PLT-9274 - Atlantis EC2 instance and subsequent infrastructure to support it.

[Fentonhaslam]

Summary by CodeRabbit

• New Features
  • Introduced infrastructure management for EC2 instances including networking and IAM roles.
  • Configured Amazon Elastic Container Registry (ECR) with repository lifecycle policies.
  • Defined security group settings for the Atlantis application.
  • Managed AWS key pair creation and configuration.
  • Set up an Application Load Balancer (ALB) with associated networking and security settings.
  • Managed AWS ACM certificate creation with domain validation and tagging.

[coderabbitai]

Walkthrough

The recent changes in the us-east-1 region for the Atlantis management suite involve the introduction of new configurations for managing EC2 instances, ECR repositories, security groups, key pairs, ALBs, and ACM certificates. These updates aim to enhance the management and deployment capabilities within the AWS environment, leveraging Terraform for infrastructure as code.

Changes

File Path	Change Summary
.../atlantis/ec2/terragrunt.hcl	Introduced configurations for managing EC2 instances.
.../atlantis/ecr/terragrunt.hcl	Introduced functionality to define and configure an Amazon Elastic Container Registry (ECR) repository.
.../atlantis/security-group/terragrunt.hcl	Introduced functionality to define a security group for the Atlantis application.
.../atlantis/key-pair/terragrunt.hcl	Introduced functionality for managing an AWS key pair.
.../atlantis/alb/terragrunt.hcl	Configured an Application Load Balancer (ALB) using Terraform.
.../atlantis/acm/terragrunt.hcl	Introduced functionality to manage the creation of an AWS ACM (Amazon Certificate Manager) certificate.
.../ecr/terragrunt.hcl	Introduced a new include block and a locals block.

Poem

🐇✨
In the cloud so vast and wide,
Atlantis thrives with Terraform's tide.
Security, balance, keys, and more,
A suite of changes we adore.
🌟🌐

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository from git and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[Fentonhaslam]

atlantis plan

[Fentonhaslam]

atlantis apply -d infra/us-east-1/mgmt/atlantis/ecr

[coderabbitai]

Review Status

Actionable comments generated: 3

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between f56fb53 and d44f50a.

Files selected for processing (3)

• infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl (1 hunks)
• infra/us-east-1/mgmt/atlantis/ecr/terragrunt.hcl (1 hunks)
• infra/us-east-1/mgmt/atlantis/security-group/terragrunt.hcl (1 hunks)

Additional comments: 8

infra/us-east-1/mgmt/atlantis/security-group/terragrunt.hcl (3)

• 1-13: The locals block is well-structured, providing a clear hierarchy and reuse of variables. It's good to see the use of find_in_parent_folders to keep the configuration DRY.
• 15-17: The terraform block specifies the source of the security group module. Ensure that the referenced version v5.1.0 of the terraform-aws-security-group module is compatible with the rest of the infrastructure and Terraform version in use.
• 24-26: The dependency block for the VPC is correctly set up to reference the VPC configuration. However, ensure that the VPC configuration is applied and has the necessary outputs, especially vpc_id, which is used in the inputs block.

infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl (2)

• 1-12: The locals block is well-structured and follows the same pattern as the security-group configuration, which is good for consistency across modules.
• 14-16: The terraform block specifies the source of the EC2 instance module. Ensure that the referenced version v5.6.0 of the terraform-aws-ec2-instance module is compatible with the Terraform version in use.

infra/us-east-1/mgmt/atlantis/ecr/terragrunt.hcl (3)

• 1-39: The locals block is consistent with the other modules, and the lifecycle policy is well-defined with clear rules for managing the ECR repository images.
• 41-43: The terraform block specifies the source of the ECR module. Ensure that the referenced version v1.6.0 of the terraform-aws-ecr module is compatible with the Terraform version in use.
• 45-48: The inputs block correctly sets up the ECR repository with a lifecycle policy. Ensure that the repository_name is unique and follows any naming conventions that may be in place.

[coderabbitai]

The inputs block defines ingress rules with CIDR blocks set to 0.0.0.0/0, which allows unrestricted access. This is a potential security risk. Recommend restricting the ingress to only necessary IP ranges.

-  computed_ingress_cidr_blocks = ["0.0.0.0/0"]
-  ingress_cidr_blocks          = ["0.0.0.0/0"]
+  computed_ingress_cidr_blocks = ["<restricted-ip-range>"]
+  ingress_cidr_blocks          = ["<restricted-ip-range>"]

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	inputs = {
	vpc_id = dependency.vpc.outputs.vpc_id
	computed_ingress_cidr_blocks = ["0.0.0.0/0"]
	ingress_cidr_blocks = ["0.0.0.0/0"]
	}
	inputs = {
	vpc_id = dependency.vpc.outputs.vpc_id
	computed_ingress_cidr_blocks = ["<restricted-ip-range>"]
	ingress_cidr_blocks = ["<restricted-ip-range>"]
	}

[coderabbitai]

The verification process has consistently shown that there is no output for security_group_id in the terragrunt.hcl file within the security group configuration directory. This suggests that the review comment is correct in stating that the security group configuration needs to have the necessary outputs, especially security_group_id, which is not currently present.

Analysis chain

The dependency block for the security group is correctly set up. Ensure that the security group configuration is applied and has the necessary outputs, especially security_group_id, which is used in the inputs block.

