feature: API Audit Logs #824
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
craigzour
reviewed
Sep 13, 2024
patheard
reviewed
Sep 16, 2024
⚠ Terrform update availableTerraform: 1.9.5 (using 1.9.2)
Terragrunt: 0.67.5 (using 0.63.2) |
Staging: sqs✅ Terraform Init: Plan: 2 to add, 0 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_sqs_queue.api_audit_log_deadletter_queue will be created
+ resource "aws_sqs_queue" "api_audit_log_deadletter_queue" {
+ arn = (known after apply)
+ content_based_deduplication = false
+ deduplication_scope = (known after apply)
+ delay_seconds = 60
+ fifo_queue = false
+ fifo_throughput_limit = (known after apply)
+ id = (known after apply)
+ kms_data_key_reuse_period_seconds = 300
+ kms_master_key_id = "alias/aws/sqs"
+ max_message_size = 262144
+ message_retention_seconds = 1209600
+ name = "api_audit_log_deadletter_queue"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ receive_wait_time_seconds = 5
+ redrive_allow_policy = (known after apply)
+ redrive_policy = (known after apply)
+ sqs_managed_sse_enabled = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ url = (known after apply)
+ visibility_timeout_seconds = 30
}
# aws_sqs_queue.api_audit_log_queue will be created
+ resource "aws_sqs_queue" "api_audit_log_queue" {
+ arn = (known after apply)
+ content_based_deduplication = false
+ deduplication_scope = (known after apply)
+ delay_seconds = 0
+ fifo_queue = false
+ fifo_throughput_limit = (known after apply)
+ id = (known after apply)
+ kms_data_key_reuse_period_seconds = 300
+ kms_master_key_id = "alias/aws/sqs"
+ max_message_size = 262144
+ message_retention_seconds = 172800
+ name = "api_audit_log_queue"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ receive_wait_time_seconds = 0
+ redrive_allow_policy = (known after apply)
+ redrive_policy = (known after apply)
+ sqs_managed_sse_enabled = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ url = (known after apply)
+ visibility_timeout_seconds = 1960
}
Plan: 2 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ sqs_api_audit_log_deadletter_queue_arn = (known after apply)
+ sqs_api_audit_log_queue_arn = (known after apply)
+ sqs_api_audit_log_queue_id = (known after apply)
+ sqs_app_audit_log_deadletter_queue_arn = "arn:aws:sqs:ca-central-1:687401027353:audit_log_deadletter_queue"
+ sqs_app_audit_log_queue_arn = "arn:aws:sqs:ca-central-1:687401027353:audit_log_queue"
+ sqs_app_audit_log_queue_id = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue"
- sqs_audit_log_deadletter_queue_arn = "arn:aws:sqs:ca-central-1:687401027353:audit_log_deadletter_queue" -> null
- sqs_audit_log_queue_arn = "arn:aws:sqs:ca-central-1:687401027353:audit_log_queue" -> null
- sqs_audit_log_queue_id = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue" -> null
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reprocess_submission_queue"]
26 tests, 19 passed, 7 warnings, 0 failures, 0 exceptions
|
Staging: dynamodb✅ Terraform Init: Plan: 1 to add, 0 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_dynamodb_table.api_audit_logs will be created
+ resource "aws_dynamodb_table" "api_audit_logs" {
+ arn = (known after apply)
+ billing_mode = "PAY_PER_REQUEST"
+ deletion_protection_enabled = true
+ hash_key = "UserID"
+ id = (known after apply)
+ name = "ApiAuditLogs"
+ range_key = "Event#SubjectID#TimeStamp"
+ read_capacity = (known after apply)
+ stream_arn = (known after apply)
+ stream_enabled = false
+ stream_label = (known after apply)
+ stream_view_type = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ write_capacity = (known after apply)
+ attribute {
+ name = "Event#SubjectID#TimeStamp"
+ type = "S"
}
+ attribute {
+ name = "Status"
+ type = "S"
}
+ attribute {
+ name = "TimeStamp"
+ type = "N"
}
+ attribute {
+ name = "UserID"
+ type = "S"
}
+ global_secondary_index {
+ hash_key = "Status"
+ name = "StatusByTimestamp"
+ non_key_attributes = []
+ projection_type = "ALL"
+ range_key = "TimeStamp"
}
+ global_secondary_index {
+ hash_key = "UserID"
+ name = "UserByTime"
+ non_key_attributes = []
+ projection_type = "KEYS_ONLY"
+ range_key = "TimeStamp"
}
+ point_in_time_recovery {
+ enabled = true
}
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = "arn:aws:kms:ca-central-1:687401027353:key/1f3edb85-9eac-4da9-8c7c-43a68e339ede"
}
+ ttl (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ dynamodb_api_audit_logs_arn = (known after apply)
+ dynamodb_api_audit_logs_table_name = "ApiAuditLogs"
+ dynamodb_app_audit_logs_arn = "arn:aws:dynamodb:ca-central-1:687401027353:table/AuditLogs"
+ dynamodb_app_audit_logs_table_name = "AuditLogs"
- dynamodb_audit_logs_arn = "arn:aws:dynamodb:ca-central-1:687401027353:table/AuditLogs" -> null
- dynamodb_audit_logs_table_name = "AuditLogs" -> null
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.api_audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.vault"]
23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
|
Yes, we can tackle that in a separate PR. |
Staging: app✅ Terraform Init: Plan: 1 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# aws_ecs_task_definition.form_viewer will be created
+ resource "aws_ecs_task_definition" "form_viewer" {
+ arn = (known after apply)
+ arn_without_revision = (known after apply)
+ container_definitions = jsonencode(
[
+ {
+ Command = null
+ Cpu = 0
+ CredentialSpecs = null
+ DependsOn = null
+ DisableNetworking = null
+ DnsSearchDomains = null
+ DnsServers = null
+ DockerLabels = null
+ DockerSecurityOptions = null
+ EntryPoint = null
+ Environment = [
+ {
+ Name = "AUDIT_LOG_QUEUE_URL"
+ Value = "http://sqs.ca-central-1.localhost.localstack.cloud:4566/000000000000/audit_log_queue"
},
+ {
+ Name = "COGNITO_CLIENT_ID"
+ Value = "17bsg3b2b7q5snon007rru264u"
},
+ {
+ Name = "COGNITO_ENDPOINT_URL"
+ Value = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_Cguq9JNQ1"
},
+ {
+ Name = "EMAIL_ADDRESS_CONTACT_US"
+ Value = "[email protected]"
},
+ {
+ Name = "EMAIL_ADDRESS_SUPPORT"
+ Value = "[email protected]"
},
+ {
+ Name = "HOST_URL"
+ Value = "https://forms-staging.cdssandbox.xyz"
},
+ {
+ Name = "METRIC_PROVIDER"
+ Value = "stdout"
},
+ {
+ Name = "NEXTAUTH_URL"
+ Value = "https://forms-staging.cdssandbox.xyz"
},
+ {
+ Name = "RECAPTCHA_V3_SITE_KEY"
+ Value = "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
},
+ {
+ Name = "REDIS_URL"
+ Value = "gcforms-redis-rep-group.uwpetx.ng.0001.cac1.cache.amazonaws.com"
},
+ {
+ Name = "RELIABILITY_FILE_STORAGE"
+ Value = "forms-staging-reliability-file-storage"
},
+ {
+ Name = "REPROCESS_SUBMISSION_QUEUE_URL"
+ Value = "https://sqs.ca-central-1.amazonaws.com/687401027353/reprocess_submission_queue.fifo"
},
+ {
+ Name = "TEMPLATE_ID"
+ Value = "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
},
+ {
+ Name = "TEMPORARY_TOKEN_TEMPLATE_ID"
+ Value = "b6885d06-d10a-422a-973f-05e274d9aa86"
},
+ {
+ Name = "TRACER_PROVIDER"
+ Value = "stdout"
},
+ {
+ Name = "VAULT_FILE_STORAGE"
+ Value = "forms-staging-vault-file-storage"
},
+ {
+ Name = "ZITADEL_PROVIDER"
+ Value = "https://auth.forms-staging.cdssandbox.xyz"
},
]
+ EnvironmentFiles = null
+ Essential = true
+ ExtraHosts = null
+ FirelensConfiguration = null
