Skip to content

Print specific message if CORE row isn't found#99

Merged
AndyFlintNHS merged 6 commits intomainfrom
PRMP-723
Aug 13, 2024
Merged

Print specific message if CORE row isn't found#99
AndyFlintNHS merged 6 commits intomainfrom
PRMP-723

Conversation

@chrisbloe
Copy link
Copy Markdown
Contributor

@chrisbloe chrisbloe commented Aug 9, 2024

No description provided.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 13, 2024

Report for environment: prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖failure

Show Plan () 

aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.db-username: Reading...
data.aws_ssm_parameter.private_subnets: Reading...
data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.gocd_sg_id: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Reading...
aws_ecs_cluster.ecs-cluster: Refreshing state... [id=arn:aws:ecs:eu-west-2:535760944720:cluster/prod-ehr-repo-ecs-cluster]
data.aws_iam_policy_document.ecs-assume-role-policy: Reading...
data.aws_ssm_parameter.db-password: Reading...
data.aws_iam_policy_document.ecs-assume-role-policy: Read complete after 0s [id=320642683]
aws_s3_bucket.ehr_repo_access_logs: Refreshing state... [id=prod-ehr-repo-access-logs]
data.aws_sns_topic.alarm_notifications: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=535760944720]
aws_kms_key.ehr-repo-key: Refreshing state... [id=a3c164bb-c5ac-4ef7-999e-0000475e0176]
data.aws_sns_topic.alarm_notifications: Read complete after 1s [id=arn:aws:sns:eu-west-2:535760944720:prod-alarm-notifications-sns-topic]
data.aws_ssm_parameter.vpn_sg_id: Reading...
data.aws_ssm_parameter.private_zone_id: Reading...
data.aws_ssm_parameter.gocd_sg_id: Read complete after 1s [id=/repo/prod/user-input/external/gocd-agent-sg-id]
data.aws_ssm_parameter.private_subnets: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/deductions-core-private-subnets]
data.aws_ssm_parameter.database_subnets: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/repo-databases-parameter-group-name-version-13]
aws_s3_bucket.ehr-repo-bucket: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.environment_private_zone_id: Reading...
data.aws_ssm_parameter.db-username: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-username]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Reading...
data.aws_ssm_parameter.db-password: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-password]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Read complete after 0s [id=4137863563]
data.aws_ssm_parameter.alb_access_logs_bucket: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Read complete after 0s [id=1020153983]
data.aws_ssm_parameter.deductions_private_vpc_id: Reading...
data.aws_ssm_parameter.dynamodb_name: Reading...
data.aws_ssm_parameter.vpn_sg_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/vpn-sg-id]
data.aws_ssm_parameter.deductions_core_vpc_id: Reading...
data.aws_ssm_parameter.database_subnets: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-database-subnets]
data.aws_ssm_parameter.s3_prefix_list_id: Reading...
data.aws_ssm_parameter.environment_private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/environment-private-zone-id]
data.aws_ssm_parameter.private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-root-zone-id]
data.aws_vpc.mhs: Reading...
data.aws_ssm_parameter.dynamodb_prefix_list_id: Reading...
data.aws_ssm_parameter.deductions_private_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-vpc-id]
data.aws_ssm_parameter.alb_access_logs_bucket: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/alb-access-logs-s3-bucket-id]
data.aws_ssm_parameter.environment_public_zone_id: Reading...
aws_iam_role.ehr-repo: Refreshing state... [id=prod-ehr-repo-EcsTaskRole]
data.aws_ssm_parameter.dynamodb_name: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/ehr-transfer-tracker-db-name]
aws_cloudwatch_metric_alarm.error_log_alarm: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_iam_policy.ehr-repo-s3-bucket: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3-bucket]
data.aws_ssm_parameter.deductions_core_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-vpc-id]
aws_iam_policy.ehr-repo-s3: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3]
data.aws_ssm_parameter.s3_prefix_list_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core/s3-prefix-list-id]
aws_ssm_parameter.deductions_core_ecs_cluster_id: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/deductions-core-ecs-cluster-id]
aws_db_subnet_group.db-cluster-subnet-group: Refreshing state... [id=prod-ehr-db-subnet-group]
data.aws_ssm_parameter.environment_public_zone_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/environment-public-zone-id]
data.aws_vpc.private_vpc: Reading...
aws_cloudwatch_log_group.log-group: Refreshing state... [id=/nhs/deductions/prod-535760944720/ehr-repo]
data.aws_iam_policy_document.ssm_policy_doc: Reading...
data.aws_iam_policy_document.ssm_policy_doc: Read complete after 0s [id=1951628828]
data.aws_iam_policy_document.ecr_policy_doc: Reading...
data.aws_iam_policy_document.ecr_policy_doc: Read complete after 0s [id=3935638853]
data.aws_iam_policy_document.logs_policy_doc: Reading...
data.aws_iam_policy_document.logs_policy_doc: Read complete after 0s [id=2047735215]
aws_kms_alias.ehr_repo_encryption: Refreshing state... [id=alias/ehr-repo-encryption-kms-key]
aws_security_group.service_to_ehr_repo: Refreshing state... [id=sg-0843b1d0b553c2023]
aws_security_group.vpn_to_db_sg: Refreshing state... [id=sg-0202aa7080b14a4fe]
aws_security_group.gocd_to_db_sg: Refreshing state... [id=sg-04a1bdc4b2d04025f]
aws_security_group.gocd_to_ehr_repo: Refreshing state... [id=sg-03ac6aa886cc858a1]
data.aws_vpc.deductions_core_vpc: Reading...
aws_alb_target_group.internal-alb-tg: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-2:535760944720:targetgroup/prod-ehr-repo-int-tg/ee3bb55b5e3d566e]
aws_security_group.ehr_repo_alb: Refreshing state... [id=sg-07e5606b3bcd4649d]
aws_security_group.vpn_to_ehr_repo: Refreshing state... [id=sg-0b1fbb458ed13a742]
data.aws_route53_zone.environment_public_zone: Reading...
aws_iam_policy.ssm_policy: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ssm]
data.aws_vpc.mhs: Read complete after 2s [id=vpc-0b9256aa629d17dc2]
