Print specific message if CORE row isn't found

[chrisbloe]

No description provided.

[github-actions]

Report for environment: prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖failure

Show Plan ()

aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.db-username: Reading...
data.aws_ssm_parameter.private_subnets: Reading...
data.aws_caller_identity.current: Reading...
data.aws_ssm_parameter.gocd_sg_id: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Reading...
aws_ecs_cluster.ecs-cluster: Refreshing state... [id=arn:aws:ecs:eu-west-2:535760944720:cluster/prod-ehr-repo-ecs-cluster]
data.aws_iam_policy_document.ecs-assume-role-policy: Reading...
data.aws_ssm_parameter.db-password: Reading...
data.aws_iam_policy_document.ecs-assume-role-policy: Read complete after 0s [id=320642683]
aws_s3_bucket.ehr_repo_access_logs: Refreshing state... [id=prod-ehr-repo-access-logs]
data.aws_sns_topic.alarm_notifications: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=535760944720]
aws_kms_key.ehr-repo-key: Refreshing state... [id=a3c164bb-c5ac-4ef7-999e-0000475e0176]
data.aws_sns_topic.alarm_notifications: Read complete after 1s [id=arn:aws:sns:eu-west-2:535760944720:prod-alarm-notifications-sns-topic]
data.aws_ssm_parameter.vpn_sg_id: Reading...
data.aws_ssm_parameter.private_zone_id: Reading...
data.aws_ssm_parameter.gocd_sg_id: Read complete after 1s [id=/repo/prod/user-input/external/gocd-agent-sg-id]
data.aws_ssm_parameter.private_subnets: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/deductions-core-private-subnets]
data.aws_ssm_parameter.database_subnets: Reading...
data.aws_ssm_parameter.repo_databases_parameter_group_name: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/repo-databases-parameter-group-name-version-13]
aws_s3_bucket.ehr-repo-bucket: Refreshing state... [id=prod-ehr-repo-bucket]
data.aws_ssm_parameter.environment_private_zone_id: Reading...
data.aws_ssm_parameter.db-username: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-username]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Reading...
data.aws_ssm_parameter.db-password: Read complete after 1s [id=/repo/prod/user-input/ehr-repo-db-password]
data.aws_iam_policy_document.ehr-repo-s3-bucket: Read complete after 0s [id=4137863563]
data.aws_ssm_parameter.alb_access_logs_bucket: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Reading...
data.aws_iam_policy_document.ehr-repo-s3: Read complete after 0s [id=1020153983]
data.aws_ssm_parameter.deductions_private_vpc_id: Reading...
data.aws_ssm_parameter.dynamodb_name: Reading...
data.aws_ssm_parameter.vpn_sg_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/vpn-sg-id]
data.aws_ssm_parameter.deductions_core_vpc_id: Reading...
data.aws_ssm_parameter.database_subnets: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-database-subnets]
data.aws_ssm_parameter.s3_prefix_list_id: Reading...
data.aws_ssm_parameter.environment_private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/environment-private-zone-id]
data.aws_ssm_parameter.private_zone_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-root-zone-id]
data.aws_vpc.mhs: Reading...
data.aws_ssm_parameter.dynamodb_prefix_list_id: Reading...
data.aws_ssm_parameter.deductions_private_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/private-vpc-id]
data.aws_ssm_parameter.alb_access_logs_bucket: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/alb-access-logs-s3-bucket-id]
data.aws_ssm_parameter.environment_public_zone_id: Reading...
aws_iam_role.ehr-repo: Refreshing state... [id=prod-ehr-repo-EcsTaskRole]
data.aws_ssm_parameter.dynamodb_name: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/ehr-transfer-tracker-db-name]
aws_cloudwatch_metric_alarm.error_log_alarm: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_iam_policy.ehr-repo-s3-bucket: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3-bucket]