Scripts Executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Verify that the security group configuration has been applied and outputs the necessary security_group_id.
rg --type hcl 'output "security_group_id"' infra/us-east-1/mgmt/atlantis/security-group

Length of output: 117

---

---

Script:

#!/bin/bash
# Verify that the security group configuration has the necessary output "security_group_id".
rg 'output "security_group_id"' infra/us-east-1/mgmt/atlantis/security-group

Length of output: 78

---

---

Script:

#!/bin/bash
# List all HCL files in the security group configuration directory to ensure we are not missing any files.
fd '\.hcl$' infra/us-east-1/mgmt/atlantis/security-group

Length of output: 118

---

---

Script:

#!/bin/bash
# Check the contents of the terragrunt.hcl file in the security group configuration directory for the output "security_group_id".
cat infra/us-east-1/mgmt/atlantis/security-group/terragrunt.hcl | rg 'output "security_group_id"'

Length of output: 99

[coderabbitai]

The inputs block sets up the EC2 instance with a t2.micro instance type and an IAM role with AdministratorAccess. This is a potential security risk as it grants broad permissions to the EC2 instance. Recommend using a least privilege role specific to the instance's needs.

-      AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
+      # Replace with a policy that follows the principle of least privilege
+      CustomLimitedAccess = "arn:aws:iam::aws:policy/CustomLimitedAccessPolicy"

---

Committable suggestion

❗ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	inputs = {
	name = local.name
	instance_type = "t2.micro"
	create_iam_instance_profile = true
	iam_role_description = "IAM role for EC2 instance"
	iam_role_policies = {
	AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
	}
	subnet_id = dependency.vpc.outputs.public_subnets[0]
	vpc_security_group_ids = [dependency.security_group.outputs.security_group_id]
	inputs = {
	name = local.name
	instance_type = "t2.micro"
	create_iam_instance_profile = true
	iam_role_description = "IAM role for EC2 instance"
	iam_role_policies = {
	# Replace with a policy that follows the principle of least privilege
	CustomLimitedAccess = "arn:aws:iam::aws:policy/CustomLimitedAccessPolicy"
	}
	subnet_id = dependency.vpc.outputs.public_subnets[0]
	vpc_security_group_ids = [dependency.security_group.outputs.security_group_id]

</details>
<!-- suggestion_end -->

<!-- This is an auto-generated comment by CodeRabbit -->

[Fentonhaslam]

atlantis apply

[Fentonhaslam]

atlantis unlock

[Fentonhaslam]

atlantis plan

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between d44f50a and 885c64b.

Files selected for processing (1)

• infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 885c64b and 896caa1.

Files selected for processing (1)

• infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• infra/us-east-1/mgmt/atlantis/ec2/terragrunt.hcl

[Fentonhaslam]

atlantis apply -d infra/us-east-1/mgmt/atlantis/ec2

[Fentonhaslam]

atlantis apply -d infra/us-east-1/mgmt/atlantis/ec2

[Fentonhaslam]

atlantis unlock

[iog-sc-bot]

Failed to delete PR locks

[Fentonhaslam]

atlantis apply -d infra/us-east-1/mgmt/atlantis/alb

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 82d2c01 and 7827459.

Files selected for processing (1)

• infra/us-east-1/mgmt/atlantis/alb/terragrunt.hcl (1 hunks)

Files skipped from review as they are similar to previous changes (1)

• infra/us-east-1/mgmt/atlantis/alb/terragrunt.hcl

[Fentonhaslam]

atlantis plan

[Fentonhaslam]

atlantis apply -d infra/us-east-1/mgmt/atlantis/alb

[Fentonhaslam]

atlantis show -d infra/us-east-1/mgmt/atlantis/key-pair

[iog-sc-bot]

Error: unknown command "show".
Run 'atlantis --help' for usage.
Available commands(--allow-commands): version, plan, apply, unlock, approve_policies

[Fentonhaslam]

atlantis apply

[Fentonhaslam]

atlantis unlock

[Fentonhaslam]

atlantis plan

[Fentonhaslam]

atlantis apply

[iog-sc-bot]

Ran Apply for 6 projects:

1. dir: infra/us-east-1/mgmt/atlantis/key-pair workspace: default
2. dir: infra/us-east-1/mgmt/atlantis/acm workspace: default
3. dir: infra/us-east-1/mgmt/atlantis/ecr workspace: default
4. dir: infra/us-east-1/mgmt/atlantis/ec2 workspace: default
5. dir: infra/us-east-1/mgmt/atlantis/alb workspace: default
6. dir: infra/us-east-1/mgmt/atlantis/security-group workspace: default