+ HealthCheck = null
+ Hostname = null
+ Image = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_staging"
+ Interactive = null
+ Links = null
+ LinuxParameters = {
+ Capabilities = {
+ Add = []
+ Drop = [
+ "ALL",
]
}
+ Devices = null
+ InitProcessEnabled = null
+ MaxSwap = null
+ SharedMemorySize = null
+ Swappiness = null
+ Tmpfs = null
}
+ LogConfiguration = {
+ LogDriver = "awslogs"
+ Options = {
+ awslogs-group = "Forms"
+ awslogs-region = "ca-central-1"
+ awslogs-stream-prefix = "ecs-form-viewer"
}
+ SecretOptions = null
}
+ Memory = null
+ MemoryReservation = null
+ MountPoints = []
+ Name = "form_viewer"
+ PortMappings = [
+ {
+ AppProtocol = ""
+ ContainerPort = 3000
+ ContainerPortRange = null
+ HostPort = 3000
+ Name = null
+ Protocol = "tcp"
},
]
+ Privileged = null
+ PseudoTerminal = null
+ ReadonlyRootFilesystem = null
+ RepositoryCredentials = null
+ ResourceRequirements = null
+ Secrets = [
+ {
+ Name = "DATABASE_URL"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
},
+ {
+ Name = "FRESHDESK_API_KEY"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:freshdesk_api_key-JVyxop"
},
+ {
+ Name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs"
},
+ {
+ Name = "NOTIFY_API_KEY"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-eR3nNp"
},
+ {
+ Name = "RECAPTCHA_V3_SECRET_KEY"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:recaptcha_secret-tTjsBo"
},
+ {
+ Name = "SENTRY_API_KEY"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:sentry_api_key-QBmONz"
},
+ {
+ Name = "TOKEN_SECRET"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:token_secret-n5Doyu"
},
+ {
+ Name = "ZITADEL_ADMINISTRATION_KEY"
+ ValueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:zitadel_administration_key-Oaki1d"
},
]
+ StartTimeout = null
+ StopTimeout = null
+ SystemControls = []
+ Ulimits = null
+ User = null
+ VolumesFrom = []
+ WorkingDirectory = null
},
]
)
+ cpu = "2048"
+ execution_role_arn = "arn:aws:iam::687401027353:role/form-viewer"
+ family = "form-viewer"
+ id = (known after apply)
+ memory = "4096"
+ network_mode = "awsvpc"
+ requires_compatibilities = [
+ "FARGATE",
]
+ revision = (known after apply)
+ skip_destroy = false
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ task_role_arn = "arn:aws:iam::687401027353:role/form-viewer"
+ track_latest = false
}
# aws_iam_policy.forms_sqs will be updated in-place
~ resource "aws_iam_policy" "forms_sqs" {
id = "arn:aws:iam::687401027353:policy/forms_sqs"
name = "forms_sqs"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = [
"arn:aws:sqs:ca-central-1:687401027353:reprocess_submission_queue.fifo",
~ "arn:aws:sqs:ca-central-1:687401027353:audit_log_queue" -> "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue",
]
- Sid = ""
# (2 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
tags = {}
# (7 unchanged attributes hidden)
}
Plan: 1 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]
34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions
|
Staging: api✅ Terraform Init: Plan: 0 to add, 2 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# module.api_ecs.aws_ecs_service.this will be updated in-place
~ resource "aws_ecs_service" "this" {
id = "arn:aws:ecs:ca-central-1:687401027353:service/Forms/forms-api"
name = "forms-api"
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
~ task_definition = "forms-api:43" -> "forms-api"
# (15 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# module.api_ecs.aws_iam_policy.this_task[0] will be updated in-place
~ resource "aws_iam_policy" "this_task" {
