@rhoboat
Last active January 15, 2021 18:50
{
"format_version": "0.1",
"terraform_version": "0.12.29",
"variables": {
"ami_builder_config": {
"value": null
},
"container_cpu": {
"value": "2048"
},
"container_default_launch_type": {
"value": "FARGATE"
},
"container_max_cpu": {
"value": 2048
},
"container_max_memory": {
"value": 8192
},
"container_memory": {
"value": "8192"
},
"docker_image_builder_config": {
"value": null
},
"ec2_worker_pool_configuration": {
"value": null
},
"iam_groups": {
"value": []
},
"iam_roles": {
"value": []
},
"iam_users": {
"value": []
},
"name": {
"value": "ecs-deploy-runner"
},
"private_subnet_ids": {
"value": ["subnet-abcd1234", "subnet-bcd1234a"]
},
"shared_secrets_enabled": {
"value": false
},
"shared_secrets_kms_cmk_arn": {
"value": null
},
"snapshot_encryption_kms_cmk_arns": {
"value": {}
},
"terraform_applier_config": {
"value": {
"allowed_apply_git_refs": ["master"],
"allowed_update_variable_names": ["tag", "ami", "docker_tag", "ami_version_tag"],
"container_image": {
"docker_image": "087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner",
"docker_tag": "v1"
},
"environment_vars": {},
"iam_policy": {
"ACMDeployAccess": {
"actions": ["acm:*"],
"effect": "Allow",
"resources": ["*"]
},
"AutoScalingDeployAccess": {
"actions": ["autoscaling:*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudTrailDeployAccess": {
"actions": ["cloudtrail:*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudWatchDeployAccess": {
"actions": ["cloudwatch:*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudWatchLogsDeployAccess": {
"actions": ["logs:*"],
"effect": "Allow",
"resources": ["*"]
},
"ConfigDeployAccess": {
"actions": ["config:*"],
"effect": "Allow",
"resources": ["*"]
},
"DynamoDBLocksTableAccess": {
"actions": ["dynamodb:*"],
"effect": "Allow",
"resources": ["arn:aws:dynamodb:*:*:table/terraform-locks"]
},
"EC2ServiceDeployAccess": {
"actions": ["ec2:*"],
"effect": "Allow",
"resources": ["*"]
},
"ECRDeployAccess": {
"actions": ["ecr:*"],
"effect": "Allow",
"resources": ["*"]
},
"ECSDeployAccess": {
"actions": ["ecs:*"],
"effect": "Allow",
"resources": ["*"]
},
"ELBDeployAccess": {
"actions": ["elasticloadbalancing:*"],
"effect": "Allow",
"resources": ["*"]
},
"GuardDutyReadOnlyAccess": {
"actions": ["guardduty:*"],
"effect": "Allow",
"resources": ["*"]
},
"IAMAccess": {
"actions": ["iam:*"],
"effect": "Allow",
"resources": ["*"]
},
"KMSDeployAccess": {
"actions": ["kms:*"],
"effect": "Allow",
"resources": ["*"]
},
"LambdaDeployAccess": {
"actions": ["lambda:*"],
"effect": "Allow",
"resources": ["*"]
},
"RDSDeployAccess": {
"actions": ["rds:*"],
"effect": "Allow",
"resources": ["*"]
},
"Route53DeployAccess": {
"actions": ["route53:*", "route53domains:*", "route53resolver:*"],
"effect": "Allow",
"resources": ["*"]
},
"S3DeployAccess": {
"actions": ["s3:*"],
"effect": "Allow",
"resources": ["*"]
},
"SNSDeployAccess": {
"actions": ["sns:*"],
"effect": "Allow",
"resources": ["*"]
},
"SQSDeployAccess": {
"actions": ["sqs:*"],
"effect": "Allow",
"resources": ["*"]
},
"SecretsManagerDeployAccess": {
"actions": ["secretsmanager:*"],
"effect": "Allow",
"resources": ["*"]
}
},
"infrastructure_live_repositories": ["git@github.com:gruntwork-io/refarch-demo-infrastructure-live.git"],
"infrastructure_live_repositories_regex": [],
"machine_user_git_info": {
"email": "some@email.com",
"name": "someusername"
},
"repo_access_ssh_key_secrets_manager_arn": "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234",
"secrets_manager_env_vars": {
"GITHUB_OAUTH_TOKEN": "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234"
}
}
},
"terraform_planner_config": {
"value": {
"container_image": {
"docker_image": "087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner",
"docker_tag": "v1"
},
"environment_vars": {},
"iam_policy": {
"ACMReadOnlyAccess": {
"actions": ["acm:DescribeCertificate", "acm:ListCertificates", "acm:GetCertificate", "acm:ListTagsForCertificate"],
"effect": "Allow",
"resources": ["*"]
},
"AutoScalingReadOnlyAccess": {
"actions": ["autoscaling:Describe*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudTrailReadOnlyAccess": {
"actions": ["cloudtrail:Describe*", "cloudtrail:List*", "cloudtrail:Get*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudWatchLogsReadOnlyAccess": {
"actions": ["logs:Get*", "logs:Describe*", "logs:List*", "logs:Filter*"],
"effect": "Allow",
"resources": ["*"]
},
"CloudWatchReadOnlyAccess": {
"actions": ["cloudwatch:Describe*", "cloudwatch:List*"],
"effect": "Allow",
"resources": ["*"]
},
"ConfigReadOnlyAccess": {
"actions": ["config:Get*", "config:Describe*", "config:List*", "config:Select*", "config:BatchGetResourceConfig"],
"effect": "Allow",
"resources": ["*"]
},
"DynamoDBLocksTableAccess": {
"actions": ["dynamodb:*"],
"effect": "Allow",
"resources": ["arn:aws:dynamodb:*:*:table/terraform-locks"]
},
"EC2ServiceReadOnlyAccess": {
"actions": ["ec2:Describe*", "ec2:Get*"],
"effect": "Allow",
"resources": ["*"]
},
"ECRReadOnlyAccess": {
"actions": ["ecr:BatchGet*", "ecr:Describe*", "ecr:Get*", "ecr:List*"],
"effect": "Allow",
"resources": ["*"]
},
"ECSReadOnlyAccess": {
"actions": ["ecs:Describe*", "ecs:List*"],
"effect": "Allow",
"resources": ["*"]
},
"ELBReadOnlyAccess": {
"actions": ["elasticloadbalancing:Describe*"],
"effect": "Allow",
"resources": ["*"]
},
"GuardDutyReadOnlyAccess": {
"actions": ["guardduty:Get*", "guardduty:List*"],
"effect": "Allow",
"resources": ["*"]
},
"IAMAccess": {
"actions": ["iam:Get*", "iam:List*", "iam:PassRole*"],
"effect": "Allow",
"resources": ["*"]
},
"KMSReadOnlyAccess": {
"actions": ["kms:Describe*", "kms:Get*", "kms:List*"],
"effect": "Allow",
"resources": ["*"]
},
"LambdaReadOnlyAccess": {
"actions": ["lambda:Get*", "lambda:List*"],
"effect": "Allow",
"resources": ["*"]
},
"RDSReadOnlyAccess": {
"actions": ["rds:Describe*", "rds:List*", "rds:Download*"],
"effect": "Allow",
"resources": ["*"]
},
"Route53ReadOnlyAccess": {
"actions": ["route53:Get*", "route53:List*", "route53:Test*", "route53domains:Check*", "route53domains:Get*", "route53domains:List*", "route53domains:View*", "route53resolver:Get*", "route53resolver:List*"],
"effect": "Allow",
"resources": ["*"]
},
"S3ReadOnlyAccess": {
"actions": ["s3:Get*", "s3:List*"],
"effect": "Allow",
"resources": ["*"]
},
"S3StateBucketAccess": {
"actions": ["s3:*"],
"effect": "Allow",
"resources": ["arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state", "arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state/*"]
},
"SNSReadOnlyAccess": {
"actions": ["sns:Get*", "sns:List*", "sns:Check*"],
"effect": "Allow",
"resources": ["*"]
},
"SQSReadOnlyAccess": {
"actions": ["sqs:Get*", "sqs:List*"],
"effect": "Allow",
"resources": ["*"]
},
"SecretsManagerReadOnlyAccess": {
"actions": ["secretsmanager:Get*", "secretsmanager:List*", "secretsmanager:Describe*"],
"effect": "Allow",
"resources": ["*"]
}
},
"infrastructure_live_repositories": ["git@github.com:gruntwork-io/refarch-demo-infrastructure-live.git"],
"infrastructure_live_repositories_regex": [],
"repo_access_ssh_key_secrets_manager_arn": "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234",
"secrets_manager_env_vars": {
"GITHUB_OAUTH_TOKEN": "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234"
}
}
},
"vpc_id": {
"value": "vpc-abcd1234"
}
},
"planned_values": {
"outputs": {
"cloudwatch_log_group_name": {
"sensitive": false,
"value": "ecs-deploy-runner"
},
"default_ecs_task_arn": {
"sensitive": false
},
"ecs_cluster_arn": {
"sensitive": false
},
"ecs_task_arns": {
"sensitive": false
},
"ecs_task_execution_role_arn": {
"sensitive": false
},
"ecs_task_families": {
"sensitive": false,
"value": {
"terraform-applier": "ecs-deploy-runner-terraform-applier",
"terraform-planner": "ecs-deploy-runner-terraform-planner"
}
},
"ecs_task_iam_roles": {
"sensitive": false
},
"ecs_task_revisions": {
"sensitive": false
},
"invoke_policy_arn": {
"sensitive": false
},
"invoker_function_arn": {
"sensitive": false
},
"security_group_allow_all_outbound_id": {
"sensitive": false
}
},
"root_module": {
"resources": [{
"address": "aws_iam_role_policy.terraform_applier[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_applier",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "access-to-services",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"acm:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudtrail:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudwatch:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"config:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ec2:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecr:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"guardduty:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"lambda:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": 
\"rds:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:*\",\n \"route53domains:*\",\n \"route53:*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SNSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sns:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sqs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-applier"
}
}, {
"address": "aws_iam_role_policy.terraform_planner[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_planner",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "access-to-services",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"acm:ListTagsForCertificate\",\n \"acm:ListCertificates\",\n \"acm:GetCertificate\",\n \"acm:DescribeCertificate\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:Describe*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:List*\",\n \"cloudtrail:Get*\",\n \"cloudtrail:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:List*\",\n \"logs:Get*\",\n \"logs:Filter*\",\n \"logs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudwatch:List*\",\n \"cloudwatch:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"config:Select*\",\n \"config:List*\",\n \"config:Get*\",\n \"config:Describe*\",\n \"config:BatchGetResourceConfig\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:Get*\",\n \"ec2:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:List*\",\n \"ecr:Get*\",\n \"ecr:Describe*\",\n \"ecr:BatchGet*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecs:List*\",\n \"ecs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:Describe*\",\n 
\"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"guardduty:List*\",\n \"guardduty:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:PassRole*\",\n \"iam:List*\",\n \"iam:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:List*\",\n \"kms:Get*\",\n \"kms:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"lambda:List*\",\n \"lambda:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds:List*\",\n \"rds:Download*\",\n \"rds:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:List*\",\n \"route53resolver:Get*\",\n \"route53domains:View*\",\n \"route53domains:List*\",\n \"route53domains:Get*\",\n \"route53domains:Check*\",\n \"route53:Test*\",\n \"route53:List*\",\n \"route53:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3StateBucketAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state/*\",\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state\"\n ]\n },\n {\n \"Sid\": \"SNSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sns:List*\",\n \"sns:Get*\",\n \"sns:Check*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sqs:List*\",\n \"sqs:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"secretsmanager:List*\",\n \"secretsmanager:Get*\",\n 
\"secretsmanager:Describe*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-planner"
}
}],
"child_modules": [{
"resources": [{
"address": "module.ecs_deploy_runner.aws_ecs_cluster.fargate_cluster[0]",
"mode": "managed",
"type": "aws_ecs_cluster",
"name": "fargate_cluster",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"capacity_providers": null,
"default_capacity_provider_strategy": [],
"name": "ecs-deploy-runner",
"tags": null
}
}, {
"address": "module.ecs_deploy_runner.aws_ecs_task_definition.runner[\"terraform-applier\"]",
"mode": "managed",
"type": "aws_ecs_task_definition",
"name": "runner",
"index": "terraform-applier",
"provider_name": "aws",
"schema_version": 1,
"values": {
"container_definitions": "[{\"environment\":[],\"essential\":true,\"image\":\"087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner:v1\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-create-group\":\"true\",\"awslogs-group\":\"ecs-deploy-runner\",\"awslogs-region\":\"ap-northeast-1\",\"awslogs-stream-prefix\":\"ecs-deploy-runner\"}},\"name\":\"terraform-applier\",\"secrets\":[{\"name\":\"DEPLOY_SCRIPT_SSH_PRIVATE_KEY\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"},{\"name\":\"GITHUB_OAUTH_TOKEN\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"}]}]",
"cpu": "2048",
"family": "ecs-deploy-runner-terraform-applier",
"inference_accelerator": [],
"ipc_mode": null,
"memory": "8192",
"network_mode": "awsvpc",
"pid_mode": null,
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": ["EC2", "FARGATE"],
"tags": null,
"volume": []
}
}, {
"address": "module.ecs_deploy_runner.aws_ecs_task_definition.runner[\"terraform-planner\"]",
"mode": "managed",
"type": "aws_ecs_task_definition",
"name": "runner",
"index": "terraform-planner",
"provider_name": "aws",
"schema_version": 1,
"values": {
"container_definitions": "[{\"environment\":[],\"essential\":true,\"image\":\"087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner:v1\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-create-group\":\"true\",\"awslogs-group\":\"ecs-deploy-runner\",\"awslogs-region\":\"ap-northeast-1\",\"awslogs-stream-prefix\":\"ecs-deploy-runner\"}},\"name\":\"terraform-planner\",\"secrets\":[{\"name\":\"DEPLOY_SCRIPT_SSH_PRIVATE_KEY\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"},{\"name\":\"GITHUB_OAUTH_TOKEN\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"}]}]",
"cpu": "2048",
"family": "ecs-deploy-runner-terraform-planner",
"inference_accelerator": [],
"ipc_mode": null,
"memory": "8192",
"network_mode": "awsvpc",
"pid_mode": null,
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": ["EC2", "FARGATE"],
"tags": null,
"volume": []
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task[\"terraform-applier\"]",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task",
"index": "terraform-applier",
"provider_name": "aws",
"schema_version": 0,
"values": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-terraform-applier",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task[\"terraform-planner\"]",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task",
"index": "terraform-planner",
"provider_name": "aws",
"schema_version": 0,
"values": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-terraform-planner",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task_execution_role",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task_execution_role",
"provider_name": "aws",
"schema_version": 0,
"values": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-task-execution-role",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.ecs_task_execution_policy",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_execution_policy",
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "ecs-deploy-runner-task-excution-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": [\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\",\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"\n ]\n }\n ]\n}",
"role": "ecs-deploy-runner-task-execution-role"
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.ecs_task_secrets_manager_read_policy[\"terraform-applier\"]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_secrets_manager_read_policy",
"index": "terraform-applier",
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "read-secrets-manager-entries",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-applier"
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.invoke_deploy_runner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "invoke_deploy_runner",
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "invoke-ecs-deploy-runner",
"name_prefix": null
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group.allow_all_outbound",
"mode": "managed",
"type": "aws_security_group",
"name": "allow_all_outbound",
"provider_name": "aws",
"schema_version": 1,
"values": {
"description": "Allow all outbound traffic",
"name": "allow_all_outbound",
"name_prefix": null,
"revoke_rules_on_delete": false,
"tags": null,
"timeouts": null,
"vpc_id": "vpc-abcd1234"
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group_rule.allow_all_outbound",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound",
"provider_name": "aws",
"schema_version": 2,
"values": {
"cidr_blocks": ["0.0.0.0/0"],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"self": false,
"to_port": 0,
"type": "egress"
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group_rule.allow_all_outbound_lambda",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound_lambda",
"provider_name": "aws",
"schema_version": 2,
"values": {
"cidr_blocks": ["0.0.0.0/0"],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"self": false,
"to_port": 0,
"type": "egress"
}
}, {
"address": "module.ecs_deploy_runner.data.aws_iam_policy_document.invoke_deploy_runner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_deploy_runner",
"provider_name": "aws",
"schema_version": 0,
"values": {
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ecs:RunTask"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"sid": null
}, {
"actions": ["iam:GetRole", "iam:PassRole"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": [],
"sid": null
}],
"version": null
}
}, {
"address": "module.ecs_deploy_runner.null_resource.task_definition_arns",
"mode": "managed",
"type": "null_resource",
"name": "task_definition_arns",
"provider_name": "null",
"schema_version": 0
}],
"address": "module.ecs_deploy_runner",
"child_modules": [{
"resources": [{
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role.lambda[0]",
"mode": "managed",
"type": "aws_iam_role",
"name": "lambda",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"lambda.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-invoker",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role_policy.logging_for_lambda[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "logging_for_lambda",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "ecs-deploy-runner-invoker-logging",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\"\n ],\n \"Resource\": \"arn:aws:logs:*:*:*\"\n }\n ]\n}"
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role_policy.network_interfaces_for_lamda[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "network_interfaces_for_lamda",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"name": "ecs-deploy-runner-invoker-network-interfaces",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:ResetNetworkInterfaceAttribute\",\n \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:CreateNetworkInterface\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}"
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_lambda_function.function[0]",
"mode": "managed",
"type": "aws_lambda_function",
"name": "function",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"code_signing_config_arn": null,
"dead_letter_config": [],
"description": "A lambda function that provides a restricted interface to invoke the ECS deploy runner task",
"environment": [{}],
"file_system_config": [],
"filename": ".terraform/modules/ecs_deploy_runner.deploy_runner_invoker_lambda/modules/lambda/ecs-deploy-runner-invoker_lambda.zip",
"function_name": "ecs-deploy-runner-invoker",
"handler": "invoker.index.handler",
"image_config": [],
"image_uri": null,
"kms_key_arn": null,
"layers": [],
"memory_size": 128,
"package_type": "Zip",
"publish": false,
"reserved_concurrent_executions": -1,
"runtime": "python3.8",
"s3_bucket": null,
"s3_key": null,
"s3_object_version": null,
"source_code_hash": "iQe5fxuVNXwdg3/o9zfPJWc8kNZtgS7VrushD42eN48=",
"tags": null,
"timeout": 150,
"timeouts": null,
"vpc_config": [{
"subnet_ids": ["subnet-abcd1234", "subnet-bcd1234a"]
}]
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_security_group.lambda[0]",
"mode": "managed",
"type": "aws_security_group",
"name": "lambda",
"index": 0,
"provider_name": "aws",
"schema_version": 1,
"values": {
"description": "Security group for the lambda function ecs-deploy-runner-invoker",
"name": "ecs-deploy-runner-invoker-lambda",
"name_prefix": null,
"revoke_rules_on_delete": false,
"tags": null,
"timeouts": null,
"vpc_id": "vpc-abcd1234"
}
}],
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda"
}]
}, {
"resources": [{
"address": "module.invoke_policy.aws_iam_policy.invoke_ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_policy",
"name": "invoke_ecs_deploy_runner",
"provider_name": "aws",
"schema_version": 0,
"values": {
"description": "A policy that grants the ability to invoke the Invoker Lambda function of the ECS Deploy Runner stack. Includes monitoring permissions as well (access to describe task to see status/errors and access to the CloudWatch log stream).",
"name": "invoke-ecs-deploy-runner",
"name_prefix": null,
"path": "/"
}
}, {
"address": "module.invoke_policy.data.aws_iam_policy_document.invoke_ecs_deploy_runner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_ecs_deploy_runner",
"provider_name": "aws",
"schema_version": 0,
"values": {
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["lambda:InvokeFunction"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": [],
"sid": "invokeDeployRunner"
}, {
"actions": ["ecs:DescribeTasks"],
"condition": [{
"test": "StringEquals",
"values": [],
"variable": "ecs:cluster"
}],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": ["*"],
"sid": "readDeployRunnerECSTask"
}, {
"actions": ["logs:GetLogEvents"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": ["arn:aws:logs:ap-northeast-1:087285199408:log-group:ecs-deploy-runner:log-stream:*"],
"sid": "streamDeployRunnerLogs"
}],
"version": null
}
}],
"address": "module.invoke_policy"
}]
}
},
"resource_changes": [{
"address": "aws_iam_role_policy.terraform_applier[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_applier",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "access-to-services",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"acm:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudtrail:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudwatch:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"config:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ec2:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecr:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"guardduty:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"lambda:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": 
\"rds:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:*\",\n \"route53domains:*\",\n \"route53:*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SNSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sns:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sqs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-applier"
},
"after_unknown": {
"id": true
}
}
}, {
"address": "aws_iam_role_policy.terraform_planner[0]",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_planner",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "access-to-services",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"acm:ListTagsForCertificate\",\n \"acm:ListCertificates\",\n \"acm:GetCertificate\",\n \"acm:DescribeCertificate\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:Describe*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:List*\",\n \"cloudtrail:Get*\",\n \"cloudtrail:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:List*\",\n \"logs:Get*\",\n \"logs:Filter*\",\n \"logs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudwatch:List*\",\n \"cloudwatch:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"config:Select*\",\n \"config:List*\",\n \"config:Get*\",\n \"config:Describe*\",\n \"config:BatchGetResourceConfig\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:Get*\",\n \"ec2:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:List*\",\n \"ecr:Get*\",\n \"ecr:Describe*\",\n \"ecr:BatchGet*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecs:List*\",\n \"ecs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:Describe*\",\n 
\"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"guardduty:List*\",\n \"guardduty:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:PassRole*\",\n \"iam:List*\",\n \"iam:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:List*\",\n \"kms:Get*\",\n \"kms:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"lambda:List*\",\n \"lambda:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds:List*\",\n \"rds:Download*\",\n \"rds:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:List*\",\n \"route53resolver:Get*\",\n \"route53domains:View*\",\n \"route53domains:List*\",\n \"route53domains:Get*\",\n \"route53domains:Check*\",\n \"route53:Test*\",\n \"route53:List*\",\n \"route53:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3StateBucketAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state/*\",\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state\"\n ]\n },\n {\n \"Sid\": \"SNSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sns:List*\",\n \"sns:Get*\",\n \"sns:Check*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sqs:List*\",\n \"sqs:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"secretsmanager:List*\",\n \"secretsmanager:Get*\",\n 
\"secretsmanager:Describe*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-planner"
},
"after_unknown": {
"id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_ecs_cluster.fargate_cluster[0]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_ecs_cluster",
"name": "fargate_cluster",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"capacity_providers": null,
"default_capacity_provider_strategy": [],
"name": "ecs-deploy-runner",
"tags": null
},
"after_unknown": {
"arn": true,
"default_capacity_provider_strategy": [],
"id": true,
"setting": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_ecs_task_definition.runner[\"terraform-applier\"]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_ecs_task_definition",
"name": "runner",
"index": "terraform-applier",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"container_definitions": "[{\"environment\":[],\"essential\":true,\"image\":\"087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner:v1\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-create-group\":\"true\",\"awslogs-group\":\"ecs-deploy-runner\",\"awslogs-region\":\"ap-northeast-1\",\"awslogs-stream-prefix\":\"ecs-deploy-runner\"}},\"name\":\"terraform-applier\",\"secrets\":[{\"name\":\"DEPLOY_SCRIPT_SSH_PRIVATE_KEY\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"},{\"name\":\"GITHUB_OAUTH_TOKEN\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"}]}]",
"cpu": "2048",
"family": "ecs-deploy-runner-terraform-applier",
"inference_accelerator": [],
"ipc_mode": null,
"memory": "8192",
"network_mode": "awsvpc",
"pid_mode": null,
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": ["EC2", "FARGATE"],
"tags": null,
"volume": []
},
"after_unknown": {
"arn": true,
"execution_role_arn": true,
"id": true,
"inference_accelerator": [],
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": [false, false],
"revision": true,
"task_role_arn": true,
"volume": []
}
}
}, {
"address": "module.ecs_deploy_runner.aws_ecs_task_definition.runner[\"terraform-planner\"]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_ecs_task_definition",
"name": "runner",
"index": "terraform-planner",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"container_definitions": "[{\"environment\":[],\"essential\":true,\"image\":\"087285199408.dkr.ecr.us-east-1.amazonaws.com/ecs-deploy-runner:v1\",\"logConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-create-group\":\"true\",\"awslogs-group\":\"ecs-deploy-runner\",\"awslogs-region\":\"ap-northeast-1\",\"awslogs-stream-prefix\":\"ecs-deploy-runner\"}},\"name\":\"terraform-planner\",\"secrets\":[{\"name\":\"DEPLOY_SCRIPT_SSH_PRIVATE_KEY\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"},{\"name\":\"GITHUB_OAUTH_TOKEN\",\"valueFrom\":\"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"}]}]",
"cpu": "2048",
"family": "ecs-deploy-runner-terraform-planner",
"inference_accelerator": [],
"ipc_mode": null,
"memory": "8192",
"network_mode": "awsvpc",
"pid_mode": null,
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": ["EC2", "FARGATE"],
"tags": null,
"volume": []
},
"after_unknown": {
"arn": true,
"execution_role_arn": true,
"id": true,
"inference_accelerator": [],
"placement_constraints": [],
"proxy_configuration": [],
"requires_compatibilities": [false, false],
"revision": true,
"task_role_arn": true,
"volume": []
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task[\"terraform-applier\"]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task",
"index": "terraform-applier",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-terraform-applier",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
},
"after_unknown": {
"arn": true,
"create_date": true,
"id": true,
"unique_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task[\"terraform-planner\"]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task",
"index": "terraform-planner",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-terraform-planner",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
},
"after_unknown": {
"arn": true,
"create_date": true,
"id": true,
"unique_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role.ecs_task_execution_role",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task_execution_role",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-task-execution-role",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
},
"after_unknown": {
"arn": true,
"create_date": true,
"id": true,
"unique_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.ecs_task_execution_policy",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_execution_policy",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "ecs-deploy-runner-task-excution-policy",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": [\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\",\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"\n ]\n }\n ]\n}",
"role": "ecs-deploy-runner-task-execution-role"
},
"after_unknown": {
"id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.ecs_task_secrets_manager_read_policy[\"terraform-applier\"]",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_secrets_manager_read_policy",
"index": "terraform-applier",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "read-secrets-manager-entries",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"\n }\n ]\n}",
"role": "ecs-deploy-runner-terraform-applier"
},
"after_unknown": {
"id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_iam_role_policy.invoke_deploy_runner",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "invoke_deploy_runner",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "invoke-ecs-deploy-runner",
"name_prefix": null
},
"after_unknown": {
"id": true,
"policy": true,
"role": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group.allow_all_outbound",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_security_group",
"name": "allow_all_outbound",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"description": "Allow all outbound traffic",
"name": "allow_all_outbound",
"name_prefix": null,
"revoke_rules_on_delete": false,
"tags": null,
"timeouts": null,
"vpc_id": "vpc-abcd1234"
},
"after_unknown": {
"arn": true,
"egress": true,
"id": true,
"ingress": true,
"owner_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group_rule.allow_all_outbound",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"cidr_blocks": ["0.0.0.0/0"],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"self": false,
"to_port": 0,
"type": "egress"
},
"after_unknown": {
"cidr_blocks": [false],
"id": true,
"security_group_id": true,
"source_security_group_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.aws_security_group_rule.allow_all_outbound_lambda",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound_lambda",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"cidr_blocks": ["0.0.0.0/0"],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"self": false,
"to_port": 0,
"type": "egress"
},
"after_unknown": {
"cidr_blocks": [false],
"id": true,
"security_group_id": true,
"source_security_group_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.data.aws_iam_policy_document.invoke_deploy_runner",
"module_address": "module.ecs_deploy_runner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_deploy_runner",
"provider_name": "aws",
"change": {
"actions": ["read"],
"before": null,
"after": {
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ecs:RunTask"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"sid": null
}, {
"actions": ["iam:GetRole", "iam:PassRole"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": [],
"sid": null
}],
"version": null
},
"after_unknown": {
"id": true,
"json": true,
"statement": [{
"actions": [false],
"condition": [],
"not_principals": [],
"principals": [],
"resources": true
}, {
"actions": [false, false],
"condition": [],
"not_principals": [],
"principals": [],
"resources": [true, true, true]
}]
}
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role.lambda[0]",
"module_address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda",
"mode": "managed",
"type": "aws_iam_role",
"name": "lambda",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"lambda.amazonaws.com\"\n }\n }\n ]\n}",
"description": null,
"force_detach_policies": false,
"max_session_duration": 3600,
"name": "ecs-deploy-runner-invoker",
"name_prefix": null,
"path": "/",
"permissions_boundary": null,
"tags": null
},
"after_unknown": {
"arn": true,
"create_date": true,
"id": true,
"unique_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role_policy.logging_for_lambda[0]",
"module_address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "logging_for_lambda",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "ecs-deploy-runner-invoker-logging",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\"\n ],\n \"Resource\": \"arn:aws:logs:*:*:*\"\n }\n ]\n}"
},
"after_unknown": {
"id": true,
"role": true
}
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_iam_role_policy.network_interfaces_for_lamda[0]",
"module_address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "network_interfaces_for_lamda",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"name": "ecs-deploy-runner-invoker-network-interfaces",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:ResetNetworkInterfaceAttribute\",\n \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:CreateNetworkInterface\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}"
},
"after_unknown": {
"id": true,
"role": true
}
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_lambda_function.function[0]",
"module_address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda",
"mode": "managed",
"type": "aws_lambda_function",
"name": "function",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"code_signing_config_arn": null,
"dead_letter_config": [],
"description": "A lambda function that provides a restricted interface to invoke the ECS deploy runner task",
"environment": [{}],
"file_system_config": [],
"filename": ".terraform/modules/ecs_deploy_runner.deploy_runner_invoker_lambda/modules/lambda/ecs-deploy-runner-invoker_lambda.zip",
"function_name": "ecs-deploy-runner-invoker",
"handler": "invoker.index.handler",
"image_config": [],
"image_uri": null,
"kms_key_arn": null,
"layers": [],
"memory_size": 128,
"package_type": "Zip",
"publish": false,
"reserved_concurrent_executions": -1,
"runtime": "python3.8",
"s3_bucket": null,
"s3_key": null,
"s3_object_version": null,
"source_code_hash": "iQe5fxuVNXwdg3/o9zfPJWc8kNZtgS7VrushD42eN48=",
"tags": null,
"timeout": 150,
"timeouts": null,
"vpc_config": [{
"subnet_ids": ["subnet-abcd1234", "subnet-bcd1234a"]
}]
},
"after_unknown": {
"arn": true,
"dead_letter_config": [],
"environment": [{
"variables": true
}],
"file_system_config": [],
"id": true,
"image_config": [],
"invoke_arn": true,
"last_modified": true,
"layers": [],
"qualified_arn": true,
"role": true,
"signing_job_arn": true,
"signing_profile_version_arn": true,
"source_code_size": true,
"tracing_config": true,
"version": true,
"vpc_config": [{
"security_group_ids": true,
"subnet_ids": [false, false],
"vpc_id": true
}]
}
}
}, {
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda.aws_security_group.lambda[0]",
"module_address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda",
"mode": "managed",
"type": "aws_security_group",
"name": "lambda",
"index": 0,
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"description": "Security group for the lambda function ecs-deploy-runner-invoker",
"name": "ecs-deploy-runner-invoker-lambda",
"name_prefix": null,
"revoke_rules_on_delete": false,
"tags": null,
"timeouts": null,
"vpc_id": "vpc-abcd1234"
},
"after_unknown": {
"arn": true,
"egress": true,
"id": true,
"ingress": true,
"owner_id": true
}
}
}, {
"address": "module.ecs_deploy_runner.null_resource.task_definition_arns",
"module_address": "module.ecs_deploy_runner",
"mode": "managed",
"type": "null_resource",
"name": "task_definition_arns",
"provider_name": "null",
"change": {
"actions": ["create"],
"before": null,
"after": {},
"after_unknown": {
"id": true,
"triggers": true
}
}
}, {
"address": "module.invoke_policy.aws_iam_policy.invoke_ecs_deploy_runner",
"module_address": "module.invoke_policy",
"mode": "managed",
"type": "aws_iam_policy",
"name": "invoke_ecs_deploy_runner",
"provider_name": "aws",
"change": {
"actions": ["create"],
"before": null,
"after": {
"description": "A policy that grants the ability to invoke the Invoker Lambda function of the ECS Deploy Runner stack. Includes monitoring permissions as well (access to describe task to see status/errors and access to the CloudWatch log stream).",
"name": "invoke-ecs-deploy-runner",
"name_prefix": null,
"path": "/"
},
"after_unknown": {
"arn": true,
"id": true,
"policy": true
}
}
}, {
"address": "module.invoke_policy.data.aws_iam_policy_document.invoke_ecs_deploy_runner",
"module_address": "module.invoke_policy",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_ecs_deploy_runner",
"provider_name": "aws",
"change": {
"actions": ["read"],
"before": null,
"after": {
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["lambda:InvokeFunction"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": [],
"sid": "invokeDeployRunner"
}, {
"actions": ["ecs:DescribeTasks"],
"condition": [{
"test": "StringEquals",
"values": [],
"variable": "ecs:cluster"
}],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": ["*"],
"sid": "readDeployRunnerECSTask"
}, {
"actions": ["logs:GetLogEvents"],
"condition": [],
"effect": null,
"not_actions": null,
"not_principals": [],
"not_resources": null,
"principals": [],
"resources": ["arn:aws:logs:ap-northeast-1:087285199408:log-group:ecs-deploy-runner:log-stream:*"],
"sid": "streamDeployRunnerLogs"
}],
"version": null
},
"after_unknown": {
"id": true,
"json": true,
"statement": [{
"actions": [false],
"condition": [],
"not_principals": [],
"principals": [],
"resources": [true]
}, {
"actions": [false],
"condition": [{
"values": [true]
}],
"not_principals": [],
"principals": [],
"resources": [false]
}, {
"actions": [false],
"condition": [],
"not_principals": [],
"principals": [],
"resources": [false]
}]
}
}
}],
"output_changes": {
"cloudwatch_log_group_name": {
"actions": ["create"],
"before": null,
"after": "ecs-deploy-runner",
"after_unknown": false
},
"default_ecs_task_arn": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"ecs_cluster_arn": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"ecs_task_arns": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"ecs_task_execution_role_arn": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"ecs_task_families": {
"actions": ["create"],
"before": null,
"after": {
"terraform-applier": "ecs-deploy-runner-terraform-applier",
"terraform-planner": "ecs-deploy-runner-terraform-planner"
},
"after_unknown": false
},
"ecs_task_iam_roles": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"ecs_task_revisions": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"invoke_policy_arn": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"invoker_function_arn": {
"actions": ["create"],
"before": null,
"after_unknown": true
},
"security_group_allow_all_outbound_id": {
"actions": ["create"],
"before": null,
"after_unknown": true
}
},
"prior_state": {
"format_version": "0.1",
"terraform_version": "0.12.29",
"values": {
"outputs": {
"cloudwatch_log_group_name": {
"sensitive": false,
"value": "ecs-deploy-runner"
}
},
"root_module": {
"resources": [{
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"account_id": "087285199408",
"arn": "arn:aws:iam::087285199408:user/rho",
"id": "087285199408",
"user_id": "AIDARIUU2OIYPZZ3WTZ2N"
}
}, {
"address": "data.aws_iam_policy_document.terraform_applier",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "terraform_applier",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "916523295",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"acm:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudtrail:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"cloudwatch:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"logs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"config:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ec2:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecr:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"ecs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"guardduty:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"lambda:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"rds:*\",\n 
\"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:*\",\n \"route53domains:*\",\n \"route53:*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3DeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SNSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sns:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"sqs:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerDeployAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["acm:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ACMDeployAccess"
}, {
"actions": ["autoscaling:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "AutoScalingDeployAccess"
}, {
"actions": ["cloudtrail:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudTrailDeployAccess"
}, {
"actions": ["cloudwatch:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudWatchDeployAccess"
}, {
"actions": ["logs:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudWatchLogsDeployAccess"
}, {
"actions": ["config:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ConfigDeployAccess"
}, {
"actions": ["dynamodb:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:dynamodb:*:*:table/terraform-locks"],
"sid": "DynamoDBLocksTableAccess"
}, {
"actions": ["ec2:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "EC2ServiceDeployAccess"
}, {
"actions": ["ecr:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ECRDeployAccess"
}, {
"actions": ["ecs:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ECSDeployAccess"
}, {
"actions": ["elasticloadbalancing:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ELBDeployAccess"
}, {
"actions": ["guardduty:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "GuardDutyReadOnlyAccess"
}, {
"actions": ["iam:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "IAMAccess"
}, {
"actions": ["kms:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "KMSDeployAccess"
}, {
"actions": ["lambda:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "LambdaDeployAccess"
}, {
"actions": ["rds:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "RDSDeployAccess"
}, {
"actions": ["route53:*", "route53domains:*", "route53resolver:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "Route53DeployAccess"
}, {
"actions": ["s3:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "S3DeployAccess"
}, {
"actions": ["sns:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SNSDeployAccess"
}, {
"actions": ["sqs:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SQSDeployAccess"
}, {
"actions": ["secretsmanager:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SecretsManagerDeployAccess"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.terraform_planner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "terraform_planner",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3151089473",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"ACMReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"acm:ListTagsForCertificate\",\n \"acm:ListCertificates\",\n \"acm:GetCertificate\",\n \"acm:DescribeCertificate\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AutoScalingReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"autoscaling:Describe*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudTrailReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudtrail:List*\",\n \"cloudtrail:Get*\",\n \"cloudtrail:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchLogsReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:List*\",\n \"logs:Get*\",\n \"logs:Filter*\",\n \"logs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"CloudWatchReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"cloudwatch:List*\",\n \"cloudwatch:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ConfigReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"config:Select*\",\n \"config:List*\",\n \"config:Get*\",\n \"config:Describe*\",\n \"config:BatchGetResourceConfig\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"DynamoDBLocksTableAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"dynamodb:*\",\n \"Resource\": \"arn:aws:dynamodb:*:*:table/terraform-locks\"\n },\n {\n \"Sid\": \"EC2ServiceReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:Get*\",\n \"ec2:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECRReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:List*\",\n \"ecr:Get*\",\n \"ecr:Describe*\",\n \"ecr:BatchGet*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ECSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecs:List*\",\n \"ecs:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ELBReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"elasticloadbalancing:Describe*\",\n 
\"Resource\": \"*\"\n },\n {\n \"Sid\": \"GuardDutyReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"guardduty:List*\",\n \"guardduty:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IAMAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:PassRole*\",\n \"iam:List*\",\n \"iam:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"KMSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:List*\",\n \"kms:Get*\",\n \"kms:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"LambdaReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"lambda:List*\",\n \"lambda:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"RDSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds:List*\",\n \"rds:Download*\",\n \"rds:Describe*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Route53ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"route53resolver:List*\",\n \"route53resolver:Get*\",\n \"route53domains:View*\",\n \"route53domains:List*\",\n \"route53domains:Get*\",\n \"route53domains:Check*\",\n \"route53:Test*\",\n \"route53:List*\",\n \"route53:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3ReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"S3StateBucketAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state/*\",\n \"arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state\"\n ]\n },\n {\n \"Sid\": \"SNSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sns:List*\",\n \"sns:Get*\",\n \"sns:Check*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SQSReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"sqs:List*\",\n \"sqs:Get*\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecretsManagerReadOnlyAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"secretsmanager:List*\",\n \"secretsmanager:Get*\",\n 
\"secretsmanager:Describe*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ACMReadOnlyAccess"
}, {
"actions": ["autoscaling:Describe*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "AutoScalingReadOnlyAccess"
}, {
"actions": ["cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudTrailReadOnlyAccess"
}, {
"actions": ["logs:Describe*", "logs:Filter*", "logs:Get*", "logs:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudWatchLogsReadOnlyAccess"
}, {
"actions": ["cloudwatch:Describe*", "cloudwatch:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "CloudWatchReadOnlyAccess"
}, {
"actions": ["config:BatchGetResourceConfig", "config:Describe*", "config:Get*", "config:List*", "config:Select*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ConfigReadOnlyAccess"
}, {
"actions": ["dynamodb:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:dynamodb:*:*:table/terraform-locks"],
"sid": "DynamoDBLocksTableAccess"
}, {
"actions": ["ec2:Describe*", "ec2:Get*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "EC2ServiceReadOnlyAccess"
}, {
"actions": ["ecr:BatchGet*", "ecr:Describe*", "ecr:Get*", "ecr:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ECRReadOnlyAccess"
}, {
"actions": ["ecs:Describe*", "ecs:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ECSReadOnlyAccess"
}, {
"actions": ["elasticloadbalancing:Describe*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "ELBReadOnlyAccess"
}, {
"actions": ["guardduty:Get*", "guardduty:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "GuardDutyReadOnlyAccess"
}, {
"actions": ["iam:Get*", "iam:List*", "iam:PassRole*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "IAMAccess"
}, {
"actions": ["kms:Describe*", "kms:Get*", "kms:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "KMSReadOnlyAccess"
}, {
"actions": ["lambda:Get*", "lambda:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "LambdaReadOnlyAccess"
}, {
"actions": ["rds:Describe*", "rds:Download*", "rds:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "RDSReadOnlyAccess"
}, {
"actions": ["route53:Get*", "route53:List*", "route53:Test*", "route53domains:Check*", "route53domains:Get*", "route53domains:List*", "route53domains:View*", "route53resolver:Get*", "route53resolver:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "Route53ReadOnlyAccess"
}, {
"actions": ["s3:Get*", "s3:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "S3ReadOnlyAccess"
}, {
"actions": ["s3:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state", "arn:aws:s3:::Y8zkfj-dev-ap-northeast-1-tf-state/*"],
"sid": "S3StateBucketAccess"
}, {
"actions": ["sns:Check*", "sns:Get*", "sns:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SNSReadOnlyAccess"
}, {
"actions": ["sqs:Get*", "sqs:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SQSReadOnlyAccess"
}, {
"actions": ["secretsmanager:Describe*", "secretsmanager:Get*", "secretsmanager:List*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "SecretsManagerReadOnlyAccess"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"description": "Asia Pacific (Tokyo)",
"endpoint": "ec2.ap-northeast-1.amazonaws.com",
"id": "ap-northeast-1",
"name": "ap-northeast-1"
}
}],
"child_modules": [{
"resources": [{
"address": "data.aws_regions.current",
"mode": "data",
"type": "aws_regions",
"name": "current",
"provider_name": "aws.seed",
"schema_version": 0,
"values": {
