Feature: Enables AWS XRay for Lambda's and preps App Infra #1050
Awesome work 🙂
I was able to make it work in my scratch account. The errors are sometimes not easy to understand because of the provided stack trace. This may be because we need to configure something at the SDK level. At least we have the beginning of something big!
Found one blocking compatibility issue due to CommonJS vs ESM stuff.
In the Cloudwatch logs I noticed we were getting this error:
Error: Missing AWS Lambda trace data for X-Ray. Ensure Active Tracing is enabled and no subsegments are created outside the function handler.
I wonder if they could be forwarded by the Notify Slack lambda if we decide to ignore them for now.
Also, I am not sure why (yet) but I was able to get a GC Notify call that timed out while testing the Nagware lambda. Here is the stack trace that XRay reported (which is also the reason why I said that errors might not be easy to understand with this first version):
TLSSocket.socketCloseListener (node:undefined)
TLSSocket.emit (node:undefined)
anonymous (node:undefined)
TCP.done (node:undefined)
TCP.callbackTrampoline (node:undefined)
local_dev_files/upgrade_dev_env.sh (Outdated)
else
printf "${greenColor}=> Only building ${MODULE_NAME} Terragrunt Module${reset}\n"
cd $basedir/env/cloud/$MODULE_NAME
terragrunt apply --non-interactive --log-level info -auto-approve
exit 0
fi
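Review bot: the `cd $basedir/env/cloud/$MODULE_NAME` on the third line is unquoted and its result is never checked, so a mistyped MODULE_NAME leaves the script in its current directory and the following `terragrunt apply --non-interactive ... -auto-approve` runs there with no prompt. If the branch stays, make it `cd "$basedir/env/cloud/$MODULE_NAME" || exit 1`; otherwise dropping the block, as suggested in the thread, is the simpler fix.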
We probably don't need this here. Or we could convert it to the run-all init --upgrade (for single module) upgrade command.
Yeah, it was just a quick util I needed, copied and pasted from build_env, and I didn't really go through it much.
import AWSXRay from "aws-xray-sdk-core";
// Need to wrap the http module globally before importing it
// to ensure that all outgoing HTTP requests are captured by AWS X-Ray.
AWSXRay.captureHTTPsGlobal(require("http"));
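Review bot: `require` is not defined inside an ES module, so this line throws a ReferenceError when the function's module is loaded (the CommonJS vs ESM issue raised in the review). The comment's "before importing it" also does not hold in ESM: static `import` statements are hoisted and evaluated before this statement, so any module that bound `http.request` itself before this ran keeps the unpatched function. Pass the module object (`(await import("http")).default`) instead, and hook `https` too where the function makes TLS calls.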
Using require causes a compatibility issue because our Lambda functions are set up with ESM.
Here is one quick solution I found online (there may be other ones though). I already tested it:
import AWSXRay from "aws-xray-sdk-core";
(async () => {
const http = await import("http");
const https = await import("https");
// These are CommonJS modules, so use .default if needed
AWSXRay.captureHTTPsGlobal(http.default || http);
AWSXRay.captureHTTPsGlobal(https.default || https);
})();
In this Lambda function I see that we are importing https, so we should be tracking that specific package.
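To see why the fix above has to patch `http.default`, and one case it still misses, here is an added example (not code from the PR or the project): `installTraceHook` stands in for `AWSXRay.captureHTTPsGlobal`, replacing `request`/`get` on whatever module object it receives just as the SDK does, and runs offline against a constructed local server. It goes beyond the thread in showing that a caller holding a named ESM import (`import { request } from "http"`) keeps the unpatched function until `module.syncBuiltinESMExports()` is called.

```javascript
// Added example, not code from the PR or the project. `installTraceHook`
// stands in for AWSXRay.captureHTTPsGlobal: like the SDK, it replaces
// request()/get() on whatever module object it is handed, so the ESM/CJS
// interop behaviour shown here is the same as with the real hook.
function installTraceHook(httpModule, captured) {
  for (const name of ["request", "get"]) {
    const original = httpModule[name];
    httpModule[name] = function traced(...args) {
      const req = original.apply(this, args);
      // A tracer would open a subsegment here; we only record the call.
      captured.push(`${name} ${req.method} ${req.path}`);
      return req;
    };
  }
}

// One GET to the local test server through `requestFn`; resolves with the
// status code once the body has been consumed. `agent: false` gives each
// request its own short-lived socket so the process exits cleanly.
function fetchOnce(requestFn, port) {
  return new Promise((resolve, reject) => {
    const req = requestFn(
      { host: "127.0.0.1", port, path: "/ping", method: "GET", agent: false },
      (res) => {
        res.resume();
        res.on("end", () => resolve(res.statusCode));
      },
    );
    req.on("error", reject);
    req.end();
  });
}

async function demo() {
  // import("http") yields a namespace: `.default` is the CommonJS module
  // object (what require("http") returns in CJS code); named exports such as
  // ns.request are separate bindings that are NOT live-updated by patches.
  const ns = await import("node:http");
  const cjs = ns.default;
  const captured = [];
  installTraceHook(cjs, captured); // the object `http.default || http` resolves to

  // Constructed local server so the example needs no network access.
  const server = cjs.createServer((_req, res) => res.end("pong"));
  await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
  const { port } = server.address();
  try {
    // A caller using the module object (`import http from "http"; http.request(...)`)
    // goes through the patched function and is traced.
    await fetchOnce(cjs.request, port);
    const afterDefaultCall = captured.length;

    // A caller using a named import (`import { request } from "http"`) still
    // holds the original function, so its call is invisible to the hook.
    const namedBindingPatched = ns.request === cjs.request;
    await fetchOnce(ns.request, port);
    const afterNamedCall = captured.length;

    // module.syncBuiltinESMExports() re-syncs the builtin ESM bindings with
    // the (now patched) CommonJS exports; after that the named import is traced too.
    const mod = await import("node:module");
    (mod.default ?? mod).syncBuiltinESMExports();
    const namedBindingPatchedAfterSync = ns.request === cjs.request;
    await fetchOnce(ns.request, port);
    const afterSync = captured.length;

    return {
      afterDefaultCall,
      namedBindingPatched,
      afterNamedCall,
      namedBindingPatchedAfterSync,
      afterSync,
      captured,
    };
  } finally {
    server.close();
  }
}
```

`demo()` resolves with one recorded call after the first two requests (the named-import call is missed) and two after the sync, which is the behaviour to expect from any global hook applied in an ESM Lambda whose other modules import `request` by name.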
I have a plan to redo this PR and not use the aws xray sdk but instead use the opentelemetry directly that allows for more configuration and compatibility long term.
import AWSXRay from "aws-xray-sdk-core";
// Need to wrap the http module globally before importing it
// to ensure that all outgoing HTTP requests are captured by AWS X-Ray.
AWSXRay.captureHTTPsGlobal(require("http"));
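Review bot: same `require`-in-ESM failure as the previous file. Separately, `captureHTTPsGlobal` wraps only the `http`/`https` `request()` and `get()` functions; a Redis client speaks RESP over a plain `net`/`tls` socket and never goes through them, so no Redis subsegments will appear however the module is imported. Tracing Redis needs client-level instrumentation, which is what the OpenTelemetry route mentioned in the thread provides.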
(Same problem I reported in the previous comment on plugging AWSXRay.captureHTTPsGlobal)
I am guessing you wanted to capture any Redis traffic that would be based on the http library. I tested it with my fix in place and I could not see anything in XRay.
I then tried to plug XRay in emailNotification.ts as a test (I figured you did not add it in this PR because we could plug XRay directly in the connectors package). I was able to see the call to the API in XRay traces.
Note: since this file is imported before we send requests to GCNotify, it allows calls to their API to be caught by XRay. Maybe we could do such initialization in the main files.
I'm going to set this back to draft and rip out the aws xray sdk and instead go with the opentelemetry sdk. The app side is not compatible with the aws xray sdk so I thought I would just do the extra legwork upfront now and swap over all code.
Staging: lambdas ✅ Terraform Init: Plan: 1 to add, 11 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# aws_iam_role_policy_attachment.lambda_xray will be created
+ resource "aws_iam_role_policy_attachment" "lambda_xray" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+ role = "iam_for_lambda"
}
# aws_lambda_function.api_end_to_end_test will be updated in-place
~ resource "aws_lambda_function" "api_end_to_end_test" {
id = "api-end-to-end-test"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.audit_logs will be updated in-place
~ resource "aws_lambda_function" "audit_logs" {
id = "audit-logs"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.audit_logs_archiver will be updated in-place
~ resource "aws_lambda_function" "audit_logs_archiver" {
id = "audit-logs-archiver"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.form_archiver will be updated in-place
~ resource "aws_lambda_function" "form_archiver" {
id = "form-archiver"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.nagware will be updated in-place
~ resource "aws_lambda_function" "nagware" {
id = "nagware"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.prisma_migration will be updated in-place
~ resource "aws_lambda_function" "prisma_migration" {
id = "prisma-migration"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.reliability will be updated in-place
~ resource "aws_lambda_function" "reliability" {
id = "reliability"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.reliability_dlq_consumer will be updated in-place
~ resource "aws_lambda_function" "reliability_dlq_consumer" {
id = "reliability-dlq-consumer"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.response_archiver will be updated in-place
~ resource "aws_lambda_function" "response_archiver" {
id = "response-archiver"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.submission will be updated in-place
~ resource "aws_lambda_function" "submission" {
id = "Submission"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (4 unchanged blocks hidden)
}
# aws_lambda_function.vault_integrity will be updated in-place
~ resource "aws_lambda_function" "vault_integrity" {
id = "vault-integrity"
tags = {}
# (29 unchanged attributes hidden)
~ tracing_config {
~ mode = "PassThrough" -> "Active"
}
# (2 unchanged blocks hidden)
}
Plan: 1 to add, 11 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.api_end_to_end_test_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.api_end_to_end_test"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.prisma_migration_handler"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN -...
Staging: alarms ✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_s3_bucket_lifecycle_configuration.athena_spill_bucket will be updated in-place
~ resource "aws_s3_bucket_lifecycle_configuration" "athena_spill_bucket" {
id = "gc-forms-staging-athena-spill-bucket"
~ transition_default_minimum_object_size = "varies_by_storage_class" -> "all_storage_classes_128K"
# (3 unchanged attributes hidden)
~ rule {
id = "Clear spill bucket after 1 day"
# (2 unchanged attributes hidden)
- filter {
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
}
Plan: 0 to add, 1 to change, 0 to destroy.
Warning: Invalid Attribute Combination
with aws_s3_bucket_lifecycle_configuration.athena_spill_bucket,
on athena.tf line 56, in resource "aws_s3_bucket_lifecycle_configuration" "athena_spill_bucket":
56: resource "aws_s3_bucket_lifecycle_configuration" "athena_spill_bucket" {
No attribute specified when one (and only one) of
[rule[0].filter,rule[0].prefix] is required
This will be an error in a future version of the provider
Warning: Deprecated attribute
on .terraform/modules/athena/athena_access_logs/locals.tf line 6, in locals:
6: region = data.aws_region.current.name
The attribute "name" is deprecated. Refer to the provider documentation for
details.
Warning: Argument is deprecated
with module.athena_bucket.aws_s3_bucket.this,
on .terraform/modules/athena_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
8: resource "aws_s3_bucket" "this" {
lifecycle_rule is deprecated. Use the aws_s3_bucket_lifecycle_configuration
resource instead.
(and 2 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_data_catalog.rds_data_catalog"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.codedeploy_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notify_slack"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_5xx_error_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ELB_healthy_hosts"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.alb_ddos"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_healthy_host_count"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_response_time_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.audit_log_dead_letter_queue_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.cognito_signin_exceeded"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_forms_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.ddos_detected_route53_warn[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_cpu_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.forms_memory_utilization_high_warn"]
WARN - plan.json - main - Missing Common Tags:...
Staging: load_testing ✅ Terraform Init: Plan: 0 to add, 4 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.load_test_lambda will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "load_test_lambda" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "ssm:GetParameters",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-id",
+ "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-private-key",
+ "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/submit-form-server-action-id",
+ "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/zitadel-app-private-key",
]
+ sid = "GetSSMParameters"
}
+ statement {
+ actions = [
+ "lambda:InvokeFunction",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:lambda:ca-central-1:687401027353:function:Submission",
]
+ sid = "InvokeSubmissionLambda"
}
}
# aws_iam_policy.load_test_lambda will be updated in-place
~ resource "aws_iam_policy" "load_test_lambda" {
id = "arn:aws:iam::687401027353:policy/LoadTestLambda"
name = "LoadTestLambda"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = "ssm:GetParameters"
- Effect = "Allow"
- Resource = [
- "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/zitadel-app-private-key",
- "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/submit-form-server-action-id",
- "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-private-key",
- "arn:aws:ssm:ca-central-1:687401027353:parameter/load-testing/form-id",
]
- Sid = "GetSSMParameters"
},
- {
- Action = "lambda:InvokeFunction"
- Effect = "Allow"
- Resource = "arn:aws:lambda:ca-central-1:687401027353:function:Submission"
- Sid = "InvokeSubmissionLambda"
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {}
# (7 unchanged attributes hidden)
}
# aws_ssm_parameter.load_testing_form_id will be updated in-place
~ resource "aws_ssm_parameter" "load_testing_form_id" {
id = "/load-testing/form-id"
+ insecure_value = (known after apply)
name = "/load-testing/form-id"
tags = {}
~ value = (sensitive value)
~ version = 8 -> (known after apply)
# (10 unchanged attributes hidden)
}
# aws_ssm_parameter.load_testing_form_private_key will be updated in-place
~ resource "aws_ssm_parameter" "load_testing_form_private_key" {
id = "/load-testing/form-private-key"
+ insecure_value = (known after apply)
name = "/load-testing/form-private-key"
tags = {}
~ value = (sensitive value)
~ version = 11 -> (known after apply)
# (10 unchanged attributes hidden)
}
# aws_ssm_parameter.load_testing_submit_form_server_action_id_key will be updated in-place
~ resource "aws_ssm_parameter" "load_testing_submit_form_server_action_id_key" {
id = "/load-testing/submit-form-server-action-id"
+ insecure_value = (known after apply)
name = "/load-testing/submit-form-server-action-id"
tags = {}
~ value = (sensitive value)
~ version = 6 -> (known after apply)
# (10 unchanged attributes hidden)
}
Plan: 0 to add, 4 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.load_test_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.load_test_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.load_testing"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_form_id"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_form_private_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_submit_form_server_action_id_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_ssm_parameter.load_testing_zitadel_app_private_key"]
26 tests, 19 passed, 7 warnings, 0 failures, 0 exceptions
⚠ Terraform update available: Terragrunt 0.83.0 (using 0.82.3)
Staging: s3 ✅ Terraform Init: Plan: 0 to add, 3 to change, 0 to destroy
Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_s3_bucket_lifecycle_configuration.archive_storage will be updated in-place
~ resource "aws_s3_bucket_lifecycle_configuration" "archive_storage" {
id = "forms-staging-archive-storage"
~ transition_default_minimum_object_size = "varies_by_storage_class" -> "all_storage_classes_128K"
# (3 unchanged attributes hidden)
~ rule {
id = "Clear Archive Storage after 30 days"
# (2 unchanged attributes hidden)
- filter {
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
}
# aws_s3_bucket_lifecycle_configuration.audit_logs_archive_storage will be updated in-place
~ resource "aws_s3_bucket_lifecycle_configuration" "audit_logs_archive_storage" {
id = "forms-staging-audit-logs-archive-storage"
~ transition_default_minimum_object_size = "varies_by_storage_class" -> "all_storage_classes_128K"
# (3 unchanged attributes hidden)
~ rule {
id = "Clear Audit Logs Archive Storage after 1 year and 11 months"
# (2 unchanged attributes hidden)
- filter {
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
}
# aws_s3_bucket_lifecycle_configuration.reliability_file_storage will be updated in-place
~ resource "aws_s3_bucket_lifecycle_configuration" "reliability_file_storage" {
id = "forms-staging-reliability-file-storage"
~ transition_default_minimum_object_size = "varies_by_storage_class" -> "all_storage_classes_128K"
# (3 unchanged attributes hidden)
~ rule {
id = "Clear Reliability Queue after 30 days"
# (2 unchanged attributes hidden)
- filter {
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
}
Plan: 0 to add, 3 to change, 0 to destroy.
Warning: Invalid Attribute Combination
with aws_s3_bucket_lifecycle_configuration.reliability_file_storage,
on s3.tf line 21, in resource "aws_s3_bucket_lifecycle_configuration" "reliability_file_storage":
21: resource "aws_s3_bucket_lifecycle_configuration" "reliability_file_storage" {
No attribute specified when one (and only one) of
[rule[0].filter,rule[0].prefix] is required
This will be an error in a future version of the provider
(and 2 more similar warnings elsewhere)
Warning: Argument is deprecated
with module.etl_bucket.aws_s3_bucket.this,
on .terraform/modules/etl_bucket/S3/main.tf line 8, in resource "aws_s3_bucket" "this":
8: resource "aws_s3_bucket" "this" {
logging is deprecated. Use the aws_s3_bucket_logging resource instead.
(and 11 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.archive_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.audit_logs_archive_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.prisma_migration_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.reliability_file_storage"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.vault_file_storage"]
24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions
Staging: network ✅ Terraform Init: Plan: 1 to add, 0 to change, 0 to destroy
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_vpc_endpoint.xray will be created
+ resource "aws_vpc_endpoint" "xray" {
+ arn = (known after apply)
+ cidr_blocks = (known after apply)
+ dns_entry = (known after apply)
+ id = (known after apply)
+ ip_address_type = (known after apply)
+ network_interface_ids = (known after apply)
+ owner_id = (known after apply)
+ policy = (known after apply)
+ prefix_list_id = (known after apply)
+ private_dns_enabled = true
+ region = "ca-central-1"
+ requester_managed = (known after apply)
+ route_table_ids = (known after apply)
+ security_group_ids = [
+ "sg-089a83b7d81dff031",
]
+ service_name = "com.amazonaws.ca-central-1.xray"
+ service_region = (known after apply)
+ state = (known after apply)
+ subnet_ids = [
+ "subnet-07e38df0760d389d1",
+ "subnet-07f9debd31e48ce64",
+ "subnet-0af8e6e3cf80f582d",
]
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ vpc_endpoint_type = "Interface"
+ vpc_id = "vpc-0ad5b3739860129d0"
+ dns_options (known after apply)
+ subnet_configuration (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_default_network_acl.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_default_security_group.default"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_eip.forms_natgw[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_flow_log.vpc_flow_logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_internet_gateway.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_nat_gateway.forms[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[1]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_private_subnet[2]"]
WARN - plan.json - main - Missing Common Tags: ["aws_route_table.forms_public_subnet"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.api_ecs"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.api_end_to_end_test_lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.connector_db"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_database"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_egress"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_load_balancer"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.forms_redis"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.glue_job"]
WARN - plan.json - main - Missing Common Tags: ["aws_security_group.idp_db"]
WARN - plan.json - main - Missing...
Staging: app ✅ Terraform Init: 🧹 Format: run ecs_iam.tf Plan: 3 to add, 0 to change, 1 to destroy
Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_ecs_task_definition.form_viewer must be replaced
-/+ resource "aws_ecs_task_definition" "form_viewer" {
~ arn = "arn:aws:ecs:ca-central-1:687401027353:task-definition/form-viewer:2649" -> (known after apply)
~ arn_without_revision = "arn:aws:ecs:ca-central-1:687401027353:task-definition/form-viewer" -> (known after apply)
~ container_definitions = jsonencode(
~ [
~ {
+ command = [
+ "--config=/etc/ecs/ecs-default-config.yaml",
]
- environment = [
- {
- name = "AUDIT_LOG_QUEUE_URL"
- value = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue"
},
- {
- name = "COGNITO_CLIENT_ID"
- value = "17bsg3b2b7q5snon007rru264u"
},
- {
- name = "COGNITO_ENDPOINT_URL"
- value = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_Cguq9JNQ1"
},
- {
- name = "EMAIL_ADDRESS_CONTACT_US"
- value = "[email protected]"
},
- {
- name = "EMAIL_ADDRESS_SUPPORT"
- value = "[email protected]"
},
- {
- name = "HOST_URL"
- value = "https://forms-staging.cdssandbox.xyz"
},
- {
- name = "METRIC_PROVIDER"
- value = "stdout"
},
- {
- name = "NEXTAUTH_URL"
- value = "https://forms-staging.cdssandbox.xyz"
},
- {
- name = "RECAPTCHA_V3_SITE_KEY"
- value = "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
},
- {
- name = "REDIS_URL"
- value = "gcforms-redis-rep-group.uwpetx.ng.0001.cac1.cache.amazonaws.com"
},
- {
- name = "RELIABILITY_FILE_STORAGE"
- value = "forms-staging-reliability-file-storage"
},
- {
- name = "REPROCESS_SUBMISSION_QUEUE_URL"
- value = "https://sqs.ca-central-1.amazonaws.com/687401027353/reliability_reprocessing_queue"
},
- {
- name = "TEMPLATE_ID"
- value = "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
},
- {
- name = "TEMPORARY_TOKEN_TEMPLATE_ID"
- value = "b6885d06-d10a-422a-973f-05e274d9aa86"
},
- {
- name = "TRACER_PROVIDER"
- value = "stdout"
},
- {
- name = "ZITADEL_TRUSTED_DOMAIN"
- value = "auth.forms-staging.cdssandbox.xyz"
},
- {
- name = "ZITADEL_URL"
- value = "http://zitadel.ecs.local:8080"
},
]
+ healthCheck = {
+ command = [
+ "/healthcheck",
]
+ interval = 5
+ retries = 5
+ startPeriod = 1
+ timeout = 6
}
~ image = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_staging" -> "amazon/aws-otel-collector"
- linuxParameters = {
- capabilities = {
- add = []
- drop = [
- "ALL",
]
}
}
~ logConfiguration = {
~ options = {
+ awslogs-create-group = "True"
~ awslogs-group = "Forms" -> "/ecs/ecs-aws-otel-sidecar-collector"
~ awslogs-stream-prefix = "ecs-form-viewer" -> "ecs"
# (1 unchanged attribute hidden)
}
# (1 unchanged attribute hidden)
}
- mountPoints = []
~ name = "form_viewer" -> "aws-otel-collector"
- portMappings = [
- {
- containerPort = 3000
- hostPort = 3000
- protocol = "tcp"
},
]
- secrets = [
- {
- name = "DATABASE_URL"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
},
- {
- name = "FRESHDESK_API_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:freshdesk_api_key-JVyxop"
},
- {
- name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs"
},
- {
- name = "HCAPTCHA_SITE_VERIFY_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:hcaptcha_site_verify_key-RBb4n4"
},
- {
- name = "NOTIFY_API_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-eR3nNp"
},
- {
- name = "RECAPTCHA_V3_SECRET_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:recaptcha_secret-tTjsBo"
},
- {
- name = "SENTRY_API_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:sentry_api_key-QBmONz"
},
- {
- name = "TOKEN_SECRET"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:token_secret-n5Doyu"
},
- {
- name = "ZITADEL_ADMINISTRATION_KEY"
- valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:zitadel_administration_key-Oaki1d"
},
]
- systemControls = []
- volumesFrom = []
# (1 unchanged attribute hidden)
},
+ {
+ dependsOn = [
+ {
+ condition = "START"
+ containerName = "aws-otel-collector"
},
]
+ environment = [
+ {
+ name = "AUDIT_LOG_QUEUE_URL"
+ value = "https://sqs.ca-central-1.amazonaws.com/687401027353/audit_log_queue"
},
+ {
+ name = "COGNITO_CLIENT_ID"
+ value = "17bsg3b2b7q5snon007rru264u"
},
+ {
+ name = "COGNITO_ENDPOINT_URL"
+ value = "cognito-idp.ca-central-1.amazonaws.com/ca-central-1_Cguq9JNQ1"
},
+ {
+ name = "EMAIL_ADDRESS_CONTACT_US"
+ value = "[email protected]"
},
+ {
+ name = "EMAIL_ADDRESS_SUPPORT"
+ value = "[email protected]"
},
+ {
+ name = "HOST_URL"
+ value = "https://forms-staging.cdssandbox.xyz"
},
+ {
+ name = "METRIC_PROVIDER"
+ value = "stdout"
},
+ {
+ name = "NEXTAUTH_URL"
+ value = "https://forms-staging.cdssandbox.xyz"
},
+ {
+ name = "RECAPTCHA_V3_SITE_KEY"
+ value = "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
},
+ {
+ name = "REDIS_URL"
+ value = "gcforms-redis-rep-group.uwpetx.ng.0001.cac1.cache.amazonaws.com"
},
+ {
+ name = "RELIABILITY_FILE_STORAGE"
+ value = "forms-staging-reliability-file-storage"
},
+ {
+ name = "REPROCESS_SUBMISSION_QUEUE_URL"
+ value = "https://sqs.ca-central-1.amazonaws.com/687401027353/reliability_reprocessing_queue"
},
+ {
+ name = "TEMPLATE_ID"
+ value = "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
},
+ {
+ name = "TEMPORARY_TOKEN_TEMPLATE_ID"
+ value = "b6885d06-d10a-422a-973f-05e274d9aa86"
},
+ {
+ name = "TRACER_PROVIDER"
+ value = "stdout"
},
+ {
+ name = "ZITADEL_TRUSTED_DOMAIN"
+ value = "auth.forms-staging.cdssandbox.xyz"
},
+ {
+ name = "ZITADEL_URL"
+ value = "http://zitadel.ecs.local:8080"
},
]
+ essential = true
+ image = "687401027353.dkr.ecr.ca-central-1.amazonaws.com/form_viewer_staging"
+ linuxParameters = {
+ capabilities = {
+ add = []
+ drop = [
+ "ALL",
]
}
}
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = "Forms"
+ awslogs-region = "ca-central-1"
+ awslogs-stream-prefix = "ecs-form-viewer"
}
}
+ mountPoints = []
+ name = "form_viewer"
+ portMappings = [
+ {
+ containerPort = 3000
+ protocol = "tcp"
},
]
+ secrets = [
+ {
+ name = "DATABASE_URL"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:server-database-url-0PSpE3"
},
+ {
+ name = "FRESHDESK_API_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:freshdesk_api_key-JVyxop"
},
+ {
+ name = "GC_NOTIFY_CALLBACK_BEARER_TOKEN"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs"
},
+ {
+ name = "HCAPTCHA_SITE_VERIFY_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:hcaptcha_site_verify_key-RBb4n4"
},
+ {
+ name = "NOTIFY_API_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_api_key-eR3nNp"
},
+ {
+ name = "RECAPTCHA_V3_SECRET_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:recaptcha_secret-tTjsBo"
},
+ {
+ name = "SENTRY_API_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:sentry_api_key-QBmONz"
},
+ {
+ name = "TOKEN_SECRET"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:token_secret-n5Doyu"
},
+ {
+ name = "ZITADEL_ADMINISTRATION_KEY"
+ valueFrom = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:zitadel_administration_key-Oaki1d"
},
]
+ systemControls = []
+ volumesFrom = []
},
] # forces replacement
)
~ enable_fault_injection = false -> (known after apply)
~ id = "form-viewer" -> (known after apply)
~ revision = 2649 -> (known after apply)
- tags = {} -> null
# (13 unchanged attributes hidden)
}
# aws_iam_policy.ecs_xray will be created
+ resource "aws_iam_policy" "ecs_xray" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ description = "IAM policy for allowing X-Ray tracing"
+ id = (known after apply)
+ name = "ecs_xray"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "xray:PutTraceSegments",
+ "xray:PutTelemetryRecords",
+ "xray:GetSamplingTargets",
+ "xray:GetSamplingStatisticSummaries",
+ "xray:GetSamplingRules",
+ "ssm:GetParameters",
+ "logs:PutRetentionPolicy",
+ "logs:PutLogEvents",
+ "logs:DescribeLogStreams",
+ "logs:DescribeLogGroups",
+ "logs:CreateLogStream",
+ "logs:CreateLogGroup",
]
+ Effect = "Allow"
+ Resource = "*"
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
}
# aws_iam_role_policy_attachment.ecs_xray will be created
+ resource "aws_iam_role_policy_attachment" "ecs_xray" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "form-viewer"
}
Plan: 3 to add, 0 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_appautoscaling_target.forms[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_app.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_codedeploy_deployment_group.app"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_cluster.forms"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_service.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecs_task_definition.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cognito"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.ecs_xray"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_secrets_manager"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.forms_sqs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.codedeploy"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.forms"]
36 tests, 19 passed, 17 warnings, 0 failures, 0 exceptions
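The plan above creates aws_iam_policy.ecs_xray with Resource = "*" for a mix of X-Ray, SSM and CloudWatch Logs actions. The X-Ray segment, telemetry and sampling actions have no resource-level permissions, so "*" is what they require; the ssm:GetParameters and most of the logs actions accept ARNs and could be narrowed to the parameters the collector reads and the "Forms" log group. The Conftest warnings above are all about missing tags, so as an added example in that spirit (not the project's code or one of its Conftest rules), the Python below loads a plan in `terraform show -json` shape and reports which wildcard grants on newly created or updated IAM policies could be scoped. The names check_plan, scopeable_wildcards and SAMPLE_PLAN, the allowlist of actions treated as acceptable on "*", and the control policy with placeholder account 111122223333 are all constructed here.

```python
# Added example for this PR page: a plan-level check in the spirit of the Conftest
# run above. It is not the project's code; check_plan, scopeable_wildcards,
# SAMPLE_PLAN and the control policy are constructed here.
from __future__ import annotations

import json

# Actions this check accepts on Resource "*" (a judgement for this policy): the
# X-Ray segment, telemetry and sampling calls have no resource-level permissions,
# and DescribeLogGroups is an account-wide listing call. Every other action
# granted on "*" is reported for scoping.
ACCEPTED_ON_WILDCARD = {
    "xray:PutTraceSegments",
    "xray:PutTelemetryRecords",
    "xray:GetSamplingRules",
    "xray:GetSamplingTargets",
    "xray:GetSamplingStatisticSummaries",
    "logs:DescribeLogGroups",
}


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scopeable_wildcards(policy_doc: dict) -> list[str]:
    """Return Allow actions granted on Resource "*" that could be narrowed to ARNs."""
    found = []
    for statement in _as_list(policy_doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(statement.get("Resource")):
            continue
        found.extend(a for a in _as_list(statement.get("Action"))
                     if a not in ACCEPTED_ON_WILDCARD)
    return found


def check_plan(plan: dict) -> dict[str, list[str]]:
    """Map each aws_iam_policy being created or updated to its scopeable actions."""
    findings: dict[str, list[str]] = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_policy":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        policy = (change.get("after") or {}).get("policy")
        if not policy:  # unknown until apply: absent from "after" in the JSON plan
            continue
        doc = json.loads(policy) if isinstance(policy, str) else policy
        actions = scopeable_wildcards(doc)
        if actions:
            findings[rc["address"]] = actions
    return findings


def _iam_policy_change(address: str, actions: list[str], resource) -> dict:
    """One resource_changes entry; Terraform stores the policy as a JSON string."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}
    return {"address": address, "type": "aws_iam_policy",
            "change": {"actions": ["create"], "after": {"policy": json.dumps(doc)}}}


# Constructed sample in the shape of `terraform show -json plan.tfplan`: the
# ecs_xray policy from the plan above plus a scoped control policy (placeholder
# account 111122223333) that should produce no finding.
SAMPLE_PLAN = {"resource_changes": [
    _iam_policy_change("aws_iam_policy.ecs_xray", [
        "xray:PutTraceSegments", "xray:PutTelemetryRecords",
        "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries",
        "xray:GetSamplingRules", "ssm:GetParameters",
        "logs:PutRetentionPolicy", "logs:PutLogEvents", "logs:DescribeLogStreams",
        "logs:DescribeLogGroups", "logs:CreateLogStream", "logs:CreateLogGroup",
    ], "*"),
    _iam_policy_change("aws_iam_policy.scoped_logs",
                       ["logs:PutLogEvents", "logs:CreateLogStream"],
                       "arn:aws:logs:ca-central-1:111122223333:log-group:Forms:*"),
]}

if __name__ == "__main__":
    for address, actions in check_plan(SAMPLE_PLAN).items():
        print(f'{address}: Resource "*" on {", ".join(actions)}')
```

Run against a real plan with `terraform show -json plan.tfplan > plan.json` and `check_plan(json.load(open("plan.json")))`; the allowlist is the part to tune per policy, since the point is to separate actions that genuinely need "*" from those that are merely convenient on it.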
Summary | Résumé
make upgrade_env, which allows reinitializing the modules and updating provider versions
Test instructions | Instructions pour tester la modification