This repository was archived by the owner on May 16, 2026. It is now read-only.

Fix service-repo module and exclude GitHub provider 6.7.3#275

Merged: akuzminsky merged 4 commits into main from fix-service-repo on May 5, 2026

Conversation

@akuzminsky (Collaborator) commented May 5, 2026

Summary

  • Exclude GitHub provider 6.7.3 (!= 6.7.3) — causes destroy_on_drift bug on github_actions_secret (#2387)
  • Hardcode template repo (terraform-root-template) and owner (infrahouse) in the service-repo module
  • Document GitHub Team plan requirement for rulesets/environments on private repos

Test plan

  • terraform plan no longer shows destroy_on_drift changes on existing secrets
  • aws-service-infrahouse-app repo applies successfully (environments, rulesets)

🤖 Generated with Claude Code

Exclude GitHub provider 6.7.3 which causes "Root object was present,
but now absent" on github_actions_secret due to destroy_on_drift bug.
Hardcode template repo name and owner in the service-repo module.
Document GitHub Team plan requirement for private repos with rulesets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
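The version exclusion the summary refers to, shown as a Terraform `required_providers` block. This is an added illustration, not code from the github-control repository; the provider source and the excluded release (6.7.3) come from the PR, while the `~> 6.0` base constraint and the surrounding block are assumptions about how the module is pinned.

```hcl
# Added example (not from the infrahouse/github-control repository): keep the
# GitHub provider on a supported major line while skipping one broken release.
# The "~> 6.0" base constraint is an assumption; the PR only states "!= 6.7.3".

terraform {
  required_providers {
    github = {
      source = "integrations/github"

      # Before: any 6.x release qualifies, so a fresh init can select 6.7.3,
      # and every github_actions_secret then shows up in the plan as
      # "Root object was present, but now absent" (the destroy_on_drift bug).
      # version = "~> 6.0"

      # After: stay on 6.x but never select 6.7.3. Both constraints must hold,
      # so the newest 6.x release other than 6.7.3 is chosen.
      version = "~> 6.0, != 6.7.3"
    }
  }
}
```

Changing the constraint alone is not enough if `.terraform.lock.hcl` already records 6.7.3: run `terraform init -upgrade` so the lock file moves to a release that satisfies the new constraint, commit the updated lock file, and confirm with `terraform plan` that no secrets are scheduled for destruction before applying.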
github-actions Bot commented May 5, 2026

State s3://infrahouse-github-control-state/terraform.tfstate

Affected resources counts

| Success | 🟢 Add | 🟡 Change | Destroy |
|---|---|---|---|
| ✅ | 7 | 1 | 0 |

Affected resources by action

| Action | Resource |
|---|---|
| 🟢 | module.aws_service_infrahouse_app.github_repository_environment.cd["sandbox"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_environment.ci["sandbox"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.secrets_scanner[0] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.terraform_drift[0] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.terraform_drift_wrapper[0] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.vuln_scanner[0] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_ruleset.main |
| 🟡 | github_organization_settings.infrahouse |
STDOUT
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # github_organization_settings.infrahouse will be updated in-place
  ~ resource "github_organization_settings" "infrahouse" {
      ~ billing_email                                                = "aleksandr.kuzminsky@gmail.com" -> "billing@infrahouse.com"
        id                                                           = "121984263"
        name                                                         = "InfraHouse"
        # (24 unchanged attributes hidden)
    }

  # module.aws_service_infrahouse_app.github_repository_environment.cd["sandbox"] will be created
  + resource "github_repository_environment" "cd" {
      + can_admins_bypass   = true
      + environment         = "live-sandbox"
      + id                  = (known after apply)
      + prevent_self_review = false
      + repository          = "aws-service-infrahouse-app"
      + repository_id       = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_environment.ci["sandbox"] will be created
  + resource "github_repository_environment" "ci" {
      + can_admins_bypass   = true
      + environment         = "continuous-integration-sandbox"
      + id                  = (known after apply)
      + prevent_self_review = false
      + repository          = "aws-service-infrahouse-app"
      + repository_id       = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_file.secrets_scanner[0] will be created
  + resource "github_repository_file" "secrets_scanner" {
      + autocreate_branch_source_sha = (known after apply)
      + branch                       = (known after apply)
      + commit_message               = "Add secrets-scanner.yml workflow"
      + commit_sha                   = (known after apply)
      + content                      = <<-EOT
            # This file is managed by Terraform in github-control repository
            # Do not edit this file, all changes will be overwritten
            ---
            name: Leaked Secrets Scan
            on:  # yamllint disable-line rule:truthy
              pull_request:
              merge_group:
                branches: [main]
            
            jobs:
              TruffleHog:
                runs-on: ubuntu-latest
                steps:
                  - name: Checkout code
                    uses: actions/checkout@v6
                    with:
                      fetch-depth: 0
                  - name: TruffleHog OSS
                    uses: trufflesecurity/trufflehog@main
                    with:
                      path: ./
                      base: ${{ github.event.repository.default_branch }}
                      head: HEAD
                      extra_args: --only-verified
        EOT
      + file                         = ".github/workflows/secrets-scanner.yml"
      + id                           = (known after apply)
      + overwrite_on_create          = true
      + ref                          = (known after apply)
      + repository                   = "aws-service-infrahouse-app"
      + repository_id                = (known after apply)
      + sha                          = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_file.terraform_drift[0] will be created
  + resource "github_repository_file" "terraform_drift" {
      + autocreate_branch_source_sha = (known after apply)
      + branch                       = (known after apply)
      + commit_message               = "Add terraform-drift.yml workflow"
      + commit_sha                   = (known after apply)
      + content                      = <<-EOT
            ---
            name: "Terraform Drift Detection"
            
            on:  # yamllint disable-line rule:truthy
              workflow_call:
                inputs:
                  env:
                    type: "string"
                    required: true
            
            permissions:
              id-token: "write"  # This is required for requesting the JWT
              contents: "write"
              pull-requests: "write"
              issues: "write"  # Required to create and apply labels
            
            concurrency:
              group: "terraform-drift-${{ inputs.env }}"
              cancel-in-progress: false
            
            jobs:
              terraform-drift:
                name: "Terraform Drift Detection"
                runs-on: ubuntu-24.04
                environment: "continuous-integration-${{ inputs.env }}"
                timeout-minutes: 15
                env:
                  GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
                  REGION_JSON: "${{ vars.AWS_DEFAULT_REGION }}"
            
                defaults:
                  run:
                    shell: "bash"
                    working-directory: "environments/${{ inputs.env }}"
            
                steps:
                  - name: "Checkout"
                    uses: "actions/checkout@v6"
            
                  - name: "Extract Variables"
                    id: "extract_vars"
                    env:
                      REGION_JSON_CONTENT: ${{ env.REGION_JSON }}
                      TARGET_ENV: ${{ inputs.env }}
                    run: |
                      REGION=$(echo "$REGION_JSON_CONTENT" | jq -r ".${TARGET_ENV}")
                      echo "REGION=$REGION" >> "$GITHUB_OUTPUT"
            
                  - name: "Configure AWS Credentials"
                    uses: "aws-actions/configure-aws-credentials@v6"
                    with:
                      role-to-assume: "${{ vars.ROLE_GITHUB }}"
                      role-session-name: "github-actions-${{ inputs.env }}"
                      aws-region: "${{ steps.extract_vars.outputs.REGION }}"
            
                  - name: "Set Terraform version"
                    id: "terraform_version"
                    run: |
                      echo "IH_TF_VERSION=$(cat .terraform-version)" >> "$GITHUB_OUTPUT"
            
                  - name: "Setup Terraform"
                    uses: "hashicorp/setup-terraform@v4"
                    with:
                      terraform_version: "${{ steps.terraform_version.outputs.IH_TF_VERSION }}"
            
                  - name: "Set up Python"
                    uses: "actions/setup-python@v6"
                    with:
                      python-version: "3.14"
            
                  - name: "Setup Python Environment"
                    run: |
                      make bootstrap-ci
            
                  - name: "Terraform Init"
                    run: |
                      terraform init -input=false
            
                  - name: "Check if any changes are planned"
                    id: "check_drift"
                    run: |
                      terraform plan -no-color -input=false -detailed-exitcode
            
                  - name: Cleanup working dir
                    run: git clean -df
            
                  - name: "Record Config Drift Log Entry"
                    if: "steps.check_drift.outputs.exitcode == 2"
                    run: |
                      git \
                      -c user.name="${{ github.actor }}" \
                      -c user.email="${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" \
                      commit -m "Reconcile configuration drift" --allow-empty
            
                  - name: "Check for open PR with label"
                    id: "check_label"
                    if: "steps.check_drift.outputs.exitcode == 2"
                    run: |
                      LABEL="config-drift"
                      REPO="${{ github.repository }}"
                      COUNT=$(gh pr list --repo "$REPO" --label "$LABEL" --state open --json number --jq 'length')
                      echo "Found $COUNT open PR(s) with label '$LABEL'"
                      if [[ $COUNT -gt 0 ]]; then
                        echo "label_exists=true" >> $GITHUB_OUTPUT
                      else
                        echo "label_exists=false" >> $GITHUB_OUTPUT
                      fi
            
                  - name: "Create Pull Request"
                    if: "steps.check_label.outputs.label_exists == 'false'"
                    uses: "peter-evans/create-pull-request@v8"
                    with:
                      token: "${{ steps.app-token.outputs.token }}"
                      base: "main"
                      branch: "create-pull-request/config-drift"
                      title: "[config-drift] Reconcile Terraform configuration drift in ${{ inputs.env }}"
                      commit-message: "[config-drift] Configuration drift record for ${{ inputs.env }}"
                      team-reviewers: "devops-members"
                      labels: |
                        config-drift
        EOT
      + file                         = ".github/workflows/terraform-drift.yml"
      + id                           = (known after apply)
      + overwrite_on_create          = true
      + ref                          = (known after apply)
      + repository                   = "aws-service-infrahouse-app"
      + repository_id                = (known after apply)
      + sha                          = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_file.terraform_drift_wrapper[0] will be created
  + resource "github_repository_file" "terraform_drift_wrapper" {
      + autocreate_branch_source_sha = (known after apply)
      + branch                       = (known after apply)
      + commit_message               = "Add terraform-drift-wrapper.yml workflow"
      + commit_sha                   = (known after apply)
      + content                      = <<-EOT
            ---
            name: "[Meta] Terraform Drift Detection"
            
            on:
              workflow_dispatch:
              schedule:
                # Runs daily at 10:XX AM UTC
                - cron: "57 10 * * *"
            
            jobs:
              config-drift-check:
                strategy:
                  matrix:
                    env: ["sandbox"]
                uses: "./.github/workflows/terraform-drift.yml"
                with:
                  env: "${{ matrix.env }}"
                secrets: "inherit"
            
              notify_on_failure:
                name: "Notify #infra slack on failure"
                needs: ["config-drift-check"]
                if: ${{ failure() }}
                runs-on: ubuntu-latest
                steps:
                  - name: Post to Slack
                    uses: "slackapi/slack-github-action@v2.1.1"
                    with:
                      method: "chat.postMessage"
                      token: ${{ secrets.SLACK_BOT_TOKEN }}
                      payload: |
                        channel: "${{ vars.INFRA_NOTIFICATION_CHANNEL }}"
                        text: "❌ Terraform Drift Detection failed for ${{ github.repository }}. Check the workflow run for more details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}."
        EOT
      + file                         = ".github/workflows/terraform-drift-wrapper.yml"
      + id                           = (known after apply)
      + overwrite_on_create          = true
      + ref                          = (known after apply)
      + repository                   = "aws-service-infrahouse-app"
      + repository_id                = (known after apply)
      + sha                          = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_file.vuln_scanner[0] will be created
  + resource "github_repository_file" "vuln_scanner" {
      + autocreate_branch_source_sha = (known after apply)
      + branch                       = (known after apply)
      + commit_message               = "Add vuln-scanner-pr.yml workflow"
      + commit_sha                   = (known after apply)
      + content                      = <<-EOT
            # This file is managed by Terraform in github-control repository
            # Do not edit this file, all changes will be overwritten
            ---
            name: OSV-Scanner PR Scan
            
            on:  # yamllint disable-line rule:truthy
              pull_request:
                branches: [main]
              merge_group:
                branches: [main]
            
            permissions:
              contents: read
              pull-requests: write
            
            env:
              GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
            
            jobs:
              vulnerability-check:
                runs-on: ubuntu-24.04
                steps:
                  - uses: actions/checkout@v6
                  - name: Detect vulnerabilities
                    run: |
                      if [ -n "${{ github.event.pull_request.number }}" ]; then
                        ih-github scan \
                        --repo ${{ github.repository }} \
                        --pull-request ${{ github.event.pull_request.number }}
                      else
                        ih-github scan
                      fi
            
              sast-check:
                runs-on: ubuntu-24.04
                steps:
                  - uses: actions/checkout@v6
                  - name: Set up Python
                    uses: actions/setup-python@v6
                    with:
                      python-version: "3.14"
            
                  - name: SAST
                    run: |
                      pip install --upgrade semgrep
                      if [ -n "${{ github.event.pull_request.number }}" ]; then
                        ih-github run \
                        ${{ github.repository }} \
                        ${{ github.event.pull_request.number }} \
                        semgrep scan --error
                      else
                        semgrep scan --error
                      fi
        EOT
      + file                         = ".github/workflows/vuln-scanner-pr.yml"
      + id                           = (known after apply)
      + overwrite_on_create          = true
      + ref                          = (known after apply)
      + repository                   = "aws-service-infrahouse-app"
      + repository_id                = (known after apply)
      + sha                          = (known after apply)
    }

  # module.aws_service_infrahouse_app.github_repository_ruleset.main will be created
  + resource "github_repository_ruleset" "main" {
      + enforcement = "active"
      + etag        = (known after apply)
      + id          = (known after apply)
      + name        = "Main Branch Protection"
      + node_id     = (known after apply)
      + repository  = "aws-service-infrahouse-app"
      + ruleset_id  = (known after apply)
      + target      = "branch"

      + bypass_actors {
          + actor_id    = 1016363
          + actor_type  = "Integration"
          + bypass_mode = "always"
        }

      + conditions {
          + ref_name {
              + exclude = []
              + include = [
                  + "~DEFAULT_BRANCH",
                ]
            }
        }

      + rules {
          + update_allows_fetch_and_merge = false

          + pull_request {
              + allowed_merge_methods             = (known after apply)
              + dismiss_stale_reviews_on_push     = true
              + require_code_owner_review         = true
              + require_last_push_approval        = false
              + required_approving_review_count   = 1
              + required_review_thread_resolution = false
            }

          + required_status_checks {
              + do_not_enforce_on_create             = false
              + strict_required_status_checks_policy = true

              + required_check {
                  + context        = "Terraform Plan sandbox"
                  + integration_id = 0
                }
              + required_check {
                  + context        = "TruffleHog"
                  + integration_id = 0
                }
              + required_check {
                  + context        = "vulnerability-check"
                  + integration_id = 0
                }
            }
        }
    }

Plan: 7 to add, 1 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.ih_8_repos.github_repository.repo,
  on modules/local-repo/repos.tf line 4, in resource "github_repository" "repo":
   4:   has_downloads        = false

This attribute is no longer in use, but it hasn't been removed yet. It will
be removed in a future version. See
https://github.com/orgs/community/discussions/102145#discussioncomment-8351756

(and 7 more similar warnings elsewhere)

Warning: Deprecated attribute

  on .terraform/modules/actions-runner-pem-493370826424-uw1/data_sources.tf line 11, in data "external" "secret_value":
  11:     "python", "${path.module}/assets/get_secret.py", data.aws_region.current.name, aws_secretsmanager_secret.secret.id, data.aws_iam_role.caller_role.arn

The attribute "name" is deprecated. Refer to the provider documentation for
details.

(and 5 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tf.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "tf.plan"
Releasing state lock. This may take a few moments...

@akuzminsky akuzminsky merged commit efcbe55 into main May 5, 2026
1 of 2 checks passed
@akuzminsky akuzminsky deleted the fix-service-repo branch May 5, 2026 22:46