
chore: GCForms release v3.23.0 #829

Merged (1 commit), Sep 17, 2024

Conversation

sre-read-write[bot] (Contributor) commented Sep 16, 2024

🤖 I have created a release beep boop

3.23.0 (2024-09-16)

Features

Miscellaneous Chores

  • deps: update all non-major github action dependencies (#828) (a3988e8)

This PR was generated with Release Please. See documentation.

sre-read-write[bot] changed the title chore: GCForms release v3.22.1 → chore: GCForms release v3.23.0, Sep 16, 2024
sre-read-write[bot] force-pushed the release-please--branches--develop branch from c8552ea to d651aec, September 16, 2024 14:33
sre-read-write[bot] force-pushed the release-please--branches--develop branch from d651aec to cf73a33, September 16, 2024 19:41

Production: oidc_roles

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 3 to add, 1 to change, 0 to destroy
Show summary
CHANGE  NAME
add     aws_iam_policy.forms_api_release[0]
add     aws_iam_role_policy_attachment.forms_api_release[0]
add     module.github_workflow_roles.aws_iam_role.this["forms-api-release"]
update  aws_iam_policy.platform_forms_client_release[0]
Show plan
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_policy.forms_api_release[0] will be created
  + resource "aws_iam_policy" "forms_api_release" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "forms-api-release"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ecr:UploadLayerPart",
                          + "ecr:SetRepositoryPolicy",
                          + "ecr:PutImage",
                          + "ecr:ListImages",
                          + "ecr:InitiateLayerUpload",
                          + "ecr:GetRepositoryPolicy",
                          + "ecr:GetDownloadUrlForLayer",
                          + "ecr:DescribeRepositories",
                          + "ecr:DescribeImages",
                          + "ecr:CompleteLayerUpload",
                          + "ecr:BatchGetImage",
                          + "ecr:BatchDeleteImage",
                          + "ecr:BatchCheckLayerAvailability",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/forms/api",
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production",
                        ]
                    },
                  + {
                      + Action   = "ecr:GetAuthorizationToken"
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags_all         = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
    }

  # aws_iam_policy.platform_forms_client_release[0] will be updated in-place
  ~ resource "aws_iam_policy" "platform_forms_client_release" {
        id               = "arn:aws:iam::957818836222:policy/platform-forms-client-release"
        name             = "platform-forms-client-release"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production" -> [
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/forms/api",
                          + "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = "ecr:GetAuthorizationToken"
                        Effect   = "Allow"
                        Resource = "*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_role_policy_attachment.forms_api_release[0] will be created
  + resource "aws_iam_role_policy_attachment" "forms_api_release" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "forms-api-release"
    }

  # module.github_workflow_roles.aws_iam_role.this["forms-api-release"] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRoleWithWebIdentity"
                      + Condition = {
                          + StringLike = {
                              + "token.actions.githubusercontent.com:sub" = "repo:cds-snc/forms-api:ref:refs/tags/v*"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::957818836222:oidc-provider/token.actions.githubusercontent.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "forms-api-release"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

Plan: 3 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_api_release[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.platform_forms_client_release[0]"]

21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions

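The oidc_roles plan above creates a role that GitHub Actions assumes through `sts:AssumeRoleWithWebIdentity`, trusted on a `StringLike` match of the token's `sub` claim only, and attaches an ECR policy that includes `ecr:SetRepositoryPolicy` and `ecr:BatchDeleteImage`. The checks a reviewer would run over those two documents are shown below as an added example; this is not code from cds-snc/forms-terraform. The two policies are transcribed from the plan output, the allowlist of ECR actions a push job needs is this example's own assumption, and the `missing-aud` finding is a defence-in-depth point (the OIDC provider's registered audience list still gates the token) that both AWS and GitHub nonetheless recommend closing by pinning `aud` to `sts.amazonaws.com` in the trust policy.

```python
"""Review checks for the GitHub Actions OIDC release role in the oidc_roles plan.

Added example for this page, not code from cds-snc/forms-terraform. The two
policies below are transcribed from the plan output; the allowlist of ECR
actions a push job needs is this example's own assumption.
"""
import copy

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Transcribed from the plan: trust policy of aws_iam_role.this["forms-api-release"].
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::957818836222:oidc-provider/{GITHUB_OIDC}"},
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:cds-snc/forms-api:ref:refs/tags/v*"}},
    }],
}

# Transcribed from the plan: aws_iam_policy.forms_api_release.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecr:UploadLayerPart", "ecr:SetRepositoryPolicy", "ecr:PutImage", "ecr:ListImages",
                    "ecr:InitiateLayerUpload", "ecr:GetRepositoryPolicy", "ecr:GetDownloadUrlForLayer",
                    "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr:CompleteLayerUpload",
                    "ecr:BatchGetImage", "ecr:BatchDeleteImage", "ecr:BatchCheckLayerAvailability"],
         "Resource": ["arn:aws:ecr:ca-central-1:957818836222:repository/forms/api",
                      "arn:aws:ecr:ca-central-1:957818836222:repository/form_viewer_production"]},
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}

# Assumption: what a "build, push and tag an image" job needs: the push actions
# plus read-only ones. Deleting images or rewriting the repository policy is not
# a release workflow's job, so anything outside this set is reported.
RELEASE_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
    "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:DescribeImages",
    "ecr:DescribeRepositories", "ecr:ListImages", "ecr:GetRepositoryPolicy",
}
# GetAuthorizationToken is the one ECR action that genuinely needs Resource "*".
RESOURCE_STAR_OK = {"ecr:GetAuthorizationToken"}
# sub scopes that match every branch, tag and pull request of the repository.
ANY_REF_SCOPES = {"*", "ref:*", "ref:refs/*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_repo):
    """Return finding codes for a GitHub OIDC trust policy; [] means it passes."""
    findings = []
    prefix = f"repo:{expected_repo}:"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        # Flatten {operator: {key: values}} into key -> values, whatever the operator.
        conditions = {key: _as_list(vals)
                      for operator in stmt.get("Condition", {}).values()
                      for key, vals in operator.items()}
        aud = conditions.get(f"{GITHUB_OIDC}:aud")
        if aud is None:
            findings.append("missing-aud")        # token audience not pinned in the trust policy
        elif aud != ["sts.amazonaws.com"]:
            findings.append("unexpected-aud")
        sub = conditions.get(f"{GITHUB_OIDC}:sub")
        if sub is None:
            findings.append("missing-sub")        # any repository on github.com could assume the role
        for pattern in sub or []:
            if not pattern.startswith(prefix):
                findings.append("sub-wrong-repo")  # another repo, or a whole org via "repo:org/*"
            elif pattern[len(prefix):] in ANY_REF_SCOPES:
                findings.append("sub-any-ref")     # not pinned to release tags like refs/tags/v*
    return findings


def check_permissions_policy(policy, allowed=RELEASE_ACTIONS):
    """Return (actions beyond the allowlist, actions granted on Resource "*" that should be scoped)."""
    excess, unscoped = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        excess |= actions - allowed
        if "*" in _as_list(stmt.get("Resource", [])):
            unscoped |= actions - RESOURCE_STAR_OK
    return sorted(excess), sorted(unscoped)


def hardened_trust_policy(policy):
    """Copy of the trust policy with the audience pinned to STS, the fix for 'missing-aud'."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        cond[f"{GITHUB_OIDC}:aud"] = "sts.amazonaws.com"
    return fixed


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY, "cds-snc/forms-api"))
    print("hardened:", check_trust_policy(hardened_trust_policy(TRUST_POLICY), "cds-snc/forms-api"))
    print("permissions (excess, unscoped):", check_permissions_policy(PERMISSIONS_POLICY))
```

Against the plan's own documents this reports `missing-aud` for the trust policy, nothing for the hardened copy, and `ecr:BatchDeleteImage` and `ecr:SetRepositoryPolicy` as actions a tag-triggered release does not need; the `sub` pattern pinned to `refs/tags/v*` passes, which is the right shape for a release role.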

Production: sqs

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 2 to add, 0 to change, 0 to destroy
Show summary
CHANGE  NAME
add     aws_sqs_queue.api_audit_log_deadletter_queue
add     aws_sqs_queue.api_audit_log_queue
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_sqs_queue.api_audit_log_deadletter_queue will be created
  + resource "aws_sqs_queue" "api_audit_log_deadletter_queue" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 60
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = 300
      + kms_master_key_id                 = "alias/aws/sqs"
      + max_message_size                  = 262144
      + message_retention_seconds         = 1209600
      + name                              = "api_audit_log_deadletter_queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 5
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags_all                          = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

  # aws_sqs_queue.api_audit_log_queue will be created
  + resource "aws_sqs_queue" "api_audit_log_queue" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = 300
      + kms_master_key_id                 = "alias/aws/sqs"
      + max_message_size                  = 262144
      + message_retention_seconds         = 172800
      + name                              = "api_audit_log_queue"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags_all                          = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 1960
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + sqs_api_audit_log_deadletter_queue_arn = (known after apply)
  + sqs_api_audit_log_queue_arn            = (known after apply)
  + sqs_api_audit_log_queue_id             = (known after apply)
  + sqs_app_audit_log_deadletter_queue_arn = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
  + sqs_app_audit_log_queue_arn            = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue"
  + sqs_app_audit_log_queue_id             = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue"
  - sqs_audit_log_deadletter_queue_arn     = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue" -> null
  - sqs_audit_log_queue_arn                = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> null
  - sqs_audit_log_queue_id                 = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue" -> null

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.api_audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.audit_log_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_deadletter_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_sqs_queue.reprocess_submission_queue"]

26 tests, 19 passed, 7 warnings, 0 failures, 0 exceptions


Production: dynamodb

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add aws_dynamodb_table.api_audit_logs
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_dynamodb_table.api_audit_logs will be created
  + resource "aws_dynamodb_table" "api_audit_logs" {
      + arn                         = (known after apply)
      + billing_mode                = "PAY_PER_REQUEST"
      + deletion_protection_enabled = true
      + hash_key                    = "UserID"
      + id                          = (known after apply)
      + name                        = "ApiAuditLogs"
      + range_key                   = "Event#SubjectID#TimeStamp"
      + read_capacity               = (known after apply)
      + stream_arn                  = (known after apply)
      + stream_enabled              = false
      + stream_label                = (known after apply)
      + stream_view_type            = (known after apply)
      + tags_all                    = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + write_capacity              = (known after apply)

      + attribute {
          + name = "Event#SubjectID#TimeStamp"
          + type = "S"
        }
      + attribute {
          + name = "Status"
          + type = "S"
        }
      + attribute {
          + name = "TimeStamp"
          + type = "N"
        }
      + attribute {
          + name = "UserID"
          + type = "S"
        }

      + global_secondary_index {
          + hash_key           = "Status"
          + name               = "StatusByTimestamp"
          + non_key_attributes = []
          + projection_type    = "ALL"
          + range_key          = "TimeStamp"
        }
      + global_secondary_index {
          + hash_key           = "UserID"
          + name               = "UserByTime"
          + non_key_attributes = []
          + projection_type    = "KEYS_ONLY"
          + range_key          = "TimeStamp"
        }

      + point_in_time_recovery {
          + enabled = true
        }

      + server_side_encryption {
          + enabled     = true
          + kms_key_arn = "arn:aws:kms:ca-central-1:957818836222:key/afbaea67-8277-4a4c-853e-7697dd2dade5"
        }

      + ttl (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + dynamodb_api_audit_logs_arn        = (known after apply)
  + dynamodb_api_audit_logs_table_name = "ApiAuditLogs"
  + dynamodb_app_audit_logs_arn        = "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs"
  + dynamodb_app_audit_logs_table_name = "AuditLogs"
  - dynamodb_audit_logs_arn            = "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs" -> null
  - dynamodb_audit_logs_table_name     = "AuditLogs" -> null

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.api_audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.reliability_queue"]
WARN - plan.json - main - Missing Common Tags: ["aws_dynamodb_table.vault"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions


Production: idp

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary
CHANGE NAME
update module.idp_ecs.aws_ecs_service.this
Show plan
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.idp_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id                                 = "arn:aws:ecs:ca-central-1:957818836222:service/idp/zitadel"
        name                               = "zitadel"
        tags                               = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
      ~ task_definition                    = "zitadel:3" -> "zitadel"
        # (15 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener_rule.idp_protocol_version"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.idp"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions


Production: app

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 1 to add, 1 to change, 1 to destroy
Show summary
CHANGE NAME
update aws_iam_policy.forms_sqs
recreate aws_ecs_task_definition.form_viewer
Show plan
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_ecs_task_definition.form_viewer must be replaced
-/+ resource "aws_ecs_task_definition" "form_viewer" {
      ~ arn                      = "arn:aws:ecs:ca-central-1:957818836222:task-definition/form-viewer:91" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:ca-central-1:957818836222:task-definition/form-viewer" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  ~ Environment            = [
                      ~ {
                          ~ Value = "https://sqs.ca-central-1.amazonaws.com/957818836222/audit_log_queue" -> "http://sqs.ca-central-1.localhost.localstack.cloud:4566/000000000000/audit_log_queue"
                            # (1 unchanged attribute hidden)
                        },
                        {
                            Name  = "COGNITO_CLIENT_ID"
                            Value = "5rkjd3us3ocssieiitdbtjitiv"
                        },
                        # (15 unchanged elements hidden)
                    ]
                    # (39 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ id                       = "form-viewer" -> (known after apply)
      ~ revision                 = 91 -> (known after apply)
      - tags                     = {} -> null
        # (12 unchanged attributes hidden)
    }

  # aws_iam_policy.forms_sqs will be updated in-place
  ~ resource "aws_iam_policy" "forms_sqs" {
        id               = "arn:aws:iam::957818836222:policy/forms_sqs"
        name             = "forms_sqs"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            "arn:aws:sqs:ca-central-1:957818836222:reprocess_submission_queue.fifo",
                          ~ "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue",
                        ]
                      - Sid      = ""
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]

34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions


Production: api

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary
CHANGE  NAME
update  module.api_ecs.aws_ecs_service.this
update  module.api_ecs.aws_iam_policy.this_task[0]
Show plan
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.api_ecs.aws_ecs_service.this will be updated in-place
  ~ resource "aws_ecs_service" "this" {
        id                                 = "arn:aws:ecs:ca-central-1:957818836222:service/Forms/forms-api"
        name                               = "forms-api"
        tags                               = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
      ~ task_definition                    = "forms-api:1" -> "forms-api"
        # (15 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.api_ecs.aws_iam_policy.this_task[0] will be updated in-place
  ~ resource "aws_iam_policy" "this_task" {
        id               = "arn:aws:iam::957818836222:policy/forms-api_ecs_task_policy"
        name             = "forms-api_ecs_task_policy"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                    # (3 unchanged elements hidden)
                    {
                        Action   = "secretsmanager:GetSecretValue"
                        Effect   = "Allow"
                        Resource = "arn:aws:secretsmanager:ca-central-1:957818836222:secret:server-database-url-jVtWGE"
                    },
                  + {
                      + Action   = [
                          + "sqs:SendMessage",
                          + "sqs:GetQueueUrl",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {
            "CostCentre" = "forms-platform-production"
            "Terraform"  = "true"
        }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions


Production: lambdas

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 2 to add, 2 to change, 1 to destroy
Show summary
CHANGE  NAME
delete  aws_lambda_event_source_mapping.audit_logs
update  aws_iam_policy.lambda_dynamodb
update  aws_lambda_function.audit_logs
add     aws_lambda_event_source_mapping.api_audit_logs
add     aws_lambda_event_source_mapping.app_audit_logs
Show plan
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_iam_policy.lambda_dynamodb will be updated in-place
  ~ resource "aws_iam_policy" "lambda_dynamodb" {
        id               = "arn:aws:iam::957818836222:policy/lambda_dynamobdb"
        name             = "lambda_dynamobdb"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            # (3 unchanged elements hidden)
                            "arn:aws:dynamodb:ca-central-1:957818836222:table/ReliabilityQueue",
                          - "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs/index/*",
                          - "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs/index/*",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs/index/*",
                          + "arn:aws:dynamodb:ca-central-1:123456789012:table/ApiAuditLogs",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_lambda_event_source_mapping.api_audit_logs will be created
  + resource "aws_lambda_event_source_mapping" "api_audit_logs" {
      + batch_size                         = 10
      + enabled                            = true
      + event_source_arn                   = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
      + function_arn                       = (known after apply)
      + function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs"
      + function_response_types            = [
          + "ReportBatchItemFailures",
        ]
      + id                                 = (known after apply)
      + last_modified                      = (known after apply)
      + last_processing_result             = (known after apply)
      + maximum_batching_window_in_seconds = 30
      + maximum_record_age_in_seconds      = (known after apply)
      + maximum_retry_attempts             = (known after apply)
      + parallelization_factor             = (known after apply)
      + state                              = (known after apply)
      + state_transition_reason            = (known after apply)
      + uuid                               = (known after apply)

      + amazon_managed_kafka_event_source_config (known after apply)

      + self_managed_kafka_event_source_config (known after apply)
    }

  # aws_lambda_event_source_mapping.app_audit_logs will be created
  + resource "aws_lambda_event_source_mapping" "app_audit_logs" {
      + batch_size                         = 10
      + enabled                            = true
      + event_source_arn                   = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
      + function_arn                       = (known after apply)
      + function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs"
      + function_response_types            = [
          + "ReportBatchItemFailures",
        ]
      + id                                 = (known after apply)
      + last_modified                      = (known after apply)
      + last_processing_result             = (known after apply)
      + maximum_batching_window_in_seconds = 30
      + maximum_record_age_in_seconds      = (known after apply)
      + maximum_retry_attempts             = (known after apply)
      + parallelization_factor             = (known after apply)
      + state                              = (known after apply)
      + state_transition_reason            = (known after apply)
      + uuid                               = (known after apply)

      + amazon_managed_kafka_event_source_config (known after apply)

      + self_managed_kafka_event_source_config (known after apply)
    }

  # aws_lambda_event_source_mapping.audit_logs will be destroyed
  # (because aws_lambda_event_source_mapping.audit_logs is not in configuration)
  - resource "aws_lambda_event_source_mapping" "audit_logs" {
      - batch_size                         = 10 -> null
      - bisect_batch_on_function_error     = false -> null
      - enabled                            = true -> null
      - event_source_arn                   = "arn:aws:sqs:ca-central-1:957818836222:audit_log_queue" -> null
      - function_arn                       = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs" -> null
      - function_name                      = "arn:aws:lambda:ca-central-1:957818836222:function:audit-logs" -> null
      - function_response_types            = [
          - "ReportBatchItemFailures",
        ] -> null
      - id                                 = "46934244-6fab-43a6-9280-8c8309c0d6b8" -> null
      - last_modified                      = "2024-05-30T12:32:02Z" -> null
      - maximum_batching_window_in_seconds = 30 -> null
      - maximum_record_age_in_seconds      = 0 -> null
      - maximum_retry_attempts             = 0 -> null
      - parallelization_factor             = 0 -> null
      - queues                             = [] -> null
      - state                              = "Enabled" -> null
      - state_transition_reason            = "USER_INITIATED" -> null
      - topics                             = [] -> null
      - tumbling_window_in_seconds         = 0 -> null
      - uuid                               = "46934244-6fab-43a6-9280-8c8309c0d6b8" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_lambda_function.audit_logs will be updated in-place
  ~ resource "aws_lambda_function" "audit_logs" {
        id                             = "audit-logs"
        tags                           = {}
        # (28 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              + "API_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_queue"
              + "APP_AUDIT_LOGS_SQS_ARN" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_queue"
                # (2 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

Plan: 2 to add, 2 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -...

Production: alarms

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 2 to change, 0 to destroy
Show summary
CHANGE  NAME
update  aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn
update  aws_iam_role_policy.athena_dynamodb_policy
add     aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn
Show plan
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn will be created
  + resource "aws_cloudwatch_metric_alarm" "api_audit_log_dead_letter_queue_warn" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:957818836222:alert-warning",
        ]
      + alarm_description                     = "Detect when a message is sent to the API Audit Log Dead Letter Queue"
      + alarm_name                            = "ApiAuditLogDeadLetterQueueWarn"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + tags_all                              = {
          + "CostCentre" = "forms-platform-production"
          + "Terraform"  = "true"
        }
      + threshold                             = 0
      + treat_missing_data                    = "missing"

      + metric_query {
          + id          = "m1"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + id          = "m2"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:api_audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesNotVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + expression  = "RATE(m2+m1)"
          + id          = "e1"
          + label       = "Error Rate"
          + return_data = true
            # (1 unchanged attribute hidden)
        }
    }

  # aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn will be updated in-place
  ~ resource "aws_cloudwatch_metric_alarm" "audit_log_dead_letter_queue_warn" {
        id                                    = "AuditLogDeadLetterQueueWarn"
        tags                                  = {}
        # (22 unchanged attributes hidden)

      - metric_query {
          - id          = "m1" -> null
          - period      = 0 -> null
          - return_data = false -> null
            # (3 unchanged attributes hidden)

          - metric {
              - dimensions  = {
                  - "QueueName" = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
                } -> null
              - metric_name = "ApproximateNumberOfMessagesVisible" -> null
              - namespace   = "AWS/SQS" -> null
              - period      = 60 -> null
              - stat        = "Sum" -> null
              - unit        = "Count" -> null
            }
        }
      - metric_query {
          - id          = "m2" -> null
          - period      = 0 -> null
          - return_data = false -> null
            # (3 unchanged attributes hidden)

          - metric {
              - dimensions  = {
                  - "QueueName" = "arn:aws:sqs:ca-central-1:957818836222:audit_log_deadletter_queue"
                } -> null
              - metric_name = "ApproximateNumberOfMessagesNotVisible" -> null
              - namespace   = "AWS/SQS" -> null
              - period      = 60 -> null
              - stat        = "Sum" -> null
              - unit        = "Count" -> null
            }
        }
      - metric_query {
          - expression  = "RATE(m2+m1)" -> null
          - id          = "e1" -> null
          - label       = "Error Rate" -> null
          - period      = 0 -> null
          - return_data = true -> null
            # (1 unchanged attribute hidden)
        }
      + metric_query {
          + id          = "m1"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + id          = "m2"
          + return_data = false
            # (3 unchanged attributes hidden)

          + metric {
              + dimensions  = {
                  + "QueueName" = "arn:aws:sqs:ca-central-1:000000000000:audit_log_deadletter_queue"
                }
              + metric_name = "ApproximateNumberOfMessagesNotVisible"
              + namespace   = "AWS/SQS"
              + period      = 60
              + stat        = "Sum"
              + unit        = "Count"
            }
        }
      + metric_query {
          + expression  = "RATE(m2+m1)"
          + id          = "e1"
          + label       = "Error Rate"
          + return_data = true
        }
    }

  # aws_iam_role_policy.athena_dynamodb_policy will be updated in-place
  ~ resource "aws_iam_role_policy" "athena_dynamodb_policy" {
        id          = "athena_dynamodb_role:athena_dynamodb_policy"
        name        = "athena_dynamodb_policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action   = [
                            "glue:GetTableVersions",
                            "glue:GetPartitions",
                            "glue:GetTables",
                            "glue:GetTableVersion",
                            "glue:GetDatabases",
                            "glue:GetTable",
                            "glue:GetPartition",
                            "glue:GetDatabase",
                            "glue:ListSchemas",
                            "athena:GetQueryExecution",
                            "s3:ListAllMyBuckets",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  ~ {
                      ~ Resource = [
                          ~ "arn:aws:dynamodb:ca-central-1:957818836222:table/AuditLogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/AuditLogs",
                          ~ "arn:aws:dynamodb:ca-central-1:957818836222:table/auditlogs" -> "arn:aws:dynamodb:ca-central-1:123456789012:table/auditlogs",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "dynamodb:ListTables",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                    # (2 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 2 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.athena_bucket.aws_s3_bucket.this,
  on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
   8: resource "aws_s3_bucket" "this" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 3 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.rds_data_catalog"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_healthy_hosts"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup1"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.UnHealthyHostCount-TargetGroup2"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_healthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_response_time_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_login_outside_canada_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common...

@patheard patheard merged commit dd024f5 into develop Sep 17, 2024
32 checks passed
@patheard patheard deleted the release-please--branches--develop branch September 17, 2024 13:47
@sre-read-write
Contributor Author

🤖 Created releases:
