
chore: GCForms release v3.6.0 #598

Merged 1 commit on Feb 27, 2024

Conversation

sre-read-write[bot] (Contributor) commented Feb 20, 2024

🤖 I have created a release beep boop

3.6.0 (2024-02-27)

Features

Bug Fixes

  • add a way of unit testing lambda quickly and fix the lowercase logical error (#600) (4b733d7)
  • add missing subscription filter to audit logs archiver lambda logs (#597) (0def180)
  • missing permissions for the audit logs archiver lambda to access S3 bucket (#601) (05ce856)

This PR was generated with Release Please. See documentation.

sre-read-write[bot] changed the title from "chore: GCForms release v3.5.3" to "chore: GCForms release v3.6.0" on Feb 21, 2024
sre-read-write[bot] force-pushed the release-please--branches--develop branch 3 times, most recently from 51cce4d to bc08a15 on February 22, 2024 13:52
craigzour (Contributor) commented:
This pull request includes the new Audit logs archiver feature. We will have to run a migration script once it is released in production.

sre-read-write[bot] force-pushed the release-please--branches--develop branch from bc08a15 to f710aaf on February 26, 2024 17:03
sre-read-write[bot] force-pushed the release-please--branches--develop branch from f710aaf to b302428 on February 27, 2024 14:15

Production: s3

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 5 to add, 0 to change, 0 to destroy
Summary (CHANGE / NAME)
  add     aws_s3_bucket.audit_logs_archive_storage
  add     aws_s3_bucket_lifecycle_configuration.audit_logs_archive_storage
  add     aws_s3_bucket_ownership_controls.audit_logs_archive_storage
  add     aws_s3_bucket_public_access_block.audit_logs_archive_storage
  add     aws_s3_bucket_server_side_encryption_configuration.audit_logs_archive_storage
Plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_s3_bucket.audit_logs_archive_storage will be created
  + resource "aws_s3_bucket" "audit_logs_archive_storage" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "forms-production-audit-logs-archive-storage"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # aws_s3_bucket_lifecycle_configuration.audit_logs_archive_storage will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "audit_logs_archive_storage" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + rule {
          + id     = "Clear Audit Logs Archive Storage after 1 year and 11 months"
          + status = "Enabled"

          + expiration {
              + days                         = 700
              + expired_object_delete_marker = (known after apply)
            }
        }
    }

  # aws_s3_bucket_ownership_controls.audit_logs_archive_storage will be created
  + resource "aws_s3_bucket_ownership_controls" "audit_logs_archive_storage" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_public_access_block.audit_logs_archive_storage will be created
  + resource "aws_s3_bucket_public_access_block" "audit_logs_archive_storage" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # aws_s3_bucket_server_side_encryption_configuration.audit_logs_archive_storage will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs_archive_storage" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm = "AES256"
            }
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + audit_logs_archive_storage_arn = (known after apply)
  + audit_logs_archive_storage_id  = (known after apply)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.archive_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.audit_logs_archive_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.lambda_code"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.reliability_file_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.vault_file_storage"]

24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions


Production: dynamodb

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Summary (CHANGE / NAME)
  update  aws_dynamodb_table.audit_logs
Plan
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_dynamodb_table.audit_logs will be updated in-place
  ~ resource "aws_dynamodb_table" "audit_logs" {
        id                          = "AuditLogs"
        name                        = "AuditLogs"
      ~ stream_arn                  = "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs/stream/2023-04-17T14:24:26.127" -> (known after apply)
      ~ stream_enabled              = true -> false
        tags                        = {}
        # (11 unchanged attributes hidden)

      + attribute {
          + name = "Status"
          + type = "S"
        }

      - global_secondary_index {
          - hash_key           = "UserID" -> null
          - name               = "UserByTime" -> null
          - non_key_attributes = [] -> null
          - projection_type    = "KEYS_ONLY" -> null
          - range_key          = "TimeStamp" -> null
          - read_capacity      = 0 -> null
          - write_capacity     = 0 -> null
        }
      + global_secondary_index {
          + hash_key           = "Status"
          + name               = "StatusByTimestamp"
          + non_key_attributes = []
          + projection_type    = "ALL"
          + range_key          = "TimeStamp"
        }
      + global_secondary_index {
          + hash_key           = "UserID"
          + name               = "UserByTime"
          + non_key_attributes = []
          + projection_type    = "KEYS_ONLY"
          + range_key          = "TimeStamp"
        }

        # (6 unchanged blocks hidden)
    }
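
Review bot: two production-impacting changes in this hunk deserve explicit confirmation before apply. First, `stream_enabled = true -> false` turns off the DynamoDB stream on the AuditLogs table (and `stream_arn` goes away); if any consumer still reads that stream, it stops receiving audit events silently. Second, the plan shows the `UserByTime` global secondary index removed and re-added with an identical definition alongside the new `StatusByTimestamp` index; if the provider really deletes and rebuilds the index rather than just rendering a set diff, `UserByTime` queries fail during the backfill on a production audit table, so check the provider behaviour or apply during a window where that is acceptable.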

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.vault"]

22 tests, 19 passed, 3 warnings, 0 failures, 0 exceptions


Production: app

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Summary (CHANGE / NAME)
  add     aws_ecs_task_definition.form_viewer
Plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_ecs_task_definition.form_viewer will be created
  + resource "aws_ecs_task_definition" "form_viewer" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = jsonencode(
            [
              + {
                  + environment      = [
                      + {
                          + name  = "AUDIT_LOG_QUEUE_URL"
                          + value = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue"
                        },
                      + {
                          + name  = "COGNITO_CLIENT_ID"
                          + value = "5rkjd3us3ocssieiitdbtjitiv"
                        },
                      + {
                          + name  = "COGNITO_ENDPOINT_URL"
                          + value = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_eSTGTCw33"
                        },
                      + {
                          + name  = "EMAIL_ADDRESS_CONTACT_US"
                          + value = "assistance+forms-formulaires@cds-snc.ca"
                        },
                      + {
                          + name  = "EMAIL_ADDRESS_SUPPORT"
                          + value = "assistance+forms-formulaires@cds-snc.ca"
                        },
                      + {
                          + name  = "METRIC_PROVIDER"
                          + value = "stdout"
                        },
                      + {
                          + name  = "NEXTAUTH_URL"
                          + value = "https://forms-formulaires.alpha.canada.ca"
                        },
                      + {
                          + name  = "RECAPTCHA_V3_SITE_KEY"
                          + value = "6LfuLrQnAAAAAK9Df3gem4XLMRVY2Laq6t2fhZhZ"
                        },
                      + {
                          + name  = "REDIS_URL"
                          + value = "gcforms-redis-rep-group.iyrckm.ng.0001.cac1.cache.amazonaws.com"
                        },
                      + {
                          + name  = "RELIABILITY_FILE_STORAGE"
                          + value = "forms-production-reliability-file-storage"
                        },
                      + {
                          + name  = "REPROCESS_SUBMISSION_QUEUE_URL"
                          + value = "https://sqs.ca-central-1.amazonaws.com/957818836222/reprocess_submission_queue.fifo"
                        },
                      + {
                          + name  = "TEMPLATE_ID"
                          + value = "92096ac6-1cc5-40ae-9052-fffdb8439a90"
                        },
                      + {
                          + name  = "TEMPORARY_TOKEN_TEMPLATE_ID"
                          + value = "61cec9c4-64ca-4e4d-b4d2-a0e931c44422"
                        },
                      + {
                          + name  = "TRACER_PROVIDER"
                          + value = "stdout"
                        },
                      + {
                          + name  = "VAULT_FILE_STORAGE"
                          + value = "forms-production-vault-file-storage"
                        },
                    ]
                  + image            = "957818836222.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_production"
                  + linuxParameters  = {
                      + capabilities = {
                          + drop = [
                              + "ALL",
                            ]
                        }
                    }
                  + logConfiguration = {
                      + logDriver = "awslogs"
                      + options   = {
                          + awslogs-group         = "Forms"
                          + awslogs-region        = "ca-central-1"
                          + awslogs-stream-prefix = "ecs-form-viewer"
                        }
                    }
                  + name             = "form_viewer"
                  + portMappings     = [
                      + {
                          + containerPort = 3000
                        },
                    ]
                  + secrets          = [
                      + {
                          + name      = "NOTIFY_API_KEY"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_api_key-sLtddr"
                        },
                      + {
                          + name      = "RECAPTCHA_V3_SECRET_KEY"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:recaptcha_secret-LxfCjN"
                        },
                      + {
                          + name      = "DATABASE_URL"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:server-database-url-jVtWGE"
                        },
                      + {
                          + name      = "TOKEN_SECRET"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:token_secret-jw4Dou"
                        },
                      + {
                          + name      = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:notify_callback_bearer_token-sWF9yQ"
                        },
                      + {
                          + name      = "FRESHDESK_API_KEY"
                          + valueFrom = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:freshdesk_api_key-2Q118n"
                        },
                    ]
                },
            ]
        )
      + cpu                      = "2048"
      + execution_role_arn       = "arn:aws:iam::957818836222:role/form-viewer"
      + family                   = "form-viewer"
      + id                       = (known after apply)
      + memory                   = "4096"
      + network_mode             = "awsvpc"
      + requires_compatibilities = [
          + "FARGATE",
        ]
      + revision                 = (known after apply)
      + skip_destroy             = false
      + tags_all                 = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + task_role_arn            = "arn:aws:iam::957818836222:role/form-viewer"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]

34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions


Production: lambdas

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 6 to add, 6 to change, 0 to destroy
Summary (CHANGE / NAME)
  add     aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger
  add     aws_cloudwatch_event_target.audit_logs_archiver_lambda_trigger
  add     aws_cloudwatch_log_group.audit_logs_archiver
  add     aws_lambda_function.audit_logs_archiver
  add     aws_lambda_permission.audit_logs_archiver
  add     aws_s3_object.audit_logs_archiver_code
  update  aws_iam_policy.lambda_s3
  update  aws_lambda_function.audit_logs
  update  aws_lambda_function.submission
  update  aws_lambda_function.vault_integrity
  update  aws_s3_object.audit_logs_code
  update  aws_s3_object.submission_code
Plan
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger will be created
  + resource "aws_cloudwatch_event_rule" "audit_logs_archiver_lambda_trigger" {
      + arn                 = (known after apply)
      + description         = "Fires every day at 1am EST"
      + event_bus_name      = "default"
      + id                  = (known after apply)
      + name                = "audit-logs-archiver-lambda-trigger"
      + name_prefix         = (known after apply)
      + schedule_expression = "cron(0 6 * * ? *)"
      + tags_all            = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
    }

  # aws_cloudwatch_event_target.audit_logs_archiver_lambda_trigger will be created
  + resource "aws_cloudwatch_event_target" "audit_logs_archiver_lambda_trigger" {
      + arn            = (known after apply)
      + event_bus_name = "default"
      + id             = (known after apply)
      + rule           = "audit-logs-archiver-lambda-trigger"
      + target_id      = (known after apply)
    }

  # aws_cloudwatch_log_group.audit_logs_archiver will be created
  + resource "aws_cloudwatch_log_group" "audit_logs_archiver" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + kms_key_id        = "arn:aws:kms:ca-central-1:957818836222:key/b5973af1-3114-4808-9455-57441c35854d"
      + log_group_class   = (known after apply)
      + name              = "/aws/lambda/Audit_Logs_Archiver"
      + name_prefix       = (known after apply)
      + retention_in_days = 731
      + skip_destroy      = false
      + tags_all          = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
    }

  # aws_iam_policy.lambda_s3 will be updated in-place
  ~ resource "aws_iam_policy" "lambda_s3" {
        id          = "arn:aws:iam::957818836222:policy/lambda_s3"
        name        = "lambda_s3"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                          + "arn:aws:s3:::forms-staging-audit-logs-archive-storage/*",
                          + "arn:aws:s3:::forms-staging-audit-logs-archive-storage",
                            "arn:aws:s3:::forms-production-vault-file-storage/*",
                            # (7 unchanged elements hidden)
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (5 unchanged attributes hidden)
    }

  # aws_lambda_function.audit_logs will be updated in-place
  ~ resource "aws_lambda_function" "audit_logs" {
        id                             = "Audit_Logs"
      ~ last_modified                  = "2024-01-25T16:19:37.000+0000" -> (known after apply)
      ~ s3_object_version              = "3hlR1o6WdUP0F5ZluvO1LG85o.p7NIiO" -> (known after apply)
      ~ source_code_hash               = "Buwqu7thcIBHaO7og80TTG/nf0wASM21hynA9WhHPz0=" -> "uJgR/UkrTb9d9cw3c7/M14DNOgixZp33RJLBUZP3LQ0="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_lambda_function.audit_logs_archiver will be created
  + resource "aws_lambda_function" "audit_logs_archiver" {
      + architectures                  = (known after apply)
      + arn                            = (known after apply)
      + function_name                  = "Audit_Logs_Archiver"
      + handler                        = "audit_logs_archiver.handler"
      + id                             = (known after apply)
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + memory_size                    = 128
      + package_type                   = "Zip"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + qualified_invoke_arn           = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = "arn:aws:iam::957818836222:role/iam_for_lambda"
      + runtime                        = "nodejs18.x"
      + s3_bucket                      = "forms-production-lambda-code"
      + s3_key                         = "audit_logs_archiver_code"
      + s3_object_version              = (known after apply)
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + skip_destroy                   = false
      + source_code_hash               = "j21QkAUTlKxkmkad5xW89Zgl6fwIQ54MWvLhLAnhwdI="
      + source_code_size               = (known after apply)
      + tags_all                       = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + timeout                        = 900
      + version                        = (known after apply)

      + environment {
          + variables = {
              + "AUDIT_LOGS_ARCHIVE_STORAGE_S3_BUCKET" = "forms-staging-audit-logs-archive-storage"
              + "AUDIT_LOGS_DYNAMODB_TABLE_NAME"       = "AuditLogs"
              + "LOCALSTACK"                           = "false"
              + "REGION"                               = "ca-central-1"
            }
        }

      + tracing_config {
          + mode = "PassThrough"
        }
    }
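
Review bot: the production archiver is wired to the staging bucket. In this hunk `AUDIT_LOGS_ARCHIVE_STORAGE_S3_BUCKET = "forms-staging-audit-logs-archive-storage"`, and the `aws_iam_policy.lambda_s3` update above adds `arn:aws:s3:::forms-staging-audit-logs-archive-storage` and `/*` to the policy, while the Production s3 plan in this same PR creates `forms-production-audit-logs-archive-storage`. Applied as planned, the production Lambda would write audit-log archives into (and hold permissions on) a bucket belonging to a different environment and would have no permission on the bucket actually being created; the bucket name should be fed from the production s3 outputs (`audit_logs_archive_storage_id` / `_arn` are exported there) rather than a hard-coded staging value.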

  # aws_lambda_function.submission will be updated in-place
  ~ resource "aws_lambda_function" "submission" {
        id                             = "Submission"
      ~ last_modified                  = "2024-01-25T16:19:37.000+0000" -> (known after apply)
      ~ s3_object_version              = "bBzd3fM7fzihAZKRcPh2x2Eom92FQGQs" -> (known after apply)
      ~ source_code_hash               = "upOHVsX4QZQdq2GJDkBlWCCQTia0Q0WdEVP2ZbhUGXk=" -> "MUixujtBoNJnnkSJ7B6Vthx0gUQCXxS8qA23h6mRcC8="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_lambda_function.vault_integrity will be updated in-place
  ~ resource "aws_lambda_function" "vault_integrity" {
        id                             = "Vault_Data_Integrity_Check"
      ~ last_modified                  = "2024-02-13T15:11:44.000+0000" -> (known after apply)
      ~ source_code_hash               = "9lDCUtEgnDGaN0b7aU2yhDlM0DDumsUYZhbUsYDuAF4=" -> "TowbMcppnki+0a5fq50Oral3CqleiwGw7U1igvFz0Ws="
        tags                           = {}
        # (24 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_lambda_permission.audit_logs_archiver will be created
  + resource "aws_lambda_permission" "audit_logs_archiver" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "Audit_Logs_Archiver"
      + id                  = (known after apply)
      + principal           = "events.amazonaws.com"
      + source_arn          = (known after apply)
      + statement_id        = "AllowExecutionFromCloudWatch"
      + statement_id_prefix = (known after apply)
    }

  # aws_s3_object.audit_logs_archiver_code will be created
  + resource "aws_s3_object" "audit_logs_archiver_code" {
      + acl                    = (known after apply)
      + bucket                 = "forms-production-lambda-code"
      + bucket_key_enabled     = (known after apply)
      + checksum_crc32         = (known after apply)
      + checksum_crc32c        = (known after apply)
      + checksum_sha1          = (known after apply)
      + checksum_sha256        = (known after apply)
      + content_type           = (known after apply)
      + etag                   = (known after apply)
      + force_destroy          = false
      + id                     = (known after apply)
      + key                    = "audit_logs_archiver_code"
      + kms_key_id             = (known after apply)
      + server_side_encryption = (known after apply)
      + source                 = "/tmp/audit_logs_archiver_code.zip"
      + source_hash            = "j21QkAUTlKxkmkad5xW89Zgl6fwIQ54MWvLhLAnhwdI="
      + storage_class          = (known after apply)
      + tags_all               = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + version_id             = (known after apply)
    }

  # aws_s3_object.audit_logs_code will be updated in-place
  ~ resource "aws_s3_object" "audit_logs_code" {
        id                     = "audit_logs_code"
      ~ source_hash            = "Buwqu7thcIBHaO7og80TTG/nf0wASM21hynA9WhHPz0=" -> "uJgR/UkrTb9d9cw3c7/M14DNOgixZp33RJLBUZP3LQ0="
        tags                   = {}
      ~ version_id             = "3hlR1o6WdUP0F5ZluvO1LG85o.p7NIiO" -> (known after apply)
        # (11 unchanged attributes hidden)
    }

  # aws_s3_object.submission_code will be updated in-place
  ~ resource "aws_s3_object" "submission_code" {
        id                     = "submission_code"
      ~ source_hash            = "upOHVsX4QZQdq2GJDkBlWCCQTia0Q0WdEVP2ZbhUGXk=" -> "MUixujtBoNJnnkSJ7B6Vthx0gUQCXxS8qA23h6mRcC8="
        tags                   = {}
      ~ version_id             = "bBzd3fM7fzihAZKRcPh2x2Eom92FQGQs" -> (known after apply)
        # (11 unchanged attributes hidden)
    }

Plan: 6 to add, 6 to change, 0 to destroy.

Changes to Outputs:
  + lambda_audit_logs_archiver_group_name            = "/aws/lambda/Audit_Logs_Archiver"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...


Production: alarms

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 3 to add, 1 to change, 0 to destroy
Summary (CHANGE / NAME)
  update  aws_lambda_function.notify_slack
  add     aws_cloudwatch_log_subscription_filter.lambda_error_detection["audit_logs_archiver"]
  add     aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["audit_logs_archiver"]
  add     aws_cloudwatch_metric_alarm.UnHealthyHostCount
Plan
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_log_subscription_filter.lambda_error_detection["audit_logs_archiver"] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "lambda_error_detection" {
      + destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
      + distribution    = "ByLogStream"
      + filter_pattern  = "{($.level = \"warn\") || ($.level = \"error\")}"
      + id              = (known after apply)
      + log_group_name  = "/aws/lambda/Audit_Logs_Archiver"
      + name            = "error_detection_in_audit_logs_archiver_lambda_logs"
      + role_arn        = (known after apply)
    }

  # aws_cloudwatch_log_subscription_filter.lambda_timeout_detection["audit_logs_archiver"] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "lambda_timeout_detection" {
      + destination_arn = "arn:aws:lambda:ca-central-1:957818836222:function:NotifySlack"
      + distribution    = "ByLogStream"
      + filter_pattern  = "Task timed out"
      + id              = (known after apply)
      + log_group_name  = "/aws/lambda/Audit_Logs_Archiver"
      + name            = "timeout_detection_in_audit_logs_archiver_lambda_logs"
      + role_arn        = (known after apply)
    }

  # aws_cloudwatch_metric_alarm.UnHealthyHostCount will be created
  + resource "aws_cloudwatch_metric_alarm" "UnHealthyHostCount" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:957818836222:alert-critical",
        ]
      + alarm_description                     = "ELB Health Check - UnHealthyHostCount exceed threshold."
      + alarm_name                            = "UnHealthyHostCount-SEV1"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "HTTPCode_ELB_5XX_Count"
      + namespace                             = "AWS/ApplicationELB"
      + period                                = 60
      + statistic                             = "SampleCount"
      + tags_all                              = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + threshold                             = 1
      + treat_missing_data                    = "notBreaching"
    }

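Review bot: this alarm is unlikely ever to enter ALARM as planned: there is no `dimensions` block, and AWS/ApplicationELB publishes HTTPCode_ELB_5XX_Count per LoadBalancer, so the metric query returns no data and `treat_missing_data = "notBreaching"` keeps it in OK. Add `dimensions = { LoadBalancer = <the ALB's arn_suffix> }`. Separately, the name and description say UnHealthyHostCount while the metric is the ELB 5xx count with statistic SampleCount, threshold 1 and one 60-second period, which would page alert-critical as SEV1 on the second 5xx datapoint in a minute; either point it at the real UnHealthyHostCount metric (which needs TargetGroup and LoadBalancer dimensions) or rename it, use Sum (the statistic AWS documents for the HTTPCode_* count metrics) and choose a threshold that matches a SEV1.
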
  # aws_lambda_function.notify_slack will be updated in-place
  ~ resource "aws_lambda_function" "notify_slack" {
        id                             = "NotifySlack"
      ~ last_modified                  = "2024-01-25T16:21:41.000+0000" -> (known after apply)
      ~ source_code_hash               = "aGx6QTTnU0Sadob77F9K9cNvEB58TKpnkHqYlJvbKtI=" -> "xsBes0R4ZOY7o2StbXMBaVtoT0FDHuA4M3s/XvSuvlo="
        tags                           = {}
        # (20 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              + "OPSGENIE_API_KEY" = (sensitive value)
                # (2 unchanged elements hidden)
            }
        }

        # (2 unchanged blocks hidden)
    }

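Review bot: OPSGENIE_API_KEY is being added as a plain Lambda environment variable. The (sensitive value) mask only hides it in Terraform output; at rest it is encrypted with the AWS-managed Lambda key, and any principal with lambda:GetFunctionConfiguration on NotifySlack (or console read access) can read it in clear. Prefer storing it in Secrets Manager or an SSM SecureString and fetching it at invocation with the function role scoped to that one secret, or at minimum set kms_key_arn on this function so the variable is protected by a customer-managed key with its own key policy.
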
Plan: 3 to add, 1 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.athena_bucket.aws_s3_bucket.this,
  on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
   8: resource "aws_s3_bucket" "this" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 3 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_cpu_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_memory_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.reliability_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.response_time_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.route53_ddos[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.twoFa_verification_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.vault_data_integrity_check_lambda_iterator_age"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.notify_slack"]

38 tests, 19 passed, 19 warnings, 0 failures, 0 exceptions
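The "Missing Common Tags" warnings above come from a Conftest policy run over the plan's JSON. The check below is an added illustration, not the project's Rego policy: it walks `resource_changes[].change.after` from `terraform show -json`, skips deletions and resource types with no `tags` attribute, and reports resources whose own `tags` lack a required key. The required tag set is assumed (the page does not list it), and the rule that only the resource's `tags`, not provider-supplied `tags_all`, count is inferred from the warning for `aws_lambda_function.notify_slack`, whose plan shows `tags = {}` yet a populated `tags_all`. The sample plan is constructed for the example.

```python
"""Flag Terraform plan resources that lack required "common" tags.

Added illustration of the kind of check behind the Conftest WARN lines;
not the project's own policy. Input is the JSON from `terraform show -json`.
"""
import json
import sys

# Assumed required tag set; the real policy's list is not on the page.
REQUIRED_TAGS = ("CostCentre", "Terraform")


def missing_common_tags(plan, required=REQUIRED_TAGS):
    """Return {resource address: [missing tag keys]} for every resource the
    plan creates or updates.

    Deleted and no-op resources are skipped, as are resource types whose
    schema has no `tags` attribute at all (subscription filters, for
    instance), since they cannot carry tags. Only the resource's own `tags`
    are inspected, not the provider default_tags merged into `tags_all`.
    """
    findings = {}
    for change in plan.get("resource_changes", []):
        actions = change["change"]["actions"]
        if actions == ["no-op"] or actions == ["delete"]:
            continue
        after = change["change"].get("after") or {}
        if "tags" not in after:
            continue  # untaggable resource type
        tags = after["tags"] or {}  # Terraform renders unset tags as null
        missing = [key for key in required if key not in tags]
        if missing:
            findings[change["address"]] = missing
    return findings


def conftest_style_warnings(findings):
    """Render findings as lines shaped like the Conftest output above."""
    return [
        f'WARN - plan.json - main - Missing Common Tags: ["{address}"]'
        for address in sorted(findings)
    ]


# Constructed sample plan mirroring the resource shapes in the plan above.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_lambda_function.notify_slack",
            "type": "aws_lambda_function",
            "change": {
                "actions": ["update"],
                "after": {
                    "function_name": "NotifySlack",
                    "tags": {},
                    "tags_all": {"CostCentre": "forms-platform-production",
                                 "Terraform": "true"},
                },
            },
        },
        {
            "address": "aws_cloudwatch_metric_alarm.UnHealthyHostCount",
            "type": "aws_cloudwatch_metric_alarm",
            "change": {
                "actions": ["create"],
                "after": {"alarm_name": "UnHealthyHostCount-SEV1",
                          "tags": None,
                          "tags_all": {"CostCentre": "forms-platform-production",
                                       "Terraform": "true"}},
            },
        },
        {
            "address": 'aws_cloudwatch_log_subscription_filter.lambda_error_detection["audit_logs_archiver"]',
            "type": "aws_cloudwatch_log_subscription_filter",
            "change": {
                "actions": ["create"],
                "after": {"name": "error_detection_in_audit_logs_archiver_lambda_logs"},
            },
        },
        {
            "address": "aws_s3_bucket.audit_logs_archive_storage",
            "type": "aws_s3_bucket",
            "change": {
                "actions": ["create"],
                "after": {"tags": {"CostCentre": "forms-platform-production",
                                   "Terraform": "true"}},
            },
        },
        {
            "address": "aws_iam_role.retired",
            "type": "aws_iam_role",
            "change": {"actions": ["delete"], "before": {"tags": {}}, "after": None},
        },
    ],
}


if __name__ == "__main__":
    # Usage: python check_tags.py plan.json   (falls back to the sample plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for line in conftest_style_warnings(missing_common_tags(plan)):
        print(line)
```

Run against a real `terraform show -json plan.tfplan > plan.json` to get the same two warnings the Conftest run reports for `notify_slack` and `UnHealthyHostCount`; the S3 bucket passes because its own `tags` carry both keys, and the subscription filter is skipped rather than flagged.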

@patheard patheard merged commit 965b3bf into develop Feb 27, 2024
1 check passed
@patheard patheard deleted the release-please--branches--develop branch February 27, 2024 16:32