"all_regions": null,
"filter": null,
"id": "aws",
"names": ["ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
}
}],
"address": "module.kms_grants"
}, {
"resources": [{
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"account_id": "087285199408",
"arn": "arn:aws:iam::087285199408:user/rho",
"id": "087285199408",
"user_id": "AIDARIUU2OIYPZZ3WTZ2N"
}
}],
"address": "module.ec2_baseline",
"child_modules": [{
"resources": [{
"address": "data.aws_iam_policy.AWSSupportAccess",
"mode": "data",
"type": "aws_iam_policy",
"name": "AWSSupportAccess",
"provider_name": "aws",
"schema_version": 0,
"values": {
"arn": "arn:aws:iam::aws:policy/AWSSupportAccess",
"description": "Allows users to access the AWS Support Center.",
"id": "arn:aws:iam::aws:policy/AWSSupportAccess",
"name": "AWSSupportAccess",
"path": "/",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"support:*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}"
}
}, {
"address": "data.aws_iam_policy_document.allow_access_from_other_accounts",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_access_from_other_accounts",
"index": 0,
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "4158822762",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"AWS\": []\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["sts:AssumeRole"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [{
"identifiers": [],
"type": "AWS"
}],
"resources": [],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.billing",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "billing",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "925182535",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"billingFullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"aws-portal:*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["aws-portal:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "billingFullAccess"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.developers",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "developers",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3393068152",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"grantFullAccessToSpecifiedServices\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": [],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "grantFullAccessToSpecifiedServices"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.developers_s3_bucket",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "developers_s3_bucket",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3856418693",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"personalS3FolderFullRights\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::your-org-name.user-${aws:username}/*\",\n \"arn:aws:s3:::your-org-name.user-${aws:username}\"\n ]\n },\n {\n \"Sid\": \"listPersonalS3FoldersInAWSConsole\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListAllMyBuckets\",\n \"s3:GetBucketLocation\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["s3:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:s3:::your-org-name.user-${aws:username}", "arn:aws:s3:::your-org-name.user-${aws:username}/*"],
"sid": "personalS3FolderFullRights"
}, {
"actions": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "listPersonalS3FoldersInAWSConsole"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.full_access",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "full_access",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "910094155",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"fullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": \"*\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "fullAccess"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.houston_cli_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "houston_cli_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1922637622",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"execute-api:Invoke\",\n \"Resource\": [\n \"arn:aws:execute-api:*:087285199408:*/*/PUT/api/sandbox/service-catalog/cli/*\",\n \"arn:aws:execute-api:*:087285199408:*/*/POST/api/sandbox/service-catalog/cli/*\",\n \"arn:aws:execute-api:*:087285199408:*/*/PATCH/api/sandbox/service-catalog/cli/*\",\n \"arn:aws:execute-api:*:087285199408:*/*/GET/api/sandbox/service-catalog/cli/*\",\n \"arn:aws:execute-api:*:087285199408:*/*/DELETE/api/sandbox/service-catalog/cli/*\"\n ]\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["execute-api:Invoke"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:execute-api:*:087285199408:*/*/DELETE/api/sandbox/service-catalog/cli/*", "arn:aws:execute-api:*:087285199408:*/*/GET/api/sandbox/service-catalog/cli/*", "arn:aws:execute-api:*:087285199408:*/*/PATCH/api/sandbox/service-catalog/cli/*", "arn:aws:execute-api:*:087285199408:*/*/POST/api/sandbox/service-catalog/cli/*", "arn:aws:execute-api:*:087285199408:*/*/PUT/api/sandbox/service-catalog/cli/*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.iam_admin",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "iam_admin",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "591895058",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"iamAdmin\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"IamUserSelfManagementPermissionsThatDontRequireMFA\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ListVirtualMFADevices\",\n \"iam:ListUsers\",\n \"iam:ListMFADevices\",\n \"iam:GetUser\",\n \"iam:EnableMFADevice\",\n \"iam:DeleteVirtualMFADevice\",\n \"iam:CreateVirtualMFADevice\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["iam:*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "iamAdmin"
}, {
"actions": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListUsers", "iam:ListVirtualMFADevices"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "IamUserSelfManagementPermissionsThatDontRequireMFA"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.iam_user_self_mgmt",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "iam_user_self_mgmt",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3252114938",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"iamUserSelfManagement\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:UploadSigningCertificate\",\n \"iam:UploadSSHPublicKey\",\n \"iam:UpdateUser\",\n \"iam:UpdateSSHPublicKey\",\n \"iam:UpdateLoginProfile\",\n \"iam:UpdateAccessKey\",\n \"iam:ResyncMFADevice\",\n \"iam:List*\",\n \"iam:Get*\",\n \"iam:GenerateServiceLastAccessedDetails\",\n \"iam:GenerateCredentialReport\",\n \"iam:DeleteVirtualMFADevice\",\n \"iam:DeleteSSHPublicKey\",\n \"iam:DeleteLoginProfile\",\n \"iam:DeleteAccessKey\",\n \"iam:DeactivateMFADevice\",\n \"iam:CreateLoginProfile\",\n \"iam:CreateAccessKey\",\n \"iam:ChangePassword\"\n ],\n \"Resource\": [\n \"arn:aws:iam::087285199408:user/${aws:username}\",\n \"arn:aws:iam::087285199408:mfa/${aws:username}\"\n ]\n },\n {\n \"Sid\": \"IamUserSelfManagementPermissionsThatDontRequireMFA\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ListMFADevices\",\n \"iam:GetUser\",\n \"iam:EnableMFADevice\",\n \"iam:DeleteVirtualMFADevice\",\n \"iam:CreateVirtualMFADevice\"\n ],\n \"Resource\": [\n \"arn:aws:iam::087285199408:user/${aws:username}\",\n \"arn:aws:iam::087285199408:mfa/${aws:username}\"\n ]\n },\n {\n \"Sid\": \"MoreIamUserSelfManagementPermissionsThatDontRequireMFA\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ListVirtualMFADevices\",\n \"iam:ListUsers\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"iamUserSelfManagementSupport\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ListPolicyVersions\",\n \"iam:ListGroups\",\n \"iam:ListGroupPolicies\",\n \"iam:ListEntitiesForPolicy\",\n \"iam:ListAttachedGroupPolicies\",\n \"iam:GetServiceLastAccessedDetails\",\n \"iam:GetPolicyVersion\",\n \"iam:GetPolicy\",\n \"iam:GetGroupPolicy\",\n \"iam:GetAccountPasswordPolicy\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"listAllIamUsers\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:ListUsers\",\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:DeactivateMFADevice", "iam:DeleteAccessKey", "iam:DeleteLoginProfile", "iam:DeleteSSHPublicKey", "iam:DeleteVirtualMFADevice", "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*", "iam:ResyncMFADevice", "iam:UpdateAccessKey", "iam:UpdateLoginProfile", "iam:UpdateSSHPublicKey", "iam:UpdateUser", "iam:UploadSSHPublicKey", "iam:UploadSigningCertificate"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:iam::087285199408:mfa/${aws:username}", "arn:aws:iam::087285199408:user/${aws:username}"],
"sid": "iamUserSelfManagement"
}, {
"actions": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:iam::087285199408:mfa/${aws:username}", "arn:aws:iam::087285199408:user/${aws:username}"],
"sid": "IamUserSelfManagementPermissionsThatDontRequireMFA"
}, {
"actions": ["iam:ListUsers", "iam:ListVirtualMFADevices"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "MoreIamUserSelfManagementPermissionsThatDontRequireMFA"
}, {
"actions": ["iam:GetAccountPasswordPolicy", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetServiceLastAccessedDetails", "iam:ListAttachedGroupPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListPolicyVersions"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "iamUserSelfManagementSupport"
}, {
"actions": ["iam:ListUsers"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "listAllIamUsers"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.logs",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "logs",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1356751515",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"readLogs\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"tag:Get*\",\n \"logs:StopQuery\",\n \"logs:StartQuery\",\n \"logs:List*\",\n \"logs:Get*\",\n \"logs:Filter*\",\n \"logs:Describe*\",\n \"config:Select*\",\n \"config:List*\",\n \"config:Get*\",\n \"config:Describe*\",\n \"config:Deliver*\",\n \"config:BatchGet*\",\n \"cloudtrail:Lookup*\",\n \"cloudtrail:List*\",\n \"cloudtrail:Get*\",\n \"cloudtrail:Describe*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*", "cloudtrail:Lookup*", "config:BatchGet*", "config:Deliver*", "config:Describe*", "config:Get*", "config:List*", "config:Select*", "logs:Describe*", "logs:Filter*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "tag:Get*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "readLogs"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.read_only",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "read_only",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "192367354",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"readOnlyForEverything\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"workspaces:Describe*\",\n \"waf:List*\",\n \"waf:Get*\",\n \"trustedadvisor:Describe*\",\n \"tag:Get*\",\n \"swf:List*\",\n \"swf:Get*\",\n \"swf:Describe*\",\n \"swf:Count*\",\n \"storagegateway:List*\",\n \"storagegateway:Describe*\",\n \"states:List*\",\n \"states:Get*\",\n \"states:Describe*\",\n \"ssm:List*\",\n \"ssm:Get*\",\n \"ssm:Describe*\",\n \"sqs:ReceiveMessage\",\n \"sqs:ListQueues\",\n \"sqs:GetQueueUrl\",\n \"sqs:GetQueueAttributes\",\n \"sns:List*\",\n \"sns:Get*\",\n \"ses:List*\",\n \"ses:Get*\",\n \"sdb:Select*\",\n \"sdb:List*\",\n \"sdb:GetAttributes\",\n \"s3:List*\",\n \"s3:Get*\",\n \"route53domains:ListTagsForDomain\",\n \"route53domains:ListOperations\",\n \"route53domains:ListDomains\",\n \"route53domains:GetOperationDetail\",\n \"route53domains:GetDomainDetail\",\n \"route53domains:CheckDomainAvailability\",\n \"route53:List*\",\n \"route53:Get*\",\n \"resource-groups:ListGroups\",\n \"resource-groups:ListGroupResources\",\n \"redshift:ViewQueriesInConsole\",\n \"redshift:Describe*\",\n \"rds:ListTagsForResource\",\n \"rds:Download*\",\n \"rds:Describe*\",\n \"pi:Get*\",\n \"pi:Describe*\",\n \"opsworks:Get*\",\n \"opsworks:Describe*\",\n \"mobilehub:VerifyServiceRole\",\n \"mobilehub:ValidateProject\",\n \"mobilehub:ListProjects\",\n \"mobilehub:ListAvailableRegions\",\n \"mobilehub:ListAvailableFeatures\",\n \"mobilehub:GetProject\",\n \"machinelearning:Get*\",\n \"machinelearning:Describe*\",\n \"logs:TestMetricFilter\",\n \"logs:Get*\",\n \"logs:FilterLogEvents\",\n \"logs:Describe*\",\n \"lambda:List*\",\n \"lambda:Get*\",\n \"kms:List*\",\n \"kms:Get*\",\n \"kms:Describe*\",\n \"kinesisanalytics:ListApplications\",\n \"kinesisanalytics:GetApplicationState\",\n \"kinesisanalytics:DiscoverInputSchema\",\n \"kinesisanalytics:DescribeApplication\",\n \"kinesis:List*\",\n 
\"kinesis:Get*\",\n \"kinesis:Describe*\",\n \"iot:List*\",\n \"iot:Get*\",\n \"iot:Describe*\",\n \"inspector:PreviewAgentsForResourceGroup\",\n \"inspector:LocalizeText\",\n \"inspector:List*\",\n \"inspector:Get*\",\n \"inspector:Describe*\",\n \"iam:List*\",\n \"iam:Get*\",\n \"iam:GenerateServiceLastAccessedDetails\",\n \"iam:GenerateCredentialReport\",\n \"health:List*\",\n \"health:Get*\",\n \"health:Describe*\",\n \"glacier:ListVaults\",\n \"glacier:ListTagsForVault\",\n \"glacier:ListParts\",\n \"glacier:ListMultipartUploads\",\n \"glacier:ListJobs\",\n \"glacier:GetVaultNotifications\",\n \"glacier:GetVaultLock\",\n \"glacier:GetVaultAccessPolicy\",\n \"glacier:GetJobOutput\",\n \"glacier:GetDataRetrievalPolicy\",\n \"glacier:DescribeVault\",\n \"glacier:DescribeJob\",\n \"firehose:List*\",\n \"firehose:Describe*\",\n \"events:TestEventPattern\",\n \"events:ListTargetsByRule\",\n \"events:ListRules\",\n \"events:ListRuleNamesByTarget\",\n \"events:DescribeRule\",\n \"es:ListTags\",\n \"es:ListDomainNames\",\n \"es:ESHttpHead\",\n \"es:ESHttpGet\",\n \"es:DescribeElasticsearchDomains\",\n \"es:DescribeElasticsearchDomainConfig\",\n \"es:DescribeElasticsearchDomain\",\n \"elastictranscoder:Read*\",\n \"elastictranscoder:List*\",\n \"elasticmapreduce:List*\",\n \"elasticmapreduce:Describe*\",\n \"elasticloadbalancing:Describe*\",\n \"elasticfilesystem:Describe*\",\n \"elasticbeanstalk:RetrieveEnvironmentInfo\",\n \"elasticbeanstalk:RequestEnvironmentInfo\",\n \"elasticbeanstalk:List*\",\n \"elasticbeanstalk:Describe*\",\n \"elasticbeanstalk:Check*\",\n \"elasticache:List*\",\n \"elasticache:Describe*\",\n \"eks:List*\",\n \"eks:Describe*\",\n \"ecs:List*\",\n \"ecs:Describe*\",\n \"ecr:List*\",\n \"ecr:Get*\",\n \"ecr:Describe*\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchCheckLayerAvailability\",\n \"ec2:GetConsoleScreenshot\",\n \"ec2:GetConsoleOutput\",\n \"ec2:Describe*\",\n \"dynamodb:Scan\",\n \"dynamodb:Query\",\n \"dynamodb:ListTables\",\n 
\"dynamodb:GetItem\",\n \"dynamodb:DescribeTable\",\n \"dynamodb:DescribeLimits\",\n \"dynamodb:BatchGetItem\",\n \"ds:Verify*\",\n \"ds:List*\",\n \"ds:Get*\",\n \"ds:Describe*\",\n \"ds:Check*\",\n \"dms:List*\",\n \"dms:Describe*\",\n \"directconnect:Describe*\",\n \"datapipeline:ValidatePipelineDefinition\",\n \"datapipeline:QueryObjects\",\n \"datapipeline:ListPipelines\",\n \"datapipeline:GetPipelineDefinition\",\n \"datapipeline:GetAccountLimits\",\n \"datapipeline:EvaluateExpression\",\n \"datapipeline:DescribePipelines\",\n \"datapipeline:DescribeObjects\",\n \"config:List*\",\n \"config:Get*\",\n \"config:Describe*\",\n \"config:Deliver*\",\n \"codedeploy:List*\",\n \"codedeploy:Get*\",\n \"codedeploy:Batch*\",\n \"codecommit:List*\",\n \"codecommit:GitPull\",\n \"codecommit:Get*\",\n \"codecommit:BatchGetRepositories\",\n \"cloudwatch:List*\",\n \"cloudwatch:Get*\",\n \"cloudwatch:Describe*\",\n \"cloudtrail:LookupEvents\",\n \"cloudtrail:ListTags\",\n \"cloudtrail:ListPublicKeys\",\n \"cloudtrail:GetTrailStatus\",\n \"cloudtrail:DescribeTrails\",\n \"cloudsearch:List*\",\n \"cloudsearch:Describe*\",\n \"cloudfront:List*\",\n \"cloudfront:Get*\",\n \"cloudformation:List*\",\n \"cloudformation:Get*\",\n \"cloudformation:Describe*\",\n \"autoscaling:Describe*\",\n \"appstream:Get*\",\n \"application-autoscaling:Describe*\",\n \"apigateway:GET\",\n \"acm:ListTagsForCertificate\",\n \"acm:ListCertificates\",\n \"acm:GetCertificate\",\n \"acm:DescribeCertificate\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate", "apigateway:GET", "application-autoscaling:Describe*", "appstream:Get*", "autoscaling:Describe*", "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*", "cloudfront:Get*", "cloudfront:List*", "cloudsearch:Describe*", "cloudsearch:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:ListPublicKeys", "cloudtrail:ListTags", "cloudtrail:LookupEvents", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "codecommit:BatchGetRepositories", "codecommit:Get*", "codecommit:GitPull", "codecommit:List*", "codedeploy:Batch*", "codedeploy:Get*", "codedeploy:List*", "config:Deliver*", "config:Describe*", "config:Get*", "config:List*", "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetAccountLimits", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition", "directconnect:Describe*", "dms:Describe*", "dms:List*", "ds:Check*", "ds:Describe*", "ds:Get*", "ds:List*", "ds:Verify*", "dynamodb:BatchGetItem", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:ListTables", "dynamodb:Query", "dynamodb:Scan", "ec2:Describe*", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:Describe*", "ecr:Get*", "ecr:List*", "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*", "elasticache:Describe*", "elasticache:List*", "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "elasticfilesystem:Describe*", "elasticloadbalancing:Describe*", "elasticmapreduce:Describe*", "elasticmapreduce:List*", "elastictranscoder:List*", "elastictranscoder:Read*", 
"es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomainConfig", "es:DescribeElasticsearchDomains", "es:ESHttpGet", "es:ESHttpHead", "es:ListDomainNames", "es:ListTags", "events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule", "events:TestEventPattern", "firehose:Describe*", "firehose:List*", "glacier:DescribeJob", "glacier:DescribeVault", "glacier:GetDataRetrievalPolicy", "glacier:GetJobOutput", "glacier:GetVaultAccessPolicy", "glacier:GetVaultLock", "glacier:GetVaultNotifications", "glacier:ListJobs", "glacier:ListMultipartUploads", "glacier:ListParts", "glacier:ListTagsForVault", "glacier:ListVaults", "health:Describe*", "health:Get*", "health:List*", "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*", "inspector:Describe*", "inspector:Get*", "inspector:List*", "inspector:LocalizeText", "inspector:PreviewAgentsForResourceGroup", "iot:Describe*", "iot:Get*", "iot:List*", "kinesis:Describe*", "kinesis:Get*", "kinesis:List*", "kinesisanalytics:DescribeApplication", "kinesisanalytics:DiscoverInputSchema", "kinesisanalytics:GetApplicationState", "kinesisanalytics:ListApplications", "kms:Describe*", "kms:Get*", "kms:List*", "lambda:Get*", "lambda:List*", "logs:Describe*", "logs:FilterLogEvents", "logs:Get*", "logs:TestMetricFilter", "machinelearning:Describe*", "machinelearning:Get*", "mobilehub:GetProject", "mobilehub:ListAvailableFeatures", "mobilehub:ListAvailableRegions", "mobilehub:ListProjects", "mobilehub:ValidateProject", "mobilehub:VerifyServiceRole", "opsworks:Describe*", "opsworks:Get*", "pi:Describe*", "pi:Get*", "rds:Describe*", "rds:Download*", "rds:ListTagsForResource", "redshift:Describe*", "redshift:ViewQueriesInConsole", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "route53:Get*", "route53:List*", "route53domains:CheckDomainAvailability", "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", 
"route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "s3:Get*", "s3:List*", "sdb:GetAttributes", "sdb:List*", "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage", "ssm:Describe*", "ssm:Get*", "ssm:List*", "states:Describe*", "states:Get*", "states:List*", "storagegateway:Describe*", "storagegateway:List*", "swf:Count*", "swf:Describe*", "swf:Get*", "swf:List*", "tag:Get*", "trustedadvisor:Describe*", "waf:Get*", "waf:List*", "workspaces:Describe*"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "readOnlyForEverything"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.require_mfa_policy",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "require_mfa_policy",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "97110855",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowViewAccountInfo\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:ListVirtualMFADevices\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"AllowManageOwnVirtualMFADevice\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:DeleteVirtualMFADevice\",\n \"iam:CreateVirtualMFADevice\"\n ],\n \"Resource\": \"arn:aws:iam::087285199408:mfa/${aws:username}\"\n },\n {\n \"Sid\": \"AllowManageOwnUserMFA\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ResyncMFADevice\",\n \"iam:ListMFADevices\",\n \"iam:GetUser\",\n \"iam:EnableMFADevice\",\n \"iam:DeactivateMFADevice\"\n ],\n \"Resource\": [\n \"arn:aws:iam::087285199408:user/${aws:username}\",\n \"arn:aws:iam::087285199408:mfa/${aws:username}\"\n ]\n },\n {\n \"Sid\": \"DenyAllExceptListedIfNoMFA\",\n \"Effect\": \"Deny\",\n \"NotAction\": [\n \"sts:GetSessionToken\",\n \"iam:ResyncMFADevice\",\n \"iam:ListVirtualMFADevices\",\n \"iam:ListMFADevices\",\n \"iam:GetUser\",\n \"iam:EnableMFADevice\",\n \"iam:CreateVirtualMFADevice\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\n \"aws:MultiFactorAuthPresent\": \"false\"\n }\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["iam:ListVirtualMFADevices"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "AllowViewAccountInfo"
}, {
"actions": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:iam::087285199408:mfa/${aws:username}"],
"sid": "AllowManageOwnVirtualMFADevice"
}, {
"actions": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:iam::087285199408:mfa/${aws:username}", "arn:aws:iam::087285199408:user/${aws:username}"],
"sid": "AllowManageOwnUserMFA"
}, {
"actions": [],
"condition": [{
"test": "Bool",
"values": ["false"],
"variable": "aws:MultiFactorAuthPresent"
}],
"effect": "Deny",
"not_actions": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "DenyAllExceptListedIfNoMFA"
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ssh_grunt_houston_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ssh_grunt_houston_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3944033268",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"execute-api:Invoke\",\n \"Resource\": \"arn:aws:execute-api:*:087285199408:*/*/GET/*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["execute-api:Invoke"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:execute-api:*:087285199408:*/*/GET/*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ssh_grunt_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ssh_grunt_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "756429121",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:ListSSHPublicKeys\",\n \"iam:GetSSHPublicKey\",\n \"iam:GetGroup\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["iam:GetGroup", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.use_existing_iam_roles",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "use_existing_iam_roles",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "2789327271",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"useExistingIamRolesOnly\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:PassRole\",\n \"iam:ListRoles\",\n \"iam:ListRolePolicies\",\n \"iam:ListPolicyVersions\",\n \"iam:ListPolicies\",\n \"iam:ListInstanceProfilesForRole\",\n \"iam:ListInstanceProfiles\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:GetRolePolicy\",\n \"iam:GetRole\",\n \"iam:GetPolicyVersion\",\n \"iam:GetPolicy\",\n \"iam:GetInstanceProfile\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["iam:GetInstanceProfile", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": "useExistingIamRolesOnly"
}],
"version": "2012-10-17"
}
}],
"address": "module.ec2_baseline.module.ssh_grunt_policies"
}, {
"resources": [{
"address": "data.aws_iam_policy_document.cloudwatch_logs_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "cloudwatch_logs_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "161732427",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:DescribeLogStreams\",\n \"logs:DescribeLogGroups\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\"\n ],\n \"Resource\": \"arn:aws:logs:*:*:*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:PutLogEvents"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:logs:*:*:*"],
"sid": ""
}],
"version": "2012-10-17"
}
}],
"address": "module.ec2_baseline.module.cloudwatch_log_aggregation"
}, {
"resources": [{
"address": "data.aws_iam_policy_document.cloudwatch_metrics_read_write_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "cloudwatch_metrics_read_write_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1678003274",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:DescribeTags\",\n \"cloudwatch:PutMetricData\",\n \"cloudwatch:ListMetrics\",\n \"cloudwatch:GetMetricStatistics\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricData", "ec2:DescribeTags"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}],
"version": "2012-10-17"
}
}],
"address": "module.ec2_baseline.module.cloudwatch_metrics"
}]
}, {
"resources": [{
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"account_id": "087285199408",
"arn": "arn:aws:iam::087285199408:user/rho",
"id": "087285199408",
"user_id": "AIDARIUU2OIYPZZ3WTZ2N"
}
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"description": "Asia Pacific (Tokyo)",
"endpoint": "ec2.ap-northeast-1.amazonaws.com",
"id": "ap-northeast-1",
"name": "ap-northeast-1"
}
}],
"address": "module.invoke_policy"
}, {
"resources": [{
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"account_id": "087285199408",
"arn": "arn:aws:iam::087285199408:user/rho",
"id": "087285199408",
"user_id": "AIDARIUU2OIYPZZ3WTZ2N"
}
}, {
"address": "data.aws_iam_policy_document.ecs_task",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "320642683",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ecs-tasks.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["sts:AssumeRole"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [{
"identifiers": ["ecs-tasks.amazonaws.com"],
"type": "Service"
}],
"resources": [],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ecs_task_execution_policy_document",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task_execution_policy_document",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3095719035",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": [\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\",\n \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234\"\n ]\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}, {
"actions": ["secretsmanager:GetSecretValue"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitpat-abcd1234", "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ecs_task_read_secrets_manager",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task_read_secrets_manager",
"index": "terraform-applier",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "43635799",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"secretsmanager:GetSecretValue\",\n \"Resource\": \"arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["secretsmanager:GetSecretValue"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:gitssh-abcd1234"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_name": "aws",
"schema_version": 0,
"values": {
"description": "Asia Pacific (Tokyo)",
"endpoint": "ec2.ap-northeast-1.amazonaws.com",
"id": "ap-northeast-1",
"name": "ap-northeast-1"
}
}],
"address": "module.ecs_deploy_runner",
"child_modules": [{
"resources": [{
"address": "data.aws_iam_policy_document.ecr_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecr_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "2246738896",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:ListImages\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:ListImages"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ecs_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_permissions",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1784804257",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecs:UpdateContainerInstancesState\",\n \"ecs:Submit*\",\n \"ecs:StartTelemetrySession\",\n \"ecs:RegisterContainerInstance\",\n \"ecs:Poll\",\n \"ecs:DiscoverPollEndpoint\",\n \"ecs:DeregisterContainerInstance\",\n \"ecs:CreateCluster\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*", "ecs:UpdateContainerInstancesState"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.ecs_role",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_role",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["sts:AssumeRole"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [{
"identifiers": ["ec2.amazonaws.com"],
"type": "Service"
}],
"resources": [],
"sid": ""
}],
"version": "2012-10-17"
}
}],
"address": "module.ecs_deploy_runner.module.ec2_ecs_cluster"
}, {
"resources": [{
"address": "data.archive_file.source_code",
"mode": "data",
"type": "archive_file",
"name": "source_code",
"index": 0,
"provider_name": "archive",
"schema_version": 0,
"values": {
"excludes": null,
"id": "cc32eb0d202084bb8725e700f98f92e5e399e098",
"output_base64sha256": "iQe5fxuVNXwdg3/o9zfPJWc8kNZtgS7VrushD42eN48=",
"output_md5": "be22385acdf6eff5d61be7b291513dc8",
"output_path": ".terraform/modules/ecs_deploy_runner.deploy_runner_invoker_lambda/modules/lambda/ecs-deploy-runner-invoker_lambda.zip",
"output_sha": "cc32eb0d202084bb8725e700f98f92e5e399e098",
"output_size": 12990,
"source": [],
"source_content": null,
"source_content_filename": null,
"source_dir": ".terraform/modules/ecs_deploy_runner/modules/ecs-deploy-runner/invoker-lambda",
"source_file": null,
"type": "zip"
}
}, {
"address": "data.aws_iam_policy_document.lambda_role",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "lambda_role",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "3693445097",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"lambda.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["sts:AssumeRole"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [{
"identifiers": ["lambda.amazonaws.com"],
"type": "Service"
}],
"resources": [],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.logging_for_lambda",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "logging_for_lambda",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "4063422367",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"logs:PutLogEvents\",\n \"logs:CreateLogStream\",\n \"logs:CreateLogGroup\"\n ],\n \"Resource\": \"arn:aws:logs:*:*:*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["arn:aws:logs:*:*:*"],
"sid": ""
}],
"version": "2012-10-17"
}
}, {
"address": "data.aws_iam_policy_document.network_interfaces_for_lamda",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "network_interfaces_for_lamda",
"provider_name": "aws",
"schema_version": 0,
"values": {
"id": "1185433010",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:ResetNetworkInterfaceAttribute\",\n \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:CreateNetworkInterface\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}",
"override_json": null,
"policy_id": null,
"source_json": null,
"statement": [{
"actions": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ResetNetworkInterfaceAttribute"],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": ["*"],
"sid": ""
}],
"version": "2012-10-17"
}
}],
"address": "module.ecs_deploy_runner.module.deploy_runner_invoker_lambda"
}]
}, {
"resources": [{
"address": "data.aws_regions.current",
"mode": "data",
"type": "aws_regions",
"name": "current",
"provider_name": "aws.seed",
"schema_version": 0,
"values": {
"all_regions": null,
"filter": null,
"id": "aws",
"names": ["ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2"]
}
}],
"address": "module.shared_secrets_kms_grants"
}]
}
}
},
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"version_constraint": "\u003e= 3.13.0",
"expressions": {
"allowed_account_ids": {
"constant_value": ["087285199408"]
},
"region": {
"constant_value": "ap-northeast-1"
}
}
},
"kms_grants:aws.af_south_1": {
"name": "aws",
"alias": "af_south_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_east_1": {
"name": "aws",
"alias": "ap_east_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_northeast_1": {
"name": "aws",
"alias": "ap_northeast_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_northeast_2": {
"name": "aws",
"alias": "ap_northeast_2",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_northeast_3": {
"name": "aws",
"alias": "ap_northeast_3",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_south_1": {
"name": "aws",
"alias": "ap_south_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_southeast_1": {
"name": "aws",
"alias": "ap_southeast_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ap_southeast_2": {
"name": "aws",
"alias": "ap_southeast_2",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.ca_central_1": {
"name": "aws",
"alias": "ca_central_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.cn_north_1": {
"name": "aws",
"alias": "cn_north_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.cn_northwest_1": {
"name": "aws",
"alias": "cn_northwest_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_central_1": {
"name": "aws",
"alias": "eu_central_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_north_1": {
"name": "aws",
"alias": "eu_north_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_south_1": {
"name": "aws",
"alias": "eu_south_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_west_1": {
"name": "aws",
"alias": "eu_west_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_west_2": {
"name": "aws",
"alias": "eu_west_2",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.eu_west_3": {
"name": "aws",
"alias": "eu_west_3",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.me_south_1": {
"name": "aws",
"alias": "me_south_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.sa_east_1": {
"name": "aws",
"alias": "sa_east_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.seed": {
"name": "aws",
"alias": "seed",
"module_address": "kms_grants",
"expressions": {
"region": {
"references": ["var.seed_region"]
}
}
},
"kms_grants:aws.us_east_1": {
"name": "aws",
"alias": "us_east_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.us_east_2": {
"name": "aws",
"alias": "us_east_2",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.us_gov_east_1": {
"name": "aws",
"alias": "us_gov_east_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.us_gov_west_1": {
"name": "aws",
"alias": "us_gov_west_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.us_west_1": {
"name": "aws",
"alias": "us_west_1",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"kms_grants:aws.us_west_2": {
"name": "aws",
"alias": "us_west_2",
"module_address": "kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.af_south_1": {
"name": "aws",
"alias": "af_south_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_east_1": {
"name": "aws",
"alias": "ap_east_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_northeast_1": {
"name": "aws",
"alias": "ap_northeast_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_northeast_2": {
"name": "aws",
"alias": "ap_northeast_2",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_northeast_3": {
"name": "aws",
"alias": "ap_northeast_3",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_south_1": {
"name": "aws",
"alias": "ap_south_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_southeast_1": {
"name": "aws",
"alias": "ap_southeast_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ap_southeast_2": {
"name": "aws",
"alias": "ap_southeast_2",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.ca_central_1": {
"name": "aws",
"alias": "ca_central_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.cn_north_1": {
"name": "aws",
"alias": "cn_north_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.cn_northwest_1": {
"name": "aws",
"alias": "cn_northwest_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_central_1": {
"name": "aws",
"alias": "eu_central_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_north_1": {
"name": "aws",
"alias": "eu_north_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_south_1": {
"name": "aws",
"alias": "eu_south_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_west_1": {
"name": "aws",
"alias": "eu_west_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_west_2": {
"name": "aws",
"alias": "eu_west_2",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.eu_west_3": {
"name": "aws",
"alias": "eu_west_3",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.me_south_1": {
"name": "aws",
"alias": "me_south_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.sa_east_1": {
"name": "aws",
"alias": "sa_east_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.seed": {
"name": "aws",
"alias": "seed",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"region": {
"references": ["var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_east_1": {
"name": "aws",
"alias": "us_east_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_east_2": {
"name": "aws",
"alias": "us_east_2",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_gov_east_1": {
"name": "aws",
"alias": "us_gov_east_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_gov_west_1": {
"name": "aws",
"alias": "us_gov_west_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_west_1": {
"name": "aws",
"alias": "us_west_1",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
},
"shared_secrets_kms_grants:aws.us_west_2": {
"name": "aws",
"alias": "us_west_2",
"module_address": "shared_secrets_kms_grants",
"expressions": {
"allowed_account_ids": {
"references": ["var.aws_account_id"]
},
"region": {
"references": ["data.aws_regions.current", "var.seed_region"]
}
}
}
},
"root_module": {
"outputs": {
"cloudwatch_log_group_name": {
"expression": {
"references": ["module.ecs_deploy_runner.cloudwatch_log_group_name"]
},
"description": "Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task."
},
"default_ecs_task_arn": {
"expression": {
"references": ["module.ecs_deploy_runner.default_ecs_task_arn"]
},
"description": "AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly."
},
"ecs_cluster_arn": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_cluster_arn"]
},
"description": "AWS ARN of the ECS Cluster that can be used to run the deploy runner task."
},
"ecs_task_arns": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_task_arns"]
},
"description": "Map of AWS ARNs of the ECS Task Definition. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier)."
},
"ecs_task_execution_role_arn": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_task_execution_role_arn"]
},
"description": "ECS Task execution role ARN"
},
"ecs_task_families": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_task_families"]
},
"description": "Map of the families of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier)."
},
"ecs_task_iam_roles": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_task_iam_roles"]
},
"description": "Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier)."
},
"ecs_task_revisions": {
"expression": {
"references": ["module.ecs_deploy_runner.ecs_task_revisions"]
},
"description": "Map of the current revision of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier)."
},
"invoke_policy_arn": {
"expression": {
"references": ["module.invoke_policy.arn"]
},
"description": "The ARN of the IAM policy that allows access to invoke the deploy runner."
},
"invoker_function_arn": {
"expression": {
"references": ["module.ecs_deploy_runner.invoker_function_arn"]
},
"description": "AWS ARN of the invoker lambda function that can be used to invoke a deployment."
},
"security_group_allow_all_outbound_id": {
"expression": {
"references": ["module.ecs_deploy_runner.security_group_allow_all_outbound_id"]
},
"description": "Security Group ID of the ECS task"
}
},
"resources": [{
"address": "aws_iam_group_policy_attachment.attach_invoke_to_groups",
"mode": "managed",
"type": "aws_iam_group_policy_attachment",
"name": "attach_invoke_to_groups",
"provider_config_key": "aws",
"expressions": {
"group": {
"references": ["each.key"]
},
"policy_arn": {
"references": ["module.invoke_policy.arn"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["var.iam_groups", "var.iam_groups"]
}
}, {
"address": "aws_iam_role_policy.ami_builder",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ami_builder",
"provider_config_key": "aws",
"expressions": {
"name": {
"constant_value": "access-to-services"
},
"policy": {
"references": ["data.aws_iam_policy_document.ami_builder[0]"]
},
"role": {
"references": ["module.ecs_deploy_runner.ecs_task_iam_roles"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["local.configure_ami_builder_iam_policy"]
}
}, {
"address": "aws_iam_role_policy.docker_image_builder",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "docker_image_builder",
"provider_config_key": "aws",
"expressions": {
"name": {
"constant_value": "access-to-services"
},
"policy": {
"references": ["data.aws_iam_policy_document.docker_image_builder[0]"]
},
"role": {
"references": ["module.ecs_deploy_runner.ecs_task_iam_roles"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["local.configure_docker_image_builder_iam_policy"]
}
}, {
"address": "aws_iam_role_policy.terraform_applier",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_applier",
"provider_config_key": "aws",
"expressions": {
"name": {
"constant_value": "access-to-services"
},
"policy": {
"references": ["data.aws_iam_policy_document.terraform_applier[0]"]
},
"role": {
"references": ["module.ecs_deploy_runner.ecs_task_iam_roles"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["local.configure_terraform_applier_iam_policy"]
}
}, {
"address": "aws_iam_role_policy.terraform_planner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "terraform_planner",
"provider_config_key": "aws",
"expressions": {
"name": {
"constant_value": "access-to-services"
},
"policy": {
"references": ["data.aws_iam_policy_document.terraform_planner[0]"]
},
"role": {
"references": ["module.ecs_deploy_runner.ecs_task_iam_roles"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["local.configure_terraform_planner_iam_policy"]
}
}, {
"address": "aws_iam_role_policy_attachment.attach_invoke_to_roles",
"mode": "managed",
"type": "aws_iam_role_policy_attachment",
"name": "attach_invoke_to_roles",
"provider_config_key": "aws",
"expressions": {
"policy_arn": {
"references": ["module.invoke_policy.arn"]
},
"role": {
"references": ["each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["var.iam_roles", "var.iam_roles"]
}
}, {
"address": "aws_iam_user_policy_attachment.attach_invoke_to_users",
"mode": "managed",
"type": "aws_iam_user_policy_attachment",
"name": "attach_invoke_to_users",
"provider_config_key": "aws",
"expressions": {
"policy_arn": {
"references": ["module.invoke_policy.arn"]
},
"user": {
"references": ["each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["var.iam_users", "var.iam_users"]
}
}, {
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_config_key": "aws",
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ami_builder",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ami_builder",
"provider_config_key": "aws",
"schema_version": 0,
"count_expression": {
"references": ["local.configure_ami_builder_iam_policy"]
}
}, {
"address": "data.aws_iam_policy_document.docker_image_builder",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "docker_image_builder",
"provider_config_key": "aws",
"schema_version": 0,
"count_expression": {
"references": ["local.configure_docker_image_builder_iam_policy"]
}
}, {
"address": "data.aws_iam_policy_document.terraform_applier",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "terraform_applier",
"provider_config_key": "aws",
"schema_version": 0,
"count_expression": {
"references": ["local.configure_terraform_applier_iam_policy"]
}
}, {
"address": "data.aws_iam_policy_document.terraform_planner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "terraform_planner",
"provider_config_key": "aws",
"schema_version": 0,
"count_expression": {
"references": ["local.configure_terraform_planner_iam_policy"]
}
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_config_key": "aws",
"schema_version": 0
}],
"module_calls": {
"ec2_baseline": {
"source": "../../base/ec2-baseline",
"expressions": {
"alarms_sns_topic_arn": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"ami": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"ami_filters": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"asg_names": {
"references": ["module.ecs_deploy_runner.ecs_ec2_worker_asg_name"]
},
"cloud_init_parts": {
"references": ["local.cloud_init_parts"]
},
"enable_asg_cloudwatch_alarms": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"enable_cloudwatch_log_aggregation": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"enable_cloudwatch_metrics": {
"references": ["local.should_use_ec2_worker_pool", "var.ec2_worker_pool_configuration"]
},
"enable_ssh_grunt": {
"constant_value": false
},
"external_account_ssh_grunt_role_arn": {
"constant_value": ""
},
"iam_role_name": {
"references": ["module.ecs_deploy_runner.ecs_ec2_worker_iam_role"]
},
"name": {
"references": ["var.name"]
},
"should_render_cloud_init": {
"references": ["local.should_use_ec2_worker_pool"]
}
},
"module": {
"outputs": {
"cloud_init_rendered": {
"expression": {
"references": ["var.should_render_cloud_init", "data.template_cloudinit_config.cloud_init[0]"]
},
"description": "The final rendered cloud-init config used to initialize the instance."
},
"cloudwatch_log_aggregation_policy_arn": {
"expression": {
"references": ["module.cloudwatch_log_aggregation.cloudwatch_log_aggregation_policy_arn"]
},
"description": "The ARN of the CloudWatch Logs aggregation IAM policy."
},
"cloudwatch_log_aggregation_policy_id": {
"expression": {
"references": ["module.cloudwatch_log_aggregation.cloudwatch_log_aggregation_policy_id"]
},
"description": "The ID of the CloudWatch Logs aggregation IAM policy."
},
"cloudwatch_log_aggregation_policy_name": {
"expression": {
"references": ["module.cloudwatch_log_aggregation.cloudwatch_log_aggregation_policy_name"]
},
"description": "The name of the CloudWatch Logs aggregation IAM policy."
},
"cloudwatch_logs_permissions_json": {
"expression": {
"references": ["module.cloudwatch_log_aggregation.cloudwatch_logs_permissions_json"]
},
"description": "The CloudWatch Logs aggregation IAM policy in JSON format."
},
"cloudwatch_metrics_policy_arn": {
"expression": {
"references": ["module.cloudwatch_metrics.cloudwatch_metrics_policy_arn"]
},
"description": "The ARN of the CloudWatch Metrics IAM policy."
},
"cloudwatch_metrics_policy_id": {
"expression": {
"references": ["module.cloudwatch_metrics.cloudwatch_metrics_policy_id"]
},
"description": "The ID of the CloudWatch Metrics IAM policy."
},
"cloudwatch_metrics_policy_name": {
"expression": {
"references": ["module.cloudwatch_metrics.cloudwatch_metrics_policy_name"]
},
"description": "The name of the CloudWatch Metrics IAM policy."
},
"cloudwatch_metrics_read_write_permissions_json": {
"expression": {
"references": ["module.cloudwatch_metrics.cloudwatch_metrics_read_write_permissions_json"]
},
"description": "The CloudWatch Metrics IAM policy in JSON format."
},
"existing_ami": {
"expression": {
"references": ["local.use_ami_lookup", "data.aws_ami.existing[0]", "var.ami"]
},
"description": "The ID of an existing AMI that was retrieved using ami_filters, or provided as input."
},
"ssh_grunt_permissions_json": {
"expression": {
"references": ["module.ssh_grunt_policies.ssh_grunt_permissions"]
},
"description": "The ssh-grunt IAM policy in JSON format."
}
},
"resources": [{
"address": "aws_iam_role_policy.cloudwatch_log_aggregation",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "cloudwatch_log_aggregation",
"provider_config_key": "ec2_baseline:aws",
"expressions": {
"name": {
"constant_value": "cloudwatch-log-aggregation"
},
"policy": {
"references": ["module.cloudwatch_log_aggregation.cloudwatch_logs_permissions_json"]
},
"role": {
"references": ["var.iam_role_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.enable_cloudwatch_log_aggregation"]
}
}, {
"address": "aws_iam_role_policy.custom_cloudwatch_metrics",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "custom_cloudwatch_metrics",
"provider_config_key": "ec2_baseline:aws",
"expressions": {
"name": {
"constant_value": "custom-cloudwatch-metrics"
},
"policy": {
"references": ["module.cloudwatch_metrics.cloudwatch_metrics_read_write_permissions_json"]
},
"role": {
"references": ["var.iam_role_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.enable_cloudwatch_metrics"]
}
}, {
"address": "aws_iam_role_policy.ssh_grunt_permissions",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ssh_grunt_permissions",
"provider_config_key": "ec2_baseline:aws",
"expressions": {
"name": {
"constant_value": "ssh-grunt-permissions"
},
"policy": {
"references": ["var.external_account_ssh_grunt_role_arn", "module.ssh_grunt_policies.ssh_grunt_permissions", "module.ssh_grunt_policies.allow_access_to_other_accounts"]
},
"role": {
"references": ["var.iam_role_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.enable_ssh_grunt"]
}
}, {
"address": "data.aws_ami.existing",
"mode": "data",
"type": "aws_ami",
"name": "existing",
"provider_config_key": "ec2_baseline:aws",
"expressions": {
"most_recent": {
"constant_value": true
},
"owners": {
"references": ["var.ami_filters"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["local.use_ami_lookup"]
}
}, {
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_config_key": "ec2_baseline:aws",
"schema_version": 0
}, {
"address": "data.template_cloudinit_config.cloud_init",
"mode": "data",
"type": "template_cloudinit_config",
"name": "cloud_init",
"provider_config_key": "ec2_baseline:template",
"expressions": {
"base64_encode": {
"constant_value": true
},
"gzip": {
"constant_value": true
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.should_render_cloud_init"]
}
}],
"module_calls": {
"cloudwatch_log_aggregation": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/logs/cloudwatch-log-aggregation-iam-policy?ref=v0.24.0",
"expressions": {
"create_resources": {
"constant_value": false
},
"name_prefix": {
"references": ["var.name"]
}
},
"module": {
"outputs": {
"cloudwatch_log_aggregation_policy_arn": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_log_aggregation[0]"]
}
},
"cloudwatch_log_aggregation_policy_id": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_log_aggregation[0]"]
}
},
"cloudwatch_log_aggregation_policy_name": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_log_aggregation[0]"]
}
},
"cloudwatch_logs_permissions_json": {
"expression": {
"references": ["data.aws_iam_policy_document.cloudwatch_logs_permissions"]
}
}
},
"resources": [{
"address": "aws_iam_policy.cloudwatch_log_aggregation",
"mode": "managed",
"type": "aws_iam_policy",
"name": "cloudwatch_log_aggregation",
"provider_config_key": "cloudwatch_log_aggregation:aws",
"expressions": {
"description": {
"constant_value": "A policy that grants the ability to write data to CloudWatch Logs, which you need to use CloudWatch for log aggregation"
},
"name": {
"references": ["var.name_prefix"]
},
"policy": {
"references": ["data.aws_iam_policy_document.cloudwatch_logs_permissions"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "data.aws_iam_policy_document.cloudwatch_logs_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "cloudwatch_logs_permissions",
"provider_config_key": "cloudwatch_log_aggregation:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["arn:aws:logs:*:*:*"]
}
}]
},
"schema_version": 0
}],
"variables": {
"create_resources": {
"default": true,
"description": "If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module."
