
More multi-env fixes #153

Merged
merged 1 commit into from
Aug 1, 2024

Conversation

DavidS-ovm
Contributor

No description provided.


github-actions bot commented Aug 1, 2024

Expected Changes

updated cloudfront-response-headers-policy › d557c300-7e8d-4192-bc43-ff52cc8bf08c
--- current
+++ planned
@@ -20,7 +20,7 @@
 custom_headers_config: []
 etag: E23ZP02F085DFQ
 id: d557c300-7e8d-4192-bc43-ff52cc8bf08c
-name: baseline
+name: baseline-terraform-example
 remove_headers_config: []
 security_headers_config: []
 server_timing_headers_config: []
updated cloudfront-distribution › E1502HZI8W2MD2
--- current
+++ planned
@@ -95,7 +95,7 @@
       custom_header: []
       custom_origin_config: []
       domain_name: s3-one-saved-clam20240801152542465600000006.s3.eu-west-2.amazonaws.com
-      origin_access_control_id: ""
+      origin_access_control_id: null
       origin_id: s3_one
       origin_path: ""
       origin_shield: []
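Review bot: the origin_access_control_id change from "" to null on the s3_one origin (and the same change on the appsync origin in the last hunk below) is the plan representing an unset attribute differently, not a change in behaviour: neither origin has an OAC attached before or after this plan, so these two lines need no action.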
@@ -106,7 +106,7 @@
       custom_header: []
       custom_origin_config: []
       domain_name: s3-one-saved-clam20240801152542465600000006.s3.eu-west-2.amazonaws.com
-      origin_access_control_id: E1W20NQLGWXEEG
+      origin_access_control_id: (known after apply)
       origin_id: s3_oac
       origin_path: ""
       origin_shield: []
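Review bot: the s3_oac origin moves from the existing OAC E1W20NQLGWXEEG to (known after apply), that is, the id of the OAC created under Unmapped Changes, so this distribution update now depends on that create succeeding. After apply, confirm the origin still carries a non-null origin_access_control_id; if the bucket relies on the OAC for CloudFront access, an origin left without one will start returning 403s.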
@@ -129,7 +129,7 @@
             - TLSv1.1
             - TLSv1.2
       domain_name: appsync.terraform-example.modules.tf
-      origin_access_control_id: ""
+      origin_access_control_id: null
       origin_id: appsync
       origin_path: ""
       origin_shield:
deleted cloudfront-origin-access-control › E1W20NQLGWXEEG
--- current
+++ planned
@@ -1,9 +1 @@
-description: CloudFront access to S3
-etag: ETVPDKIKX0DER
-id: E1W20NQLGWXEEG
-name: s3_oac
-origin_access_control_origin_type: s3
-signing_behavior: always
-signing_protocol: sigv4
-terraform_address: module.loom[0].module.cloudfront.aws_cloudfront_origin_access_control.this["s3_oac"]
-terraform_name: module.loom[0].module.cloudfront.aws_cloudfront_origin_access_control.this["s3_oac"]
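Review bot: this delete, together with the create of this["terraform-example"] under Unmapped Changes, is a for_each key rename rather than a real replacement: description, origin_access_control_origin_type, signing_behavior and signing_protocol are identical, and only name and the map key change from s3_oac to terraform-example. A moved block in the calling module (from = module.cloudfront.aws_cloudfront_origin_access_control.this["s3_oac"], to = module.cloudfront.aws_cloudfront_origin_access_control.this["terraform-example"]) would keep E1W20NQLGWXEEG in state and turn this into an in-place name update, which removes the High risk flagged below. If the delete is intentional, note that an OAC bucket policy is conditioned on the distribution ARN rather than the OAC id, so the bucket policy itself should not need changing.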

Unmapped Changes

Note

These changes couldn't be mapped to a discoverable cloud resource and therefore won't be included in the blast radius calculation.

created aws_ecs_service › module.loom[0].aws_ecs_service.face
--- current
+++ planned
@@ -1 +1,48 @@
+alarms: []
+capacity_provider_strategy:
+    - base: 0
+      capacity_provider: FARGATE
+      weight: 100
+cluster: arn:aws:ecs:eu-west-2:540044833068:cluster/example-terraform-example
+deployment_circuit_breaker: []
+deployment_controller: []
+deployment_maximum_percent: 200
+deployment_minimum_healthy_percent: 100
+desired_count: 1
+enable_ecs_managed_tags: false
+enable_execute_command: false
+force_new_deployment: null
+health_check_grace_period_seconds: null
+iam_role: (known after apply)
+id: (known after apply)
+launch_type: (known after apply)
+load_balancer:
+    - container_name: facial-recognition
+      container_port: 1234
+      elb_name: ""
+      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/facerec-terraform-example/7428ff8d1eb4eaa6
+name: facial-recognition
+network_configuration:
+    - assign_public_ip: false
+      security_groups:
+        - sg-0aa8311d87ea60770
+      subnets:
+        - subnet-00af1f54070115a74
+        - subnet-07f63bb5fe4eb9f6c
+        - subnet-095e3d51f93ed1028
+ordered_placement_strategy: []
+placement_constraints: []
+platform_version: (known after apply)
+propagate_tags: null
+scheduling_strategy: REPLICA
+service_connect_configuration: []
+service_registries: []
+tags: null
+tags_all: (known after apply)
+task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:1
+terraform_address: module.loom[0].aws_ecs_service.face
+terraform_name: module.loom[0].aws_ecs_service.face
+timeouts: null
+triggers: (known after apply)
+volume_configuration: []
+wait_for_steady_state: false
created aws_ecs_service › module.loom[0].aws_ecs_service.visit_counter
--- current
+++ planned
@@ -1 +1,48 @@
+alarms: []
+capacity_provider_strategy:
+    - base: 0
+      capacity_provider: FARGATE
+      weight: 100
+cluster: arn:aws:ecs:eu-west-2:540044833068:cluster/example-terraform-example
+deployment_circuit_breaker: []
+deployment_controller: []
+deployment_maximum_percent: 200
+deployment_minimum_healthy_percent: 100
+desired_count: 1
+enable_ecs_managed_tags: false
+enable_execute_command: false
+force_new_deployment: null
+health_check_grace_period_seconds: null
+iam_role: (known after apply)
+id: (known after apply)
+launch_type: (known after apply)
+load_balancer:
+    - container_name: visit-counter
+      container_port: 80
+      elb_name: ""
+      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/visit-counter-terraform-example/623c10e929eda530
+name: visit-counter
+network_configuration:
+    - assign_public_ip: false
+      security_groups:
+        - sg-0aa8311d87ea60770
+      subnets:
+        - subnet-00af1f54070115a74
+        - subnet-07f63bb5fe4eb9f6c
+        - subnet-095e3d51f93ed1028
+ordered_placement_strategy: []
+placement_constraints: []
+platform_version: (known after apply)
+propagate_tags: null
+scheduling_strategy: REPLICA
+service_connect_configuration: []
+service_registries: []
+tags: null
+tags_all: (known after apply)
+task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/visit-counter-terraform-example:1
+terraform_address: module.loom[0].aws_ecs_service.visit_counter
+terraform_name: module.loom[0].aws_ecs_service.visit_counter
+timeouts: null
+triggers: (known after apply)
+volume_configuration: []
+wait_for_steady_state: false
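Review bot: both new ECS services (facial-recognition above and visit-counter here) are created with deployment_circuit_breaker: [] and health_check_grace_period_seconds: null while attached to a load balancer, so a task that fails its target-group health check is simply replaced again and a bad image never rolls back automatically; add deployment_circuit_breaker { enable = true, rollback = true } and a grace period that matches the application's start-up time. assign_public_ip: false and enable_execute_command: false are the right defaults for Fargate tasks behind an ALB. tags: null on both services is a small follow-up if the rest of the stack is tagged.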
created aws_lb_listener_rule › module.loom[0].aws_lb_listener_rule.face
--- current
+++ planned
@@ -1 +1,26 @@
+action:
+    - authenticate_cognito: []
+      authenticate_oidc: []
+      fixed_response: []
+      forward: []
+      order: (known after apply)
+      redirect: []
+      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/facerec-terraform-example/7428ff8d1eb4eaa6
+      type: forward
+arn: (known after apply)
+condition:
+    - host_header:
+        - values:
+            - face-terraform-example.overmind-terraform-example.com
+      http_header: []
+      http_request_method: []
+      path_pattern: []
+      query_string: []
+      source_ip: []
+id: (known after apply)
+listener_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener/app/terraform-example/fb1fa96c2c59ddef/929045abf7a1e46a
+priority: 99
+tags: null
+tags_all: (known after apply)
+terraform_address: module.loom[0].aws_lb_listener_rule.face
+terraform_name: module.loom[0].aws_lb_listener_rule.face
created aws_lb_listener_rule › module.loom[0].aws_lb_listener_rule.visit_counter
--- current
+++ planned
@@ -1 +1,26 @@
+action:
+    - authenticate_cognito: []
+      authenticate_oidc: []
+      fixed_response: []
+      forward: []
+      order: (known after apply)
+      redirect: []
+      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/visit-counter-terraform-example/623c10e929eda530
+      type: forward
+arn: (known after apply)
+condition:
+    - host_header:
+        - values:
+            - visits-terraform-example.overmind-terraform-example.com
+      http_header: []
+      http_request_method: []
+      path_pattern: []
+      query_string: []
+      source_ip: []
+id: (known after apply)
+listener_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener/app/terraform-example/fb1fa96c2c59ddef/929045abf7a1e46a
+priority: 100
+tags: null
+tags_all: (known after apply)
+terraform_address: module.loom[0].aws_lb_listener_rule.visit_counter
+terraform_name: module.loom[0].aws_lb_listener_rule.visit_counter
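Review bot: priorities 99 and 100 are distinct, so the two rules do not conflict. Both rules match only on host_header and have empty authenticate_oidc and authenticate_cognito actions, so any client that can reach the terraform-example ALB listener with the matching Host header is forwarded straight to the facial-recognition service (container_port 1234) or visit-counter (container_port 80). If facial-recognition is not meant to be reachable by everyone who can reach the listener, add an authenticate_oidc action or a source_ip condition to the priority 99 rule, and confirm the listener referenced here is the HTTPS listener, since its protocol is not visible in this plan.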
created aws_cloudfront_origin_access_control › module.loom[0].module.cloudfront.aws_cloudfront_origin_access_control.this["terraform-example"]
--- current
+++ planned
@@ -1 +1,9 @@
+description: CloudFront access to S3
+etag: (known after apply)
+id: (known after apply)
+name: terraform-example
+origin_access_control_origin_type: s3
+signing_behavior: always
+signing_protocol: sigv4
+terraform_address: module.loom[0].module.cloudfront.aws_cloudfront_origin_access_control.this["terraform-example"]
+terraform_name: module.loom[0].module.cloudfront.aws_cloudfront_origin_access_control.this["terraform-example"]

Blast Radius

Items: 27
Edges: 27


Risks

Risk of Deleted CloudFront Origin Access Control 'E1W20NQLGWXEEG' [High]

The deletion of the CloudFront origin access control E1W20NQLGWXEEG, which controls access to the S3 bucket (s3-one-saved-clam20240801152542465600000006), poses a significant risk. Without proper access control, content delivery from this S3 bucket might be unrestricted, potentially exposing sensitive data or leading to unauthorized access.

The current configuration includes an origin access identity for secure access, which is essential in maintaining strict security controls. Ensure that the new access control (terraform-example) replacing it has the same or improved security measures.

Additionally, verify that the new origin access control integrates seamlessly with existing policies and configurations to prevent any interruption or degradation in content delivery services.

Introduction of New ECS Service 'visit-counter' May Impact Load Balancing [Medium]

The creation of a new ECS service visit-counter with a load balancer pointing to a specific target group (visit-counter-terraform-example) introduces the risk of misconfigurations. The load balancer is configured with a container_port of 80. Ensure that the application within the ECS service listens on this port and that it is correctly registered with the target group. Any misconfiguration could lead to service unavailability or misrouted traffic.

Furthermore, the network configuration specifies that no public IP is assigned and uses specific security groups and subnets. Verify that these security groups (e.g., sg-0aa8311d87ea60770) have the appropriate inbound and outbound rules to facilitate the required traffic flow.

The current infrastructure includes multiple other ECS services and load balancer rules, and it is crucial to ensure that there are no conflicts or unexpected behaviors introduced by this new service.

Potential Instability Due to CloudFront Response Headers Policy Name Change [Medium]

Changing the name of the CloudFront response headers policy from baseline to baseline-terraform-example may introduce tracking and management issues. Although renaming an AWS resource does not directly affect its functionality, it could cause confusion or inconsistencies in automation scripts, monitoring tools, or documentation that rely on the original name.

Specifically, all references to the baseline policy within Terraform, CI/CD pipelines, and monitoring configurations should be updated to reflect the new name baseline-terraform-example. Failure to do so could result in errors or issues related to resource identification, leading to potential downtime or incorrect policy applications.

The current configuration references the policy as baseline; any dependencies or scripts that reflect this should be reviewed and updated accordingly.

Introduction of New ECS Service 'facial-recognition' May Impact Load Balancing [Medium]

The creation of a new ECS service facial-recognition with a load balancer pointing to a specific target group (facerec-terraform-example) introduces the risk of misconfigurations. The load balancer is configured with a container_port of 1234. Ensure that the application within the ECS service listens on this port and that it is correctly registered with the target group. Any misconfiguration could lead to service unavailability or misrouted traffic.

Furthermore, the network configuration specifies that no public IP is assigned and uses specific security groups and subnets. Verify that these security groups (e.g., sg-0aa8311d87ea60770) have the appropriate inbound and outbound rules to facilitate the required traffic flow.

The current infrastructure includes multiple other ECS services and load balancer rules, and it is crucial to ensure that there are no conflicts or unexpected behaviors introduced by this new service.

@DavidS-ovm DavidS-ovm merged commit 1407c85 into main Aug 1, 2024
3 checks passed
@DavidS-ovm DavidS-ovm deleted the fixes branch August 1, 2024 16:19