
Add security group to valkey instance #1216

Merged: kalilsn merged 6 commits into main from kalilsn/fix-sg on Apr 30, 2025
kalilsn (Contributor) commented Apr 30, 2025

Issue(s) Resolved

#1131

High-level Explanation of PR

I created a security group to grant our platform containers access to valkey, but forgot to actually add the security group to the valkey instance. This PR fixes that.

Terraform will perform the following actions:

  # module.deployment.module.core_dependency_services.aws_elasticache_replication_group.core_valkey will be updated in-place
  ~ resource "aws_elasticache_replication_group" "core_valkey" {
        id                         = "stevie-core-valkey-production"
      ~ security_group_ids         = [
          + "sg-0e0df02a3d2a384d0",
        ]
        tags                       = {}
        # (33 unchanged attributes hidden)
    }
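
Review bot: `security_group_ids` gains a literal group ID on an in-place update, but the cache's subnet group is not among the attributes shown, so the plan does not say which VPC the replication group sits in. Security groups are VPC-scoped; confirm that `sg-0e0df02a3d2a384d0` and the cache's subnet group belong to the same VPC before applying, otherwise the update is rejected at apply time.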

  # module.deployment.module.service_bastion.module.ecs_service.data.aws_ecs_task_definition.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ecs_task_definition" "this" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (known after apply)
      + cpu                      = (known after apply)
      + enable_fault_injection   = (known after apply)
      + ephemeral_storage        = (known after apply)
      + execution_role_arn       = (known after apply)
      + family                   = (known after apply)
      + id                       = (known after apply)
      + inference_accelerator    = (known after apply)
      + ipc_mode                 = (known after apply)
      + memory                   = (known after apply)
      + network_mode             = (known after apply)
      + pid_mode                 = (known after apply)
      + placement_constraints    = (known after apply)
      + proxy_configuration      = (known after apply)
      + requires_compatibilities = (known after apply)
      + revision                 = (known after apply)
      + runtime_platform         = (known after apply)
      + status                   = (known after apply)
      + task_definition          = "stevie-bastion"
      + task_role_arn            = (known after apply)
      + volume                   = (known after apply)
    }

  # module.deployment.module.service_bastion.module.ecs_service.aws_ecs_task_definition.this[0] must be replaced
+/- resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-bastion:155" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-bastion" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  ~ environment            = [
                        # (7 unchanged elements hidden)
                        {
                            name  = "SUPABASE_URL"
                            value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                      + {
                          + name  = "VALKEY_URL"
                          + value = "redis://stevie-core-valkey-production.we8a07.ng.0001.use1.cache.amazonaws.com"
                        },
                    ]
                    name                   = "bastion"
                    # (17 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "stevie-bastion" -> (known after apply)
      ~ revision                 = 155 -> (known after apply)
        tags                     = {
            "Environment"         = "stevie-production"
            "LogicalName"         = "bastion"
            "Project"             = "Pubpub-v7"
            "Shortname"           = "590b"
            "ShortnameAnnotation" = "Shortname is calculated as first four characters of the sha1sum of the Logical Name."
        }
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }
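
Review bot: the added `VALKEY_URL` uses the `redis://` scheme, so the bastion (and any other client given this value) will talk to the cache without TLS. If transit encryption can be turned on for the replication group, enable it there and change the scheme to `rediss://` so the client negotiates TLS.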

Plan: 1 to add, 1 to change, 1 to destroy.

Test Plan

After applying, I'll connect to the bastion and install redis (apk add redis), then attempt to connect to the instance: redis-cli -u $VALKEY_URL PING
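
The wiring this PR is about, as an added Terraform example (not the project's own configuration; every resource name, variable and the node type below is hypothetical). It attaches the security group to the replication group and adds a precondition so that a VPC mismatch between the cache subnets and the security group fails at plan time instead of at apply.

```hcl
# Added example. All names and variables are hypothetical placeholders.
variable "vpc_id" {
  type = string
}

variable "cache_subnet_ids" {
  type = list(string)
}

# Security group already attached to the platform containers.
variable "container_security_group_id" {
  type = string
}

# Look up each cache subnet so its VPC can be checked below.
data "aws_subnet" "cache" {
  for_each = toset(var.cache_subnet_ids)
  id       = each.value
}

# Security groups are VPC-scoped: this one can only be attached to
# resources whose subnets live in var.vpc_id.
resource "aws_security_group" "valkey" {
  name_prefix = "example-valkey-"
  vpc_id      = var.vpc_id

  ingress {
    description     = "Valkey from platform containers only"
    from_port       = 6379
    to_port         = 6379
    protocol        = "tcp"
    security_groups = [var.container_security_group_id]
  }
}

# ElastiCache has its own subnet group resource type; it is separate
# from the RDS aws_db_subnet_group.
resource "aws_elasticache_subnet_group" "valkey" {
  name       = "example-valkey"
  subnet_ids = var.cache_subnet_ids

  lifecycle {
    precondition {
      condition     = alltrue([for s in data.aws_subnet.cache : s.vpc_id == var.vpc_id])
      error_message = "Cache subnets must be in the same VPC as the valkey security group."
    }
  }
}

resource "aws_elasticache_replication_group" "valkey" {
  replication_group_id = "example-valkey"
  description          = "Example valkey cache"
  engine               = "valkey" # needs an AWS provider release with valkey support
  engine_version       = "8.0"
  node_type            = "cache.t4g.micro" # placeholder size
  num_cache_clusters   = 1

  # Creating the security group is not enough: it must be listed here,
  # and the subnet group decides which VPC the cache lands in.
  subnet_group_name  = aws_elasticache_subnet_group.valkey.name
  security_group_ids = [aws_security_group.valkey.id]

  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
}

# rediss:// makes clients use TLS, matching transit_encryption_enabled.
output "valkey_url" {
  value = "rediss://${aws_elasticache_replication_group.valkey.primary_endpoint_address}:6379"
}
```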

kalilsn requested a review from 3mcd April 30, 2025 16:25

kalilsn (Contributor, Author) commented Apr 30, 2025

This failed to apply because the valkey instance was inside the default vpc. I've modified the terraform to add a subnet group in the right vpc and put the cache in it. That changes the plan a bit, since it will cause the url to change, which forces a replacement of the ecs and bastion tasks since their env var changes.

New plan
Terraform will perform the following actions:

  # module.deployment.module.core_dependency_services.aws_db_subnet_group.core_valkey will be created
  + resource "aws_db_subnet_group" "core_valkey" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "stevie_core_valkey_production"
      + name_prefix             = (known after apply)
      + subnet_ids              = [
          + "subnet-0025d514cb67884f1",
          + "subnet-099d679edaeb0e307",
        ]
      + supported_network_types = (known after apply)
      + tags                    = {
          + "Name" = "subnet group for core valkey cache instances"
        }
      + tags_all                = {
          + "Name" = "subnet group for core valkey cache instances"
        }
      + vpc_id                  = (known after apply)
    }
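
Review bot: the resource type here is `aws_db_subnet_group`, which creates an RDS DB subnet group, while the replication group's `subnet_group_name` refers to an ElastiCache subnet group. The two are separate namespaces, so this should be an `aws_elasticache_subnet_group` with the same `subnet_ids`; as planned, the cache would not find a subnet group named `stevie_core_valkey_production`.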

  # module.deployment.module.core_dependency_services.aws_elasticache_replication_group.core_valkey must be replaced
+/- resource "aws_elasticache_replication_group" "core_valkey" {
      + apply_immediately              = (known after apply)
      ~ arn                            = "arn:aws:elasticache:us-east-1:246372085946:replicationgroup:stevie-core-valkey-production" -> (known after apply)
      ~ at_rest_encryption_enabled     = "true" -> (known after apply)
      ~ auto_minor_version_upgrade     = "true" -> (known after apply)
      ~ cluster_enabled                = false -> (known after apply)
      ~ cluster_mode                   = "disabled" -> (known after apply)
      + configuration_endpoint_address = (known after apply)
      ~ data_tiering_enabled           = false -> (known after apply)
      ~ engine_version                 = "8.0" -> (known after apply)
      ~ engine_version_actual          = "8.0.1" -> (known after apply)
      + global_replication_group_id    = (known after apply)
      ~ id                             = "stevie-core-valkey-production" -> (known after apply)
      ~ ip_discovery                   = "ipv4" -> (known after apply)
      ~ maintenance_window             = "sat:03:00-sat:04:00" -> (known after apply)
      ~ member_clusters                = [
          - "stevie-core-valkey-production-001",
        ] -> (known after apply)
      ~ network_type                   = "ipv4" -> (known after apply)
      ~ num_node_groups                = 1 -> (known after apply)
      ~ primary_endpoint_address       = "stevie-core-valkey-production.we8a07.ng.0001.use1.cache.amazonaws.com" -> (known after apply)
      ~ reader_endpoint_address        = "stevie-core-valkey-production-ro.we8a07.ng.0001.use1.cache.amazonaws.com" -> (known after apply)
      ~ replicas_per_node_group        = 0 -> (known after apply)
      ~ security_group_ids             = [
          + "sg-0e0df02a3d2a384d0",
        ]
      ~ security_group_names           = [] -> (known after apply)
      - snapshot_retention_limit       = 0 -> null
      ~ snapshot_window                = "10:00-11:00" -> (known after apply)
      ~ subnet_group_name              = "default" -> "stevie_core_valkey_production" # forces replacement
      - tags                           = {} -> null
      ~ tags_all                       = {} -> (known after apply)
      ~ transit_encryption_enabled     = false -> (known after apply)
      + transit_encryption_mode        = (known after apply)
      - user_group_ids                 = [] -> null
        # (10 unchanged attributes hidden)
    }
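
Review bot: `subnet_group_name = "default" -> "stevie_core_valkey_production"` forces a destroy and recreate, and with `snapshot_retention_limit = 0` there is no snapshot to restore from, so whatever is in the cache is dropped when this applies; confirm nothing depends on that data surviving. `transit_encryption_enabled = false -> (known after apply)` suggests the setting is left to a computed default; since the group is being recreated anyway, set it explicitly in the configuration so the new cache's encryption in transit is a reviewed decision.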

  # module.deployment.module.service_bastion.module.ecs_service.data.aws_ecs_task_definition.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ecs_task_definition" "this" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (known after apply)
      + cpu                      = (known after apply)
      + enable_fault_injection   = (known after apply)
      + ephemeral_storage        = (known after apply)
      + execution_role_arn       = (known after apply)
      + family                   = (known after apply)
      + id                       = (known after apply)
      + inference_accelerator    = (known after apply)
      + ipc_mode                 = (known after apply)
      + memory                   = (known after apply)
      + network_mode             = (known after apply)
      + pid_mode                 = (known after apply)
      + placement_constraints    = (known after apply)
      + proxy_configuration      = (known after apply)
      + requires_compatibilities = (known after apply)
      + revision                 = (known after apply)
      + runtime_platform         = (known after apply)
      + status                   = (known after apply)
      + task_definition          = "stevie-bastion"
      + task_role_arn            = (known after apply)
      + volume                   = (known after apply)
    }

  # module.deployment.module.service_bastion.module.ecs_service.aws_ecs_task_definition.this[0] must be replaced
+/- resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-bastion:155" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-bastion" -> (known after apply)
      ~ container_definitions    = jsonencode(
            [
              - {
                  - command                = [
                      - "sh",
                      - "-c",
                      - "trap : TERM INT; sleep infinity & wait",
                    ]
                  - environment            = [
                      - {
                          - name  = "HOSTNAME"
                          - value = "0.0.0.0"
                        },
                      - {
                          - name  = "OTEL_SERVICE_NAME"
                          - value = "bastion.bastion"
                        },
                      - {
                          - name  = "PAGER"
                          - value = "less -S"
                        },
                      - {
                          - name  = "PGDATABASE"
                          - value = "stevie_production_core_postgres"
                        },
                      - {
                          - name  = "PGHOST"
                          - value = "stevie-core-postgres-production.cc1xafkddg79.us-east-1.rds.amazonaws.com"
                        },
                      - {
                          - name  = "PGPORT"
                          - value = "5432"
                        },
                      - {
                          - name  = "PGUSER"
                          - value = "stevie"
                        },
                      - {
                          - name  = "SUPABASE_URL"
                          - value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                    ]
                  - essential              = true
                  - image                  = "246372085946.dkr.ecr.us-east-1.amazonaws.com/pubpub-v7:latest"
                  - interactive            = false
                  - linuxParameters        = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration       = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "stevie-ecs-production-container-logs"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - mountPoints            = []
                  - name                   = "bastion"
                  - portMappings           = []
                  - privileged             = false
                  - pseudoTerminal         = false
                  - readonlyRootFilesystem = false
                  - secrets                = [
                      - {
                          - name      = "PGPASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:rds-db-password-stevie-production-GI4oxb"
                        },
                      - {
                          - name      = "SUPABASE_SERVICE_ROLE_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:supabase-service-role-key-stevie-production-Wzfwj5"
                        },
                    ]
                  - startTimeout           = 30
                  - stopTimeout            = 120
                  - systemControls         = []
                  - user                   = "0"
                  - volumesFrom            = []
                },
            ] # forces replacement
        ) -> (known after apply) # forces replacement
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "stevie-bastion" -> (known after apply)
      ~ revision                 = 155 -> (known after apply)
        tags                     = {
            "Environment"         = "stevie-production"
            "LogicalName"         = "bastion"
            "Project"             = "Pubpub-v7"
            "Shortname"           = "590b"
            "ShortnameAnnotation" = "Shortname is calculated as first four characters of the sha1sum of the Logical Name."
        }
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }
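
Review bot: `container_definitions` for the bastion appears only as a full removal ending in `-> (known after apply)`, so the new `VALKEY_URL` and the rest of the replacement environment cannot be verified from this plan; inspect the registered task definition revision after apply. The definition being replaced also shows `user = "0"` and an image tagged `:latest`; a non-root user and a pinned image digest would be worth a follow-up.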

  # module.deployment.module.service_core.module.ecs_service.data.aws_ecs_task_definition.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ecs_task_definition" "this" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (known after apply)
      + cpu                      = (known after apply)
      + enable_fault_injection   = (known after apply)
      + ephemeral_storage        = (known after apply)
      + execution_role_arn       = (known after apply)
      + family                   = (known after apply)
      + id                       = (known after apply)
      + inference_accelerator    = (known after apply)
      + ipc_mode                 = (known after apply)
      + memory                   = (known after apply)
      + network_mode             = (known after apply)
      + pid_mode                 = (known after apply)
      + placement_constraints    = (known after apply)
      + proxy_configuration      = (known after apply)
      + requires_compatibilities = (known after apply)
      + revision                 = (known after apply)
      + runtime_platform         = (known after apply)
      + status                   = (known after apply)
      + task_definition          = "stevie-core"
      + task_role_arn            = (known after apply)
      + volume                   = (known after apply)
    }

  # module.deployment.module.service_core.module.ecs_service.aws_ecs_task_definition.this[0] must be replaced
+/- resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-core:385" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:246372085946:task-definition/stevie-core" -> (known after apply)
      ~ container_definitions    = jsonencode(
            [
              - {
                  - dependsOn              = [
                      - {
                          - condition     = "SUCCESS"
                          - containerName = "migrations"
                        },
                    ]
                  - environment            = [
                      - {
                          - name  = "ASSETS_BUCKET_NAME"
                          - value = "assets.app.pubpub.org"
                        },
                      - {
                          - name  = "ASSETS_REGION"
                          - value = "us-east-1"
                        },
                      - {
                          - name  = "ASSETS_UPLOAD_KEY"
                          - value = "AKIATSXHLWC5ORF73VHS"
                        },
                      - {
                          - name  = "DATACITE_API_URL"
                          - value = "https://api.datacite.org"
                        },
                      - {
                          - name  = "HOSTNAME"
                          - value = "0.0.0.0"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_HOST"
                          - value = "smtp.mailgun.org"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_PORT"
                          - value = "465"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_USERNAME"
                          - value = "v7@mg.pubpub.org"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_PUBPUB_URL"
                          - value = "https://app.pubpub.org"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_SUPABASE_PUBLIC_KEY"
                          - value = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_SUPABASE_URL"
                          - value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                      - {
                          - name  = "OTEL_SERVICE_NAME"
                          - value = "core.core"
                        },
                      - {
                          - name  = "PGDATABASE"
                          - value = "stevie_production_core_postgres"
                        },
                      - {
                          - name  = "PGHOST"
                          - value = "stevie-core-postgres-production.cc1xafkddg79.us-east-1.rds.amazonaws.com"
                        },
                      - {
                          - name  = "PGPORT"
                          - value = "5432"
                        },
                      - {
                          - name  = "PGUSER"
                          - value = "stevie"
                        },
                      - {
                          - name  = "PUBPUB_URL"
                          - value = "https://app.pubpub.org"
                        },
                      - {
                          - name  = "SUPABASE_PUBLIC_KEY"
                          - value = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
                        },
                      - {
                          - name  = "SUPABASE_URL"
                          - value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                      - {
                          - name  = "VALKEY_URL"
                          - value = "redis://stevie-core-valkey-production.we8a07.ng.0001.use1.cache.amazonaws.com"
                        },
                    ]
                  - essential              = true
                  - image                  = "246372085946.dkr.ecr.us-east-1.amazonaws.com/pubpub-v7-core:latest"
                  - interactive            = false
                  - linuxParameters        = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration       = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "stevie-ecs-production-container-logs"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - mountPoints            = []
                  - name                   = "core"
                  - portMappings           = [
                      - {
                          - containerPort = 3000
                          - hostPort      = 3000
                          - name          = "core"
                          - protocol      = "tcp"
                        },
                    ]
                  - privileged             = false
                  - pseudoTerminal         = false
                  - readonlyRootFilesystem = false
                  - secrets                = [
                      - {
                          - name      = "API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:api-key-stevie-production-11R0K0"
                        },
                      - {
                          - name      = "ASSETS_UPLOAD_SECRET_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:asset-uploader-secret-key-stevie-production-hZOJCl"
                        },
                      - {
                          - name      = "DATACITE_PASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:datacite-password-stevie-production-aW7q6x"
                        },
                      - {
                          - name      = "DATACITE_REPOSITORY_ID"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:datacite-repository-id-stevie-production-xU1Ucv"
                        },
                      - {
                          - name      = "GCLOUD_KEY_FILE"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:gcloud-key-file-stevie-production-KRd2x8"
                        },
                      - {
                          - name      = "HONEYCOMB_API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:honeycombio-apikey-stevie-production-0BynA5"
                        },
                      - {
                          - name      = "JWT_SECRET"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:jwt-secret-stevie-production-vly0y0"
                        },
                      - {
                          - name      = "MAILGUN_SMTP_PASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:mailgun-smtp-password-stevie-production-CHbvhk"
                        },
                      - {
                          - name      = "PGPASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:rds-db-password-stevie-production-GI4oxb"
                        },
                      - {
                          - name      = "SENTRY_AUTH_TOKEN"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:sentry-auth-token-stevie-production-GI4oxb"
                        },
                      - {
                          - name      = "SUPABASE_SERVICE_ROLE_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:supabase-service-role-key-stevie-production-Wzfwj5"
                        },
                      - {
                          - name      = "SUPABASE_WEBHOOKS_API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:supabase-webhooks-api-key-stevie-production-DNqFhc"
                        },
                    ]
                  - startTimeout           = 30
                  - stopTimeout            = 120
                  - systemControls         = []
                  - user                   = "0"
                  - volumesFrom            = []
                },
              - {
                  - command                = [
                      - "pnpm",
                      - "--filter",
                      - "core",
                      - "migrate-docker",
                    ]
                  - environment            = [
                      - {
                          - name  = "ASSETS_BUCKET_NAME"
                          - value = "assets.app.pubpub.org"
                        },
                      - {
                          - name  = "ASSETS_REGION"
                          - value = "us-east-1"
                        },
                      - {
                          - name  = "ASSETS_UPLOAD_KEY"
                          - value = "AKIATSXHLWC5ORF73VHS"
                        },
                      - {
                          - name  = "DATACITE_API_URL"
                          - value = "https://api.datacite.org"
                        },
                      - {
                          - name  = "HOSTNAME"
                          - value = "0.0.0.0"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_HOST"
                          - value = "smtp.mailgun.org"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_PORT"
                          - value = "465"
                        },
                      - {
                          - name  = "MAILGUN_SMTP_USERNAME"
                          - value = "v7@mg.pubpub.org"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_PUBPUB_URL"
                          - value = "https://app.pubpub.org"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_SUPABASE_PUBLIC_KEY"
                          - value = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
                        },
                      - {
                          - name  = "NEXT_PUBLIC_SUPABASE_URL"
                          - value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                      - {
                          - name  = "OTEL_SERVICE_NAME"
                          - value = "core.migrations"
                        },
                      - {
                          - name  = "PGDATABASE"
                          - value = "stevie_production_core_postgres"
                        },
                      - {
                          - name  = "PGHOST"
                          - value = "stevie-core-postgres-production.cc1xafkddg79.us-east-1.rds.amazonaws.com"
                        },
                      - {
                          - name  = "PGPORT"
                          - value = "5432"
                        },
                      - {
                          - name  = "PGUSER"
                          - value = "stevie"
                        },
                      - {
                          - name  = "PUBPUB_URL"
                          - value = "https://app.pubpub.org"
                        },
                      - {
                          - name  = "SUPABASE_PUBLIC_KEY"
                          - value = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
                        },
                      - {
                          - name  = "SUPABASE_URL"
                          - value = "https://dsleqjuvzuoycpeotdws.supabase.co"
                        },
                      - {
                          - name  = "VALKEY_URL"
                          - value = "redis://stevie-core-valkey-production.we8a07.ng.0001.use1.cache.amazonaws.com"
                        },
                    ]
                  - essential              = false
                  - image                  = "246372085946.dkr.ecr.us-east-1.amazonaws.com/pubpub-v7:latest"
                  - interactive            = false
                  - linuxParameters        = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration       = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "stevie-ecs-production-container-logs"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - mountPoints            = []
                  - name                   = "migrations"
                  - portMappings           = []
                  - privileged             = false
                  - pseudoTerminal         = false
                  - readonlyRootFilesystem = false
                  - secrets                = [
                      - {
                          - name      = "API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:api-key-stevie-production-11R0K0"
                        },
                      - {
                          - name      = "ASSETS_UPLOAD_SECRET_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:asset-uploader-secret-key-stevie-production-hZOJCl"
                        },
                      - {
                          - name      = "DATACITE_PASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:datacite-password-stevie-production-aW7q6x"
                        },
                      - {
                          - name      = "DATACITE_REPOSITORY_ID"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:datacite-repository-id-stevie-production-xU1Ucv"
                        },
                      - {
                          - name      = "GCLOUD_KEY_FILE"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:gcloud-key-file-stevie-production-KRd2x8"
                        },
                      - {
                          - name      = "HONEYCOMB_API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:honeycombio-apikey-stevie-production-0BynA5"
                        },
                      - {
                          - name      = "JWT_SECRET"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:jwt-secret-stevie-production-vly0y0"
                        },
                      - {
                          - name      = "MAILGUN_SMTP_PASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:mailgun-smtp-password-stevie-production-CHbvhk"
                        },
                      - {
                          - name      = "PGPASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:rds-db-password-stevie-production-GI4oxb"
                        },
                      - {
                          - name      = "SENTRY_AUTH_TOKEN"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:sentry-auth-token-stevie-production-GI4oxb"
                        },
                      - {
                          - name      = "SUPABASE_SERVICE_ROLE_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:supabase-service-role-key-stevie-production-Wzfwj5"
                        },
                      - {
                          - name      = "SUPABASE_WEBHOOKS_API_KEY"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:246372085946:secret:supabase-webhooks-api-key-stevie-production-DNqFhc"
                        },
                    ]
                  - startTimeout           = 30
                  - stopTimeout            = 120
                  - systemControls         = []
                  - user                   = "0"
                  - volumesFrom            = []
                },
              - {
                  - environment            = [
                      - {
                          - name  = "NGINX_LISTEN_PORT"
                          - value = "8080"
                        },
                      - {
                          - name  = "NGINX_PREFIX"
                          - value = "/"
                        },
                      - {
                          - name  = "NGINX_UPSTREAM_HOST"
                          - value = "127.0.0.1"
                        },
                      - {
                          - name  = "NGINX_UPSTREAM_PORT"
                          - value = "3000"
                        },
                      - {
                          - name  = "OTEL_SERVICE_NAME"
                          - value = "core.nginx"
                        },
                    ]
                  - essential              = true
                  - image                  = "246372085946.dkr.ecr.us-east-1.amazonaws.com/nginx:latest"
                  - interactive            = false
                  - linuxParameters        = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration       = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "stevie-ecs-production-container-logs"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - mountPoints            = []
                  - name                   = "nginx"
                  - portMappings           = [
                      - {
                          - containerPort = 8080
                          - hostPort      = 8080
                          - name          = "core-nginx"
                          - protocol      = "tcp"
                        },
                    ]
                  - privileged             = false
                  - pseudoTerminal         = false
                  - readonlyRootFilesystem = false
                  - startTimeout           = 30
                  - stopTimeout            = 120
                  - systemControls         = []
                  - user                   = "0"
                  - volumesFrom            = []
                },
            ] # forces replacement
        ) -> (known after apply) # forces replacement
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "stevie-core" -> (known after apply)
      ~ revision                 = 385 -> (known after apply)
        tags                     = {
            "Environment"         = "stevie-production"
            "LogicalName"         = "core"
            "Project"             = "Pubpub-v7"
            "Shortname"           = "94a0"
            "ShortnameAnnotation" = "Shortname is calculated as first four characters of the sha1sum of the Logical Name."
        }
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 4 to add, 0 to change, 3 to destroy.

@kalilsn kalilsn merged commit a3e8bb6 into main Apr 30, 2025
16 checks passed
@kalilsn kalilsn deleted the kalilsn/fix-sg branch April 30, 2025 19:09

kalilsn commented Apr 30, 2025

Contributor Author

Took some work but this is applied now.
