Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: 5261 provision prod account #431

Merged
merged 8 commits into from
Nov 7, 2024
Merged

Conversation

Wi11Shell
Copy link
Contributor

@Wi11Shell Wi11Shell commented Nov 5, 2024

Description

Related issue: https://dvsa.atlassian.net/browse/VOL-5261

Before submitting (or marking as "ready for review")

  • Does the pull request title follow the conventional commit specification?
  • Have you performed a self-review of the code
  • Have you have added tests that prove the fix or feature is effective and working
  • Did you make sure to update any documentation relating to this change?

@Wi11Shell Wi11Shell requested a review from a team as a code owner November 5, 2024 12:43
Copy link
Contributor

github-actions bot commented Nov 6, 2024

Terraform plan for account: prod

Commit: 7679d72

Plan summary

32 to add, 6 to change, 0 to destroy

🆕 Creates

module.account.aws_s3_bucket_policy.bucket_policy
module.account.aws_signer_signing_profile.this
module.account.module.assets[0].aws_s3_bucket.this[0]
module.account.module.assets[0].aws_s3_bucket_public_access_block.this[0]
module.account.module.ecr["api"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["api"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["api"].aws_ecr_repository.this[0]
module.account.module.ecr["api"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["cli"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["cli"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["cli"].aws_ecr_repository.this[0]
module.account.module.ecr["cli"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["internal"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["internal"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["internal"].aws_ecr_repository.this[0]
module.account.module.ecr["internal"].aws_ecr_repository_policy.this[0]
module.account.module.ecr["selfserve"].aws_ecr_lifecycle_policy.this[0]
module.account.module.ecr["selfserve"].aws_ecr_registry_scanning_configuration.this[0]
module.account.module.ecr["selfserve"].aws_ecr_repository.this[0]
module.account.module.ecr["selfserve"].aws_ecr_repository_policy.this[0]
module.environment-remote-state["prep"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0]
module.environment-remote-state["prep"].module.dynamodb_table.aws_dynamodb_table.this[0]
module.environment-remote-state["prod"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0]
module.environment-remote-state["prod"].module.dynamodb_table.aws_dynamodb_table.this[0]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role.this[0]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["DynamodbStateLock"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["PrepDynamodbStateLock"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ProdDynamodbStateLock"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ReadOnlyAccess"]
module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["S3StateLock"]
module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role.this[0]
module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role_policy_attachment.this["AdministratorAccess"]

📖 Reads

module.account.data.aws_iam_policy_document.s3_policy
module.account.module.ecr["api"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["cli"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["internal"].data.aws_iam_policy_document.repository[0]
module.account.module.ecr["selfserve"].data.aws_iam_policy_document.repository[0]
module.account-remote-state.module.s3[0].data.aws_iam_policy_document.combined[0]
module.account-remote-state.module.s3[0].data.aws_iam_policy_document.deny_insecure_transport[0]

🔄 Updates

module.account-remote-state.module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0]
module.account-remote-state.module.dynamodb_table.aws_dynamodb_table.this[0]
module.account-remote-state.module.s3[0].aws_s3_bucket.this[0]
module.account-remote-state.module.s3[0].aws_s3_bucket_policy.this[0]
module.account-remote-state.module.s3_state_policy[0].aws_iam_policy.policy[0]
module.account.module.github[0].module.iam_github_oidc_provider[0].aws_iam_openid_connect_provider.this[0]

Show full plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # module.account.data.aws_iam_policy_document.s3_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "s3_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:GetObject",
            ]
          + resources = [
              + (known after apply),
            ]

          + principals {
              + identifiers = [
                  + "cloudfront.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.account.aws_s3_bucket_policy.bucket_policy will be created
  + resource "aws_s3_bucket_policy" "bucket_policy" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # module.account.aws_signer_signing_profile.this will be created
  + resource "aws_signer_signing_profile" "this" {
      + arn                   = (known after apply)
      + id                    = (known after apply)
      + name                  = (known after apply)
      + name_prefix           = "vol_app_"
      + platform_display_name = (known after apply)
      + platform_id           = "Notation-OCI-SHA384-ECDSA"
      + revocation_record     = (known after apply)
      + status                = (known after apply)
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + version               = (known after apply)
      + version_arn           = (known after apply)

