diff --git a/README.md b/README.md index 922db07..14392f4 100644 --- a/README.md +++ b/README.md @@ -26,3 +26,6 @@ rebecaa linn : She does x86 (get context for ARM) cd ~/.aws/ +terraform plan -out=plan.out | tee terraform_plan.log + + diff --git a/main.tf b/main.tf index 2cf4540..998ba99 100644 --- a/main.tf +++ b/main.tf @@ -145,12 +145,11 @@ module "windows" { } userdata = "userdata/winrm.ps1" build_environment_variables = [ - for proxy_var in keys(local.proxy_env_vars) : - { - name = proxy_var, - value = lookup(local.proxy_env_vars, proxy_var), - type = "PLAINTEXT" - } + for proxy_var in keys(local.proxy_env_vars) : { + name = proxy_var + value = lookup(local.proxy_env_vars, proxy_var) + type = "PLAINTEXT" + } ] ansible_repo = data.aws_codecommit_repository.ansible goss_repo = data.aws_codecommit_repository.goss @@ -159,4 +158,4 @@ module "windows" { vpc_config = local.vpc_config source_ami = "ami-012fffaddacaa52ff" # x86_64 compatible AMI instance_type = "t2.xlarge" # x86_64 compatible instance type -} +} \ No newline at end of file diff --git a/plan.out b/plan.out new file mode 100644 index 0000000..af85f38 Binary files /dev/null and b/plan.out differ diff --git a/terraform_plan.log b/terraform_plan.log new file mode 100644 index 0000000..273a4ad --- /dev/null +++ b/terraform_plan.log 
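Review bot: The command added to the README writes plan.out and terraform_plan.log into the working tree, and this same commit checks both in (plan.out appears below as a new binary file, terraform_plan.log as a 734-line new file). Terraform documents saved plan files as containing sensitive values in the clear, so plan.out holds what the log only shows as `(sensitive value)` — the secretsmanager secret_version strings and the random_password.winrm result — and the log itself records the account ID and the IAM access key IDs of both build users. Suggest writing the artifacts outside the repository, e.g. `terraform plan -out=/tmp/plan.out | tee /tmp/terraform_plan.log`, adding `plan.out` and `*.log` to .gitignore, and dropping the two committed files; if this plan file has already left the workstation, treat the secrets it contains as exposed and rotate them.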
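Review bot: Every entry taken from `local.proxy_env_vars` is still emitted with `type = "PLAINTEXT"`, so if any proxy URL ever carries embedded credentials (`http://user:pass@proxy:port`) they land unencrypted in the CodeBuild project definition, readable by anything holding codebuild:BatchGetProjects — which the plan output further down grants to the pipeline roles. Whether proxy_env_vars can hold credentials cannot be seen from here, since the local is defined outside this hunk; if it may, those entries should use `type = "PARAMETER_STORE"` or `"SECRETS_MANAGER"` with the value being the parameter or secret name. Otherwise a one-line comment above the for expression would pin the assumption: `# proxy_env_vars must not embed credentials: PLAINTEXT values are visible in the CodeBuild project definition`. The enclosing `module "windows"` block starts before this hunk and its closing brace is in the next one.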
@@ -0,0 +1,734 @@ +random_uuid.random: Refreshing state... [id=08230846-acc4-7788-94df-5730ed20c008] +random_password.winrm: Refreshing state... [id=none] +module.rhel.module.codepipeline_iam_role.data.aws_partition.current: Reading... +module.windows.module.codepipeline_iam_role.data.aws_partition.current: Reading... +module.windows.module.codecommit_infrastructure_source_repo.data.aws_codecommit_repository.existing_repository[0]: Reading... +module.rhel.module.codepipeline_iam_role.data.aws_region.current: Reading... +data.aws_codecommit_repository.ansible: Reading... +module.rhel.module.codepipeline_kms.data.aws_caller_identity.current: Reading... +module.windows.data.aws_region.current: Reading... +module.rhel.module.codepipeline_iam_role.data.aws_caller_identity.current: Reading... +aws_security_group.allow_amznlinux_cdn: Refreshing state... [id=sg-0d4fe49450ff203c5] +module.rhel.module.codepipeline_iam_role.data.aws_partition.current: Read complete after 0s [id=aws-us-gov] +module.rhel.module.codepipeline_iam_role.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +module.main.aws_iam_user.build_user: Refreshing state... [id=linux-image-pipeline-demo] +module.windows.data.aws_caller_identity.current: Reading... +module.windows.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +module.windows.module.codepipeline_iam_role.data.aws_partition.current: Read complete after 0s [id=aws-us-gov] +module.windows.data.aws_iam_policy_document.packer_config: Reading... +module.windows.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_assume_role: Reading... +module.windows.data.aws_iam_policy_document.packer_config: Read complete after 0s [id=3551102859] +aws_s3_bucket.rhel_x86_codepipeline_bucket: Refreshing state... 
[id=rhel-x86-codepipeline-bucket] +module.windows.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_assume_role: Read complete after 0s [id=3692184226] +module.windows.module.codepipeline_kms.data.aws_caller_identity.current: Reading... +module.rhel.data.aws_partition.current: Reading... +module.rhel.data.aws_partition.current: Read complete after 0s [id=aws-us-gov] +module.windows.module.codepipeline_iam_role.data.aws_caller_identity.current: Reading... +module.rhel.module.codepipeline_iam_role.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +aws_iam_role.rhel_x86_ec2_role: Refreshing state... [id=rhel-x86-image-pipeline-demo-ec2-role] +module.rhel.module.codepipeline_kms.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +data.aws_iam_policy_document.s3_access: Reading... +data.aws_iam_policy_document.s3_access: Read complete after 0s [id=3125787031] +module.rhel.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_assume_role: Reading... +module.rhel.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_assume_role: Read complete after 0s [id=3692184226] +data.aws_iam_policy_document.key_policy_combined: Reading... +data.aws_iam_policy_document.key_policy_combined: Read complete after 0s [id=846027144] +module.rhel.data.aws_region.current: Reading... +module.rhel.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +module.rhel.module.codepipeline_kms.data.aws_region.current: Reading... +module.rhel.module.codepipeline_kms.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +aws_iam_role.rhel_x86_codepipeline_role: Refreshing state... [id=rhel-x86-image-pipeline-demo-codepipeline-role] +module.windows.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +module.windows.data.aws_partition.current: Reading... 
+module.windows.data.aws_partition.current: Read complete after 0s [id=aws-us-gov] +module.rhel.module.codecommit_infrastructure_source_repo.data.aws_codecommit_repository.existing_repository[0]: Reading... +module.windows.module.codepipeline_kms.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +module.windows.module.codepipeline_iam_role.data.aws_region.current: Reading... +module.windows.module.codepipeline_iam_role.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +module.rhel.data.aws_caller_identity.current: Reading... +module.windows.module.codepipeline_iam_role.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +data.aws_codecommit_repository.goss: Reading... +aws_s3_bucket.state_bucket: Refreshing state... [id=inf-test-08230846-acc4-7788-94df-5730ed20c008] +module.windows.module.codecommit_infrastructure_source_repo.data.aws_codecommit_repository.existing_repository[0]: Read complete after 0s [id=windows-image-pipeline] +module.windows.module.codepipeline_kms.data.aws_region.current: Reading... +module.windows.module.codepipeline_kms.data.aws_region.current: Read complete after 0s [id=us-gov-west-1] +module.rhel.data.aws_iam_policy_document.packer_config: Reading... +module.rhel.data.aws_iam_policy_document.packer_config: Read complete after 0s [id=3551102859] +data.aws_codecommit_repository.ansible: Read complete after 0s [id=image-pipeline-ansible-playbooks] +aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4: Refreshing state... [id=sgr-04e2d889ac94874f9] +module.rhel.data.aws_caller_identity.current: Read complete after 0s [id=229685449397] +aws_vpc_security_group_ingress_rule.allow_all_between_self: Refreshing state... [id=sgr-0798aee6a92629f23] +module.windows.aws_iam_user.build_user: Refreshing state... [id=windows-image-pipeline-demo] +module.windows.data.aws_iam_policy_document.codecommit_access: Reading... 
+module.windows.data.aws_iam_policy_document.codecommit_access: Read complete after 0s [id=2251139946] +module.rhel.data.aws_iam_policy_document.codecommit_access: Reading... +module.rhel.data.aws_iam_policy_document.codecommit_access: Read complete after 0s [id=2959897913] +module.windows.module.codepipeline_kms.aws_kms_key.encryption_key: Refreshing state... [id=498724ae-3fb1-46b0-bc26-1481e0551e24] +module.rhel.module.codecommit_infrastructure_source_repo.data.aws_codecommit_repository.existing_repository[0]: Read complete after 0s [id=linux-image-pipeline] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket.codepipeline_bucket: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +module.windows.module.codepipeline_iam_role.aws_iam_role.codepipeline_role[0]: Refreshing state... [id=windows-image-pipeline-demo-codepipeline-role] +data.aws_codecommit_repository.goss: Read complete after 0s [id=image-pipeline-goss-testing] +module.windows.aws_security_group.packer[0]: Refreshing state... [id=sg-0f44a32ec4f632e46] +module.rhel.aws_security_group.packer[0]: Refreshing state... [id=sg-0b0257658ccc48e91] +module.rhel.aws_iam_user.build_user: Refreshing state... [id=rhel-image-pipeline-demo] +module.windows.aws_iam_access_key.build_user: Refreshing state... [id=AKIATK6SR2K26VSLDEU2] +module.windows.aws_iam_user_policy.build_user["packer_permissions"]: Refreshing state... [id=windows-image-pipeline-demo:windows-image-pipeline-demo-build-user] +module.windows.aws_iam_user_policy.build_user["build_permissions"]: Refreshing state... [id=windows-image-pipeline-demo:windows-image-pipeline-demo-build-user] +module.windows.aws_iam_user_policy.build_user["repo_permissions"]: Refreshing state... [id=windows-image-pipeline-demo:windows-image-pipeline-demo-build-user] +module.rhel.module.codepipeline_kms.aws_kms_key.encryption_key: Refreshing state... 
[id=87f2048e-dba4-449f-b12e-47c9315f7fd8] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket.codepipeline_bucket: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.rhel.module.codepipeline_iam_role.aws_iam_role.codepipeline_role[0]: Refreshing state... [id=rhel-image-pipeline-demo-codepipeline-role] +module.windows.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv6[0]: Refreshing state... [id=sgr-098fc1ba59f1bc41f] +module.windows.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4[0]: Refreshing state... [id=sgr-0d4418ddbcdc66473] +module.windows.aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4[0]: Refreshing state... [id=sgr-00b2eedf2aeb1635e] +module.windows.aws_security_group_rule.sg_rule[0]: Refreshing state... [id=sgrule-3783982558] +module.rhel.aws_iam_access_key.build_user: Refreshing state... [id=AKIATK6SR2K2XLXHMYAK] +module.rhel.aws_iam_user_policy.build_user["repo_permissions"]: Refreshing state... [id=rhel-image-pipeline-demo:rhel-image-pipeline-demo-build-user] +module.rhel.aws_iam_user_policy.build_user["build_permissions"]: Refreshing state... [id=rhel-image-pipeline-demo:rhel-image-pipeline-demo-build-user] +module.rhel.aws_iam_user_policy.build_user["packer_permissions"]: Refreshing state... [id=rhel-image-pipeline-demo:rhel-image-pipeline-demo-build-user] +module.rhel.aws_security_group_rule.sg_rule[0]: Refreshing state... [id=sgrule-3008455558] +module.rhel.aws_vpc_security_group_ingress_rule.allow_all_ssh_ipv4[0]: Refreshing state... [id=sgr-0a487204fb0d2e5a2] +module.rhel.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4[0]: Refreshing state... [id=sgr-0ff7e2528e30416c0] +module.rhel.aws_vpc_security_group_egress_rule.allow_all_traffic_ipv6[0]: Refreshing state... [id=sgr-019d0f102cdadfa77] +module.windows.module.codepipeline_iam_role.aws_iam_policy.vpc_config[0]: Refreshing state... 
[id=arn:aws-us-gov:iam::229685449397:policy/windows-image-pipeline-demo-vpc-access] +module.rhel.module.codepipeline_iam_role.aws_iam_policy.vpc_config[0]: Refreshing state... [id=arn:aws-us-gov:iam::229685449397:policy/rhel-image-pipeline-demo-vpc-access] +module.windows.module.codepipeline_kms.data.aws_iam_policy_document.kms_key_policy_doc: Reading... +module.windows.module.codepipeline_kms.data.aws_iam_policy_document.kms_key_policy_doc: Read complete after 0s [id=2351423905] +module.windows.aws_ssm_parameter.parameters["goss_profile"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/goss_profile] +module.windows.aws_ssm_parameter.parameters["vpc_id"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/vpc_id] +module.windows.aws_ssm_parameter.parameters["region"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/region] +module.windows.aws_ssm_parameter.parameters["troubleshoot"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/troubleshoot] +module.windows.aws_ssm_parameter.parameters["source_ami"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/source_ami] +module.windows.aws_ssm_parameter.parameters["ami_name"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/ami_name] +module.windows.aws_ssm_parameter.parameters["instance_type"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/instance_type] +module.windows.aws_ssm_parameter.parameters["security_group_ids"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/security_group_ids] +module.windows.aws_ssm_parameter.parameters["userdata"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/userdata] +module.windows.aws_ssm_parameter.parameters["subnets"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/subnets] +module.windows.aws_ssm_parameter.parameters["parameters"]: Refreshing state... 
[id=/image-pipeline/windows-image-pipeline-demo/parameters] +module.windows.aws_ssm_parameter.parameters["shared_accounts"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/shared_accounts] +module.windows.aws_ssm_parameter.parameters["secrets"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/secrets] +module.windows.aws_ssm_parameter.parameters["playbook"]: Refreshing state... [id=/image-pipeline/windows-image-pipeline-demo/playbook] +module.rhel.module.codepipeline_kms.data.aws_iam_policy_document.kms_key_policy_doc: Reading... +module.rhel.module.codepipeline_kms.data.aws_iam_policy_document.kms_key_policy_doc: Read complete after 0s [id=4103588423] +module.rhel.aws_ssm_parameter.parameters["subnets"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/subnets] +module.rhel.aws_ssm_parameter.parameters["ami_name"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/ami_name] +module.rhel.aws_ssm_parameter.parameters["userdata"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/userdata] +module.rhel.aws_ssm_parameter.parameters["playbook"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/playbook] +module.rhel.aws_ssm_parameter.parameters["goss_profile"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/goss_profile] +module.rhel.aws_ssm_parameter.parameters["vpc_id"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/vpc_id] +module.rhel.aws_ssm_parameter.parameters["shared_accounts"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/shared_accounts] +module.rhel.aws_ssm_parameter.parameters["instance_type"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/instance_type] +module.rhel.aws_ssm_parameter.parameters["parameters"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/parameters] +module.rhel.aws_ssm_parameter.parameters["source_ami"]: Refreshing state... 
[id=/image-pipeline/rhel-image-pipeline-demo/source_ami] +module.rhel.aws_ssm_parameter.parameters["ssh_user"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/ssh_user] +module.rhel.aws_ssm_parameter.parameters["troubleshoot"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/troubleshoot] +module.rhel.aws_ssm_parameter.parameters["security_group_ids"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/security_group_ids] +module.rhel.aws_ssm_parameter.parameters["region"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/region] +module.rhel.aws_ssm_parameter.parameters["keyname"]: Refreshing state... [id=/image-pipeline/rhel-image-pipeline-demo/keyname] +module.windows.module.codepipeline_iam_role.aws_iam_role_policy_attachment.codepipeline_vpc_role_attach[0]: Refreshing state... [id=windows-image-pipeline-demo-codepipeline-role-20240731183315526100000005] +module.rhel.module.codepipeline_iam_role.aws_iam_role_policy_attachment.codepipeline_vpc_role_attach[0]: Refreshing state... [id=rhel-image-pipeline-demo-codepipeline-role-20240731182109075500000005] +aws_iam_policy.rhel_x86_codepipeline_permissions: Refreshing state... [id=arn:aws-us-gov:iam::229685449397:policy/rhel-x86-codepipeline-permissions] +aws_iam_policy.rhel_x86_ec2_permissions: Refreshing state... [id=arn:aws-us-gov:iam::229685449397:policy/rhel-x86-ec2-permissions] +aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption: Refreshing state... [id=inf-test-08230846-acc4-7788-94df-5730ed20c008] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket_public_access_block.codepipeline_bucket_access: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +module.windows.module.s3_artifacts_bucket.data.aws_iam_policy_document.bucket_policy_doc_codepipeline_bucket: Reading... 
+module.windows.module.s3_artifacts_bucket.data.aws_iam_policy_document.bucket_policy_doc_codepipeline_bucket: Read complete after 0s [id=202927436] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket_server_side_encryption_configuration.codepipeline_bucket_encryption: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket_logging.codepipeline_bucket_logging: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket_versioning.codepipeline_bucket_versioning: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket_server_side_encryption_configuration.codepipeline_bucket_encryption: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket_versioning.codepipeline_bucket_versioning: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.rhel.module.s3_artifacts_bucket.data.aws_iam_policy_document.bucket_policy_doc_codepipeline_bucket: Reading... +module.rhel.module.s3_artifacts_bucket.data.aws_iam_policy_document.bucket_policy_doc_codepipeline_bucket: Read complete after 0s [id=2668657987] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket_public_access_block.codepipeline_bucket_access: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket_logging.codepipeline_bucket_logging: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.windows.module.s3_artifacts_bucket.aws_s3_bucket_policy.bucket_policy_codepipeline_bucket: Refreshing state... [id=windows-image-pipeline-demo20240731183313147900000004] +aws_iam_role_policy_attachment.rhel_x86_codepipeline_role_attachment: Refreshing state... 
[id=rhel-x86-image-pipeline-demo-codepipeline-role-20240731182108994100000003] +aws_iam_role_policy_attachment.rhel_x86_ec2_role_attachment: Refreshing state... [id=rhel-x86-image-pipeline-demo-ec2-role-20240731182108998300000004] +module.rhel.module.s3_artifacts_bucket.aws_s3_bucket_policy.bucket_policy_codepipeline_bucket: Refreshing state... [id=rhel-image-pipeline-demo20240731182105707600000002] +module.rhel.module.codebuild_terraform.aws_codebuild_project.terraform_codebuild_project["test"]: Refreshing state... [id=arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/rhel-image-pipeline-demo-test] +module.rhel.module.codebuild_terraform.aws_codebuild_project.terraform_codebuild_project["build"]: Refreshing state... [id=arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/rhel-image-pipeline-demo-build] +module.windows.module.codebuild_terraform.aws_codebuild_project.terraform_codebuild_project["test"]: Refreshing state... [id=arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/windows-image-pipeline-demo-test] +module.windows.module.codebuild_terraform.aws_codebuild_project.terraform_codebuild_project["build"]: Refreshing state... [id=arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/windows-image-pipeline-demo-build] +module.windows.module.codepipeline_terraform.aws_codepipeline.terraform_pipeline: Refreshing state... [id=windows-image-pipeline-demo-pipeline] +module.rhel.module.codepipeline_terraform.aws_codepipeline.terraform_pipeline: Refreshing state... [id=rhel-image-pipeline-demo-pipeline] + +Terraform used the selected providers to generate the following execution +plan. 
Resource actions are indicated with the following symbols: + + create + - destroy + <= read (data resources) + +Terraform will perform the following actions: + + # aws_kms_alias.rhel_x86_codepipeline_alias will be created + + resource "aws_kms_alias" "rhel_x86_codepipeline_alias" { + + arn = (known after apply) + + id = (known after apply) + + name = "alias/rhel-x86-codepipeline-key" + + name_prefix = (known after apply) + + target_key_arn = (known after apply) + + target_key_id = (known after apply) + } + + # aws_kms_key.rhel_x86_codepipeline_key will be created + + resource "aws_kms_key" "rhel_x86_codepipeline_key" { + + arn = (known after apply) + + bypass_policy_lockout_safety_check = false + + customer_master_key_spec = "SYMMETRIC_DEFAULT" + + description = "KMS key for RHEL x86 CodePipeline" + + enable_key_rotation = true + + id = (known after apply) + + is_enabled = true + + key_id = (known after apply) + + key_usage = "ENCRYPT_DECRYPT" + + multi_region = (known after apply) + + policy = jsonencode( + { + + Statement = [ + + { + + Action = "kms:*" + + Effect = "Allow" + + Principal = { + + AWS = "arn:aws-us-gov:iam::229685449397:root" + } + + Resource = "*" + + Sid = "Enable IAM User Permissions" + }, + + { + + Action = [ + + "kms:Update*", + + "kms:UntagResource", + + "kms:TagResource", + + "kms:ScheduleKeyDeletion", + + "kms:RotateKeyOnDemand", + + "kms:Revoke*", + + "kms:Put*", + + "kms:List*", + + "kms:Get*", + + "kms:Enable*", + + "kms:Disable*", + + "kms:Describe*", + + "kms:Delete*", + + "kms:Create*", + + "kms:CancelKeyDeletion", + ] + + Effect = "Allow" + + Principal = { + + AWS = [ + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role", + ] + } + + Resource = "*" + + Sid = "Allow access for Key Administrators" + }, + + { + + Action = [ + + 
"kms:ReEncrypt*", + + "kms:GenerateDataKey*", + + "kms:Encrypt", + + "kms:DescribeKey", + + "kms:Decrypt", + ] + + Effect = "Allow" + + Principal = { + + AWS = [ + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role", + ] + } + + Resource = "*" + + Sid = "Allow use of the key" + }, + + { + + Action = [ + + "kms:RevokeGrant", + + "kms:ListGrants", + + "kms:CreateGrant", + ] + + Condition = { + + Bool = { + + "kms:GrantIsForAWSResource" = "true" + } + } + + Effect = "Allow" + + Principal = { + + AWS = [ + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-ec2-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-x86-image-pipeline-demo-codepipeline-role", + + "arn:aws-us-gov:iam::229685449397:role/rhel-arm-image-pipeline-demo-codepipeline-role", + ] + } + + Resource = "*" + + Sid = "Allow attachment of persistent resources" + }, + ] + + Version = "2012-10-17" + } + ) + + rotation_period_in_days = (known after apply) + + tags_all = (known after apply) + } + + # aws_s3_bucket_server_side_encryption_configuration.rhel_x86_codepipeline_bucket_sse will be created + + resource "aws_s3_bucket_server_side_encryption_configuration" "rhel_x86_codepipeline_bucket_sse" { + + bucket = "rhel-x86-codepipeline-bucket" + + id = (known after apply) + + + rule { + + apply_server_side_encryption_by_default { + + kms_master_key_id = (known after apply) + + sse_algorithm = "aws:kms" + } + } + } + + # module.main.aws_iam_user.build_user will be destroyed + # (because aws_iam_user.build_user is not in configuration) + - resource "aws_iam_user" "build_user" { + - arn = "arn:aws-us-gov:iam::229685449397:user/tf-pipeline/linux-image-pipeline-demo" -> null + - force_destroy = false -> null + - id = "linux-image-pipeline-demo" -> null + - name = 
"linux-image-pipeline-demo" -> null + - path = "/tf-pipeline/" -> null + - tags = { + - "Account_ID" = "229685449397" + - "Project_Name" = "linux-image-pipeline-demo" + - "Region" = "us-gov-west-1" + } -> null + - tags_all = { + - "Account_ID" = "229685449397" + - "Project_Name" = "linux-image-pipeline-demo" + - "Region" = "us-gov-west-1" + } -> null + - unique_id = "AIDATK6SR2K2UPEEDXTG7" -> null + # (1 unchanged attribute hidden) + } + + # module.rhel.aws_secretsmanager_secret.credentials will be created + + resource "aws_secretsmanager_secret" "credentials" { + + arn = (known after apply) + + force_overwrite_replica_secret = false + + id = (known after apply) + + name = "rhel-image-pipeline-demo-aws-credentials" + + name_prefix = (known after apply) + + policy = (known after apply) + + recovery_window_in_days = 30 + + tags_all = (known after apply) + + + replica (known after apply) + } + + # module.rhel.aws_secretsmanager_secret_version.credentials will be created + + resource "aws_secretsmanager_secret_version" "credentials" { + + arn = (known after apply) + + id = (known after apply) + + secret_id = (known after apply) + + secret_string = (sensitive value) + + version_id = (known after apply) + + version_stages = (known after apply) + } + + # module.windows.aws_secretsmanager_secret.credentials will be created + + resource "aws_secretsmanager_secret" "credentials" { + + arn = (known after apply) + + force_overwrite_replica_secret = false + + id = (known after apply) + + name = "windows-image-pipeline-demo-aws-credentials" + + name_prefix = (known after apply) + + policy = (known after apply) + + recovery_window_in_days = 30 + + tags_all = (known after apply) + + + replica (known after apply) + } + + # module.windows.aws_secretsmanager_secret.secrets["winrm_credentials"] will be created + + resource "aws_secretsmanager_secret" "secrets" { + + arn = (known after apply) + + force_overwrite_replica_secret = false + + id = (known after apply) + + name = 
"/image-pipeline/windows-image-pipeline-demo/winrm_credentials" + + name_prefix = (known after apply) + + policy = (known after apply) + + recovery_window_in_days = 30 + + tags_all = (known after apply) + + + replica (known after apply) + } + + # module.windows.aws_secretsmanager_secret_version.credentials will be created + + resource "aws_secretsmanager_secret_version" "credentials" { + + arn = (known after apply) + + id = (known after apply) + + secret_id = (known after apply) + + secret_string = (sensitive value) + + version_id = (known after apply) + + version_stages = (known after apply) + } + + # module.windows.aws_secretsmanager_secret_version.secrets["winrm_credentials"] will be created + + resource "aws_secretsmanager_secret_version" "secrets" { + + arn = (known after apply) + + id = (known after apply) + + secret_id = (known after apply) + + secret_string = (sensitive value) + + version_id = (known after apply) + + version_stages = (known after apply) + } + + # module.rhel.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_policy will be read during apply + # (config refers to values not yet known) + <= data "aws_iam_policy_document" "codepipeline_policy" { + + id = (known after apply) + + json = (known after apply) + + minified_json = (known after apply) + + + statement { + + actions = [ + + "secretsmanager:GetSecretValue", + ] + + effect = "Allow" + + resources = [ + + (known after apply), + ] + } + + statement { + + actions = [ + + "s3:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008/*", + + "arn:aws-us-gov:s3:::rhel-image-pipeline-demo20240731182105707600000002/*", + ] + } + + statement { + + actions = [ + + "ssm:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:ssm:us-gov-west-1:229685449397:parameter/image-pipeline/rhel-image-pipeline-demo/*", + ] + } + + statement { + + actions = [ + + "secretsmanager:*", + ] + + effect = "Allow" + + resources 
= [ + + "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:/image-pipeline/rhel-image-pipeline-demo/*", + ] + } + + statement { + + actions = [ + + "kms:Decrypt", + + "kms:DescribeKey", + + "kms:Encrypt", + + "kms:GenerateDataKey*", + + "kms:ReEncrypt*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/87f2048e-dba4-449f-b12e-47c9315f7fd8", + ] + } + + statement { + + actions = [ + + "ec2:ImportKeyPair", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:ec2:us-gov-west-1:229685449397:key-pair/rhel-image-pipeline-demo-deployer-key", + ] + } + + statement { + + actions = [ + + "codecommit:BatchGetCommits", + + "codecommit:BatchGetRepositories", + + "codecommit:CreateCommit", + + "codecommit:GetBranch", + + "codecommit:GetCommit", + + "codecommit:GetRepository", + + "codecommit:GetUploadArchiveStatus", + + "codecommit:GitPull", + + "codecommit:GitPush", + + "codecommit:ListBranches", + + "codecommit:ListRepositories", + + "codecommit:UploadArchive", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-ansible-playbooks", + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-goss-testing", + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:linux-image-pipeline", + ] + } + + statement { + + actions = [ + + "codebuild:BatchGetBuilds", + + "codebuild:BatchGetProjects", + + "codebuild:StartBuild", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/rhel-image-pipeline-demo*", + ] + } + + statement { + + actions = [ + + "codebuild:BatchPutTestCases", + + "codebuild:CreateReport", + + "codebuild:CreateReportGroup", + + "codebuild:UpdateReport", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:report-group/rhel-image-pipeline-demo*", + ] + } + + statement { + + actions = [ + + "dynamodb:*", + ] + + effect = 
"Allow" + + resources = [ + + "arn:aws-us-gov:dynamodb:us-gov-west-1:229685449397:table/tf_remote_state", + ] + } + + statement { + + actions = [ + + "logs:CreateLogGroup", + + "logs:CreateLogStream", + + "logs:PutLogEvents", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:logs:us-gov-west-1:229685449397:log-group:*", + ] + } + + statement { + + actions = [ + + "ec2:*", + ] + + effect = "Allow" + + resources = [ + + "*", + ] + } + } + + # module.rhel.module.codepipeline_iam_role.aws_iam_policy.codepipeline_policy[0] will be created + + resource "aws_iam_policy" "codepipeline_policy" { + + arn = (known after apply) + + attachment_count = (known after apply) + + description = "Policy to allow codepipeline to execute" + + id = (known after apply) + + name = "rhel-image-pipeline-demo-codepipeline-policy" + + name_prefix = (known after apply) + + path = "/" + + policy = (known after apply) + + policy_id = (known after apply) + + tags = { + + "Account_ID" = "229685449397" + + "Project_Name" = "rhel-image-pipeline-demo" + + "Region" = "us-gov-west-1" + } + + tags_all = { + + "Account_ID" = "229685449397" + + "Project_Name" = "rhel-image-pipeline-demo" + + "Region" = "us-gov-west-1" + } + } + + # module.rhel.module.codepipeline_iam_role.aws_iam_role_policy_attachment.codepipeline_role_attach[0] will be created + + resource "aws_iam_role_policy_attachment" "codepipeline_role_attach" { + + id = (known after apply) + + policy_arn = (known after apply) + + role = "rhel-image-pipeline-demo-codepipeline-role" + } + + # module.windows.module.codepipeline_iam_role.data.aws_iam_policy_document.codepipeline_policy will be read during apply + # (config refers to values not yet known) + <= data "aws_iam_policy_document" "codepipeline_policy" { + + id = (known after apply) + + json = (known after apply) + + minified_json = (known after apply) + + + statement { + + actions = [ + + "secretsmanager:GetSecretValue", + ] + + effect = "Allow" + + resources = [ + + (known after 
apply), + ] + } + + statement { + + actions = [ + + "s3:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008/*", + + "arn:aws-us-gov:s3:::windows-image-pipeline-demo20240731183313147900000004/*", + ] + } + + statement { + + actions = [ + + "ssm:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:ssm:us-gov-west-1:229685449397:parameter/image-pipeline/windows-image-pipeline-demo/*", + ] + } + + statement { + + actions = [ + + "secretsmanager:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:secretsmanager:us-gov-west-1:229685449397:secret:/image-pipeline/windows-image-pipeline-demo/*", + ] + } + + statement { + + actions = [ + + "kms:Decrypt", + + "kms:DescribeKey", + + "kms:Encrypt", + + "kms:GenerateDataKey*", + + "kms:ReEncrypt*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:kms:us-gov-west-1:229685449397:key/498724ae-3fb1-46b0-bc26-1481e0551e24", + ] + } + + statement { + + actions = [ + + "ec2:ImportKeyPair", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:ec2:us-gov-west-1:229685449397:key-pair/windows-image-pipeline-demo-deployer-key", + ] + } + + statement { + + actions = [ + + "codecommit:BatchGetCommits", + + "codecommit:BatchGetRepositories", + + "codecommit:CreateCommit", + + "codecommit:GetBranch", + + "codecommit:GetCommit", + + "codecommit:GetRepository", + + "codecommit:GetUploadArchiveStatus", + + "codecommit:GitPull", + + "codecommit:GitPush", + + "codecommit:ListBranches", + + "codecommit:ListRepositories", + + "codecommit:UploadArchive", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-ansible-playbooks", + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:image-pipeline-goss-testing", + + "arn:aws-us-gov:codecommit:us-gov-west-1:229685449397:windows-image-pipeline", + ] + } + + statement { + + actions = [ + + "codebuild:BatchGetBuilds", + + 
"codebuild:BatchGetProjects", + + "codebuild:StartBuild", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:project/windows-image-pipeline-demo*", + ] + } + + statement { + + actions = [ + + "codebuild:BatchPutTestCases", + + "codebuild:CreateReport", + + "codebuild:CreateReportGroup", + + "codebuild:UpdateReport", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:codebuild:us-gov-west-1:229685449397:report-group/windows-image-pipeline-demo*", + ] + } + + statement { + + actions = [ + + "dynamodb:*", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:dynamodb:us-gov-west-1:229685449397:table/tf_remote_state", + ] + } + + statement { + + actions = [ + + "logs:CreateLogGroup", + + "logs:CreateLogStream", + + "logs:PutLogEvents", + ] + + effect = "Allow" + + resources = [ + + "arn:aws-us-gov:logs:us-gov-west-1:229685449397:log-group:*", + ] + } + + statement { + + actions = [ + + "ec2:*", + ] + + effect = "Allow" + + resources = [ + + "*", + ] + } + } + + # module.windows.module.codepipeline_iam_role.aws_iam_policy.codepipeline_policy[0] will be created + + resource "aws_iam_policy" "codepipeline_policy" { + + arn = (known after apply) + + attachment_count = (known after apply) + + description = "Policy to allow codepipeline to execute" + + id = (known after apply) + + name = "windows-image-pipeline-demo-codepipeline-policy" + + name_prefix = (known after apply) + + path = "/" + + policy = (known after apply) + + policy_id = (known after apply) + + tags = { + + "Account_ID" = "229685449397" + + "Project_Name" = "windows-image-pipeline-demo" + + "Region" = "us-gov-west-1" + } + + tags_all = { + + "Account_ID" = "229685449397" + + "Project_Name" = "windows-image-pipeline-demo" + + "Region" = "us-gov-west-1" + } + } + + # module.windows.module.codepipeline_iam_role.aws_iam_role_policy_attachment.codepipeline_role_attach[0] will be created + + resource "aws_iam_role_policy_attachment" 
"codepipeline_role_attach" { + + id = (known after apply) + + policy_arn = (known after apply) + + role = "windows-image-pipeline-demo-codepipeline-role" + } + +Plan: 13 to add, 0 to change, 1 to destroy. + +───────────────────────────────────────────────────────────────────────────── + +Saved the plan to: plan.out + +To perform exactly these actions, run the following command to apply: + terraform apply "plan.out"