Skip to content

[PRMP-620] bump up nodejs and packages version#98

Merged
chrisbloe-nhse merged 15 commits intomainfrom
PRMP-620
Aug 7, 2024
Merged

[PRMP-620] bump up nodejs and packages version#98
chrisbloe-nhse merged 15 commits intomainfrom
PRMP-620

Conversation

@joefong-nhs
Copy link
Copy Markdown
Contributor

@joefong-nhs joefong-nhs commented Jul 26, 2024

No description provided.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024

Report for environment: test

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 2 to change, 0 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "test-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "test-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "test-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "test-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "test-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 2 to change, 0 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024

Report for environment: pre-prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 3 to change, 1 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "pre-prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "pre-prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "pre-prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "pre-prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "pre-prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "pre-prod-ehr-repo-bucket" -> null
      - id                    = "pre-prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "pre-prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::108148468272:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::pre-prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 3 to change, 1 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024

Report for environment: prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖failure

Show Plan () 

data.aws_iam_policy_document.ehr-repo-s3: Reading...
aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.environment_public_zone_id: Reading...
data.aws_ssm_parameter.private_zone_id: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Read complete after 0s [id=1020153983]
data.aws_ssm_parameter.private_subnets: Reading...
data.aws_ssm_parameter.db-username: Reading...
data.aws_ssm_parameter.deductions_core_vpc_id: Reading...
data.aws_ssm_parameter.db-password: Reading...
aws_s3_bucket.ehr-repo-bucket: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.deductions_private_vpc_id: Reading...
data.aws_sns_topic.alarm_notifications: Reading...
data.aws_ssm_parameter.private_subnets: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-private-subnets]
data.aws_ssm_parameter.environment_public_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/environment-public-zone-id]
data.aws_ssm_parameter.deductions_private_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-vpc-id]
data.aws_ssm_parameter.vpn_sg_id: Reading...
aws_s3_bucket.ehr_repo_access_logs: Refreshing state... [id=prod-ehr-repo-access-logs]
data.aws_ssm_parameter.deductions_core_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-vpc-id]
data.aws_ssm_parameter.private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-root-zone-id]
data.aws_ssm_parameter.dynamodb_name: Reading...
data.aws_ssm_parameter.alb_access_logs_bucket: Reading...
data.aws_ssm_parameter.s3_prefix_list_id: Reading...
data.aws_sns_topic.alarm_notifications: Read complete after 0s [id=arn:aws:sns:eu-west-2:535760944720:prod-alarm-notifications-sns-topic]
data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.db-password: Read complete after 0s [id=/repo/prod/user-input/ehr-repo-db-password]
data.aws_ssm_parameter.repo_databases_parameter_group_name: Reading...
data.aws_ssm_parameter.db-username: Read complete after 0s [id=/repo/prod/user-input/ehr-repo-db-username]
data.aws_ssm_parameter.dynamodb_prefix_list_id: Reading...
data.aws_ssm_parameter.gocd_sg_id: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=535760944720]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Reading...
data.aws_iam_policy_document.ehr-repo-s3-bucket: Read complete after 0s [id=4137863563]
data.aws_iam_policy_document.ecs-assume-role-policy: Reading...
data.aws_iam_policy_document.ecs-assume-role-policy: Read complete after 0s [id=320642683]
data.aws_ssm_parameter.environment_private_zone_id: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/repo-databases-parameter-group-name-version-13]
data.aws_ssm_parameter.dynamodb_name: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/ehr-transfer-tracker-db-name]
data.aws_ssm_parameter.vpn_sg_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/vpn-sg-id]
data.aws_ssm_parameter.s3_prefix_list_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/deductions-core/s3-prefix-list-id]
data.aws_ssm_parameter.gocd_sg_id: Read complete after 1s [id=/repo/prod/user-input/external/gocd-agent-sg-id]
aws_ecs_cluster.ecs-cluster: Refreshing state... [id=arn:aws:ecs:eu-west-2:535760944720:cluster/prod-ehr-repo-ecs-cluster]
aws_iam_policy.ehr-repo-s3: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3]
data.aws_ssm_parameter.database_subnets: Reading...
data.aws_ssm_parameter.alb_access_logs_bucket: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/alb-access-logs-s3-bucket-id]
data.aws_vpc.mhs: Reading...
data.aws_route53_zone.environment_public_zone: Reading...
aws_kms_key.ehr-repo-key: Refreshing state... [id=a3c164bb-c5ac-4ef7-999e-0000475e0176]
data.aws_vpc.private_vpc: Reading...
data.aws_ssm_parameter.environment_private_zone_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/environment-private-zone-id]
aws_alb_target_group.internal-alb-tg: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-2:535760944720:targetgroup/prod-ehr-repo-int-tg/ee3bb55b5e3d566e]
aws_security_group.ehr_repo_alb: Refreshing state... [id=sg-07e5606b3bcd4649d]
data.aws_route53_zone.environment_public_zone: Read complete after 0s [id=Z03667822QZ8RSZRQVF9T]
data.aws_vpc.deductions_core_vpc: Reading...
data.aws_ssm_parameter.database_subnets: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-database-subnets]
aws_security_group.vpn_to_db_sg: Refreshing state... [id=sg-0202aa7080b14a4fe]
aws_security_group.service_to_ehr_repo: Refreshing state... [id=sg-0843b1d0b553c2023]
aws_cloudwatch_metric_alarm.error_log_alarm: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_iam_policy.ehr-repo-s3-bucket: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3-bucket]
aws_iam_role.ehr-repo: Refreshing state... [id=prod-ehr-repo-EcsTaskRole]
aws_security_group.gocd_to_db_sg: Refreshing state... [id=sg-04a1bdc4b2d04025f]