1. dir: infra/us-east-1/mgmt/atlantis/key-pair workspace: default

Show Output

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

key_pair_arn = "arn:aws:ec2:us-east-1:677160962006:key-pair/scde-atlantis-kp"
key_pair_fingerprint = "e7:8f:be:57:8d:71:1e:b6:9b:50:98:54:4e:7d:7d:37"
key_pair_id = "key-0c7a5b72d8805804a"
key_pair_name = "scde-atlantis-kp"
private_key_id = "19f7310653d8eb5bfb002386149ab1e46cacaa88"
private_key_openssh = <sensitive>
private_key_pem = <sensitive>
public_key_fingerprint_md5 = "51:c8:69:89:e8:87:98:9d:c8:79:ef:24:4a:52:06:76"
public_key_fingerprint_sha256 = "SHA256:4a1q/OWQb7ajWkS7T68sfW+zewTYyisgiLU6hX3tAW4"
public_key_openssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3iBHN4u65Uba57ou0joY3EQQDMBoN6r5tvAGcDbYo4YIw/6snEH7LnGFBmWz1Lpt8RJiZ0u3eZA7xKlFsmxLkOTg3S/Yk82Y08MIT8nWNFBNHQtVlPDuld3FdNebxX9AY0DrO/Bi/Mtqj1jYtlri6ld7p15O0hv2VNRGoZNjQWrHFmXPGAeSekYeB6nsDaQV5twk1FBxznbRLtThvRjjydNNKQcrAlLdhDIesSU84FrX+Zm3Dpe0UG363AgPq27zMjmKjIA3OXy7jjt10OBBo58a4GAdPn99s7AlddKoyTL9ZW81dLCrP18MBe2sPY9FWvPxW+bsQ3mNonjqFR8EbKyXRzV5chcAoGdp2cA+lJVSJaR1MuMcJVtM85MEHkb69mb09V1Ix5BwAfHYIy2fsaRk5xJZsSzFbHgpJg0CmJli8Xi+vszr0iV0sdbKwJgjtvbrDfe+gx50Z6fTQEvsXPr/1qFmAhhdpDN4fEhqX0SmyzPGVXXV70cUA7ZP6zrOetVU3H1fbKvOdOHTcUilSkkS39KU1xApdj6v0kEYsaMMwjRW+fGDhAoi/0Wgtye/4h+YKcu1g7ZK2Soo/Tid5pHVTdYwR19+AyoIUAc+QbzisXBo5VzIgcXscVaeNVJkQIAy/QcjTAPPH2qJN1LqaLKEu6Yp8aKO7pYmS3S74Kw=="
public_key_pem = <<EOT
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt4gRzeLuuVG2ue6LtI6G
NxEEAzAaDeq+bbwBnA22KOGCMP+rJxB+y5xhQZls9S6bfESYmdLt3mQO8SpRbJsS
5Dk4N0v2JPNmNPDCE/J1jRQTR0LVZTw7pXdxXTXm8V/QGNA6zvwYvzLao9Y2LZa4
upXe6deTtIb9lTURqGTY0FqxxZlzxgHknpGHgep7A2kFebcJNRQcc520S7U4b0Y4
8nTTSkHKwJS3YQyHrElPOBa1/mZtw6XtFBt+twID6tu8zI5ioyANzl8u447ddDgQ
aOfGuBgHT5/fbOwJXXSqMky/WVvNXSwqz9fDAXtrD2PRVrz8Vvm7EN5jaJ46hUfB
Gysl0c1eXIXAKBnadnAPpSVUiWkdTLjHCVbTPOTBB5G+vZm9PVdSMeQcAHx2CMtn
7GkZOcSWbEsxWx4KSYNApiZYvF4vr7M69IldLHWysCYI7b26w33voMedGen00BL7
Fz6/9ahZgIYXaQzeHxIal9EpsszxlV11e9HFAO2T+s6znrVVNx9X2yrznTh03FIp
UpJEt/SlNcQKXY+r9JBGLGjDMI0Vvnxg4QKIv9FoLcnv+IfmCnLtYO2StkqKP04n
eaR1U3WMEdffgMqCFAHPkG84rFwaOVcyIHF7HFWnjVSZECAMv0HI0wDzx9qiTdS6
miyhLumKfGiju6WJkt0u+CsCAwEAAQ==
-----END PUBLIC KEY-----
EOT

---

2. dir: infra/us-east-1/mgmt/atlantis/acm workspace: default

Show Output

time=2024-01-19T10:48:37Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-acm.git. Relative paths in downloaded Terraform code may not work.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

acm_certificate_arn = "arn:aws:acm:us-east-1:677160962006:certificate/b360289d-9c8d-441c-877b-d56f20fbc339"
acm_certificate_domain_validation_options = [
  {
    "domain_name" = "atlantis-ec2.scdev.aws.iohkdev.io"
    "resource_record_name" = "_1c934b66f42d41ba3037ffbabf0fcba1.atlantis-ec2.scdev.aws.iohkdev.io."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "_6852d372bfcca6fdad4e4247d6e7c13c.mhbtsbpdnt.acm-validations.aws."
  },
]
acm_certificate_status = "ISSUED"
acm_certificate_validation_emails = []
distinct_domain_names = tolist([
  "atlantis-ec2.scdev.aws.iohkdev.io",
])
validation_domains = tolist([
  {
    "domain_name" = "atlantis-ec2.scdev.aws.iohkdev.io"
    "resource_record_name" = "_1c934b66f42d41ba3037ffbabf0fcba1.atlantis-ec2.scdev.aws.iohkdev.io."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "_6852d372bfcca6fdad4e4247d6e7c13c.mhbtsbpdnt.acm-validations.aws."
  },
])
validation_route53_record_fqdns = [
  "_1c934b66f42d41ba3037ffbabf0fcba1.atlantis-ec2.scdev.aws.iohkdev.io",
]

---

3. dir: infra/us-east-1/mgmt/atlantis/ecr workspace: default

Apply Error

Show Output

running "terragrunt apply $PLANFILE" in "/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ecr": exit status 1: running "terragrunt apply $PLANFILE" in "/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ecr": 
time=2024-01-19T10:48:37Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-ecr.git. Relative paths in downloaded Terraform code may not work.
aws_ecr_repository.this[0]: Creating...
╷
│ Error: creating ECR Repository (scde): RepositoryAlreadyExistsException: The repository with name 'scde' already exists in the registry with id '677160962006'
│ 
│   with aws_ecr_repository.this[0],
│   on main.tf line 138, in resource "aws_ecr_repository" "this":
│  138: resource "aws_ecr_repository" "this" {
│ 
╵
time=2024-01-19T10:49:04Z level=error msg=Terraform invocation failed in /atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ecr/.terragrunt-cache/CtRGPuK1ykKEI5YIt2YezBHXidw/2Wjc5Mf9WenPnlVdrxT3snzTDbs prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ecr] 
time=2024-01-19T10:49:04Z level=error msg=1 error occurred:
	* [/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ecr/.terragrunt-cache/CtRGPuK1ykKEI5YIt2YezBHXidw/2Wjc5Mf9WenPnlVdrxT3snzTDbs] exit status 1

