Approve production TF plans before deployment #370

TylerHendrickson · 2023-09-26T01:10:13Z

Description

This PR modifies the reusable terraform-apply.yml workflow to include configuration parameters that target a specific deployment environment. Although we do not require approval before deploying to Staging (because PRs essentially act as the review-and-approve step), it's useful to have a chance to review Terraform plans before they are applied to Production. Along with these changes, a staging deployment environment is now configured on this repository, without any explicit protection rules, and specified in the deploy-staging.yml workflow when calling terraform-apply.yml. The production environment, which does have protection rules, is specified in the deploy-production.yml eworkflow when calling terraform-apply.yml.

Altogether, the factors considered for allowing automated deployments are:

Staging:
- Plans are generated and reviewed as part of the PR approval process. This is unchanged.
- Plans are applied after merge, without additional approval requirements.
Production:
- Plans are generated when a release is published. This is unchanged.
- The workflow waits for approval before allowing the "Deploy to Production" step to run. This allows approvers the opportunity to review the plan (and reject it if something doesn't look right).
- The plan is applied once/if approval is granted.

Testing

You can review the test workflow runs used to simulate deployment scenarios here.

Manual tests for Reviewer

Added steps to test feature/functionality manually

Checklist

Provided ticket and description
Provided testing information
Provided adequate test coverage for all new code
Added PR reviewers

github-actions · 2023-09-26T01:15:59Z

Terraform Summary

Step	Result
🖌 Terraform Format & Style	✅
⚙️ Terraform Initialization	✅
🤖 Terraform Validation	✅
📖 Terraform Plan	✅

Output

Validation Output

Success! The configuration is valid.

Plan Output

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.PublishGrantEvents.module.lambda_function.aws_lambda_function.this[0] has changed
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-PublishGrantEvents"
      ~ last_modified                  = "2023-09-19T21:59:56.970+0000" -> "2023-09-19T22:00:09.171+0000"
        # (23 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # datadog_metric_metadata.custom["grants_ingest.DownloadFFISSpreadsheet.source_size"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.DownloadFFISSpreadsheet.source_size"
-       type            = "gauge" -> null
        # (6 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.DownloadGrantsGovDB.source_size"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.DownloadGrantsGovDB.source_size"
-       type            = "gauge" -> null
        # (6 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.ExtractGrantsGovDBToXML.xml.extracted"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.ExtractGrantsGovDBToXML.xml.extracted"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.ExtractGrantsGovDBToXML.xml.uploaded"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.ExtractGrantsGovDBToXML.xml.uploaded"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PersistFFISData.opportunity.saved"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PersistFFISData.opportunity.saved"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PersistGrantsGovXMLDB.opportunity.failed"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PersistGrantsGovXMLDB.opportunity.failed"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PersistGrantsGovXMLDB.opportunity.saved"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PersistGrantsGovXMLDB.opportunity.saved"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.event.published"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.event.published"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.grant_data.invalid"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.grant_data.invalid"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.invocation_batch_size"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.invocation_batch_size"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.item_image.build"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.item_image.build"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.item_image.malformatted_field"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.item_image.malformatted_field"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.PublishGrantEvents.record.failed"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.PublishGrantEvents.record.failed"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitFFISSpreadsheet.opportunity.created"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitFFISSpreadsheet.opportunity.created"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitFFISSpreadsheet.spreadsheet.row_count"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitFFISSpreadsheet.spreadsheet.row_count"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitGrantsGovXMLDB.opportunity.created"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitGrantsGovXMLDB.opportunity.created"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitGrantsGovXMLDB.opportunity.failed"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitGrantsGovXMLDB.opportunity.failed"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitGrantsGovXMLDB.opportunity.skipped"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitGrantsGovXMLDB.opportunity.skipped"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # datadog_metric_metadata.custom["grants_ingest.SplitGrantsGovXMLDB.opportunity.updated"] will be updated in-place
  ~ resource "datadog_metric_metadata" "custom" {
        id              = "grants_ingest.SplitGrantsGovXMLDB.opportunity.updated"
-       type            = "gauge" -> null
        # (5 unchanged attributes hidden)
    }

