Adding ssc_cbrid_tags to infrastructure#575
Merged
Merged
Conversation
Production: api✅ Terraform Init: Plan: 0 to add, 12 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
<= read (data resources)
Terraform will perform the following actions:
# data.aws_iam_policy_document.api_policies will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "api_policies" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "ssm:GetParameters",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:ssm:ca-central-1:283582579564:parameter/github-secret-scanning-config",
]
}
}
# aws_ecr_repository.api will be updated in-place
~ resource "aws_ecr_repository" "api" {
id = "github-secret-scanning/api"
name = "github-secret-scanning/api"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (5 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_ssm_parameter.api_config will be updated in-place
~ resource "aws_ssm_parameter" "api_config" {
id = "github-secret-scanning-config"
name = "github-secret-scanning-config"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (10 unchanged attributes hidden)
}
# module.api.aws_cloudwatch_log_group.this will be updated in-place
~ resource "aws_cloudwatch_log_group" "this" {
id = "/aws/lambda/github-secret-scanning-api"
name = "/aws/lambda/github-secret-scanning-api"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (6 unchanged attributes hidden)
}
# module.api.aws_iam_policy.non_vpc_policies[0] will be updated in-place
~ resource "aws_iam_policy" "non_vpc_policies" {
id = "arn:aws:iam::283582579564:policy/github-secret-scanning-api_non_vpc"
name = "github-secret-scanning-api_non_vpc"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (5 unchanged attributes hidden)
}
# module.api.aws_iam_policy.policies[0] will be updated in-place
~ resource "aws_iam_policy" "policies" {
id = "arn:aws:iam::283582579564:policy/github-secret-scanning-api-0"
name = "github-secret-scanning-api-0"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = "ssm:GetParameters"
- Effect = "Allow"
- Resource = "arn:aws:ssm:ca-central-1:283582579564:parameter/github-secret-scanning-config"
- Sid = ""
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (4 unchanged attributes hidden)
}
# module.api.aws_iam_role.this will be updated in-place
~ resource "aws_iam_role" "this" {
id = "github-secret-scanning-api"
name = "github-secret-scanning-api"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (8 unchanged attributes hidden)
}
# module.api.aws_lambda_function.this will be updated in-place
~ resource "aws_lambda_function" "this" {
id = "github-secret-scanning-api"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (22 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# module.sentinel_forwarder.data.aws_iam_policy_document.sentinel_forwarder_lambda will be read during apply
# (depends on a resource or a module with changes pending)
<= data "aws_iam_policy_document" "sentinel_forwarder_lambda" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:logs:ca-central-1:283582579564:log-group:/aws/lambda/github-secret-scanning-sentinel:*",
]
}
+ statement {
+ actions = [
+ "xray:GetSamplingRules",
+ "xray:GetSamplingStatisticSummaries",
+ "xray:GetSamplingTargets",
+ "xray:PutTelemetryRecords",
+ "xray:PutTraceSegments",
]
+ effect = "Allow"
+ resources = [
+ "*",
]
}
+ statement {
+ actions = [
+ "ssm:GetParameter",
+ "ssm:GetParameters",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:ssm:ca-central-1:283582579564:parameter/github-secret-scanning-sentinel-auth",
]
}
}
# module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda will be updated in-place
~ resource "aws_cloudwatch_log_group" "sentinel_forwarder_lambda" {
id = "/aws/lambda/github-secret-scanning-sentinel"
name = "/aws/lambda/github-secret-scanning-sentinel"
tags = {
"CostCentre" = "github-secret-scanning-production"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (1 unchanged element hidden)
}
# (6 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda will be updated in-place
~ resource "aws_iam_policy" "sentinel_forwarder_lambda" {
id = "arn:aws:iam::283582579564:policy/SentinelForwarderLambda-github-secret-scanning-sentinel"
name = "SentinelForwarderLambda-github-secret-scanning-sentinel"
~ policy = jsonencode(
{
- Statement = [
- {
- Action = [
- "logs:PutLogEvents",
- "logs:CreateLogStream",
]
- Effect = "Allow"