---

4. dir: infra/us-east-1/mgmt/atlantis/ec2 workspace: default

Show Output

time=2024-01-19T10:48:38Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-vpc.git. Relative paths in downloaded Terraform code may not work. prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/vpc] 
time=2024-01-19T10:49:08Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-ec2-instance.git. Relative paths in downloaded Terraform code may not work.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

ami = "ami-02aead0a55359d6ec"
arn = "arn:aws:ec2:us-east-1:677160962006:instance/i-0899e81b556a77bd0"
availability_zone = "us-east-1a"
capacity_reservation_specification = tolist([
  {
    "capacity_reservation_preference" = "open"
    "capacity_reservation_target" = tolist([])
  },
])
ebs_block_device = toset([])
ephemeral_block_device = toset([])
iam_instance_profile_arn = "arn:aws:iam::677160962006:instance-profile/atlantis-20240117195316072100000002"
iam_instance_profile_id = "atlantis-20240117195316072100000002"
iam_instance_profile_unique = "AIPAZ3KPQI7LF27YGXMGF"
iam_role_arn = "arn:aws:iam::677160962006:role/atlantis-20240117195315844800000001"
iam_role_name = "atlantis-20240117195315844800000001"
iam_role_unique_id = "AROAZ3KPQI7LHL72N3GBH"
id = "i-0899e81b556a77bd0"
instance_state = "running"
ipv6_addresses = tolist([])
outpost_arn = ""
password_data = ""
primary_network_interface_id = "eni-0d05fa96ad0770fe1"
private_dns = "ip-10-100-8-233.ec2.internal"
private_ip = "10.100.8.233"
public_dns = "ec2-3-86-40-110.compute-1.amazonaws.com"
public_ip = "3.86.40.110"
root_block_device = tolist([
  {
    "delete_on_termination" = true
    "device_name" = "/dev/xvda"
    "encrypted" = false
    "iops" = 100
    "kms_key_id" = ""
    "tags" = tomap({})
    "throughput" = 0
    "volume_id" = "vol-055ecfcde8877f36e"
    "volume_size" = 8
    "volume_type" = "gp2"
  },
])
tags_all = tomap({
  "Environment" = "mgmt"
  "Name" = "atlantis"
  "Organization" = "iog"
  "Project" = "scde"
  "Terraform" = "true"
  "Tribe" = "smartcontracts"
})

---

5. dir: infra/us-east-1/mgmt/atlantis/alb workspace: default

Show Output

time=2024-01-19T10:48:38Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-vpc.git. Relative paths in downloaded Terraform code may not work. prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/vpc] 
time=2024-01-19T10:48:38Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-acm.git. Relative paths in downloaded Terraform code may not work. prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/acm] 
time=2024-01-19T10:48:38Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-ec2-instance.git. Relative paths in downloaded Terraform code may not work. prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/atlantis/ec2] 
time=2024-01-19T10:49:07Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-alb.git. Relative paths in downloaded Terraform code may not work.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

