
Conversation

@Navapon (Owner) commented Jan 24, 2025

Try changing instance type

@github-actions (Contributor)

Change detected in the following directories: community-days/live/introduction-ec2 🚀

Terraform Initialization ⚙️ success

Terraform Plan 📖 success

[command]/home/runner/work/_temp/89070aac-0b06-43d4-863a-5db7490a7aa6/terraform-bin plan -no-color -input=false
data.aws_ami.al2023_arm64: Reading...
data.aws_ami.al2023_arm64: Read complete after 1s [id=ami-0108a6e81eb53e799]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_instance.community_demo will be created
  + resource "aws_instance" "community_demo" {
      + ami                                  = "ami-0108a6e81eb53e799"
      + arn                                  = (known after apply)
      + associate_public_ip_address          = true
      + availability_zone                    = (known after apply)
      + cpu_core_count                       = (known after apply)
      + cpu_threads_per_core                 = (known after apply)
      + disable_api_stop                     = (known after apply)
      + disable_api_termination              = (known after apply)
      + ebs_optimized                        = (known after apply)
      + enable_primary_ipv6                  = (known after apply)
      + get_password_data                    = false
      + host_id                              = (known after apply)
      + host_resource_group_arn              = (known after apply)
      + iam_instance_profile                 = (known after apply)
      + id                                   = (known after apply)
      + instance_initiated_shutdown_behavior = (known after apply)
      + instance_lifecycle                   = (known after apply)
      + instance_state                       = (known after apply)
      + instance_type                        = "t4g.large"
      + ipv6_address_count                   = (known after apply)
      + ipv6_addresses                       = (known after apply)
      + key_name                             = (known after apply)
      + monitoring                           = (known after apply)
      + outpost_arn                          = (known after apply)
      + password_data                        = (known after apply)
      + placement_group                      = (known after apply)
      + placement_partition_number           = (known after apply)
      + primary_network_interface_id         = (known after apply)
      + private_dns                          = (known after apply)
      + private_ip                           = (known after apply)
      + public_dns                           = (known after apply)
      + public_ip                            = (known after apply)
      + secondary_private_ips                = (known after apply)
      + security_groups                      = (known after apply)
      + source_dest_check                    = true
      + spot_instance_request_id             = (known after apply)
      + subnet_id                            = (known after apply)
      + tags                                 = {
          + "Project" = "community-days"
          + "Team"    = null
        }
      + tags_all                             = (known after apply)
      + tenancy                              = (known after apply)
      + user_data                            = (known after apply)
      + user_data_base64                     = (known after apply)
      + user_data_replace_on_change          = false
      + vpc_security_group_ids               = (known after apply)

      + capacity_reservation_specification (known after apply)

      + cpu_options (known after apply)

      + ebs_block_device (known after apply)

      + enclave_options (known after apply)

      + ephemeral_block_device (known after apply)

      + instance_market_options (known after apply)

      + maintenance_options (known after apply)

      + metadata_options (known after apply)

      + network_interface (known after apply)

      + private_dns_name_options (known after apply)

      + root_block_device {
          + delete_on_termination = true
          + device_name           = (known after apply)
          + encrypted             = (known after apply)
          + iops                  = (known after apply)
          + kms_key_id            = (known after apply)
          + tags_all              = (known after apply)
          + throughput            = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = 30
          + volume_type           = "gp3"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
::debug::Terraform exited with code 0.
::debug::stderr: 
::debug::exitcode: 0

Pushed by: @Navapon, Action: pull_request

@github-actions (Contributor)

Run pre-commit at community-days/live/introduction-ec2
Location: /home/runner/work/terraform-precommit/terraform-precommit/community-days/live/introduction-ec2

[INFO] Initializing environment for https://github.com/pre-commit/pre-commit-hooks.
[INFO] Initializing environment for https://github.com/gitleaks/gitleaks.
[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
[INFO] Installing environment for https://github.com/pre-commit/pre-commit-hooks.
[INFO] Once installed this environment will be reused.
[INFO] This may take a few minutes...
[INFO] Installing environment for https://github.com/gitleaks/gitleaks.
[INFO] Once installed this environment will be reused.
[INFO] This may take a few minutes...
check yaml...........................................(no files to check)Skipped
fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
check for added large files..............................................Passed
detect private key.......................................................Passed
Detect hardcoded secrets.................................................Passed
Terraform fmt............................................................Passed
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Failed
- hook id: terraform_tflint
- exit code: 2

Command 'tflint --init' successfully done:
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.10.0)
Installing "aws" plugin...
Installed "aws" (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.37.0)



TFLint in community-days/live/introduction-ec2/:
4 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on main.tf line 19:
  19: resource "aws_instance" "community_demo" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_required_providers.md

Warning: Module should include an empty outputs.tf file (terraform_standard_module_structure)

  on outputs.tf line 1:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_standard_module_structure.md

Warning: Module should include an empty variables.tf file (terraform_standard_module_structure)

  on variables.tf line 1:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.10.0/docs/rules/terraform_standard_module_structure.md

Terraform validate.......................................................Passed
Terraform validate with trivy............................................Failed
- hook id: terraform_trivy
- exit code: 1

2025-01-24T17:11:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-24T17:11:04Z	INFO	[misconfig] Need to update the built-in checks
2025-01-24T17:11:04Z	INFO	[misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-24T17:11:06Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-24T17:11:06Z	INFO	Detected config files	num=2

main.tf (terraform)
===================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 main.tf:19-35
────────────────────────────────────────
  19 ┌ resource "aws_instance" "community_demo" {
  20 │   instance_type = "t4g.large"
  21 │   # instance_type = var.instance_type
  22 │   ami = data.aws_ami.al2023_arm64.id
  23 │ 
  24 │   associate_public_ip_address = true
  25 │ 
  26 │   root_block_device {
  27 └     volume_size = 30
  ..   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 main.tf:19-35
────────────────────────────────────────
  19 ┌ resource "aws_instance" "community_demo" {
  20 │   instance_type = "t4g.large"
  21 │   # instance_type = var.instance_type
  22 │   ami = data.aws_ami.al2023_arm64.id
  23 │ 
  24 │   associate_public_ip_address = true
  25 │ 
  26 │   root_block_device {
  27 └     volume_size = 30
  ..   
────────────────────────────────────────

Checkov..................................................................Failed
- hook id: terraform_checkov
- exit code: 1

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.352 
Update available 3.2.352 -> 3.2.357
Run pip3 install -U checkov to update 


terraform scan results:

Passed checks: 1, Failed checks: 5, Skipped checks: 0

Check: CKV_AWS_46: "Ensure no hard-coded secrets exist in EC2 user data"
	PASSED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-1
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		19 | resource "aws_instance" "community_demo" {
		20 |   instance_type = "t4g.large"
		21 |   # instance_type = var.instance_type
		22 |   ami = data.aws_ami.al2023_arm64.id
		23 | 
		24 |   associate_public_ip_address = true
		25 | 
		26 |   root_block_device {
		27 |     volume_size = 30
		28 |     volume_type = "gp3"
		29 |   }
		30 | 
		31 |   tags = {
		32 |     "Project" = "community-days",
		33 |     "Team"    = ""
		34 |   }
		35 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances

		19 | resource "aws_instance" "community_demo" {
		20 |   instance_type = "t4g.large"
		21 |   # instance_type = var.instance_type
		22 |   ami = data.aws_ami.al2023_arm64.id
		23 | 
		24 |   associate_public_ip_address = true
		25 | 
		26 |   root_block_device {
		27 |     volume_size = 30
		28 |     volume_type = "gp3"
		29 |   }
		30 | 
		31 |   tags = {
		32 |     "Project" = "community-days",
		33 |     "Team"    = ""
		34 |   }
		35 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		19 | resource "aws_instance" "community_demo" {
		20 |   instance_type = "t4g.large"
		21 |   # instance_type = var.instance_type
		22 |   ami = data.aws_ami.al2023_arm64.id
		23 | 
		24 |   associate_public_ip_address = true
		25 | 
		26 |   root_block_device {
		27 |     volume_size = 30
		28 |     volume_type = "gp3"
		29 |   }
		30 | 
		31 |   tags = {
		32 |     "Project" = "community-days",
		33 |     "Team"    = ""
		34 |   }
		35 | }

Check: CKV_AWS_88: "EC2 instance should not have public IP."
	FAILED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-12

		19 | resource "aws_instance" "community_demo" {
		20 |   instance_type = "t4g.large"
		21 |   # instance_type = var.instance_type
		22 |   ami = data.aws_ami.al2023_arm64.id
		23 | 
		24 |   associate_public_ip_address = true
		25 | 
		26 |   root_block_device {
		27 |     volume_size = 30
		28 |     volume_type = "gp3"
		29 |   }
		30 | 
		31 |   tags = {
		32 |     "Project" = "community-days",
		33 |     "Team"    = ""
		34 |   }
		35 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.community_demo
	File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		19 | resource "aws_instance" "community_demo" {
		20 |   instance_type = "t4g.large"
		21 |   # instance_type = var.instance_type
		22 |   ami = data.aws_ami.al2023_arm64.id
		23 | 
		24 |   associate_public_ip_address = true
		25 | 
		26 |   root_block_device {
		27 |     volume_size = 30
		28 |     volume_type = "gp3"
		29 |   }
		30 | 
		31 |   tags = {
		32 |     "Project" = "community-days",
		33 |     "Team"    = ""
		34 |   }
		35 | }

Infracost breakdown......................................................Passed
- hook id: infracost_breakdown
- duration: 1.3s

2025-01-24T17:11:15Z INFO Autodetected 1 Terraform project across 1 root module
2025-01-24T17:11:15Z INFO Found Terraform project "main" at directory "." using Terraform var files "prod.tfvars", "dev.tfvars"


Running in "community-days/live"

Summary: {
  "totalDetectedResources": 0,
  "totalSupportedResources": 0,
  "totalUnsupportedResources": 0,
  "totalUsageBasedResources": 0,
  "totalNoPriceResources": 0,
  "unsupportedResourceCounts": {},
  "noPriceResourceCounts": {}
}

Total Monthly Cost:        0 USD
Total Monthly Cost (diff): 0 USD
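The plan above shows `metadata_options` and `root_block_device.encrypted` as "(known after apply)" and `associate_public_ip_address = true`, which is exactly what trivy (AVD-AWS-0028, AVD-AWS-0131), checkov (CKV_AWS_79, CKV_AWS_88, CKV_AWS_126, CKV_AWS_135, CKV2_AWS_41) and tflint (terraform_required_version, terraform_required_providers) flag in the pre-commit run. The following is an added example of a hardened `main.tf`, not code from this repository or from the PR author: it keeps the instance type, AMI data source, volume settings and tags from the scanner excerpts and adds the setting each finding asks for. The provider version constraint, the IAM role and instance-profile names, and the choice of the AWS-managed `AmazonSSMManagedInstanceCore` policy are assumptions made for the example.

```hcl
# Added example (not the repository's own code). Assumptions: the provider
# version constraint, the role/profile names and the SSM-only IAM policy.

terraform {
  required_version = ">= 1.5.0" # tflint: terraform_required_version

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # tflint: terraform_required_providers (assumed constraint)
    }
  }
}

# Minimal role so the box can be reached via SSM Session Manager instead of
# a public IP plus SSH. Assumed name; only the AWS-managed SSM core policy.
resource "aws_iam_role" "community_demo" {
  name = "community-demo-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.community_demo.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "community_demo" {
  name = "community-demo-instance"
  role = aws_iam_role.community_demo.name
}

resource "aws_instance" "community_demo" {
  instance_type = "t4g.large"
  ami           = data.aws_ami.al2023_arm64.id

  # CKV_AWS_88: no public IP; operators connect through SSM.
  associate_public_ip_address = false

  # CKV2_AWS_41: instance role, scoped to SSM only.
  iam_instance_profile = aws_iam_instance_profile.community_demo.name

  # CKV_AWS_126 / CKV_AWS_135
  monitoring    = true
  ebs_optimized = true

  # AVD-AWS-0028 / CKV_AWS_79: IMDSv2 only. A hop limit of 1 also keeps the
  # token response from reaching containers that route through the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  # AVD-AWS-0131: encrypt the root volume. Without kms_key_id the account's
  # default EBS key (aws/ebs) is used.
  root_block_device {
    volume_size = 30
    volume_type = "gp3"
    encrypted   = true
  }

  tags = {
    Project = "community-days"
    Team    = ""
  }
}
```

With `http_tokens = "required"` every metadata request must first obtain a session token with a PUT, so an SSRF in a service on the instance can no longer read `/latest/meta-data/iam/security-credentials/` with a plain GET. Both `associate_public_ip_address` and `root_block_device.encrypted` force replacement of an already-created instance, so the next plan should show `-/+` for the resource rather than `~`; save it with `terraform plan -out=tfplan` and apply that file so the reviewed plan is the one that runs, which also removes the "You didn't use the -out option" note above. The two remaining tflint warnings go away by adding `variables.tf` and `outputs.tf` files, which may be empty.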
