Remove image syncer Prow Jobs #12294

Merged
merged 1 commit into from
Oct 30, 2024

@Sawthis Sawthis commented Oct 30, 2024

Description

Changes proposed in this pull request:

  • Remove image syncer Prow Jobs and external-images.yaml, as image syncer was migrated to the GitHub workflows.

Related issue(s)

#11384

@kyma-bot added the cla: yes, size/L and destroy labels Oct 30, 2024
@kyma-bot

Plan Result

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 2 to add, 0 to change, 2 to destroy.
  • Create
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:*"\n command: [ ]\n args: [ ]"]
  • Delete
    • module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-syncer:"\n command:\n - 
/tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
    • module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n name: sa-kyma-push-images\nspec:\n enforcementAction: deny\n match:\n kinds:\n - apiGroups: [""]\n kinds: ["Pod"]\n namespaces:\n - "default"\n parameters:\n restrictedSecrets:\n # usually provided with preset-sa-kyma-push-images\n - sa-kyma-push-images\n trustedImages:\n - image: "eu.gcr.io/sap-kyma-neighbors-dev/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\[."\/image-builder".,"--config=/config/kaniko-build-config.yaml".\],"container_name":"test",.}$'\n #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n - image: "europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n - image: "europe-docker.pkg.dev/kyma-project/prod/buildpack-go:"\n command:\n - /tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":.,"container_name":"test",.}$'\n # sidecar\n - image: "gcr.io/k8s-prow/sidecar:"\n command: [ ]\n args: [ ]\n # image-syncer\n - image: "europe-docker.pkg.dev/kyma-project/prod/image-syncer:"\n command:\n - 
/tools/entrypoint\n args: [ ]\n entrypoint_options: '^{."args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=."\],"container_name":"test",.*}$'"]
Change Result
  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n        
  - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "sa-kyma-push-images"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }

  # module.trusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n        
  - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"] will be destroyed
  # (because key ["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        
entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/sa-kyma-push-images" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "9b906c62-074a-4e13-856b-865f01066e6e" -> null
      - name                    = "sa-kyma-push-images" -> null
      - server_side_apply       = false -> null
      - uid                     = "9b906c62-074a-4e13-856b-865f01066e6e" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=.*"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-syncer:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n      
    - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]"] will be created
  + resource "kubectl_manifest" "constraints" {
      + api_version             = "constraints.gatekeeper.sh/v1beta1"
      + apply_only              = false
      + field_manager           = "kubectl"
      + force_conflicts         = false
      + force_new               = false
      + id                      = (known after apply)
      + kind                    = "SecretTrustedUsage"
      + live_manifest_incluster = (sensitive value)
      + live_uid                = (known after apply)
      + name                    = "sa-kyma-push-images"
      + namespace               = (known after apply)
      + server_side_apply       = false
      + uid                     = (known after apply)
      + validate_schema         = true
      + wait_for_rollout        = true
      + yaml_body               = (sensitive value)
      + yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
        EOT
      + yaml_incluster          = (sensitive value)
    }

  # module.untrusted_workload_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n      
    - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"] will be destroyed
  # (because key ["# Constraint to allow only trusted usage of sa-kyma-push-images gcp service account which has permissions to write images in kyma production oci registry.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: SecretTrustedUsage\nmetadata:\n  name: sa-kyma-push-images\nspec:\n  enforcementAction: deny\n  match:\n    kinds:\n      - apiGroups: [\"\"]\n        kinds: [\"Pod\"]\n    namespaces:\n      - \"default\"\n  parameters:\n    restrictedSecrets:\n      # usually provided with preset-sa-kyma-push-images\n      - sa-kyma-push-images\n    trustedImages:\n      - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[.*\"\\/image-builder\".*,\"--config=/config/kaniko-build-config.yaml\".*\\],\"container_name\":\"test\",.*}$'\n        #kyma-dashboard-dev, kyma-dashboard-stage, kyma-dashboard-prod, post-k8s-prow-build-release and post-main-build-testimages\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        
entrypoint_options: '^{.*\"args\":.*,\"container_name\":\"test\",.*}$'\n      # sidecar\n      - image: \"gcr.io/k8s-prow/sidecar:*\"\n        command: [ ]\n        args: [ ]\n      # image-syncer\n      - image: \"europe-docker.pkg.dev/kyma-project/prod/image-syncer:*\"\n        command:\n          - /tools/entrypoint\n        args: [ ]\n        entrypoint_options: '^{.*\"args\":\\[\"\\/image-syncer\",\"--images-file=cmd/image-syncer/external-images.yaml\",\"--target-repo-auth-key=.*\"\\],\"container_name\":\"test\",.*}$'"] is not in for_each map)
  - resource "kubectl_manifest" "constraints" {
      - api_version             = "constraints.gatekeeper.sh/v1beta1" -> null
      - apply_only              = false -> null
      - field_manager           = "kubectl" -> null
      - force_conflicts         = false -> null
      - force_new               = false -> null
      - id                      = "/apis/constraints.gatekeeper.sh/v1beta1/secrettrustedusages/sa-kyma-push-images" -> null
      - kind                    = "SecretTrustedUsage" -> null
      - live_manifest_incluster = (sensitive value) -> null
      - live_uid                = "011862c9-016c-4f5a-8699-cf2d166e6b6c" -> null
      - name                    = "sa-kyma-push-images" -> null
      - server_side_apply       = false -> null
      - uid                     = "011862c9-016c-4f5a-8699-cf2d166e6b6c" -> null
      - validate_schema         = true -> null
      - wait_for_rollout        = true -> null
      - yaml_body               = (sensitive value) -> null
      - yaml_body_parsed        = <<-EOT
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: SecretTrustedUsage
            metadata:
              name: sa-kyma-push-images
            spec:
              enforcementAction: deny
              match:
                kinds:
                - apiGroups:
                  - ""
                  kinds:
                  - Pod
                namespaces:
                - default
              parameters:
                restrictedSecrets:
                - sa-kyma-push-images
                trustedImages:
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\[.*"\/image-builder".*,"--config=/config/kaniko-build-config.yaml".*\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildkit-image-builder:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/testimages/e2e-dind-k3d:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":.*,"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/buildpack-go:*
                - args: []
                  command: []
                  image: gcr.io/k8s-prow/sidecar:*
                - args: []
                  command:
                  - /tools/entrypoint
                  entrypoint_options: ^{.*"args":\["\/image-syncer","--images-file=cmd/image-syncer/external-images.yaml","--target-repo-auth-key=.*"\],"container_name":"test",.*}$
                  image: europe-docker.pkg.dev/kyma-project/prod/image-syncer:*
        EOT -> null
      - yaml_incluster          = (sensitive value) -> null
    }

Plan: 2 to add, 0 to change, 2 to destroy.
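
Review bot: the destroy reason on this resource, `key [...] is not in for_each map`, shows that `kubectl_manifest.constraints` is keyed by the full manifest text, so dropping the image-syncer entry from `trustedImages` destroys the `sa-kyma-push-images` SecretTrustedUsage constraint and creates it again under a new key instead of updating it in place. Nothing visible in the plan orders that create against this destroy, and both target the same object name, so the `enforcementAction: deny` guard on the `sa-kyma-push-images` secret may be absent for part of the apply. Consider keying `for_each` by a stable value such as `metadata.name`, so that an edit to the trusted image list plans as a change rather than a destroy and create, and confirm after apply that the constraint still exists in the cluster.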

@Sawthis
Contributor Author

Sawthis commented Oct 30, 2024

/override pre-main-test-infra-image-syncer-dry-run

@kyma-bot
Contributor

@Sawthis: Overrode contexts on behalf of Sawthis: pre-main-test-infra-image-syncer-dry-run

In response to this:

/override pre-main-test-infra-image-syncer-dry-run

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kyma-bot kyma-bot added the lgtm Looks good to me! label Oct 30, 2024
@kyma-bot kyma-bot merged commit 9e89cdf into kyma-project:main Oct 30, 2024
6 checks passed
@kyma-bot
Contributor

@Sawthis: Updated the job-config configmap in namespace default at cluster default using the following files:

  • key image-syncer.yaml using file ``

@kyma-bot
Contributor

✅ Apply Result

CI link

Apply complete! Resources: 2 added, 0 changed, 2 destroyed.
Acquiring state lock. This may take a few moments...
data.kubectl_file_documents.automated_approver: Reading...
data.kubectl_file_documents.automated_approver_rules: Reading...
data.kubectl_file_documents.automated_approver_rules: Read complete after 0s [id=bf70e95238af237c504895dc5a1fda764e0501d635c5fc67d0a39fd3208dc85d]
data.kubectl_file_documents.automated_approver: Read complete after 0s [id=64bd161af081aaace4b3fbfd6256f5ec86870448c3ccb272374cdeaa2ce2f18b]
github_actions_organization_variable.gcp_kyma_project_project_id: Refreshing state... [id=GCP_KYMA_PROJECT_PROJECT_ID]
github_actions_variable.github_terraform_planner_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_PLANNER_SECRET_NAME]
github_actions_variable.github_terraform_executor_secret_name: Refreshing state... [id=test-infra:GH_TERRAFORM_EXECUTOR_SECRET_NAME]
github_actions_organization_variable.image_builder_ado_pat_gcp_secret_name: Refreshing state... [id=IMAGE_BUILDER_ADO_PAT_GCP_SECRET_NAME]
data.github_repository.gitleaks_repository["test-infra"]: Reading...
data.github_organization.kyma-project: Reading...
data.github_repository.test_infra: Reading...
google_artifact_registry_repository.prod_docker_repository: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod]
google_artifact_registry_repository.docker_cache: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/cache]
google_artifact_registry_repository.docker_dev: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/dev]
google_service_account.kyma_project_image_builder: Refreshing state... [id=projects/kyma-project/serviceAccounts/azure-pipeline-image-builder@kyma-project.iam.gserviceaccount.com]
google_service_account.kyma_project_kyma_submission_pipeline: Refreshing state... [id=projects/kyma-project/serviceAccounts/kyma-submission-pipeline@kyma-project.iam.gserviceaccount.com]
google_artifact_registry_repository.dev_modules_internal: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/dev-modules-internal]
module.artifact_registry["modules-internal"].data.google_client_config.this: Reading...
module.service_account_keys_rotator.google_project_service_identity.pubsub_identity_agent: Refreshing state... [id=projects/sap-kyma-prow/services/pubsub.googleapis.com]
google_service_account.sa-prowjob-gcp-logging-client: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prowjob-gcp-logging-client@sap-kyma-prow.iam.gserviceaccount.com]
google_container_cluster.trusted_workload: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
module.artifact_registry["modules-internal"].data.google_client_config.this: Read complete after 0s [id=projects/"kyma-project"/regions/"europe-west4"/zones/<null>]
module.service_account_keys_rotator.data.google_project.project: Reading...
google_service_account.sa-prow-deploy: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-deploy@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-gcs-plank: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcs-plank@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gitleaks_secret_accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
module.cors_proxy.google_cloud_run_service.cors_proxy: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/cors-proxy]
google_service_account.sa-prow-pubsub: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-prow-pubsub@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.neighbors-conduit-cli-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/neighbors-conduit-cli-builder@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-security-dashboard-oauth: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-security-dashboard-oauth@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform-planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-submission-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-submission-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform_planner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-kyma-artifacts: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-artifacts@sap-kyma-prow.iam.gserviceaccount.com]
module.security_dashboard_token.data.google_project.project: Reading...
data.google_container_cluster.trusted_workload_k8s_cluster: Reading...
google_service_account.kyma-oci-image-builder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-oci-image-builder@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-dev-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-dev-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gitleaks-secret-accesor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gitleaks-secret-accesor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-gke-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.test_infra: Read complete after 2s [id=test-infra]
google_artifact_registry_repository.dockerhub_mirror: Refreshing state... [id=projects/sap-kyma-prow/locations/europe/repositories/dockerhub-mirror]
data.google_pubsub_topic.secret-manager-notifications-topic: Reading...
module.service_account_keys_cleaner.google_service_account.service_account_keys_cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.image_syncer_writer: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-writer@sap-kyma-prow.iam.gserviceaccount.com]
data.github_repository.gitleaks_repository["test-infra"]: Read complete after 2s [id=test-infra]
module.slack_message_sender.google_monitoring_alert_policy.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/17360148176148949136]
google_service_account.kyma-compliance-pipeline: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-compliance-pipeline@sap-kyma-prow.iam.gserviceaccount.com]
data.google_pubsub_topic.secret-manager-notifications-topic: Read complete after 0s [id=projects/sap-kyma-prow/topics/secret-manager-notifications]
google_service_account.image_syncer_reader: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/image-syncer-reader@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-kyma-project: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-kyma-project@sap-kyma-prow.iam.gserviceaccount.com]
module.cors_proxy.data.google_project.project: Reading...
module.security_dashboard_token.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_service_account.secrets-rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Reading...
google_service_account.gcr-cleaner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcr-cleaner@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.data.google_project.project: Reading...
module.github_webhook_gateway.data.google_project.project: Reading...
google_service_account.firebase-adminsdk-udzxq: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/firebase-adminsdk-udzxq@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.data.google_secret_manager_secret.common_slack_bot_token: Read complete after 1s [id=projects/sap-kyma-prow/secrets/common-slack-bot-token]
google_pubsub_topic.secrets_rotator_dead_letter: Refreshing state... [id=projects/sap-kyma-prow/topics/secrets-rotator-dead-letter]
google_service_account.secret-manager-prow: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-prow@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.google_service_account.service_account_keys_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.kyma-security-scanners: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/kyma-security-scanners@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.google_pubsub_topic.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled]
google_service_account.control-plane: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/control-plane@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.google_service_account.github_webhook_gateway: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-webhook-gateway@sap-kyma-prow.iam.gserviceaccount.com]
module.security_dashboard_token.google_cloud_run_service.security_dashboard_token: Refreshing state... [id=locations/europe-west1/namespaces/sap-kyma-prow/services/security-dashboard-token]
google_service_account.terraform_executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.cors_proxy.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_service_account.secret-manager-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-trusted@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.google_service_account.signify_secret_rotator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-secret-update: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-secret-update@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.gencred-refresher: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gencred-refresher@sap-kyma-prow.iam.gserviceaccount.com]
module.slack_message_sender.google_service_account.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.data.google_project.project: Reading...
module.signify_secret_rotator.data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_service_account.secret-manager-untrusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secret-manager-untrusted@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.terraform-executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
google_service_account.sa-gcr-kyma-project-trusted: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-gcr-kyma-project-trusted@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.untrusted_workload_k8s_cluster: Reading...
google_service_account.counduit-cli-bucket: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/counduit-cli-bucket@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.prow_k8s_cluster: Reading...
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
google_service_account.sa-vm-kyma-integration: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/sa-vm-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
module.github_webhook_gateway.data.google_iam_policy.noauth: Reading...
module.github_webhook_gateway.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
data.google_client_config.gcp: Reading...
google_dns_managed_zone.build_kyma: Refreshing state... [id=projects/sap-kyma-prow/managedZones/build-kyma]
module.github_webhook_gateway.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
module.security_dashboard_token.data.google_iam_policy.noauth: Reading...
module.security_dashboard_token.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Reading...
module.github_webhook_gateway.data.google_secret_manager_secret.webhook_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/sap-tools-github-backlog-webhook-secret]
module.cors_proxy.data.google_iam_policy.noauth: Reading...
module.cors_proxy.data.google_iam_policy.noauth: Read complete after 0s [id=3450855414]
module.artifact_registry["modules-internal"].google_artifact_registry_repository.artifact_registry: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/modules-internal]
data.google_client_config.gcp: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
module.service_account_keys_rotator.google_project_iam_binding.pubsub_project_token_creator: Refreshing state... [id=sap-kyma-prow/roles/iam.serviceAccountTokenCreator]
module.service_account_keys_cleaner.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
google_artifact_registry_repository_iam_member.dev_modules_internal_repo_admin: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/dev-modules-internal/roles/artifactregistry.repoAdmin/serviceAccount:kyma-submission-pipeline@kyma-project.iam.gserviceaccount.com]
google_service_account_iam_binding.terraform_planner_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-planner@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
github_actions_variable.gcp_terraform_planner_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL]
google_storage_bucket_iam_binding.planner_state_bucket_write_access: Refreshing state... [id=b/tf-state-kyma-project/roles/storage.objectUser]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/viewer"]: Refreshing state... [id=sap-kyma-prow/roles/viewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/container.developer"]: Refreshing state... [id=sap-kyma-prow/roles/container.developer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/iam.securityReviewer"]: Refreshing state... [id=sap-kyma-prow/roles/iam.securityReviewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.terraform_planner_prow_project_read_access["roles/storage.objectViewer"]: Refreshing state... [id=sap-kyma-prow/roles/storage.objectViewer/serviceAccount:terraform-planner@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_variable.kyma_autobump_bot_github_token_secret_name: Refreshing state... [id=test-infra:KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME]
github_actions_organization_variable.image_syncer_writer_service_account_email: Refreshing state... [id=IMAGE_SYNCER_WRITER_SERVICE_ACCOUNT_EMAIL]
google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod/roles/artifactregistry.createOnPushWriter/serviceAccount:image-syncer-writer@sap-kyma-prow.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.image_syncer_prod_repo_reader: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/prod/roles/artifactregistry.reader/serviceAccount:image-syncer-reader@sap-kyma-prow.iam.gserviceaccount.com]
github_actions_organization_variable.image_syncer_reader_service_account_email: Refreshing state... [id=IMAGE_SYNCER_READER_SERVICE_ACCOUNT_EMAIL]
data.google_container_cluster.prow_k8s_cluster: Read complete after 2s [id=projects/sap-kyma-prow/locations/europe-west3-a/clusters/prow]
module.service_account_keys_cleaner.google_cloud_run_service.service_account_keys_cleaner: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-cleaner]
data.github_organization.kyma-project: Read complete after 6s [id=39153523]
module.service_account_keys_rotator.google_project_iam_member.service_account_keys_rotator_secret_version_accessor: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretAccessor/serviceAccount:sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
data.google_container_cluster.untrusted_workload_k8s_cluster: Read complete after 3s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/untrusted-workload-kyma-prow]
module.service_account_keys_rotator.google_project_iam_member.service_account_keys_rotator_secret_version_viewer: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.viewer/serviceAccount:sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.google_project_iam_member.service_account_keys_rotator_secret_version_adder: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretVersionAdder/serviceAccount:sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_rotator.google_cloud_run_service.service_account_keys_rotator: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-rotator]
module.service_account_keys_rotator.google_project_iam_member.service_account_keys_rotator: Refreshing state... [id=sap-kyma-prow/roles/iam.serviceAccountKeyAdmin/serviceAccount:sa-keys-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module.github_webhook_gateway.google_pubsub_topic_iam_binding.issue_labeled: Refreshing state... [id=projects/sap-kyma-prow/topics/issue-labeled/roles/pubsub.publisher]
data.google_container_cluster.trusted_workload_k8s_cluster: Read complete after 4s [id=projects/sap-kyma-prow/locations/europe-west4/clusters/trusted-workload-kyma-prow]
google_service_account_iam_binding.terraform_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
github_actions_variable.gcp_terraform_executor_service_account_email: Refreshing state... [id=test-infra:GCP_TERRAFORM_EXECUTOR_SERVICE_ACCOUNT_EMAIL]
google_project_iam_member.terraform_executor_prow_project_owner: Refreshing state... [id=sap-kyma-prow/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.signify_secret_rotator.google_cloud_run_service.signify_secret_rotator: Refreshing state... [id=locations/europe-west4/namespaces/sap-kyma-prow/services/signify-secret-rotator]
google_artifact_registry_repository_iam_member.dockerhub_mirror_access: Refreshing state... [id=projects/kyma-project/locations/europe/repositories/dockerhub-mirror/roles/artifactregistry.reader/serviceAccount:azure-pipeline-image-builder@kyma-project.iam.gserviceaccount.com]
module.signify_secret_rotator.google_project_iam_member.signify_secret_rotator_secret_version_adder: Refreshing state... [id=sap-kyma-prow/roles/secretmanager.secretVersionAdder/serviceAccount:signify-rotator@sap-kyma-prow.iam.gserviceaccount.com]
module

# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...

ceAccounts/secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com"
  "member" = "serviceAccount:secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com"
  "name" = "projects/sap-kyma-prow/serviceAccounts/secrets-rotator@sap-kyma-prow.iam.gserviceaccount.com"
  "project" = "sap-kyma-prow"
  "timeouts" = null /* object */
  "unique_id" = "111348641835057382688"
}
secrets_rotator_dead_letter_topic = {
  "effective_labels" = tomap({
    "application" = "secrets-rotator"
  })
  "id" = "projects/sap-kyma-prow/topics/secrets-rotator-dead-letter"
  "ingestion_data_source_settings" = tolist([])
  "kms_key_name" = ""
  "labels" = tomap({
    "application" = "secrets-rotator"
  })
  "message_retention_duration" = "86600s"
  "message_storage_policy" = tolist([
    {
      "allowed_persistence_regions" = tolist([
        "africa-south1",
        "asia-east1",
        "asia-east2",
        "asia-northeast1",
        "asia-northeast2",
        "asia-northeast3",
        "asia-south1",
        "asia-south2",
        "asia-southeast1",
        "asia-southeast2",
        "australia-southeast1",
        "australia-southeast2",
        "europe-central2",
        "europe-north1",
        "europe-southwest1",
        "europe-west1",
        "europe-west10",
        "europe-west12",
        "europe-west2",
        "europe-west3",
        "europe-west4",
        "europe-west6",
        "europe-west8",
        "europe-west9",
        "me-central1",
        "me-central2",
        "me-west1",
        "northamerica-northeast1",
        "northamerica-northeast2",
        "southamerica-east1",
        "southamerica-west1",
        "us-central1",
        "us-central2",
        "us-east1",
        "us-east4",
        "us-east5",
        "us-east7",
        "us-south1",
        "us-west1",
        "us-west2",
        "us-west3",
        "us-west4",
        "us-west8",
      ])
    },
  ])
  "name" = "secrets-rotator-dead-letter"
  "project" = "sap-kyma-prow"
  "schema_settings" = tolist([])
  "terraform_labels" = tomap({
    "application" = "secrets-rotator"
  })
  "timeouts" = null /* object */
}
service_account_keys_cleaner = {
  "service_account_keys_cleaner_cloud_run_service" = {
    "autogenerate_revision_name" = false
    "id" = "locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-cleaner"
    "location" = "europe-west4"
    "metadata" = tolist([
      {
        "annotations" = tomap({})
        "effective_annotations" = tomap({
          "run.googleapis.com/ingress" = "all"
          "run.googleapis.com/ingress-status" = "all"
          "run.googleapis.com/operation-id" = "040b9797-b227-4cfc-a4cd-0047bb534ea6"
          "run.googleapis.com/urls" = "[\"https://service-account-keys-cleaner-351981214969.europe-west4.run.app\",\"https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app\"]"
          "serving.knative.dev/creator" = "[email protected]"
          "serving.knative.dev/lastModifier" = "[email protected]"
        })
        "effective_labels" = tomap({
          "cloud.googleapis.com/location" = "europe-west4"
        })
        "generation" = 112
        "labels" = tomap({})
        "namespace" = "sap-kyma-prow"
        "resource_version" = "AAYlm3B3/DU"
        "self_link" = "/apis/serving.knative.dev/v1/namespaces/351981214969/services/service-account-keys-cleaner"
        "terraform_labels" = tomap({})
        "uid" = "b294b2a5-1c7d-4ab2-a8e3-ad27bbb0b00c"
      },
    ])
    "name" = "service-account-keys-cleaner"
    "project" = "sap-kyma-prow"
    "status" = tolist([
      {
        "conditions" = tolist([
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "Ready"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "ConfigurationsReady"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "RoutesReady"
          },
        ])
        "latest_created_revision_name" = "service-account-keys-cleaner-00112-9g4"
        "latest_ready_revision_name" = "service-account-keys-cleaner-00112-9g4"
        "observed_generation" = 112
        "traffic" = tolist([
          {
            "latest_revision" = true
            "percent" = 100
            "revision_name" = "service-account-keys-cleaner-00112-9g4"
            "tag" = ""
            "url" = ""
          },
        ])
        "url" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "template" = tolist([
      {
        "metadata" = tolist([
          {
            "annotations" = tomap({
              "autoscaling.knative.dev/maxScale" = "100"
            })
            "generation" = 0
            "labels" = tomap({
              "run.googleapis.com/startupProbeType" = "Default"
            })
            "name" = ""
            "namespace" = ""
            "resource_version" = ""
            "self_link" = ""
            "uid" = ""
          },
        ])
        "spec" = tolist([
          {
            "container_concurrency" = 80
            "containers" = tolist([
              {
                "args" = tolist([])
                "command" = tolist([])
                "env" = toset([
                  {
                    "name" = "APPLICATION_NAME"
                    "value" = "secrets-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "COMPONENT_NAME"
                    "value" = "service-account-keys-cleaner"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "LISTEN_PORT"
                    "value" = "8080"
                    "value_from" = tolist([])
                  },
                ])
                "env_from" = tolist([])
                "image" = "europe-docker.pkg.dev/kyma-project/prod/test-infra/service-account-keys-cleaner:v20241029-d255e05c"
                "liveness_probe" = tolist([])
                "name" = ""
                "ports" = tolist([
                  {
                    "container_port" = 8080
                    "name" = "http1"
                    "protocol" = ""
                  },
                ])
                "resources" = tolist([
                  {
                    "limits" = tomap({
                      "cpu" = "1000m"
                      "memory" = "512Mi"
                    })
                    "requests" = tomap({})
                  },
                ])
                "startup_probe" = tolist([
                  {
                    "failure_threshold" = 1
                    "grpc" = tolist([])
                    "http_get" = tolist([])
                    "initial_delay_seconds" = 0
                    "period_seconds" = 240
                    "tcp_socket" = tolist([
                      {
                        "port" = 8080
                      },
                    ])
                    "timeout_seconds" = 240
                  },
                ])
                "volume_mounts" = tolist([])
                "working_dir" = ""
              },
            ])
            "service_account_name" = "[email protected]"
            "serving_state" = ""
            "timeout_seconds" = 300
            "volumes" = tolist([])
          },
        ])
      },
    ])
    "timeouts" = null /* object */
    "traffic" = tolist([
      {
        "latest_revision" = true
        "percent" = 100
        "revision_name" = ""
        "tag" = ""
        "url" = ""
      },
    ])
  }
  "service_account_keys_cleaner_secheduler" = {
    "app_engine_http_target" = tolist([])
    "attempt_deadline" = "320s"
    "description" = "Call service account keys cleaner service, to remove old versions of secrets"
    "http_target" = tolist([
      {
        "body" = ""
        "headers" = tomap({})
        "http_method" = "GET"
        "oauth_token" = tolist([])
        "oidc_token" = tolist([
          {
            "audience" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app"
            "service_account_email" = "[email protected]"
          },
        ])
        "uri" = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app/?project=sap-kyma-prow&age=24"
      },
    ])
    "id" = "projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner"
    "name" = "service-account-keys-cleaner"
    "paused" = false
    "project" = "sap-kyma-prow"
    "pubsub_target" = tolist([])
    "region" = "europe-west3"
    "retry_config" = tolist([])
    "schedule" = "0 0 * * 1-5"
    "state" = "ENABLED"
    "time_zone" = "Etc/UTC"
    "timeouts" = null /* object */
  }
  "service_account_keys_cleaner_service_account" = {
    "account_id" = "sa-keys-cleaner"
    "create_ignore_already_exists" = tobool(null)
    "description" = "Identity of the service account keys rotator service."
    "disabled" = false
    "display_name" = ""
    "email" = "[email protected]"
    "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "member" = "serviceAccount:[email protected]"
    "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "project" = "sap-kyma-prow"
    "timeouts" = null /* object */
    "unique_id" = "101317727774651823048"
  }
}
service_account_keys_rotator = {
  "service_account_keys_rotator_cloud_run_service" = {
    "autogenerate_revision_name" = false
    "id" = "locations/europe-west4/namespaces/sap-kyma-prow/services/service-account-keys-rotator"
    "location" = "europe-west4"
    "metadata" = tolist([
      {
        "annotations" = tomap({})
        "effective_annotations" = tomap({
          "run.googleapis.com/ingress" = "all"
          "run.googleapis.com/ingress-status" = "all"
          "run.googleapis.com/operation-id" = "5b21c6d3-142e-4c88-abaf-d873ebf6a0f7"
          "run.googleapis.com/urls" = "[\"https://service-account-keys-rotator-351981214969.europe-west4.run.app\",\"https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app\"]"
          "serving.knative.dev/creator" = "[email protected]"
          "serving.knative.dev/lastModifier" = "[email protected]"
        })
        "effective_labels" = tomap({
          "cloud.googleapis.com/location" = "europe-west4"
        })
        "generation" = 111
        "labels" = tomap({})
        "namespace" = "sap-kyma-prow"
        "resource_version" = "AAYlm3B7uZ0"
        "self_link" = "/apis/serving.knative.dev/v1/namespaces/351981214969/services/service-account-keys-rotator"
        "terraform_labels" = tomap({})
        "uid" = "c91dbea8-bbbb-4f82-99f5-1f40befe699c"
      },
    ])
    "name" = "service-account-keys-rotator"
    "project" = "sap-kyma-prow"
    "status" = tolist([
      {
        "conditions" = tolist([
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "Ready"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "ConfigurationsReady"
          },
          {
            "message" = ""
            "reason" = ""
            "status" = "True"
            "type" = "RoutesReady"
          },
        ])
        "latest_created_revision_name" = "service-account-keys-rotator-00111-tsl"
        "latest_ready_revision_name" = "service-account-keys-rotator-00111-tsl"
        "observed_generation" = 111
        "traffic" = tolist([
          {
            "latest_revision" = true
            "percent" = 100
            "revision_name" = "service-account-keys-rotator-00111-tsl"
            "tag" = ""
            "url" = ""
          },
        ])
        "url" = "https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "template" = tolist([
      {
        "metadata" = tolist([
          {
            "annotations" = tomap({
              "autoscaling.knative.dev/maxScale" = "100"
            })
            "generation" = 0
            "labels" = tomap({
              "run.googleapis.com/startupProbeType" = "Default"
            })
            "name" = ""
            "namespace" = ""
            "resource_version" = ""
            "self_link" = ""
            "uid" = ""
          },
        ])
        "spec" = tolist([
          {
            "container_concurrency" = 80
            "containers" = tolist([
              {
                "args" = tolist([])
                "command" = tolist([])
                "env" = toset([
                  {
                    "name" = "APPLICATION_NAME"
                    "value" = "secrets-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "COMPONENT_NAME"
                    "value" = "service-account-keys-rotator"
                    "value_from" = tolist([])
                  },
                  {
                    "name" = "LISTEN_PORT"
                    "value" = "8080"
                    "value_from" = tolist([])
                  },
                ])
                "env_from" = tolist([])
                "image" = "europe-docker.pkg.dev/kyma-project/prod/test-infra/rotate-service-account:v20241029-d255e05c"
                "liveness_probe" = tolist([])
                "name" = ""
                "ports" = tolist([
                  {
                    "container_port" = 8080
                    "name" = "http1"
                    "protocol" = ""
                  },
                ])
                "resources" = tolist([
                  {
                    "limits" = tomap({
                      "cpu" = "1000m"
                      "memory" = "512Mi"
                    })
                    "requests" = tomap({})
                  },
                ])
                "startup_probe" = tolist([
                  {
                    "failure_threshold" = 1
                    "grpc" = tolist([])
                    "http_get" = tolist([])
                    "initial_delay_seconds" = 0
                    "period_seconds" = 240
                    "tcp_socket" = tolist([
                      {
                        "port" = 8080
                      },
                    ])
                    "timeout_seconds" = 240
                  },
                ])
                "volume_mounts" = tolist([])
                "working_dir" = ""
              },
            ])
            "service_account_name" = "[email protected]"
            "serving_state" = ""
            "timeout_seconds" = 300
            "volumes" = tolist([])
          },
        ])
      },
    ])
    "timeouts" = null /* object */
    "traffic" = tolist([
      {
        "latest_revision" = true
        "percent" = 100
        "revision_name" = ""
        "tag" = ""
        "url" = ""
      },
    ])
  }
  "service_account_keys_rotator_service_account" = {
    "account_id" = "sa-keys-rotator"
    "create_ignore_already_exists" = tobool(null)
    "description" = "Identity of the service account keys rotator service."
    "disabled" = false
    "display_name" = ""
    "email" = "[email protected]"
    "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "member" = "serviceAccount:[email protected]"
    "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
    "project" = "sap-kyma-prow"
    "timeouts" = null /* object */
    "unique_id" = "116267434130697196528"
  }
  "service_account_keys_rotator_service_account_iam" = {
    "condition" = tolist([])
    "etag" = "BwYlrohfiKQ="
    "id" = "sap-kyma-prow/roles/iam.serviceAccountKeyAdmin/serviceAccount:[email protected]"
    "member" = "serviceAccount:[email protected]"
    "project" = "sap-kyma-prow"
    "role" = "roles/iam.serviceAccountKeyAdmin"
  }
  "service_account_keys_rotator_subscription" = {
    "ack_deadline_seconds" = 20
    "bigquery_config" = tolist([])
    "cloud_storage_config" = tolist([])
    "dead_letter_policy" = tolist([
      {
        "dead_letter_topic" = "projects/sap-kyma-prow/topics/secrets-rotator-dead-letter"
        "max_delivery_attempts" = 15
      },
    ])
    "effective_labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "enable_exactly_once_delivery" = false
    "enable_message_ordering" = false
    "expiration_policy" = tolist([
      {
        "ttl" = "31556952s"
      },
    ])
    "filter" = "attributes.eventType = \"SECRET_ROTATE\""
    "id" = "projects/sap-kyma-prow/subscriptions/secrets-rotator-service-account-keys-rotator"
    "labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "message_retention_duration" = "604800s"
    "name" = "secrets-rotator-service-account-keys-rotator"
    "project" = "sap-kyma-prow"
    "push_config" = tolist([
      {
        "attributes" = tomap({})
        "no_wrapper" = tolist([])
        "oidc_token" = tolist([
          {
            "audience" = ""
            "service_account_email" = "[email protected]"
          },
        ])
        "push_endpoint" = "https://service-account-keys-rotator-q25ja7ch3q-ez.a.run.app"
      },
    ])
    "retain_acked_messages" = false
    "retry_policy" = tolist([
      {
        "maximum_backoff" = "600s"
        "minimum_backoff" = "300s"
      },
    ])
    "terraform_labels" = tomap({
      "application_name" = "secrets-rotator"
    })
    "timeouts" = null /* object */
    "topic" = "projects/sap-kyma-prow/topics/secret-manager-notifications"
  }
}
terraform_executor_gcp_prow_project_iam_member = {
  "condition" = tolist([])
  "etag" = "BwYlrohfiKQ="
  "id" = "sap-kyma-prow/roles/owner/serviceAccount:[email protected]"
  "member" = "serviceAccount:[email protected]"
  "project" = "sap-kyma-prow"
  "role" = "roles/owner"
}
terraform_executor_gcp_service_account = {
  "account_id" = "terraform-executor"
  "create_ignore_already_exists" = tobool(null)
  "description" = "Identity of terraform executor. It's mapped to k8s service account through workload identity."
  "disabled" = false
  "display_name" = "terraform-executor"
  "email" = "[email protected]"
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "member" = "serviceAccount:[email protected]"
  "name" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
  "project" = "sap-kyma-prow"
  "timeouts" = null /* object */
  "unique_id" = "109665069699011807029"
}
terraform_executor_gcp_workload_identity = {
  "condition" = tolist([])
  "etag" = "BwYhcY+T+/A="
  "id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
  "members" = toset([
    "principal://iam.googleapis.com/projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/subject/repository_id:147495537:repository_owner_id:39153523:workflow:Post Apply Prod Terraform",
  ])
  "role" = "roles/iam.workloadIdentityUser"
  "service_account_id" = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
}
trusted_workload_gatekeeper = <sensitive>
untrusted_workload_gatekeeper = <sensitive>

`

@Sawthis Sawthis assigned Sawthis and unassigned akiioto Oct 31, 2024
Labels
cla: yes Indicates the PR's author has signed the CLA. destroy lgtm Looks good to me! size/L Denotes a PR that changes 100-499 lines, ignoring generated files.