chore(deps): update google-github-actions/auth digest to 6fc4af4 #129
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
Terraform plan in examples/06-minimal-aws-terraform-bootstrap No changes. Your infrastructure matches the configuration.📝 Plan generated in terraform-plan-06-minimal-aws-terraform-bootstrap #121 |
|
Terraform plan in examples/02-minimal-gcp-tf-bootstrap No changes. Your infrastructure matches the configuration.📝 Plan generated in terraform-plan-02-minimal-gcp-tf-bootstrap #252 |
|
Terraform plan in examples/05-aws-complete Plan: 135 to add, 0 to change, 0 to destroy.Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# data.aws_eks_cluster.main will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_eks_cluster" "main" {
+ arn = (known after apply)
+ certificate_authority = (known after apply)
+ cluster_id = (known after apply)
+ created_at = (known after apply)
+ enabled_cluster_log_types = (known after apply)
+ endpoint = (known after apply)
+ id = (known after apply)
+ identity = (known after apply)
+ kubernetes_network_config = (known after apply)
+ name = "complete-example-prod"
+ outpost_config = (known after apply)
+ platform_version = (known after apply)
+ role_arn = (known after apply)
+ status = (known after apply)
+ tags = (known after apply)
+ version = (known after apply)
+ vpc_config = (known after apply)
}
# data.aws_iam_policy_document.allow_command_exec will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "allow_command_exec" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "kms:Decrypt",
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel",
]
+ resources = [
+ "*",
]
}
+ statement {
+ actions = [
+ "logs:DescribeLogGroups",
]
+ resources = [
+ "*",
]
}
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
]
+ resources = [
+ (known after apply),
]
}
}
# data.aws_iam_policy_document.loki_ecs_task_execution_role will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "loki_ecs_task_execution_role" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "ecr:GetAuthorizationToken",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "AllowECSToAuthenticateToECRInCentralAccount"
}
+ statement {
+ actions = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "AllowECSToPullImage"
}
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "AllowECSToWriteLogsToCloudWatchLogs"
}
}
# data.aws_iam_policy_document.loki_storage will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "loki_storage" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
+ (known after apply),
]
+ sid = "AllowLokiStorageChunksS3"
}
}
# aws_alb.nginx_ingress will be created
+ resource "aws_alb" "nginx_ingress" {
+ arn = (known after apply)
+ arn_suffix = (known after apply)
+ desync_mitigation_mode = "defensive"
+ dns_name = (known after apply)
+ drop_invalid_header_fields = true
+ enable_deletion_protection = false
+ enable_http2 = true
+ enable_tls_version_and_cipher_suite_headers = false
+ enable_waf_fail_open = false
+ enable_xff_client_port = false
+ id = (known after apply)
+ idle_timeout = 60
+ internal = false
+ ip_address_type = (known after apply)
+ load_balancer_type = "application"
+ name = "nginx-ingress"
+ preserve_host_header = false
+ security_groups = (known after apply)
+ subnets = (known after apply)
+ tags_all = (known after apply)
+ vpc_id = (known after apply)
+ xff_header_processing_mode = "append"
+ zone_id = (known after apply)
+ access_logs {
+ bucket = (known after apply)
+ enabled = true
+ prefix = "alb"
}
+ subnet_mapping (known after apply)
}
# aws_alb_listener.https will be created
+ resource "aws_alb_listener" "https" {
+ arn = (known after apply)
+ certificate_arn = (known after apply)
+ id = (known after apply)
+ load_balancer_arn = (known after apply)
+ port = 443
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-FS-1-2-2019-08"
+ tags_all = (known after apply)
+ default_action {
+ order = (known after apply)
+ type = "fixed-response"
+ fixed_response {
+ content_type = "text/plain"
+ status_code = "404"
}
}
}
# aws_alb_listener.nginx_ingress will be created
+ resource "aws_alb_listener" "nginx_ingress" {
+ arn = (known after apply)
+ id = (known after apply)
+ load_balancer_arn = (known after apply)
+ port = 80
+ protocol = "HTTP"