arn = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d"
arn_suffix = "app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d"
dns_name = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com"
id = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d"
listener_rules = {}
listeners = {
  "http-https-redirect" = {
    "alpn_policy" = tostring(null)
    "arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6"
    "certificate_arn" = tostring(null)
    "default_action" = tolist([
      {
        "authenticate_cognito" = tolist([])
        "authenticate_oidc" = tolist([])
        "fixed_response" = tolist([])
        "forward" = tolist([])
        "order" = 1
        "redirect" = tolist([
          {
            "host" = "#{host}"
            "path" = "/#{path}"
            "port" = "443"
            "protocol" = "HTTPS"
            "query" = "#{query}"
            "status_code" = "HTTP_301"
          },
        ])
        "target_group_arn" = ""
        "type" = "redirect"
      },
    ])
    "id" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6"
    "load_balancer_arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d"
    "mutual_authentication" = tolist([])
    "port" = 80
    "protocol" = "HTTP"
    "ssl_policy" = ""
    "tags" = tomap({
      "terraform-aws-modules" = "alb"
    })
    "tags_all" = tomap({
      "Environment" = "mgmt"
      "Organization" = "iog"
      "Project" = "scde"
      "Terraform" = "true"
      "Tribe" = "smartcontracts"
      "terraform-aws-modules" = "alb"
    })
    "timeouts" = null /* object */
  }
  "https" = {
    "alpn_policy" = tostring(null)
    "arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c"
    "certificate_arn" = "arn:aws:acm:us-east-1:677160962006:certificate/b360289d-9c8d-441c-877b-d56f20fbc339"
    "default_action" = tolist([
      {
        "authenticate_cognito" = tolist([])
        "authenticate_oidc" = tolist([])
        "fixed_response" = tolist([])
        "forward" = tolist([])
        "order" = 1
        "redirect" = tolist([])
        "target_group_arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:targetgroup/atlantis-ec2/87e14a26ffc2f145"
        "type" = "forward"
      },
    ])
    "id" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c"
    "load_balancer_arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d"
    "mutual_authentication" = tolist([
      {
        "ignore_client_certificate_expiry" = false
        "mode" = "off"
        "trust_store_arn" = ""
      },
    ])
    "port" = 443
    "protocol" = "HTTPS"
    "ssl_policy" = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
    "tags" = tomap({
      "terraform-aws-modules" = "alb"
    })
    "tags_all" = tomap({
      "Environment" = "mgmt"
      "Organization" = "iog"
      "Project" = "scde"
      "Terraform" = "true"
      "Tribe" = "smartcontracts"
      "terraform-aws-modules" = "alb"
    })
    "timeouts" = null /* object */
  }
}
route53_records = {
  "A" = {
    "alias" = tolist([
      {
        "evaluate_target_health" = true
        "name" = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com"
        "zone_id" = "Z35SXDOTRQ7X7K"
      },
    ])
    "allow_overwrite" = tobool(null)
    "cidr_routing_policy" = tolist([])
    "failover_routing_policy" = tolist([])
    "fqdn" = "atlantis-ec2.scdev.aws.iohkdev.io"
    "geolocation_routing_policy" = tolist([])
    "health_check_id" = ""
    "id" = "Z10147571DRRDCJXSER5Y_atlantis-ec2_A"
    "latency_routing_policy" = tolist([])
    "multivalue_answer_routing_policy" = false
    "name" = "atlantis-ec2"
    "records" = toset([])
    "set_identifier" = ""
    "ttl" = 0
    "type" = "A"
    "weighted_routing_policy" = tolist([])
    "zone_id" = "Z10147571DRRDCJXSER5Y"
  }
  "AAA" = {
    "alias" = tolist([
      {
        "evaluate_target_health" = true
        "name" = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com"
        "zone_id" = "Z35SXDOTRQ7X7K"
      },
    ])
    "allow_overwrite" = tobool(null)
    "cidr_routing_policy" = tolist([])
    "failover_routing_policy" = tolist([])
    "fqdn" = "atlantis-ec2.scdev.aws.iohkdev.io"
    "geolocation_routing_policy" = tolist([])
    "health_check_id" = ""
    "id" = "Z10147571DRRDCJXSER5Y_atlantis-ec2_AAAA"
    "latency_routing_policy" = tolist([])
    "multivalue_answer_routing_policy" = false
    "name" = "atlantis-ec2"
    "records" = toset([])
    "set_identifier" = ""
    "ttl" = 0
    "type" = "AAAA"
    "weighted_routing_policy" = tolist([])
    "zone_id" = "Z10147571DRRDCJXSER5Y"
  }
}
security_group_arn = "arn:aws:ec2:us-east-1:677160962006:security-group/sg-023fc92822411454a"
security_group_id = "sg-023fc92822411454a"
target_groups = {
  "atlantis-ec2" = {
    "arn" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:targetgroup/atlantis-ec2/87e14a26ffc2f145"
    "arn_suffix" = "targetgroup/atlantis-ec2/87e14a26ffc2f145"
    "connection_termination" = tobool(null)
    "deregistration_delay" = "300"
    "health_check" = tolist([
      {
        "enabled" = true
        "healthy_threshold" = 5
        "interval" = 30
        "matcher" = "200"
        "path" = "/healthz"
        "port" = "4141"
        "protocol" = "HTTP"
        "timeout" = 5
        "unhealthy_threshold" = 2
      },
    ])
    "id" = "arn:aws:elasticloadbalancing:us-east-1:677160962006:targetgroup/atlantis-ec2/87e14a26ffc2f145"
    "ip_address_type" = "ipv4"
    "lambda_multi_value_headers_enabled" = false
    "load_balancing_algorithm_type" = "round_robin"
    "load_balancing_anomaly_mitigation" = "off"
    "load_balancing_cross_zone_enabled" = "true"
    "name" = "atlantis-ec2"
    "name_prefix" = ""
    "port" = 4141
    "preserve_client_ip" = tostring(null)
    "protocol" = "HTTP"
    "protocol_version" = "HTTP1"
    "proxy_protocol_v2" = false
    "slow_start" = 0
    "stickiness" = tolist([
      {
        "cookie_duration" = 86400
        "cookie_name" = ""
        "enabled" = false
        "type" = "lb_cookie"
      },
    ])
    "tags" = tomap({
      "terraform-aws-modules" = "alb"
    })
    "tags_all" = tomap({
      "Environment" = "mgmt"
      "Organization" = "iog"
      "Project" = "scde"
      "Terraform" = "true"
      "Tribe" = "smartcontracts"
      "terraform-aws-modules" = "alb"
    })
    "target_failover" = tolist([
      {
        "on_deregistration" = tostring(null)
        "on_unhealthy" = tostring(null)
      },
    ])
    "target_health_state" = tolist([
      {
        "enable_unhealthy_connection_termination" = tobool(null)
      },
    ])
    "target_type" = "instance"
    "vpc_id" = "vpc-05d9f25d63d8ffb04"
  }
}
zone_id = "Z35SXDOTRQ7X7K"

---

6. dir: infra/us-east-1/mgmt/atlantis/security-group workspace: default

time=2024-01-19T10:48:59Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-vpc.git. Relative paths in downloaded Terraform code may not work. prefix=[/atlantis-data/repos/input-output-hk/sc-dev-platform/121/default/infra/us-east-1/mgmt/vpc] 

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

security_group_arn = "arn:aws:ec2:us-east-1:677160962006:security-group/sg-0e60b9696d130d49e"
security_group_description = "Security Group managed by Terraform"
security_group_id = "sg-0e60b9696d130d49e"
security_group_name = "scde-20240117080847589900000001"
security_group_owner_id = "677160962006"
security_group_vpc_id = "vpc-05d9f25d63d8ffb04"

---

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 7827459 and 365c70a.