id = "arn:aws:iam::687401027353:policy/forms-api_ecs_task_policy"
name = "forms-api_ecs_task_policy"
~ policy = jsonencode(
~ {
~ Statement = [
# (3 unchanged elements hidden)
{
Action = "secretsmanager:GetSecretValue"
Effect = "Allow"
Resource = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
},
+ {
+ Action = [
+ "sqs:SendMessage",
+ "sqs:GetQueueUrl",
]
+ Effect = "Allow"
+ Resource = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
},
]
# (1 unchanged attribute hidden)
}
)
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (7 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
|
Staging: lambdas✅ Terraform Init: Plan: 2 to add, 2 to change, 1 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
Terraform will perform the following actions:
# aws_iam_policy.lambda_dynamodb will be updated in-place
~ resource "aws_iam_policy" "lambda_dynamodb" {
id = "arn:aws:iam::687401027353:policy/lambda_dynamobdb"
name = "lambda_dynamobdb"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
~ Resource = [
# (3 unchanged elements hidden)
"arn:aws:dynamodb:ca-central-1:687401027353:table/ReliabilityQueue",
- "arn:aws:dynamodb:ca-central-1:687401027353:table/AuditLogs/index/*",
- "arn:aws:dynamodb:ca-central-1:687401027353:table/AuditLogs",
+ "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs/index/*",
+ "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
+ "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs/index/*",
+ "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs",
]
- Sid = ""
# (2 unchanged attributes hidden)
},
]
# (1 unchanged attribute hidden)
}
)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_lambda_event_source_mapping.api_audit_logs will be created
+ resource "aws_lambda_event_source_mapping" "api_audit_logs" {
+ batch_size = 10
+ enabled = true
+ event_source_arn = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
+ function_arn = (known after apply)
+ function_name = "arn:aws:lambda:ca-central-1:687401027353:function:audit-logs"
+ function_response_types = [
+ "ReportBatchItemFailures",
]
+ id = (known after apply)
+ last_modified = (known after apply)
+ last_processing_result = (known after apply)
+ maximum_batching_window_in_seconds = 30
+ maximum_record_age_in_seconds = (known after apply)
+ maximum_retry_attempts = (known after apply)
+ parallelization_factor = (known after apply)
+ state = (known after apply)
+ state_transition_reason = (known after apply)
+ uuid = (known after apply)
+ amazon_managed_kafka_event_source_config (known after apply)
+ self_managed_kafka_event_source_config (known after apply)
}
# aws_lambda_event_source_mapping.app_audit_logs will be created
+ resource "aws_lambda_event_source_mapping" "app_audit_logs" {
+ batch_size = 10
+ enabled = true
+ event_source_arn = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
+ function_arn = (known after apply)
+ function_name = "arn:aws:lambda:ca-central-1:687401027353:function:audit-logs"
+ function_response_types = [
+ "ReportBatchItemFailures",
]
+ id = (known after apply)
+ last_modified = (known after apply)
+ last_processing_result = (known after apply)
+ maximum_batching_window_in_seconds = 30
+ maximum_record_age_in_seconds = (known after apply)
+ maximum_retry_attempts = (known after apply)
+ parallelization_factor = (known after apply)
+ state = (known after apply)
+ state_transition_reason = (known after apply)
+ uuid = (known after apply)
+ amazon_managed_kafka_event_source_config (known after apply)
+ self_managed_kafka_event_source_config (known after apply)
}
# aws_lambda_event_source_mapping.audit_logs will be destroyed
# (because aws_lambda_event_source_mapping.audit_logs is not in configuration)
- resource "aws_lambda_event_source_mapping" "audit_logs" {
- batch_size = 10 -> null
- bisect_batch_on_function_error = false -> null
- enabled = true -> null
- event_source_arn = "arn:aws:sqs:ca-central-1:687401027353:audit_log_queue" -> null
- function_arn = "arn:aws:lambda:ca-central-1:687401027353:function:audit-logs" -> null
- function_name = "arn:aws:lambda:ca-central-1:687401027353:function:audit-logs" -> null
- function_response_types = [
- "ReportBatchItemFailures",
] -> null
- id = "bc90f6e4-30dc-4493-a000-2635f5db0fe9" -> null
- last_modified = "2024-05-02T15:22:41Z" -> null
- maximum_batching_window_in_seconds = 30 -> null
- maximum_record_age_in_seconds = 0 -> null
- maximum_retry_attempts = 0 -> null
- parallelization_factor = 0 -> null
- queues = [] -> null
- state = "Enabled" -> null
- state_transition_reason = "USER_INITIATED" -> null
- topics = [] -> null
- tumbling_window_in_seconds = 0 -> null
- uuid = "bc90f6e4-30dc-4493-a000-2635f5db0fe9" -> null
# (3 unchanged attributes hidden)
}
# aws_lambda_function.audit_logs will be updated in-place
~ resource "aws_lambda_function" "audit_logs" {
id = "audit-logs"
tags = {}
# (28 unchanged attributes hidden)
~ environment {
~ variables = {
+ "API_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
+ "APP_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
# (2 unchanged elements hidden)
}
}
# (3 unchanged blocks hidden)
}
Plan: 2 to add, 2 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -... |
Staging: alarms✅ Terraform Init: Plan: 1 to add, 2 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn will be created
+ resource "aws_cloudwatch_metric_alarm" "api_audit_log_dead_letter_queue_warn" {
+ actions_enabled = true
+ alarm_actions = [
+ "arn:aws:sns:ca-central-1:687401027353:alert-warning",
]
+ alarm_description = "Detect when a message is sent to the API Audit Log Dead Letter Queue"
+ alarm_name = "ApiAuditLogDeadLetterQueueWarn"
+ arn = (known after apply)
+ comparison_operator = "GreaterThanThreshold"
+ evaluate_low_sample_count_percentiles = (known after apply)
+ evaluation_periods = 1
+ id = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ threshold = 0
+ treat_missing_data = "missing"
+ metric_query {
+ id = "m1"
+ return_data = false
# (3 unchanged attributes hidden)
+ metric {
+ dimensions = {
+ "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
}
+ metric_name = "ApproximateNumberOfMessagesVisible"
+ namespace = "AWS/SQS"
+ period = 60
+ stat = "Sum"
+ unit = "Count"
}
}
+ metric_query {
+ id = "m2"
+ return_data = false
# (3 unchanged attributes hidden)
+ metric {
+ dimensions = {
+ "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
}
+ metric_name = "ApproximateNumberOfMessagesNotVisible"
+ namespace = "AWS/SQS"
+ period = 60
+ stat = "Sum"
+ unit = "Count"
}
}
+ metric_query {
+ expression = "RATE(m2+m1)"
+ id = "e1"
+ label = "Error Rate"
+ return_data = true
# (1 unchanged attribute hidden)
}
}
# aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "audit_log_dead_letter_queue_warn" {
id = "AuditLogDeadLetterQueueWarn"
tags = {}
# (22 unchanged attributes hidden)
- metric_query {
- id = "m1" -> null
- period = 0 -> null
- return_data = false -> null
# (3 unchanged attributes hidden)
- metric {
- dimensions = {
- "QueueName" = "arn:aws:sqs:ca-central-1:687401027353:audit_log_deadletter_queue"
} -> null
- metric_name = "ApproximateNumberOfMessagesVisible" -> null
- namespace = "AWS/SQS" -> null
- period = 60 -> null
- stat = "Sum" -> null