+ ssl_policy = (known after apply)
+ tags_all = (known after apply)
+ default_action {
+ order = (known after apply)
+ type = "redirect"
+ redirect {
+ host = "#{host}"
+ path = "/#{path}"
+ port = "443"
+ protocol = "HTTPS"
+ query = "#{query}"
+ status_code = "HTTP_301"
}
}
}
# aws_alb_listener_rule.nginx_ingress will be created
+ resource "aws_alb_listener_rule" "nginx_ingress" {
+ arn = (known after apply)
+ id = (known after apply)
+ listener_arn = (known after apply)
+ priority = (known after apply)
+ tags_all = (known after apply)
+ action {
+ order = (known after apply)
+ target_group_arn = (known after apply)
+ type = "forward"
}
+ condition {
+ host_header {
+ values = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
}
}
}
# aws_alb_target_group.nginx_ingress will be created
+ resource "aws_alb_target_group" "nginx_ingress" {
+ arn = (known after apply)
+ arn_suffix = (known after apply)
+ connection_termination = false
+ deregistration_delay = "300"
+ id = (known after apply)
+ ip_address_type = (known after apply)
+ lambda_multi_value_headers_enabled = false
+ load_balancing_algorithm_type = (known after apply)
+ load_balancing_cross_zone_enabled = (known after apply)
+ name = (known after apply)
+ name_prefix = "nginx"
+ port = 30080
+ preserve_client_ip = (known after apply)
+ protocol = "HTTP"
+ protocol_version = (known after apply)
+ proxy_protocol_v2 = false
+ slow_start = 0
+ tags_all = (known after apply)
+ target_type = "instance"
+ vpc_id = (known after apply)
+ health_check {
+ enabled = true
+ healthy_threshold = 5
+ interval = 30
+ matcher = "200"
+ path = "/healthz"
+ port = "traffic-port"
+ protocol = "HTTP"
+ timeout = 5
+ unhealthy_threshold = 2
}
+ stickiness (known after apply)
+ target_failover (known after apply)
}
# aws_budgets_budget.cost will be created
+ resource "aws_budgets_budget" "cost" {
+ account_id = (known after apply)
+ arn = (known after apply)
+ budget_type = "COST"
+ cost_filters = (known after apply)
+ id = (known after apply)
+ limit_amount = "100"
+ limit_unit = "USD"
+ name = "overall-cost"
+ name_prefix = (known after apply)
+ time_period_end = "2087-06-15_00:00"
+ time_period_start = (known after apply)
+ time_unit = "MONTHLY"
+ cost_filter (known after apply)
+ cost_types (known after apply)
+ notification {
+ comparison_operator = "GREATER_THAN"
+ notification_type = "ACTUAL"
+ subscriber_email_addresses = [
+ "[email protected]",
]
+ subscriber_sns_topic_arns = []
+ threshold = 90
+ threshold_type = "PERCENTAGE"
}
}
# aws_cloudtrail.main will be created
+ resource "aws_cloudtrail" "main" {
+ arn = (known after apply)
+ enable_log_file_validation = true
+ enable_logging = true
+ home_region = (known after apply)
+ id = (known after apply)
+ include_global_service_events = true
+ is_multi_region_trail = true
+ is_organization_trail = false
+ name = "complete-example-main"
+ s3_bucket_name = (known after apply)
+ tags_all = (known after apply)
}
# aws_cloudwatch_log_group.command_execution will be created
+ resource "aws_cloudwatch_log_group" "command_execution" {
+ arn = (known after apply)
+ id = (known after apply)
+ kms_key_id = (known after apply)
+ name = "ecs-command-execution"
+ name_prefix = (known after apply)
+ retention_in_days = 30
+ skip_destroy = false
+ tags_all = (known after apply)
}
# aws_cloudwatch_log_group.loki will be created
+ resource "aws_cloudwatch_log_group" "loki" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "loki"
+ name_prefix = (known after apply)
+ retention_in_days = 30
+ skip_destroy = false
+ tags_all = (known after apply)
}
# aws_ecr_repository.grafana will be created
+ resource "aws_ecr_repository" "grafana" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "MUTABLE"
+ name = "grafana"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags_all = (known after apply)
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# aws_ecs_cluster.grafana will be created
+ resource "aws_ecs_cluster" "grafana" {
+ arn = (known after apply)
+ capacity_providers = (known after apply)
+ id = (known after apply)
+ name = "grafana"
+ tags = {
+ "ManagedBy" = "Terraform"
+ "Name" = "grafana"
}
+ tags_all = {
+ "ManagedBy" = "Terraform"
+ "Name" = "grafana"
}
+ configuration {
+ execute_command_configuration {
+ kms_key_id = (known after apply)
+ logging = "OVERRIDE"
+ log_configuration {
+ cloud_watch_encryption_enabled = true
+ cloud_watch_log_group_name = "ecs-command-execution"
}
}
}
+ default_capacity_provider_strategy (known after apply)
+ setting {
+ name = "containerInsights"
+ value = "enabled"
}
}
# aws_ecs_service.loki will be created
+ resource "aws_ecs_service" "loki" {
+ cluster = "grafana"
+ deployment_maximum_percent = 200
+ deployment_minimum_healthy_percent = 100
+ desired_count = 1
+ enable_ecs_managed_tags = false
+ enable_execute_command = true
+ iam_role = (known after apply)
+ id = (known after apply)
+ launch_type = "FARGATE"
+ name = "loki"
+ platform_version = (known after apply)
+ scheduling_strategy = "REPLICA"
+ tags_all = (known after apply)
+ task_definition = (known after apply)
+ triggers = (known after apply)
+ wait_for_steady_state = false
+ network_configuration {
+ assign_public_ip = false
+ security_groups = (known after apply)
+ subnets = (known after apply)
}
+ service_registries {
+ registry_arn = (known after apply)
}
}
# aws_ecs_task_definition.loki will be created
+ resource "aws_ecs_task_definition" "loki" {
+ arn = (known after apply)
+ arn_without_revision = (known after apply)
+ container_definitions = jsonencode(
[
+ {
+ essential = true
+ image = "175912345102.dkr.ecr.eu-west-1.amazonaws.com/grafana:loki-2.6.1-arm64"
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = "loki"
+ awslogs-region = "eu-west-1"
+ awslogs-stream-prefix = "loki"
}
}
+ name = "loki"
+ portMappings = [
+ {
+ containerPort = 3100
+ hostPort = 3100
+ protocol = "tcp"
},
]
},
]
)
+ cpu = "4096"
+ execution_role_arn = (known after apply)
+ family = "loki_task_definition"
+ id = (known after apply)
+ memory = "8192"
+ network_mode = "awsvpc"
+ requires_compatibilities = [
+ "FARGATE",
]
+ revision = (known after apply)
+ skip_destroy = false
+ tags_all = (known after apply)
+ task_role_arn = (known after apply)
+ runtime_platform {
+ cpu_architecture = "ARM64"
}
}
# aws_elasticache_parameter_group.redis will be created
+ resource "aws_elasticache_parameter_group" "redis" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ family = "redis6.x"
+ id = (known after apply)
+ name = "redis6-x"
+ tags_all = (known after apply)
+ parameter {
+ name = "activerehashing"
+ value = "yes"
}
}
# aws_elasticache_replication_group.redis will be created
+ resource "aws_elasticache_replication_group" "redis" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ at_rest_encryption_enabled = (known after apply)
+ auto_minor_version_upgrade = (known after apply)
+ automatic_failover_enabled = true
+ cluster_enabled = (known after apply)
+ configuration_endpoint_address = (known after apply)
+ data_tiering_enabled = (known after apply)
+ description = "redis cluster"
+ engine = "redis"
+ engine_version = "6.2"
+ engine_version_actual = (known after apply)
+ global_replication_group_id = (known after apply)
+ id = (known after apply)
+ maintenance_window = (known after apply)
+ member_clusters = (known after apply)
+ multi_az_enabled = false
+ node_type = "cache.t4g.small"
+ num_cache_clusters = 2
+ num_node_groups = (known after apply)
+ number_cache_clusters = (known after apply)
+ parameter_group_name = "redis6-x"
+ port = 6379
+ preferred_cache_cluster_azs = [
+ "eu-west-1a",
+ "eu-west-1b",
]
+ primary_endpoint_address = (known after apply)
+ reader_endpoint_address = (known after apply)
+ replicas_per_node_group = (known after apply)
+ replication_group_description = (known after apply)
+ replication_group_id = "*************"
+ security_group_ids = (known after apply)
+ security_group_names = (known after apply)
+ snapshot_window = (known after apply)
+ subnet_group_name = "complete-example-main-vpc"
+ tags_all = (known after apply)
+ transit_encryption_enabled = (known after apply)
+ cluster_mode (known after apply)
}
# aws_iam_group.eks_access_administrator will be created
+ resource "aws_iam_group" "eks_access_administrator" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "eks-administrators"
+ path = "/"
+ unique_id = (known after apply)
}
# aws_iam_group_policy_attachment.eks_access_administrator will be created
+ resource "aws_iam_group_policy_attachment" "eks_access_administrator" {
