Updated health check #115

Closed

dylanratcliffe
Member

No description provided.

github-actions bot commented May 24, 2024

Expected Changes (mapped)

updated iam-role › terraform-example
--- current
+++ planned
@@ -1,7 +1,7 @@
 arn: arn:aws:iam::540044833068:role/terraform-example
-assume_role_policy: '{"Statement":[{"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:overmindtech/terraform-example:*"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::540044833068:oidc-provider/token.actions.githubusercontent.com"},"Sid":"AllowGithubOIDC"},{"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"app.terraform.io:aud":"aws.workload.identity"},"StringLike":{"app.terraform.io:sub":"organization:Overmind:project:Example:workspace:terraform-example:run_phase:*"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::540044833068:oidc-provider/app.terraform.io"},"Sid":"AllowTerraformOIDC"}],"Version":"2012-10-17"}'
+assume_role_policy: '{"Statement":[{"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:overmindtech/terraform-example:*"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::540044833068:oidc-provider/token.actions.githubusercontent.com"},"Sid":"AllowGithubOIDC"}],"Version":"2012-10-17"}'
 create_date: "2023-08-18T13:48:07Z"
-description: This is the role used by terraform running on github actions or Terraform Cloud to deploy.
+description: This is the role used by terraform running on github actions to deploy.
 force_detach_policies: false
 id: terraform-example
 inline_policy:
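
Review bot: the `+assume_role_policy` line removes the whole `AllowTerraformOIDC` statement, a trust change that the PR title ("Updated health check") does not cover and that the PR gives no description for. Say in the description that Terraform Cloud runs will no longer be able to assume `terraform-example`, or move the trust change to its own PR so it is reviewed on its own. The statement that remains still matches `"token.actions.githubusercontent.com:sub":"repo:overmindtech/terraform-example:*"` under `StringLike`, so a workflow run from any branch, tag, pull request or environment in that repository satisfies the condition; if only one branch or environment deploys, narrow the pattern to it.
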
replaced ecs-task-definition › facial-recognition
--- current
+++ planned
@@ -1,26 +1,16 @@
-arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition:48
-arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition
-container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"volumesFrom":[]}]'
+container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:8080"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
 cpu: "1024"
 ephemeral_storage: []
-execution_role_arn: ""
 family: facial-recognition
-id: facial-recognition
 inference_accelerator: []
-ipc_mode: ""
 memory: "2048"
 network_mode: awsvpc
-pid_mode: ""
 placement_constraints: []
 proxy_configuration: []
 requires_compatibilities:
     - FARGATE
-revision: 48
 runtime_platform: []
 skip_destroy: false
-tags: {}
-tags_all: {}
-task_role_arn: ""
 terraform_address: module.loom[0].aws_ecs_task_definition.face
 terraform_name: module.loom[0].aws_ecs_task_definition.face
 track_latest: false
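
Review bot: the new `healthCheck` command in the `+container_definitions` line probes `localhost:8080` while `portMappings` on the same line still declares `"containerPort":1234`, so the check targets a port the task definition does not say the container listens on. If the application has moved to 8080, change `containerPort` in the same commit; if it has not, keep the check on 1234. The container is marked `"essential":true` with `"retries":3`, so a check that can never succeed marks the task unhealthy. The new mapping also drops `"hostPort":1234` and `"protocol":"tcp"`; state in the PR whether that is intended.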

Unmapped Changes

Note

These changes couldn't be mapped to a discoverable cloud resource and therefore won't be included in the blast radius calculation.

deleted aws_iam_openid_connect_provider › tfc_provider
--- current
+++ planned
@@ -1,11 +1 @@
-arn: arn:aws:iam::540044833068:oidc-provider/app.terraform.io
-client_id_list:
-    - aws.workload.identity
-id: arn:aws:iam::540044833068:oidc-provider/app.terraform.io
-tags: {}
-tags_all: {}
-terraform_address: aws_iam_openid_connect_provider.tfc_provider
-terraform_name: tfc_provider
-thumbprint_list:
-    - 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
-url: app.terraform.io
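
Review bot: deleting `aws_iam_openid_connect_provider.tfc_provider` is not mentioned anywhere in the PR, and because it is listed under unmapped changes it is left out of the blast radius calculation. Before applying, confirm that no role other than `terraform-example` names `arn:aws:iam::540044833068:oidc-provider/app.terraform.io` as a federated principal, and record in the description that Terraform Cloud federation for this account is being removed on purpose.
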
updated aws_ecs_service › module.loom[0].aws_ecs_service.face
--- current
+++ planned
@@ -41,7 +41,6 @@
 service_registries: []
 tags: {}
 tags_all: {}
-task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition:48
 terraform_address: module.loom[0].aws_ecs_service.face
 terraform_name: module.loom[0].aws_ecs_service.face
 triggers: {}
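
Review bot: the `-task_definition` line removes the pin to revision `facial-recognition:48` and the plan shows no replacement value, so the service moves to the replaced task definition in the same apply as the health check change. Confirm the container answers on the port the new health check probes before this reaches the live service, since this hunk does not show which revision the service ends up on.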

Blast Radius

Items: 32, Edges: 33

Risks

Change in Health Check Command for Facial-Recognition App [High]

The health check command for the facial-recognition ECS task has been changed from checking the localhost on port 1234 to port 8080. If the application is only operating on port 1234 as per the port mapping configuration, this might result in failed health checks, leading to the ECS task being marked as unhealthy and causing potential downtime or degraded performance.

Affected Application: facial-recognition available at face.overmind-terraform-example.com

Reduced Role Scope for Terraform IAM Role [Medium]

The assume role policy for the IAM role terraform-example has been modified to remove the assumption from terraform.io. This means that only GitHub Actions can assume this role, which may limit the ability to deploy using Terraform Cloud, potentially impacting automation routines that rely on Terraform Cloud.

Affected Application: This might affect the overall automation and deployment processes for all managed infrastructure, including the facial-recognition and visit-counter applications.

dylanratcliffe deleted the dylanratcliffe-patch-1 branch on June 25, 2024 12:24