aws_security_group.gocd_to_ehr_repo: Refreshing state... [id=sg-03ac6aa886cc858a1]
aws_security_group.vpn_to_ehr_repo: Refreshing state... [id=sg-0b1fbb458ed13a742]
aws_acm_certificate.ehr-repo-cert: Refreshing state... [id=arn:aws:acm:eu-west-2:535760944720:certificate/3880818d-3f9e-4a1c-b002-678d4cead6ef]
aws_db_subnet_group.db-cluster-subnet-group: Refreshing state... [id=prod-ehr-db-subnet-group]
aws_ssm_parameter.deductions_core_ecs_cluster_id: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/deductions-core-ecs-cluster-id]
aws_security_group_rule.vpn_to_db_sg[0]: Refreshing state... [id=sgrule-2902444858]
data.aws_vpc.mhs: Read complete after 1s [id=vpc-0b9256aa629d17dc2]
aws_cloudwatch_log_group.log-group: Refreshing state... [id=/nhs/deductions/prod-535760944720/ehr-repo]
data.aws_vpc.private_vpc: Read complete after 1s
data.aws_iam_policy_document.ssm_policy_doc: Reading...
data.aws_iam_policy_document.ssm_policy_doc: Read complete after 0s [id=1951628828]
data.aws_iam_policy_document.ecr_policy_doc: Reading...
data.aws_iam_policy_document.ecr_policy_doc: Read complete after 0s [id=3935638853]
data.aws_iam_policy_document.logs_policy_doc: Reading...
data.aws_iam_policy_document.logs_policy_doc: Read complete after 0s [id=2047735215]
aws_ssm_parameter.service_to_ehr_repo: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/service-to-ehr-repo-sg-id]
aws_kms_alias.ehr_repo_encryption: Refreshing state... [id=alias/ehr-repo-encryption-kms-key]
data.aws_vpc.deductions_core_vpc: Read complete after 1s
aws_iam_role_policy_attachment.ehr-repo-s3-bucket-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932284900000005]
aws_iam_role_policy_attachment.ehr-repo-s3-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932264800000003]
aws_iam_policy.ssm_policy: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ssm]
aws_iam_policy.ehr-ecr: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ecr]
aws_iam_policy.ehr-logs: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-logs]
aws_iam_role_policy_attachment.ssm_policy_attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932263800000002]
aws_route53_record.ehr-repo-cert-validation-record["ehr-repo.prod.patient-deductions.nhs.uk"]: Refreshing state... [id=Z03667822QZ8RSZRQVF9T__f4650d75793e219d9df2da1ec8a65eab.ehr-repo.prod.patient-deductions.nhs.uk._CNAME]
aws_iam_role_policy_attachment.ehr-logs: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932275100000004]
aws_iam_role_policy_attachment.ehr-ecr-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932249100000001]
aws_acm_certificate_validation.ehr-repo-cert-validation: Refreshing state... [id=2023-09-06 00:40:21.735 +0000 UTC]
aws_cloudwatch_log_metric_filter.log_metric_filter: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_s3_bucket_versioning.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_policy.ehr-repo-bucket_policy: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_public_access_block.ehr_repo_access_block: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_public_access_block.ehr_repo_access_logs_access_block: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_versioning.ehr_repo_access_logs[0]: Refreshing state... [id=prod-ehr-repo-access-logs]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "prod-ehr-repo-bucket" -> null
      - id                    = "prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_developer_to_see_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "s3:Get*",
                            "s3:ListBucket",
                        ]
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::535760944720:role/RepoDeveloper"
                        }
                        Resource  = [
                            "arn:aws:s3:::prod-ehr-repo-access-logs",
                            "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::535760944720:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_security_group.ehr_repo_alb will be updated in-place
  ~ resource "aws_security_group" "ehr_repo_alb" {
        id                     = "sg-07e5606b3bcd4649d"
        name                   = "prod-alb-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-ehr-repo"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "gocd_to_db_sg" {
        id                     = "sg-04a1bdc4b2d04025f"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo-db-sg"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "gocd_to_ehr_repo" {
        id                     = "sg-03ac6aa886cc858a1"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.service_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "service_to_ehr_repo" {
        id                     = "sg-0843b1d0b553c2023"
        name                   = "prod-service-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-service-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "vpn_to_db_sg" {
        id                     = "sg-0202aa7080b14a4fe"
        name                   = "prod-vpn-to-ehr-repo-db-sg"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "vpn_to_ehr_repo" {
        id                     = "sg-0b1fbb458ed13a742"
        name                   = "prod-vpn-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 5 to add, 10 to change, 1 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024

Report for environment: dev

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 2 to change, 0 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "dev-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "dev-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "dev-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "dev-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "dev-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "dev-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "dev-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "dev-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "dev-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 2 to change, 0 to destroy.

chrisbloe-nhse
chrisbloe-nhse approved these changes Aug 7, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@chrisbloe-nhse chrisbloe-nhse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, these changes look like the others - merging to roll out to dev :)

@chrisbloe-nhse chrisbloe-nhse merged commit eb8d689 into main Aug 7, 2024
@chrisbloe-nhse chrisbloe-nhse deleted the PRMP-620 branch August 7, 2024 14:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chrisbloe-nhse chrisbloe-nhse chrisbloe-nhse approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joefong-nhs @chrisbloe-nhse @chrisbloe