+ group = "eks-administrators"
+ id = (known after apply)
+ policy_arn = (known after apply)
}
# aws_iam_policy.eks_access_administrator_allow_assume will be created
+ resource "aws_iam_policy" "eks_access_administrator_allow_assume" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "eks_administrator_allow_assume"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = (known after apply)
+ policy_id = (known after apply)
+ tags_all = (known after apply)
}
# aws_iam_policy.eks_kubeconfig will be created
+ resource "aws_iam_policy" "eks_kubeconfig" {
+ arn = (known after apply)
+ description = "allow obtaining of kubeconfig for all EKS clusters"
+ id = (known after apply)
+ name = "eks_kubeconfig"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "eks:DescribeCluster",
]
+ Effect = "Allow"
+ Resource = [
+ "*",
]
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = (known after apply)
}
# aws_iam_role.eks_access_administrator will be created
+ resource "aws_iam_role" "eks_access_administrator" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = [
+ "arn:aws:iam::175912345102:root",
]
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "eks_administrator"
+ name_prefix = (known after apply)
+ path = "/"
+ role_last_used = (known after apply)
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role.loki_ecs_task will be created
+ resource "aws_iam_role" "loki_ecs_task" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
}
+ Sid = "AllowECSTasksToAssumeRole"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "loki-ecs-task"
+ name_prefix = (known after apply)
+ path = "/"
+ role_last_used = (known after apply)
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role.loki_ecs_task_execution will be created
+ resource "aws_iam_role" "loki_ecs_task_execution" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ecs-tasks.amazonaws.com"
}
+ Sid = "AllowECSTasksToAssumeRole"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "loki-ecs-task-execution"
+ name_prefix = (known after apply)
+ path = "/"
+ role_last_used = (known after apply)
+ tags_all = (known after apply)
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# aws_iam_role_policy.loki_ecs_task_command_exec will be created
+ resource "aws_iam_role_policy" "loki_ecs_task_command_exec" {
+ id = (known after apply)
+ name = "loki-ecs-command-exec"
+ policy = (known after apply)
+ role = "loki-ecs-task"
}
# aws_iam_role_policy.loki_ecs_task_execution will be created
+ resource "aws_iam_role_policy" "loki_ecs_task_execution" {
+ id = (known after apply)
+ name = "loki-ecs-task-execution"
+ policy = (known after apply)
+ role = "loki-ecs-task-execution"
}
# aws_iam_role_policy.loki_storage will be created
+ resource "aws_iam_role_policy" "loki_storage" {
+ id = (known after apply)
+ name = "loki-storage-access"
+ policy = (known after apply)
+ role = "loki-ecs-task"
}
# aws_iam_role_policy_attachment.eks_access_administrator_kubeconfig will be created
+ resource "aws_iam_role_policy_attachment" "eks_access_administrator_kubeconfig" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "eks_administrator"
}
# aws_iam_role_policy_attachment.loki_ecs_task_execution will be created
+ resource "aws_iam_role_policy_attachment" "loki_ecs_task_execution" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+ role = "loki-ecs-task-execution"
}
# aws_kms_key.main will be created
+ resource "aws_kms_key" "main" {
+ arn = (known after apply)
+ bypass_policy_lockout_safety_check = false
+ customer_master_key_spec = "*****************"
+ deletion_window_in_days = 10
+ description = "Shared KMS key"
+ enable_key_rotation = true
+ id = (known after apply)
+ is_enabled = true
+ key_id = (known after apply)
+ key_usage = "ENCRYPT_DECRYPT"
+ multi_region = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::175912345102:root"
}
+ Resource = "*"
+ Sid = "Allow everything in this AWS account to use this KMS key"
},
+ {
+ Action = [
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:Encrypt*",
+ "kms:Describe*",
+ "kms:Decrypt*",
]
+ Effect = "Allow"
+ Principal = {
+ Service = "logs.eu-west-1.amazonaws.com"
}
+ Resource = "*"
+ Sid = "Allow cloudwatch log group encryption"
},
]
+ Version = "2012-10-17"
}
)
+ tags_all = (known after apply)
}