- Resource = "arn:aws:logs:ca-central-1:283582579564:log-group:/aws/lambda/github-secret-scanning-sentinel:*"
},
- {
- Action = [
- "xray:PutTraceSegments",
- "xray:PutTelemetryRecords",
- "xray:GetSamplingTargets",
- "xray:GetSamplingStatisticSummaries",
- "xray:GetSamplingRules",
]
- Effect = "Allow"
- Resource = "*"
},
- {
- Action = [
- "ssm:GetParameters",
- "ssm:GetParameter",
]
- Effect = "Allow"
- Resource = "arn:aws:ssm:ca-central-1:283582579564:parameter/github-secret-scanning-sentinel-auth"
},
]
- Version = "2012-10-17"
}
) -> (known after apply)
tags = {}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
}
# (4 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda will be updated in-place
~ resource "aws_iam_role" "sentinel_forwarder_lambda" {
id = "SentinelForwarderLambda-github-secret-scanning-sentinel"
name = "SentinelForwarderLambda-github-secret-scanning-sentinel"
tags = {}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
}
# (8 unchanged attributes hidden)
}
# module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder will be updated in-place
~ resource "aws_lambda_function" "sentinel_forwarder" {
id = "github-secret-scanning-sentinel"
tags = {
"CostCentre" = "github-secret-scanning-production"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (1 unchanged element hidden)
}
# (25 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# module.sentinel_forwarder.aws_ssm_parameter.sentinel_forwarder_auth will be updated in-place
~ resource "aws_ssm_parameter" "sentinel_forwarder_auth" {
id = "github-secret-scanning-sentinel-auth"
name = "github-secret-scanning-sentinel-auth"
tags = {
"CostCentre" = "github-secret-scanning-production"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (1 unchanged element hidden)
}
# (10 unchanged attributes hidden)
}
Plan: 0 to add, 12 to change, 0 to destroy.
Warning: Deprecated attribute
on .terraform/modules/sentinel_forwarder/sentinel_forwarder/main.tf line 85, in resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription":
85: principal = "logs.${data.aws_region.current.name}.amazonaws.com"
The attribute "name" is deprecated. Refer to the provider documentation for
details.
(and one more similar warning elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_ssm_parameter.sentinel_forwarder_auth"]
25 tests, 20 passed, 5 warnings, 0 failures, 0 exceptions
|
Production: hosted_zone✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_route53_zone.github_secret_scanning will be updated in-place
~ resource "aws_route53_zone" "github_secret_scanning" {
id = "Z09595232YY40XHEI9KL6"
name = "github-secret-scanning.alpha.canada.ca"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (7 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
Show Conftest results21 tests, 21 passed, 0 warnings, 0 failures, 0 exceptions
|
Production: alert_compromise✅ Terraform Init: Plan: 0 to add, 3 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_iam_role.group_broadcast_alert_role will be updated in-place
~ resource "aws_iam_role" "group_broadcast_alert_role" {
id = "group_broadcast_alert_role"
name = "group_broadcast_alert_role"
~ tags = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
~ tags_all = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
# (8 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
# aws_lambda_function.broadcast_alert will be updated in-place
~ resource "aws_lambda_function" "broadcast_alert" {
id = "broadcast_alert"
tags = {}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
}
# (31 unchanged attributes hidden)
# (4 unchanged blocks hidden)
}
# aws_ssm_parameter.notify_doc_api_key will be updated in-place
~ resource "aws_ssm_parameter" "notify_doc_api_key" {
id = "notify_doc_api_key"
name = "notify_doc_api_key"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (10 unchanged attributes hidden)
}
Plan: 0 to add, 3 to change, 0 to destroy.
Warning: Argument is deprecated
with aws_iam_role.group_broadcast_alert_role,
on iam.tf line 4, in resource "aws_iam_role" "group_broadcast_alert_role":
4: managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
managed_policy_arns is deprecated. Use the aws_iam_role_policy_attachment
resource instead. If Terraform should exclusively manage all managed policy
attachments (the current behavior of this argument), use the
aws_iam_role_policy_attachments_exclusive resource as well.