data.aws_ssm_parameter.deductions_core_vpc_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core-vpc-id]
aws_iam_policy.ehr-repo-s3: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-s3]
data.aws_ssm_parameter.s3_prefix_list_id: Read complete after 0s [id=/repo/prod/output/prm-deductions-infra/deductions-core/s3-prefix-list-id]
aws_ssm_parameter.deductions_core_ecs_cluster_id: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/deductions-core-ecs-cluster-id]
aws_db_subnet_group.db-cluster-subnet-group: Refreshing state... [id=prod-ehr-db-subnet-group]
data.aws_ssm_parameter.environment_public_zone_id: Read complete after 1s [id=/repo/prod/output/prm-deductions-infra/environment-public-zone-id]
data.aws_vpc.private_vpc: Reading...
aws_cloudwatch_log_group.log-group: Refreshing state... [id=/nhs/deductions/prod-535760944720/ehr-repo]
data.aws_iam_policy_document.ssm_policy_doc: Reading...
data.aws_iam_policy_document.ssm_policy_doc: Read complete after 0s [id=1951628828]
data.aws_iam_policy_document.ecr_policy_doc: Reading...
data.aws_iam_policy_document.ecr_policy_doc: Read complete after 0s [id=3935638853]
data.aws_iam_policy_document.logs_policy_doc: Reading...
data.aws_iam_policy_document.logs_policy_doc: Read complete after 0s [id=2047735215]
aws_kms_alias.ehr_repo_encryption: Refreshing state... [id=alias/ehr-repo-encryption-kms-key]
aws_security_group.service_to_ehr_repo: Refreshing state... [id=sg-0843b1d0b553c2023]
aws_security_group.vpn_to_db_sg: Refreshing state... [id=sg-0202aa7080b14a4fe]
aws_security_group.gocd_to_db_sg: Refreshing state... [id=sg-04a1bdc4b2d04025f]
aws_security_group.gocd_to_ehr_repo: Refreshing state... [id=sg-03ac6aa886cc858a1]
data.aws_vpc.deductions_core_vpc: Reading...
aws_alb_target_group.internal-alb-tg: Refreshing state... [id=arn:aws:elasticloadbalancing:eu-west-2:535760944720:targetgroup/prod-ehr-repo-int-tg/ee3bb55b5e3d566e]
aws_security_group.ehr_repo_alb: Refreshing state... [id=sg-07e5606b3bcd4649d]
aws_security_group.vpn_to_ehr_repo: Refreshing state... [id=sg-0b1fbb458ed13a742]
data.aws_route53_zone.environment_public_zone: Reading...
aws_iam_policy.ssm_policy: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ssm]
data.aws_vpc.mhs: Read complete after 2s [id=vpc-0b9256aa629d17dc2]
aws_iam_policy.ehr-ecr: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-repo-ecr]
aws_iam_policy.ehr-logs: Refreshing state... [id=arn:aws:iam::535760944720:policy/prod-ehr-logs]
aws_iam_role_policy_attachment.ehr-repo-s3-bucket-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932284900000005]
data.aws_route53_zone.environment_public_zone: Read complete after 0s [id=Z03667822QZ8RSZRQVF9T]
aws_iam_role_policy_attachment.ehr-repo-s3-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932264800000003]
aws_ssm_parameter.service_to_ehr_repo: Refreshing state... [id=/repo/prod/output/prm-deductions-ehr-repository/service-to-ehr-repo-sg-id]
aws_cloudwatch_log_metric_filter.log_metric_filter: Refreshing state... [id=prod-ehr-repo-error-logs]
aws_security_group_rule.vpn_to_db_sg[0]: Refreshing state... [id=sgrule-2902444858]
aws_iam_role_policy_attachment.ssm_policy_attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932263800000002]
aws_acm_certificate.ehr-repo-cert: Refreshing state... [id=arn:aws:acm:eu-west-2:535760944720:certificate/3880818d-3f9e-4a1c-b002-678d4cead6ef]
aws_iam_role_policy_attachment.ehr-ecr-attach: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932249100000001]
aws_iam_role_policy_attachment.ehr-logs: Refreshing state... [id=prod-ehr-repo-EcsTaskRole-20211108114932275100000004]
data.aws_vpc.private_vpc: Read complete after 1s
aws_route53_record.ehr-repo-cert-validation-record["ehr-repo.prod.patient-deductions.nhs.uk"]: Refreshing state... [id=Z03667822QZ8RSZRQVF9T__f4650d75793e219d9df2da1ec8a65eab.ehr-repo.prod.patient-deductions.nhs.uk._CNAME]
aws_acm_certificate_validation.ehr-repo-cert-validation: Refreshing state... [id=2023-09-06 00:40:21.735 +0000 UTC]
data.aws_vpc.deductions_core_vpc: Read complete after 2s
aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_public_access_block.ehr_repo_access_logs_access_block: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_versioning.ehr_repo_access_logs[0]: Refreshing state... [id=prod-ehr-repo-access-logs]
aws_s3_bucket_policy.ehr-repo-bucket_policy: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_versioning.ehr_repo_bucket[0]: Refreshing state... [id=prod-ehr-repo-bucket]
aws_s3_bucket_public_access_block.ehr_repo_access_block: Refreshing state... [id=prod-ehr-repo-bucket]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform planned the following actions, but then encountered a problem:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "prod-ehr-repo-bucket" -> null
      - id                    = "prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_developer_to_see_access_logs_policy[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_developer_to_see_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "s3:Get*",
                            "s3:ListBucket",
                        ]
                        Condition = {
                            Bool = {
                                "aws:SecureTransport" = "false"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::535760944720:role/RepoDeveloper"
                        }
                        Resource  = [
                            "arn:aws:s3:::prod-ehr-repo-access-logs",
                            "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ]
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::535760944720:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                  - {
                      - Action    = "s3:PutObject"
                      - Condition = {
                          - StringEquals = {
                              - "aws:SourceAccount" = "535760944720"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "logging.s3.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::prod-ehr-repo-access-logs/*"
                      - Sid       = "S3PolicyStmt-DO-NOT-MODIFY-1710949274265"
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_security_group.ehr_repo_alb will be updated in-place
  ~ resource "aws_security_group" "ehr_repo_alb" {
        id                     = "sg-07e5606b3bcd4649d"
        name                   = "prod-alb-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-alb-ehr-repo"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "gocd_to_db_sg" {
        id                     = "sg-04a1bdc4b2d04025f"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo-db-sg"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.gocd_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "gocd_to_ehr_repo" {
        id                     = "sg-03ac6aa886cc858a1"
      ~ ingress                = (sensitive value)
        name                   = "prod-gocd-to-ehr-repo"
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-gocd-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.service_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "service_to_ehr_repo" {
        id                     = "sg-0843b1d0b553c2023"
        name                   = "prod-service-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-service-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_db_sg will be updated in-place
  ~ resource "aws_security_group" "vpn_to_db_sg" {
        id                     = "sg-0202aa7080b14a4fe"
        name                   = "prod-vpn-to-ehr-repo-db-sg"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-db-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