},
"name_prefix": {
"description": "A name that uniquely identifies the context in which this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies."
}
}
}
},
"cloudwatch_metrics": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/metrics/cloudwatch-custom-metrics-iam-policy?ref=v0.24.0",
"expressions": {
"create_resources": {
"constant_value": false
},
"name_prefix": {
"references": ["var.name"]
}
},
"module": {
"outputs": {
"cloudwatch_metrics_policy_arn": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_metrics_read_write[0]"]
}
},
"cloudwatch_metrics_policy_id": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_metrics_read_write[0]"]
}
},
"cloudwatch_metrics_policy_name": {
"expression": {
"references": ["var.create_resources", "aws_iam_policy.cloudwatch_metrics_read_write[0]"]
}
},
"cloudwatch_metrics_read_write_permissions_json": {
"expression": {
"references": ["data.aws_iam_policy_document.cloudwatch_metrics_read_write_permissions"]
}
}
},
"resources": [{
"address": "aws_iam_policy.cloudwatch_metrics_read_write",
"mode": "managed",
"type": "aws_iam_policy",
"name": "cloudwatch_metrics_read_write",
"provider_config_key": "cloudwatch_metrics:aws",
"expressions": {
"description": {
"constant_value": "A policy that grants the ability to read and write CloudWatch metrics data"
},
"name": {
"references": ["var.name_prefix"]
},
"policy": {
"references": ["data.aws_iam_policy_document.cloudwatch_metrics_read_write_permissions"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "data.aws_iam_policy_document.cloudwatch_metrics_read_write_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "cloudwatch_metrics_read_write_permissions",
"provider_config_key": "cloudwatch_metrics:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["cloudwatch:PutMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:DescribeTags"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}],
"variables": {
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"name_prefix": {
"description": "A name that uniquely identifies the context in which this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies."
}
}
}
},
"high_asg_cpu_usage_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/asg-cpu-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"asg_names": {
"references": ["var.asg_names"]
},
"create_resources": {
"references": ["var.enable_asg_cloudwatch_alarms"]
},
"num_asg_names": {
"references": ["var.num_asg_names"]
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.asg_high_cpu_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "asg_high_cpu_utilization",
"provider_config_key": "high_asg_cpu_usage_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.asg_names", "count.index"]
},
"alarm_name": {
"references": ["var.asg_names", "count.index"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.asg_names", "count.index"]
},
"evaluation_periods": {
"references": ["var.high_cpu_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "CPUUtilization"
},
"namespace": {
"constant_value": "AWS/EC2"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_cpu_utilization_period"]
},
"statistic": {
"references": ["var.high_cpu_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_cpu_utilization_threshold"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.num_asg_names"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ASG alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"asg_names": {
"description": "The name of the ASG"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"high_cpu_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_cpu_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the CPU utilization percentage"
},
"high_cpu_utilization_statistic": {
"default": "Average",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_cpu_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if the EC2 Instances in this ASG have a CPU utilization percentage above this threshold"
},
"num_asg_names": {
"description": "The number of names in var.asg_names. We should be able to compute this automatically, but can't due to a Terraform limitation (https://github.com/hashicorp/terraform/issues/4149)."
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
}
}
}
},
"high_asg_disk_usage_root_volume_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/asg-disk-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"asg_names": {
"references": ["var.asg_names"]
},
"create_resources": {
"references": ["var.enable_asg_cloudwatch_alarms"]
},
"file_system": {
"constant_value": "/dev/xvda1"
},
"mount_path": {
"constant_value": "/"
},
"num_asg_names": {
"references": ["var.num_asg_names"]
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.asg_high_disk_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "asg_high_disk_utilization",
"provider_config_key": "high_asg_disk_usage_root_volume_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.asg_names", "count.index"]
},
"alarm_name": {
"references": ["var.asg_names", "count.index", "var.file_system", "var.mount_path"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.asg_names", "count.index", "var.file_system", "var.mount_path"]
},
"evaluation_periods": {
"references": ["var.high_disk_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "DiskSpaceUtilization"
},
"namespace": {
"constant_value": "System/Linux"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_disk_utilization_period"]
},
"statistic": {
"references": ["var.high_disk_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_disk_utilization_threshold"]
},
"treat_missing_data": {
"references": ["var.treat_missing_data"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.num_asg_names"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ASG alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"asg_names": {
"description": "The name of the ASG"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"file_system": {
"description": "The file system being monitored (e.g. /dev/disk/foo)"
},
"high_disk_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_disk_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the disk utilization percentage"
},
"high_disk_utilization_statistic": {
"default": "Maximum",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_disk_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if the EC2 Instances in this ASG have a disk utilization percentage above this threshold"
},
"mount_path": {
"description": "The mount path of the file system being monitored (e.g. /)"
},
"num_asg_names": {
"description": "The number of names in var.asg_names. We should be able to compute this automatically, but can't due to a Terraform limitation (https://github.com/hashicorp/terraform/issues/4149)."
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
},
"treat_missing_data": {
"default": "missing",
"description": "Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://goo.gl/cxzXOV. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'."
}
}
}
},
"high_asg_memory_usage_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/asg-memory-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"asg_names": {
"references": ["var.asg_names"]
},
"create_resources": {
"references": ["var.enable_asg_cloudwatch_alarms"]
},
"num_asg_names": {
"references": ["var.num_asg_names"]
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.asg_high_memory_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "asg_high_memory_utilization",
"provider_config_key": "high_asg_memory_usage_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.asg_names", "count.index"]
},
"alarm_name": {
"references": ["var.asg_names", "count.index"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.asg_names", "count.index"]
},
"evaluation_periods": {
"references": ["var.high_memory_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "MemoryUtilization"
},
"namespace": {
"constant_value": "System/Linux"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_memory_utilization_period"]
},
"statistic": {
"references": ["var.high_memory_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_memory_utilization_threshold"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.num_asg_names"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ELB alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"asg_names": {
"description": "The name of the ASG"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"high_memory_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_memory_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the memory utilization percentage"
},
"high_memory_utilization_statistic": {
"default": "Maximum",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_memory_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if the EC2 Instances in this ASG have a memory utilization percentage above this threshold"
},
"num_asg_names": {
"description": "The number of names in var.asg_names. We should be able to compute this automatically, but can't due to a Terraform limitation (https://github.com/hashicorp/terraform/issues/4149)."
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
}
}
}
},
"high_instance_cpu_usage_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/ec2-cpu-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"create_resources": {
"references": ["var.enable_instance_cloudwatch_alarms"]
},
"instance_count": {
"constant_value": 1
},
"instance_ids": {
"references": ["var.instance_id"]
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.ec2_high_cpu_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "ec2_high_cpu_utilization",
"provider_config_key": "high_instance_cpu_usage_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.instance_ids", "count.index"]
},
"alarm_name": {
"references": ["var.instance_ids", "count.index"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.instance_ids", "count.index"]
},
"evaluation_periods": {
"references": ["var.high_cpu_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "CPUUtilization"
},
"namespace": {
"constant_value": "AWS/EC2"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_cpu_utilization_period"]
},
"statistic": {
"references": ["var.high_cpu_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_cpu_utilization_threshold"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.instance_count"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ELB alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"high_cpu_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_cpu_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the CPU utilization percentage."
},
"high_cpu_utilization_statistic": {
"default": "Average",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_cpu_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if an EC2 Instance has a CPU utilization percentage above this threshold."
},
"instance_count": {
"description": "The number of instances in var.instance_ids. This should be computable, but a Terraform bug prevents this: https://github.com/hashicorp/terraform/issues/5322."
},
"instance_ids": {
"description": "A list of EC2 Instance ids to monitor"
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
}
}
}
},
"high_instance_disk_usage_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/ec2-disk-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"create_resources": {
"references": ["var.enable_instance_cloudwatch_alarms"]
},
"file_system": {
"constant_value": "/dev/xvda1"
},
"instance_count": {
"constant_value": 1
},
"instance_ids": {
"references": ["var.instance_id"]
},
"mount_path": {
"constant_value": "/"
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.ec2_high_disk_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "ec2_high_disk_utilization",
"provider_config_key": "high_instance_disk_usage_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.instance_ids", "count.index"]
},
"alarm_name": {
"references": ["var.instance_ids", "count.index", "var.file_system", "var.mount_path"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.instance_ids", "count.index", "var.file_system", "var.mount_path"]
},
"evaluation_periods": {
"references": ["var.high_disk_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "DiskSpaceUtilization"
},
"namespace": {
"constant_value": "System/Linux"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_disk_utilization_period"]
},
"statistic": {
"references": ["var.high_disk_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_disk_utilization_threshold"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.instance_count"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ELB alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"file_system": {
"description": "The file system being monitored (e.g. /dev/disk/foo)"
},
"high_disk_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_disk_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the disk utilization percentage."
},
"high_disk_utilization_statistic": {
"default": "Maximum",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_disk_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if an EC2 Instance has a disk utilization percentage above this threshold."
},
"instance_count": {
"description": "The number of instances in var.instance_ids. This should be computable, but a Terraform bug prevents this: https://github.com/hashicorp/terraform/issues/5322."
},
"instance_ids": {
"description": "A list of EC2 Instance ids to monitor"
},
"mount_path": {
"description": "The mount path of the file system being monitored (e.g. /)"
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
}
}
}
},
"high_instance_memory_usage_alarms": {
"source": "git::git@github.com:gruntwork-io/terraform-aws-monitoring.git//modules/alarms/ec2-memory-alarms?ref=v0.24.0",
"expressions": {
"alarm_sns_topic_arns": {
"references": ["var.alarms_sns_topic_arn"]
},
"create_resources": {
"references": ["var.enable_instance_cloudwatch_alarms"]
},
"instance_count": {
"constant_value": 1
},
"instance_ids": {
"references": ["var.instance_id"]
}
},
"module": {
"resources": [{
"address": "aws_cloudwatch_metric_alarm.ec2_high_memory_utilization",
"mode": "managed",
"type": "aws_cloudwatch_metric_alarm",
"name": "ec2_high_memory_utilization",
"provider_config_key": "high_instance_memory_usage_alarms:aws",
"expressions": {
"alarm_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"alarm_description": {
"references": ["var.instance_ids", "count.index"]
},
"alarm_name": {
"references": ["var.instance_ids", "count.index"]
},
"comparison_operator": {
"constant_value": "GreaterThanThreshold"
},
"dimensions": {
"references": ["var.instance_ids", "count.index"]
},
"evaluation_periods": {
"references": ["var.high_memory_utilization_evaluation_periods"]
},
"insufficient_data_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"metric_name": {
"constant_value": "MemoryUtilization"
},
"namespace": {
"constant_value": "System/Linux"
},
"ok_actions": {
"references": ["var.alarm_sns_topic_arns"]
},
"period": {
"references": ["var.high_memory_utilization_period"]
},
"statistic": {
"references": ["var.high_memory_utilization_statistic"]
},
"tags": {
"references": ["var.tags"]
},
"threshold": {
"references": ["var.high_memory_utilization_threshold"]
},
"unit": {
"constant_value": "Percent"
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.instance_count"]
}
}],
"variables": {
"alarm_sns_topic_arns": {
"description": "A list of SNS topic ARNs to notify when the ELB alarms change to ALARM, OK, or INSUFFICIENT_DATA state"
},
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"high_memory_utilization_evaluation_periods": {
"default": 1,
"description": "The number of periods over which data is compared to the specified threshold."
},
"high_memory_utilization_period": {
"default": 300,
"description": "The period, in seconds, over which to measure the memory utilization percentage."
},
"high_memory_utilization_statistic": {
"default": "Average",
"description": "The statistic to apply to the alarm's associated metric. [SampleCount, Average, Sum, Minimum, Maximum]"
},
"high_memory_utilization_threshold": {
"default": 90,
"description": "Trigger an alarm if an EC2 Instance has a memory utilization percentage above this threshold."
},
"instance_count": {
"description": "The number of instances in var.instance_ids. This should be computable, but a Terraform bug prevents this: https://github.com/hashicorp/terraform/issues/5322."
},
"instance_ids": {
"description": "A list of EC2 Instance ids to monitor"
},
"tags": {
"default": {},
"description": "A map of tags to apply to the metric alarm. The key is the tag name and the value is the tag value."
}
}
}
},
"ssh_grunt_policies": {
"source": "git::git@github.com:gruntwork-io/module-security.git//modules/iam-policies?ref=v0.44.5",
"expressions": {
"allow_access_to_other_account_arns": {
"references": ["var.external_account_ssh_grunt_role_arn", "var.external_account_ssh_grunt_role_arn"]
},
"aws_account_id": {
"references": ["data.aws_caller_identity.current"]
},
"iam_policy_should_require_mfa": {
"constant_value": false
},
"trust_policy_should_require_mfa": {
"constant_value": false
}
},
"module": {
"outputs": {
"allow_access_from_other_accounts": {
"expression": {
"references": ["data.aws_iam_policy_document.allow_access_from_other_accounts", "data.aws_iam_policy_document.allow_access_via_saml"]
}
},
"allow_access_to_all_other_accounts": {
"expression": {
"references": ["data.aws_iam_policy_document.allow_access_to_all_other_accounts"]
}
},
"allow_access_to_other_accounts": {
"expression": {
"references": ["data.aws_iam_policy_document.allow_access_to_other_accounts"]
}
},
"allow_auto_deploy_from_other_accounts": {
"expression": {
"references": ["data.aws_iam_policy_document.allow_auto_deploy_from_other_accounts"]
}
},
"auto_deploy_permissions": {
"expression": {
"references": ["data.aws_iam_policy_document.auto_deploy_permissions"]
}
},
"billing": {
"expression": {
"references": ["data.aws_iam_policy_document.billing"]
}
},
"developers": {
"expression": {
"references": ["data.aws_iam_policy_document.developers"]
}
},
"developers_s3_bucket": {
"expression": {
"references": ["data.aws_iam_policy_document.developers_s3_bucket"]
}
},
"full_access": {
"expression": {
"references": ["data.aws_iam_policy_document.full_access"]
}
},
"houston_cli_permissions": {
"expression": {
"references": ["data.aws_iam_policy_document.houston_cli_permissions"]
}
},
"iam_admin": {
"expression": {
"references": ["data.aws_iam_policy_document.iam_admin"]
}
},
"iam_user_self_mgmt": {
"expression": {
"references": ["data.aws_iam_policy_document.iam_user_self_mgmt"]
}
},
"logs": {
"expression": {
"references": ["data.aws_iam_policy_document.logs"]
}
},
"read_only": {
"expression": {
"references": ["data.aws_iam_policy_document.read_only"]
}
},
"require_mfa_policy": {
"expression": {
"references": ["data.aws_iam_policy_document.require_mfa_policy"]
}
},
"ssh_grunt_houston_permissions": {
"expression": {
"references": ["data.aws_iam_policy_document.ssh_grunt_houston_permissions"]
}
},
"ssh_grunt_permissions": {
"expression": {
"references": ["data.aws_iam_policy_document.ssh_grunt_permissions"]
}
},
"support": {
"expression": {
"references": ["data.aws_iam_policy.AWSSupportAccess"]
}
},
"use_existing_iam_roles": {
"expression": {
"references": ["data.aws_iam_policy_document.use_existing_iam_roles"]
}
}
},
"resources": [{
"address": "data.aws_iam_policy.AWSSupportAccess",
"mode": "data",
"type": "aws_iam_policy",
"name": "AWSSupportAccess",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"arn": {
"constant_value": "arn:aws:iam::aws:policy/AWSSupportAccess"
}
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.allow_access_from_other_accounts",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_access_from_other_accounts",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"references": ["var.allow_access_from_other_account_arns"]
},
"type": {
"constant_value": "AWS"
}
}]
}]
},
"schema_version": 0,
"count_expression": {
"references": ["var.allow_access_from_saml"]
}
}, {
"address": "data.aws_iam_policy_document.allow_access_to_all_other_accounts",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_access_to_all_other_accounts",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.allow_access_to_other_account_arns"]
}
}]
},
"schema_version": 0,
"count_expression": {
"references": ["var.allow_access_to_other_account_arns"]
}
}, {
"address": "data.aws_iam_policy_document.allow_access_to_other_accounts",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_access_to_other_accounts",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole", "sts:TagSession"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["each.value"]
}
}]
},
"schema_version": 0,
"for_each_expression": {
"references": ["var.allow_access_to_other_account_arns"]
}
}, {
"address": "data.aws_iam_policy_document.allow_access_via_saml",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_access_via_saml",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRoleWithSAML"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"references": ["var.allow_access_from_saml_arns"]
},
"type": {
"constant_value": "Federated"
}
}]
}]
},
"schema_version": 0,
"count_expression": {
"references": ["var.allow_access_from_saml"]
}
}, {
"address": "data.aws_iam_policy_document.allow_auto_deploy_from_other_accounts",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "allow_auto_deploy_from_other_accounts",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole", "sts:TagSession"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"references": ["var.allow_auto_deploy_from_other_account_arns"]
},
"type": {
"constant_value": "AWS"
}
}]
}]
},
"schema_version": 0,
"count_expression": {
"references": ["var.auto_deploy_permissions", "var.allow_auto_deploy_from_other_account_arns"]
}
}, {
"address": "data.aws_iam_policy_document.auto_deploy_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "auto_deploy_permissions",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"references": ["var.auto_deploy_permissions"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0,
"count_expression": {
"references": ["var.auto_deploy_permissions"]
}
}, {
"address": "data.aws_iam_policy_document.billing",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "billing",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["aws-portal:*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "billingFullAccess"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.developers",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "developers",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"references": ["var.dev_permitted_services"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "grantFullAccessToSpecifiedServices"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.developers_s3_bucket",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "developers_s3_bucket",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["s3:*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.dev_s3_bucket_prefix", "var.dev_s3_bucket_prefix"]
},
"sid": {
"constant_value": "personalS3FolderFullRights"
}
}, {
"actions": {
"constant_value": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "listPersonalS3FoldersInAWSConsole"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.full_access",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "full_access",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "fullAccess"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.houston_cli_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "houston_cli_permissions",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["execute-api:Invoke"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage", "var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage", "var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage", "var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage", "var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.iam_admin",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "iam_admin",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["iam:*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "iamAdmin"
}
}, {
"actions": {
"constant_value": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListUsers", "iam:ListVirtualMFADevices"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "IamUserSelfManagementPermissionsThatDontRequireMFA"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.iam_user_self_mgmt",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "iam_user_self_mgmt",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:DeactivateMFADevice", "iam:DeleteAccessKey", "iam:DeleteLoginProfile", "iam:DeleteSSHPublicKey", "iam:DeleteVirtualMFADevice", "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*", "iam:ResyncMFADevice", "iam:UpdateAccessKey", "iam:UpdateLoginProfile", "iam:UpdateSSHPublicKey", "iam:UpdateUser", "iam:UploadSigningCertificate", "iam:UploadSSHPublicKey"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.aws_account_id", "var.aws_account_id"]
},
"sid": {
"constant_value": "iamUserSelfManagement"
}
}, {
"actions": {
"constant_value": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.aws_account_id", "var.aws_account_id"]
},
"sid": {
"constant_value": "IamUserSelfManagementPermissionsThatDontRequireMFA"
}
}, {
"actions": {
"constant_value": ["iam:ListUsers", "iam:ListVirtualMFADevices"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "MoreIamUserSelfManagementPermissionsThatDontRequireMFA"
}
}, {
"actions": {
"constant_value": ["iam:GetAccountPasswordPolicy", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetServiceLastAccessedDetails", "iam:ListAttachedGroupPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroups", "iam:ListGroupPolicies", "iam:ListPolicyVersions"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "iamUserSelfManagementSupport"
}
}, {
"actions": {
"constant_value": ["iam:ListUsers"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "listAllIamUsers"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.logs",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "logs",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:List*", "cloudtrail:Lookup*", "config:BatchGet*", "config:Deliver*", "config:Describe*", "config:Get*", "config:List*", "config:Select*", "logs:Describe*", "logs:Filter*", "logs:Get*", "logs:List*", "logs:StartQuery", "logs:StopQuery", "tag:Get*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "readLogs"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.read_only",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "read_only",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate", "apigateway:GET", "application-autoscaling:Describe*", "appstream:Get*", "autoscaling:Describe*", "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*", "cloudfront:Get*", "cloudfront:List*", "cloudsearch:Describe*", "cloudsearch:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:ListPublicKeys", "cloudtrail:ListTags", "cloudtrail:LookupEvents", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "codecommit:BatchGetRepositories", "codecommit:Get*", "codecommit:GitPull", "codecommit:List*", "codedeploy:Batch*", "codedeploy:Get*", "codedeploy:List*", "config:Deliver*", "config:Describe*", "config:Get*", "config:List*", "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetAccountLimits", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition", "directconnect:Describe*", "dms:Describe*", "dms:List*", "ds:Check*", "ds:Describe*", "ds:Get*", "ds:List*", "ds:Verify*", "dynamodb:BatchGetItem", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:ListTables", "dynamodb:Query", "dynamodb:Scan", "ec2:Describe*", "ec2:GetConsoleOutput", "ec2:GetConsoleScreenshot", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:Describe*", "ecr:Get*", "ecr:List*", "ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*", "elasticache:Describe*", "elasticache:List*", "elasticbeanstalk:Check*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticbeanstalk:RequestEnvironmentInfo", "elasticbeanstalk:RetrieveEnvironmentInfo", "elasticfilesystem:Describe*", "elasticloadbalancing:Describe*", "elasticmapreduce:Describe*", "elasticmapreduce:List*", "elastictranscoder:List*", "elastictranscoder:Read*", 
"es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomainConfig", "es:DescribeElasticsearchDomains", "es:ESHttpGet", "es:ESHttpHead", "es:ListDomainNames", "es:ListTags", "events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule", "events:TestEventPattern", "firehose:Describe*", "firehose:List*", "glacier:DescribeJob", "glacier:DescribeVault", "glacier:GetDataRetrievalPolicy", "glacier:GetJobOutput", "glacier:GetVaultAccessPolicy", "glacier:GetVaultLock", "glacier:GetVaultNotifications", "glacier:ListJobs", "glacier:ListMultipartUploads", "glacier:ListParts", "glacier:ListTagsForVault", "glacier:ListVaults", "health:Describe*", "health:Get*", "health:List*", "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*", "inspector:Describe*", "inspector:Get*", "inspector:List*", "inspector:LocalizeText", "inspector:PreviewAgentsForResourceGroup", "iot:Describe*", "iot:Get*", "iot:List*", "kinesis:Describe*", "kinesis:Get*", "kinesis:List*", "kinesisanalytics:DescribeApplication", "kinesisanalytics:DiscoverInputSchema", "kinesisanalytics:GetApplicationState", "kinesisanalytics:ListApplications", "kms:Describe*", "kms:Get*", "kms:List*", "lambda:Get*", "lambda:List*", "logs:Describe*", "logs:FilterLogEvents", "logs:Get*", "logs:TestMetricFilter", "machinelearning:Describe*", "machinelearning:Get*", "mobilehub:GetProject", "mobilehub:ListAvailableFeatures", "mobilehub:ListAvailableRegions", "mobilehub:ListProjects", "mobilehub:ValidateProject", "mobilehub:VerifyServiceRole", "opsworks:Describe*", "opsworks:Get*", "pi:Get*", "pi:Describe*", "rds:Describe*", "rds:ListTagsForResource", "rds:Download*", "redshift:Describe*", "redshift:ViewQueriesInConsole", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "route53:Get*", "route53:List*", "route53domains:CheckDomainAvailability", "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", 
"route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "s3:Get*", "s3:List*", "sdb:GetAttributes", "sdb:List*", "sdb:Select*", "ses:Get*", "ses:List*", "sns:Get*", "sns:List*", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage", "ssm:Describe*", "ssm:Get*", "ssm:List*", "states:Describe*", "states:Get*", "states:List*", "storagegateway:Describe*", "storagegateway:List*", "swf:Count*", "swf:Describe*", "swf:Get*", "swf:List*", "tag:Get*", "trustedadvisor:Describe*", "waf:Get*", "waf:List*", "workspaces:Describe*"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "readOnlyForEverything"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.require_mfa_policy",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "require_mfa_policy",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["iam:ListVirtualMFADevices"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "AllowViewAccountInfo"
}
}, {
"actions": {
"constant_value": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.aws_account_id"]
},
"sid": {
"constant_value": "AllowManageOwnVirtualMFADevice"
}
}, {
"actions": {
"constant_value": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.aws_account_id", "var.aws_account_id"]
},
"sid": {
"constant_value": "AllowManageOwnUserMFA"
}
}, {
"condition": [{
"test": {
"constant_value": "Bool"
},
"values": {
"constant_value": ["false"]
},
"variable": {
"constant_value": "aws:MultiFactorAuthPresent"
}
}],
"effect": {
"constant_value": "Deny"
},
"not_actions": {
"constant_value": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"]
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "DenyAllExceptListedIfNoMFA"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ssh_grunt_houston_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ssh_grunt_houston_permissions",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["execute-api:Invoke"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["var.houston_region", "var.aws_account_id", "var.houston_users_api_id", "var.houston_stage", "var.houston_path"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ssh_grunt_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ssh_grunt_permissions",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["iam:GetGroup", "iam:ListSSHPublicKeys", "iam:GetSSHPublicKey"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.use_existing_iam_roles",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "use_existing_iam_roles",
"provider_config_key": "ssh_grunt_policies:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["iam:GetInstanceProfile", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListInstanceProfiles", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListPolicies", "iam:ListPolicyVersions", "iam:ListRoles", "iam:ListRolePolicies", "iam:PassRole"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "useExistingIamRolesOnly"
}
}]
},
"schema_version": 0
}],
"variables": {
"allow_access_from_other_account_arns": {
"default": [],
"description": "A list of IAM ARNs from other AWS accounts that will be allowed to access this account."
