = {
~ "ResourceArn" = "Z1031499PBK3926Y7HKK" -> "Z0774184336K3QX9DUJ7E"
}
id = "Route53DDoS"
tags = {}
~ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
# (16 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.twoFa_verification_exceeded will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "twoFa_verification_exceeded" {
id = "2FAVerificationExceeded"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.vault_data_integrity_check_lambda_iterator_age will be created
+ resource "aws_cloudwatch_metric_alarm" "vault_data_integrity_check_lambda_iterator_age" {
+ actions_enabled = true
+ alarm_actions = [
+ "arn:aws:sns:ca-central-1:957818836222:alert-warning",
]
+ alarm_description = "Warning - Vault data integrity check lambda is unable to keep up with the amount of events sent by the Vault DynamoDB stream"
+ alarm_name = "Vault data integrity check lambda iterator age"
+ arn = (known after apply)
+ comparison_operator = "GreaterThanThreshold"
+ dimensions = {
+ "FunctionName" = "Vault_Data_Integrity_Check"
+ "Resource" = "Vault_Data_Integrity_Check"
}
+ evaluate_low_sample_count_percentiles = (known after apply)
+ evaluation_periods = 2
+ id = (known after apply)
+ metric_name = "IteratorAge"
+ namespace = "AWS/Lambda"
+ ok_actions = [
+ "arn:aws:sns:ca-central-1:957818836222:alert-ok",
]
+ period = 60
+ statistic = "Average"
+ tags_all = {
+ "CostCentre" = "forms-platform-production"
+ "Terraform" = "true"
}
+ threshold = 90000
+ treat_missing_data = "notBreaching"
}
# aws_iam_role.notify_slack_lambda will be updated in-place
~ resource "aws_iam_role" "notify_slack_lambda" {
id = "NotifySlackLambda"
name = "NotifySlackLambda"
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_lambda_function.notify_slack will be updated in-place
~ resource "aws_lambda_function" "notify_slack" {
id = "NotifySlack"
~ last_modified = "2023-08-16T18:18:08.956+0000" -> (known after apply)
~ runtime = "nodejs14.x" -> "nodejs18.x"
~ source_code_hash = "1jhdhT6lr8Vi+fcLtGWh4KDwpLBmROfUtD6qnYTbujE=" -> "aGx6QTTnU0Sadob77F9K9cNvEB58TKpnkHqYlJvbKtI="
~ tags = {
- "CostCentre" = "forms-platform-production" -> null
- "Terraform" = "true" -> null
}
# (19 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
# module.athena_bucket.aws_s3_bucket.this will be updated in-place
~ resource "aws_s3_bucket" "this" {
id = "forms-production-athena-bucket"
~ tags = {
"CostCentre" = "forms-platform-production"
+ "Critical" = "false"
"Terraform" = "true"
}
~ tags_all = {
+ "Critical" = "false"
# (2 unchanged elements hidden)
}
# (10 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
Plan: 18 to add, 19 to change, 7 to destroy.
Warning: Argument is deprecated
with module.athena_bucket.aws_s3_bucket.this,
on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
8: resource "aws_s3_bucket" "this" {
Use the aws_s3_bucket_lifecycle_configuration resource instead
(and 3 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_cpu_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_memory_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.reliability_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.response_time_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.route53_ddos[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.route53_ddos[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.twoFa_verification_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.vault_data_integrity_check_lambda_iterator_age"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.notify_slack_lambda"]
WARN - plan.json - main - Missing... |
🤖 Release is at https://github.com/cds-snc/forms-terraform/releases/tag/v3.5.0 🌻
🤖 I have created a release beep boop
3.5.0 (2024-01-25)
Features
Bug Fixes
Miscellaneous Chores
import.tf
file (#584) (9d3b92a)
This PR was generated with Release Please. See documentation.