      + signature_validity_period (known after apply)

      + signing_material (known after apply)
    }

  # module.account.module.assets[0].aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "vol-app-assets"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = false
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # module.account.module.assets[0].aws_s3_bucket_public_access_block.this[0] will be created
  + resource "aws_s3_bucket_public_access_block" "this" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = (known after apply)
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.account.module.ecr["api"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["api"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/api"
    }

  # module.account.module.ecr["api"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["api"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/api"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["api"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/api"
    }

  # module.account.module.ecr["cli"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/cli"
    }

  # module.account.module.ecr["cli"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/cli"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["cli"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/cli"
    }

  # module.account.module.ecr["internal"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/internal"
    }

  # module.account.module.ecr["internal"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/internal"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["internal"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/internal"
    }

  # module.account.module.ecr["selfserve"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions = [
              + "ecr:CompleteLayerUpload",
              + "ecr:InitiateLayerUpload",
              + "ecr:PutImage",
              + "ecr:UploadLayerPart",
            ]
          + sid     = "ReadWrite"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 release images"
                      + rulePriority = 10
                      + selection    = {
                          + countNumber    = 5
                          + countType      = "imageCountMoreThan"
                          + tagPatternList = [
                              + "*.*.*",
                            ]
                          + tagStatus      = "tagged"
                        }
                    },
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 5 non-release images"
                      + rulePriority = 20
                      + selection    = {
                          + countNumber = 5
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "vol-app/selfserve"
    }

  # module.account.module.ecr["selfserve"].aws_ecr_registry_scanning_configuration.this[0] will be created
  + resource "aws_ecr_registry_scanning_configuration" "this" {
      + id          = (known after apply)
      + registry_id = (known after apply)
      + scan_type   = "ENHANCED"

      + rule {
          + scan_frequency = "SCAN_ON_PUSH"

          + repository_filter {
              + filter      = "*"
              + filter_type = "WILDCARD"
            }
        }
      + rule {
          + scan_frequency = "CONTINUOUS_SCAN"

          + repository_filter {
              + filter      = "*.*.*"
              + filter_type = "WILDCARD"
            }
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "IMMUTABLE"
      + name                 = "vol-app/selfserve"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.account.module.ecr["selfserve"].aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + registry_id = (known after apply)
      + repository  = "vol-app/selfserve"
    }

  # module.account-remote-state.module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy")
  ~ resource "aws_iam_policy" "policy" {
        arn              = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
        attachment_count = 0
        description      = "Policy to allow access to the Terraform state lock"
        id               = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
        name             = "vol-app-146997448015-terraform-state-lock-policy"
        name_prefix      = null
        path             = "/"
        policy           = jsonencode(
            {
                Statement = [
                    {
                        Action   = [
                            "dynamodb:DescribeTable",
                            "dynamodb:GetItem",
                            "dynamodb:PutItem",
                            "dynamodb:DeleteItem",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:dynamodb:eu-west-1:146997448015:table/vol-app-146997448015-terraform-state-lock"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        policy_id        = "ANPASEON3BVH4VZQ4MXXW"
        tags             = {}
      ~ tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.account-remote-state.module.dynamodb_table.aws_dynamodb_table.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state-lock")
  ~ resource "aws_dynamodb_table" "this" {
        arn                         = "arn:aws:dynamodb:eu-west-1:146997448015:table/vol-app-146997448015-terraform-state-lock"
        billing_mode                = "PAY_PER_REQUEST"
        deletion_protection_enabled = false
        hash_key                    = "LockID"
        id                          = "vol-app-146997448015-terraform-state-lock"
        name                        = "vol-app-146997448015-terraform-state-lock"
        read_capacity               = 0
        stream_arn                  = null
        stream_enabled              = false
        stream_label                = null
        stream_view_type            = null
        table_class                 = "STANDARD"
        tags                        = {
            "Name" = "vol-app-146997448015-terraform-state-lock"
        }
      ~ tags_all                    = {
            "Name"       = "vol-app-146997448015-terraform-state-lock"
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
        write_capacity              = 0

        attribute {
            name = "LockID"
            type = "S"
        }

        point_in_time_recovery {
            enabled = false
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

        ttl {
            attribute_name = null
            enabled        = false
        }
    }

