terraform-plan
feat: Allow adding optional arguments to terraform/grunt plan
Summary | Résumé
I'd like to be able to pass additional arguments to the terraform/terragrunt plan step. I've created a new input called args that just appends whatever's there to the end of the plan command.
I have no idea what I'm doing.
Test instructions | Instructions pour tester la modification
Reference the latest version in a GitHub workflow (I'll be testing w/ notification-terraform) and pass an argument as required.
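The feature described above in use, as an added example that is not part of this PR or of the action's own documentation. Only the `args` input name is taken from the PR text; the `uses:` owner and ref, the `directory` input name and the file paths are assumptions and placeholders.

```yaml
# Added example (not from the PR): a pull-request workflow that passes
# extra flags to the plan step through the new `args` input.
name: Terraform plan
on:
  pull_request:
    paths:
      - "terragrunt/**"

permissions:
  contents: read
  pull-requests: write   # only needed if the action posts the plan as a PR comment

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Plan with extra arguments
        # OWNER and the ref are placeholders; pin to a tag or commit SHA in a real workflow.
        uses: OWNER/terraform-plan@vX.Y.Z
        with:
          directory: terragrunt/notification   # assumed input name
          # `args` is appended verbatim to the end of the plan command, so keep it
          # a literal in the workflow file and never build it from values a PR author
          # controls (title, body, branch name) via ${{ github.event.* }} expressions.
          args: "-var-file=env/prod.tfvars -lock-timeout=60s"
```

Because the PR says the input is appended to the end of the plan command, whatever lands in `args` runs with the job's cloud credentials. Treating it as workflow-file-only configuration that is reviewed like code keeps the new option from turning into an argument-injection path.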
Test init-fail
❌ Terraform Init: failed
❌ Terraform Validate: failed
✅ Terraform Format: success
❌ Terraform Plan: failed
❌ Conftest: failed
Show Init results
Initializing the backend...
Initializing provider plugins...
- Finding latest version of foo/bar...
Error: Failed to query available provider packages
Could not retrieve the list of available versions for provider foo/bar:
provider registry registry.terraform.io does not have a provider named
registry.terraform.io/foo/bar
All modules should specify their required_providers so that external
consumers will get the correct providers when using a module. To see which
modules are currently depending on foo/bar, run the following command:
terraform providers
Show Validate results
Error: Missing required provider
This configuration requires provider registry.terraform.io/foo/bar, but that
provider isn't available. You may be able to install it automatically by
running:
terraform init
Show plan
Error: Inconsistent dependency lock file
The following dependency selections recorded in the lock file are
inconsistent with the current configuration:
- provider registry.terraform.io/foo/bar: required by this configuration but no version is selected
To make the initial dependency selections that will initialize the dependency
lock file, run:
terraform init
Test skip-fmt
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Plan: success
✅ Conftest: success
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | random_id.id |

| CHANGE | OUTPUT |
|---|---|
| add | id |
Show plan
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# random_id.id will be created
+ resource "random_id" "id" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ id = (known after apply)
Warning: Duplicate required provider
on skip-fmt.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
Test skip-plan
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
Test validate-fail
✅ Terraform Init: success
❌ Terraform Validate: failed
✅ Terraform Format: success
❌ Terraform Plan: failed
❌ Conftest: failed
Show Validate results
Error: Reference to undeclared input variable
on validate-fail.tf line 4, in resource "random_id" "foo":
4: foo = var.bar
An input variable with the name "bar" has not been declared. This variable
can be declared with a variable "bar" {} block.
Show plan
Error: Reference to undeclared input variable
on validate-fail.tf line 4, in resource "random_id" "foo":
4: foo = var.bar
An input variable with the name "bar" has not been declared. This variable
can be declared with a variable "bar" {} block.
Test format-error
✅ Terraform Init: success
✅ Terraform Validate: success
❌ Terraform Format: failed
✅ Terraform Plan: success
✅ Conftest: success
🧹 Format: run `terraform fmt` to fix the following:
format-error.tf
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | random_id.id |
Show plan
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# random_id.id will be created
+ resource "random_id" "id" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Warning: Duplicate required provider
on format-error.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
Test invalid
✅ Terraform Init: success
❌ Terraform Validate: failed
❌ Terraform Format: failed
❌ Terraform Plan: failed
❌ Conftest: failed
Show Validate results
Warning: Duplicate required provider
on invalid.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
Error: Missing required argument
on invalid.tf line 11, in resource "random_id" "id":
11: resource "random_id" "id" {
The argument "byte_length" is required, but no definition was found.
Error: Unsupported argument
on invalid.tf line 12, in resource "random_id" "id":
12: muffin = "blueberry"
An argument named "muffin" is not expected here.
🧹 Format: run `terraform fmt` to fix the following:
invalid.tf
Show plan
Warning: Duplicate required provider
on invalid.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
Error: Missing required argument
on invalid.tf line 11, in resource "random_id" "id":
11: resource "random_id" "id" {
The argument "byte_length" is required, but no definition was found.
Error: Unsupported argument
on invalid.tf line 12, in resource "random_id" "id":
12: muffin = "blueberry"
An argument named "muffin" is not expected here.
Test changes
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | random_id.id |

| CHANGE | OUTPUT |
|---|---|
| add | id |
Show plan
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# random_id.id will be created
+ resource "random_id" "id" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ id = (known after apply)
Warning: Duplicate required provider
on changes.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
Test skip-conftest
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
Plan: 1 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | random_id.id |

| CHANGE | OUTPUT |
|---|---|
| add | id |
Show plan
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# random_id.id will be created
+ resource "random_id" "id" {
+ b64_std = (known after apply)
+ b64_url = (known after apply)
+ byte_length = 8
+ dec = (known after apply)
+ hex = (known after apply)
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ id = (known after apply)
Warning: Duplicate required provider
on skip-conftest.tf line 11:
11: resource "random_id" "id" {
Provider "registry.terraform.io/hashicorp/random" was implicitly required via
resource "random_id.id", but listed in required_providers as "test". Either
the local name in required_providers must match the resource name, or the
"test" provider must be assigned within the resource block.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Test import
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success
Plan: 2 to import, 1 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| import | aws_cloudwatch_log_group.controltower-notificationforwarder |
| | aws_sns_topic.controltower-notificationforwarder |
| add | aws_cloudwatch_log_group.topic |
Show plan
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_cloudwatch_log_group.controltower-notificationforwarder will be imported
resource "aws_cloudwatch_log_group" "controltower-notificationforwarder" {
arn = "arn:aws:logs:ca-central-1:124044056575:log-group:/aws/lambda/aws-controltower-NotificationForwarder"
id = "/aws/lambda/aws-controltower-NotificationForwarder"
log_group_class = "STANDARD"
name = "/aws/lambda/aws-controltower-NotificationForwarder"
retention_in_days = 14
skip_destroy = false
tags = {}
tags_all = {}
}
# aws_cloudwatch_log_group.topic will be created
+ resource "aws_cloudwatch_log_group" "topic" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "topic"
+ name_prefix = (known after apply)
+ retention_in_days = 14
+ skip_destroy = false
+ tags_all = (known after apply)
}
# aws_sns_topic.controltower-notificationforwarder will be imported
resource "aws_sns_topic" "controltower-notificationforwarder" {
application_success_feedback_sample_rate = 0
arn = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
content_based_deduplication = false
fifo_topic = false
firehose_success_feedback_sample_rate = 0
http_success_feedback_sample_rate = 0
id = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
lambda_success_feedback_sample_rate = 0
name = "internal-sre-alert"
owner = "124044056575"
policy = jsonencode(
{
Id = "SNS Access Policy"
Statement = [
{
Action = [
"SNS:Subscribe",
"SNS:SetTopicAttributes",
"SNS:RemovePermission",
"SNS:Receive",
"SNS:Publish",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:AddPermission",
]
Condition = {
StringEquals = {
"aws:SourceOwner" = "124044056575"
}
}
Effect = "Allow"
Principal = {
AWS = "*"
}
Resource = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
Sid = "AllowAccountToUse"
},
{
Action = "SNS:Publish"
Condition = {
StringEquals = {
"aws:SourceAccount" = "124044056575"
}
}
Effect = "Allow"
Principal = {
Service = "cloudwatch.amazonaws.com"
}
Resource = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
Sid = "AllowCloudWatchToPublish"
},
{
Action = "SNS:Publish"
Condition = {
ArnEquals = {
"aws:SourceArn" = "arn:aws:events:ca-central-1:124044056575:rule/internal-sre-alerts-abuse-rule"
}
}
Effect = "Allow"
Principal = {
Service = "events.amazonaws.com"
}
Resource = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
Sid = "AllowAbuseEventsToPublish"
},
{
Action = "SNS:Publish"
Condition = {
StringEquals = {
"aws:SourceAccount" = "124044056575"
}
}
Effect = "Allow"
Principal = {
Service = "budgets.amazonaws.com"
}
Resource = "arn:aws:sns:ca-central-1:124044056575:internal-sre-alert"
Sid = "AllowBudgetEventsToPublish"
},
]
Version = "2012-10-17"
}
)
signature_version = 0
sqs_success_feedback_sample_rate = 0
tags = {
"CostCentre" = "SRE"
"Terraform" = "true"
"managed_by" = "AFT"
}
tags_all = {
"CostCentre" = "SRE"
"Terraform" = "true"
"managed_by" = "AFT"
}
}
Plan: 2 to import, 1 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.controltower-notificationforwarder"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.topic"]
21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions
Test truncate-plan
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success
Plan: 36 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] |
| | module.rds.aws_cloudwatch_log_group.proxy |
| | module.rds.aws_db_proxy.proxy |
| | module.rds.aws_db_proxy_default_target_group.this |
| | module.rds.aws_db_proxy_target.target |
| | module.rds.aws_db_subnet_group.rds |
| | module.rds.aws_iam_policy.read_connection_string |
| | module.rds.aws_iam_role.rds_proxy |
| | module.rds.aws_iam_role_policy_attachment.read_connection_string |
| | module.rds.aws_rds_cluster.cluster |
| | module.rds.aws_rds_cluster_instance.instances[0] |
| | module.rds.aws_rds_cluster_instance.instances[1] |
| | module.rds.aws_rds_cluster_instance.instances[2] |
| | module.rds.aws_secretsmanager_secret.connection_string |
| | module.rds.aws_secretsmanager_secret.proxy_connection_string |
| | module.rds.aws_secretsmanager_secret_version.connection_string |
| | module.rds.aws_secretsmanager_secret_version.proxy_connection_string |
| | module.rds.aws_security_group.rds_proxy |
| | module.rds.random_string.random |
| | module.vpc.aws_default_network_acl.default |
| | module.vpc.aws_default_route_table.default |
| | module.vpc.aws_default_security_group.default |
| | module.vpc.aws_internet_gateway.gw |
| | module.vpc.aws_nat_gateway.nat_gw[0] |
| | module.vpc.aws_network_acl.main |
| | module.vpc.aws_network_acl_rule.block_rdp[0] |
| | module.vpc.aws_network_acl_rule.block_ssh[0] |
| | module.vpc.aws_route.private_nat_gateway[0] |
| | module.vpc.aws_route.public_internet_gateway |
| | module.vpc.aws_route_table.private[0] |
| | module.vpc.aws_route_table.public |
| | module.vpc.aws_route_table_association.private[0] |
| | module.vpc.aws_route_table_association.public[0] |
| | module.vpc.aws_subnet.private[0] |
| | module.vpc.aws_subnet.public[0] |
| | module.vpc.aws_vpc.main |
✂ Warning: plan has been truncated! See the full plan in the logs.
Show plan
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "read_connection_string" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:ListSecretVersionIds",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "0"
}
+ statement {
+ actions = [
+ "secretsmanager:ListSecrets",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "1"
}
+ statement {
+ actions = [
+ "kms:Decrypt",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "2"
+ condition {
+ test = "StringEquals"
+ values = [
+ "secretsmanager.ca-central-1.amazonaws.com",
]
+ variable = "kms:ViaService"
}
}
}
# module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
+ resource "aws_cloudwatch_log_group" "log_exports" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "/aws/rds/cluster/test-rds-cluster/postgresql"
+ name_prefix = (known after apply)
+ retention_in_days = 7
+ skip_destroy = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
}
# module.rds.aws_cloudwatch_log_group.proxy will be created
+ resource "aws_cloudwatch_log_group" "proxy" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "/aws/rds/proxy/test-rds-proxy"
+ name_prefix = (known after apply)
+ retention_in_days = 14
+ skip_destroy = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_proxy_logs"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_proxy_logs"
+ "Terraform" = "true"
}
}
# module.rds.aws_db_proxy.proxy will be created
+ resource "aws_db_proxy" "proxy" {
+ arn = (known after apply)
+ debug_logging = false
+ endpoint = (known after apply)
+ engine_family = "POSTGRESQL"
+ id = (known after apply)
+ idle_client_timeout = 1800
+ name = "test-rds-proxy"
+ require_tls = true
+ role_arn = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-rds-proxy"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-rds-proxy"
+ "Terraform" = "true"
}
+ vpc_security_group_ids = (known after apply)
+ vpc_subnet_ids = (known after apply)
+ auth {
+ auth_scheme = "SECRETS"
+ client_password_auth_type = (known after apply)
+ description = "The database connection string"
+ iam_auth = "DISABLED"
+ secret_arn = (known after apply)
}
}
# module.rds.aws_db_proxy_default_target_group.this will be created
+ resource "aws_db_proxy_default_target_group" "this" {
+ arn = (known after apply)
+ db_proxy_name = "test-rds-proxy"
+ id = (known after apply)
+ name = (known after apply)
}
# module.rds.aws_db_proxy_target.target will be created
+ resource "aws_db_proxy_target" "target" {
+ db_cluster_identifier = (known after apply)
+ db_proxy_name = "test-rds-proxy"
+ endpoint = (known after apply)
+ id = (known after apply)
+ port = (known after apply)
+ rds_resource_id = (known after apply)
+ target_arn = (known after apply)
+ target_group_name = (known after apply)
+ tracked_cluster_id = (known after apply)
+ type = (known after apply)
}
# module.rds.aws_db_subnet_group.rds will be created
+ resource "aws_db_subnet_group" "rds" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ id = (known after apply)
+ name = "test-rds-subnet-group"
+ name_prefix = (known after apply)
+ subnet_ids = (known after apply)
+ supported_network_types = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-subnet-group"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-subnet-group"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.rds.aws_iam_policy.read_connection_string will be created
+ resource "aws_iam_policy" "read_connection_string" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = "test-rdsReadConnectionString"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = (known after apply)
+ policy_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_iam_role.rds_proxy will be created
+ resource "aws_iam_role" "rds_proxy" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "rds.amazonaws.com"
}
+ Sid = "RDSAssume"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "test-rds_rds_proxy"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
# module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
+ resource "aws_iam_role_policy_attachment" "read_connection_string" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "test-rds_rds_proxy"
}
# module.rds.aws_rds_cluster.cluster will be created
+ resource "aws_rds_cluster" "cluster" {
+ allocated_storage = (known after apply)
+ allow_major_version_upgrade = false
+ apply_immediately = false
+ arn = (known after apply)
+ availability_zones = (known after apply)
+ backtrack_window = 0
+ backup_retention_period = 7
+ cluster_identifier = "test-rds-cluster"
+ cluster_identifier_prefix = (known after apply)
+ cluster_members = (known after apply)
+ cluster_resource_id = (known after apply)
+ copy_tags_to_snapshot = true
+ database_name = "foo"
+ db_cluster_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ db_system_id = (known after apply)
+ delete_automated_backups = true
+ deletion_protection = true
+ enable_global_write_forwarding = false
+ enable_http_endpoint = false
+ enable_local_write_forwarding = false
+ enabled_cloudwatch_logs_exports = [
+ "postgresql",
]
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_mode = "provisioned"
+ engine_version = "14.5"
+ engine_version_actual = (known after apply)
+ final_snapshot_identifier = (known after apply)
+ hosted_zone_id = (known after apply)
+ iam_database_authentication_enabled = false
+ iam_roles = (known after apply)
+ id = (known after apply)
+ kms_key_id = (known after apply)
+ master_password = (sensitive value)
+ master_user_secret = (known after apply)
+ master_user_secret_kms_key_id = (known after apply)
+ master_username = "probably"
+ network_type = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = "07:00-09:00"
+ preferred_maintenance_window = "sun:06:00-sun:07:00"
+ reader_endpoint = (known after apply)
+ skip_final_snapshot = false
+ storage_encrypted = true
+ storage_type = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ vpc_security_group_ids = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[0] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "14.5"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-0"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-0"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-0"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[1] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "14.5"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-1"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-1"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-1"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[2] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "14.5"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-2"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-2"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-2"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_secretsmanager_secret.connection_string will be created
+ resource "aws_secretsmanager_secret" "connection_string" {
+ arn = (known after apply)
+ force_overwrite_replica_secret = false
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ recovery_window_in_days = 30
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
+ resource "aws_secretsmanager_secret" "proxy_connection_string" {
+ arn = (known after apply)
+ force_overwrite_replica_secret = false
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ recovery_window_in_days = 30
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_secretsmanager_secret_version.connection_string will be created
+ resource "aws_secretsmanager_secret_version" "connection_string" {
+ arn = (known after apply)
+ id = (known after apply)
+ secret_id = (known after apply)
+ secret_string = (sensitive value)
+ version_id = (known after apply)
+ version_stages = (known after apply)
}
# module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
+ resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
+ arn = (known after apply)
+ id = (known after apply)
+ secret_id = (known after apply)
+ secret_string = (sensitive value)
+ version_id = (known after apply)
+ version_stages = (known after apply)
}
# module.rds.aws_security_group.rds_proxy will be created
+ resource "aws_security_group" "rds_proxy" {
+ arn = (known after apply)
+ description = "The Security group that allows communication between the proxy and the database"
+ egress = [
+ {
+ cidr_blocks = []
+ description = ""
+ from_port = 5432
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = true
+ to_port = 5432
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ cidr_blocks = []
+ description = ""
+ from_port = 5432
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = true
+ to_port = 5432
},
]
+ name = "test-rds_rds_proxy_sg"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_rds_proxy_sg"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_rds_proxy_sg"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.rds.random_string.random will be created
+ resource "random_string" "random" {
+ id = (known after apply)
+ length = 6
+ lower = true
+ min_lower = 0
+ min_numeric = 0
+ min_special = 0
+ min_upper = 0
+ number = true
+ numeric = true
+ result = (known after apply)
+ special = false
+ upper = false
}
# module.vpc.aws_default_network_acl.default will be created
+ resource "aws_default_network_acl" "default" {
+ arn = (known after apply)
+ default_network_acl_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_nacl"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_nacl"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_default_route_table.default will be created
+ resource "aws_default_route_table" "default" {
+ arn = (known after apply)
+ default_route_table_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ route = []
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
+ "name" = "vpc_default_route_table"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
+ "name" = "vpc_default_route_table"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_default_security_group.default will be created
+ resource "aws_default_security_group" "default" {
+ arn = (known after apply)
+ description = (known after apply)
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_sg"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_sg"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_internet_gateway.gw will be created
+ resource "aws_internet_gateway" "gw" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_internet_gateway"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_internet_gateway"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_nat_gateway.nat_gw[0] will be created
+ resource "aws_nat_gateway" "nat_gw" {
+ association_id = (known after apply)
+ connectivity_type = "private"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc-natgw-0"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc-natgw-0"
+ "Terraform" = "true"
}
}
# module.vpc.aws_network_acl.main will be created
+ resource "aws_network_acl" "main" {
+ arn = (known after apply)
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_main_nacl"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_main_nacl"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_network_acl_rule.block_rdp[0] will be created
+ resource "aws_network_acl_rule" "block_rdp" {
+ cidr_block = "0.0.0.0/0"
+ egress = false
+ from_port = 3389
+ id = (known after apply)
+ network_acl_id = (known after apply)
+ protocol = "tcp"
+ rule_action = "deny"
+ rule_number = 51
+ to_port = 3389
}
# module.vpc.aws_network_acl_rule.block_ssh[0] will be created
+ resource "aws_network_acl_rule" "block_ssh" {
+ cidr_block = "0.0.0.0/0"
+ egress = false
+ from_port = 22
+ id = (known after apply)
+ network_acl_id = (known after apply)
+ protocol = "tcp"
+ rule_action = "deny"
+ rule_number = 50
+ to_port = 22
}
# module.vpc.aws_route.private_nat_gateway[0] will be created
+ resource "aws_route" "private_nat_gateway" {
+ destination_cidr_block = "0.0.0.0/0"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ nat_gateway_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known...
Show Conftest results
20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
Test conftest-deny
✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
❌ Conftest: failed
Plan: 36 to add, 0 to change, 0 to destroy
Show summary
| CHANGE | RESOURCE |
|---|---|
| add | module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] |
| | module.rds.aws_cloudwatch_log_group.proxy |
| | module.rds.aws_db_proxy.proxy |
| | module.rds.aws_db_proxy_default_target_group.this |
| | module.rds.aws_db_proxy_target.target |
| | module.rds.aws_db_subnet_group.rds |
| | module.rds.aws_iam_policy.read_connection_string |
| | module.rds.aws_iam_role.rds_proxy |
| | module.rds.aws_iam_role_policy_attachment.read_connection_string |
| | module.rds.aws_rds_cluster.cluster |
| | module.rds.aws_rds_cluster_instance.instances[0] |
| | module.rds.aws_rds_cluster_instance.instances[1] |
| | module.rds.aws_rds_cluster_instance.instances[2] |
| | module.rds.aws_secretsmanager_secret.connection_string |
| | module.rds.aws_secretsmanager_secret.proxy_connection_string |
| | module.rds.aws_secretsmanager_secret_version.connection_string |
| | module.rds.aws_secretsmanager_secret_version.proxy_connection_string |
| | module.rds.aws_security_group.rds_proxy |
| | module.rds.random_string.random |
| | module.vpc.aws_default_network_acl.default |
| | module.vpc.aws_default_route_table.default |
| | module.vpc.aws_default_security_group.default |
| | module.vpc.aws_internet_gateway.gw |
| | module.vpc.aws_nat_gateway.nat_gw[0] |
| | module.vpc.aws_network_acl.main |
| | module.vpc.aws_network_acl_rule.block_rdp[0] |
| | module.vpc.aws_network_acl_rule.block_ssh[0] |
| | module.vpc.aws_route.private_nat_gateway[0] |
| | module.vpc.aws_route.public_internet_gateway |
| | module.vpc.aws_route_table.private[0] |
| | module.vpc.aws_route_table.public |
| | module.vpc.aws_route_table_association.private[0] |
| | module.vpc.aws_route_table_association.public[0] |
| | module.vpc.aws_subnet.private[0] |
| | module.vpc.aws_subnet.public[0] |
| | module.vpc.aws_vpc.main |
✂ Warning: plan has been truncated! See the full plan in the logs.
Show plan
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.rds.data.aws_iam_policy_document.read_connection_string will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "read_connection_string" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:ListSecretVersionIds",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "0"
}
+ statement {
+ actions = [
+ "secretsmanager:ListSecrets",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "1"
}
+ statement {
+ actions = [
+ "kms:Decrypt",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
+ sid = "2"
+ condition {
+ test = "StringEquals"
+ values = [
+ "secretsmanager.ca-central-1.amazonaws.com",
]
+ variable = "kms:ViaService"
}
}
}
# module.rds.aws_cloudwatch_log_group.log_exports["postgresql"] will be created
+ resource "aws_cloudwatch_log_group" "log_exports" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "/aws/rds/cluster/test-rds-cluster/postgresql"
+ name_prefix = (known after apply)
+ retention_in_days = 7
+ skip_destroy = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
}
# module.rds.aws_cloudwatch_log_group.proxy will be created
+ resource "aws_cloudwatch_log_group" "proxy" {
+ arn = (known after apply)
+ id = (known after apply)
+ log_group_class = (known after apply)
+ name = "/aws/rds/proxy/test-rds-proxy"
+ name_prefix = (known after apply)
+ retention_in_days = 14
+ skip_destroy = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_proxy_logs"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_proxy_logs"
+ "Terraform" = "true"
}
}
# module.rds.aws_db_proxy.proxy will be created
+ resource "aws_db_proxy" "proxy" {
+ arn = (known after apply)
+ debug_logging = false
+ endpoint = (known after apply)
+ engine_family = "POSTGRESQL"
+ id = (known after apply)
+ idle_client_timeout = 1800
+ name = "test-rds-proxy"
+ require_tls = true
+ role_arn = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-rds-proxy"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-rds-proxy"
+ "Terraform" = "true"
}
+ vpc_security_group_ids = (known after apply)
+ vpc_subnet_ids = (known after apply)
+ auth {
+ auth_scheme = "SECRETS"
+ client_password_auth_type = (known after apply)
+ description = "The database connection string"
+ iam_auth = "DISABLED"
+ secret_arn = (known after apply)
}
}
# module.rds.aws_db_proxy_default_target_group.this will be created
+ resource "aws_db_proxy_default_target_group" "this" {
+ arn = (known after apply)
+ db_proxy_name = "test-rds-proxy"
+ id = (known after apply)
+ name = (known after apply)
}
# module.rds.aws_db_proxy_target.target will be created
+ resource "aws_db_proxy_target" "target" {
+ db_cluster_identifier = (known after apply)
+ db_proxy_name = "test-rds-proxy"
+ endpoint = (known after apply)
+ id = (known after apply)
+ port = (known after apply)
+ rds_resource_id = (known after apply)
+ target_arn = (known after apply)
+ target_group_name = (known after apply)
+ tracked_cluster_id = (known after apply)
+ type = (known after apply)
}
# module.rds.aws_db_subnet_group.rds will be created
+ resource "aws_db_subnet_group" "rds" {
+ arn = (known after apply)
+ description = "Managed by Terraform"
+ id = (known after apply)
+ name = "test-rds-subnet-group"
+ name_prefix = (known after apply)
+ subnet_ids = (known after apply)
+ supported_network_types = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-subnet-group"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-subnet-group"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.rds.aws_iam_policy.read_connection_string will be created
+ resource "aws_iam_policy" "read_connection_string" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = "test-rdsReadConnectionString"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = (known after apply)
+ policy_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_iam_role.rds_proxy will be created
+ resource "aws_iam_role" "rds_proxy" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "rds.amazonaws.com"
}
+ Sid = "RDSAssume"
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "test-rds_rds_proxy"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
# module.rds.aws_iam_role_policy_attachment.read_connection_string will be created
+ resource "aws_iam_role_policy_attachment" "read_connection_string" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "test-rds_rds_proxy"
}
# module.rds.aws_rds_cluster.cluster will be created
+ resource "aws_rds_cluster" "cluster" {
+ allocated_storage = (known after apply)
+ allow_major_version_upgrade = false
+ apply_immediately = false
+ arn = (known after apply)
+ availability_zones = (known after apply)
+ backtrack_window = 0
+ backup_retention_period = 7
+ cluster_identifier = "test-rds-cluster"
+ cluster_identifier_prefix = (known after apply)
+ cluster_members = (known after apply)
+ cluster_resource_id = (known after apply)
+ copy_tags_to_snapshot = true
+ database_name = "foo"
+ db_cluster_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ db_system_id = (known after apply)
+ delete_automated_backups = true
+ deletion_protection = true
+ enable_global_write_forwarding = false
+ enable_http_endpoint = false
+ enable_local_write_forwarding = false
+ enabled_cloudwatch_logs_exports = [
+ "postgresql",
]
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_mode = "provisioned"
+ engine_version = "13.3"
+ engine_version_actual = (known after apply)
+ final_snapshot_identifier = (known after apply)
+ hosted_zone_id = (known after apply)
+ iam_database_authentication_enabled = false
+ iam_roles = (known after apply)
+ id = (known after apply)
+ kms_key_id = (known after apply)
+ master_password = (sensitive value)
+ master_user_secret = (known after apply)
+ master_user_secret_kms_key_id = (known after apply)
+ master_username = "cal"
+ network_type = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = "07:00-09:00"
+ preferred_maintenance_window = "sun:06:00-sun:07:00"
+ reader_endpoint = (known after apply)
+ skip_final_snapshot = false
+ storage_encrypted = true
+ storage_type = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-cluster"
+ "Terraform" = "true"
}
+ vpc_security_group_ids = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[0] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "13.3"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-0"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-0"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-0"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[1] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "13.3"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-1"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-1"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-1"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_rds_cluster_instance.instances[2] will be created
+ resource "aws_rds_cluster_instance" "instances" {
+ apply_immediately = (known after apply)
+ arn = (known after apply)
+ auto_minor_version_upgrade = true
+ availability_zone = (known after apply)
+ ca_cert_identifier = (known after apply)
+ cluster_identifier = (known after apply)
+ copy_tags_to_snapshot = false
+ db_parameter_group_name = (known after apply)
+ db_subnet_group_name = "test-rds-subnet-group"
+ dbi_resource_id = (known after apply)
+ endpoint = (known after apply)
+ engine = "aurora-postgresql"
+ engine_version = "13.3"
+ engine_version_actual = (known after apply)
+ id = (known after apply)
+ identifier = "test-rds-instance-2"
+ identifier_prefix = (known after apply)
+ instance_class = "db.t3.medium"
+ kms_key_id = (known after apply)
+ monitoring_interval = 0
+ monitoring_role_arn = (known after apply)
+ network_type = (known after apply)
+ performance_insights_enabled = true
+ performance_insights_kms_key_id = (known after apply)
+ performance_insights_retention_period = (known after apply)
+ port = (known after apply)
+ preferred_backup_window = (known after apply)
+ preferred_maintenance_window = (known after apply)
+ promotion_tier = 0
+ publicly_accessible = (known after apply)
+ storage_encrypted = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-2"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds-instance-2"
+ "Terraform" = "true"
}
+ writer = (known after apply)
}
# module.rds.aws_secretsmanager_secret.connection_string will be created
+ resource "aws_secretsmanager_secret" "connection_string" {
+ arn = (known after apply)
+ force_overwrite_replica_secret = false
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ recovery_window_in_days = 30
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_secretsmanager_secret.proxy_connection_string will be created
+ resource "aws_secretsmanager_secret" "proxy_connection_string" {
+ arn = (known after apply)
+ force_overwrite_replica_secret = false
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ recovery_window_in_days = 30
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
}
}
# module.rds.aws_secretsmanager_secret_version.connection_string will be created
+ resource "aws_secretsmanager_secret_version" "connection_string" {
+ arn = (known after apply)
+ id = (known after apply)
+ secret_id = (known after apply)
+ secret_string = (sensitive value)
+ version_id = (known after apply)
+ version_stages = (known after apply)
}
# module.rds.aws_secretsmanager_secret_version.proxy_connection_string will be created
+ resource "aws_secretsmanager_secret_version" "proxy_connection_string" {
+ arn = (known after apply)
+ id = (known after apply)
+ secret_id = (known after apply)
+ secret_string = (sensitive value)
+ version_id = (known after apply)
+ version_stages = (known after apply)
}
# module.rds.aws_security_group.rds_proxy will be created
+ resource "aws_security_group" "rds_proxy" {
+ arn = (known after apply)
+ description = "The Security group that allows communication between the proxy and the database"
+ egress = [
+ {
+ cidr_blocks = []
+ description = ""
+ from_port = 5432
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = true
+ to_port = 5432
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ cidr_blocks = []
+ description = ""
+ from_port = 5432
+ ipv6_cidr_blocks = []
+ prefix_list_ids = []
+ protocol = "tcp"
+ security_groups = []
+ self = true
+ to_port = 5432
},
]
+ name = "test-rds_rds_proxy_sg"
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_rds_proxy_sg"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "test-rds_rds_proxy_sg"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.rds.random_string.random will be created
+ resource "random_string" "random" {
+ id = (known after apply)
+ length = 6
+ lower = true
+ min_lower = 0
+ min_numeric = 0
+ min_special = 0
+ min_upper = 0
+ number = true
+ numeric = true
+ result = (known after apply)
+ special = false
+ upper = false
}
# module.vpc.aws_default_network_acl.default will be created
+ resource "aws_default_network_acl" "default" {
+ arn = (known after apply)
+ default_network_acl_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_nacl"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_nacl"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_default_route_table.default will be created
+ resource "aws_default_route_table" "default" {
+ arn = (known after apply)
+ default_route_table_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ route = []
+ tags = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
+ "name" = "vpc_default_route_table"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Terraform" = "true"
+ "name" = "vpc_default_route_table"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_default_security_group.default will be created
+ resource "aws_default_security_group" "default" {
+ arn = (known after apply)
+ description = (known after apply)
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_sg"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_default_sg"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_internet_gateway.gw will be created
+ resource "aws_internet_gateway" "gw" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_internet_gateway"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_internet_gateway"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_nat_gateway.nat_gw[0] will be created
+ resource "aws_nat_gateway" "nat_gw" {
+ association_id = (known after apply)
+ connectivity_type = "private"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc-natgw-0"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc-natgw-0"
+ "Terraform" = "true"
}
}
# module.vpc.aws_network_acl.main will be created
+ resource "aws_network_acl" "main" {
+ arn = (known after apply)
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_main_nacl"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "cal"
+ "Name" = "vpc_main_nacl"
+ "Terraform" = "true"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_network_acl_rule.block_rdp[0] will be created
+ resource "aws_network_acl_rule" "block_rdp" {
+ cidr_block = "0.0.0.0/0"
+ egress = false
+ from_port = 3389
+ id = (known after apply)
+ network_acl_id = (known after apply)
+ protocol = "tcp"
+ rule_action = "deny"
+ rule_number = 51
+ to_port = 3389
}
# module.vpc.aws_network_acl_rule.block_ssh[0] will be created
+ resource "aws_network_acl_rule" "block_ssh" {
+ cidr_block = "0.0.0.0/0"
+ egress = false
+ from_port = 22
+ id = (known after apply)
+ network_acl_id = (known after apply)
+ protocol = "tcp"
+ rule_action = "deny"
+ rule_number = 50
+ to_port = 22
}
# module.vpc.aws_route.private_nat_gateway[0] will be created
+ resource "aws_route" "private_nat_gateway" {
+ destination_cidr_block = "0.0.0.0/0"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ nat_gateway_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known...
Show Conftest results
FAIL - plan.json - main - Postgresql main password > 8 characters: ["module.rds.aws_rds_cluster.cluster"]
20 tests, 19 passed, 0 warnings, 1 failure, 0 exceptions