},
"allow_access_from_saml": {
"default": false,
"description": "A flag to indicate if access will be delegated to SAML providers. The ARNs of the specific IdPs to trust are specified through the allow_access_from_saml_arns variable below. "
},
"allow_access_from_saml_arns": {
"default": [],
"description": "A list of IAM Identity Provider ARNs that access to this account will be delegated to. This variable is only used if allow_access_from_saml is true."
},
"allow_access_to_other_account_arns": {
"default": {},
"description": "A map of lists of IAM roles in other accounts that IAM users in this account should be able to assume. Use group names as keys, and a corresponding list of roles for that group as the value. One IAM policy allowing sts:AssumeRole will be created for each key. If the corresponding list has more than one ARN, the policy will be created with AssumeRole permission for each ARN in the list."
},
"allow_auto_deploy_from_other_account_arns": {
"default": [],
"description": "A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in var.auto_deploy_permissions."
},
"auto_deploy_permissions": {
"default": [],
"description": "A list of IAM permissions (e.g. ec2:*) which will be granted for automated deployment."
},
"aws_account_id": {
"description": "The ID of the AWS Account."
},
"cloudtrail_kms_key_arn": {
"default": null,
"description": "The ARN of a KMS CMK used to encrypt CloudTrail logs. If set, the logs policy will include permissions to decrypt using this CMK."
},
"dev_permitted_services": {
"default": [],
"description": "A list of AWS services for which the developers will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value [\"ec2\",\"machinelearning\"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access."
},
"dev_s3_bucket_prefix": {
"default": "your-org-name.user-",
"description": "The prefix of the S3 Bucket Name to which an individual IAM User will have full access. For example, if the prefix is acme.user-, then IAM User john.doe will have access to S3 Bucket acme.user-john.doe."
},
"houston_path": {
"default": "*",
"description": "The path to allow requests to in the Houston API."
},
"houston_region": {
"default": "*",
"description": "The AWS region where Houston is deployed (e.g., us-east-1)."
},
"houston_stage": {
"default": "*",
"description": "The API Gateway stage to use for Houston."
},
"houston_users_api_id": {
"default": "*",
"description": "The ID API Gateway has assigned to the Houston API."
},
"iam_policy_should_require_mfa": {
"default": true,
"description": "If set to true, all the Policies created by this module that are used to grant IAM permissions will require an MFA Token to be present. Use var.trust_policy_should_require_mfa to require MFA for IAM Role Trust Policies."
},
"trust_policy_should_require_mfa": {
"default": true,
"description": "If set to true, all the Policies created by this module that are used as Trust Policies for IAM Roles (those that allow sts:AssumeRole) will require an MFA Token to be present to assume that IAM Role. Use var.iam_policy_should_require_mfa to require MFA for all other types of Policies."
}
}
}
}
},
"variables": {
"alarms_sns_topic_arn": {
"default": [],
"description": "The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Required if enable_cloudwatch_alarms is true."
},
"ami": {
"default": null,
"description": "The ID of an AMI to use for deploying servers. This provides a convenience function for choosing between looking up an AMI with filters, or returning a hard coded AMI ID. Used if var.ami_filters is null."
},
"ami_filters": {
"default": null,
"description": "Properties on the AMI that can be used to look up a prebuilt AMI."
},
"asg_names": {
"default": [],
"description": "The list of names of the autoscaling group to use when setting up CloudWatch alarms. Required if enable_asg_cloudwatch_alarms is true."
},
"cloud_init_parts": {
"default": {},
"description": "Cloud init scripts to run on the host while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax."
},
"enable_asg_cloudwatch_alarms": {
"default": false,
"description": "Set to true to enable basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. Use this for an autoscaling group, and use enable_instance_cloudwatch_alarms for an instance. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn."
},
"enable_cloudwatch_log_aggregation": {
"default": true,
"description": "Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch."
},
"enable_cloudwatch_metrics": {
"default": true,
"description": "Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/metrics/cloudwatch-memory-disk-metrics-scripts to get memory and disk metrics in CloudWatch for your host."
},
"enable_instance_cloudwatch_alarms": {
"default": false,
"description": "Set to true to enable basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. Use this for an instance, and use enable_asg_cloudwatch_alarms for an ASG. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn."
},
"enable_ssh_grunt": {
"default": true,
"description": "Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/module-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups."
},
"external_account_ssh_grunt_role_arn": {
"default": "",
"description": "If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain)."
},
"iam_role_name": {
"default": "",
"description": "The name of an IAM role to use for the various IAM policies created in this module, including ssh-grunt permissions, CloudWatch Metrics, and CloudWatch Logs. This variable is required if any of the following variables are true: enable_ssh_grunt, enable_cloudwatch_metrics, enable_cloudwatch_log_aggregation."
},
"instance_id": {
"default": "",
"description": "The ID of the instance to use when setting up CloudWatch alarms. Required if enable_instance_cloudwatch_alarms is true."
},
"name": {
"description": "A name to apply to the resources created by this template."
},
"num_asg_names": {
"default": 0,
"description": "The number of names in var.asg_names. We should be able to compute this automatically, but can't due to a Terraform limitation (https://github.com/hashicorp/terraform/issues/4149)."
},
"should_render_cloud_init": {
"default": true,
"description": "If true, combine the parts in var.cloud_init_parts using a template_cloudinit_config data source and provide the rendered result as an output. If false, no output will be rendered. If true, cloud_init_parts is required. Defaults to true."
}
}
}
},
"ecs_deploy_runner": {
"source": "git::git@github.com:gruntwork-io/module-ci.git//modules/ecs-deploy-runner?ref=v0.29.5",
"expressions": {
"container_cpu": {
"references": ["var.container_cpu"]
},
"container_default_launch_type": {
"references": ["var.container_default_launch_type"]
},
"container_images": {
"references": ["module.standard_config.container_images"]
},
"container_max_cpu": {
"references": ["var.container_max_cpu"]
},
"container_max_memory": {
"references": ["var.container_max_memory"]
},
"container_memory": {
"references": ["var.container_memory"]
},
"ec2_worker_pool_configuration": {
"references": ["local.ec2_worker_pool_configuration"]
},
"name": {
"references": ["var.name"]
},
"vpc_id": {
"references": ["var.vpc_id"]
},
"vpc_subnet_ids": {
"references": ["var.private_subnet_ids"]
}
},
"module": {
"outputs": {
"cloudwatch_log_group_name": {
"expression": {
"references": ["local.cloudwatch_log_group_name"]
},
"description": "Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task."
},
"default_ecs_task_arn": {
"expression": {
"references": ["local.default_ecs_task_arn"]
},
"description": "AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly."
},
"ecs_cluster_arn": {
"expression": {
"references": ["local.ecs_cluster_arn"]
},
"description": "AWS ARN of the ECS Cluster that can be used to run the deploy runner task."
},
"ecs_ec2_worker_asg_name": {
"expression": {
"references": ["module.ec2_ecs_cluster.ecs_cluster_asg_name"]
},
"description": "Name of the Autoscaling Group associated with the EC2 worker pool of the ECS Cluster that can be used to run the deploy runner task."
},
"ecs_ec2_worker_iam_role": {
"expression": {
"references": ["module.ec2_ecs_cluster.ecs_instance_iam_role_name", "module.ec2_ecs_cluster.ecs_instance_iam_role_arn"]
},
"description": "AWS ARN and name of the IAM role associated with the EC2 worker pool of the ECS Cluster that can be used to run the deploy runner task."
},
"ecs_task_arns": {
"expression": {
"references": ["aws_ecs_task_definition.runner"]
},
"description": "Map of AWS ARNs of the ECS Task Definition. Each entry corresponds to an entry in the var.container_images input map, with the keys aligned."
},
"ecs_task_execution_role_arn": {
"expression": {
"references": ["aws_iam_role.ecs_task_execution_role"]
},
"description": "ECS Task execution role ARN"
},
"ecs_task_families": {
"expression": {
"references": ["aws_ecs_task_definition.runner"]
},
"description": "Map of the families of the ECS Task Definition that is currently live. Each entry corresponds to an entry in the var.container_images input map, with the keys aligned."
},
"ecs_task_iam_roles": {
"expression": {
"references": ["aws_iam_role.ecs_task"]
},
"description": "Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role, and each entry in this map corresponds to an entry in the var.container_images input map, with the keys aligned."
},
"ecs_task_revisions": {
"expression": {
"references": ["aws_ecs_task_definition.runner"]
},
"description": "Map of the current revision of the ECS Task Definition that is live. Each entry corresponds to an entry in the var.container_images input map, with the keys aligned."
},
"invoker_function_arn": {
"expression": {
"references": ["module.deploy_runner_invoker_lambda.function_arn"]
},
"description": "AWS ARN of the invoker lambda function that can be used to invoke a deployment."
},
"security_group_allow_all_outbound_id": {
"expression": {
"references": ["aws_security_group.allow_all_outbound"]
},
"description": "Security Group ID of the ECS task"
}
},
"resources": [{
"address": "aws_ecs_cluster.fargate_cluster",
"mode": "managed",
"type": "aws_ecs_cluster",
"name": "fargate_cluster",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"name": {
"references": ["var.name"]
},
"tags": {
"references": ["var.custom_tags"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.ec2_worker_pool_configuration"]
}
}, {
"address": "aws_ecs_task_definition.runner",
"mode": "managed",
"type": "aws_ecs_task_definition",
"name": "runner",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"container_definitions": {
"references": ["each.key", "each.value", "each.value", "each.value", "data.aws_region.current", "local.cloudwatch_log_group_name", "local.cloudwatch_log_prefix", "each.value", "var.repository_credentials_secrets_manager_arn", "var.repository_credentials_secrets_manager_arn"]
},
"cpu": {
"references": ["var.container_cpu"]
},
"execution_role_arn": {
"references": ["aws_iam_role.ecs_task_execution_role"]
},
"family": {
"references": ["var.name", "each.key"]
},
"memory": {
"references": ["var.container_memory"]
},
"network_mode": {
"constant_value": "awsvpc"
},
"requires_compatibilities": {
"constant_value": ["FARGATE", "EC2"]
},
"tags": {
"references": ["var.custom_tags"]
},
"task_role_arn": {
"references": ["aws_iam_role.ecs_task", "each.key"]
}
},
"schema_version": 1,
"for_each_expression": {
"references": ["var.container_images"]
}
}, {
"address": "aws_iam_role.ecs_task",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task",
"provider_config_key": "ecs_deploy_runner:aws",
"provisioners": [{
"type": "local-exec",
"expressions": {
"command": {
"constant_value": "echo 'Sleeping for 15 seconds to wait for IAM role to be created'; sleep 15"
}
}
}],
"expressions": {
"assume_role_policy": {
"references": ["data.aws_iam_policy_document.ecs_task"]
},
"name": {
"references": ["var.name", "each.key"]
},
"tags": {
"references": ["var.custom_tags"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["var.container_images"]
}
}, {
"address": "aws_iam_role.ecs_task_execution_role",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs_task_execution_role",
"provider_config_key": "ecs_deploy_runner:aws",
"provisioners": [{
"type": "local-exec",
"expressions": {
"command": {
"constant_value": "echo 'Sleeping for 15 seconds to wait for IAM role to be created'; sleep 15"
}
}
}],
"expressions": {
"assume_role_policy": {
"references": ["data.aws_iam_policy_document.ecs_task"]
},
"name": {
"references": ["var.name"]
},
"tags": {
"references": ["var.custom_tags"]
}
},
"schema_version": 0
}, {
"address": "aws_iam_role_policy.ecs_task_execution_policy",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_execution_policy",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"name": {
"references": ["var.name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.ecs_task_execution_policy_document"]
},
"role": {
"references": ["aws_iam_role.ecs_task_execution_role"]
}
},
"schema_version": 0
}, {
"address": "aws_iam_role_policy.ecs_task_secrets_manager_read_policy",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs_task_secrets_manager_read_policy",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"name": {
"constant_value": "read-secrets-manager-entries"
},
"policy": {
"references": ["data.aws_iam_policy_document.ecs_task_read_secrets_manager", "each.key"]
},
"role": {
"references": ["aws_iam_role.ecs_task", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.containers_with_additional_secrets_manager_arns"]
}
}, {
"address": "aws_iam_role_policy.invoke_deploy_runner",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "invoke_deploy_runner",
"provider_config_key": "ecs_deploy_runner:aws",
"provisioners": [{
"type": "local-exec",
"expressions": {
"command": {
"constant_value": "echo 'Sleeping for 30 seconds to wait for IAM role to be created'; sleep 30"
}
}
}],
"expressions": {
"name": {
"references": ["var.name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.invoke_deploy_runner"]
},
"role": {
"references": ["module.deploy_runner_invoker_lambda.iam_role_id"]
}
},
"schema_version": 0
}, {
"address": "aws_security_group.allow_all_outbound",
"mode": "managed",
"type": "aws_security_group",
"name": "allow_all_outbound",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"description": {
"constant_value": "Allow all outbound traffic"
},
"name": {
"constant_value": "allow_all_outbound"
},
"tags": {
"references": ["var.custom_tags"]
},
"vpc_id": {
"references": ["var.vpc_id"]
}
},
"schema_version": 1
}, {
"address": "aws_security_group_rule.allow_all_outbound",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"cidr_blocks": {
"constant_value": ["0.0.0.0/0"]
},
"from_port": {
"constant_value": 0
},
"protocol": {
"constant_value": -1
},
"security_group_id": {
"references": ["aws_security_group.allow_all_outbound"]
},
"to_port": {
"constant_value": 0
},
"type": {
"constant_value": "egress"
}
},
"schema_version": 2
}, {
"address": "aws_security_group_rule.allow_all_outbound_lambda",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_all_outbound_lambda",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"cidr_blocks": {
"constant_value": ["0.0.0.0/0"]
},
"from_port": {
"constant_value": 0
},
"protocol": {
"constant_value": -1
},
"security_group_id": {
"references": ["module.deploy_runner_invoker_lambda.security_group_id"]
},
"to_port": {
"constant_value": 0
},
"type": {
"constant_value": "egress"
}
},
"schema_version": 2
}, {
"address": "null_resource.task_definition_arns",
"mode": "managed",
"type": "null_resource",
"name": "task_definition_arns",
"provider_config_key": "ecs_deploy_runner:null",
"expressions": {
"triggers": {
"references": ["aws_ecs_task_definition.runner"]
}
},
"schema_version": 0
}, {
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_config_key": "ecs_deploy_runner:aws",
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ecs_task",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"constant_value": ["ecs-tasks.amazonaws.com"]
},
"type": {
"constant_value": "Service"
}
}]
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ecs_task_execution_policy_document",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task_execution_policy_document",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ecs_task_read_secrets_manager",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_task_read_secrets_manager",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["secretsmanager:GetSecretValue"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"references": ["each.value"]
}
}]
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.containers_with_additional_secrets_manager_arns"]
}
}, {
"address": "data.aws_iam_policy_document.invoke_deploy_runner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_deploy_runner",
"provider_config_key": "ecs_deploy_runner:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["ecs:RunTask"]
},
"resources": {
"references": ["null_resource.task_definition_arns"]
}
}, {
"actions": {
"constant_value": ["iam:PassRole", "iam:GetRole"]
},
"resources": {
"references": ["aws_iam_role.ecs_task_execution_role", "aws_iam_role.ecs_task"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_config_key": "ecs_deploy_runner:aws",
"schema_version": 0
}],
"module_calls": {
"deploy_runner_invoker_lambda": {
"source": "git::git@github.com:gruntwork-io/package-lambda.git//modules/lambda?ref=v0.8.1",
"expressions": {
"description": {
"constant_value": "A lambda function that provides a restricted interface to invoke the ECS deploy runner task"
},
"environment_variables": {
"references": ["local.ecs_cluster_arn", "local.default_container_name", "aws_ecs_task_definition.runner", "var.container_images", "var.vpc_subnet_ids", "aws_security_group.allow_all_outbound", "local.cloudwatch_log_group_name", "local.cloudwatch_log_prefix", "var.container_max_cpu", "var.container_max_memory", "var.container_default_launch_type"]
},
"handler": {
"constant_value": "invoker.index.handler"
},
"memory_size": {
"constant_value": 128
},
"name": {
"references": ["var.name"]
},
"run_in_vpc": {
"constant_value": true
},
"runtime": {
"constant_value": "python3.8"
},
"source_path": {
"references": ["path.module"]
},
"subnet_ids": {
"references": ["var.vpc_subnet_ids"]
},
"tags": {
"references": ["var.custom_tags"]
},
"timeout": {
"constant_value": 150
},
"vpc_id": {
"references": ["var.vpc_id"]
}
},
"module": {
"outputs": {
"function_arn": {
"expression": {
"references": ["aws_lambda_function.function"]
}
},
"function_name": {
"expression": {
"references": ["aws_lambda_function.function"]
}
},
"iam_role_arn": {
"expression": {
"references": ["aws_iam_role.lambda"]
}
},
"iam_role_id": {
"expression": {
"references": ["aws_iam_role.lambda"]
}
},
"invoke_arn": {
"expression": {
"references": ["aws_lambda_function.function"]
}
},
"qualified_arn": {
"expression": {
"references": ["aws_lambda_function.function"]
}
},
"security_group_id": {
"expression": {
"references": ["aws_security_group.lambda"]
}
},
"version": {
"expression": {
"references": ["aws_lambda_function.function"]
}
}
},
"resources": [{
"address": "aws_iam_role.lambda",
"mode": "managed",
"type": "aws_iam_role",
"name": "lambda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"assume_role_policy": {
"references": ["data.aws_iam_policy_document.lambda_role"]
},
"name": {
"references": ["var.name"]
},
"permissions_boundary": {
"references": ["var.lambda_role_permissions_boundary_arn"]
},
"tags": {
"references": ["var.tags"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_role_policy.logging_for_lambda",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "logging_for_lambda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"name": {
"references": ["var.name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.logging_for_lambda"]
},
"role": {
"references": ["var.create_resources", "aws_iam_role.lambda[0]"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_role_policy.network_interfaces_for_lamda",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "network_interfaces_for_lamda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"name": {
"references": ["var.name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.network_interfaces_for_lamda"]
},
"role": {
"references": ["var.create_resources", "aws_iam_role.lambda[0]"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources", "var.run_in_vpc"]
}
}, {
"address": "aws_lambda_function.function",
"mode": "managed",
"type": "aws_lambda_function",
"name": "function",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"description": {
"references": ["var.description"]
},
"environment": [{
"variables": {
"references": ["var.environment_variables"]
}
}],
"filename": {
"references": ["var.source_path", "local.zip_file_path"]
},
"function_name": {
"references": ["var.name"]
},
"handler": {
"references": ["var.handler"]
},
"kms_key_arn": {
"references": ["var.kms_key_arn"]
},
"layers": {
"references": ["var.layers"]
},
"memory_size": {
"references": ["var.memory_size"]
},
"publish": {
"references": ["var.enable_versioning"]
},
"reserved_concurrent_executions": {
"references": ["var.reserved_concurrent_executions"]
},
"role": {
"references": ["var.create_resources", "aws_iam_role.lambda[0]"]
},
"runtime": {
"references": ["var.runtime"]
},
"s3_bucket": {
"references": ["var.source_path", "var.s3_bucket"]
},
"s3_key": {
"references": ["var.source_path", "var.s3_key"]
},
"s3_object_version": {
"references": ["var.source_path", "var.s3_object_version"]
},
"source_code_hash": {
"references": ["var.source_path", "local.source_code_hash"]
},
"tags": {
"references": ["var.tags"]
},
"timeout": {
"references": ["var.timeout"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
},
"depends_on": ["aws_iam_role_policy.network_interfaces_for_lamda"]
}, {
"address": "aws_security_group.lambda",
"mode": "managed",
"type": "aws_security_group",
"name": "lambda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"description": {
"references": ["var.name"]
},
"name": {
"references": ["var.name"]
},
"tags": {
"references": ["var.tags"]
},
"vpc_id": {
"references": ["var.vpc_id"]
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources", "var.run_in_vpc"]
}
}, {
"address": "data.archive_file.source_code",
"mode": "data",
"type": "archive_file",
"name": "source_code",
"provider_config_key": "deploy_runner_invoker_lambda:archive",
"expressions": {
"output_path": {
"references": ["var.zip_output_path", "path.module", "var.name", "var.zip_output_path"]
},
"source_dir": {
"references": ["var.source_path"]
},
"type": {
"constant_value": "zip"
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources", "var.skip_zip", "var.source_path"]
}
}, {
"address": "data.aws_iam_policy_document.lambda_role",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "lambda_role",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"constant_value": ["lambda.amazonaws.com"]
},
"type": {
"constant_value": "Service"
}
}]
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.logging_for_lambda",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "logging_for_lambda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["arn:aws:logs:*:*:*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.network_interfaces_for_lamda",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "network_interfaces_for_lamda",
"provider_config_key": "deploy_runner_invoker_lambda:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface", "ec2:DetachNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ResetNetworkInterfaceAttribute"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.template_file.hash_from_source_code_zip",
"mode": "data",
"type": "template_file",
"name": "hash_from_source_code_zip",
"provider_config_key": "deploy_runner_invoker_lambda:template",
"expressions": {
"template": {
"references": ["var.source_path"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources", "var.skip_zip"]
}
}],
"variables": {
"create_resources": {
"default": true,
"description": "Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not."