Files selected for processing (2)

• infra/us-east-1/mgmt/atlantis/alb/terragrunt.hcl (1 hunks)
• infra/us-east-1/mgmt/ecr/terragrunt.hcl (1 hunks)

Files skipped from review due to trivial changes (1)

• infra/us-east-1/mgmt/ecr/terragrunt.hcl

Files skipped from review as they are similar to previous changes (1)

• infra/us-east-1/mgmt/atlantis/alb/terragrunt.hcl

[iog-sc-bot]

Ran Plan for 6 projects:

1. dir: infra/us-east-1/mgmt/atlantis/acm workspace: default
2. dir: infra/us-east-1/mgmt/atlantis/key-pair workspace: default
3. dir: infra/us-east-1/mgmt/atlantis/security-group workspace: default
4. dir: infra/us-east-1/mgmt/atlantis/alb workspace: default
5. dir: infra/us-east-1/mgmt/atlantis/ec2 workspace: default
6. dir: infra/us-east-1/mgmt/ecr workspace: default

4. dir: infra/us-east-1/mgmt/atlantis/alb workspace: default

Show Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
+/- create replacement and then destroy

Terraform will perform the following actions:

  # aws_lb.this[0] must be replaced
-/+ resource "aws_lb" "this" {
!       arn                                                          = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!       arn_suffix                                                   = "app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!       dns_name                                                     = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
-       enable_cross_zone_load_balancing                             = true -> null
+       enforce_security_group_inbound_rules_on_private_link_traffic = (known after apply)
!       id                                                           = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!       internal                                                     = false -> (known after apply)
!       ip_address_type                                              = "ipv4" -> (known after apply)
!       name                                                         = "atlantis-mgmt-smartcontracts-alb" -> "atlantis-ec2-alb" # forces replacement
+       name_prefix                                                  = (known after apply)
!       security_groups                                              = [
-           "sg-023fc92822411454a",
        ] -> (known after apply)
        tags                                                         = {
            "terraform-aws-modules" = "alb"
        }
!       vpc_id                                                       = "vpc-05d9f25d63d8ffb04" -> (known after apply)
!       zone_id                                                      = "Z35SXDOTRQ7X7K" -> (known after apply)
        # (13 unchanged attributes hidden)

-       access_logs {
-           enabled = false -> null
        }

-       connection_logs {
-           enabled = false -> null
        }

-       subnet_mapping {
-           subnet_id = "subnet-06b0cea9c49f5b5aa" -> null
        }
-       subnet_mapping {
-           subnet_id = "subnet-07b8a937d49c2a72a" -> null
        }

        # (1 unchanged block hidden)
    }

  # aws_lb_listener.this["http-https-redirect"] must be replaced
-/+ resource "aws_lb_listener" "this" {
!       arn               = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6" -> (known after apply)
!       id                = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6" -> (known after apply)
!       load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" # forces replacement -> (known after apply) # forces replacement
+       ssl_policy        = (known after apply)
        tags              = {
            "terraform-aws-modules" = "alb"
        }
        # (3 unchanged attributes hidden)

!       default_action {
!           order = 1 -> (known after apply)
            # (1 unchanged attribute hidden)

            # (1 unchanged block hidden)
        }
    }

  # aws_lb_listener.this["https"] must be replaced
-/+ resource "aws_lb_listener" "this" {
!       arn               = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c" -> (known after apply)
!       id                = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c" -> (known after apply)
!       load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" # forces replacement -> (known after apply) # forces replacement
        tags              = {
            "terraform-aws-modules" = "alb"
        }
        # (5 unchanged attributes hidden)

!       default_action {
!           order            = 1 -> (known after apply)
            # (2 unchanged attributes hidden)
        }

-       mutual_authentication {
-           ignore_client_certificate_expiry = false -> null
-           mode                             = "off" -> null
        }
    }

  # aws_route53_record.this["A"] will be updated in-place
!   resource "aws_route53_record" "this" {
        id                               = "Z10147571DRRDCJXSER5Y_atlantis-ec2_A"
        name                             = "atlantis-ec2"
        # (6 unchanged attributes hidden)

!       alias {
!           name                   = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
!           zone_id                = "Z35SXDOTRQ7X7K" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # aws_route53_record.this["AAA"] will be updated in-place
!   resource "aws_route53_record" "this" {
        id                               = "Z10147571DRRDCJXSER5Y_atlantis-ec2_AAAA"
        name                             = "atlantis-ec2"
        # (6 unchanged attributes hidden)

!       alias {
!           name                   = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
!           zone_id                = "Z35SXDOTRQ7X7K" -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # aws_security_group.this[0] must be replaced
+/- resource "aws_security_group" "this" {
!       arn                    = "arn:aws:ec2:us-east-1:677160962006:security-group/sg-023fc92822411454a" -> (known after apply)
!       description            = "Security group for atlantis-mgmt-smartcontracts-alb application load balancer" -> "Security group for atlantis-ec2-alb application load balancer" # forces replacement
!       egress                 = [
-           {
-               cidr_blocks      = [
-                   "10.100.0.0/16",
                ]
-               description      = ""
-               from_port        = 0
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "-1"
-               security_groups  = []
-               self             = false
-               to_port          = 0
            },
        ] -> (known after apply)
!       id                     = "sg-023fc92822411454a" -> (known after apply)
!       ingress                = [
-           {
-               cidr_blocks      = [
-                   "0.0.0.0/0",
                ]
-               description      = "HTTP web traffic"
-               from_port        = 80
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 82
            },
-           {
-               cidr_blocks      = [
-                   "0.0.0.0/0",
                ]
-               description      = "HTTPS web traffic"
-               from_port        = 443
-               ipv6_cidr_blocks = []
-               prefix_list_ids  = []
-               protocol         = "tcp"
-               security_groups  = []
-               self             = false
-               to_port          = 445
            },
        ] -> (known after apply)
!       name                   = "atlantis-mgmt-smartcontracts-alb-20240117195316750200000001" -> (known after apply)
!       name_prefix            = "atlantis-mgmt-smartcontracts-alb-" -> "atlantis-ec2-alb-" # forces replacement
!       owner_id               = "677160962006" -> (known after apply)
        tags                   = {
            "terraform-aws-modules" = "alb"
        }
        # (3 unchanged attributes hidden)
    }

  # aws_vpc_security_group_egress_rule.this["all"] must be replaced
-/+ resource "aws_vpc_security_group_egress_rule" "this" {
!       arn                    = "arn:aws:ec2:us-east-1:677160962006:security-group-rule/sgr-098bd884fb4d2c6ee" -> (known after apply)
!       id                     = "sgr-098bd884fb4d2c6ee" -> (known after apply)
!       security_group_id      = "sg-023fc92822411454a" # forces replacement -> (known after apply) # forces replacement
!       security_group_rule_id = "sgr-098bd884fb4d2c6ee" -> (known after apply)
        tags                   = {
            "terraform-aws-modules" = "alb"
        }
        # (3 unchanged attributes hidden)
    }

  # aws_vpc_security_group_ingress_rule.this["all_http"] must be replaced
-/+ resource "aws_vpc_security_group_ingress_rule" "this" {
!       arn                    = "arn:aws:ec2:us-east-1:677160962006:security-group-rule/sgr-0521ddb8439620bbb" -> (known after apply)
!       id                     = "sgr-0521ddb8439620bbb" -> (known after apply)
!       security_group_id      = "sg-023fc92822411454a" # forces replacement -> (known after apply) # forces replacement
!       security_group_rule_id = "sgr-0521ddb8439620bbb" -> (known after apply)
        tags                   = {
            "terraform-aws-modules" = "alb"
        }
        # (6 unchanged attributes hidden)
    }

  # aws_vpc_security_group_ingress_rule.this["all_https"] must be replaced
-/+ resource "aws_vpc_security_group_ingress_rule" "this" {
!       arn                    = "arn:aws:ec2:us-east-1:677160962006:security-group-rule/sgr-0b821f73104adbb94" -> (known after apply)
!       id                     = "sgr-0b821f73104adbb94" -> (known after apply)
!       security_group_id      = "sg-023fc92822411454a" # forces replacement -> (known after apply) # forces replacement
!       security_group_rule_id = "sgr-0b821f73104adbb94" -> (known after apply)
        tags                   = {
            "terraform-aws-modules" = "alb"
        }
        # (6 unchanged attributes hidden)
    }

Plan: 7 to add, 2 to change, 7 to destroy.

Changes to Outputs:
!   arn                = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!   arn_suffix         = "app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!   dns_name           = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
!   id                 = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!   listeners          = {
!       http-https-redirect = {
!           arn                   = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6" -> (known after apply)
!           default_action        = [
!               {
!                   order                = 1 -> (known after apply)
!                   target_group_arn     = "" -> null
                    # (6 unchanged attributes hidden)
                },
            ]
!           id                    = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/d272a1aa9789abc6" -> (known after apply)
!           load_balancer_arn     = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!           mutual_authentication = [] -> (known after apply)
!           ssl_policy            = "" -> (known after apply)
            tags                  = {
                terraform-aws-modules = "alb"
            }
            # (6 unchanged attributes hidden)
        }
!       https               = {
!           arn                   = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c" -> (known after apply)
!           default_action        = [
!               {
!                   order                = 1 -> (known after apply)
                    # (7 unchanged attributes hidden)
                },
            ]
!           id                    = "arn:aws:elasticloadbalancing:us-east-1:677160962006:listener/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d/c84f2ee31ae7433c" -> (known after apply)
!           load_balancer_arn     = "arn:aws:elasticloadbalancing:us-east-1:677160962006:loadbalancer/app/atlantis-mgmt-smartcontracts-alb/648e5a511365f99d" -> (known after apply)
!           mutual_authentication = [
-               {
-                   ignore_client_certificate_expiry = false
-                   mode                             = "off"
-                   trust_store_arn                  = ""
                },
            ] -> (known after apply)
            tags                  = {
                terraform-aws-modules = "alb"
            }
            # (7 unchanged attributes hidden)
        }
    }
!   route53_records    = {
!       A   = {
!           alias                            = [
!               {
!                   name                   = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
!                   zone_id                = "Z35SXDOTRQ7X7K" -> (known after apply)
                    # (1 unchanged attribute hidden)
                },
            ]
            id                               = "Z10147571DRRDCJXSER5Y_atlantis-ec2_A"
            name                             = "atlantis-ec2"
            # (14 unchanged attributes hidden)
        }
!       AAA = {
!           alias                            = [
!               {
!                   name                   = "atlantis-mgmt-smartcontracts-alb-329464703.us-east-1.elb.amazonaws.com" -> (known after apply)
!                   zone_id                = "Z35SXDOTRQ7X7K" -> (known after apply)
                    # (1 unchanged attribute hidden)
                },
            ]
            id                               = "Z10147571DRRDCJXSER5Y_atlantis-ec2_AAAA"
            name                             = "atlantis-ec2"
            # (14 unchanged attributes hidden)
        }
    }
!   security_group_arn = "arn:aws:ec2:us-east-1:677160962006:security-group/sg-023fc92822411454a" -> (known after apply)
!   security_group_id  = "sg-023fc92822411454a" -> (known after apply)
!   zone_id            = "Z35SXDOTRQ7X7K" -> (known after apply)