  # aws_security_group.vpn_to_ehr_repo will be updated in-place
  ~ resource "aws_security_group" "vpn_to_ehr_repo" {
        id                     = "sg-0b1fbb458ed13a742"
        name                   = "prod-vpn-to-ehr-repo"
      + revoke_rules_on_delete = false
        tags                   = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "prod"
            "Name"        = "prod-vpn-to-ehr-repo-sg"
        }
        # (8 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 5 to add, 10 to change, 1 to destroy.

[github-actions]

Report for environment: dev

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (0 to add, 2 to change, 0 to destroy)

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "dev-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "dev-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "dev-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "dev"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

[github-actions]

Report for environment: pre-prod

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 3 to change, 1 to destroy)

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "pre-prod-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "pre-prod-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (2 unchanged blocks hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "pre-prod-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "pre-prod"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "pre-prod-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "pre-prod-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_object_lock_configuration.ehr_repo_bucket[0] will be destroyed
  # (because aws_s3_bucket_object_lock_configuration.ehr_repo_bucket is not in configuration)
  - resource "aws_s3_bucket_object_lock_configuration" "ehr_repo_bucket" {
      - bucket                = "pre-prod-ehr-repo-bucket" -> null
      - id                    = "pre-prod-ehr-repo-bucket" -> null
      - object_lock_enabled   = "Enabled" -> null
        # (1 unchanged attribute hidden)

      - rule {
          - default_retention {
              - days  = 36500 -> null
              - mode  = "GOVERNANCE" -> null
              - years = 0 -> null
            }
        }
    }

  # aws_s3_bucket_policy.ehr_repo_permit_s3_to_write_access_logs_policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "ehr_repo_permit_s3_to_write_access_logs_policy" {
        id     = "pre-prod-ehr-repo-access-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "s3:Get*",
                          - "s3:ListBucket",
                        ] -> "s3:PutObject"
                      ~ Principal = {
                          - AWS     = "arn:aws:iam::108148468272:role/RepoDeveloper"
                          + Service = "logging.s3.amazonaws.com"
                        }
                      ~ Resource  = [
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs",
                          - "arn:aws:s3:::pre-prod-ehr-repo-access-logs/*",
                        ] -> "arn:aws:s3:::pre-prod-ehr-repo-access-logs/s3-access-log/*"
                      + Sid       = "S3ServerAccessLogsPolicy"
                        # (2 unchanged attributes hidden)
                    },
                ]
              ~ Version   = "2008-10-17" -> "2012-10-17"
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "pre-prod-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "pre-prod-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 3 to change, 1 to destroy.

[github-actions]

Report for environment: test

Terraform Format and Style 🖌success

Format Output

Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding hashicorp/aws versions matching "3.75.1"...
- Installing hashicorp/aws v3.75.1...
- Installed hashicorp/aws v3.75.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (5 to add, 2 to change, 0 to destroy)

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.ehr-repo-bucket will be updated in-place
  ~ resource "aws_s3_bucket" "ehr-repo-bucket" {
        id                          = "test-ehr-repo-bucket"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - logging {
          - target_bucket = "test-ehr-repo-access-logs" -> null
          - target_prefix = "s3-access-log/" -> null
        }

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket.ehr_repo_access_logs will be updated in-place
  ~ resource "aws_s3_bucket" "ehr_repo_access_logs" {
        id                          = "test-ehr-repo-access-logs"
        tags                        = {
            "CreatedBy"   = "prm-deductions-ehr-repository"
            "Environment" = "test"
        }
        # (12 unchanged attributes hidden)

      - server_side_encryption_configuration {
          - rule {
              - bucket_key_enabled = false -> null

              - apply_server_side_encryption_by_default {
                  - sse_algorithm     = "AES256" -> null
                    # (1 unchanged attribute hidden)
                }
            }
        }

        # (1 unchanged block hidden)
    }

  # aws_s3_bucket_acl.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_acl" "ehr-repo-bucket" {
      + acl    = "private"
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_acl.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_acl" "ehr_repo_access_logs" {
      + acl    = "private"
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_logging.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_logging" "ehr-repo-bucket" {
      + bucket        = "test-ehr-repo-bucket"
      + id            = (known after apply)
      + target_bucket = "test-ehr-repo-access-logs"
      + target_prefix = "s3-access-log/"
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr-repo-bucket will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr-repo-bucket" {
      + bucket = "test-ehr-repo-bucket"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

  # aws_s3_bucket_server_side_encryption_configuration.ehr_repo_access_logs will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_repo_access_logs" {
      + bucket = "test-ehr-repo-access-logs"
      + id     = (known after apply)

      + rule {
          + apply_server_side_encryption_by_default {
              + sse_algorithm     = "AES256"
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 5 to add, 2 to change, 0 to destroy.