Revert "Revert "feat: use Lambda and Cloudwatch Logs to send reviewedalarms to Slack channels (#421)" (#426)" #428
⚠ Terraform update available
Terraform: 1.5.2 (using 1.4.2)
Terragrunt: 0.48.1 (using 0.46.3)
Staging: cognito
✅ Terraform Init: Plan: 0 to add, 2 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_cloudwatch_log_group.cognito_email_sender will be updated in-place
~ resource "aws_cloudwatch_log_group" "cognito_email_sender" {
id = "/aws/lambda/Cognito_Email_Sender"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Cognito_Email_Sender"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.cognito_pre_sign_up will be updated in-place
~ resource "aws_cloudwatch_log_group" "cognito_pre_sign_up" {
id = "/aws/lambda/Cognito_Pre_Sign_Up"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Cognito_Pre_Sign_Up"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.cognito_email_sender"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.cognito_pre_sign_up"]
WARN - plan.json - main - Missing Common Tags: ["aws_cognito_user_pool.forms"]
20 tests, 17 passed, 3 warnings, 0 failures, 0 exceptions
Staging: app
✅ Terraform Init: Plan: 10 to add, 15 to change, 10 to destroy
✂ Warning: plan has been truncated! See the full plan in the logs.
Resource actions are indicated with the following symbols:
~ update in-place
-/+ destroy and then create replacement
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.lambda_app_invoke will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "lambda_app_invoke" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "lambda:InvokeFunction",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:lambda:ca-central-1:687401027353:function:Submission",
]
}
}
# data.template_file.form_viewer_task will be read during apply
# (depends on a resource or a module with changes pending)
<= data "template_file" "form_viewer_task" {
+ id = (known after apply)
+ rendered = (known after apply)
+ template = jsonencode(
[
+ {
+ environment = [
+ {
+ name = "METRIC_PROVIDER"
+ value = "${metric_provider}"
},
+ {
+ name = "TRACER_PROVIDER"
+ value = "${tracer_provider}"
},
+ {
+ name = "SUBMISSION_API"
+ value = "${submission_api}"
},
+ {
+ name = "NEXTAUTH_URL"
+ value = "${nextauth_url}"
},
+ {
+ name = "REDIS_URL"
+ value = "${redis_url}"
},
+ {
+ name = "RELIABILITY_FILE_STORAGE"
+ value = "${reliability_file_storage}"
},
+ {
+ name = "RECAPTCHA_V3_SITE_KEY"
+ value = "${recaptcha_public}"
},
+ {
+ name = "TEMPORARY_TOKEN_TEMPLATE_ID"
+ value = "${gc_temp_token_template_id}"
},
+ {
+ name = "TEMPLATE_ID"
+ value = "${gc_template_id}"
},
+ {
+ name = "VAULT_FILE_STORAGE"
+ value = "${vault_file_storage}"
},
+ {
+ name = "COGNITO_ENDPOINT_URL"
+ value = "${cognito_endpoint_url}"
},
+ {
+ name = "COGNITO_CLIENT_ID"
+ value = "${cognito_client_id}"
},
+ {
+ name = "EMAIL_ADDRESS_CONTACT_US"
+ value = "${email_address_contact_us}"
},
+ {
+ name = "EMAIL_ADDRESS_SUPPORT"
+ value = "${email_address_support}"
},
+ {
+ name = "REPROCESS_SUBMISSION_QUEUE_URL"
+ value = "${reprocess_submission_queue}"
},
+ {
+ name = "AUDIT_LOG_QUEUE_URL"
+ value = "${audit_log_queue_url}"
},
]
+ image = "${image}"
+ linuxParameters = {
+ capabilities = {
+ drop = [
+ "ALL",
]
}
}
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = "${awslogs-group}"
+ awslogs-region = "${awslogs-region}"
+ awslogs-stream-prefix = "${awslogs-stream-prefix}"
}
}
+ name = "form_viewer"
+ portMappings = [
+ {
+ containerPort = 3000
},
]
+ secrets = [
+ {
+ name = "NOTIFY_API_KEY"
+ valueFrom = "${notify_api_key}"
},
+ {
+ name = "RECAPTCHA_V3_SECRET_KEY"
+ valueFrom = "${recaptcha_secret}"
},
+ {
+ name = "GOOGLE_CLIENT_ID"
+ valueFrom = "${google_client_id}"
},
+ {
+ name = "GOOGLE_CLIENT_SECRET"
+ valueFrom = "${google_client_secret}"
},
+ {
+ name = "DATABASE_URL"
+ valueFrom = "${database_url}"
},
+ {
+ name = "TOKEN_SECRET"
+ valueFrom = "${token_secret}"
},
+ {
+ name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
+ valueFrom = "${gc_notify_callback_bearer_token}"
},
]
},
]
)
+ vars = {
+ "audit_log_queue_url" = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue"
+ "awslogs-group" = "Forms"
+ "awslogs-region" = "ca-central-1"
+ "awslogs-stream-prefix" = "ecs-form-viewer"
+ "cognito_client_id" = "17bsg3b2b7q5snon007rru264u"
+ "cognito_endpoint_url" = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_Cguq9JNQ1"
+ "database_url" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
+ "email_address_contact_us" = "[email protected]"
+ "email_address_support" = "[email protected]"
+ "gc_notify_callback_bearer_token" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:gc_notify_callback_bearer_token-wZbg6S"
+ "gc_temp_token_template_id" = "b6885d06-d10a-422a-973f-05e274d9aa86"
+ "gc_template_id" = "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
+ "google_client_id" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:google_client_id-wRtgIh"
+ "google_client_secret" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:google_client_secret-tePLmK"
+ "image" = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_staging"
+ "metric_provider" = "stdout"
+ "nextauth_url" = "https://forms-staging.cdssandbox.xyz"
+ "notify_api_key" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-nV4keR"
+ "recaptcha_public" = "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
+ "recaptcha_secret" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:recaptcha_secret-spUZxB"
+ "redis_url" = "gcforms-redis-rep-group.uwpetx.ng.0001.cac1.cache.amazonaws.com"
+ "reliability_file_storage" = "forms-staging-reliability-file-storage"
+ "reprocess_submission_queue" = "https://sqs.ca-central-1.amazonaws.com/687401027353/reprocess_submission_queue.fifo"
+ "submission_api" = "arn:aws:lambda:ca-central-1:687401027353:function:Submission"
+ "token_secret" = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:token_secret-UyxxRR"
+ "tracer_provider" = "stdout"
+ "vault_file_storage" = "forms-staging-vault-file-storage"
}
}
# aws_cloudwatch_log_group.archive_form_templates will be updated in-place
~ resource "aws_cloudwatch_log_group" "archive_form_templates" {
id = "/aws/lambda/ArchiveFormTemplates"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/ArchiveFormTemplates"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.archiver will be updated in-place
~ resource "aws_cloudwatch_log_group" "archiver" {
id = "/aws/lambda/Archiver"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Archiver"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.audit_logs will be updated in-place
~ resource "aws_cloudwatch_log_group" "audit_logs" {
id = "/aws/lambda/AuditLogs"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/AuditLogs"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.dead_letter_queue_consumer will be updated in-place
~ resource "aws_cloudwatch_log_group" "dead_letter_queue_consumer" {
id = "/aws/lambda/DeadLetterQueueConsumer"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/DeadLetterQueueConsumer"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.nagware will be updated in-place
~ resource "aws_cloudwatch_log_group" "nagware" {
id = "/aws/lambda/Nagware"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Nagware"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.reliability will be updated in-place
~ resource "aws_cloudwatch_log_group" "reliability" {
id = "/aws/lambda/Reliability"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Reliability"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_cloudwatch_log_group.submission will be updated in-place
~ resource "aws_cloudwatch_log_group" "submission" {
id = "/aws/lambda/Submission"
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
name = "/aws/lambda/Submission"
~ retention_in_days = 0 -> 90
tags = {}
# (2 unchanged attributes hidden)
}
# aws_ecs_task_definition.form_viewer must be replaced
-/+ resource "aws_ecs_task_definition" "form_viewer" {
~ arn = "arn:aws:ecs:ca-central-1:687401027353:task-definition/form-viewer:1187" -> (known after apply)
~ container_definitions = jsonencode(
[
- {
- cpu = 0
- environment = [
- {
- name = "AUDIT_LOG_QUEUE_URL"
- value = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue"
},
- {
- name = "COGNITO_CLIENT_ID"
- value = "17bsg3b2b7q5snon007rru264u"
},
- {
- name = "COGNITO_ENDPOINT_URL"
- value = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_Cguq9JNQ1"
},
- {
- name = "EMAIL_ADDRESS_CONTACT_US"
- value = "[email protected]"
},
- {
- name = "EMAIL_ADDRESS_SUPPORT"
- value = "[email protected]"
},
- {
- name = "METRIC_PROVIDER"
- value = "stdout"
},
- {
- name = "NEXTAUTH_URL"
- value = "https://forms-staging.cdssandbox.xyz"
},
- {
- name = "RECAPTCHA_V3_SITE_KEY"
- value = "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
},
- {
- name = "REDIS_URL"
- value = "gcforms-redis-rep-group.uwpetx.ng.0001.cac1.cache.amazonaws.com"
},
- {
- name = "RELIABILITY_FILE_STORAGE"
- value = "forms-staging-reliability-file-storage"
},
- {
- name = "REPROCESS_SUBMISSION_QUEUE_URL"
- value = "https://sqs.ca-central-1.amazonaws.com/687401027353/reprocess_submission_queue.fifo"
},
- {
- name = "SUBMISSION_API"
- value = "arn:aws:lambda:ca-central-1:687401027353:function:Submission"
},
- {
- name = "TEMPLATE_ID"
- value = "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
},
- {
- name = "TEMPORARY_TOKEN_TEMPLATE_ID"
- value = "b6885d06-d10a-422a-973f-05e274d9aa86"
},
- {
- name = "TRACER_PROVIDER"
- value = "stdout"
},
- {
- name = "VAULT_FILE_STORAGE"
- value = "forms-staging-vault-file-storage"
},
]
- essential = true
- image = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_staging"
- linuxParameters = {
- capabilities = {
- drop = [
- "ALL",
]
}
}
- logConfiguration = {
- logDriver = "awslogs"
- options = {
- awslogs-group = "Forms"
- awslogs-region = "ca-central-1"
- awslogs-stream-prefix = "ecs-form-viewer"
}
}
- mountPoints = []
- name = "form_viewer"
- portMappings = [
- {
- containerPort = 3000
- hostPort = 3000
- protocol = "tcp"
},
]
- secrets = [
- {
- name = "NOTIFY_API_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-nV4keR"
},
- {
- name = "RECAPTCHA_V3_SECRET_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:recaptcha_secret-spUZxB"
},
- {
- name = "GOOGLE_CLIENT_ID"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:google_client_id-wRtgIh"
},
- {
- name = "GOOGLE_CLIENT_SECRET"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:google_client_secret-tePLmK"
},
- {
- name = "DATABASE_URL"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
},
- {
- name = "TOKEN_SECRET"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:token_secret-UyxxRR"
},
- {
- name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:gc_notify_callback_bearer_token-wZbg6S"
},
]
- volumesFrom = []
},
] # forces replacement
) -> (known after apply)
~ id = "form-viewer" -> (known after apply)
~ revision = 1187 -> (known after apply)
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (9 unchanged attributes hidden)
}
# aws_iam_policy.lambda_app_invoke will be updated in-place
~ resource "aws_iam_policy" "lambda_app_invoke" {
id = "arn:aws:iam::687401027353:policy/lambda_app_invoke"
name = "lambda_app_invoke"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = "lambda:InvokeFunction"
- Effect = "Allow"
- Resource = "arn:aws:lambda:ca-central-1:687401027353:function:Submission"
- Sid = ""
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (5 unchanged attributes hidden)
}
# aws_lambda_function.archive_form_templates will be updated in-place
~ resource "aws_lambda_function" "archive_form_templates" {
id = "ArchiveFormTemplates"
~ last_modified = "2023-06-12T12:23:36.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_lib_packages:1",
- "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_node_packages:11",
] -> (known after apply)
~ source_code_hash = "hnxlZxxv2yMpRiU2heu1IEjtP7oUET2AuVuU080nMrY=" -> "X/5IZ2OGKUQN37O1Tmg8PkYLrDM/SAqY03rH0V1L2kI="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_function.archiver will be updated in-place
~ resource "aws_lambda_function" "archiver" {
id = "Archiver"
~ last_modified = "2023-06-12T12:23:13.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:archiver_lib_packages:1",
- "arn:aws:lambda:ca-central-1:687401027353:layer:archiver_node_packages:13",
] -> (known after apply)
~ source_code_hash = "hLD1VyqKvQbwDSWFL9xJSY0DUcLlim2/1ndj+Pn6Mxg=" -> "vwHjhQrsPx8fZZidqMjPr3SW1xFf6m7PhHc0MazA8sg="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
~ environment {
~ variables = {
- "SNS_ERROR_TOPIC_ARN" = "arn:aws:sns:ca-central-1:687401027353:alert-critical" -> null
# (4 unchanged elements hidden)
}
}
# (1 unchanged block hidden)
}
# aws_lambda_function.audit_logs will be updated in-place
~ resource "aws_lambda_function" "audit_logs" {
id = "AuditLogs"
~ last_modified = "2023-06-12T12:23:06.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:audit_logs_node_packages:11",
] -> (known after apply)
~ source_code_hash = "mQxl9VyA225PSewrwN8mLiOZ88cPwt8x7u+sHaB61sw=" -> "dz/hiI3NAvrDiFbBVhWJMEVMbZaeSTcKWRylyMmsgS4="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
~ environment {
~ variables = {
- "SNS_ERROR_TOPIC_ARN" = "arn:aws:sns:ca-central-1:687401027353:alert-critical" -> null
# (1 unchanged element hidden)
}
}
# (1 unchanged block hidden)
}
# aws_lambda_function.dead_letter_queue_consumer will be updated in-place
~ resource "aws_lambda_function" "dead_letter_queue_consumer" {
id = "DeadLetterQueueConsumer"
~ last_modified = "2023-06-12T12:23:23.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:dead_letter_queue_consumer_node_packages:16",
] -> (known after apply)
~ source_code_hash = "foRV3lpc4SINNhjayLX6INifc2STyOWRNaFtpkd3TVU=" -> "JtYX8fs/YYLYUWLyIzHuhzXzUYGwZM197QWkRX0vWQQ="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_function.nagware will be updated in-place
~ resource "aws_lambda_function" "nagware" {
id = "Nagware"
~ last_modified = "2023-06-12T12:23:20.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:nagware_lib_packages:5",
- "arn:aws:lambda:ca-central-1:687401027353:layer:nagware_node_packages:12",
] -> (known after apply)
~ source_code_hash = "1lkuh9DDwBCy2u7F8o99BFbRx4RLeIJBsnfZSA30Q+8=" -> "KV3xLPu+DWc3BFhNIlq75cxyiHYFjLP0Qw4QfK4eizc="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_function.reliability will be updated in-place
~ resource "aws_lambda_function" "reliability" {
id = "Reliability"
~ last_modified = "2023-06-12T12:23:30.000+0000" -> (known after apply)
~ layers = [
- "arn:aws:lambda:ca-central-1:687401027353:layer:reliability_lib_packages:105",
- "arn:aws:lambda:ca-central-1:687401027353:layer:reliability_node_packages:124",
] -> (known after apply)
~ source_code_hash = "t+G8MFgtikOTRdsRP0aYBZ4OuDIznmWAjqNqKUwa5r4=" -> "d1H2vViWng4wr/UhadHYkofFXtgLHYCn9cFpRLWaZ58="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (17 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_function.submission will be updated in-place
~ resource "aws_lambda_function" "submission" {
id = "Submission"
~ last_modified = "2023-06-14T14:25:16.735+0000" -> (known after apply)
~ source_code_hash = "hSCfbKw7q4M+8gD0yMwbyj0sokLcpx3x9zmhk0kCWVc=" -> "b34iP8b96YSo/uaGe2HGr4eRddz2WWr7ytvGO9/FPmM="
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (18 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_lambda_layer_version.archive_form_templates_lib must be replaced
-/+ resource "aws_lambda_layer_version" "archive_form_templates_lib" {
~ arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_lib_packages:1" -> (known after apply)
- compatible_architectures = [] -> null
~ created_date = "2023-04-24T12:57:54.961+0000" -> (known after apply)
~ id = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_lib_packages:1" -> (known after apply)
~ layer_arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_lib_packages" -> (known after apply)
+ signing_job_arn = (known after apply)
+ signing_profile_version_arn = (known after apply)
~ source_code_hash = "sJbaO6Ury4AeD8hZC7rT5XJ1qzzVQFJoL6uRYKXZ0qw=" -> "Wcj95c2XyEFG8Xs6C4qfO3t2Leg5zjBkiyF1MxJxOSo=" # forces replacement
~ source_code_size = 1321 -> (known after apply)
~ version = "1" -> (known after apply)
# (4 unchanged attributes hidden)
}
# aws_lambda_layer_version.archive_form_templates_nodejs must be replaced
-/+ resource "aws_lambda_layer_version" "archive_form_templates_nodejs" {
~ arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_node_packages:11" -> (known after apply)
- compatible_architectures = [] -> null
~ created_date = "2023-06-12T12:23:35.555+0000" -> (known after apply)
~ id = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_node_packages:11" -> (known after apply)
~ layer_arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archive_form_templates_node_packages" -> (known after apply)
+ signing_job_arn = (known after apply)
+ signing_profile_version_arn = (known after apply)
~ source_code_hash = "QomxpGKEye2uPjHF8h9CaZIo6KG9LMtzNOqu1suwaNQ=" -> "f2p3c94G3L6jYURXgO+w3kfQqNa5wWgeartQ0/vdw/0=" # forces replacement
~ source_code_size = 2340296 -> (known after apply)
~ version = "11" -> (known after apply)
# (4 unchanged attributes hidden)
}
# aws_lambda_layer_version.archiver_nodejs must be replaced
-/+ resource "aws_lambda_layer_version" "archiver_nodejs" {
~ arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archiver_node_packages:13" -> (known after apply)
- compatible_architectures = [] -> null
~ created_date = "2023-06-12T12:23:13.059+0000" -> (known after apply)
~ id = "arn:aws:lambda:ca-central-1:687401027353:layer:archiver_node_packages:13" -> (known after apply)
~ layer_arn = "arn:aws:lambda:ca-central-1:687401027353:layer:archiver_node_packages" -> (known after apply)
+ signing_job_arn = (known after apply)
+ signing_profile_version_arn = (known after apply)
~ source_code_hash = "0iu7Y6ZEpuIAEHEjbIv/z6INYO7XHHhYB4FiprtA0v0=" -> "DbAEHzOTFUsc3lunJi1wiQ3jMDrBZH3u4sabdZbeoVc=" # forces replacement
~ source_code_size = 4927315 -> (known after apply)
~ version = "13" -> (known after apply)
# (4 unchanged attributes hidden)
}
# aws_lambda_layer_version.audit_logs_lib must be replaced
-/+ resource "aws_lambda_layer_version" "audit_logs_lib" {
~ arn = "arn:aws:lambda:ca-central-1:687401027353:layer:audit_logs_node_packages:11" -> (known after apply)
- compatible_architectures = [] -> null
~ created_date = "2023-06-12T12:23:06.277+0000" -> (known after apply)
~ id = "arn:aws:lambda:ca-central-1:687401027353:layer:audit_logs_node_packages:11" -> (known after...
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_2am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_3am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_4am_every_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.cron_5am_every_business_day"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
28 tests, 17 passed, 11 warnings, 0 failures, 0 exceptions
Staging: alarms
✅ Terraform Init: Plan: 16 to add, 0 to change, 17 to destroy
Resource actions are indicated with the following symbols:
+ create
- destroy
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_cloudwatch_log_group.notify_slack will be created
+ resource "aws_cloudwatch_log_group" "notify_slack" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = "arn:aws:kms:ca-central-1:687401027353:key/c5c2a1c2-c092-4fa1-8daf-3414f3511b1d"
+ name = "/aws/lambda/NotifySlackSNS"
+ retention_in_days = 90
+ tags_all = (known after apply)
}
# aws_cloudwatch_log_metric_filter.application_error will be destroyed
# (because aws_cloudwatch_log_metric_filter.application_error is not in configuration)
- resource "aws_cloudwatch_log_metric_filter" "application_error" {
- id = "ApplicationError" -> null
- log_group_name = "Forms" -> null
- name = "ApplicationError" -> null
- pattern = "Error" -> null
- metric_transformation {
- default_value = "0" -> null
- dimensions = {} -> null
- name = "ApplicationError" -> null
- namespace = "forms" -> null
- unit = "None" -> null
- value = "1" -> null
}
}
# aws_cloudwatch_log_metric_filter.expired_bearer_token will be destroyed
# (because aws_cloudwatch_log_metric_filter.expired_bearer_token is not in configuration)
- resource "aws_cloudwatch_log_metric_filter" "expired_bearer_token" {
- id = "ExpiredBearerToken" -> null
- log_group_name = "Forms" -> null
- name = "ExpiredBearerToken" -> null
- pattern = "expired bearer token" -> null
- metric_transformation {
- dimensions = {} -> null
- name = "ExpiredBearerToken" -> null
- namespace = "forms" -> null
- unit = "None" -> null
- value = "1" -> null
}
}
# aws_cloudwatch_log_metric_filter.five_hundred_response will be destroyed
# (because aws_cloudwatch_log_metric_filter.five_hundred_response is not in configuration)
- resource "aws_cloudwatch_log_metric_filter" "five_hundred_response" {
- id = "500Response" -> null
- log_group_name = "Forms" -> null
- name = "500Response" -> null
- pattern = "\"HTTP/1.1 5\"" -> null
- metric_transformation {
- default_value = "0" -> null
- dimensions = {} -> null
- name = "500Response" -> null
- namespace = "forms" -> null
- unit = "None" -> null
- value = "1" -> null
}
}
# aws_cloudwatch_log_metric_filter.generate_temporary_token_api_failure will be destroyed
# (because aws_cloudwatch_log_metric_filter.generate_temporary_token_api_failure is not in configuration)
- resource "aws_cloudwatch_log_metric_filter" "generate_temporary_token_api_failure" {
- id = "GenerateTemporaryTokenApiFailure" -> null
- log_group_name = "Forms" -> null
- name = "GenerateTemporaryTokenApiFailure" -> null
- pattern = "Failed to generate temporary token" -> null
- metric_transformation {
- dimensions = {} -> null
- name = "GenerateTemporaryTokenApiFailure" -> null
- namespace = "forms" -> null
- unit = "None" -> null
- value = "1" -> null
}
}
# aws_cloudwatch_log_metric_filter.request_temporary_token_api_using_unauthorized_email_address will be destroyed
# (because aws_cloudwatch_log_metric_filter.request_temporary_token_api_using_unauthorized_email_address is not in configuration)
- resource "aws_cloudwatch_log_metric_filter" "request_temporary_token_api_using_unauthorized_email_address" {
- id = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- log_group_name = "Forms" -> null
- name = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- pattern = "\"An email address with no access to any form has been locked out\"" -> null
- metric_transformation {
- dimensions = {} -> null
- name = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- namespace = "forms" -> null
- unit = "None" -> null
- value = "1" -> null
}
}
# aws_cloudwatch_log_subscription_filter.archiver_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "archiver_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Archiver"
+ name = "archiver_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.audit_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "audit_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/AuditLogs"
+ name = "audit_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.dlq_consumer_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "dlq_consumer_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/DeadLetterQueueConsumer"
+ name = "dql_consumer_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.forms_app_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "forms_app_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "Forms"
+ name = "forms_app_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.forms_unhandled_error_steam will be created
+ resource "aws_cloudwatch_log_subscription_filter" "forms_unhandled_error_steam" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "Error -level"
+ id = (known after apply)
+ log_group_name = "Forms"
+ name = "forms_unhandled_error_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.nagware_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "nagware_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Nagware"
+ name = "nagware_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.reliability_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "reliability_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/Reliability"
+ name = "reliability_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_log_subscription_filter.template_archiver_log_stream will be created
+ resource "aws_cloudwatch_log_subscription_filter" "template_archiver_log_stream" {
+ destination_arn = (known after apply)
+ distribution = "ByLogStream"
+ filter_pattern = "{($.level = \"warn\") || ($.level = \"error\")}"
+ id = (known after apply)
+ log_group_name = "/aws/lambda/ArchiveFormTemplates"
+ name = "template_archiver_log_stream"
+ role_arn = (known after apply)
}
# aws_cloudwatch_metric_alarm.application_error_warn will be destroyed
# (because aws_cloudwatch_metric_alarm.application_error_warn is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "application_error_warn" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - An error message was detected in the ECS logs" -> null
- alarm_name = "ApplicationErrorWarn" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:ApplicationErrorWarn" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {} -> null
- evaluation_periods = 1 -> null
- id = "ApplicationErrorWarn" -> null
- insufficient_data_actions = [] -> null
- metric_name = "ApplicationError" -> null
- namespace = "forms" -> null
- ok_actions = [] -> null
- period = 60 -> null
- statistic = "Sum" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 0 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_cloudwatch_metric_alarm.expired_bearer_token will be destroyed
# (because aws_cloudwatch_metric_alarm.expired_bearer_token is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "expired_bearer_token" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - An expired bearer token has been used" -> null
- alarm_name = "ExpiredBearerToken" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:ExpiredBearerToken" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {} -> null
- evaluation_periods = 1 -> null
- id = "ExpiredBearerToken" -> null
- insufficient_data_actions = [] -> null
- metric_name = "ExpiredBearerToken" -> null
- namespace = "forms" -> null
- ok_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-ok",
] -> null
- period = 60 -> null
- statistic = "SampleCount" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 0 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_cloudwatch_metric_alarm.five_hundred_response_warn will be destroyed
# (because aws_cloudwatch_metric_alarm.five_hundred_response_warn is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "five_hundred_response_warn" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - A 5xx HTML error was detected coming from the Forms." -> null
- alarm_name = "500ResponseWarn" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:500ResponseWarn" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {} -> null
- evaluation_periods = 1 -> null
- id = "500ResponseWarn" -> null
- insufficient_data_actions = [] -> null
- metric_name = "500Response" -> null
- namespace = "forms" -> null
- ok_actions = [] -> null
- period = 60 -> null
- statistic = "Sum" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 0 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_cloudwatch_metric_alarm.generate_temporary_token_api_failure will be destroyed
# (because aws_cloudwatch_metric_alarm.generate_temporary_token_api_failure is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "generate_temporary_token_api_failure" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - Failed to generate temporary token too many times" -> null
- alarm_name = "GenerateTemporaryTokenApiFailure" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:GenerateTemporaryTokenApiFailure" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {} -> null
- evaluation_periods = 1 -> null
- id = "GenerateTemporaryTokenApiFailure" -> null
- insufficient_data_actions = [] -> null
- metric_name = "GenerateTemporaryTokenApiFailure" -> null
- namespace = "forms" -> null
- ok_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-ok",
] -> null
- period = 300 -> null
- statistic = "SampleCount" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 5 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_cloudwatch_metric_alarm.request_temporary_token_api_using_unauthorized_email_address will be destroyed
# (because aws_cloudwatch_metric_alarm.request_temporary_token_api_using_unauthorized_email_address is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "request_temporary_token_api_using_unauthorized_email_address" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - Someone tried to request a temporary token using an unauthorized email address" -> null
- alarm_name = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {} -> null
- evaluation_periods = 1 -> null
- id = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- insufficient_data_actions = [] -> null
- metric_name = "RequestTemporaryTokenApiUsingUnauthorizedEmailAddress" -> null
- namespace = "forms" -> null
- ok_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-ok",
] -> null
- period = 60 -> null
- statistic = "SampleCount" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 0 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_cloudwatch_metric_alarm.temporary_token_generated_outside_canada_warn will be destroyed
# (because aws_cloudwatch_metric_alarm.temporary_token_generated_outside_canada_warn is not in configuration)
- resource "aws_cloudwatch_metric_alarm" "temporary_token_generated_outside_canada_warn" {
- actions_enabled = true -> null
- alarm_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-warning",
] -> null
- alarm_description = "End User Forms Warning - A temporary token has been generated from outside Canada" -> null
- alarm_name = "TemporaryTokenGeneratedOutsideCanadaWarn" -> null
- arn = "arn:aws:cloudwatch:ca-central-1:687401027353:alarm:TemporaryTokenGeneratedOutsideCanadaWarn" -> null
- comparison_operator = "GreaterThanThreshold" -> null
- datapoints_to_alarm = 0 -> null
- dimensions = {
- "Region" = "ca-central-1"
- "Rule" = "TemporaryTokenGeneratedOutsideCanada"
- "WebACL" = "GCForms"
} -> null
- evaluation_periods = 1 -> null
- id = "TemporaryTokenGeneratedOutsideCanadaWarn" -> null
- insufficient_data_actions = [] -> null
- metric_name = "CountedRequests" -> null
- namespace = "AWS/WAFV2" -> null
- ok_actions = [
- "arn:aws:sns:ca-central-1:687401027353:alert-ok",
] -> null
- period = 300 -> null
- statistic = "SampleCount" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- threshold = 0 -> null
- treat_missing_data = "notBreaching" -> null
}
# aws_lambda_function.notify_slack will be created
+ resource "aws_lambda_function" "notify_slack" {
+ architectures = (known after apply)
+ arn = (known after apply)
+ filename = "/tmp/notify_slack.zip"
+ function_name = "NotifySlackSNS"
+ handler = "notify_slack.handler"
+ id = (known after apply)
+ invoke_arn = (known after apply)
+ last_modified = (known after apply)
+ memory_size = 128
+ package_type = "Zip"
+ publish = false
+ qualified_arn = (known after apply)
+ reserved_concurrent_executions = -1
+ role = "arn:aws:iam::687401027353:role/NotifySlackLambda"
+ runtime = "nodejs14.x"
+ signing_job_arn = (known after apply)
+ signing_profile_version_arn = (known after apply)
+ source_code_hash = "GdvVvwAbuRQRTbbH3HDeuEAij45Imr/ZGIutpDGticg="
+ source_code_size = (known after apply)
+ tags = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ timeout = 3
+ version = (known after apply)
+ environment {
+ variables = {
+ "ENVIRONMENT" = "Staging"
+ "SLACK_WEBHOOK" = (sensitive value)
}
}
+ tracing_config {
+ mode = "PassThrough"
}
}
# aws_lambda_function.notify_slack_sns will be destroyed
# (because aws_lambda_function.notify_slack_sns is not in configuration)
- resource "aws_lambda_function" "notify_slack_sns" {
- architectures = [
- "x86_64",
] -> null
- arn = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" -> null
- filename = "/tmp/notify_slack.zip" -> null
- function_name = "NotifySlackSNS" -> null
- handler = "notify_slack.handler" -> null
- id = "NotifySlackSNS" -> null
- invoke_arn = "arn:aws:apigateway:ca-central-1:lambda:path/2015-03-31/functions/arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS/invocations" -> null
- last_modified = "2021-12-17T17:27:39.963+0000" -> null
- layers = [] -> null
- memory_size = 128 -> null
- package_type = "Zip" -> null
- publish = false -> null
- qualified_arn = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS:$LATEST" -> null
- reserved_concurrent_executions = -1 -> null
- role = "arn:aws:iam::687401027353:role/NotifySlackLambda" -> null
- runtime = "nodejs14.x" -> null
- source_code_hash = "6XRQfs4IrBYOXmuSBBJW/kVNbqQQb5+/1TeXMTlyrM8=" -> null
- source_code_size = 1053 -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- timeout = 3 -> null
- version = "$LATEST" -> null
- environment {
- variables = {
- "ENVIRONMENT" = "Staging"
- "SLACK_WEBHOOK" = (sensitive value)
} -> null
}
- tracing_config {
- mode = "PassThrough" -> null
}
}
# aws_lambda_permission.allow_cloudwatch_to_run_lambda will be created
+ resource "aws_lambda_permission" "allow_cloudwatch_to_run_lambda" {
+ action = "lambda:InvokeFunction"
+ function_name = "NotifySlackSNS"
+ id = (known after apply)
+ principal = "events.amazonaws.com"
+ source_arn = "arn:aws:ssm:ca-central-1:687401027353:log-group:*:*"
+ statement_id = "AllowExecutionFromCloudWatch"
}
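Review bot: in aws_lambda_permission.allow_cloudwatch_to_run_lambda, neither principal nor source_arn matches CloudWatch Logs, the service this change relies on to invoke NotifySlackSNS. The principal is "events.amazonaws.com" and the source_arn sits in the ssm namespace ("arn:aws:ssm:ca-central-1:687401027353:log-group:*:*"), so a log subscription filter delivering to the function is not covered by this statement. Suggest setting principal to the CloudWatch Logs service principal ("logs.amazonaws.com") and using an "arn:aws:logs:..." source_arn, scoped to the specific log groups that have subscription filters rather than "log-group:*:*" where that is practical.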
# aws_sns_topic_subscription.topic_critical must be replaced
-/+ resource "aws_sns_topic_subscription" "topic_critical" {
~ arn = "arn:aws:sns:ca-central-1:687401027353:alert-critical:9eb13517-91ba-4866-9e39-6f9e190deb96" -> (known after apply)
~ confirmation_was_authenticated = true -> (known after apply)
~ endpoint = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" # forces replacement -> (known after apply)
~ id = "arn:aws:sns:ca-central-1:687401027353:alert-critical:9eb13517-91ba-4866-9e39-6f9e190deb96" -> (known after apply)
~ owner_id = "687401027353" -> (known after apply)
~ pending_confirmation = false -> (known after apply)
# (5 unchanged attributes hidden)
}
# aws_sns_topic_subscription.topic_ok must be replaced
-/+ resource "aws_sns_topic_subscription" "topic_ok" {
~ arn = "arn:aws:sns:ca-central-1:687401027353:alert-ok:6537d517-9d16-4f1f-9aab-6f5b0953a91d" -> (known after apply)
~ confirmation_was_authenticated = true -> (known after apply)
~ endpoint = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" # forces replacement -> (known after apply)
~ id = "arn:aws:sns:ca-central-1:687401027353:alert-ok:6537d517-9d16-4f1f-9aab-6f5b0953a91d" -> (known after apply)
~ owner_id = "687401027353" -> (known after apply)
~ pending_confirmation = false -> (known after apply)
# (5 unchanged attributes hidden)
}
# aws_sns_topic_subscription.topic_ok_us_east must be replaced
-/+ resource "aws_sns_topic_subscription" "topic_ok_us_east" {
~ arn = "arn:aws:sns:us-east-1:687401027353:alert-ok:a3badcf8-bda9-471b-9e74-d1d5eac9a72a" -> (known after apply)
~ confirmation_was_authenticated = true -> (known after apply)
~ endpoint = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" # forces replacement -> (known after apply)
~ id = "arn:aws:sns:us-east-1:687401027353:alert-ok:a3badcf8-bda9-471b-9e74-d1d5eac9a72a" -> (known after apply)
~ owner_id = "687401027353" -> (known after apply)
~ pending_confirmation = false -> (known after apply)
# (5 unchanged attributes hidden)
}
# aws_sns_topic_subscription.topic_warning must be replaced
-/+ resource "aws_sns_topic_subscription" "topic_warning" {
~ arn = "arn:aws:sns:ca-central-1:687401027353:alert-warning:6953bf9d-51af-440b-a4ae-c955c152134c" -> (known after apply)
~ confirmation_was_authenticated = true -> (known after apply)
~ endpoint = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" # forces replacement -> (known after apply)
~ id = "arn:aws:sns:ca-central-1:687401027353:alert-warning:6953bf9d-51af-440b-a4ae-c955c152134c" -> (known after apply)
~ owner_id = "687401027353" -> (known after apply)
~ pending_confirmation = false -> (known after apply)
# (5 unchanged attributes hidden)
}
# aws_sns_topic_subscription.topic_warning_us_east must be replaced
-/+ resource "aws_sns_topic_subscription" "topic_warning_us_east" {
~ arn = "arn:aws:sns:us-east-1:687401027353:alert-warning:7ef8bc25-4ce7-483f-9c80-fdb930d80b96" -> (known after apply)
~ confirmation_was_authenticated = true -> (known after apply)
~ endpoint = "arn:aws:lambda:ca-central-1:687401027353:function:NotifySlackSNS" # forces replacement -> (known after apply)
~ id = "arn:aws:sns:us-east-1:687401027353:alert-warning:7ef8bc25-4ce7-483f-9c80-fdb930d80b96" -> (known after apply)
~ owner_id = "687401027353" -> (known after apply)
~ pending_confirmation = false -> (known after apply)
# (5 unchanged attributes hidden)
}
Plan: 16 to add, 0 to change, 17 to destroy.
Warning: Argument is deprecated
with module.athena_bucket.aws_s3_bucket.this,
on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
8: resource "aws_s3_bucket" "this" {
Use the aws_s3_bucket_versioning resource instead
(and 8 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.route53_ddos"]
20 tests, 17 passed, 3 warnings, 0 failures, 0 exceptions
* chore: new workflow for full infrastructure plan against staging (#424) * feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421) * add cloudwatch logs expiry * rename slack lambda function * add cloudwatch expiry to cognito lambdas * update lambda for new streams * remove redundant alarms * create log subscriptions for all lambdas * reliability and submission lambda error processing * add error property * Nagware updates * archive form responses updates * dlq consumer * update yarn lock for archive form responses * update slack messaging to include more info * archive form templates updates * audit logs processor lambda updates * formatting * fix cloudwatch block scope * removed included file in lib package for nagware lambda because it does not exist anymore * fix security issues and add permissions * missed kms entry on resource * add missing input var * Add missing vars on alarm module * typo in module def for alarms * fix typo * fixed few issues --------- Co-authored-by: Bryan Robitaille <[email protected]> * Revert "feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421)" (#426) This reverts commit 7f502df. * Revert "Revert "feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421)" (#426)" (#428) This reverts commit 063e411. * fix: permission for Cloudwatch to run Notify Slack lambda (#429) * fix: permission for Cloudwatch to run Notify Slack lambda (second attempt) (#430) * fix: Terraform module version reference (#427) Update the Terraform module version references so they are in the correct format. This will allow Renovate dependency PRs to update them module versions without stripping the `//sub-directory` path. 
* feat: added missing cloudwatch subscription filter for submission logs (#431) * feat: added missing cloudwatch subscription filter for submission logs * chore: remove reliability queue alarm that is not needed anymore * chore: format all console logs in JSON (#432) * fix: multiple issues with NotifySlack lambda (#434) * chore(deps): update all non-major github action dependencies (#418) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update all non-major docker images (#417) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update WAF rules to support newly added URIs (#433) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * disabled waf regex till provider is merged (#435) * Attempt to fix waf limit exceeded error (#437) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * Fix/add missing regex comp (#438) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * add missing regex component to match path * 
removed duplicated expression * removed duplicate expression * Fix WAF InvalidParameterException (#439) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * add missing regex component to match path * removed duplicated expression * removed duplicate expression * refactor capture group, and restricted capture for home page * fix invalid syntax (#441) * Restore missing output for lambda function name (#443) * feat: nagware sends email to all template associated users (#442) * feat: nagware sends email to all template associated users * fix: spelling * Feature/alarm for privileges (#445) * Remove unknown error ref * Add events to listen for by subscriber * fix destructuring * Feat/dontnagtestresponse (#449) * feat: delete overdue draft form responses and dont nag Signed-off-by: Daine Trinidad <[email protected]> * chore: reverting some changes for lockfile Signed-off-by: Daine Trinidad <[email protected]> * chore: some cleanup Signed-off-by: Daine Trinidad <[email protected]> * chore: re-adding template file that got lost during merge Signed-off-by: Daine Trinidad <[email protected]> * chore: removing file again for cleaner diff and history Signed-off-by: Daine Trinidad <[email protected]> * chore: fixed file refactor Signed-off-by: Daine Trinidad <[email protected]> * fix: refactor missed the terraform file; fixed the new name for the file Signed-off-by: Daine Trinidad <[email protected]> * fix: horrible typo, missing 's' Signed-off-by: Daine Trinidad <[email protected]> * fix: move var declaration inside try catch & comment cleanup Signed-off-by: Daine Trinidad <[email 
protected]> --------- Signed-off-by: Daine Trinidad <[email protected]> * doc: update readme to inform about signed commits on this repo (#450) * feat: added severity level to alarms being sent to Slack (#451) * add path for profile (#453) * chore(deps): update all non-major github action dependencies (#447) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update all non-major docker images (#446) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): lock file maintenance (#419) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Bump version * update version * refactor: rework Nagware warning message being sent to Slack (#457) * fix: nagware notification layout (#460) * Host header fix (#461) --------- Signed-off-by: Daine Trinidad <[email protected]> Co-authored-by: Clément JANIN <[email protected]> Co-authored-by: Pat Heard <[email protected]> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Raphael <[email protected]> Co-authored-by: Dave Samojlenko <[email protected]> Co-authored-by: Daine Trinidad <[email protected]> Co-authored-by: Tim Arney <[email protected]>
* chore: new workflow for full infrastructure plan against staging (#424) * feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421) * add cloudwatch logs expiry * rename slack lambda function * add cloudwatch expiry to cognito lambdas * update lambda for new streams * remove redundant alarms * create log subscriptions for all lambdas * reliability and submission lambda error processing * add error property * Nagware updates * archive form responses updates * dlq consumer * update yarn lock for archive form responses * update slack messaging to include more info * archive form templates updates * audit logs processor lambda updates * formatting * fix cloudwatch block scope * removed included file in lib package for nagware lambda because it does not exist anymore * fix security issues and add permissions * missed kms entry on resource * add missing input var * Add missing vars on alarm module * typo in module def for alarms * fix typo * fixed few issues --------- Co-authored-by: Bryan Robitaille <[email protected]> * Revert "feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421)" (#426) This reverts commit 7f502df. * Revert "Revert "feat: use Lambda and Cloudwatch Logs to send reviewed alarms to Slack channels (#421)" (#426)" (#428) This reverts commit 063e411. * fix: permission for Cloudwatch to run Notify Slack lambda (#429) * fix: permission for Cloudwatch to run Notify Slack lambda (second attempt) (#430) * fix: Terraform module version reference (#427) Update the Terraform module version references so they are in the correct format. This will allow Renovate dependency PRs to update them module versions without stripping the `//sub-directory` path. 
* feat: added missing cloudwatch subscription filter for submission logs (#431) * feat: added missing cloudwatch subscription filter for submission logs * chore: remove reliability queue alarm that is not needed anymore * chore: format all console logs in JSON (#432) * fix: multiple issues with NotifySlack lambda (#434) * chore(deps): update all non-major github action dependencies (#418) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update all non-major docker images (#417) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * Update WAF rules to support newly added URIs (#433) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * disabled waf regex till provider is merged (#435) * Attempt to fix waf limit exceeded error (#437) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * Fix/add missing regex comp (#438) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * add missing regex component to match path * 
removed duplicated expression * removed duplicate expression * Fix WAF InvalidParameterException (#439) * updated regex pattern to support newly added uris * add page * fix typo in resource name * fix undo introduced typo * try updating resource type to wafv1 where regex_pattern_strings is supported else will fallback on regular regex_string template * reset staging state:disabled regex till the provider upgrade is merged * attempt to fix waf limit exceeded error * renamed rule * fix undeclared resource name * attempt to fix resource name mismatch * add missing regex component to match path * removed duplicated expression * removed duplicate expression * refactor capture group, and restricted capture for home page * fix invalid syntax (#441) * Restore missing output for lambda function name (#443) * feat: nagware sends email to all template associated users (#442) * feat: nagware sends email to all template associated users * fix: spelling * Feature/alarm for privileges (#445) * Remove unknown error ref * Add events to listen for by subscriber * fix destructuring * Feat/dontnagtestresponse (#449) * feat: delete overdue draft form responses and dont nag Signed-off-by: Daine Trinidad <[email protected]> * chore: reverting some changes for lockfile Signed-off-by: Daine Trinidad <[email protected]> * chore: some cleanup Signed-off-by: Daine Trinidad <[email protected]> * chore: re-adding template file that got lost during merge Signed-off-by: Daine Trinidad <[email protected]> * chore: removing file again for cleaner diff and history Signed-off-by: Daine Trinidad <[email protected]> * chore: fixed file refactor Signed-off-by: Daine Trinidad <[email protected]> * fix: refactor missed the terraform file; fixed the new name for the file Signed-off-by: Daine Trinidad <[email protected]> * fix: horrible typo, missing 's' Signed-off-by: Daine Trinidad <[email protected]> * fix: move var declaration inside try catch & comment cleanup Signed-off-by: Daine Trinidad <[email 
protected]> --------- Signed-off-by: Daine Trinidad <[email protected]> * doc: update readme to inform about signed commits on this repo (#450) * feat: added severity level to alarms being sent to Slack (#451) * add path for profile (#453) * chore(deps): update all non-major github action dependencies (#447) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update all non-major docker images (#446) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): lock file maintenance (#419) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * refactor: rework Nagware warning message being sent to Slack (#457) * fix: nagware notification layout (#460) * Host header fix (#461) * release: 3.2.0 (#458) * fix: use valid ReCaptcha site key for production environment (#462) * release 3.2.1 --------- Signed-off-by: Daine Trinidad <[email protected]> Co-authored-by: Bryan Robitaille <[email protected]> Co-authored-by: Bryan Robitaille <[email protected]> Co-authored-by: Pat Heard <[email protected]> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Raphael <[email protected]> Co-authored-by: Dave Samojlenko <[email protected]> Co-authored-by: Daine Trinidad <[email protected]> Co-authored-by: Tim Arney <[email protected]>
CANNOT BE MERGED UNTIL MANUAL RESOURCES MIGRATION IS COMPLETED
This reverts commit 063e411.
Summary | Résumé