  # module.DownloadFFISSpreadsheet.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "d43fc8e940afd525587a9ea081545d30-3" -> (known after apply)
      ~ id                     = "bb79af5de11ca141bfe21982869b66ce.zip" -> (known after apply)
      ~ key                    = "bb79af5de11ca141bfe21982869b66ce.zip" -> "3a1177181ecb464ebed4d5db3246ee38.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "MqP5ziIZUmB8LXnEnPlsvwEvdGWD1568" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.DownloadFFISSpreadsheet.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-DownloadFFISSpreadsheet"
      ~ last_modified                  = "2023-09-19T18:48:44.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-DownloadFFISSpreadsheet:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-DownloadFFISSpreadsheet:18/invocations" -> (known after apply)
      ~ s3_key                         = "bb79af5de11ca141bfe21982869b66ce.zip" -> "3a1177181ecb464ebed4d5db3246ee38.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                      = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:downloadffisspreadsheet" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:downloadffisspreadsheet"
              ~ "DD_VERSION"                   = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.DownloadFFISSpreadsheet.module.lambda_function.aws_lambda_permission.current_version_triggers["SQSQueueNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "SQSQueueNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (4 unchanged attributes hidden)
    }

  # module.DownloadGrantsGovDB.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "992ef24049433aa7b9cb6dc689894570-3" -> (known after apply)
      ~ id                     = "c222e14e48a0c8af026b3c7dfba43555.zip" -> (known after apply)
      ~ key                    = "c222e14e48a0c8af026b3c7dfba43555.zip" -> "edb764d279c0123d8e8538c425ee1e1c.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "ji6Uj2_NEsUhJR69jgS9peAtwTgzklUQ" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.DownloadGrantsGovDB.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-DownloadGrantsGovDB"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-DownloadGrantsGovDB:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-DownloadGrantsGovDB:18/invocations" -> (known after apply)
      ~ s3_key                         = "c222e14e48a0c8af026b3c7dfba43555.zip" -> "edb764d279c0123d8e8538c425ee1e1c.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                        = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:downloadgrantsgovdb" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:downloadgrantsgovdb"
              ~ "DD_VERSION"                     = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (12 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.DownloadGrantsGovDB.module.lambda_function.aws_lambda_permission.current_version_triggers["Schedule"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "Schedule" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.EnqueueFFISDownload.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "aa3ae7bf941f1232f8fd59772e22b318-3" -> (known after apply)
      ~ id                     = "0dd9af7bd61fa71cf92bb8dc7b8ce86c.zip" -> (known after apply)
      ~ key                    = "0dd9af7bd61fa71cf92bb8dc7b8ce86c.zip" -> "d428deef7f712d87f2496c423935917a.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "bPohGHsW9rRVutvx1mGfLene9IxuoDQp" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.EnqueueFFISDownload.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-EnqueueFFISDownload"
      ~ last_modified                  = "2023-09-19T18:48:50.482+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-EnqueueFFISDownload:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-EnqueueFFISDownload:18/invocations" -> (known after apply)
      ~ s3_key                         = "0dd9af7bd61fa71cf92bb8dc7b8ce86c.zip" -> "d428deef7f712d87f2496c423935917a.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                      = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:enqueueffisdownload" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:enqueueffisdownload"
              ~ "DD_VERSION"                   = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.EnqueueFFISDownload.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ExtractGrantsGovDBToXML.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "fd9705b7d3afdc8ab85c6d435eebefb7-3" -> (known after apply)
      ~ id                     = "881ccea79d5c6ddeffedced99f3070e6.zip" -> (known after apply)
      ~ key                    = "881ccea79d5c6ddeffedced99f3070e6.zip" -> "4691a81b2c15045cf0758fa762e627a8.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "CEssk4SQzSv4SKuENhL3nu6gO7X8PkU7" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ExtractGrantsGovDBToXML.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-ExtractGrantsGovDBToXML"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-ExtractGrantsGovDBToXML:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-ExtractGrantsGovDBToXML:18/invocations" -> (known after apply)
      ~ s3_key                         = "881ccea79d5c6ddeffedced99f3070e6.zip" -> "4691a81b2c15045cf0758fa762e627a8.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                      = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:extractgrantsgovdbtoxml" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:extractgrantsgovdbtoxml"
              ~ "DD_VERSION"                   = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.ExtractGrantsGovDBToXML.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PersistFFISData.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "68da3ff739a1d83e58ccb702e7b7fa16-3" -> (known after apply)
      ~ id                     = "f3720fbd2a28aafaa8532e0854a64b3a.zip" -> (known after apply)
      ~ key                    = "f3720fbd2a28aafaa8532e0854a64b3a.zip" -> "0b3b558ffa9fe7ef4eeb739946679ef7.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "qflee7T51P2Ku7LO9Skd3GdH0yuZAVWv" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PersistFFISData.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-PersistFFISData"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PersistFFISData:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PersistFFISData:18/invocations" -> (known after apply)
      ~ s3_key                         = "f3720fbd2a28aafaa8532e0854a64b3a.zip" -> "0b3b558ffa9fe7ef4eeb739946679ef7.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                       = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:persistffisdata" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:persistffisdata"
              ~ "DD_VERSION"                    = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.PersistFFISData.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PersistGrantsGovXMLDB.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "b81ed2ef113f518d91da7720aa705157-3" -> (known after apply)
      ~ id                     = "f492ac908257b3418ef751c11246c2a9.zip" -> (known after apply)
      ~ key                    = "f492ac908257b3418ef751c11246c2a9.zip" -> "bb4123251f0ddc6c89dd250e8231301d.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "OK1iZ3u_oU_HcDwJ4q5kUYVY6C7._EuZ" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PersistGrantsGovXMLDB.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-PersistGrantsGovXMLDB"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PersistGrantsGovXMLDB:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PersistGrantsGovXMLDB:18/invocations" -> (known after apply)