(and one more similar warning elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.broadcast_alert"]
21 tests, 20 passed, 1 warning, 0 failures, 0 exceptions
|
Production: cloudfront✅ Terraform Init: Plan: 0 to add, 7 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_acm_certificate.api will be updated in-place
~ resource "aws_acm_certificate" "api" {
id = "arn:aws:acm:us-east-1:283582579564:certificate/306ce9d4-b971-4c06-9dc5-d46367b9ed30"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (15 unchanged attributes hidden)
# (1 unchanged block hidden)
}
# aws_cloudfront_distribution.api will be updated in-place
~ resource "aws_cloudfront_distribution" "api" {
id = "E3JW0APMFZN4DN"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (23 unchanged attributes hidden)
origin {
# At least one attribute in this block is (or was) sensitive,
# so its contents will not be displayed.
}
# (4 unchanged blocks hidden)
}
# aws_iam_policy.write_waf_logs will be updated in-place
~ resource "aws_iam_policy" "write_waf_logs" {
id = "arn:aws:iam::283582579564:policy/github-secret-scanning-waf-logs"
name = "github-secret-scanning-waf-logs"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (6 unchanged attributes hidden)
}
# aws_iam_role.waf_log_role will be updated in-place
~ resource "aws_iam_role" "waf_log_role" {
id = "github-secret-scanning-waf-logs"
name = "github-secret-scanning-waf-logs"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (8 unchanged attributes hidden)
}
# aws_kinesis_firehose_delivery_stream.api will be updated in-place
~ resource "aws_kinesis_firehose_delivery_stream" "api" {
id = "arn:aws:firehose:us-east-1:283582579564:deliverystream/aws-waf-logs-github-secret-scanning"
name = "aws-waf-logs-github-secret-scanning"
tags = {
"CostCentre" = "github-secret-scanning-production"
"Terraform" = "true"
}
~ tags_all = {
+ "ssc_cbrid" = "22DI"
# (2 unchanged elements hidden)
}
# (5 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_wafv2_regex_pattern_set.valid_uri_paths will be updated in-place
~ resource "aws_wafv2_regex_pattern_set" "valid_uri_paths" {
id = "d9c157c2-5c1f-4aeb-9e9c-da73378334b4"
name = "valid-api-paths"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (5 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
# aws_wafv2_web_acl.api will be updated in-place
~ resource "aws_wafv2_web_acl" "api" {
id = "ff46dbec-de07-4249-8a6f-bf03d8823194"
name = "github-secret-scanning"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (7 unchanged attributes hidden)
# (8 unchanged blocks hidden)
}
Plan: 0 to add, 7 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results21 tests, 21 passed, 0 warnings, 0 failures, 0 exceptions
|
Production: alarms✅ Terraform Init: Plan: 0 to add, 4 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_cloudwatch_metric_alarm.api_error will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "api_error" {
id = "GitHub secret scanning: error"
~ tags = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
~ tags_all = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
# (18 unchanged attributes hidden)
}
# aws_cloudwatch_metric_alarm.api_secret_detected will be updated in-place
~ resource "aws_cloudwatch_metric_alarm" "api_secret_detected" {
id = "GitHub secret scanning: secret detected"
~ tags = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
~ tags_all = {
+ "CostCentre" = "github-secret-scanning-production"
+ "Terraform" = "true"
+ "ssc_cbrid" = "22DH"
}
# (18 unchanged attributes hidden)
}
# aws_kms_key.sns_cloudwatch will be updated in-place
~ resource "aws_kms_key" "sns_cloudwatch" {
id = "17a3cee1-81fc-462c-99b7-e23b21612aa3"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (12 unchanged attributes hidden)
}
# aws_sns_topic.cloudwatch_alarm will be updated in-place
~ resource "aws_sns_topic" "cloudwatch_alarm" {
id = "arn:aws:sns:ca-central-1:283582579564:github-secret-scanning-cloudwatch-alarm"
name = "github-secret-scanning-cloudwatch-alarm"
~ tags = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
~ tags_all = {
+ "ssc_cbrid" = "22DH"
# (2 unchanged elements hidden)
}
# (13 unchanged attributes hidden)
}
Plan: 0 to add, 4 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...
Show Conftest resultsWARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.api_error"]
21 tests, 20 passed, 1 warning, 0 failures, 0 exceptions
|
wanpengyang
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary | Résumé
PR to add the appropriate ssc_cbrid tags .