  # module.account-remote-state.module.s3[0].data.aws_iam_policy_document.combined[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "combined" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = (known after apply)
    }

  # module.account-remote-state.module.s3[0].data.aws_iam_policy_document.deny_insecure_transport[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "deny_insecure_transport" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Deny"
          + resources = [
              + "arn:aws:s3:::vol-app-146997448015-terraform-state",
              + "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
            ]
          + sid       = "denyInsecureTransport"

          + condition {
              + test     = "Bool"
              + values   = [
                  + "false",
                ]
              + variable = "aws:SecureTransport"
            }

          + principals {
              + identifiers = [
                  + "*",
                ]
              + type        = "*"
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state")
  ~ resource "aws_s3_bucket" "this" {
        acceleration_status         = null
        arn                         = "arn:aws:s3:::vol-app-146997448015-terraform-state"
        bucket                      = "vol-app-146997448015-terraform-state"
        bucket_domain_name          = "vol-app-146997448015-terraform-state.s3.amazonaws.com"
        bucket_prefix               = null
        bucket_regional_domain_name = "vol-app-146997448015-terraform-state.s3.eu-west-1.amazonaws.com"
      + force_destroy               = false
        hosted_zone_id              = "Z1BKCTXD74EZPE"
        id                          = "vol-app-146997448015-terraform-state"
        object_lock_enabled         = false
        policy                      = jsonencode(
            {
                Statement = [
                    {
                        Action    = "s3:*"
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Deny"
                        Principal = "*"
                        Resource  = [
                            "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
                            "arn:aws:s3:::vol-app-146997448015-terraform-state",
                        ]
                        Sid       = "denyInsecureTransport"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        region                      = "eu-west-1"
        request_payer               = "BucketOwner"
        tags                        = {}
      ~ tags_all                    = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }

        grant {
            id          = "54ab964107a4663cef07947193d5189c97bf2ea3f2cbddd3582edce5684d0155"
            permissions = [
                "FULL_CONTROL",
            ]
            type        = "CanonicalUser"
            uri         = null
        }

        lifecycle_rule {
            abort_incomplete_multipart_upload_days = 0
            enabled                                = true
            id                                     = "lifecycle"
            prefix                                 = null
            tags                                   = {}

            noncurrent_version_expiration {
                days = 90
            }
        }

        server_side_encryption_configuration {
            rule {
                bucket_key_enabled = false

                apply_server_side_encryption_by_default {
                    kms_master_key_id = null
                    sse_algorithm     = "AES256"
                }
            }
        }

        versioning {
            enabled    = true
            mfa_delete = false
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_lifecycle_configuration.this[0] will be imported
    resource "aws_s3_bucket_lifecycle_configuration" "this" {
        bucket                                 = "vol-app-146997448015-terraform-state"
        expected_bucket_owner                  = null
        id                                     = "vol-app-146997448015-terraform-state"
        transition_default_minimum_object_size = "all_storage_classes_128K"

        rule {
            id     = "lifecycle"
            prefix = null
            status = "Enabled"

            filter {
                object_size_greater_than = null
                object_size_less_than    = null
                prefix                   = null
            }

            noncurrent_version_expiration {
                newer_noncurrent_versions = null
                noncurrent_days           = 90
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_ownership_controls.this[0] will be imported
    resource "aws_s3_bucket_ownership_controls" "this" {
        bucket = "vol-app-146997448015-terraform-state"
        id     = "vol-app-146997448015-terraform-state"