aws_iam_policy.ehr-ecr: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ecr]
aws_iam_policy.ehr-logs: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-logs]
aws_iam_role_policy_attachment.ehr-repo-s3-bucket-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932284900000005]
data.aws_route53_zone.environment_public_zone: Read complete after 0s [id=Z03667822QZ8RSZRQVF9T]
aws_iam_role_policy_attachment.ehr-repo-s3-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932264800000003]
aws_ssm_parameter.service_to_ehr_repo: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/service-to-ehr-repo-sg-id]
aws_cloudwatch_log_metric_filter.log_metric_filter: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_security_group_rule.vpn_to_db_sg[0]: Refreshing state... [id=sgrule-2902444858]
aws_iam_role_policy_attachment.ssm_policy_attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932263800000002]
aws_acm_certificate.ehr-repo-cert: Refreshing state... [id=arn:aws:acm:eu-west-2:535760944720:certificate/3880818d-3f9e-4a1c-b002-678d4cead6ef]
aws_iam_role_policy_attachment.ehr-ecr-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932249100000001]
aws_iam_role_policy_attachment.ehr-logs: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932275100000004]
data.aws_vpc.private_vpc: Read complete after 1s
aws_route53_record.ehr-repo-cert-validation-record["ehr-repo.prod.patient-deductions.nhs.uk"]: Refreshing state... [id=Z03667822QZ8RSZRQVF9T__f4650d75793e219d9df2da1ec8a65eab.ehr-repo.prod.patient-deductions.nhs.uk._CNAME]
aws_acm_certificate_validation.ehr-repo-cert-validation: Refreshing state... [id=2023-09-06 00:40:21.735 +0000 UTC]
data.aws_vpc.deductions_core_vpc: Read complete after 2s
aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_public_access_block.ehr_repo_access_logs_access_block: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_versioning.ehr_repo_access_logs[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr-repo-bucket_policy: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_versioning.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_public_access_block.ehr_repo_access_block: Refreshing state... [id=prod-ehr-repo-bucket]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "prod-ehr-repo-bucket" -> null
      - id                    = "prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_developer_to_see_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "s3:Get*",
                            "s3:ListBucket",
                        ]
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::535760944720:role/RepoDeveloper"
                        }
                        Resource  = [
                            "arn:aws:s3:::prod-ehr-repo-access-logs",
                            "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::535760944720:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_security_group.ehr_repo_alb will be updated in-place
  ~ resource "aws_security_group" "ehr_repo_alb" {
        id                     = "sg-07e5606b3bcd4649d"
        name                   = "prod-alb-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-ehr-repo"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "gocd_to_db_sg" {
        id                     = "sg-04a1bdc4b2d04025f"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo-db-sg"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "gocd_to_ehr_repo" {
        id                     = "sg-03ac6aa886cc858a1"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.service_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "service_to_ehr_repo" {
        id                     = "sg-0843b1d0b553c2023"
        name                   = "prod-service-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-service-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "vpn_to_db_sg" {
        id                     = "sg-0202aa7080b14a4fe"
        name                   = "prod-vpn-to-ehr-repo-db-sg"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "vpn_to_ehr_repo" {
        id                     = "sg-0b1fbb458ed13a742"
        name                   = "prod-vpn-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 5 to add, 10 to change, 1 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 13, 2024

Report for environment: dev

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (0 to add, 2 to change, 0 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "dev-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "dev-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "dev-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 13, 2024

Report for environment: pre-prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 3 to change, 1 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "pre-prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "pre-prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "pre-prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "pre-prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "pre-prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "pre-prod-ehr-repo-bucket" -> null
      - id                    = "pre-prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "pre-prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::108148468272:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::pre-prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 3 to change, 1 to destroy.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 13, 2024

Report for environment: test

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 2 to change, 0 to destroy) 


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "test-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "test-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "test-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "test-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "test-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 2 to change, 0 to destroy.

@AndyFlintNHS AndyFlintNHS merged commit 67ed0f4 into main Aug 13, 2024
@AndyFlintNHS AndyFlintNHS deleted the PRMP-723 branch August 13, 2024 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@AndyFlintNHS AndyFlintNHS AndyFlintNHS approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chrisbloe @AndyFlintNHS