# aws_route53_record.api["A"] will be created
+ resource "aws_route53_record" "api" {
+ allow_overwrite = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = "api.terraform.pipetail.cloud"
+ type = "A"
+ zone_id = "********************"
+ alias {
+ evaluate_target_health = false
+ name = (known after apply)
+ zone_id = (known after apply)
}
}
# aws_route53_record.api["AAAA"] will be created
+ resource "aws_route53_record" "api" {
+ allow_overwrite = (known after apply)
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = "api.terraform.pipetail.cloud"
+ type = "AAAA"
+ zone_id = "********************"
+ alias {
+ evaluate_target_health = false
+ name = (known after apply)
+ zone_id = (known after apply)
}
}
# aws_s3_bucket.cloudtrail will be created
+ resource "aws_s3_bucket" "cloudtrail" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "complete-example-cloudtrail"
+ bucket_domain_name = (known after apply)
+ bucket_prefix = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = true
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ cors_rule (known after apply)
+ grant (known after apply)
+ lifecycle_rule (known after apply)
+ logging (known after apply)
+ object_lock_configuration (known after apply)
+ replication_configuration (known after apply)
+ server_side_encryption_configuration (known after apply)
+ versioning (known after apply)
+ website (known after apply)
}
# aws_s3_bucket_policy.cloudtrail will be created
+ resource "aws_s3_bucket_policy" "cloudtrail" {
+ bucket = (known after apply)
+ id = (known after apply)
+ policy = (known after apply)
}
# aws_s3_bucket_public_access_block.cloudtrail will be created
+ resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
# aws_s3_bucket_server_side_encryption_configuration.cloudtrail will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
+ bucket = "complete-example-cloudtrail"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
# (1 unchanged attribute hidden)
}
}
}
# aws_service_discovery_private_dns_namespace.loki will be created
+ resource "aws_service_discovery_private_dns_namespace" "loki" {
+ arn = (known after apply)
+ description = "Service discovery local domain for grafana loki"
+ hosted_zone = (known after apply)
+ id = (known after apply)
+ name = "grafana.local"
+ tags_all = (known after apply)
+ vpc = (known after apply)
}
# aws_service_discovery_service.loki will be created
+ resource "aws_service_discovery_service" "loki" {
+ arn = (known after apply)
+ force_destroy = false
+ id = (known after apply)
+ name = "loki"
+ namespace_id = (known after apply)
+ tags_all = (known after apply)
+ type = (known after apply)
+ dns_config {
+ namespace_id = (known after apply)
+ routing_policy = "MULTIVALUE"
+ dns_records {
+ ttl = 10
+ type = "A"
}
}
}
# helm_release.nginx_ingress will be created
+ resource "helm_release" "nginx_ingress" {
+ atomic = true
+ chart = "ingress-nginx"
+ cleanup_on_fail = false
+ create_namespace = true
+ dependency_update = false
+ disable_crd_hooks = false
+ disable_openapi_validation = false
+ disable_webhooks = false
+ force_update = false
+ id = (known after apply)
+ lint = false
+ manifest = (known after apply)
+ max_history = 0
+ metadata = (known after apply)
+ name = "nginx-ingress"
+ namespace = "nginx-ingress"
+ pass_credentials = false
+ recreate_pods = false
+ render_subchart_notes = true
+ replace = false
+ repository = "https://kubernetes.github.io/ingress-nginx"
+ reset_values = false
+ reuse_values = false
+ skip_crds = false
+ status = "deployed"
+ timeout = 300
+ values = [
+ <<-EOT
controller:
replicaCount: 3
resources:
limits:
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: "10254"
prometheus.io/scheme: "http"
log: "true"
podLabels:
app: nginx-ingress
release: nginx-prod
ingressClass: "nginx"
publishService:
enabled: true
metrics:
enabled: true
service:
externalTrafficPolicy: Cluster
type: NodePort
nodePorts:
http: 30080
https: 30443
admissionWebhooks:
enabled: false
config:
proxy-body-size: "500M"
proxy-buffer-size: "256k"
use-forwarded-headers: "true"
client-header-buffer-size: "256k"
defaultBackend:
enabled: true
EOT,
]
+ verify = false
+ version = "4.6.1"
+ wait = true
+ wait_for_jobs = false
}
# module.certificate.aws_acm_certificate.main will be created
+ resource "aws_acm_certificate" "main" {
+ arn = (known after apply)
+ domain_name = "*.terraform.pipetail.cloud"
+ domain_validation_options = [
+ {
+ domain_name = "*.terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
+ {
+ domain_name = "terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ key_algorithm = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ pending_renewal = (known after apply)
+ renewal_eligibility = (known after apply)
+ renewal_summary = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
+ tags_all = (known after apply)
+ type = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
+ options (known after apply)
}
# module.certificate.aws_acm_certificate.virginia will be created
+ resource "aws_acm_certificate" "virginia" {
+ arn = (known after apply)
+ domain_name = "*.terraform.pipetail.cloud"
+ domain_validation_options = [
+ {
+ domain_name = "*.terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
+ {
+ domain_name = "terraform.pipetail.cloud"
+ resource_record_name = (known after apply)
+ resource_record_type = (known after apply)
+ resource_record_value = (known after apply)
},
]
+ id = (known after apply)
+ key_algorithm = (known after apply)
+ not_after = (known after apply)
+ not_before = (known after apply)
+ pending_renewal = (known after apply)
+ renewal_eligibility = (known after apply)
+ renewal_summary = (known after apply)
+ status = (known after apply)
+ subject_alternative_names = [
+ "*.terraform.pipetail.cloud",
+ "terraform.pipetail.cloud",
]
+ tags_all = (known after apply)
+ type = (known after apply)
+ validation_emails = (known after apply)
+ validation_method = "DNS"
+ options (known after apply)
}
# module.certificate.aws_acm_certificate_validation.main will be created
+ resource "aws_acm_certificate_validation" "main" {
+ certificate_arn = (known after apply)
+ id = (known after apply)
+ validation_record_fqdns = (known after apply)
}
# module.certificate.aws_route53_record.validation["*.terraform.pipetail.cloud"] will be created
+ resource "aws_route53_record" "validation" {
+ allow_overwrite = true
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ records = (known after apply)
+ ttl = 60
+ type = (known after apply)
+ zone_id = "********************"
}
# module.certificate.aws_route53_record.validation["terraform.pipetail.cloud"] will be created
+ resource "aws_route53_record" "validation" {
+ allow_overwrite = true
+ fqdn = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ records = (known after apply)
+ ttl = 60
+ type = (known after apply)
+ zone_id = "********************"
}
# module.eks.aws_kms_alias.secrets_encryption will be created
+ resource "aws_kms_alias" "secrets_encryption" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "alias/eks_complete-example-prod_encryption"
+ name_prefix = (known after apply)
+ target_key_arn = (known after apply)
+ target_key_id = (known after apply)
}
# module.eks.aws_security_group_rule.eks_workers_to_eks_workers_all will be created
+ resource "aws_security_group_rule" "eks_workers_to_eks_workers_all" {
+ description = "EKS between workers all traffic"
+ from_port = 0
+ id = (known after apply)
+ protocol = "-1"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ self = false
+ source_security_group_id = (known after apply)
+ to_port = 0
+ type = "ingress"
}
# module.eks.aws_security_group_rule.ingress["http"] will be created
+ resource "aws_security_group_rule" "ingress" {
+ description = "Ingress to EKS Worker nodes"
+ from_port = 30080
+ id = (known after apply)
+ protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ self = false
+ source_security_group_id = (known after apply)
+ to_port = 30080
+ type = "ingress"
}
# module.eks.aws_security_group_rule.ingress["https"] will be created
+ resource "aws_security_group_rule" "ingress" {
+ description = "Ingress to EKS Worker nodes"
+ from_port = 30443
+ id = (known after apply)
+ protocol = "tcp"
+ security_group_id = (known after apply)
+ security_group_rule_id = (known after apply)
+ self = false
+ source_security_group_id = (known after apply)
+ to_port = 30443
+ type = "ingress"
}
# module.elb_logs.data.aws_iam_policy_document.combined[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "combined" {
+ id = (known after apply)