• ▶️ To apply this plan, comment:
  • atlantis apply -d infra/us-east-1/mgmt/atlantis/alb
• 🚮 To delete this plan click here
• 🔁 To plan this project again, comment:
  • atlantis plan -d infra/us-east-1/mgmt/atlantis/alb

Plan: 7 to add, 2 to change, 7 to destroy.

---

6. dir: infra/us-east-1/mgmt/ecr workspace: default

Show Output

time=2024-01-19T10:52:45Z level=warning msg=No double-slash (//) found in source URL /terraform-aws-modules/terraform-aws-ecr.git. Relative paths in downloaded Terraform code may not work.

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 4.22.0"...
- Installing hashicorp/aws v5.33.0...
- Installed hashicorp/aws v5.33.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!
data.aws_caller_identity.current: Reading...
data.aws_partition.current: Reading...
data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_caller_identity.current: Read complete after 0s [id=677160962006]
data.aws_iam_policy_document.repository[0]: Reading...
data.aws_iam_policy_document.repository[0]: Read complete after 0s [id=3792795651]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_ecr_lifecycle_policy.this[0] will be created
+   resource "aws_ecr_lifecycle_policy" "this" {
+       id          = (known after apply)
+       policy      = jsonencode(
            {
+               rules = [
+                   {
+                       action       = {
+                           type = "expire"
                        }
+                       description  = "keep last 20 images"
+                       rulePriority = 10
+                       selection    = {
+                           countNumber = 20
+                           countType   = "imageCountMoreThan"
+                           tagStatus   = "any"
                        }
                    },
+                   {
+                       action       = {
+                           type = "expire"
                        }
+                       description  = "Expire untagged images older than 14 days"
+                       rulePriority = 1
+                       selection    = {
+                           countNumber = 1
+                           countType   = "sinceImagePushed"
+                           countUnit   = "days"
+                           tagStatus   = "untagged"
                        }
                    },
                ]
            }
        )
+       registry_id = (known after apply)
+       repository  = "scde"
    }

  # aws_ecr_repository.this[0] will be created
+   resource "aws_ecr_repository" "this" {
+       arn                  = (known after apply)
+       id                   = (known after apply)
+       image_tag_mutability = "IMMUTABLE"
+       name                 = "scde"
+       registry_id          = (known after apply)
+       repository_url       = (known after apply)
+       tags_all             = {
+           "Environment"  = "mgmt"
+           "Organization" = "iog"
+           "Project"      = "scde"
+           "Terraform"    = "true"
+           "Tribe"        = "smartcontracts"
        }

+       encryption_configuration {
+           encryption_type = "AES256"
+           kms_key         = (known after apply)
        }

+       image_scanning_configuration {
+           scan_on_push = true
        }
    }

  # aws_ecr_repository_policy.this[0] will be created
+   resource "aws_ecr_repository_policy" "this" {
+       id          = (known after apply)
+       policy      = jsonencode(
            {
+               Statement = [
+                   {
+                       Action    = [
+                           "ecr:ListTagsForResource",
+                           "ecr:ListImages",
+                           "ecr:GetRepositoryPolicy",
+                           "ecr:GetLifecyclePolicyPreview",
+                           "ecr:GetLifecyclePolicy",
+                           "ecr:GetDownloadUrlForLayer",
+                           "ecr:GetAuthorizationToken",
+                           "ecr:DescribeRepositories",
+                           "ecr:DescribeImages",
+                           "ecr:DescribeImageScanFindings",
+                           "ecr:BatchGetImage",
+                           "ecr:BatchCheckLayerAvailability",
                        ]
+                       Effect    = "Allow"
+                       Principal = {
+                           AWS = "arn:aws:iam::677160962006:root"
                        }
+                       Sid       = "PrivateReadOnly"
                    },
                ]
+               Version   = "2012-10-17"
            }
        )
+       registry_id = (known after apply)
+       repository  = "scde"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
+   repository_arn         = (known after apply)
+   repository_registry_id = (known after apply)
+   repository_url         = (known after apply)

• ▶️ To apply this plan, comment:
  • atlantis apply -d infra/us-east-1/mgmt/ecr
• 🚮 To delete this plan click here
• 🔁 To plan this project again, comment:
  • atlantis plan -d infra/us-east-1/mgmt/ecr

Plan: 3 to add, 0 to change, 0 to destroy.

---

• ⏩ To apply all unapplied plans from this pull request, comment:
  • atlantis apply
• 🚮 To delete all plans and locks for the PR, comment:
  • atlantis unlock

[renebarbosafl]

You can get this from dependency outputs. We are managing that zone using Terraform.
See: https://github.com/input-output-hk/sc-dev-platform/blob/main/infra/global/route53/zones/terragrunt.hcl

[renebarbosafl]

I don't think it's necessary. Terragrunt is adding these tags automatically.
See: https://github.com/input-output-hk/sc-dev-platform/blob/main/infra/terragrunt.hcl#L70

[renebarbosafl]

Where is the command to start the atlantis container itself?
How are you starting it?