        rule {
            object_ownership = "BucketOwnerEnforced"
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_policy.this[0] will be updated in-place
  # (imported from "vol-app-146997448015-terraform-state")
  ~ resource "aws_s3_bucket_policy" "this" {
        bucket = "vol-app-146997448015-terraform-state"
        id     = "vol-app-146997448015-terraform-state"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Condition = {
                          - Bool = {
                              - "aws:SecureTransport" = "false"
                            }
                        }
                      - Effect    = "Deny"
                      - Principal = "*"
                      - Resource  = [
                          - "arn:aws:s3:::vol-app-146997448015-terraform-state/*",
                          - "arn:aws:s3:::vol-app-146997448015-terraform-state",
                        ]
                      - Sid       = "denyInsecureTransport"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_public_access_block.this[0] will be imported
    resource "aws_s3_bucket_public_access_block" "this" {
        block_public_acls       = true
        block_public_policy     = true
        bucket                  = "vol-app-146997448015-terraform-state"
        id                      = "vol-app-146997448015-terraform-state"
        ignore_public_acls      = true
        restrict_public_buckets = true
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_server_side_encryption_configuration.this[0] will be imported
    resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
        bucket                = "vol-app-146997448015-terraform-state"
        expected_bucket_owner = null
        id                    = "vol-app-146997448015-terraform-state"

        rule {
            bucket_key_enabled = false

            apply_server_side_encryption_by_default {
                kms_master_key_id = null
                sse_algorithm     = "AES256"
            }
        }
    }

  # module.account-remote-state.module.s3[0].aws_s3_bucket_versioning.this[0] will be imported
    resource "aws_s3_bucket_versioning" "this" {
        bucket                = "vol-app-146997448015-terraform-state"
        expected_bucket_owner = null
        id                    = "vol-app-146997448015-terraform-state"

        versioning_configuration {
            mfa_delete = null
            status     = "Enabled"
        }
    }

  # module.account-remote-state.module.s3_state_policy[0].aws_iam_policy.policy[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy")
  ~ resource "aws_iam_policy" "policy" {
        arn              = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
        attachment_count = 0
        description      = "Policy to allow access to the Terraform state in S3"
        id               = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
        name             = "vol-app-146997448015-terraform-state-policy"
        name_prefix      = null
        path             = "/"
        policy           = jsonencode(
            {
                Statement = [
                    {
                        Action   = [
                            "s3:GetObject",
                            "s3:PutObject",
                            "s3:ListBucket",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:s3:::vol-app-146997448015-terraform-state"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        policy_id        = "ANPASEON3BVH3MNJOTWE7"
        tags             = {}
      ~ tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.environment-remote-state["prep"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0] will be created
  + resource "aws_iam_policy" "policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy to allow access to the Terraform state lock"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prep-terraform-state-lock-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.environment-remote-state["prep"].module.dynamodb_table.aws_dynamodb_table.this[0] will be created
  + resource "aws_dynamodb_table" "this" {
      + arn              = (known after apply)
      + billing_mode     = "PAY_PER_REQUEST"
      + hash_key         = "LockID"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prep-terraform-state-lock"
      + read_capacity    = (known after apply)
      + stream_arn       = (known after apply)
      + stream_enabled   = false
      + stream_label     = (known after apply)
      + stream_view_type = (known after apply)
      + tags             = {
          + "Name" = "vol-app-146997448015-prep-terraform-state-lock"
        }
      + tags_all         = {
          + "Name"       = "vol-app-146997448015-prep-terraform-state-lock"
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + write_capacity   = (known after apply)

      + attribute {
          + name = "LockID"
          + type = "S"
        }

      + point_in_time_recovery {
          + enabled = false
        }

      + server_side_encryption {
          + enabled     = false
          + kms_key_arn = (known after apply)
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

      + ttl {
          + enabled        = false
            # (1 unchanged attribute hidden)
        }
    }

  # module.environment-remote-state["prod"].module.dynamodb_state_lock_policy[0].aws_iam_policy.policy[0] will be created
  + resource "aws_iam_policy" "policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy to allow access to the Terraform state lock"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prod-terraform-state-lock-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
    }

  # module.environment-remote-state["prod"].module.dynamodb_table.aws_dynamodb_table.this[0] will be created
  + resource "aws_dynamodb_table" "this" {
      + arn              = (known after apply)
      + billing_mode     = "PAY_PER_REQUEST"
      + hash_key         = "LockID"
      + id               = (known after apply)
      + name             = "vol-app-146997448015-prod-terraform-state-lock"
      + read_capacity    = (known after apply)
      + stream_arn       = (known after apply)
      + stream_enabled   = false
      + stream_label     = (known after apply)
      + stream_view_type = (known after apply)
      + tags             = {
          + "Name" = "vol-app-146997448015-prod-terraform-state-lock"
        }
      + tags_all         = {
          + "Name"       = "vol-app-146997448015-prod-terraform-state-lock"
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + write_capacity   = (known after apply)

      + attribute {
          + name = "LockID"
          + type = "S"
        }

      + point_in_time_recovery {
          + enabled = false
        }

      + server_side_encryption {
          + enabled     = false
          + kms_key_arn = (known after apply)
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

      + ttl {
          + enabled        = false
            # (1 unchanged attribute hidden)
        }
    }

  # module.account.module.github[0].module.iam_github_oidc_provider[0].aws_iam_openid_connect_provider.this[0] will be updated in-place
  # (imported from "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com")
  ~ resource "aws_iam_openid_connect_provider" "this" {
        arn             = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
        client_id_list  = [
            "sts.amazonaws.com",
        ]
        id              = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
        tags            = {}
      ~ tags_all        = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
        thumbprint_list = [
            "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
            "33e4e80807204c2b6182a3a14b591acd25b5f0db",
            "74f3a68f16524f15424927704c9506f55a9316bd",
            "6938fd4d98bab03faadb97b34396831e3780aea1",
            "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
        ]
        url             = "token.actions.githubusercontent.com"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:AssumeRoleWithWebIdentity",
                        ]
                      + Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                              + "token.actions.githubusercontent.com:iss" = "https://token.actions.githubusercontent.com"
                            }
                          + StringLike                  = {
                              + "token.actions.githubusercontent.com:sub" = [
                                  + "repo:dvsa/vol-app:pull_request",
                                  + "repo:dvsa/vol-app:pull_request",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
                        }
                      + Sid       = "GithubOidcAuth"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "vol-app-github-actions-readonly-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["DynamodbStateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-lock-policy"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["PrepDynamodbStateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ProdDynamodbStateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["ReadOnlyAccess"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_readonly_role[0].aws_iam_role_policy_attachment.this["S3StateLock"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::146997448015:policy/vol-app-146997448015-terraform-state-policy"
      + role       = "vol-app-github-actions-readonly-role"
    }

  # module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:AssumeRoleWithWebIdentity",
                        ]
                      + Condition = {
                          + "ForAllValues:StringEquals" = {
                              + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                              + "token.actions.githubusercontent.com:iss" = "https://token.actions.githubusercontent.com"
                            }
                          + StringLike                  = {
                              + "token.actions.githubusercontent.com:sub" = [
                                  + "repo:dvsa/vol-app:ref:refs/heads/main",
                                  + "repo:dvsa/vol-app:environment:account-prod",
                                  + "repo:dvsa/vol-app:environment:prep",
                                  + "repo:dvsa/vol-app:environment:prod",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::146997448015:oidc-provider/token.actions.githubusercontent.com"
                        }
                      + Sid       = "GithubOidcAuth"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = true
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "vol-app-github-actions-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Repository" = "https://github.com/dvsa/vol-app"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.account.module.github[0].module.iam_github_oidc_role[0].aws_iam_role_policy_attachment.this["AdministratorAccess"] will be created
  + resource "aws_iam_role_policy_attachment" "this" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
      + role       = "vol-app-github-actions-role"
    }

Plan: 11 to import, 32 to add, 6 to change, 0 to destroy.

@Wi11Shell Wi11Shell merged commit 1de9af3 into main Nov 7, 2024
19 checks passed
@Wi11Shell Wi11Shell deleted the 5261-provision-prod-account branch November 7, 2024 13:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants