1/bootstrap and source s3 bucket #14

Merged: 24 commits, Mar 22, 2023

Conversation

TylerHendrickson (Member)

Ticket #1

Description

This PR provisions the S3 bucket specified in #1. Additionally, it provides bootstrapping for this new repository and its deployed service in the following ways:

  • PR and issue templates (using the usdigitalresponse/usdr-gost repo as a starting point)
  • Standard USDR repository license and Code of Conduct
  • CI/CD workflows using GitHub Actions (note that the QA step is currently commented out since there's no runtime code to test yet)
  • Datadog configuration in terraform
  • README with service description and (the beginnings of) documentation for developers, including for LocalStack development.

Testing

Automated and Unit Tests

  • Added Unit tests
    • Technically there are no unit tests, but there is support for tests in the workflows :)

Manual tests for Reviewer

  • Added steps to test feature/functionality manually

Checklist

  • Provided ticket and description
  • Provided testing information
  • Provided adequate test coverage for all new code
  • Added PR reviewers

@TylerHendrickson TylerHendrickson self-assigned this Mar 22, 2023
@TylerHendrickson TylerHendrickson linked an issue Mar 22, 2023 that may be closed by this pull request
github-actions bot commented Mar 22, 2023

Report for project: terraform

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Plan output:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
 <= read (data resources)

Terraform will perform the following actions:

  # aws_scheduler_schedule_group.default[0] will be created
+   resource "aws_scheduler_schedule_group" "default" {
+       arn                    = (known after apply)
+       creation_date          = (known after apply)
+       id                     = (known after apply)
+       last_modification_date = (known after apply)
+       name                   = "grants_ingest-staging"
+       name_prefix            = (known after apply)
+       state                  = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "grants-ingest"
+           "service"    = "grants-ingest"
+           "usage"      = "workload"
        }
    }

  # module.grants_prepared_data_bucket.data.aws_iam_policy_document.aggregated_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "aggregated_policy" {
+       id                        = (known after apply)
+       json                      = (known after apply)
+       override_policy_documents = []
+       source_policy_documents   = [
+           (known after apply),
        ]
    }

  # module.grants_prepared_data_bucket.data.aws_iam_policy_document.bucket_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_policy" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyIncorrectEncryptionHeader"

+           condition {
+               test     = "StringNotEquals"
+               values   = [
+                   "AES256",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyUnEncryptedObjectUploads"

+           condition {
+               test     = "Null"
+               values   = [
+                   "true",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:*",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
+               (known after apply),
            ]
+           sid       = "ForceSSLOnlyAccess"

+           condition {
+               test     = "Bool"
+               values   = [
+                   "false",
                ]
+               variable = "aws:SecureTransport"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket.default[0] will be created
+   resource "aws_s3_bucket" "default" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "grantsingest-staging-grantsprepareddata-357150818708-us-west-2"
+       bucket_domain_name          = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = false
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = false
+       policy                      = (known after apply)
+       region                      = (known after apply)
+       request_payer               = (known after apply)
+       tags                        = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-grantsprepareddata-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
        }
+       tags_all                    = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-grantsprepareddata-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "grants-ingest"
+           "service"    = "grants-ingest"
+           "usage"      = "workload"
        }
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule {
+           allowed_headers = (known after apply)
+           allowed_methods = (known after apply)
+           allowed_origins = (known after apply)
+           expose_headers  = (known after apply)
+           max_age_seconds = (known after apply)
        }

+       grant {
+           id          = (known after apply)
+           permissions = (known after apply)
+           type        = (known after apply)
+           uri         = (known after apply)
        }

+       lifecycle_rule {
+           abort_incomplete_multipart_upload_days = (known after apply)
+           enabled                                = (known after apply)
+           id                                     = (known after apply)
+           prefix                                 = (known after apply)
+           tags                                   = (known after apply)

+           expiration {
+               date                         = (known after apply)
+               days                         = (known after apply)
+               expired_object_delete_marker = (known after apply)
            }

+           noncurrent_version_expiration {
+               days = (known after apply)
            }

+           noncurrent_version_transition {
+               days          = (known after apply)
+               storage_class = (known after apply)
            }

+           transition {
+               date          = (known after apply)
+               days          = (known after apply)
+               storage_class = (known after apply)
            }
        }

+       logging {
+           target_bucket = (known after apply)
+           target_prefix = (known after apply)
        }

+       object_lock_configuration {
+           object_lock_enabled = (known after apply)

+           rule {
+               default_retention {
+                   days  = (known after apply)
+                   mode  = (known after apply)
+                   years = (known after apply)
                }
            }
        }

+       replication_configuration {
+           role = (known after apply)

+           rules {
+               delete_marker_replication_status = (known after apply)
+               id                               = (known after apply)
+               prefix                           = (known after apply)
+               priority                         = (known after apply)
+               status                           = (known after apply)

+               destination {
+                   account_id         = (known after apply)
+                   bucket             = (known after apply)
+                   replica_kms_key_id = (known after apply)
+                   storage_class      = (known after apply)

+                   access_control_translation {
+                       owner = (known after apply)
                    }

+                   metrics {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }

+                   replication_time {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }
                }

+               filter {
+                   prefix = (known after apply)
+                   tags   = (known after apply)
                }

+               source_selection_criteria {
+                   sse_kms_encrypted_objects {
+                       enabled = (known after apply)
                    }
                }
            }
        }

+       server_side_encryption_configuration {
+           rule {
+               bucket_key_enabled = (known after apply)

+               apply_server_side_encryption_by_default {
+                   kms_master_key_id = (known after apply)
+                   sse_algorithm     = (known after apply)
                }
            }
        }

+       versioning {
+           enabled    = (known after apply)
+           mfa_delete = (known after apply)
        }

+       website {
+           error_document           = (known after apply)
+           index_document           = (known after apply)
+           redirect_all_requests_to = (known after apply)
+           routing_rules            = (known after apply)
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_acl.default[0] will be created
+   resource "aws_s3_bucket_acl" "default" {
+       acl    = "private"
+       bucket = (known after apply)
+       id     = (known after apply)

+       access_control_policy {
+           grant {
+               permission = (known after apply)

+               grantee {
+                   display_name  = (known after apply)
+                   email_address = (known after apply)
+                   id            = (known after apply)
+                   type          = (known after apply)
+                   uri           = (known after apply)
                }
            }

+           owner {
+               display_name = (known after apply)
+               id           = (known after apply)
            }
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_lifecycle_configuration.default[0] will be created
+   resource "aws_s3_bucket_lifecycle_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           id     = "rule-1"
+           status = "Enabled"

+           abort_incomplete_multipart_upload {
+               days_after_initiation = 1
            }

+           filter {
            }
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_ownership_controls.default[0] will be created
+   resource "aws_s3_bucket_ownership_controls" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           object_ownership = "ObjectWriter"
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_policy.default[0] will be created
+   resource "aws_s3_bucket_policy" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_public_access_block.default[0] will be created
+   resource "aws_s3_bucket_public_access_block" "default" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       restrict_public_buckets = true
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0] will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           bucket_key_enabled = false

+           apply_server_side_encryption_by_default {
+               sse_algorithm = "AES256"
            }
        }
    }

  # module.grants_prepared_data_bucket.aws_s3_bucket_versioning.default[0] will be created
+   resource "aws_s3_bucket_versioning" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       versioning_configuration {
+           mfa_delete = (known after apply)
+           status     = "Enabled"
        }
    }

  # module.grants_prepared_data_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0] will be created
+   resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+       create_duration  = "30s"
+       destroy_duration = "30s"
+       id               = (known after apply)
    }

  # module.grants_source_data_bucket.data.aws_iam_policy_document.aggregated_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "aggregated_policy" {
+       id                        = (known after apply)
+       json                      = (known after apply)
+       override_policy_documents = []
+       source_policy_documents   = [
+           (known after apply),
        ]
    }

  # module.grants_source_data_bucket.data.aws_iam_policy_document.bucket_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_policy" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyIncorrectEncryptionHeader"

+           condition {
+               test     = "StringNotEquals"
+               values   = [
+                   "AES256",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyUnEncryptedObjectUploads"

+           condition {
+               test     = "Null"
+               values   = [
+                   "true",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:*",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
+               (known after apply),
            ]
+           sid       = "ForceSSLOnlyAccess"

+           condition {
+               test     = "Bool"
+               values   = [
+                   "false",
                ]
+               variable = "aws:SecureTransport"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket.default[0] will be created
+   resource "aws_s3_bucket" "default" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "grantsingest-staging-grantssourcedata-357150818708-us-west-2"
+       bucket_domain_name          = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = false
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = false
+       policy                      = (known after apply)
+       region                      = (known after apply)
+       request_payer               = (known after apply)
+       tags                        = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-grantssourcedata-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
        }
+       tags_all                    = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-grantssourcedata-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "grants-ingest"
+           "service"    = "grants-ingest"
+           "usage"      = "workload"
        }
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule {
+           allowed_headers = (known after apply)
+           allowed_methods = (known after apply)
+           allowed_origins = (known after apply)
+           expose_headers  = (known after apply)
+           max_age_seconds = (known after apply)
        }

+       grant {
+           id          = (known after apply)
+           permissions = (known after apply)
+           type        = (known after apply)
+           uri         = (known after apply)
        }

+       lifecycle_rule {
+           abort_incomplete_multipart_upload_days = (known after apply)
+           enabled                                = (known after apply)
+           id                                     = (known after apply)
+           prefix                                 = (known after apply)
+           tags                                   = (known after apply)

+           expiration {
+               date                         = (known after apply)
+               days                         = (known after apply)
+               expired_object_delete_marker = (known after apply)
            }

+           noncurrent_version_expiration {
+               days = (known after apply)
            }

+           noncurrent_version_transition {
+               days          = (known after apply)
+               storage_class = (known after apply)
            }

+           transition {
+               date          = (known after apply)
+               days          = (known after apply)
+               storage_class = (known after apply)
            }
        }

+       logging {
+           target_bucket = (known after apply)
+           target_prefix = (known after apply)
        }

+       object_lock_configuration {
+           object_lock_enabled = (known after apply)

+           rule {
+               default_retention {
+                   days  = (known after apply)
+                   mode  = (known after apply)
+                   years = (known after apply)
                }
            }
        }

+       replication_configuration {
+           role = (known after apply)

+           rules {
+               delete_marker_replication_status = (known after apply)
+               id                               = (known after apply)
+               prefix                           = (known after apply)
+               priority                         = (known after apply)
+               status                           = (known after apply)

+               destination {
+                   account_id         = (known after apply)
+                   bucket             = (known after apply)
+                   replica_kms_key_id = (known after apply)
+                   storage_class      = (known after apply)

+                   access_control_translation {
+                       owner = (known after apply)
                    }

+                   metrics {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }

+                   replication_time {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }
                }

+               filter {
+                   prefix = (known after apply)
+                   tags   = (known after apply)
                }

+               source_selection_criteria {
+                   sse_kms_encrypted_objects {
+                       enabled = (known after apply)
                    }
                }
            }
        }

+       server_side_encryption_configuration {
+           rule {
+               bucket_key_enabled = (known after apply)

+               apply_server_side_encryption_by_default {
+                   kms_master_key_id = (known after apply)
+                   sse_algorithm     = (known after apply)
                }
            }
        }

+       versioning {
+           enabled    = (known after apply)
+           mfa_delete = (known after apply)
        }

+       website {
+           error_document           = (known after apply)
+           index_document           = (known after apply)
+           redirect_all_requests_to = (known after apply)
+           routing_rules            = (known after apply)
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket_acl.default[0] will be created
+   resource "aws_s3_bucket_acl" "default" {
+       acl    = "private"
+       bucket = (known after apply)
+       id     = (known after apply)

+       access_control_policy {
+           grant {
+               permission = (known after apply)

+               grantee {
+                   display_name  = (known after apply)
+                   email_address = (known after apply)
+                   id            = (known after apply)
+                   type          = (known after apply)
+                   uri           = (known after apply)
                }
            }

+           owner {
+               display_name = (known after apply)
+               id           = (known after apply)
            }
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket_lifecycle_configuration.default[0] will be created
+   resource "aws_s3_bucket_lifecycle_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           id     = "rule-1"
+           status = "Enabled"

+           abort_incomplete_multipart_upload {
+               days_after_initiation = 1
            }

+           filter {
            }
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket_ownership_controls.default[0] will be created
+   resource "aws_s3_bucket_ownership_controls" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           object_ownership = "ObjectWriter"
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket_policy.default[0] will be created
+   resource "aws_s3_bucket_policy" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
    }

  # module.grants_source_data_bucket.aws_s3_bucket_public_access_block.default[0] will be created
+   resource "aws_s3_bucket_public_access_block" "default" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       restrict_public_buckets = true
    }

  # module.grants_source_data_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0] will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           bucket_key_enabled = false

+           apply_server_side_encryption_by_default {
+               sse_algorithm = "AES256"
            }
        }
    }

  # module.grants_source_data_bucket.aws_s3_bucket_versioning.default[0] will be created
+   resource "aws_s3_bucket_versioning" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       versioning_configuration {
+           mfa_delete = (known after apply)
+           status     = "Enabled"
        }
    }

  # module.grants_source_data_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0] will be created
+   resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+       create_duration  = "30s"
+       destroy_duration = "30s"
+       id               = (known after apply)
    }

  # module.lambda_artifacts_bucket.data.aws_iam_policy_document.aggregated_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "aggregated_policy" {
+       id                        = (known after apply)
+       json                      = (known after apply)
+       override_policy_documents = []
+       source_policy_documents   = [
+           (known after apply),
        ]
    }

  # module.lambda_artifacts_bucket.data.aws_iam_policy_document.bucket_policy[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_policy" {
+       id   = (known after apply)
+       json = (known after apply)

+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyIncorrectEncryptionHeader"

+           condition {
+               test     = "StringNotEquals"
+               values   = [
+                   "AES256",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:PutObject",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
            ]
+           sid       = "DenyUnEncryptedObjectUploads"

+           condition {
+               test     = "Null"
+               values   = [
+                   "true",
                ]
+               variable = "s3:x-amz-server-side-encryption"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
+       statement {
+           actions   = [
+               "s3:*",
            ]
+           effect    = "Deny"
+           resources = [
+               (known after apply),
+               (known after apply),
            ]
+           sid       = "ForceSSLOnlyAccess"

+           condition {
+               test     = "Bool"
+               values   = [
+                   "false",
                ]
+               variable = "aws:SecureTransport"
            }

+           principals {
+               identifiers = [
+                   "*",
                ]
+               type        = "*"
            }
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket.default[0] will be created
+   resource "aws_s3_bucket" "default" {
+       acceleration_status         = (known after apply)
+       acl                         = (known after apply)
+       arn                         = (known after apply)
+       bucket                      = "grantsingest-staging-lambdaartifacts-357150818708-us-west-2"
+       bucket_domain_name          = (known after apply)
+       bucket_regional_domain_name = (known after apply)
+       force_destroy               = false
+       hosted_zone_id              = (known after apply)
+       id                          = (known after apply)
+       object_lock_enabled         = false
+       policy                      = (known after apply)
+       region                      = (known after apply)
+       request_payer               = (known after apply)
+       tags                        = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-lambdaartifacts-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
        }
+       tags_all                    = {
+           "Attributes" = "357150818708-us-west-2"
+           "Name"       = "grantsingest-staging-lambdaartifacts-357150818708-us-west-2"
+           "Namespace"  = "grantsingest-staging"
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "grants-ingest"
+           "service"    = "grants-ingest"
+           "usage"      = "workload"
        }
+       website_domain              = (known after apply)
+       website_endpoint            = (known after apply)

+       cors_rule {
+           allowed_headers = (known after apply)
+           allowed_methods = (known after apply)
+           allowed_origins = (known after apply)
+           expose_headers  = (known after apply)
+           max_age_seconds = (known after apply)
        }

+       grant {
+           id          = (known after apply)
+           permissions = (known after apply)
+           type        = (known after apply)
+           uri         = (known after apply)
        }

+       lifecycle_rule {
+           abort_incomplete_multipart_upload_days = (known after apply)
+           enabled                                = (known after apply)
+           id                                     = (known after apply)
+           prefix                                 = (known after apply)
+           tags                                   = (known after apply)

+           expiration {
+               date                         = (known after apply)
+               days                         = (known after apply)
+               expired_object_delete_marker = (known after apply)
            }

+           noncurrent_version_expiration {
+               days = (known after apply)
            }

+           noncurrent_version_transition {
+               days          = (known after apply)
+               storage_class = (known after apply)
            }

+           transition {
+               date          = (known after apply)
+               days          = (known after apply)
+               storage_class = (known after apply)
            }
        }

+       logging {
+           target_bucket = (known after apply)
+           target_prefix = (known after apply)
        }

+       object_lock_configuration {
+           object_lock_enabled = (known after apply)

+           rule {
+               default_retention {
+                   days  = (known after apply)
+                   mode  = (known after apply)
+                   years = (known after apply)
                }
            }
        }

+       replication_configuration {
+           role = (known after apply)

+           rules {
+               delete_marker_replication_status = (known after apply)
+               id                               = (known after apply)
+               prefix                           = (known after apply)
+               priority                         = (known after apply)
+               status                           = (known after apply)

+               destination {
+                   account_id         = (known after apply)
+                   bucket             = (known after apply)
+                   replica_kms_key_id = (known after apply)
+                   storage_class      = (known after apply)

+                   access_control_translation {
+                       owner = (known after apply)
                    }

+                   metrics {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }

+                   replication_time {
+                       minutes = (known after apply)
+                       status  = (known after apply)
                    }
                }

+               filter {
+                   prefix = (known after apply)
+                   tags   = (known after apply)
                }

+               source_selection_criteria {
+                   sse_kms_encrypted_objects {
+                       enabled = (known after apply)
                    }
                }
            }
        }

+       server_side_encryption_configuration {
+           rule {
+               bucket_key_enabled = (known after apply)

+               apply_server_side_encryption_by_default {
+                   kms_master_key_id = (known after apply)
+                   sse_algorithm     = (known after apply)
                }
            }
        }

+       versioning {
+           enabled    = (known after apply)
+           mfa_delete = (known after apply)
        }

+       website {
+           error_document           = (known after apply)
+           index_document           = (known after apply)
+           redirect_all_requests_to = (known after apply)
+           routing_rules            = (known after apply)
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_acl.default[0] will be created
+   resource "aws_s3_bucket_acl" "default" {
+       acl    = "private"
+       bucket = (known after apply)
+       id     = (known after apply)

+       access_control_policy {
+           grant {
+               permission = (known after apply)

+               grantee {
+                   display_name  = (known after apply)
+                   email_address = (known after apply)
+                   id            = (known after apply)
+                   type          = (known after apply)
+                   uri           = (known after apply)
                }
            }

+           owner {
+               display_name = (known after apply)
+               id           = (known after apply)
            }
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_lifecycle_configuration.default[0] will be created
+   resource "aws_s3_bucket_lifecycle_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           id     = "rule-1"
+           status = "Enabled"

+           abort_incomplete_multipart_upload {
+               days_after_initiation = 7
            }

+           filter {
            }
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_ownership_controls.default[0] will be created
+   resource "aws_s3_bucket_ownership_controls" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           object_ownership = "ObjectWriter"
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_policy.default[0] will be created
+   resource "aws_s3_bucket_policy" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)
+       policy = (known after apply)
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_public_access_block.default[0] will be created
+   resource "aws_s3_bucket_public_access_block" "default" {
+       block_public_acls       = true
+       block_public_policy     = true
+       bucket                  = (known after apply)
+       id                      = (known after apply)
+       ignore_public_acls      = true
+       restrict_public_buckets = true
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_server_side_encryption_configuration.default[0] will be created
+   resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       rule {
+           bucket_key_enabled = false

+           apply_server_side_encryption_by_default {
+               sse_algorithm = "AES256"
            }
        }
    }

  # module.lambda_artifacts_bucket.aws_s3_bucket_versioning.default[0] will be created
+   resource "aws_s3_bucket_versioning" "default" {
+       bucket = (known after apply)
+       id     = (known after apply)

+       versioning_configuration {
+           mfa_delete = (known after apply)
+           status     = "Enabled"
        }
    }

  # module.lambda_artifacts_bucket.time_sleep.wait_for_aws_s3_bucket_settings[0] will be created
+   resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+       create_duration  = "30s"
+       destroy_duration = "30s"
+       id               = (known after apply)
    }

Plan: 28 to add, 0 to change, 0 to destroy.

Pusher: @TylerHendrickson, Action: pull_request, Workflow: Continuous Integration
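Security settings worth reading off the plan above: the public access block has all four flags on, versioning is Enabled, default encryption is SSE-S3 (`AES256` with `bucket_key_enabled = false`) rather than SSE-KMS, ownership controls are `ObjectWriter` paired with a `private` canned ACL (so ACLs stay in effect; `BucketOwnerEnforced` would disable them), the only lifecycle rule aborts incomplete multipart uploads after 7 days with no noncurrent-version expiration, and no `aws_s3_bucket_logging` resource appears in the portion of the plan shown. The script below is an added example, not code from the grants-ingest repository or its CI workflow: it reads `terraform show -json tfplan` output and flags those points so the review can run as a CI step instead of being eyeballed in the plan comment. The embedded `SAMPLE_PLAN` is constructed by hand from the addresses and values in this plan; the severity labels and check names are the example's own convention, and grouping resources by module address assumes one bucket per module instance.

```python
"""Policy check over `terraform show -json tfplan` output for S3 bucket modules.

Added example, not code from the grants-ingest repository or its CI. SAMPLE_PLAN is
constructed by hand from the addresses and `after` values visible in the PR's plan
output; severity labels and check names are this example's own convention.
"""
import json
import sys

M = "module.lambda_artifacts_bucket."  # module prefix taken from the plan output

def _rc(address, rtype, after):
    """Build one resource_changes entry in the shape `terraform show -json` emits."""
    return {"address": address, "type": rtype,
            "change": {"actions": ["create"], "after": after}}

# Constructed sample plan, trimmed to the attributes the checks read.
SAMPLE_PLAN = json.dumps({"format_version": "1.1", "resource_changes": [
    _rc(M + "aws_s3_bucket.default[0]", "aws_s3_bucket", {"force_destroy": False}),
    _rc(M + "aws_s3_bucket_acl.default[0]", "aws_s3_bucket_acl", {"acl": "private"}),
    _rc(M + "aws_s3_bucket_ownership_controls.default[0]", "aws_s3_bucket_ownership_controls",
        {"rule": [{"object_ownership": "ObjectWriter"}]}),
    _rc(M + "aws_s3_bucket_public_access_block.default[0]", "aws_s3_bucket_public_access_block",
        {"block_public_acls": True, "block_public_policy": True,
         "ignore_public_acls": True, "restrict_public_buckets": True}),
    _rc(M + "aws_s3_bucket_server_side_encryption_configuration.default[0]",
        "aws_s3_bucket_server_side_encryption_configuration",
        {"rule": [{"bucket_key_enabled": False, "apply_server_side_encryption_by_default":
                   [{"sse_algorithm": "AES256", "kms_master_key_id": None}]}]}),
    _rc(M + "aws_s3_bucket_versioning.default[0]", "aws_s3_bucket_versioning",
        {"versioning_configuration": [{"status": "Enabled", "mfa_delete": None}]}),
    _rc(M + "aws_s3_bucket_lifecycle_configuration.default[0]", "aws_s3_bucket_lifecycle_configuration",
        {"rule": [{"id": "rule-1", "status": "Enabled", "filter": [{}],
                   "abort_incomplete_multipart_upload": [{"days_after_initiation": 7}],
                   "noncurrent_version_expiration": []}]}),
]})

PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")

def _scope(address):
    """'module.x.aws_s3_bucket.this[0]' -> 'module.x'; root resources -> 'root'.
    Assumes one bucket per module instance, as in the wrapper module this plan creates."""
    parts = address.rsplit(".", 2)
    return parts[0] if len(parts) == 3 else "root"

def _first_block(after, *path):
    """Descend nested blocks (lists of dicts in the JSON plan); {} if any level is absent."""
    node = after
    for key in path:
        blocks = node.get(key) or []
        node = blocks[0] if blocks else {}
    return node

def check_plan(plan_json):
    """Return (severity, scope, message) tuples for each bucket being created or updated."""
    scopes = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" not in actions:
            continue  # resource going away: nothing to enforce on it
        scopes.setdefault(_scope(rc["address"]), {})[rc["type"]] = rc["change"].get("after") or {}

    findings = []
    for scope, res in scopes.items():
        if "aws_s3_bucket" not in res:
            continue
        pab = res.get("aws_s3_bucket_public_access_block") or {}
        if not all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
            findings.append(("HIGH", scope, "public access block missing or not fully enabled"))
        ownership = _first_block(res.get("aws_s3_bucket_ownership_controls", {}), "rule").get("object_ownership")
        if ownership != "BucketOwnerEnforced":
            findings.append(("MEDIUM", scope, f"object_ownership={ownership}: ACLs stay in effect, "
                                              "prefer BucketOwnerEnforced"))
        acl = res.get("aws_s3_bucket_acl", {}).get("acl")
        if acl not in (None, "private"):
            findings.append(("HIGH", scope, f"canned ACL is {acl!r}"))
        sse = _first_block(res.get("aws_s3_bucket_server_side_encryption_configuration", {}),
                           "rule", "apply_server_side_encryption_by_default")
        if not sse:
            findings.append(("HIGH", scope, "no default server-side encryption rule"))
        elif sse.get("sse_algorithm") != "aws:kms":
            findings.append(("LOW", scope, f"sse_algorithm={sse.get('sse_algorithm')}: SSE-S3 only, "
                                           "SSE-KMS adds a key policy and CloudTrail decrypt events"))
        status = _first_block(res.get("aws_s3_bucket_versioning", {}), "versioning_configuration").get("status")
        if status != "Enabled":
            findings.append(("MEDIUM", scope, "versioning not enabled"))
        else:
            rules = res.get("aws_s3_bucket_lifecycle_configuration", {}).get("rule") or []
            if not any(r.get("noncurrent_version_expiration") for r in rules if r.get("status") == "Enabled"):
                findings.append(("LOW", scope, "versioned bucket has no noncurrent_version_expiration rule"))
        if "aws_s3_bucket_logging" not in res:
            findings.append(("LOW", scope, "no aws_s3_bucket_logging resource for this bucket"))
    return findings

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    results = check_plan(source)
    for sev, scope, msg in results:
        print(f"{sev:<6} {scope}: {msg}")
    sys.exit(1 if any(sev == "HIGH" for sev, _, _ in results) else 0)
```

Run with no arguments it reports on the embedded sample; in a workflow, `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json` exits non-zero on any HIGH finding, which is the shape a required status check needs. Values Terraform reports as "(known after apply)" are absent from `after`, so the checks treat them as unknown rather than failing; the only attributes read here are the ones that are already concrete at plan time.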

name: Default Issue
description: File an issue for a new feature or bug
title: "[Issue]: "
projects: "Grants Team Agile Planning"

I would remove this line since Github doesn't actually parse this file correctly

@as1729 as1729 left a comment

Thank you! one minor change requested but otherwise this is good to go

@TylerHendrickson TylerHendrickson merged commit 36272cd into main Mar 22, 2023
@TylerHendrickson TylerHendrickson deleted the 1/bootstrap-and-source-s3-bucket branch March 22, 2023 16:43
@TylerHendrickson TylerHendrickson added enhancement New feature or request go Pull requests that update Go code terraform Pull requests that update Terraform code labels Aug 24, 2023
Development

Successfully merging this pull request may close these issues.

Create an S3 bucket for storing grants source data