- unit = "Count" -> null
}
}
- metric_query {
- id = "m2" -> null
- period = 0 -> null
- return_data = false -> null
# (3 unchanged attributes hidden)
- metric {
- dimensions = {
- "QueueName" = "arn:aws:sqs:ca-central-1:687401027353:audit_log_deadletter_queue"
} -> null
- metric_name = "ApproximateNumberOfMessagesNotVisible" -> null
- namespace = "AWS/SQS" -> null
- period = 60 -> null
- stat = "Sum" -> null
- unit = "Count" -> null
}
}
- metric_query {
- expression = "RATE(m2+m1)" -> null
- id = "e1" -> null
- label = "Error Rate" -> null
- period = 0 -> null
- return_data = true -> null
# (1 unchanged attribute hidden)
}
+ metric_query {
+ id = "m1"
+ return_data = false
# (3 unchanged attributes hidden)
+ metric {
+ dimensions = {
+ "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
}
+ metric_name = "ApproximateNumberOfMessagesVisible"
+ namespace = "AWS/SQS"
+ period = 60
+ stat = "Sum"
+ unit = "Count"
}
}
+ metric_query {
+ id = "m2"
+ return_data = false
# (3 unchanged attributes hidden)
+ metric {
+ dimensions = {
+ "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
}
+ metric_name = "ApproximateNumberOfMessagesNotVisible"
+ namespace = "AWS/SQS"
+ period = 60
+ stat = "Sum"
+ unit = "Count"
}
}
+ metric_query {
+ expression = "RATE(m2+m1)"
+ id = "e1"
+ label = "Error Rate"
+ return_data = true
}
}
# aws_iam_role_policy.athena_dynamodb_policy will be updated in-place
~ resource "aws_iam_role_policy" "athena_dynamodb_policy" {
id = "athena_dynamodb_role:athena_dynamodb_policy"
name = "athena_dynamodb_policy"
~ policy = jsonencode(
~ {
~ Statement = [
# (1 unchanged element hidden)
{
Action = [
"glue:GetTableVersions",
"glue:GetPartitions",
"glue:GetTables",
"glue:GetTableVersion",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetPartition",
"glue:GetDatabase",
"glue:ListSchemas",
"athena:GetQueryExecution",
"s3:ListAllMyBuckets",
]
Effect = "Allow"
Resource = "*"
},
~ {
~ Resource = [
~ "arn:aws:dynamodb:ca-central-1:687401027353:table/AuditLogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
~ "arn:aws:dynamodb:ca-central-1:687401027353:table/auditlogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/auditlogs",
]
# (2 unchanged attributes hidden)
},
{
Action = [
"dynamodb:ListTables",
]
Effect = "Allow"
Resource = "*"
},
# (2 unchanged elements hidden)
]
# (1 unchanged attribute hidden)
}
)
# (2 unchanged attributes hidden)
}
Plan: 1 to add, 2 to change, 0 to destroy.
Warning: Argument is deprecated
with module.athena_bucket.aws_s3_bucket.this,
on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
8: resource "aws_s3_bucket" "this" {
Use the aws_s3_bucket_server_side_encryption_configuration resource instead
(and 3 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.rds_data_catalog"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_healthy_hosts"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup1"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup2"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_healthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_response_time_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common... |
craigzour
approved these changes
Sep 16, 2024
craigzour
approved these changes
Sep 16, 2024
patheard
approved these changes
Sep 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary | Résumé
Enables API Audit Logging by:
Small Refactor:
Requires PR from forms-api to test properly: cds-snc/forms-api#54
closes cds-snc/platform-forms-client#4224
Test instructions | Instructions pour tester la modification
Locally run the App, API Server, and Localstack