Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Print specific message if CORE row isn't found #99

Merged
merged 6 commits into from
Aug 13, 2024
Merged

Conversation

chrisbloe
Copy link
Contributor

No description provided.

Copy link

Report for environment: prod

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖failure

Show Plan ()

aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.db-username: Reading...
data.aws_ssm_parameter.private_subnets: Reading...
data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.gocd_sg_id: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Reading...
aws_ecs_cluster.ecs-cluster: Refreshing state... [id=arn:aws:ecs:eu-west-2:535760944720:cluster/prod-ehr-repo-ecs-cluster]
data.aws_iam_policy_document.ecs-assume-role-policy: Reading...
data.aws_ssm_parameter.db-password: Reading...
data.aws_iam_policy_document.ecs-assume-role-policy: Read complete after 0s [id=320642683]
aws_s3_bucket.ehr_repo_access_logs: Refreshing state... [id=prod-ehr-repo-access-logs]
data.aws_sns_topic.alarm_notifications: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=535760944720]
aws_kms_key.ehr-repo-key: Refreshing state... [id=a3c164bb-c5ac-4ef7-999e-0000475e0176]
data.aws_sns_topic.alarm_notifications: Read complete after 1s [id=arn:aws:sns:eu-west-2:535760944720:prod-alarm-notifications-sns-topic]
data.aws_ssm_parameter.vpn_sg_id: Reading...
data.aws_ssm_parameter.private_zone_id: Reading...
data.aws_ssm_parameter.gocd_sg_id: Read complete after 1s [id=/repo/prod/user-input/external/gocd-agent-sg-id]
data.aws_ssm_parameter.private_subnets: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/deductions-core-private-subnets]
data.aws_ssm_parameter.database_subnets: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/repo-databases-parameter-group-name-version-13]
aws_s3_bucket.ehr-repo-bucket: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.environment_private_zone_id: Reading...
data.aws_ssm_parameter.db-username: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-username]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Reading...
data.aws_ssm_parameter.db-password: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-password]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Read complete after 0s [id=4137863563]
data.aws_ssm_parameter.alb_access_logs_bucket: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Read complete after 0s [id=1020153983]
data.aws_ssm_parameter.deductions_private_vpc_id: Reading...
data.aws_ssm_parameter.dynamodb_name: Reading...
data.aws_ssm_parameter.vpn_sg_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/vpn-sg-id]
data.aws_ssm_parameter.deductions_core_vpc_id: Reading...
data.aws_ssm_parameter.database_subnets: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-database-subnets]
data.aws_ssm_parameter.s3_prefix_list_id: Reading...
data.aws_ssm_parameter.environment_private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/environment-private-zone-id]
data.aws_ssm_parameter.private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-root-zone-id]
data.aws_vpc.mhs: Reading...
data.aws_ssm_parameter.dynamodb_prefix_list_id: Reading...
data.aws_ssm_parameter.deductions_private_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-vpc-id]
data.aws_ssm_parameter.alb_access_logs_bucket: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/alb-access-logs-s3-bucket-id]
data.aws_ssm_parameter.environment_public_zone_id: Reading...
aws_iam_role.ehr-repo: Refreshing state... [id=prod-ehr-repo-EcsTaskRole]
data.aws_ssm_parameter.dynamodb_name: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/ehr-transfer-tracker-db-name]
aws_cloudwatch_metric_alarm.error_log_alarm: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_iam_policy.ehr-repo-s3-bucket: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3-bucket]
data.aws_ssm_parameter.deductions_core_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-vpc-id]
aws_iam_policy.ehr-repo-s3: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3]
data.aws_ssm_parameter.s3_prefix_list_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core/s3-prefix-list-id]
aws_ssm_parameter.deductions_core_ecs_cluster_id: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/deductions-core-ecs-cluster-id]
aws_db_subnet_group.db-cluster-subnet-group: Refreshing state... [id=prod-ehr-db-subnet-group]
data.aws_ssm_parameter.environment_public_zone_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/environment-public-zone-id]
data.aws_vpc.private_vpc: Reading...
aws_cloudwatch_log_group.log-group: Refreshing state... [id=/nhs/deductions/prod-535760944720/ehr-repo]
data.aws_iam_policy_document.ssm_policy_doc: Reading...
data.aws_iam_policy_document.ssm_policy_doc: Read complete after 0s [id=1951628828]
data.aws_iam_policy_document.ecr_policy_doc: Reading...
data.aws_iam_policy_document.ecr_policy_doc: Read complete after 0s [id=3935638853]
data.aws_iam_policy_document.logs_policy_doc: Reading...
data.aws_iam_policy_document.logs_policy_doc: Read complete after 0s [id=2047735215]
aws_kms_alias.ehr_repo_encryption: Refreshing state... [id=alias/ehr-repo-encryption-kms-key]
aws_security_group.service_to_ehr_repo: Refreshing state... [id=sg-0843b1d0b553c2023]
aws_security_group.vpn_to_db_sg: Refreshing state... [id=sg-0202aa7080b14a4fe]
aws_security_group.gocd_to_db_sg: Refreshing state... [id=sg-04a1bdc4b2d04025f]
aws_security_group.gocd_to_ehr_repo: Refreshing state... [id=sg-03ac6aa886cc858a1]
data.aws_vpc.deductions_core_vpc: Reading...
aws_alb_target_group.internal-alb-tg: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-2:535760944720:targetgroup/prod-ehr-repo-int-tg/ee3bb55b5e3d566e]
aws_security_group.ehr_repo_alb: Refreshing state... [id=sg-07e5606b3bcd4649d]
aws_security_group.vpn_to_ehr_repo: Refreshing state... [id=sg-0b1fbb458ed13a742]
data.aws_route53_zone.environment_public_zone: Reading...
aws_iam_policy.ssm_policy: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ssm]
data.aws_vpc.mhs: Read complete after 2s [id=vpc-0b9256aa629d17dc2]
aws_iam_policy.ehr-ecr: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ecr]