},
"dead_letter_target_arn": {
"default": null,
"description": "The ARN of an SNS topic or an SQS queue to notify when invocation of a Lambda function fails. If this option is used, you must grant this function's IAM role (the ID is outputted as iam_role_id) access to write to the target object, which means allowing either the sns:Publish or sqs:SendMessage action on this ARN, depending on which service is targeted."
},
"description": {
"default": null,
"description": "A description of what the Lambda function does."
},
"enable_versioning": {
"default": false,
"description": "Set to true to enable versioning for this Lambda function. This allows you to use aliases to refer to and execute different versions of the function in different environments. Note that an alternative way to run Lambda functions in multiple environments is to version your Terraform code."
},
"environment_variables": {
"default": {
"EnvVarPlaceHolder": "Placeholder"
},
"description": "A map of environment variables to pass to the Lambda function. AWS will automatically encrypt these with KMS and decrypt them when running the function."
},
"handler": {
"description": "The function entrypoint in your code. This is typically the name of a function or method in your code that AWS will execute when this Lambda function is triggered."
},
"kms_key_arn": {
"default": null,
"description": "A custom KMS key to use to encrypt and decrypt Lambda function environment variables. Leave it blank to use the default KMS key provided in your AWS account."
},
"lambda_role_permissions_boundary_arn": {
"default": null,
"description": "The ARN of the policy that is used to set the permissions boundary for the IAM role for the lambda"
},
"layers": {
"default": [],
"description": "The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can have a maximum of 5 Layers attached to each function."
},
"memory_size": {
"description": "The maximum amount of memory, in MB, your Lambda function will be able to use at runtime. Can be set in 64MB increments from 128MB up to 1536MB. Note that the amount of CPU power given to a Lambda function is proportional to the amount of memory you request, so a Lambda function with 256MB of memory has twice as much CPU power as one with 128MB."
},
"name": {
"description": "The name of the Lambda function. Used to namespace all resources created by this module."
},
"reserved_concurrent_executions": {
"default": null,
"description": "The amount of reserved concurrent executions for this lambda function or -1 if unreserved."
},
"run_in_vpc": {
"default": false,
"description": "Set to true to give your Lambda function access to resources within a VPC."
},
"runtime": {
"description": "The runtime environment for the Lambda function (e.g. nodejs, python2.7, java8). See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for all possible values."
},
"s3_bucket": {
"default": null,
"description": "An S3 bucket location containing the function's deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified."
},
"s3_key": {
"default": null,
"description": "The path within var.s3_bucket where the deployment package is located. Exactly one of var.source_path or the var.s3_xxx variables must be specified."
},
"s3_object_version": {
"default": null,
"description": "The version of the path in var.s3_key to use as the deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified."
},
"skip_zip": {
"default": false,
"description": "Set to true to skip zip archive creation and assume that var.source_path points to a pregenerated zip archive."
},
"source_path": {
"default": null,
"description": "The path to the directory that contains your Lambda function source code. This code will be zipped up and uploaded to Lambda as your deployment package. If var.skip_zip is set to true, then this is assumed to be the path to an already-zipped file, and it will be uploaded directly to Lambda as a deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified."
},
"subnet_ids": {
"default": [],
"description": "A list of subnet IDs the Lambda function should be able to access within your VPC. Only used if var.run_in_vpc is true."
},
"tags": {
"default": {},
"description": "A map of tags to apply to the Lambda function."
},
"timeout": {
"description": "The maximum amount of time, in seconds, your Lambda function will be allowed to run. Must be between 1 and 300 seconds."
},
"vpc_id": {
"default": null,
"description": "The ID of the VPC the Lambda function should be able to access. Only used if var.run_in_vpc is true."
},
"zip_output_path": {
"default": null,
"description": "The path to store the output zip file of your source code. If empty, defaults to module path. This should be the full path to the zip file, not a directory."
}
}
}
},
"ec2_ecs_cluster": {
"source": "git::git@github.com:gruntwork-io/module-ecs.git//modules/ecs-cluster?ref=v0.21.0",
"expressions": {
"cluster_instance_ami": {
"references": ["local.non_null_worker_config"]
},
"cluster_instance_keypair_name": {
"constant_value": null
},
"cluster_instance_type": {
"references": ["local.non_null_worker_config"]
},
"cluster_instance_user_data": {
"references": ["local.non_null_worker_config"]
},
"cluster_instance_user_data_base64": {
"references": ["local.non_null_worker_config"]
},
"cluster_max_size": {
"references": ["local.non_null_worker_config"]
},
"cluster_min_size": {
"references": ["local.non_null_worker_config"]
},
"cluster_name": {
"references": ["var.name"]
},
"create_resources": {
"references": ["var.ec2_worker_pool_configuration"]
},
"custom_tags_ec2_instances": {
"references": ["var.custom_tags"]
},
"custom_tags_security_group": {
"references": ["var.custom_tags"]
},
"vpc_id": {
"references": ["var.vpc_id"]
},
"vpc_subnet_ids": {
"references": ["var.vpc_subnet_ids"]
}
},
"module": {
"outputs": {
"ecs_cluster_arn": {
"expression": {
"references": ["var.create_resources", "aws_ecs_cluster.ecs[0]"]
},
"depends_on": ["aws_autoscaling_group.ecs"]
},
"ecs_cluster_asg_name": {
"expression": {
"references": ["var.create_resources", "aws_autoscaling_group.ecs[0]"]
}
},
"ecs_cluster_launch_configuration_id": {
"expression": {
"references": ["var.create_resources", "aws_launch_configuration.ecs[0]"]
}
},
"ecs_cluster_name": {
"expression": {
"references": ["var.create_resources", "aws_ecs_cluster.ecs[0]"]
},
"depends_on": ["aws_autoscaling_group.ecs"]
},
"ecs_instance_iam_role_arn": {
"expression": {
"references": ["var.create_resources", "aws_iam_role.ecs[0]"]
}
},
"ecs_instance_iam_role_id": {
"expression": {
"references": ["var.create_resources", "aws_iam_role.ecs[0]"]
}
},
"ecs_instance_iam_role_name": {
"expression": {
"references": ["var.create_resources", "aws_iam_role.ecs[0]"]
}
},
"ecs_instance_security_group_id": {
"expression": {
"references": ["var.create_resources", "aws_security_group.ecs[0]"]
}
}
},
"resources": [{
"address": "aws_autoscaling_group.ecs",
"mode": "managed",
"type": "aws_autoscaling_group",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"launch_configuration": {
"references": ["aws_launch_configuration.ecs[0]"]
},
"max_size": {
"references": ["var.cluster_max_size"]
},
"min_size": {
"references": ["var.cluster_min_size"]
},
"name": {
"references": ["var.cluster_name"]
},
"protect_from_scale_in": {
"references": ["var.autoscaling_termination_protection"]
},
"termination_policies": {
"references": ["var.termination_policies"]
},
"vpc_zone_identifier": {
"references": ["var.vpc_subnet_ids"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_ecs_capacity_provider.capacity_provider",
"mode": "managed",
"type": "aws_ecs_capacity_provider",
"name": "capacity_provider",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"auto_scaling_group_provider": [{
"auto_scaling_group_arn": {
"references": ["aws_autoscaling_group.ecs[0]"]
},
"managed_scaling": [{
"maximum_scaling_step_size": {
"references": ["var.capacity_provider_max_scale_step"]
},
"minimum_scaling_step_size": {
"references": ["var.capacity_provider_min_scale_step"]
},
"status": {
"constant_value": "ENABLED"
},
"target_capacity": {
"references": ["var.capacity_provider_target"]
}
}],
"managed_termination_protection": {
"references": ["var.autoscaling_termination_protection"]
}
}],
"name": {
"references": ["var.cluster_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources", "var.capacity_provider_enabled"]
}
}, {
"address": "aws_ecs_cluster.ecs",
"mode": "managed",
"type": "aws_ecs_cluster",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"capacity_providers": {
"references": ["aws_ecs_capacity_provider.capacity_provider"]
},
"name": {
"references": ["var.cluster_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_instance_profile.ecs",
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"name": {
"references": ["var.cluster_name"]
},
"role": {
"references": ["aws_iam_role.ecs[0]"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_role.ecs",
"mode": "managed",
"type": "aws_iam_role",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"provisioners": [{
"type": "local-exec",
"expressions": {
"command": {
"constant_value": "echo 'Sleeping for 15 seconds to wait for IAM role to be created'; sleep 15"
}
}
}],
"expressions": {
"assume_role_policy": {
"references": ["data.aws_iam_policy_document.ecs_role"]
},
"name": {
"references": ["var.cluster_name"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_role_policy.ecr",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecr",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"name": {
"references": ["var.cluster_name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.ecr_permissions"]
},
"role": {
"references": ["aws_iam_role.ecs[0]"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_iam_role_policy.ecs",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"name": {
"references": ["var.cluster_name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.ecs_permissions"]
},
"role": {
"references": ["aws_iam_role.ecs[0]"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_launch_configuration.ecs",
"mode": "managed",
"type": "aws_launch_configuration",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"iam_instance_profile": {
"references": ["aws_iam_instance_profile.ecs[0]"]
},
"image_id": {
"references": ["var.cluster_instance_ami"]
},
"instance_type": {
"references": ["var.cluster_instance_type"]
},
"key_name": {
"references": ["var.cluster_instance_keypair_name"]
},
"name_prefix": {
"references": ["var.cluster_name"]
},
"placement_tenancy": {
"references": ["var.cluster_instance_spot_price", "var.tenancy"]
},
"root_block_device": [{
"encrypted": {
"references": ["var.cluster_instance_root_volume_encrypted"]
},
"volume_size": {
"references": ["var.cluster_instance_root_volume_size"]
},
"volume_type": {
"references": ["var.cluster_instance_root_volume_type"]
}
}],
"security_groups": {
"references": ["aws_security_group.ecs[0]"]
},
"spot_price": {
"references": ["var.cluster_instance_spot_price"]
},
"user_data": {
"references": ["var.cluster_instance_user_data"]
},
"user_data_base64": {
"references": ["var.cluster_instance_user_data_base64"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_security_group.ecs",
"mode": "managed",
"type": "aws_security_group",
"name": "ecs",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"description": {
"references": ["var.cluster_name"]
},
"name": {
"references": ["var.cluster_name"]
},
"tags": {
"references": ["var.custom_tags_security_group"]
},
"vpc_id": {
"references": ["var.vpc_id"]
}
},
"schema_version": 1,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "aws_security_group_rule.allow_inbound_from_alb",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_inbound_from_alb",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"from_port": {
"constant_value": 32768
},
"protocol": {
"constant_value": "tcp"
},
"security_group_id": {
"references": ["aws_security_group.ecs[0]"]
},
"source_security_group_id": {
"references": ["var.alb_security_group_ids", "count.index"]
},
"to_port": {
"constant_value": 65535
},
"type": {
"constant_value": "ingress"
}
},
"schema_version": 2,
"count_expression": {
"references": ["var.create_resources", "var.alb_security_group_ids"]
}
}, {
"address": "aws_security_group_rule.allow_inbound_ssh_from_cidr",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_inbound_ssh_from_cidr",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"cidr_blocks": {
"references": ["var.allow_ssh_from_cidr_blocks"]
},
"from_port": {
"references": ["var.ssh_port"]
},
"protocol": {
"constant_value": "tcp"
},
"security_group_id": {
"references": ["aws_security_group.ecs[0]"]
},
"to_port": {
"references": ["var.ssh_port"]
},
"type": {
"constant_value": "ingress"
}
},
"schema_version": 2,
"count_expression": {
"references": ["var.create_resources", "var.allow_ssh_from_cidr_blocks"]
}
}, {
"address": "aws_security_group_rule.allow_inbound_ssh_from_security_group",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_inbound_ssh_from_security_group",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"from_port": {
"references": ["var.ssh_port"]
},
"protocol": {
"constant_value": "tcp"
},
"security_group_id": {
"references": ["aws_security_group.ecs[0]"]
},
"source_security_group_id": {
"references": ["var.allow_ssh_from_security_group_ids", "count.index"]
},
"to_port": {
"references": ["var.ssh_port"]
},
"type": {
"constant_value": "ingress"
}
},
"schema_version": 2,
"count_expression": {
"references": ["var.create_resources", "var.allow_ssh_from_security_group_ids"]
}
}, {
"address": "aws_security_group_rule.allow_outbound_all",
"mode": "managed",
"type": "aws_security_group_rule",
"name": "allow_outbound_all",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"cidr_blocks": {
"constant_value": ["0.0.0.0/0"]
},
"from_port": {
"constant_value": 0
},
"protocol": {
"constant_value": "-1"
},
"security_group_id": {
"references": ["aws_security_group.ecs[0]"]
},
"to_port": {
"constant_value": 0
},
"type": {
"constant_value": "egress"
}
},
"schema_version": 2,
"count_expression": {
"references": ["var.create_resources"]
}
}, {
"address": "data.aws_iam_policy_document.ecr_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecr_permissions",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeRepositories", "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:ListImages"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ecs_permissions",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_permissions",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*", "ecs:UpdateContainerInstancesState"]
},
"effect": {
"constant_value": "Allow"
},
"resources": {
"constant_value": ["*"]
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.ecs_role",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "ecs_role",
"provider_config_key": "ec2_ecs_cluster:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["sts:AssumeRole"]
},
"effect": {
"constant_value": "Allow"
},
"principals": [{
"identifiers": {
"constant_value": ["ec2.amazonaws.com"]
},
"type": {
"constant_value": "Service"
}
}]
}]
},
"schema_version": 0
}],
"variables": {
"alb_security_group_ids": {
"default": [],
"description": "A list of Security Group IDs of the ALBs which will send traffic to this ECS Cluster."
},
"allow_ssh_from_cidr_blocks": {
"default": [],
"description": "The IP address ranges in CIDR format from which to allow incoming SSH requests to the ECS instances."
},
"allow_ssh_from_security_group_ids": {
"default": [],
"description": "The IDs of security groups from which to allow incoming SSH requests to the ECS instances."
},
"autoscaling_termination_protection": {
"default": false,
"description": "Protect EC2 instances running ECS tasks from being terminated due to scale in (spot instances do not support lifecycle modifications)"
},
"capacity_provider_enabled": {
"default": false,
"description": "Enable a capacity provider to autoscale the EC2 ASG created for this ECS cluster"
},
"capacity_provider_max_scale_step": {
"default": 10,
"description": "Maximum step adjustment size to the ASG's desired instance count"
},
"capacity_provider_min_scale_step": {
"default": 1,
"description": "Minimum step adjustment size to the ASG's desired instance count"
},
"capacity_provider_target": {
"default": 75,
"description": "Target cluster utilization for the capacity provider; a number from 1 to 100."
},
"cluster_instance_ami": {
"description": "The AMI to run on each of the ECS Cluster's EC2 Instances."
},
"cluster_instance_keypair_name": {
"description": "The EC2 Keypair name used to SSH into the ECS Cluster's EC2 Instances."
},
"cluster_instance_root_volume_encrypted": {
"default": false,
"description": "Set to true to encrypt the root block devices for the ECS cluster's EC2 instances"
},
"cluster_instance_root_volume_size": {
"default": 40,
"description": "The size in GB of the root volume for each of the ECS Cluster's EC2 Instances"
},
"cluster_instance_root_volume_type": {
"default": "gp2",
"description": "The volume type for the root volume for each of the ECS Cluster's EC2 Instances. Can be standard, gp2, or io1"
},
"cluster_instance_spot_price": {
"default": null,
"description": "If set to a non-empty string EC2 Spot Instances will be requested for the ECS Cluster. The value is the maximum bid price for the instance on the EC2 Spot Market."
},
"cluster_instance_type": {
"description": "The type of EC2 instance to run for each of the ECS Cluster's EC2 Instances (e.g. t2.medium)."
},
"cluster_instance_user_data": {
"default": null,
"description": "The User Data script to run on each of the ECS Cluster's EC2 Instances on their first boot."
},
"cluster_instance_user_data_base64": {
"default": null,
"description": "The base64-encoded User Data script to run on the server when it is booting. This can be used to pass binary User Data, such as a gzipped cloud-init script. If you wish to pass in plain text (e.g., typical Bash script) for User Data, use var.cluster_instance_user_data instead."
},
"cluster_max_size": {
"description": "The maximum number of EC2 Instances that must be running for this ECS Cluster. We recommend making this twice var.cluster_min_size, even if you don't plan on scaling the cluster up and down, as the extra capacity will be used to deploy updates to the cluster."
},
"cluster_min_size": {
"description": "The minimum number of EC2 Instances launchable for this ECS Cluster. Useful for auto-scaling limits."
},
"cluster_name": {
"description": "The name of the ECS cluster (e.g. ecs-prod). This is used to namespace all the resources created by these templates."
},
"create_resources": {
"default": true,
"description": "If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module."
},
"custom_tags_ec2_instances": {
"default": [],
"description": "A list of custom tags to apply to the EC2 Instances in this ASG. Each item in this list should be a map with the parameters key, value, and propagate_at_launch."
},
"custom_tags_security_group": {
"default": {},
"description": "A map of custom tags to apply to the Security Group for this ECS Cluster. The key is the tag name and the value is the tag value."
},
"ssh_port": {
"default": 22,
"description": "The port to use for SSH access."
},
"tenancy": {
"default": "default",
"description": "The tenancy of the servers in this cluster. Must be one of: default, dedicated, or host."
},
"termination_policies": {
"default": ["OldestInstance"],
"description": "A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, OldestLaunchTemplate, AllocationStrategy, Default. If you specify more than one policy, the ASG will try each one in turn, use it to select the instance(s) to terminate, and if more than one instance matches the criteria, then use the next policy to try to break the tie. E.g., If you use ['OldestInstance', 'ClosestToNextInstanceHour'] and there were two instances with exactly the same launch time, then the ASG would try the next policy, which is to terminate the one closest to the next instance hour in billing."
},
"vpc_id": {
"description": "The ID of the VPC in which the ECS Cluster's EC2 Instances will reside."
},
"vpc_subnet_ids": {
"description": "A list of the subnets into which the ECS Cluster's EC2 Instances will be launched. These should usually be all private subnets and include one in each AWS Availability Zone."
}
}
}
}
},
"variables": {
"cloudwatch_log_group_name": {
"default": null,
"description": "A custom name to set for the CloudWatch Log Group used to stream the container logs. When null, the Log Group will default to var.name."
},
"container_cpu": {
"default": 1024,
"description": "The default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size."
},
"container_default_launch_type": {
"default": "FARGATE",
"description": "The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2."