+ json = (known after apply)
+ source_policy_documents = (known after apply)
}
# module.elb_logs.data.aws_iam_policy_document.deny_insecure_transport[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "deny_insecure_transport" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:*",
]
+ effect = "Deny"
+ resources = [
+ (known after apply),
+ (known after apply),
]
+ sid = "denyInsecureTransport"
+ condition {
+ test = "Bool"
+ values = [
+ "false",
]
+ variable = "aws:SecureTransport"
}
+ principals {
+ identifiers = [
+ "*",
]
+ type = "*"
}
}
}
# module.elb_logs.data.aws_iam_policy_document.elb_log_delivery[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "elb_log_delivery" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:PutObject",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "ELBRegionEu-West-1"
+ principals {
+ identifiers = [
+ "arn:aws:iam::156460612806:root",
]
+ type = "AWS"
}
}
+ statement {
+ actions = [
+ "s3:PutObject",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
# (1 unchanged attribute hidden)
+ principals {
+ identifiers = [
+ "logdelivery.elasticloadbalancing.amazonaws.com",
]
+ type = "Service"
}
}
}
# module.elb_logs.aws_s3_bucket.this[0] will be created
+ resource "aws_s3_bucket" "this" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "complete-example-elb-logs"
+ bucket_domain_name = (known after apply)
+ bucket_prefix = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = true
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = false
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)
+ cors_rule (known after apply)
+ grant (known after apply)
+ lifecycle_rule (known after apply)
+ logging (known after apply)
+ object_lock_configuration (known after apply)
+ replication_configuration (known after apply)
+ server_side_encryption_configuration (known after apply)
+ versioning (known after apply)
+ website (known after apply)
}
# module.elb_logs.aws_s3_bucket_acl.this[0] will be created
+ resource "aws_s3_bucket_acl" "this" {
+ acl = "log-delivery-write"
+ bucket = (known after apply)
+ id = (known after apply)
+ access_control_policy (known after apply)
}
# module.elb_logs.aws_s3_bucket_ownership_controls.this[0] will be created
+ resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ object_ownership = "ObjectWriter"
}
}
# module.elb_logs.aws_s3_bucket_policy.this[0] will be created
+ resource "aws_s3_bucket_policy" "this" {
+ bucket = (known after apply)
+ id = (known after apply)
+ policy = (known after apply)
}
# module.elb_logs.aws_s3_bucket_public_access_block.this[0] will be created
+ resource "aws_s3_bucket_public_access_block" "this" {
+ block_public_acls = true
+ block_public_policy = true
+ bucket = (known after apply)
+ id = (known after apply)
+ ignore_public_acls = true
+ restrict_public_buckets = true
}
# module.elb_logs.aws_s3_bucket_server_side_encryption_configuration.this[0] will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+ bucket = (known after apply)
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
# (1 unchanged attribute hidden)
}
}
}
# module.loki_storage.aws_s3_bucket.this[0] will be created
+ resource "aws_s3_bucket" "this" {
+ acceleration_status = (known after apply)
+ acl = (known after apply)
+ arn = (known after apply)
+ bucket = "complete-example-loki-data"
+ bucket_domain_name = (known after apply)
Plan is too large to fit in a PR comment. See the full plan in the workflow log.📝 Plan generated in terraform-plan-05-aws-complete #165 |
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
9baac46
to
5d53717
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
5d53717
to
7ea1cc2
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
7ea1cc2
to
b8d3649
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
b8d3649
to
bbf47a6
Compare
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
bbf47a6
to
31b72b9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
31b72b9
to
5816382
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
5816382
to
1acf6a3
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/google-github-actions-auth-digest
branch
from
1acf6a3
to
3c42c82
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
67e9c72->6fc4af4Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.