Terraform provider and AWS upgrade to #420
Conversation
17ed50c to 8af68d9
Staging: alarms ❌
Terraform Init results:
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
Downloading git::https://github.com/cds-snc/terraform-modules.git?ref=v6.1.3 for athena...
- athena in .terraform/modules/athena/athena_access_logs
Downloading git::https://github.com/cds-snc/terraform-modules.git?ref=v3.0.0 for athena_bucket...
- athena_bucket in .terraform/modules/athena_bucket/S3
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/archive from the dependency lock file
- Installing hashicorp/random v3.4.3...
- Installed hashicorp/random v3.4.3 (signed by HashiCorp)
- Installing hashicorp/archive v2.4.0...
- Installed hashicorp/archive v2.4.0 (signed by HashiCorp)
Error: Failed to query available provider packages
Could not retrieve the list of available versions for provider hashicorp/aws:
locked provider registry.terraform.io/hashicorp/aws 4.67.0 does not match
configured version constraint >= 3.36.0, < 4.0.0, 4.67.0; must use terraform
init -upgrade to allow selection of new versions
time=2023-09-13T13:58:28Z level=error msg=Terraform invocation failed in /home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms prefix=[/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms]
time=2023-09-13T13:58:28Z level=error msg=1 error occurred:
* [/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms] exit status 1
Validate results:
Error: missing or corrupted provider plugins:
- registry.terraform.io/hashicorp/aws: there is no package for registry.terraform.io/hashicorp/aws 4.67.0 cached in .terraform/providers
- registry.terraform.io/hashicorp/random: the cached package for registry.terraform.io/hashicorp/random 3.4.3 (in .terraform/providers) does not match any of the checksums recorded in the dependency lock file
time=2023-09-13T13:58:35Z level=error msg=Terraform invocation failed in /home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms prefix=[/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms]
time=2023-09-13T13:58:35Z level=error msg=1 error occurred:
* [/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms] exit status 1
Plan:
Error: Required plugins are not installed
The installed provider plugins are not consistent with the packages selected
in the dependency lock file:
- registry.terraform.io/hashicorp/aws: there is no package for registry.terraform.io/hashicorp/aws 4.67.0 cached in .terraform/providers
- registry.terraform.io/hashicorp/random: the cached package for registry.terraform.io/hashicorp/random 3.4.3 (in .terraform/providers) does not match any of the checksums recorded in the dependency lock file
Terraform uses external plugins to integrate with a variety of different
infrastructure services. To download the plugins required for this
configuration, run:
terraform init
time=2023-09-13T13:58:47Z level=error msg=Terraform invocation failed in /home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms prefix=[/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms]
time=2023-09-13T13:58:47Z level=error msg=1 error occurred:
* [/home/runner/work/forms-terraform/forms-terraform/env/cloud/alarms/.terragrunt-cache/XgbkfD_g71Av_4AqP1IjvLb28sU/-syjFrdAaB-6kNXhMmF1nXBOp7o/alarms] exit status 1
⚠ Terraform update available: Terragrunt 0.51.0 (using 0.50.15)
Staging: network ✅
Terraform Init: Plan: 0 to add, 2 to change, 0 to destroy
Plan:
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_security_group.forms_database will be updated in-place
~ resource "aws_security_group" "forms_database" {
id = "sg-0b80bb714d886b8ff"
~ ingress = [
- {
- cidr_blocks = []
- description = ""
- from_port = 5432
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = [
- "sg-0328cae235e1dce04",
]
- self = false
- to_port = 5432
},
- {
- cidr_blocks = []
- description = "Security group rule for Forms DB ingress"
- from_port = 5432
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = [
- "sg-0554e1d0a9da92168",
]
- self = false
- to_port = 5432
},
+ {
+ cidr_blocks = []
+ from_port = 5432
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = [
+ "sg-0328cae235e1dce04",
]
+ self = false
+ to_port = 5432
},
]
name = "forms-database"
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (7 unchanged attributes hidden)
}
# aws_security_group.forms_redis will be updated in-place
~ resource "aws_security_group" "forms_redis" {
id = "sg-092fddfbbac0e15aa"
~ ingress = [
- {
- cidr_blocks = []
- description = ""
- from_port = 6379
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = [
- "sg-0328cae235e1dce04",
]
- self = false
- to_port = 6379
},
- {
- cidr_blocks = []
- description = "Security group rule for Forms Redis ingress"
- from_port = 6379
- ipv6_cidr_blocks = []
- prefix_list_ids = []
- protocol = "tcp"
- security_groups = [
- "sg-0554e1d0a9da92168",
]
- self = false
- to_port = 6379
},
+ {
+ cidr_blocks = []
+ from_port = 6379
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = [
+ "sg-0328cae235e1dce04",
]
+ self = false
+ to_port = 6379
},
]
name = "forms-redis"
tags = {
"CostCentre" = "forms-platform-staging"
"Terraform" = "true"
}
# (7 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.
Warning: Deprecated Resource
with data.aws_subnet_ids.ecr_endpoint_available,
on network.tf line 68, in data "aws_subnet_ids" "ecr_endpoint_available":
68: data "aws_subnet_ids" "ecr_endpoint_available" {
The aws_subnet_ids data source has been deprecated and will be removed in a
future version. Use the aws_subnets data source instead:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets
(and 3 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
Conftest results:
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions

Staging: load_balancer ✅
Terraform Init: Plan: 4 to add, 1 to change, 2 to destroy
Plan:
Resource actions are indicated with the following symbols:
+ create
~ update in-place
- destroy
Terraform will perform the following actions:
# aws_lb.form_viewer will be updated in-place
~ resource "aws_lb" "form_viewer" {
id = "arn:aws:elasticloadbalancing:ca-central-1:687401027353:loadbalancer/app/form-viewer/5e6bc2d9ab810b68"
name = "form-viewer"
tags = {
"CostCentre" = "forms-platform-staging"
"Name" = "form_viewer"
"Terraform" = "true"
}
# (22 unchanged attributes hidden)
~ access_logs {
~ enabled = true -> false
# (2 unchanged attributes hidden)
}
# (3 unchanged blocks hidden)
}
# aws_s3_bucket_acl.firehose_waf_logs will be created
+ resource "aws_s3_bucket_acl" "firehose_waf_logs" {
+ acl = "private"
+ bucket = "forms-staging-terraform-waf-logs"
+ id = (known after apply)
}
# aws_s3_bucket_lifecycle_configuration.lifecycle_rules will be created
+ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle_rules" {
+ bucket = "forms-staging-terraform-waf-logs"
+ id = (known after apply)
+ rule {
+ id = "lifecycle_firehose_waf_logs"
+ status = "Enabled"
+ expiration {
+ days = 90
+ expired_object_delete_marker = (known after apply)
}
}
}
# aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership will be created
+ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
+ bucket = "forms-staging-terraform-waf-logs"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerPreferred"
}
}
# aws_s3_bucket_server_side_encryption_configuration.firehose_waf_logs will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "firehose_waf_logs" {
+ bucket = "forms-staging-terraform-waf-logs"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_shield_protection.alb will be destroyed
# (because aws_shield_protection.alb is not in configuration)
- resource "aws_shield_protection" "alb" {
- arn = "arn:aws:shield::687401027353:protection/0cca3ef1-8edc-4180-8740-febba699a5b2" -> null
- id = "0cca3ef1-8edc-4180-8740-febba699a5b2" -> null
- name = "LoadBalancer" -> null
- resource_arn = "arn:aws:elasticloadbalancing:ca-central-1:687401027353:loadbalancer/app/form-viewer/5e6bc2d9ab810b68" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
}
# aws_shield_protection.route53_hosted_zone will be destroyed
# (because aws_shield_protection.route53_hosted_zone is not in configuration)
- resource "aws_shield_protection" "route53_hosted_zone" {
- arn = "arn:aws:shield::687401027353:protection/84aef9e9-74ea-4dfc-bc40-ff3f3ca3700c" -> null
- id = "84aef9e9-74ea-4dfc-bc40-ff3f3ca3700c" -> null
- name = "Route53HostedZone" -> null
- resource_arn = "arn:aws:route53:::hostedzone/Z05990652HOQ0SGHD81ZC" -> null
- tags = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
- tags_all = {
- "CostCentre" = "forms-platform-staging"
- "Terraform" = "true"
} -> null
}
Plan: 4 to add, 1 to change, 2 to destroy.
Warning: Argument is deprecated
with aws_wafv2_web_acl.forms_acl,
on waf.tf line 11, in resource "aws_wafv2_web_acl" "forms_acl":
11: resource "aws_wafv2_web_acl" "forms_acl" {
Use rule_action_override instead
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_regex_pattern_set.forms_base_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_regex_pattern_set.valid_app_uri_paths"]
19 tests, 17 passed, 2 warnings, 0 failures, 0 exceptions

Staging: app ✅
Terraform Init:
Plan:
Resource actions are indicated with the following symbols:
+ create
Terraform planned the following actions, but then encountered a problem:
# aws_s3_bucket_acl.archive_storage_acl will be created
+ resource "aws_s3_bucket_acl" "archive_storage_acl" {
+ acl = "private"
+ bucket = "forms-staging-archive-storage"
+ id = (known after apply)
}
# aws_s3_bucket_acl.reliability_file_storage_s3_acl will be created
+ resource "aws_s3_bucket_acl" "reliability_file_storage_s3_acl" {
+ acl = "private"
+ bucket = "forms-staging-reliability-file-storage"
+ id = (known after apply)
}
# aws_s3_bucket_acl.vault_file_storage_acl will be created
+ resource "aws_s3_bucket_acl" "vault_file_storage_acl" {
+ acl = "private"
+ bucket = "forms-staging-vault-file-storage"
+ id = (known after apply)
}
# aws_s3_bucket_lifecycle_configuration.lifecycle_rules_archive_storage will be created
+ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle_rules_archive_storage" {
+ bucket = "forms-staging-archive-storage"
+ id = (known after apply)
+ rule {
+ id = "lifecycle_archive_storage"
+ status = "Enabled"
+ expiration {
+ days = 30
+ expired_object_delete_marker = (known after apply)
}
}
}
# aws_s3_bucket_lifecycle_configuration.lifecycle_rules_reliability_file_storage will be created
+ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle_rules_reliability_file_storage" {
+ bucket = "forms-staging-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ id = "lifecycle_reliability_file_storage"
+ status = "Enabled"
+ expiration {
+ days = 30
+ expired_object_delete_marker = (known after apply)
}
}
}
# aws_s3_bucket_ownership_controls.archive_storage_s3_bucket_acl_ownership will be created
+ resource "aws_s3_bucket_ownership_controls" "archive_storage_s3_bucket_acl_ownership" {
+ bucket = "forms-staging-archive-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerPreferred"
}
}
# aws_s3_bucket_ownership_controls.reliability_file_s3_bucket_acl_ownership will be created
+ resource "aws_s3_bucket_ownership_controls" "reliability_file_s3_bucket_acl_ownership" {
+ bucket = "forms-staging-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerPreferred"
}
}
# aws_s3_bucket_ownership_controls.vault_file_s3_bucket_acl_ownership will be created
+ resource "aws_s3_bucket_ownership_controls" "vault_file_s3_bucket_acl_ownership" {
+ bucket = "forms-staging-vault-file-storage"
+ id = (known after apply)
+ rule {
+ object_ownership = "BucketOwnerPreferred"
}
}
# aws_s3_bucket_server_side_encryption_configuration.archive_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "archive_storage" {
+ bucket = "forms-staging-archive-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_server_side_encryption_configuration.reliability_file_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "reliability_file_storage" {
+ bucket = "forms-staging-reliability-file-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_server_side_encryption_configuration.vault_file_storage will be created
+ resource "aws_s3_bucket_server_side_encryption_configuration" "vault_file_storage" {
+ bucket = "forms-staging-vault-file-storage"
+ id = (known after apply)
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
# aws_s3_bucket_versioning.vault_file_storage_versioning will be created
+ resource "aws_s3_bucket_versioning" "vault_file_storage_versioning" {
+ bucket = "forms-staging-vault-file-storage"
+ id = (known after apply)
+ versioning_configuration {
+ mfa_delete = (known after apply)
+ status = "Enabled"
}
}
Plan: 12 to add, 0 to change, 0 to destroy.
Releasing state lock. This may take a few moments...
Error: reading ECS Task Definition (form-viewer): ClientException: Unable to describe task definition.
with aws_ecs_task_definition.form_viewer,
on ecs.tf line 56, in resource "aws_ecs_task_definition" "form_viewer":
56: resource "aws_ecs_task_definition" "form_viewer" {
time=2023-09-18T13:08:17Z level=error msg=Terraform invocation failed in /home/runner/work/forms-terraform/forms-terraform/env/cloud/app/.terragrunt-cache/K54TG7zAX8DTTyqwBYHSG8Hho6I/-syjFrdAaB-6kNXhMmF1nXBOp7o/app prefix=[/home/runner/work/forms-terraform/forms-terraform/env/cloud/app]
time=2023-09-18T13:08:17Z level=error msg=1 error occurred:
* [/home/runner/work/forms-terraform/forms-terraform/env/cloud/app/.terragrunt-cache/K54TG7zAX8DTTyqwBYHSG8Hho6I/-syjFrdAaB-6kNXhMmF1nXBOp7o/app] exit status 1
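The staging plans above contain three changes a reviewer should confirm are intended rather than side effects of the provider upgrade: the ALB's `access_logs` block flips `enabled = true -> false`, both `aws_shield_protection` resources are destroyed, and each security group loses the ingress rule for `sg-0554e1d0a9da92168`. The repository's Conftest policies (the "Missing Common Tags" checks shown) do not cover these cases. The script below is an added example, not code from forms-terraform or its Conftest suite: it reads the JSON form of a plan (`terraform show -json plan.tfplan`) and returns one finding per such change. The plan document embedded in it is constructed to mirror the resources named above; the set of "protective" resource types is an assumption chosen for illustration.

```python
"""Flag security-relevant changes in a Terraform plan's JSON output.

Added example (not part of forms-terraform). Input is the document produced by
`terraform show -json plan.tfplan`; only the `resource_changes` array is read.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample modelled on the staging plans in this PR. Values are
# illustrative; the real plan carries many more attributes per resource.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_lb.form_viewer",
            "type": "aws_lb",
            "change": {
                "actions": ["update"],
                "before": {"access_logs": [{"enabled": True}]},
                "after": {"access_logs": [{"enabled": False}]},
            },
        },
        {
            "address": "aws_shield_protection.alb",
            "type": "aws_shield_protection",
            "change": {"actions": ["delete"],
                       "before": {"name": "LoadBalancer"}, "after": None},
        },
        {
            "address": "aws_s3_bucket_server_side_encryption_configuration.firehose_waf_logs",
            "type": "aws_s3_bucket_server_side_encryption_configuration",
            "change": {"actions": ["create"], "before": None,
                       "after": {"bucket": "forms-staging-terraform-waf-logs"}},
        },
        {
            "address": "aws_security_group.forms_database",
            "type": "aws_security_group",
            "change": {
                "actions": ["update"],
                "before": {"ingress": [
                    {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                     "security_groups": ["sg-0328cae235e1dce04"]},
                    {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                     "security_groups": ["sg-0554e1d0a9da92168"]},
                ]},
                "after": {"ingress": [
                    {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                     "security_groups": ["sg-0328cae235e1dce04"]},
                ]},
            },
        },
    ],
})

# Assumed list of resource types whose deletion removes a protective control;
# extend to match what the environment relies on.
PROTECTIVE_TYPES = {"aws_shield_protection", "aws_wafv2_web_acl_association",
                    "aws_cloudtrail", "aws_guardduty_detector"}


def _rule_key(rule: Dict[str, Any]) -> str:
    """Stable identity for a security group rule so before/after can be set-diffed."""
    return json.dumps(rule, sort_keys=True)


def _access_logs_enabled(state: Optional[Dict[str, Any]]) -> Optional[bool]:
    """Read aws_lb access_logs[0].enabled; None when the block is absent."""
    if not state:
        return None
    blocks = state.get("access_logs") or []
    return bool(blocks[0].get("enabled")) if blocks else None


def evaluate_plan(plan_json: str) -> List[str]:
    """Return one human-readable finding per security-relevant change."""
    findings: List[str] = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        actions = set(change["actions"])
        addr, rtype = rc["address"], rc["type"]

        # 1. Load balancer access logging switched off (audit trail regression).
        if rtype == "aws_lb" and "update" in actions:
            if (_access_logs_enabled(change["before"]) is True
                    and _access_logs_enabled(change["after"]) is False):
                findings.append(f"{addr}: access_logs.enabled changes true -> false")

        # 2. A protective resource is being destroyed.
        if rtype in PROTECTIVE_TYPES and "delete" in actions:
            findings.append(f"{addr}: protective resource will be destroyed")

        # 3. Ingress rules dropped from a security group (confirm the source is
        #    really no longer needed rather than silently cut off).
        if rtype == "aws_security_group" and "update" in actions:
            before = {_rule_key(r) for r in (change["before"] or {}).get("ingress", [])}
            after = {_rule_key(r) for r in (change["after"] or {}).get("ingress", [])}
            for removed in sorted(before - after):
                rule = json.loads(removed)
                findings.append(f"{addr}: ingress rule removed for "
                                f"{rule.get('security_groups')} port {rule.get('from_port')}")
    return findings


if __name__ == "__main__":
    for line in evaluate_plan(SAMPLE_PLAN_JSON):
        print(line)
```

Run it against a real plan with `terraform show -json plan.tfplan > plan.json` and pass the file contents to `evaluate_plan`; a non-empty result is a signal to block the merge until each finding is acknowledged in the PR. The same logic could be ported to Rego so it runs alongside the existing Conftest checks.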
Summary | Résumé

AWS and Terraform provider upgrade draft

Test instructions:

- `tfenv` to help manage terraform version, with `brew install tfenv` and `tfenv use 1.5.0`; see the usage doc for more details.
- `RaphaelKeita-scratch`, or you may request a scratch account (contact core team or patheard).
- `export AWS_ACCOUNTID` and `APP_ENV=[Name]_scratch`
- `export AWS_SECRET_ACCESS_KEY=xxx export AWS_SESSION_TOKEN=XXXX`
- `.env` and add all required environment variables values
- `aws/app` and run `terragrunt apply`
- `env/cloud`, in each of the following folders (Kms, Network, rds, redis, dynamoDB, sqs, hostedzone, ecr, app): `terragrunt init -upgrade` and `terragrunt apply`.
- Caution: before deploying the app module make sure to pull and push an app docker image into the `ECR` repository (slack me).

Remarks

During the deployment of the lambda infrastructure, a problem was identified. Upon investigation, it was found that the V4.9.0 version of the terraform aws provider does not yet support Node.js v16, which is the current version in staging. The solution was to change the Node.js runtime version to v14 for lambda functions.

Acceptance Criteria: