Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow adding optional arguments to terraform/grunt plan #322

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

ben851
Copy link

@ben851 ben851 commented Apr 19, 2024

Summary | Résumé

I'd like to be able to pass additional arguments to the terraform/terragrunt plan step. I've created a new input called args that just appends whatever's there to the end of the plan command.

I have no idea what I'm doing.

Test instructions | Instructions pour tester la modification

Reference latest version in a github workflow (I'll be testing w/ notification-terraform) and pass an argument as required.

@ben851 ben851 requested a review from patheard April 19, 2024 18:42
Copy link

Test init-fail

❌   Terraform Init: failed
❌   Terraform Validate: failed
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show Init results
Initializing the backend...

Initializing provider plugins...
- Finding latest version of foo/bar...

Error: Failed to query available provider packages

Could not retrieve the list of available versions for provider foo/bar:
provider registry registry.terraform.io does not have a provider named
registry.terraform.io/foo/bar

All modules should specify their required_providers so that external
consumers will get the correct providers when using a module. To see which
modules are currently depending on foo/bar, run the following command:
    terraform providers

Show Validate results
Error: Missing required provider

This configuration requires provider registry.terraform.io/foo/bar, but that
provider isn't available. You may be able to install it automatically by
running:
  terraform init
Show plan
Error: Inconsistent dependency lock file

The following dependency selections recorded in the lock file are
inconsistent with the current configuration:
  - provider registry.terraform.io/foo/bar: required by this configuration but no version is selected

To make the initial dependency selections that will initialize the dependency
lock file, run:
  terraform init

Copy link

Test skip-fmt

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add random_id.id
CHANGE OUTPUT
add id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)

Warning: Duplicate required provider

  on skip-fmt.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions

Copy link

Test skip-plan

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success

Copy link

Test validate-fail

✅   Terraform Init: success
❌   Terraform Validate: failed
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show Validate results
Error: Reference to undeclared input variable

  on validate-fail.tf line 4, in resource "random_id" "foo":
   4:     foo = var.bar

An input variable with the name "bar" has not been declared. This variable
can be declared with a variable "bar" {} block.
Show plan
Error: Reference to undeclared input variable

  on validate-fail.tf line 4, in resource "random_id" "foo":
   4:     foo = var.bar

An input variable with the name "bar" has not been declared. This variable
can be declared with a variable "bar" {} block.

Copy link

Test format-error

✅   Terraform Init: success
✅   Terraform Validate: success
❌   Terraform Format: failed
✅   Terraform Plan: success
✅   Conftest: success

🧹   Format: run terraform fmt to fix the following:

format-error.tf
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add random_id.id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Duplicate required provider

  on format-error.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions

Copy link

Test invalid

✅   Terraform Init: success
❌   Terraform Validate: failed
❌   Terraform Format: failed
❌   Terraform Plan: failed
❌   Conftest: failed

Show Validate results
Warning: Duplicate required provider

  on invalid.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

Error: Missing required argument

  on invalid.tf line 11, in resource "random_id" "id":
  11: resource "random_id" "id" {

The argument "byte_length" is required, but no definition was found.

Error: Unsupported argument

  on invalid.tf line 12, in resource "random_id" "id":
  12:     muffin = "blueberry"

An argument named "muffin" is not expected here.

🧹   Format: run terraform fmt to fix the following:

invalid.tf
Show plan
Warning: Duplicate required provider

  on invalid.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

Error: Missing required argument

  on invalid.tf line 11, in resource "random_id" "id":
  11: resource "random_id" "id" {

The argument "byte_length" is required, but no definition was found.

Error: Unsupported argument

  on invalid.tf line 12, in resource "random_id" "id":
  12:     muffin = "blueberry"

An argument named "muffin" is not expected here.

Copy link

Test changes

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add random_id.id
CHANGE OUTPUT
add id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)

Warning: Duplicate required provider

  on changes.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions

Copy link

Test skip-conftest

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success

Plan: 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add random_id.id
CHANGE OUTPUT
add id
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 8
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + id = (known after apply)

Warning: Duplicate required provider

  on skip-conftest.tf line 11:
  11: resource "random_id" "id" {

Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Copy link

Test import

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 2 to import, 1 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
import aws_cloudwatch_log_group.controltower-notificationforwarder
aws_sns_topic.controltower-notificationforwarder
add aws_cloudwatch_log_group.topic
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_cloudwatch_log_group.controltower-notificationforwarder will be imported
    resource "aws_cloudwatch_log_group" "controltower-notificationforwarder" {
        arn               = "arn:aws:logs:ca-central-1:124044056575:log-group:/aws/lambda/aws-controltower-NotificationForwarder"
        id                = "/aws/lambda/aws-controltower-NotificationForwarder"
        log_group_class   = "STANDARD"
        name              = "/aws/lambda/aws-controltower-NotificationForwarder"
        retention_in_days = 14
        skip_destroy      = false
        tags              = {}
        tags_all          = {}
    }

  # aws_cloudwatch_log_group.topic will be created
  + resource "aws_cloudwatch_log_group" "topic" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "topic"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags_all          = (known after apply)
    }

  # aws_sns_topic.controltower-notificationforwarder will be imported
    resource "aws_sns_topic" "controltower-notificationforwarder" {
        application_success_feedback_sample_rate = 0
        arn                                      = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
        content_based_deduplication              = false
        fifo_topic                               = false
        firehose_success_feedback_sample_rate    = 0
        http_success_feedback_sample_rate        = 0
        id                                       = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
        lambda_success_feedback_sample_rate      = 0
        name                                     = "internal-sre-alert"
        owner                                    = "124044056575"
        policy                                   = jsonencode(
            {
                Id        = "SNS Access Policy"
                Statement = [
                    {
                        Action    = [
                            "SNS:Subscribe",
                            "SNS:SetTopicAttributes",
                            "SNS:RemovePermission",
                            "SNS:Receive",
                            "SNS:Publish",
                            "SNS:ListSubscriptionsByTopic",
                            "SNS:GetTopicAttributes",
                            "SNS:AddPermission",
                        ]
                        Condition = {
                            StringEquals = {
                                "aws:SourceOwner" = "124044056575"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "*"
                        }
                        Resource  = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
                        Sid       = "AllowAccountToUse"
                    },
                    {
                        Action    = "SNS:Publish"
                        Condition = {
                            StringEquals = {
                                "aws:SourceAccount" = "124044056575"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Service = "cloudwatch.amazonaws.com"
                        }
                        Resource  = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
                        Sid       = "AllowCloudWatchToPublish"
                    },
                    {
                        Action    = "SNS:Publish"
                        Condition = {
                            ArnEquals = {
                                "aws:SourceArn" = "arn:aws:events:ca-central-1:124044056575:rule/internal-sre-alerts-abuse-rule"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Service = "events.amazonaws.com"
                        }
                        Resource  = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
                        Sid       = "AllowAbuseEventsToPublish"
                    },
                    {
                        Action    = "SNS:Publish"
                        Condition = {
                            StringEquals = {
                                "aws:SourceAccount" = "124044056575"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Service = "budgets.amazonaws.com"
                        }
                        Resource  = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
                        Sid       = "AllowBudgetEventsToPublish"
                    },
                ]
                Version   = "2012-10-17"
            }
        )
        signature_version                        = 0
        sqs_success_feedback_sample_rate         = 0
        tags                                     = {
            "CostCentre" = "SRE"
            "Terraform"  = "true"
            "managed_by" = "AFT"
        }
        tags_all                                 = {
            "CostCentre" = "SRE"
            "Terraform"  = "true"
            "managed_by" = "AFT"
        }
    }

Plan: 2 to import, 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.controltower-notificationforwarder"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.topic"]

21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions

Copy link

Test truncate-plan

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 36 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add module.rds.aws_cloudwatch_log_group.log_exports["postgresql"]
module.rds.aws_cloudwatch_log_group.proxy
module.rds.aws_db_proxy.proxy
module.rds.aws_db_proxy_default_target_group.this
module.rds.aws_db_proxy_target.target
module.rds.aws_db_subnet_group.rds
module.rds.aws_iam_policy.read_connection_string
module.rds.aws_iam_role.rds_proxy
module.rds.aws_iam_role_policy_attachment.read_connection_string
module.rds.aws_rds_cluster.cluster
module.rds.aws_rds_cluster_instance.instances[0]
module.rds.aws_rds_cluster_instance.instances[1]
module.rds.aws_rds_cluster_instance.instances[2]
module.rds.aws_secretsmanager_secret.connection_string
module.rds.aws_secretsmanager_secret.proxy_connection_string
module.rds.aws_secretsmanager_secret_version.connection_string
module.rds.aws_secretsmanager_secret_version.proxy_connection_string
module.rds.aws_security_group.rds_proxy
module.rds.random_string.random
module.vpc.aws_default_network_acl.default
module.vpc.aws_default_route_table.default
module.vpc.aws_default_security_group.default
module.vpc.aws_internet_gateway.gw
module.vpc.aws_nat_gateway.nat_gw[0]
module.vpc.aws_network_acl.main
module.vpc.aws_network_acl_rule.block_rdp[0]
module.vpc.aws_network_acl_rule.block_ssh[0]
module.vpc.aws_route.private_nat_gateway[0]
module.vpc.aws_route.public_internet_gateway
module.vpc.aws_route_table.private[0]
module.vpc.aws_route_table.public
module.vpc.aws_route_table_association.private[0]
module.vpc.aws_route_table_association.public[0]
module.vpc.aws_subnet.private[0]
module.vpc.aws_subnet.public[0]
module.vpc.aws_vpc.main

✂   Warning: plan has been truncated! See the full plan in the logs.

Show plan
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "read_connection_string" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "secretsmanager:DescribeSecret",
              + "secretsmanager:GetResourcePolicy",
              + "secretsmanager:GetSecretValue",
              + "secretsmanager:ListSecretVersionIds",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "0"
        }
      + statement {
          + actions   = [
              + "secretsmanager:ListSecrets",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "1"
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "2"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "secretsmanager.ca-central-1.amazonaws.com",
                ]
              + variable = "kms:ViaService"
            }
        }
    }

  # module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
  + resource "aws_cloudwatch_log_group" "log_exports" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/rds/cluster/test-rds-cluster/postgresql"
      + name_prefix       = (known after apply)
      + retention_in_days = 7
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_cloudwatch_log_group.proxy will be created
  + resource "aws_cloudwatch_log_group" "proxy" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/rds/proxy/test-rds-proxy"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_db_proxy.proxy will be created
  + resource "aws_db_proxy" "proxy" {
      + arn                    = (known after apply)
      + debug_logging          = false
      + endpoint               = (known after apply)
      + engine_family          = "POSTGRESQL"
      + id                     = (known after apply)
      + idle_client_timeout    = 1800
      + name                   = "test-rds-proxy"
      + require_tls            = true
      + role_arn               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids = (known after apply)
      + vpc_subnet_ids         = (known after apply)

      + auth {
          + auth_scheme               = "SECRETS"
          + client_password_auth_type = (known after apply)
          + description               = "The database connection string"
          + iam_auth                  = "DISABLED"
          + secret_arn                = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_default_target_group.this will be created
  + resource "aws_db_proxy_default_target_group" "this" {
      + arn           = (known after apply)
      + db_proxy_name = "test-rds-proxy"
      + id            = (known after apply)
      + name          = (known after apply)
    }

  # module.rds.aws_db_proxy_target.target will be created
  + resource "aws_db_proxy_target" "target" {
      + db_cluster_identifier = (known after apply)
      + db_proxy_name         = "test-rds-proxy"
      + endpoint              = (known after apply)
      + id                    = (known after apply)
      + port                  = (known after apply)
      + rds_resource_id       = (known after apply)
      + target_arn            = (known after apply)
      + target_group_name     = (known after apply)
      + tracked_cluster_id    = (known after apply)
      + type                  = (known after apply)
    }

  # module.rds.aws_db_subnet_group.rds will be created
  + resource "aws_db_subnet_group" "rds" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "test-rds-subnet-group"
      + name_prefix             = (known after apply)
      + subnet_ids              = (known after apply)
      + supported_network_types = (known after apply)
      + tags                    = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + tags_all                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + vpc_id                  = (known after apply)
    }

  # module.rds.aws_iam_policy.read_connection_string will be created
  + resource "aws_iam_policy" "read_connection_string" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "test-rdsReadConnectionString"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags             = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all         = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_iam_role.rds_proxy will be created
  + resource "aws_iam_role" "rds_proxy" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "rds.amazonaws.com"
                        }
                      + Sid       = "RDSAssume"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "test-rds_rds_proxy"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)
    }

  # module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
  + resource "aws_iam_role_policy_attachment" "read_connection_string" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "test-rds_rds_proxy"
    }

  # module.rds.aws_rds_cluster.cluster will be created
  + resource "aws_rds_cluster" "cluster" {
      + allocated_storage                   = (known after apply)
      + allow_major_version_upgrade         = false
      + apply_immediately                   = false
      + arn                                 = (known after apply)
      + availability_zones                  = (known after apply)
      + backtrack_window                    = 0
      + backup_retention_period             = 7
      + cluster_identifier                  = "test-rds-cluster"
      + cluster_identifier_prefix           = (known after apply)
      + cluster_members                     = (known after apply)
      + cluster_resource_id                 = (known after apply)
      + copy_tags_to_snapshot               = true
      + database_name                       = "foo"
      + db_cluster_parameter_group_name     = (known after apply)
      + db_subnet_group_name                = "test-rds-subnet-group"
      + db_system_id                        = (known after apply)
      + delete_automated_backups            = true
      + deletion_protection                 = true
      + enable_global_write_forwarding      = false
      + enable_http_endpoint                = false
      + enable_local_write_forwarding       = false
      + enabled_cloudwatch_logs_exports     = [
          + "postgresql",
        ]
      + endpoint                            = (known after apply)
      + engine                              = "aurora-postgresql"
      + engine_mode                         = "provisioned"
      + engine_version                      = "14.5"
      + engine_version_actual               = (known after apply)
      + final_snapshot_identifier           = (known after apply)
      + hosted_zone_id                      = (known after apply)
      + iam_database_authentication_enabled = false
      + iam_roles                           = (known after apply)
      + id                                  = (known after apply)
      + kms_key_id                          = (known after apply)
      + master_password                     = (sensitive value)
      + master_user_secret                  = (known after apply)
      + master_user_secret_kms_key_id       = (known after apply)
      + master_username                     = "probably"
      + network_type                        = (known after apply)
      + port                                = (known after apply)
      + preferred_backup_window             = "07:00-09:00"
      + preferred_maintenance_window        = "sun:06:00-sun:07:00"
      + reader_endpoint                     = (known after apply)
      + skip_final_snapshot                 = false
      + storage_encrypted                   = true
      + storage_type                        = (known after apply)
      + tags                                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all                            = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids              = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[0] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-0"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[1] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-1"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[2] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "14.5"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-2"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret.connection_string will be created
  + resource "aws_secretsmanager_secret" "connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret" "proxy_connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_secretsmanager_secret_version.connection_string will be created
  + resource "aws_secretsmanager_secret_version" "connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_security_group.rds_proxy will be created
  + resource "aws_security_group" "rds_proxy" {
      + arn                    = (known after apply)
      + description            = "The Security group that allows communication between the proxy and the database"
      + egress                 = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + name                   = "test-rds_rds_proxy_sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.rds.random_string.random will be created
  + resource "random_string" "random" {
      + id          = (known after apply)
      + length      = 6
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.vpc.aws_default_network_acl.default will be created
  + resource "aws_default_network_acl" "default" {
      + arn                    = (known after apply)
      + default_network_acl_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_route_table.default will be created
  + resource "aws_default_route_table" "default" {
      + arn                    = (known after apply)
      + default_route_table_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + route                  = []
      + tags                   = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_internet_gateway.gw will be created
  + resource "aws_internet_gateway" "gw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + tags_all = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + vpc_id   = (known after apply)
    }

  # module.vpc.aws_nat_gateway.nat_gw[0] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_network_acl.main will be created
  + resource "aws_network_acl" "main" {
      + arn        = (known after apply)
      + egress     = (known after apply)
      + id         = (known after apply)
      + ingress    = (known after apply)
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_main_nacl"
          + "Terraform"  = "true"
        }
      + tags_all   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_main_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id     = (known after apply)
    }

  # module.vpc.aws_network_acl_rule.block_rdp[0] will be created
  + resource "aws_network_acl_rule" "block_rdp" {
      + cidr_block     = "0.0.0.0/0"
      + egress         = false
      + from_port      = 3389
      + id             = (known after apply)
      + network_acl_id = (known after apply)
      + protocol       = "tcp"
      + rule_action    = "deny"
      + rule_number    = 51
      + to_port        = 3389
    }

  # module.vpc.aws_network_acl_rule.block_ssh[0] will be created
  + resource "aws_network_acl_rule" "block_ssh" {
      + cidr_block     = "0.0.0.0/0"
      + egress         = false
      + from_port      = 22
      + id             = (known after apply)
      + network_acl_id = (known after apply)
      + protocol       = "tcp"
      + rule_action    = "deny"
      + rule_number    = 50
      + to_port        = 22
    }

  # module.vpc.aws_route.private_nat_gateway[0] will be created
  + resource "aws_route" "private_nat_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + nat_gateway_id         = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known...
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions

Copy link

Test conftest-deny

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
❌   Conftest: failed

Plan: 36 to add, 0 to change, 0 to destroy
Show summary
CHANGE RESOURCE
add module.rds.aws_cloudwatch_log_group.log_exports[&quot;postgresql&quot;]
module.rds.aws_cloudwatch_log_group.proxy
module.rds.aws_db_proxy.proxy
module.rds.aws_db_proxy_default_target_group.this
module.rds.aws_db_proxy_target.target
module.rds.aws_db_subnet_group.rds
module.rds.aws_iam_policy.read_connection_string
module.rds.aws_iam_role.rds_proxy
module.rds.aws_iam_role_policy_attachment.read_connection_string
module.rds.aws_rds_cluster.cluster
module.rds.aws_rds_cluster_instance.instances[0]
module.rds.aws_rds_cluster_instance.instances[1]
module.rds.aws_rds_cluster_instance.instances[2]
module.rds.aws_secretsmanager_secret.connection_string
module.rds.aws_secretsmanager_secret.proxy_connection_string
module.rds.aws_secretsmanager_secret_version.connection_string
module.rds.aws_secretsmanager_secret_version.proxy_connection_string
module.rds.aws_security_group.rds_proxy
module.rds.random_string.random
module.vpc.aws_default_network_acl.default
module.vpc.aws_default_route_table.default
module.vpc.aws_default_security_group.default
module.vpc.aws_internet_gateway.gw
module.vpc.aws_nat_gateway.nat_gw[0]
module.vpc.aws_network_acl.main
module.vpc.aws_network_acl_rule.block_rdp[0]
module.vpc.aws_network_acl_rule.block_ssh[0]
module.vpc.aws_route.private_nat_gateway[0]
module.vpc.aws_route.public_internet_gateway
module.vpc.aws_route_table.private[0]
module.vpc.aws_route_table.public
module.vpc.aws_route_table_association.private[0]
module.vpc.aws_route_table_association.public[0]
module.vpc.aws_subnet.private[0]
module.vpc.aws_subnet.public[0]
module.vpc.aws_vpc.main

✂   Warning: plan has been truncated! See the full plan in the logs.

Show plan
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "read_connection_string" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "secretsmanager:DescribeSecret",
              + "secretsmanager:GetResourcePolicy",
              + "secretsmanager:GetSecretValue",
              + "secretsmanager:ListSecretVersionIds",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "0"
        }
      + statement {
          + actions   = [
              + "secretsmanager:ListSecrets",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "1"
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "2"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "secretsmanager.ca-central-1.amazonaws.com",
                ]
              + variable = "kms:ViaService"
            }
        }
    }

  # module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
  + resource "aws_cloudwatch_log_group" "log_exports" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/rds/cluster/test-rds-cluster/postgresql"
      + name_prefix       = (known after apply)
      + retention_in_days = 7
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_cloudwatch_log_group.proxy will be created
  + resource "aws_cloudwatch_log_group" "proxy" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/rds/proxy/test-rds-proxy"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_proxy_logs"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_db_proxy.proxy will be created
  + resource "aws_db_proxy" "proxy" {
      + arn                    = (known after apply)
      + debug_logging          = false
      + endpoint               = (known after apply)
      + engine_family          = "POSTGRESQL"
      + id                     = (known after apply)
      + idle_client_timeout    = 1800
      + name                   = "test-rds-proxy"
      + require_tls            = true
      + role_arn               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-rds-proxy"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids = (known after apply)
      + vpc_subnet_ids         = (known after apply)

      + auth {
          + auth_scheme               = "SECRETS"
          + client_password_auth_type = (known after apply)
          + description               = "The database connection string"
          + iam_auth                  = "DISABLED"
          + secret_arn                = (known after apply)
        }
    }

  # module.rds.aws_db_proxy_default_target_group.this will be created
  + resource "aws_db_proxy_default_target_group" "this" {
      + arn           = (known after apply)
      + db_proxy_name = "test-rds-proxy"
      + id            = (known after apply)
      + name          = (known after apply)
    }

  # module.rds.aws_db_proxy_target.target will be created
  + resource "aws_db_proxy_target" "target" {
      + db_cluster_identifier = (known after apply)
      + db_proxy_name         = "test-rds-proxy"
      + endpoint              = (known after apply)
      + id                    = (known after apply)
      + port                  = (known after apply)
      + rds_resource_id       = (known after apply)
      + target_arn            = (known after apply)
      + target_group_name     = (known after apply)
      + tracked_cluster_id    = (known after apply)
      + type                  = (known after apply)
    }

  # module.rds.aws_db_subnet_group.rds will be created
  + resource "aws_db_subnet_group" "rds" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "test-rds-subnet-group"
      + name_prefix             = (known after apply)
      + subnet_ids              = (known after apply)
      + supported_network_types = (known after apply)
      + tags                    = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + tags_all                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-subnet-group"
          + "Terraform"  = "true"
        }
      + vpc_id                  = (known after apply)
    }

  # module.rds.aws_iam_policy.read_connection_string will be created
  + resource "aws_iam_policy" "read_connection_string" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "test-rdsReadConnectionString"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags             = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all         = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_iam_role.rds_proxy will be created
  + resource "aws_iam_role" "rds_proxy" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "rds.amazonaws.com"
                        }
                      + Sid       = "RDSAssume"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "test-rds_rds_proxy"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)
    }

  # module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
  + resource "aws_iam_role_policy_attachment" "read_connection_string" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "test-rds_rds_proxy"
    }

  # module.rds.aws_rds_cluster.cluster will be created
  + resource "aws_rds_cluster" "cluster" {
      + allocated_storage                   = (known after apply)
      + allow_major_version_upgrade         = false
      + apply_immediately                   = false
      + arn                                 = (known after apply)
      + availability_zones                  = (known after apply)
      + backtrack_window                    = 0
      + backup_retention_period             = 7
      + cluster_identifier                  = "test-rds-cluster"
      + cluster_identifier_prefix           = (known after apply)
      + cluster_members                     = (known after apply)
      + cluster_resource_id                 = (known after apply)
      + copy_tags_to_snapshot               = true
      + database_name                       = "foo"
      + db_cluster_parameter_group_name     = (known after apply)
      + db_subnet_group_name                = "test-rds-subnet-group"
      + db_system_id                        = (known after apply)
      + delete_automated_backups            = true
      + deletion_protection                 = true
      + enable_global_write_forwarding      = false
      + enable_http_endpoint                = false
      + enable_local_write_forwarding       = false
      + enabled_cloudwatch_logs_exports     = [
          + "postgresql",
        ]
      + endpoint                            = (known after apply)
      + engine                              = "aurora-postgresql"
      + engine_mode                         = "provisioned"
      + engine_version                      = "13.3"
      + engine_version_actual               = (known after apply)
      + final_snapshot_identifier           = (known after apply)
      + hosted_zone_id                      = (known after apply)
      + iam_database_authentication_enabled = false
      + iam_roles                           = (known after apply)
      + id                                  = (known after apply)
      + kms_key_id                          = (known after apply)
      + master_password                     = (sensitive value)
      + master_user_secret                  = (known after apply)
      + master_user_secret_kms_key_id       = (known after apply)
      + master_username                     = "cal"
      + network_type                        = (known after apply)
      + port                                = (known after apply)
      + preferred_backup_window             = "07:00-09:00"
      + preferred_maintenance_window        = "sun:06:00-sun:07:00"
      + reader_endpoint                     = (known after apply)
      + skip_final_snapshot                 = false
      + storage_encrypted                   = true
      + storage_type                        = (known after apply)
      + tags                                = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + tags_all                            = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-cluster"
          + "Terraform"  = "true"
        }
      + vpc_security_group_ids              = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[0] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-0"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-0"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[1] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-1"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-1"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_rds_cluster_instance.instances[2] will be created
  + resource "aws_rds_cluster_instance" "instances" {
      + apply_immediately                     = (known after apply)
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + ca_cert_identifier                    = (known after apply)
      + cluster_identifier                    = (known after apply)
      + copy_tags_to_snapshot                 = false
      + db_parameter_group_name               = (known after apply)
      + db_subnet_group_name                  = "test-rds-subnet-group"
      + dbi_resource_id                       = (known after apply)
      + endpoint                              = (known after apply)
      + engine                                = "aurora-postgresql"
      + engine_version                        = "13.3"
      + engine_version_actual                 = (known after apply)
      + id                                    = (known after apply)
      + identifier                            = "test-rds-instance-2"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.medium"
      + kms_key_id                            = (known after apply)
      + monitoring_interval                   = 0
      + monitoring_role_arn                   = (known after apply)
      + network_type                          = (known after apply)
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = (known after apply)
      + port                                  = (known after apply)
      + preferred_backup_window               = (known after apply)
      + preferred_maintenance_window          = (known after apply)
      + promotion_tier                        = 0
      + publicly_accessible                   = (known after apply)
      + storage_encrypted                     = (known after apply)
      + tags                                  = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + tags_all                              = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds-instance-2"
          + "Terraform"  = "true"
        }
      + writer                                = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret.connection_string will be created
  + resource "aws_secretsmanager_secret" "connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret" "proxy_connection_string" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = (known after apply)
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags                           = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
        }
    }

  # module.rds.aws_secretsmanager_secret_version.connection_string will be created
  + resource "aws_secretsmanager_secret_version" "connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
  + resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

  # module.rds.aws_security_group.rds_proxy will be created
  + resource "aws_security_group" "rds_proxy" {
      + arn                    = (known after apply)
      + description            = "The Security group that allows communication between the proxy and the database"
      + egress                 = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 5432
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 5432
            },
        ]
      + name                   = "test-rds_rds_proxy_sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "test-rds_rds_proxy_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.rds.random_string.random will be created
  + resource "random_string" "random" {
      + id          = (known after apply)
      + length      = 6
      + lower       = true
      + min_lower   = 0
      + min_numeric = 0
      + min_special = 0
      + min_upper   = 0
      + number      = true
      + numeric     = true
      + result      = (known after apply)
      + special     = false
      + upper       = false
    }

  # module.vpc.aws_default_network_acl.default will be created
  + resource "aws_default_network_acl" "default" {
      + arn                    = (known after apply)
      + default_network_acl_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_route_table.default will be created
  + resource "aws_default_route_table" "default" {
      + arn                    = (known after apply)
      + default_route_table_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + route                  = []
      + tags                   = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Terraform"  = "true"
          + "name"       = "vpc_default_route_table"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + tags_all               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_default_sg"
          + "Terraform"  = "true"
        }
      + vpc_id                 = (known after apply)
    }

  # module.vpc.aws_internet_gateway.gw will be created
  + resource "aws_internet_gateway" "gw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + tags_all = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_internet_gateway"
          + "Terraform"  = "true"
        }
      + vpc_id   = (known after apply)
    }

  # module.vpc.aws_nat_gateway.nat_gw[0] will be created
  + resource "aws_nat_gateway" "nat_gw" {
      + association_id                     = (known after apply)
      + connectivity_type                  = "private"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
      + tags_all                           = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc-natgw-0"
          + "Terraform"  = "true"
        }
    }

  # module.vpc.aws_network_acl.main will be created
  + resource "aws_network_acl" "main" {
      + arn        = (known after apply)
      + egress     = (known after apply)
      + id         = (known after apply)
      + ingress    = (known after apply)
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_main_nacl"
          + "Terraform"  = "true"
        }
      + tags_all   = {
          + "CostCentre" = "cal"
          + "Name"       = "vpc_main_nacl"
          + "Terraform"  = "true"
        }
      + vpc_id     = (known after apply)
    }

  # module.vpc.aws_network_acl_rule.block_rdp[0] will be created
  + resource "aws_network_acl_rule" "block_rdp" {
      + cidr_block     = "0.0.0.0/0"
      + egress         = false
      + from_port      = 3389
      + id             = (known after apply)
      + network_acl_id = (known after apply)
      + protocol       = "tcp"
      + rule_action    = "deny"
      + rule_number    = 51
      + to_port        = 3389
    }

  # module.vpc.aws_network_acl_rule.block_ssh[0] will be created
  + resource "aws_network_acl_rule" "block_ssh" {
      + cidr_block     = "0.0.0.0/0"
      + egress         = false
      + from_port      = 22
      + id             = (known after apply)
      + network_acl_id = (known after apply)
      + protocol       = "tcp"
      + rule_action    = "deny"
      + rule_number    = 50
      + to_port        = 22
    }

  # module.vpc.aws_route.private_nat_gateway[0] will be created
  + resource "aws_route" "private_nat_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + nat_gateway_id         = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known...
Show Conftest results
FAIL - plan.json - main - Postgresql main password > 8 characters: ["module.rds.aws_rds_cluster.cluster"]

20 tests, 19 passed, 0 warnings, 1 failure, 0 exceptions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant