tf(deps): bump hashicorp/google from 4.65.2 to 4.67.0 in /configs/terraform/secrets-leaks-log-scanner #7787

Merged. kyma-bot merged 1 commit into main from dependabot/terraform/configs/terraform/secrets-leaks-log-scanner/hashicorp/google-4.67.0 on Jun 1, 2023.
Bumps [hashicorp/google](https://github.com/hashicorp/terraform-provider-google) from 4.65.2 to 4.67.0.
- [Release notes](https://github.com/hashicorp/terraform-provider-google/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-google/blob/main/CHANGELOG.md)
- [Commits](hashicorp/terraform-provider-google@v4.65.2...v4.67.0)

---
updated-dependencies:
- dependency-name: hashicorp/google
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels area/dependency (Issues or PRs related to dependency changes), kind/chore (Categorizes issue or PR as related to a chore.) and terraform (Issues or PRs related to terraform.) on May 30, 2023.

kyma-bot added the labels size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.) and no-changes on May 30, 2023.
Plan Result
✅ Apply Succeeded
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
Warning: "default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above
with module.trusted_workload_terraform_executor_k8s_service_account.kubernetes_service_account.terraform_executor,
on ../../../../development/terraform-executor/terraform/modules/k8s-terraform-executor/main.tf line 15, in resource "kubernetes_service_account" "terraform_executor":
15: resource "kubernetes_service_account" "terraform_executor" {
Starting from version 1.24.0 Kubernetes does not automatically generate a
token for service accounts, in this case, "default_secret_name" will be empty
(and 2 more similar warnings elsewhere)
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
tekton_gatekeeper = <sensitive>
tekton_terraform_executor_k8s_service_account = {
"terraform_executor_k8s_service_account" = {
"automount_service_account_token" = true
"default_secret_name" = ""
"id" = "default/terraform-executor"
"image_pull_secret" = toset([])
"metadata" = tolist([
{
"annotations" = tomap({
"iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
})
"generate_name" = ""
"generation" = 0
"labels" = tomap({})
"name" = "terraform-executor"
"namespace" = "default"
"resource_version" = "128307926"
"uid" = "51d95a38-fc8f-434f-bcb4-fa84ce96db29"
},
])
"secret" = toset([])
"timeouts" = null /* object */
}
}
terraform_executor_gcp_service_account = <sensitive>
trusted_workload_gatekeeper = <sensitive>
trusted_workload_terraform_executor_k8s_service_account = {
"terraform_executor_k8s_service_account" = {
"automount_service_account_token" = true
"default_secret_name" = ""
"id" = "default/terraform-executor"
"image_pull_secret" = toset([])
"metadata" = tolist([
{
"annotations" = tomap({
"iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
})
"generate_name" = ""
"generation" = 0
"labels" = tomap({})
"name" = "terraform-executor"
"namespace" = "default"
"resource_version" = "604056833"
"uid" = "802f1b39-dbf0-4429-9612-cbc74ca7bccf"
},
])
"secret" = toset([])
"timeouts" = null /* object */
}
}
untrusted_workload_gatekeeper = <sensitive>
untrusted_workload_terraform_executor_k8s_service_account = {
"terraform_executor_k8s_service_account" = {
"automount_service_account_token" = true
"default_secret_name" = ""
"id" = "default/terraform-executor"
"image_pull_secret" = toset([])
"metadata" = tolist([
{
"annotations" = tomap({
"iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
})
"generate_name" = ""
"generation" = 0
"labels" = tomap({})
"name" = "terraform-executor"
"namespace" = "default"
"resource_version" = "599762309"
"uid" = "e14bae6f-2239-4e1d-8b99-708e3c63c19c"
},
])
"secret" = toset([])
"timeouts" = null /* object */
}
}
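The "default_secret_name" warning in the apply output above explains the empty `"default_secret_name" = ""` and `"secret" = toset([])` fields in the three service-account outputs: on Kubernetes 1.24 and later the control plane no longer mints a long-lived token Secret for every ServiceAccount, so anything that needs a static token must request one explicitly, and in-cluster pods are expected to get credentials some other way (here, the `iam.gke.io/gcp-service-account` annotation, i.e. GKE Workload Identity). The Terraform below is an added example, not code from the kyma test-infra repository or from this PR's modules; it shows the two pieces those outputs point at, the Workload Identity annotation plus the `roles/iam.workloadIdentityUser` binding on the GCP service account, and an explicitly created token Secret of type `kubernetes.io/service-account-token` for the post-1.24 case. The resource names, the `default` namespace and the project ID `example-project` are assumptions.

```hcl
# Added example (not the project's own module code). Assumes GKE with Workload
# Identity enabled on the cluster, project ID "example-project", and the
# hashicorp/google and hashicorp/kubernetes providers already configured.

locals {
  project_id = "example-project"      # assumption
  ksa_name   = "terraform-executor"   # assumption
  namespace  = "default"              # assumption
}

# GCP service account that the Kubernetes workload will act as.
resource "google_service_account" "terraform_executor" {
  project      = local.project_id
  account_id   = "terraform-executor"
  display_name = "Terraform executor"
}

# Kubernetes service account. The annotation tells the GKE metadata server
# which GCP identity to hand out to pods running as this KSA; no key file is
# mounted into the pod.
resource "kubernetes_service_account_v1" "terraform_executor" {
  metadata {
    name      = local.ksa_name
    namespace = local.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.terraform_executor.email
    }
  }
}

# The binding that makes the annotation effective: the cluster's workload
# identity pool member "<project>.svc.id.goog[<namespace>/<ksa>]" may
# impersonate the GCP service account. Without this, the annotation alone
# grants nothing.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.terraform_executor.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${local.project_id}.svc.id.goog[${local.namespace}/${local.ksa_name}]"
}

# On Kubernetes 1.24+ no token Secret is created automatically, which is why
# "default_secret_name" is empty in the outputs. If a long-lived token is
# still required (for example, a kubeconfig consumed outside the cluster),
# create the Secret explicitly; the token controller then fills in "token",
# "ca.crt" and "namespace" for the service account named in the annotation.
# Prefer Workload Identity or a TokenRequest-issued short-lived token where
# possible, since this Secret is a static credential.
resource "kubernetes_secret_v1" "terraform_executor_token" {
  metadata {
    name      = "${local.ksa_name}-token"
    namespace = local.namespace
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account_v1.terraform_executor.metadata[0].name
    }
  }
  type = "kubernetes.io/service-account-token"
}

output "terraform_executor_token_secret" {
  value     = kubernetes_secret_v1.terraform_executor_token.metadata[0].name
  sensitive = false
}
```

With this layout the service account resource itself never carries a token, so the `default_secret_name` warning is expected and harmless; only the explicitly created Secret holds a static credential, which makes it a single, auditable object to rotate or delete.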
/retest
halamix2 approved these changes Jun 1, 2023
neighbors-dev-bot approved these changes Jun 1, 2023
neighbors-dev-bot added the auto-approved label (Denotes a PR that was approved by automation.) Jun 1, 2023
kyma-bot deleted the dependabot/terraform/configs/terraform/secrets-leaks-log-scanner/hashicorp/google-4.67.0 branch June 1, 2023 08:56
✅ Apply Succeeded
data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
google_service_account.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
data.google_secret_manager_secret.common_slack_bot_token: Reading...
google_storage_bucket.kyma_prow_logs_secured: Refreshing state... [id=kyma-prow-logs-secured]
google_service_account.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
data.google_storage_bucket.kyma_prow_logs: Reading...
google_service_account.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
google_monitoring_alert_policy.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/15677332264241438988]
google_monitoring_alert_policy.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/15999866418925089607]
google_monitoring_alert_policy.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/9821277804074506500]
data.google_storage_bucket.kyma_prow_logs: Read complete after 0s [id=kyma-prow-logs]
google_service_account.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
data.google_project.project: Reading...
data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 1s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
data.google_secret_manager_secret.common_slack_bot_token: Read complete after 1s [id=projects/sap-kyma-prow/secrets/common-slack-bot-token]
google_service_account.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-log-scanner@sap-kyma-prow.iam.gserviceaccount.com]
google_monitoring_alert_policy.slack_message_sender: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/16641435238811176146]
google_service_account.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
google_monitoring_alert_policy.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/5579410898419231270]
google_storage_bucket_iam_member.kyma_prow_logs_secured_object_admin: Refreshing state... [id=b/kyma-prow-logs-secured/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
google_storage_bucket_iam_member.kyma_prow_logs_viewer: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
data.google_iam_policy.run_invoker: Reading...
google_storage_bucket_iam_member.kyma_prow_logs_object_admin: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.gh_issue_creator_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
data.google_iam_policy.run_invoker: Read complete after 0s [id=735823064]
google_storage_bucket_iam_member.secrets_leak_detector: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.slack_msg_sender_common_slack_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/common-slack-bot-token/roles/secretmanager.secretAccessor/serviceAccount:slack-message-sender@sap-kyma-prow.iam.gserviceaccount.com]
google_cloud_run_service.secrets_leak_log_scanner: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner]
google_cloud_run_service.gcs_bucket_mover: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover]
google_secret_manager_secret_iam_member.gh_issue_finder_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
google_cloud_run_service_iam_policy.secrets_leak_log_scanner: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/secrets-leak-log-scanner]
google_cloud_run_service_iam_policy.gcs_bucket_mover: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/gcs-bucket-mover]
google_cloud_run_service.slack_message_sender: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/slack-message-sender]
google_cloud_run_service.github_issue_creator: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator]
google_cloud_run_service_iam_policy.slack_message_sender: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/slack-message-sender]
google_cloud_run_service_iam_policy.github_issue_creator: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-creator]
data.google_project.project: Read complete after 1s [id=projects/sap-kyma-prow]
google_project_iam_member.project_log_writer: Refreshing state... [id=projects/sap-kyma-prow/roles/logging.logWriter/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
google_project_iam_member.project_workflows_invoker: Refreshing state... [id=projects/sap-kyma-prow/roles/workflows.invoker/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
google_cloud_run_service.github_issue_finder: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder]
google_cloud_run_service_iam_policy.github_issue_finder: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-finder]
data.template_file.scan_logs_for_secrets_yaml: Reading...
data.template_file.scan_logs_for_secrets_yaml: Read complete after 0s [id=dcbef9488681987e8a9c24044636fe27acb15ea295bb5c102da628aab0fa79ec]
google_workflows_workflow.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/workflows/secrets-leak-detector]
google_eventarc_trigger.secrets_leak_detector_workflow: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/triggers/secrets-leak-detector]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
✅ Apply Succeeded
module.terraform_executor_gcp_service_account.google_service_account.terraform_executor: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
data.google_client_config.gcp: Reading...
data.google_client_config.gcp: Read complete after 0s [id=projects/"sap-kyma-prow"/regions/"europe-west4"/zones/<null>]
data.google_container_cluster.prow_k8s_cluster: Reading...
data.google_container_cluster.trusted_workload_k8s_cluster: Reading...
data.google_container_cluster.untrusted_workload_k8s_cluster: Reading...
data.google_container_cluster.tekton_k8s_cluster: Reading...
data.google_container_cluster.prow_k8s_cluster: Read complete after 0s [id=projects/sap-kyma-prow/locations/europe-west3-a/clusters/prow]
data.google_container_cluster.tekton_k8s_cluster: Read complete after 0s [id=projects/sap-kyma-prow/locations/europe-west4/clusters/tekton]
data.google_container_cluster.trusted_workload_k8s_cluster: Read complete after 0s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/trusted-workload-kyma-prow]
data.google_container_cluster.untrusted_workload_k8s_cluster: Read complete after 1s [id=projects/sap-kyma-prow/locations/europe-west3/clusters/untrusted-workload-kyma-prow]
google_project_iam_member.terraform_executor_owner: Refreshing state... [id=sap-kyma-prow-workloads/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.tekton_terraform_executor_k8s_service_account.kubernetes_service_account.terraform_executor: Refreshing state... [id=default/terraform-executor]
module.prow_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/prow/**.yaml"]: Reading...
module.terraform_executor_gcp_service_account.google_service_account_iam_binding.terraform_workload_identity: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/terraform-executor@sap-kyma-prow.iam.gserviceaccount.com/roles/iam.workloadIdentityUser]
module.prow_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.prow_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/prow/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.terraform_executor_gcp_service_account.google_project_iam_member.terraform_executor_owner: Refreshing state... [id=sap-kyma-prow/roles/owner/serviceAccount:terraform-executor@sap-kyma-prow.iam.gserviceaccount.com]
module.untrusted_workload_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.prow_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/untrusted/**.yaml"]: Reading...
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/untrusted/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.tekton_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.tekton_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.tekton_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=5b3a4f4c27e588b7f9aefeb7caad50497b6c947ee312fe430446dff5c810fd6c]
module.tekton_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../tekton/deployments/gatekeeper-constraints/**.yaml"]: Reading...
module.tekton_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../tekton/deployments/gatekeeper-constraints/**.yaml"]: Read complete after 0s [id=52507a6b3cc8faadb69b744f7cb223e9cc5ccbb6e6abe6fdc3bade397df3e14d]
module.prow_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=5b3a4f4c27e588b7f9aefeb7caad50497b6c947ee312fe430446dff5c810fd6c]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.untrusted_workload_terraform_executor_k8s_service_account.kubernetes_service_account.terraform_executor: Refreshing state... [id=default/terraform-executor]
module.untrusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=5b3a4f4c27e588b7f9aefeb7caad50497b6c947ee312fe430446dff5c810fd6c]
module.trusted_workload_gatekeeper.data.kubectl_file_documents.gatekeeper: Reading...
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Reading...
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraint_templates_path["../../../../opa/gatekeeper/constraint-templates/**.yaml"]: Read complete after 0s [id=5b3a4f4c27e588b7f9aefeb7caad50497b6c947ee312fe430446dff5c810fd6c]
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Reading...
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/workloads/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/trusted/**.yaml"]: Reading...
module.trusted_workload_gatekeeper.data.kubectl_path_documents.constraints_path["../../../../prow/cluster/resources/gatekeeper-constraints/trusted/**.yaml"]: Read complete after 0s [id=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
module.tekton_gatekeeper.kubectl_manifest.constraint_templates["apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: secrettrustedusage\n annotations:\n metadata.gatekeeper.sh/title: \"Secret Trusted Usage\"\n metadata.gatekeeper.sh/version: 1.0.0\n description: >-\n Controls any Pod ability to use restricted secret.\nspec:\n crd:\n spec:\n names:\n kind: SecretTrustedUsage\n validation:\n openAPIV3Schema:\n type: object\n description: >-\n Controls any Pod ability to use use restricted secret.\n properties:\n labels:\n type: array\n description: >-\n A list of labels and values the object must specify.\n items:\n type: object\n properties:\n key:\n type: string\n description: >-\n The required label.\n allowedRegex:\n type: string\n description: >-\n Regular expression the label's value must match. The value must contain one exact match for\n the regular expression.\n restrictedSecrets:\n type: array\n description: >-\n A list of restricted secrets.\n items:\n type: string\n description: >-\n The restricted secret name.\n trustedServiceAccounts:\n type: array\n description: >-\n A list of trusted service accounts. If a Pod match criteria from trustedServiceAccount, it is allowed to use restricted secret.\n items:\n type: string\n description: >-\n The trusted service account name.\n trustedImages:\n type: array\n description: >-\n A list of trusted images. 
If a Pod match criteria from trustedImage, it is allowed to use restricted secret.\n items:\n type: object\n description: >-\n The trusted image criteria.\n properties:\n image:\n type: string\n description: >-\n The container trusted image name.\n command:\n type: array\n description: >-\n The list of container trusted commands to run.\n items:\n type: string\n description: >-\n The trusted command to run.\n args:\n type: array\n description: >-\n The trusted arguments to pass to the command.\n items:\n type: string\n description: >-\n The trusted argument to pass to the command.\n targets:\n - target: admission.k8s.gatekeeper.sh\n rego: |\n package kubernetes.secrettrustedusage\n \n import future.keywords.contains\n import future.keywords.if\n import future.keywords.in\n \n # Report violation if the container is using a restricted secret and does not match trusted usage criteria.\n # Violation is check if secret is used in env.envFrom container spec.\n violation[{\"msg\": msg}] {\n some k\n # Iterate over all containers in the pod.\n container := input_containers[_]\n \n # Check if the container is using a restricted secret.\n container.envFrom[_].secretRef.name == input.parameters.restrictedSecrets[k]\n \n # Check if container is not matching trusted usage criteria.\n not trustedUsages(container)\n \n # Format violation message.\n msg := sprintf(\"Container %v is not allowed to use restricted secret: %v.\", [container.name, input.parameters.restrictedSecrets[k]])\n }\n \n # Report violation if the container is using a restricted secret and does not match trusted usage criteria.\n # Violation is check if secret is used in env.valueFrom container spec.\n violation[{\"msg\": msg}] {\n some k\n # Iterate over all containers in the pod.\n container := input_containers[_]\n \n # Check if the container is using a restricted secret.\n container.env[_].valueFrom.secretKeyRef.name == input.parameters.restrictedSecrets[k]\n \n # Check if container is not matching trusted 
usage criteria.\n not trustedUsages(container)\n \n # Format violation message.\n msg := sprintf(\"Container %v is not allowed to use restricted secret: %v.\", [container.name, input.parameters.restrictedSecrets[k]])\n }\n \n # Report violation if the container is using a restricted secret and does not match trusted usage criteria.\n # Violation is check if secret is mount as volume.\n violation[{\"msg\": msg}] {\n some k, j\n # Iterate over all containers in the pod.\n container := input_containers[_]\n \n # Check if the container is using a restricted secret.\n input.review.object.spec.volumes[j].secret.secretName == input.parameters.restrictedSecrets[k]\n container.volumeMounts[_].name == input.review.object.spec.volumes[j].name\n \n # Check if container is not matching trusted usage criteria.\n not trustedUsages(container)\n \n # Format violation message.\n msg := sprintf(\"Container %v is not allowed to use restricted secret: %v.\", [container.name, input.parameters.restrictedSecrets[k]])\n }\n \n trustedUsages(container) {\n some j\n trustedSA := object.get(input.parameters, \"trustedServiceAccounts\", [input.review.object.spec.serviceAccountName])\n input.review.object.spec.serviceAccountName == trustedSA[_]\n glob.match(input.parameters.trustedImages[j].image, null, container.image)\n checkCommand(container, input.parameters.trustedImages[j])\n checkArgs(container, input.parameters.trustedImages[j])\n checkLabels(input.review.object, input.parameters)\n }\n \n # Check if trusted usage criteria does not define required labels.\n # Function evaluate too true if required labels are not defined.\n checkLabels(reviewObject, inputParameters) if {\n paramLabels := object.get(inputParameters, \"labels\", [])\n \n # Check if the required labels array is empty.\n count(paramLabels) == 0\n \n # Getting pod labels to prevent unused variable error.\n _ := object.get(reviewObject.metadata, \"labels\", [])\n }\n \n # Check if the pod has required labels.\n 
checkLabels(reviewObject, inputParameters) if {\n # Check if the required labels array is not empty.\n paramLabels := object.get(inputParameters, \"labels\", [])\n count(paramLabels) > 0\n \n # Check if the pod labels array is not empty.\n reviewLabels := object.get(reviewObject.metadata, \"labels\", [])\n count(reviewLabels) > 0\n \n # Check if the pod has required labels.\n value := reviewLabels[key]\n expected := input.parameters.labels[_]\n expected.key == key\n \n # Check if the label value matches the regular expression.\n # If the required label does not define allowedRegex, use default value \".*\" to match any value.\n reg := object.get(expected, \"allowedRegex\", \".*\")\n regex.match(reg, value)\n }\n \n # Check if trusted usage criteria does not define trusted commands.\n checkCommand(container, trustedImage) if {\n trustedCommand := object.get(trustedImage, \"command\", [])\n count(trustedCommand) == 0\n \n # Getting container command to prevent unused variable error.\n _ := object.get(container, \"command\", [])\n }\n \n # Check if the container is using a trusted commands.\n # Function evaluate too true if the container is using exactly the same trusted commands.\n # Number and order of commands must match.\n checkCommand(container, trustedImage) if {\n trustedCommand := object.get(trustedImage, \"command\", [])\n containerCommand := object.get(container, \"command\", [])\n count(containerCommand) == count(trustedCommand)\n \n # Allow using wildcard to match variable part of the command.\n glob.match(trustedCommand[i], null, containerCommand[i])\n }\n \n # Check if trusted usage criteria does not define trusted arguments.\n checkArgs(container, trustedImage) if {\n trustedArgs := object.get(trustedImage, \"args\", [])\n count(trustedArgs) == 0\n \n # Getting container args to prevent unused variable error.\n _ := object.get(container, \"args\", [])\n }\n \n # Check if the container is using a trusted arguments.\n # Function evaluate too true if the 
container is using exactly the same trusted arguments.\n # Number and order of commands must match.\n checkArgs(container, trustedImage) if {\n trustedArgs := object.get(trustedImage, \"args\", [])\n containerArgs := object.get(container, \"args\", [])\n count(containerArgs) == count(trustedArgs)\n \n # Allow using wildcard to match variable part of the argument.\n glob.match(trustedArgs[i], null, containerArgs[i])\n }\n \n # Get all pod containers.\n input_containers contains c if {\n c := input.review.object.spec.containers[_]\n }\n \n # Get all pod init containers.\n input_containers contains c if {\n c := input.review.object.spec.initContainers[_]\n }"]: Refreshing state... [id=/apis/templates.gatekeeper.sh/v1/constrainttemplates/secrettrustedusage]
module.tekton_gatekeeper.kubectl_manifest.constraints["# Constraint to allow only image-builder tool trusted usage on tekton cluster run as image-builder service account identity.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: ServiceAccountTrustedUsage\nmetadata:\n name: tekton-image-builder-sa-trusted-usage\nspec:\n enforcementAction: warn\n match:\n kinds:\n - apiGroups: [\"\"]\n kinds: [\"Pod\"]\n parameters:\n restrictedServiceAccounts:\n - image-builder\n trustedImages:\n - image: \"eu.gcr.io/sap-kyma-neighbors-dev/image-builder:*\"\n command:\n - /tekton/bin/entrypoint\n args:\n - -wait_file\n - /tekton/downward/ready\n - -wait_file_content\n - -post_file\n - /tekton/run/0/out\n - -termination_path\n - /tekton/termination\n - -step_metadata_dir\n - /tekton/run/0/status\n - -entrypoint\n - /image-builder\n - --\n - '--name=*'\n - '--config=*'\n - '--context=*'\n - '--dockerfile=*'\n - --log-dir=/\n - image: \"gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/entrypoint:*\"\n command:\n - /ko-app/entrypoint\n - init\n - /ko-app/entrypoint\n - /tekton/bin/entrypoint\n - step-build-image"]: Refreshing state... [id=/apis/constraints.gatekeeper.sh/v1beta1/serviceaccounttrustedusages/tekton-image-builder-sa-trusted-usage]
module.tekton_gatekeeper.kubectl_manifest.constraint_templates["apiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n name: serviceaccounttrustedusage\n annotations:\n metadata.gatekeeper.sh/title: \"ServiceAccount Trusted Usage\"\n metadata.gatekeeper.sh/version: 1.0.0\n description: >-\n Controls a k8s workloads ability to use use restricted service accounts.\n Workloads controlled by this constraint template are: ReplicationController, ReplicaSet, Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod.\nspec:\n crd:\n spec:\n names:\n kind: ServiceAccountTrustedUsage\n validation:\n openAPIV3Schema:\n type: object\n description: >-\n Controls a k8s workloads ability to use use restricted service accounts.\n properties:\n labels:\n type: array\n description: >-\n A list of labels and values the object must specify.\n items:\n type: object\n properties:\n key:\n type: string\n description: >-\n The required label.\n allowedRegex:\n type: string\n description: >-\n Regular expression the label's value must match. The value must contain one exact match for\n the regular expression.\n
# ...
# ... The maximum length of GitHub Comment is 65536, so the content is omitted by tfcmt.
# ...
tate... [id=/api/v1/namespaces/gatekeeper-system/resourcequotas/gatekeeper-critical-pods]
module.prow_gatekeeper.kubectl_manifest.gatekeeper["/apis/apiextensions.k8s.io/v1/customresourcedefinitions/configs.config.gatekeeper.sh"]: Refreshing state... [id=/apis/apiextensions.k8s.io/v1/customresourcedefinitions/configs.config.gatekeeper.sh]
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.
Warning: "default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above
with module.untrusted_workload_terraform_executor_k8s_service_account.kubernetes_service_account.terraform_executor,
on ../../../../development/terraform-executor/terraform/modules/k8s-terraform-executor/main.tf line 15, in resource "kubernetes_service_account" "terraform_executor":
15: resource "kubernetes_service_account" "terraform_executor" {
Starting from version 1.24.0 Kubernetes does not automatically generate a
token for service accounts, in this case, "default_secret_name" will be empty
(and 2 more similar warnings elsewhere)
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:

tekton_gatekeeper = <sensitive>
tekton_terraform_executor_k8s_service_account = {
  "terraform_executor_k8s_service_account" = {
    "automount_service_account_token" = true
    "default_secret_name" = ""
    "id" = "default/terraform-executor"
    "image_pull_secret" = toset([])
    "metadata" = tolist([
      {
        "annotations" = tomap({
          "iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
        })
        "generate_name" = ""
        "generation" = 0
        "labels" = tomap({})
        "name" = "terraform-executor"
        "namespace" = "default"
        "resource_version" = "128307926"
        "uid" = "51d95a38-fc8f-434f-bcb4-fa84ce96db29"
      },
    ])
    "secret" = toset([])
    "timeouts" = null /* object */
  }
}
terraform_executor_gcp_service_account = <sensitive>
trusted_workload_gatekeeper = <sensitive>
trusted_workload_terraform_executor_k8s_service_account = {
  "terraform_executor_k8s_service_account" = {
    "automount_service_account_token" = true
    "default_secret_name" = ""
    "id" = "default/terraform-executor"
    "image_pull_secret" = toset([])
    "metadata" = tolist([
      {
        "annotations" = tomap({
          "iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
        })
        "generate_name" = ""
        "generation" = 0
        "labels" = tomap({})
        "name" = "terraform-executor"
        "namespace" = "default"
        "resource_version" = "604056833"
        "uid" = "802f1b39-dbf0-4429-9612-cbc74ca7bccf"
      },
    ])
    "secret" = toset([])
    "timeouts" = null /* object */
  }
}
untrusted_workload_gatekeeper = <sensitive>
untrusted_workload_terraform_executor_k8s_service_account = {
  "terraform_executor_k8s_service_account" = {
    "automount_service_account_token" = true
    "default_secret_name" = ""
    "id" = "default/terraform-executor"
    "image_pull_secret" = toset([])
    "metadata" = tolist([
      {
        "annotations" = tomap({
          "iam.gke.io/gcp-service-account" = "terraform-executor@sap-kyma-prow.iam.gserviceaccount.com"
        })
        "generate_name" = ""
        "generation" = 0
        "labels" = tomap({})
        "name" = "terraform-executor"
        "namespace" = "default"
        "resource_version" = "599762309"
        "uid" = "e14bae6f-2239-4e1d-8b99-708e3c63c19c"
      },
    ])
    "secret" = toset([])
    "timeouts" = null /* object */
  }
}
Labels
area/dependency
Issues or PRs related to dependency changes
auto-approved
Denotes a PR that was approved by automation.
kind/chore
Categorizes issue or PR as related to a chore.
lgtm
Looks good to me!
no-changes
size/M
Denotes a PR that changes 30-99 lines, ignoring generated files.
terraform
Issues or PRs related to terraform.
Bumps hashicorp/google from 4.65.2 to 4.67.0.
Release notes
Sourced from hashicorp/google's releases.
Changelog
Sourced from hashicorp/google's changelog.
Commits
f02aca4 ga - 4.67.0 - release notes (#14709)
1c0e254 Revert "Replaced users.list api with users.get api to increase efficiency." (...
ca82db5 Add retry for internal 160009 errors (#8017) (#14727)
18e51a1 Move files to tpgiamresource package (#7984) (#14697)
105265a Added nil guard to blue green settings in google_container_node_pool (#7996) ...
d04b2ea Update hostname from required to default_from_api (#8002) (#14690)
1ec1001 Skip Sweeper for firestore_document (#7991) (#14689)
6c33c86 Updated description of 'query_string_length' (#7987) (#14687)
a300687 Remove sample for Storage release (#7944) (#14685)
fe3da36 compute - bump network_performance_config to ga (#7985) (#14678)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)