      ~ s3_key                         = "f492ac908257b3418ef751c11246c2a9.zip" -> "bb4123251f0ddc6c89dd250e8231301d.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                       = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:persistgrantsgovxmldb" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:persistgrantsgovxmldb"
              ~ "DD_VERSION"                    = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.PersistGrantsGovXMLDB.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PublishGrantEvents.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "7c0cb184e10aa35a23af4d93bb601011-3" -> (known after apply)
      ~ id                     = "4b2700a24108879a65e88fb6865ac499.zip" -> (known after apply)
      ~ key                    = "4b2700a24108879a65e88fb6865ac499.zip" -> "ce41b37da25ba73c2cb38d572e9acb37.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "JjT5wdZNYxuHq7Utwge4dvDy5TzTHe1." -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.PublishGrantEvents.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-PublishGrantEvents"
      ~ last_modified                  = "2023-09-19T22:00:09.171+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PublishGrantEvents:19" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-PublishGrantEvents:19/invocations" -> (known after apply)
      ~ s3_key                         = "4b2700a24108879a65e88fb6865ac499.zip" -> "ce41b37da25ba73c2cb38d572e9acb37.zip"
        tags                           = {}
      ~ version                        = "19" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                      = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:publishgrantevents" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:publishgrantevents"
              ~ "DD_VERSION"                   = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (11 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.PublishGrantEvents.module.lambda_function.aws_lambda_permission.current_version_triggers["dynamodb"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "dynamodb" -> (known after apply)
      ~ qualifier           = "19" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ReceiveFFISEmail.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "afca81e3dac6dc7f090e4db09548b56c-3" -> (known after apply)
      ~ id                     = "c7ff490a7fec1c960ff6c71cc3482771.zip" -> (known after apply)
      ~ key                    = "c7ff490a7fec1c960ff6c71cc3482771.zip" -> "86b19102e9c5d1ad069edc474ce4d0d4.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "zC7lQ03UjYvB6rpHDH1J_H6Xwk6L92er" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.ReceiveFFISEmail.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-ReceiveFFISEmail"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-ReceiveFFISEmail:17" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-ReceiveFFISEmail:17/invocations" -> (known after apply)
      ~ s3_key                         = "c7ff490a7fec1c960ff6c71cc3482771.zip" -> "86b19102e9c5d1ad069edc474ce4d0d4.zip"
        tags                           = {}
      ~ version                        = "17" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                        = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:receiveffisemail" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:receiveffisemail"
              ~ "DD_VERSION"                     = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (12 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.ReceiveFFISEmail.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "17" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.SplitFFISSpreadsheet.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "09eb5588a4c6f531150d64c6e348fce5-3" -> (known after apply)
      ~ id                     = "586e352871949de85be5aed2e2bd475a.zip" -> (known after apply)
      ~ key                    = "586e352871949de85be5aed2e2bd475a.zip" -> "b9bf6f7e51c82a2c444d3c8e3c85a978.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "WLHab9C5tRpap0b5kcbiK4GCyDLuEheX" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.SplitFFISSpreadsheet.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-SplitFFISSpreadsheet"
      ~ last_modified                  = "2023-09-19T18:48:50.581+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-SplitFFISSpreadsheet:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-SplitFFISSpreadsheet:18/invocations" -> (known after apply)
      ~ s3_key                         = "586e352871949de85be5aed2e2bd475a.zip" -> "b9bf6f7e51c82a2c444d3c8e3c85a978.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                          = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:splitffisspreadsheet" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:splitffisspreadsheet"
              ~ "DD_VERSION"                       = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (14 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.SplitFFISSpreadsheet.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.SplitGrantsGovXMLDB.module.lambda_artifact.aws_s3_object.lambda_function must be replaced
-/+ resource "aws_s3_object" "lambda_function" {
      ~ bucket_key_enabled     = false -> (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "82a95b3a4a4990c1b791f2e8cffb9eb0-3" -> (known after apply)
      ~ id                     = "c54c0c99ea193845bc78a6c250f81561.zip" -> (known after apply)
      ~ key                    = "c54c0c99ea193845bc78a6c250f81561.zip" -> "f56d7e949ba37af8e0a8b6764d1e3fcd.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "v_c5dtV99j3dR.KKSdrrmtMv8cvZD3EY" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # module.SplitGrantsGovXMLDB.module.lambda_function.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "grants_ingest-SplitGrantsGovXMLDB"
      ~ last_modified                  = "2023-09-19T18:47:48.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-SplitGrantsGovXMLDB:18" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:grants_ingest-SplitGrantsGovXMLDB:18/invocations" -> (known after apply)
      ~ s3_key                         = "c54c0c99ea193845bc78a6c250f81561.zip" -> "f56d7e949ba37af8e0a8b6764d1e3fcd.zip"
        tags                           = {}
      ~ version                        = "18" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_TAGS"                          = "git.commit.sha:60c2bb3b862986864eb4b251161c8caa968ee93c,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:splitgrantsgovxmldb" -> "git.commit.sha:400389ab37d2f4f84da401a6db130bf68dde98fb,git.repository_url:github.com/usdigitalresponse/grants-ingest,handlername:splitgrantsgovxmldb"
              ~ "DD_VERSION"                       = "60c2bb3b862986864eb4b251161c8caa968ee93c" -> "400389ab37d2f4f84da401a6db130bf68dde98fb"
                # (14 unchanged elements hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.SplitGrantsGovXMLDB.module.lambda_function.aws_lambda_permission.current_version_triggers["S3BucketNotification"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "S3BucketNotification" -> (known after apply)
      ~ qualifier           = "18" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 20 to add, 29 to change, 20 to destroy.

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration

TylerHendrickson added 3 commits September 26, 2023 00:52

Fix typo in job name

31b5085

Add approval step

ca84da6

Add a workflow just for testing

9460c6c

TylerHendrickson self-assigned this Sep 26, 2023

github-actions bot added the github Repository automation and configuration label Sep 26, 2023

Satisfy steps requirement for approval jobs

0370854

TylerHendrickson temporarily deployed to production September 26, 2023 01:13 — with GitHub Actions Inactive

Trigger another run

c5b01a0

TylerHendrickson had a problem deploying to production September 26, 2023 01:15 — with GitHub Actions Failure

Add test dependencies

1e0fba3

TylerHendrickson had a problem deploying to production September 26, 2023 01:16 — with GitHub Actions Failure

TylerHendrickson temporarily deployed to production September 26, 2023 01:17 — with GitHub Actions Inactive

TylerHendrickson temporarily deployed to production September 26, 2023 01:19 — with GitHub Actions Inactive

TylerHendrickson added 2 commits September 26, 2023 01:20

Remove test workflow

af76c9a

Re-add test workflow to check staging approval flow

2e2f860

TylerHendrickson temporarily deployed to staging September 26, 2023 01:37 — with GitHub Actions Inactive

TylerHendrickson added 3 commits September 26, 2023 01:39

Remove test workflow

9689cb7

Remove approval step

fba8607

Integrate deployments with environment protection rules

7b8088b

TylerHendrickson added the skip-changelog Excludes a pull request from release notes label Sep 26, 2023

TylerHendrickson marked this pull request as ready for review September 26, 2023 01:52

TylerHendrickson requested a review from a team as a code owner September 26, 2023 01:52

Merge branch 'main' into feat/approve-production-tf-plans

43cfa8c

TylerHendrickson enabled auto-merge (squash) September 26, 2023 02:51

Allow workflow egress to storage.googleapis.com:443

937b0c3

TylerHendrickson requested a review from as1729 September 26, 2023 03:16

Merge branch 'main' into feat/approve-production-tf-plans

3538f66

as1729 approved these changes Sep 27, 2023

View reviewed changes

Merge branch 'main' into feat/approve-production-tf-plans

ed54847

Merge branch 'main' into feat/approve-production-tf-plans

400389a

TylerHendrickson merged commit c4b3e06 into main Sep 27, 2023
17 checks passed

TylerHendrickson deleted the feat/approve-production-tf-plans branch September 27, 2023 18:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Approve production TF plans before deployment #370

Approve production TF plans before deployment #370

TylerHendrickson commented Sep 26, 2023 •

edited

Loading

github-actions bot commented Sep 26, 2023 •

edited

Loading

Approve production TF plans before deployment #370

Approve production TF plans before deployment #370

Conversation

TylerHendrickson commented Sep 26, 2023 • edited Loading

Description

Testing

Manual tests for Reviewer

Checklist

github-actions bot commented Sep 26, 2023 • edited Loading

Terraform Summary

Output

TylerHendrickson commented Sep 26, 2023 •

edited

Loading

github-actions bot commented Sep 26, 2023 •

edited

Loading