aws_iam_policy.ehr-logs: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-logs]
aws_iam_role_policy_attachment.ehr-repo-s3-bucket-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932284900000005]
data.aws_route53_zone.environment_public_zone: Read complete after 0s [id=Z03667822QZ8RSZRQVF9T]
aws_iam_role_policy_attachment.ehr-repo-s3-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932264800000003]
aws_ssm_parameter.service_to_ehr_repo: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/service-to-ehr-repo-sg-id]
aws_cloudwatch_log_metric_filter.log_metric_filter: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_security_group_rule.vpn_to_db_sg[0]: Refreshing state... [id=sgrule-2902444858]
aws_iam_role_policy_attachment.ssm_policy_attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932263800000002]
aws_acm_certificate.ehr-repo-cert: Refreshing state... [id=arn:aws:acm:eu-west-2:535760944720:certificate/3880818d-3f9e-4a1c-b002-678d4cead6ef]
aws_iam_role_policy_attachment.ehr-ecr-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932249100000001]
aws_iam_role_policy_attachment.ehr-logs: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932275100000004]
data.aws_vpc.private_vpc: Read complete after 1s
aws_route53_record.ehr-repo-cert-validation-record["ehr-repo.prod.patient-deductions.nhs.uk"]: Refreshing state... [id=Z03667822QZ8RSZRQVF9T__f4650d75793e219d9df2da1ec8a65eab.ehr-repo.prod.patient-deductions.nhs.uk._CNAME]
aws_acm_certificate_validation.ehr-repo-cert-validation: Refreshing state... [id=2023-09-06 00:40:21.735 +0000 UTC]
data.aws_vpc.deductions_core_vpc: Read complete after 2s
aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_public_access_block.ehr_repo_access_logs_access_block: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_versioning.ehr_repo_access_logs[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr-repo-bucket_policy: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_versioning.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_public_access_block.ehr_repo_access_block: Refreshing state... [id=prod-ehr-repo-bucket]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "prod-ehr-repo-bucket" -> null
      - id                    = "prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_developer_to_see_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "s3:Get*",
                            "s3:ListBucket",
                        ]
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::535760944720:role/RepoDeveloper"
                        }
                        Resource  = [
                            "arn:aws:s3:::prod-ehr-repo-access-logs",
                            "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::535760944720:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_security_group.ehr_repo_alb will be updated in-place
  ~ resource "aws_security_group" "ehr_repo_alb" {
        id                     = "sg-07e5606b3bcd4649d"
        name                   = "prod-alb-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-ehr-repo"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "gocd_to_db_sg" {
        id                     = "sg-04a1bdc4b2d04025f"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo-db-sg"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "gocd_to_ehr_repo" {
        id                     = "sg-03ac6aa886cc858a1"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.service_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "service_to_ehr_repo" {
        id                     = "sg-0843b1d0b553c2023"
        name                   = "prod-service-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-service-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "vpn_to_db_sg" {
        id                     = "sg-0202aa7080b14a4fe"
        name                   = "prod-vpn-to-ehr-repo-db-sg"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "vpn_to_ehr_repo" {
        id                     = "sg-0b1fbb458ed13a742"
        name                   = "prod-vpn-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 5 to add, 10 to change, 1 to destroy.

Copy link

Report for environment: dev

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (0 to add, 2 to change, 0 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "dev-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "dev-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "dev-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Copy link

Report for environment: pre-prod

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (5 to add, 3 to change, 1 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "pre-prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "pre-prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "pre-prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "pre-prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "pre-prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "pre-prod-ehr-repo-bucket" -> null
      - id                    = "pre-prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "pre-prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::108148468272:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::pre-prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 3 to change, 1 to destroy.

Copy link

Report for environment: test

Terraform Format and Style 🖌success

Format Output


Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (5 to add, 2 to change, 0 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "test-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "test-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "test-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "test-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "test-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 2 to change, 0 to destroy.

@AndyFlintNHS AndyFlintNHS merged commit 67ed0f4 into main Aug 13, 2024
6 checks passed
@AndyFlintNHS AndyFlintNHS deleted the PRMP-723 branch August 13, 2024 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants