Changes to main.tf #65

Closed
wants to merge 6 commits into from

jameslaneovermind
Contributor

(Do not merge)

Setting override value
updated to set the cache behavior to “Cache All” in the CloudFront distribution configuration.

github-actions bot commented Feb 16, 2024

Expected Changes

updated cloudfront-distribution › E15V1JM5GZXBKB
--- current
+++ planned
@@ -81,7 +81,7 @@
       max_ttl: 0
       min_ttl: 0
       origin_request_policy_id: ""
-      path_pattern: /static/*
+      path_pattern: '*'
       realtime_log_config_arn: ""
       response_headers_policy_id: 8ed09a88-177f-4f37-a844-66b7b54a7cda
       smooth_streaming: false
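
Review bot: path_pattern: '*' is too broad for a caching behavior. It makes this behavior match every request path instead of only /static/*, so its cache settings and the response_headers_policy_id shown in the context lines apply to dynamic and authenticated routes as well as static assets, and a cached response that varies per user can then be served to a different user. Suggest keeping the pattern scoped to /static/*, or, if broad caching is intended, confirming that the cache key includes the cookies and headers that distinguish users and that per-user routes get their own non-caching behavior evaluated ahead of this one.
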
replaced ecs-task-definition › facial-recognition
--- current
+++ planned
@@ -1,26 +1,16 @@
-arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition:48
-arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition
-container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"volumesFrom":[]}]'
+container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:8000"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
 cpu: "1024"
 ephemeral_storage: []
-execution_role_arn: ""
 family: facial-recognition
-id: facial-recognition
 inference_accelerator: []
-ipc_mode: ""
 memory: "2048"
 network_mode: awsvpc
-pid_mode: ""
 placement_constraints: []
 proxy_configuration: []
 requires_compatibilities:
     - FARGATE
-revision: 48
 runtime_platform: []
 skip_destroy: false
-tags: {}
-tags_all: {}
-task_role_arn: ""
 terraform_address: module.loom[0].aws_ecs_task_definition.face
 terraform_name: module.loom[0].aws_ecs_task_definition.face
 track_latest: false
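
Review bot: in the planned container_definitions the healthCheck command probes localhost:8000 while containerPort in portMappings is still 1234, and the target group later in this plan still uses port: 1234, so the container health check will fail unless the application itself moves to 8000. Suggest reverting the probe to 1234, or changing the port mapping and the target group port in the same change. The image reference harshmanvar/face-detection-tensorjs:slim-amd is a mutable tag; pinning it by digest would make the replaced task definition reproducible.
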
replaced ecs-task-definition › visit-counter
--- current
+++ planned
@@ -1,26 +1,16 @@
-arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/visit-counter:20
-arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/visit-counter
-container_definitions: '[{"cpu":256,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","curl -f http://localhost:80 || exit 1"],"interval":30,"retries":3,"timeout":5},"image":"yeasy/simple-web:latest","memory":512,"mountPoints":[],"name":"visit-counter","portMappings":[{"appProtocol":"http","containerPort":80,"hostPort":80,"protocol":"tcp"}],"volumesFrom":[]}]'
+container_definitions: '[{"cpu":256,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","curl -f http://localhost:80 || exit 1"],"interval":30,"retries":3,"timeout":5},"image":"yeasy/simple-web:latest","memory":512,"mountPoints":[],"name":"visit-counter","portMappings":[{"appProtocol":"https","containerPort":8080}],"volumesFrom":[]}]'
 cpu: "256"
 ephemeral_storage: []
-execution_role_arn: ""
 family: visit-counter
-id: visit-counter
 inference_accelerator: []
-ipc_mode: ""
 memory: "512"
 network_mode: awsvpc
-pid_mode: ""
 placement_constraints: []
 proxy_configuration: []
 requires_compatibilities:
     - FARGATE
-revision: 20
 runtime_platform: []
 skip_destroy: false
-tags: {}
-tags_all: {}
-task_role_arn: ""
 terraform_address: module.loom[0].aws_ecs_task_definition.visit_counter
 terraform_name: module.loom[0].aws_ecs_task_definition.visit_counter
 track_latest: false
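
Review bot: the portMappings entry moves to containerPort 8080 with appProtocol https, but the healthCheck command in the same container definition is unchanged and still runs curl -f http://localhost:80, so the probe and the declared port now disagree on both port and scheme. Suggest updating the health check together with the port mapping, and confirming the container actually serves TLS on 8080 before declaring https. The image yeasy/simple-web:latest is unpinned, so the replacement task definition is not guaranteed to run the same image that revision 20 did.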

Unmapped Changes

Note

These changes couldn't be mapped to a real cloud resource and therefore won't be included in the blast radius calculation.

replaced elbv2-target-group › module.loom[0].aws_lb_target_group.face
--- current
+++ planned
@@ -1,42 +1,19 @@
-arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/facial-recognition/ec95b63442f95837
-arn_suffix: targetgroup/facial-recognition/ec95b63442f95837
-connection_termination: false
 deregistration_delay: "300"
 health_check:
     - enabled: true
       healthy_threshold: 2
       interval: 40
-      matcher: "200"
-      path: /
       port: traffic-port
       protocol: HTTP
       timeout: 30
       unhealthy_threshold: 3
-id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/facial-recognition/ec95b63442f95837
-ip_address_type: ipv4
 lambda_multi_value_headers_enabled: false
-load_balancing_algorithm_type: round_robin
-load_balancing_anomaly_mitigation: "off"
-load_balancing_cross_zone_enabled: use_load_balancer_configuration
 name: facial-recognition
-name_prefix: ""
 port: 1234
 protocol: HTTP
-protocol_version: HTTP1
 proxy_protocol_v2: false
 slow_start: 0
-stickiness:
-    - cookie_duration: 86400
-      cookie_name: ""
-      enabled: false
-      type: lb_cookie
-tags: {}
-tags_all: {}
-target_failover:
-    - {}
-target_health_state:
-    - {}
-target_type: ip
+target_type: instance
 terraform_address: module.loom[0].aws_lb_target_group.face
 terraform_name: module.loom[0].aws_lb_target_group.face
 vpc_id: vpc-01c90bfad2645fe5e
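
Review bot: target_type: instance does not fit the tasks this group serves. Both task definitions in this plan show network_mode: awsvpc with requires_compatibilities FARGATE, and tasks in awsvpc mode register by their ENI IP address, which needs an ip target group. Suggest keeping target_type: ip. The change also forces replacement of the target group, which is why its ARN drops out of the listener rule in the next hunk.
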
updated elbv2-rule › module.loom[0].aws_lb_listener_rule.face
--- current
+++ planned
@@ -5,7 +5,6 @@
       forward: []
       order: 1
       redirect: []
-      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/facial-recognition/ec95b63442f95837
       type: forward
 arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener-rule/app/main/e512445409281cdb/759a597259beab4e/344f86adc9b60714
 condition:
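
Review bot: the planned forward action at order: 1 has no target_group_arn and forward: [] is empty, so as shown the rule has nowhere to send traffic. This is consistent with the target group above being replaced and its new ARN not being known yet, but it should be confirmed in the full plan that the rule is re-pointed at the new target group, and the replacement order checked so the listener rule is not left without a target between destroy and create.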

Blast Radius

Items: 283, Edges: 282

Risks

Health Check Port Mismatch [High]

The health check command in the ECS Task Definition (face) was updated to use port 8000 instead of the original port 1234. The current ECS Task Definition for facial-recognition indicates that the service is configured to listen on port 1234. If the application isn't reconfigured to listen on port 8000, health checks will fail, leading to the service being considered unhealthy and potentially causing service disruption.

AWS LB Target Group Type Change Impact [Medium]

Changing the AWS LB Target Group (face) target_type from ip to instance assumes underlying instances are properly configured for instance-level routing. The current state doesn't provide explicit confirmation that the configured instances are equipped or properly set up to handle this type change. If instances are not prepared for this, it could lead to routing issues or failed health checks, affecting service availability.

CloudFront Cache Behavior Path Pattern Broadening [Medium]

The CloudFront ordered_cache_behavior path pattern was changed from /static/* to *, which substantially broadens the scope of requests that CloudFront caches. This change could lead to dynamic content being cached unintentionally, as indicated by the current CloudFront distribution configuration which is primarily set up for static content in the /static/ path. If dynamic content gets cached due to this change, it could result in users receiving outdated information.

Incompatible Record Type Change for Route53 [Medium]

The AWS Route53 Record (face) type was changed from CNAME to AAAA, which introduces an IPv6 address for the service. Considering the current state doesn't explicitly confirm that all related services, including the Elastic Load Balancer and the actual service endpoints, are fully compatible and configured for IPv6, this change risks making the service inaccessible to users or systems that cannot resolve or reach IPv6 addresses.

ECS Task Definition visit_counter Port and Protocol Change [High]

The change in containerPort and appProtocol for the ECS Task Definition (visit_counter) assumes the service's compatibility with handling HTTPS traffic directly on port 8080. The current state of visit_counter shows the service running on port 80 with HTTP protocol. If the service isn't configured to handle HTTPS or listen on the new port, this could lead to traffic being routed to an unresponsive service, causing service disruptions.

Terraform AWS Provider Downgrade Potentially Losing Features [Low]

Downgrading the Terraform AWS Provider from version 5.35.0 to 5.32.1 could lead to losing out on newer features or bug fixes introduced in the later versions. While the downgrade alone doesn't directly indicate a high-impact risk without specific feature dependencies being identified, it's advisable to validate whether the current infrastructure setup or any upcoming features rely on capabilities introduced post 5.32.1 to prevent potential compatibility or functionality issues.

jameslaneovermind deleted the ec2_address_blog branch February 29, 2024 13:53