},
"container_images": {
"description": "Map of names to docker image (repo and tag) to use for the ECS task. Each entry corresponds to a different ECS task definition that can be used for infrastructure pipelines. The key corresponds to a user defined name that can be used with the invoker function to determine which task definition to use."
},
"container_max_cpu": {
"default": 2048,
"description": "The maximum CPU units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function."
},
"container_max_memory": {
"default": 8192,
"description": "The maximum memory units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function."
},
"container_memory": {
"default": 2048,
"description": "The default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size."
},
"custom_tags": {
"default": {},
"description": "A map of custom tags to apply to all the resources created in this module. The key is the tag name and the value is the tag value."
},
"ec2_worker_pool_configuration": {
"default": null,
"description": "Worker configuration of an EC2 worker pool for the ECS cluster. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate only mode."
},
"name": {
"default": "ecs-deploy-runner",
"description": "Name of this instance of the deploy runner stack. Used to namespace all resources."
},
"repository_credentials_secrets_manager_arn": {
"default": null,
"description": "The ARN of an AWS Secrets Manager secret containing credentials to access the private repository. See the docs for details on the format of the secret: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html. Note that appropriate secrets manager permissions need to be added to the task execution role for this to work."
},
"secrets_manager_kms_key_arn": {
"default": null,
"description": "ARN of the KMS Key used to encrypt the AWS Secrets Manager entries. Note that if this variable is provided, this module will grant read and decrypt access to the KMS key to the ECS task. Only required if a custom KMS key was used to encrypt the secrets manager entry."
},
"vpc_id": {
"description": "AWS ID of the VPC where the ECS task and invoker lambda should run."
},
"vpc_subnet_ids": {
"description": "List of VPC Subnet IDs where the ECS task and invoker lambda should run."
}
}
}
},
"invoke_policy": {
"source": "git::git@github.com:gruntwork-io/module-ci.git//modules/ecs-deploy-runner-invoke-iam-policy?ref=v0.29.5",
"expressions": {
"deploy_runner_cloudwatch_log_group_name": {
"references": ["module.ecs_deploy_runner.cloudwatch_log_group_name"]
},
"deploy_runner_ecs_cluster_arn": {
"references": ["module.ecs_deploy_runner.ecs_cluster_arn"]
},
"deploy_runner_invoker_lambda_function_arn": {
"references": ["module.ecs_deploy_runner.invoker_function_arn"]
},
"name": {
"references": ["var.name"]
}
},
"module": {
"outputs": {
"arn": {
"expression": {
"references": ["aws_iam_policy.invoke_ecs_deploy_runner"]
},
"description": "The ARN of the IAM policy created with the permissions for invoking the ECS Deploy Runner."
},
"id": {
"expression": {
"references": ["aws_iam_policy.invoke_ecs_deploy_runner"]
},
"description": "The AWS ID of the IAM policy created with the permissions for invoking the ECS Deploy Runner."
},
"name": {
"expression": {
"references": ["aws_iam_policy.invoke_ecs_deploy_runner"]
},
"description": "The name of the IAM policy created with the permissions for invoking the ECS Deploy Runner."
}
},
"resources": [{
"address": "aws_iam_policy.invoke_ecs_deploy_runner",
"mode": "managed",
"type": "aws_iam_policy",
"name": "invoke_ecs_deploy_runner",
"provider_config_key": "invoke_policy:aws",
"expressions": {
"description": {
"constant_value": "A policy that grants the ability to invoke the Invoker Lambda function of the ECS Deploy Runner stack. Includes monitoring permissions as well (access to describe task to see status/errors and access to the CloudWatch log stream)."
},
"name": {
"references": ["var.name"]
},
"policy": {
"references": ["data.aws_iam_policy_document.invoke_ecs_deploy_runner"]
}
},
"schema_version": 0
}, {
"address": "data.aws_caller_identity.current",
"mode": "data",
"type": "aws_caller_identity",
"name": "current",
"provider_config_key": "invoke_policy:aws",
"schema_version": 0
}, {
"address": "data.aws_iam_policy_document.invoke_ecs_deploy_runner",
"mode": "data",
"type": "aws_iam_policy_document",
"name": "invoke_ecs_deploy_runner",
"provider_config_key": "invoke_policy:aws",
"expressions": {
"statement": [{
"actions": {
"constant_value": ["lambda:InvokeFunction"]
},
"resources": {
"references": ["var.deploy_runner_invoker_lambda_function_arn"]
},
"sid": {
"constant_value": "invokeDeployRunner"
}
}, {
"actions": {
"constant_value": ["ecs:DescribeTasks"]
},
"condition": [{
"test": {
"constant_value": "StringEquals"
},
"values": {
"references": ["var.deploy_runner_ecs_cluster_arn"]
},
"variable": {
"constant_value": "ecs:cluster"
}
}],
"resources": {
"constant_value": ["*"]
},
"sid": {
"constant_value": "readDeployRunnerECSTask"
}
}, {
"actions": {
"constant_value": ["logs:GetLogEvents"]
},
"resources": {
"references": ["data.aws_region.current", "data.aws_caller_identity.current", "var.deploy_runner_cloudwatch_log_group_name"]
},
"sid": {
"constant_value": "streamDeployRunnerLogs"
}
}]
},
"schema_version": 0
}, {
"address": "data.aws_region.current",
"mode": "data",
"type": "aws_region",
"name": "current",
"provider_config_key": "invoke_policy:aws",
"schema_version": 0
}],
"variables": {
"deploy_runner_cloudwatch_log_group_name": {
"description": "The name of the CloudWatch Log Group that is used to store the logs for the ECS Deploy Runner tasks."
},
"deploy_runner_ecs_cluster_arn": {
"description": "ARN of the ECS Cluster that is used to run the ECS Deploy Runner tasks."
},
"deploy_runner_invoker_lambda_function_arn": {
"description": "ARN of the AWS Lambda function that can be used to invoke the ECS Deploy Runner."
},
"name": {
"default": "invoke-ecs-deploy-runner",
"description": "The name to use for the IAM policy that is created."
}
}
}
},
"kms_grants": {
"source": "git::git@github.com:gruntwork-io/module-security.git//modules/kms-grant-multi-region?ref=v0.44.5",
"expressions": {
"aws_account_id": {
"references": ["data.aws_caller_identity.current"]
},
"kms_grant_regions": {
"references": ["local.kms_grant_regions"]
},
"kms_grants": {
"references": ["local.kms_grants"]
}
},
"module": {
"resources": [{
"address": "aws_kms_grant.grants_for_af_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_af_south_1",
"provider_config_key": "kms_grants:aws.af_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_af_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_east_1",
"provider_config_key": "kms_grants:aws.ap_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_1",
"provider_config_key": "kms_grants:aws.ap_northeast_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_2",
"provider_config_key": "kms_grants:aws.ap_northeast_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_3",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_3",
"provider_config_key": "kms_grants:aws.ap_northeast_3",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_3", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_south_1",
"provider_config_key": "kms_grants:aws.ap_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_southeast_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_southeast_1",
"provider_config_key": "kms_grants:aws.ap_southeast_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_southeast_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_southeast_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_southeast_2",
"provider_config_key": "kms_grants:aws.ap_southeast_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_southeast_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ca_central_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ca_central_1",
"provider_config_key": "kms_grants:aws.ca_central_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ca_central_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_cn_north_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_cn_north_1",
"provider_config_key": "kms_grants:aws.cn_north_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_cn_north_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_cn_northwest_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_cn_northwest_1",
"provider_config_key": "kms_grants:aws.cn_northwest_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_cn_northwest_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_central_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_central_1",
"provider_config_key": "kms_grants:aws.eu_central_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_central_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_north_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_north_1",
"provider_config_key": "kms_grants:aws.eu_north_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_north_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_south_1",
"provider_config_key": "kms_grants:aws.eu_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_1",
"provider_config_key": "kms_grants:aws.eu_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_2",
"provider_config_key": "kms_grants:aws.eu_west_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_3",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_3",
"provider_config_key": "kms_grants:aws.eu_west_3",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_3", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_me_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_me_south_1",
"provider_config_key": "kms_grants:aws.me_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_me_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_sa_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_sa_east_1",
"provider_config_key": "kms_grants:aws.sa_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_sa_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_east_1",
"provider_config_key": "kms_grants:aws.us_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_east_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_east_2",
"provider_config_key": "kms_grants:aws.us_east_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_east_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_gov_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_gov_east_1",
"provider_config_key": "kms_grants:aws.us_gov_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_gov_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_gov_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_gov_west_1",
"provider_config_key": "kms_grants:aws.us_gov_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_gov_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_west_1",
"provider_config_key": "kms_grants:aws.us_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_west_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_west_2",
"provider_config_key": "kms_grants:aws.us_west_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_west_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "null_resource.dependency_getter",
"mode": "managed",
"type": "null_resource",
"name": "dependency_getter",
"provider_config_key": "kms_grants:null",
"expressions": {
"triggers": {
"references": ["var.dependencies"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.kms_grant_regions"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_af_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_af_south_1",
"provider_config_key": "kms_grants:aws.af_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_east_1",
"provider_config_key": "kms_grants:aws.ap_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_1",
"provider_config_key": "kms_grants:aws.ap_northeast_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_2",
"provider_config_key": "kms_grants:aws.ap_northeast_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_3",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_3",
"provider_config_key": "kms_grants:aws.ap_northeast_3",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_south_1",
"provider_config_key": "kms_grants:aws.ap_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_southeast_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_southeast_1",
"provider_config_key": "kms_grants:aws.ap_southeast_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_southeast_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_southeast_2",
"provider_config_key": "kms_grants:aws.ap_southeast_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ca_central_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ca_central_1",
"provider_config_key": "kms_grants:aws.ca_central_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_cn_north_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_cn_north_1",
"provider_config_key": "kms_grants:aws.cn_north_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_cn_northwest_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_cn_northwest_1",
"provider_config_key": "kms_grants:aws.cn_northwest_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_central_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_central_1",
"provider_config_key": "kms_grants:aws.eu_central_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_north_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_north_1",
"provider_config_key": "kms_grants:aws.eu_north_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_south_1",
"provider_config_key": "kms_grants:aws.eu_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_1",
"provider_config_key": "kms_grants:aws.eu_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_2",
"provider_config_key": "kms_grants:aws.eu_west_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_3",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_3",
"provider_config_key": "kms_grants:aws.eu_west_3",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_me_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_me_south_1",
"provider_config_key": "kms_grants:aws.me_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_sa_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_sa_east_1",
"provider_config_key": "kms_grants:aws.sa_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_east_1",
"provider_config_key": "kms_grants:aws.us_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_east_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_east_2",
"provider_config_key": "kms_grants:aws.us_east_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_gov_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_gov_east_1",
"provider_config_key": "kms_grants:aws.us_gov_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_gov_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_gov_west_1",
"provider_config_key": "kms_grants:aws.us_gov_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_west_1",
"provider_config_key": "kms_grants:aws.us_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_west_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_west_2",
"provider_config_key": "kms_grants:aws.us_west_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_regions.current",
"mode": "data",
"type": "aws_regions",
"name": "current",
"provider_config_key": "kms_grants:aws.seed",
"schema_version": 0
}],
"variables": {
"aws_account_id": {
"description": "The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables."
},
"dependencies": {
"default": [],
"description": "Create a dependency between the resources in this module and the interpolated values in this list (and thus the source resources). In other words, the resources in this module will now depend on the resources backing the values in this list, such that those resources need to be created before the resources in this module, and the resources in this module need to be destroyed before the resources in the list."
},
"kms_grant_regions": {
"description": "A map from the name of each KMS grant to the region where its key resides. There should be a one-to-one mapping between entries in this map and the entries of the kms_grants map. This is used to work around a Terraform limitation where the for_each value cannot depend on resources."
},
"kms_grants": {
"description": "Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account."
},
"opt_in_regions": {
"default": null,
"description": "Creates resources in the specified regions. Note that the region must be enabled on your AWS account. Regions that are not enabled are automatically filtered from this list."
},
"seed_region": {
"default": "us-east-1",
"description": "The AWS Region to use as a seed to discover other regions."
}
}
}
},
"shared_secrets_kms_grants": {
"source": "git::git@github.com:gruntwork-io/module-security.git//modules/kms-grant-multi-region?ref=v0.44.5",
"expressions": {
"aws_account_id": {
"references": ["data.aws_caller_identity.current"]
},
"kms_grant_regions": {
"references": ["local.shared_secrets_kms_grant_regions"]
},
"kms_grants": {
"references": ["local.shared_secrets_kms_grants"]
}
},
"module": {
"resources": [{
"address": "aws_kms_grant.grants_for_af_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_af_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.af_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_af_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_2",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_northeast_3",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_northeast_3",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_3",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_northeast_3", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_southeast_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_southeast_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_southeast_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_southeast_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ap_southeast_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ap_southeast_2",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_southeast_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ap_southeast_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_ca_central_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_ca_central_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ca_central_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_ca_central_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_cn_north_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_cn_north_1",
"provider_config_key": "shared_secrets_kms_grants:aws.cn_north_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_cn_north_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_cn_northwest_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_cn_northwest_1",
"provider_config_key": "shared_secrets_kms_grants:aws.cn_northwest_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_cn_northwest_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_central_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_central_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_central_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_central_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_north_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_north_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_north_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_north_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_2",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_eu_west_3",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_eu_west_3",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_3",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_eu_west_3", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_me_south_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_me_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.me_south_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_me_south_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_sa_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_sa_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.sa_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_sa_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_east_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_east_2",
"provider_config_key": "shared_secrets_kms_grants:aws.us_east_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_east_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_gov_east_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_gov_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_gov_east_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_gov_east_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_gov_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_gov_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_gov_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_gov_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_west_1",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_west_1",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_west_1", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "aws_kms_grant.grants_for_us_west_2",
"mode": "managed",
"type": "aws_kms_grant",
"name": "grants_for_us_west_2",
"provider_config_key": "shared_secrets_kms_grants:aws.us_west_2",
"expressions": {
"grantee_principal": {
"references": ["var.kms_grants", "each.key"]
},
"key_id": {
"references": ["data.aws_kms_key.by_loose_id_us_west_2", "each.key"]
},
"name": {
"references": ["each.key"]
},
"operations": {
"references": ["var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
},
"depends_on": ["null_resource.dependency_getter"]
}, {
"address": "null_resource.dependency_getter",
"mode": "managed",
"type": "null_resource",
"name": "dependency_getter",
"provider_config_key": "shared_secrets_kms_grants:null",
"expressions": {
"triggers": {
"references": ["var.dependencies"]
}
},
"schema_version": 0,
"count_expression": {
"references": ["var.kms_grant_regions"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_af_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_af_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.af_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_2",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_northeast_3",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_northeast_3",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_northeast_3",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_southeast_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_southeast_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_southeast_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ap_southeast_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ap_southeast_2",
"provider_config_key": "shared_secrets_kms_grants:aws.ap_southeast_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_ca_central_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_ca_central_1",
"provider_config_key": "shared_secrets_kms_grants:aws.ca_central_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_cn_north_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_cn_north_1",
"provider_config_key": "shared_secrets_kms_grants:aws.cn_north_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_cn_northwest_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_cn_northwest_1",
"provider_config_key": "shared_secrets_kms_grants:aws.cn_northwest_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_central_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_central_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_central_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_north_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_north_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_north_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_2",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_eu_west_3",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_eu_west_3",
"provider_config_key": "shared_secrets_kms_grants:aws.eu_west_3",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_me_south_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_me_south_1",
"provider_config_key": "shared_secrets_kms_grants:aws.me_south_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_sa_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_sa_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.sa_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_east_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_east_2",
"provider_config_key": "shared_secrets_kms_grants:aws.us_east_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_gov_east_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_gov_east_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_gov_east_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_gov_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_gov_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_gov_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_west_1",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_west_1",
"provider_config_key": "shared_secrets_kms_grants:aws.us_west_1",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_kms_key.by_loose_id_us_west_2",
"mode": "data",
"type": "aws_kms_key",
"name": "by_loose_id_us_west_2",
"provider_config_key": "shared_secrets_kms_grants:aws.us_west_2",
"expressions": {
"key_id": {
"references": ["null_resource.dependency_getter", "var.kms_grants", "each.key", "var.kms_grants", "each.key"]
}
},
"schema_version": 0,
"for_each_expression": {
"references": ["local.region_grants"]
}
}, {
"address": "data.aws_regions.current",
"mode": "data",
"type": "aws_regions",
"name": "current",
"provider_config_key": "shared_secrets_kms_grants:aws.seed",
"schema_version": 0
}],
"variables": {
"aws_account_id": {
"description": "The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables."
},
"dependencies": {
"default": [],
"description": "Create a dependency between the resources in this module to the interpolated values in this list (and thus the source resources). In other words, the resources in this module will now depend on the resources backing the values in this list such that those resources need to be created before the resources in this module, and the resources in this module need to be destroyed before the resources in the list."
},
"kms_grant_regions": {
"description": "A map from KMS grant name to the region where the key resides. There should be a one-to-one mapping between entries in this map and the entries of the kms_grants map. This is used to work around a Terraform limitation where the for_each value cannot depend on resources."
},
"kms_grants": {
"description": "Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account."
},
"opt_in_regions": {
"default": null,
"description": "Creates resources in the specified regions. Note that the region must be enabled on your AWS account. Regions that are not enabled are automatically filtered from this list."
},
"seed_region": {
"default": "us-east-1",
"description": "The AWS Region to use as a seed to discover other regions."
}
}
}
},
"standard_config": {
"source": "git::git@github.com:gruntwork-io/module-ci.git//modules/ecs-deploy-runner-standard-configuration?ref=v0.29.5",
"expressions": {
"ami_builder": {
"references": ["var.ami_builder_config", "var.ami_builder_config", "var.ami_builder_config", "var.ami_builder_config", "var.ami_builder_config", "var.ami_builder_config", "var.ami_builder_config"]
},
"docker_image_builder": {
"references": ["var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config", "var.docker_image_builder_config"]
},
"terraform_applier": {
"references": ["var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config", "var.terraform_applier_config"]
},
"terraform_planner": {
"references": ["var.terraform_planner_config", "var.terraform_planner_config", "var.terraform_planner_config", "var.terraform_planner_config", "var.terraform_planner_config", "var.terraform_planner_config", "var.terraform_planner_config"]
}
},
"module": {
"outputs": {
"container_images": {
"expression": {
"references": ["local.container_images"]
},
"description": "Configuration map for the ecs-deploy-runner module that can be passed straight in as the container_images input variable."
}
},
"variables": {
"ami_builder": {
"description": "Configuration options for the ami-builder container of the ECS deploy runner stack. This container will be used for building AMIs in the CI/CD pipeline with packer. Set to `null` to disable this container."
},
"docker_image_builder": {
"description": "Configuration options for the docker-image-builder container of the ECS deploy runner stack. This container will be used for building docker images in the CI/CD pipeline. Set to `null` to disable this container."
},
"terraform_applier": {
"description": "Configuration options for the terraform-applier container of the ECS deploy runner stack. This container will be used for running infrastructure deployment actions (including automated variable updates) in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container."
},
"terraform_planner": {
"description": "Configuration options for the terraform-planner container of the ECS deploy runner stack. This container will be used for running infrastructure plan (including validate) actions in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container."
}
}
}
}
},
"variables": {
"ami_builder_config": {
"description": "Configuration options for the ami-builder container of the ECS deploy runner stack. This container will be used for building AMIs in the CI/CD pipeline using packer. Set to `null` to disable this container."
},
"container_cpu": {
"default": 1024,
"description": "The default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size."
},
"container_default_launch_type": {
"default": "FARGATE",
"description": "The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2."
},
"container_max_cpu": {
"default": 2048,
"description": "The maximum CPU units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function."
},
"container_max_memory": {
"default": 8192,
"description": "The maximum memory units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function."
},
"container_memory": {
"default": 2048,
"description": "The default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size."
},
"docker_image_builder_config": {
"description": "Configuration options for the docker-image-builder container of the ECS deploy runner stack. This container will be used for building docker images in the CI/CD pipeline. Set to `null` to disable this container."
},
"ec2_worker_pool_configuration": {
"default": null,
"description": "Worker configuration of an EC2 worker pool for the ECS cluster. An EC2 worker pool supports caching of Docker images, so your builds may run faster, whereas Fargate is serverless, so you have no persistent EC2 instances to manage and pay for. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate only mode. Note that when this variable is set, this example module will automatically look up and use the base ECS optimized AMI that AWS provides."
},
"iam_groups": {
"default": [],
"description": "List of AWS IAM groups that should be given access to invoke the deploy runner."
},
"iam_roles": {
"default": [],
"description": "List of AWS IAM roles that should be given access to invoke the deploy runner."
},
"iam_users": {
"default": [],
"description": "List of AWS IAM usernames that should be given access to invoke the deploy runner."
},
"name": {
"default": "ecs-deploy-runner",
"description": "Name of this instance of the deploy runner stack. Used to namespace all resources."
},
"private_subnet_ids": {
"description": "List of IDs of private subnets that can be used for running the ECS task and Lambda function."
},
"shared_secrets_enabled": {
"default": false,
"description": "If true, this module will create grants for a given shared secrets KMS key. You must pass a value for shared_secrets_kms_cmk_arn if this is set to true. Defaults to false."
},
"shared_secrets_kms_cmk_arn": {
"default": null,
"description": "The ARN of the KMS CMK used for sharing AWS Secrets Manager secrets between accounts."
},
"snapshot_encryption_kms_cmk_arns": {
"default": {},
"description": "Map of names to ARNs of KMS CMKs that are used to encrypt snapshots (including AMIs). This module will create the necessary KMS key grants to allow the respective deploy containers access to utilize the keys for managing the encrypted snapshots. The keys are arbitrary names that are used to identify the key."
},
"terraform_applier_config": {
"description": "Configuration options for the terraform-applier container of the ECS deploy runner stack. This container will be used for running infrastructure deployment actions (including automated variable updates) in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container."
},
"terraform_planner_config": {
"description": "Configuration options for the terraform-planner container of the ECS deploy runner stack. This container will be used for running infrastructure plan (including validate) actions in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container."
},
"vpc_id": {
"description": "ID of the VPC where the ECS task and Lambda function should run."
}
}
}
}
}