mark destructive fields as immutable #19
Merged
Ravion Module Publish Plan
Dry run only. No Ravion API mutations were made.
Diffs
rvn-acm-certificate 0.2.0 -> 0.2.1
--- remote
+++ compiled
label: AWS account & region
type: section
- id: aws_account_id
+ immutable: true
label: AWS account
required: true
type: string
values: $values:ravion/aws_accounts
- description: Must be the same region as the load balancer, or us-east-1 for CloudFront.
id: aws_region
+ immutable: true
label: Region
required: true
type: string
@@
type: string
- description: Primary fully qualified domain name for the ACM certificate.
id: domain_name
+ immutable: true
label: Domain name
placeholder: api.example.com
required: true
@@
- add_button_label: Add secondary domain
description: Additional fully qualified domain names to include on the certificate.
id: subject_alternative_names
+ immutable: true
label: Subject alternative names
placeholder: www.example.com
type: string_array
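Review bot: subject_alternative_names is now immutable in this hunk, yet it keeps add_button_label: Add secondary domain, which invites users to append names to a list they can no longer change after creation. Freezing the list is correct, because every SAN is part of the issued certificate, but the description should say so, e.g. `description: Additional fully qualified domain names to include on the certificate. Fixed at creation; adding a name later requires a new certificate.`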
@@
- default: false
description: Use only when the domain already has a Route53 public hosted zone and all primary/SAN validation records belong in that zone.
id: route53_validation_records_creation_enabled
+ immutable: true
label: Create Route53 validation records
type: boolean
- description: Public hosted zone used for validation records. Required when Route53 validation records are enabled.
id: route53_zone_id
+ immutable: true
label: Route53 hosted zone ID
patterns:
- message: Use a valid Route53 hosted zone ID, for example Z1234567890ABC.
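Review bot: route53_validation_records_creation_enabled and route53_zone_id are both frozen in this hunk, but the toggle's description says to enable it only when the hosted zone already exists. A certificate created with the toggle off can therefore never adopt a zone that is created afterwards, and a mistyped zone ID can never be corrected, without recreating the certificate. If that is intended, state it in the description; otherwise consider leaving the boolean mutable and keeping only route53_zone_id immutable, since creating or removing validation records does not touch the certificate itself.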
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
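Review bot: marking ravion_state_backend_workspace immutable is the most consequential change in this hunk and its description should explain why: editing the workspace name after the first apply would point the module at an empty Terraform state, so the next run would plan to create everything again while the existing resources are left unmanaged. Suggest appending `Cannot be changed after the first deploy; changing it would detach existing resources from state.` to the description. The same partial recurs in every other module in this plan, so one wording fix covers all of them.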
@@
- [AWS Certificate Manager DNS validation](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html)
- [AWS Certificate Manager certificates for CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html)
- - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-acm-certificate@0.2.0/security/acm_certificate)
+ - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-acm-certificate@0.2.1/security/acm_certificate)
stack:
pipelines:
change:
@@
base_path: security/acm_certificate
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-acm-certificate@0.2.0
+ ref: rvn-acm-certificate@0.2.1
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-aws-iam-role 0.1.1 -> 0.1.2
--- remote
+++ compiled
label: AWS account & region
type: section
- id: aws_account_id
+ immutable: true
label: AWS account
required: true
type: string
values: $values:ravion/aws_accounts
- id: aws_region
+ immutable: true
label: Region
required: true
type: string
@@
- default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
description: Name of the IAM role. AWS IAM role names must be unique in the account.
id: name
+ immutable: true
label: Role name
patterns:
- message: "Use 1-64 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen."
@@
default: /
description: IAM path for the role. Most roles should use the root path.
id: path
+ immutable: true
label: Path
patterns:
- message: Start and end with a slash, for example / or /service-roles/.
@@
- default: false
description: Create an IAM instance profile for EC2 instances to use this role.
id: instance_profile_creation_enabled
+ immutable: true
label: Create instance profile
type: boolean
- description: Instance profile name. Defaults to the role name when empty.
id: instance_profile_name
+ immutable: true
label: Instance profile name
patterns:
- message: "Use 1-128 characters: letters, numbers, plus, equals, comma, period, at, underscore, or hyphen."
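Review bot: instance_profile_creation_enabled (default false) is immutable in this hunk, so a role created for a non-EC2 use can never later gain an instance profile without being recreated, even though attaching a profile to an existing role is non-destructive. Freezing instance_profile_name here and instance_profile_path in the next hunk is sensible; consider leaving only the boolean mutable, or documenting in its description that the choice must be made at creation time.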
@@
type: string
- description: IAM path for the instance profile. Defaults to the role path when empty.
id: instance_profile_path
+ immutable: true
label: Instance profile path
patterns:
- message: Start and end with a slash, for example / or /service-roles/.
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
- [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
- [IAM JSON policy elements](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html)
- [IAM permissions boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
- - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-aws-iam-role@0.1.1/security/iam)
+ - [Source module](https://github.com/flightcontrolhq/modules/tree/rvn-aws-iam-role@0.1.2/security/iam)
stack:
pipelines:
change:
@@
base_path: security/iam
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-aws-iam-role@0.1.1
+ ref: rvn-aws-iam-role@0.1.2
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-aws-network 0.1.0 -> 0.1.1
--- remote
+++ compiled
label: AWS account & region
type: section
- id: aws_account_id
+ immutable: true
label: AWS account
required: true
type: string
values: $values:ravion/aws_accounts
- description: Recommend anything but us-east-1 as it has the most outages.
id: aws_region
+ immutable: true
label: Region
required: true
type: string
@@
- default: <<project.given_id>>-<<environment.given_id>>
description: Name prefix for all resources created by this module.
id: name
+ immutable: true
label: Name slug
patterns:
- message: The name must be 1-36 characters, contain only lowercase letters, numbers, and hyphens, and start and end with a letter or number.
@@
- default: 10.0.0.0/16
description: The IPv4 CIDR block for the VPC.
id: vpc_cidr
+ immutable: true
label: VPC CIDR
required: false
type: string
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
- **VPC Flow Logs** for network traffic monitoring and SOC 2 compliance
- **VPC Peering** to connect with existing VPCs across accounts or regions
- Terraform source: [flightcontrolhq/modules/networking/vpc](https://github.com/flightcontrolhq/modules/tree/rvn-aws-network@0.1.0/networking/vpc)
+ Terraform source: [flightcontrolhq/modules/networking/vpc](https://github.com/flightcontrolhq/modules/tree/rvn-aws-network@0.1.1/networking/vpc)
## Use cases
@@
base_path: networking/vpc
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-aws-network@0.1.0
+ ref: rvn-aws-network@0.1.1
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-aws-static 0.1.1 -> 0.1.2
--- remote
+++ compiled
label: AWS account & region
type: section
- id: aws_account_id
+ immutable: true
label: AWS account
required: true
type: string
@@
- default: us-east-1
description: Region for the S3 bucket. CloudFront and KVS always use us-east-1.
id: aws_region
+ immutable: true
label: Region
required: true
type: string
@@
- default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
description: Name for the bucket and other resources' prefix. Must be globally unique.
id: name
+ immutable: true
label: Name slug
patterns:
- message: "Use a valid S3 bucket name: lowercase letters, numbers, hyphens, and periods; start and end with a letter or number."
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
Every deployment is versioned. The deploy step promotes an S3 directory by updating the CloudFront KeyValueStore active pointer. CloudFront rewrites viewer requests to the active version prefix before it reads from S3.
- Terraform source: [flightcontrolhq/modules/hosting/static_site](https://github.com/flightcontrolhq/modules/tree/rvn-aws-static@0.1.1/hosting/static_site)
+ Terraform source: [flightcontrolhq/modules/hosting/static_site](https://github.com/flightcontrolhq/modules/tree/rvn-aws-static@0.1.2/hosting/static_site)
## Use cases
@@
base_path: hosting/static_site
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-aws-static@0.1.1
+ ref: rvn-aws-static@0.1.2
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-ecs-cluster 0.1.1 -> 0.1.2
--- remote
+++ compiled
inputs:
- id: network
+ immutable: true
label: VPC network
mapped_inputs:
- id: section_aws
@@
type: section
- default: << ref.input.aws_account_id >>
id: aws_account_id
+ immutable: true
label: AWS account
type: string
values: $values:ravion/aws_accounts
- default: << ref.input.aws_region >>
description: AWS region for this module. If unset in Terraform, the provider region is used.
id: aws_region
+ immutable: true
label: Region
type: string
values: $values:aws/regions
@@
type: section
- default: <<ref.stack.output.vpc_id>>
id: vpc_id
+ immutable: true
label: VPC ID
required: true
type: string
@@
default: <<ref.stack.output.private_subnet_ids>>
description: Required by Terraform. Used for private workloads and private load balancers.
id: private_subnet_ids
+ immutable: true
label: Private subnet IDs
required: true
type: string_array
@@
default: <<ref.stack.output.public_subnet_ids>>
description: Used for public load balancers. Terraform defaults to [] when no public load balancer is enabled.
id: public_subnet_ids
+ immutable: true
label: Public subnet IDs
placeholder: subnet-...
type: string_array
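Review bot: public_subnet_ids is made immutable here while its description says Terraform defaults to [] when no public load balancer is enabled. A cluster first deployed without a public load balancer would then carry an empty, unchangeable subnet list, so enabling a public ALB or NLB later would require recreating the cluster. Either confirm that the default is always populated from the network ref regardless of the load balancer setting, or reword the description so that consequence is explicit.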
@@
- default: <<project.given_id>>-<<environment.given_id>>
description: Name prefix for all resources. Terraform requires 1-28 characters so generated ALB names fit AWS limits.
id: name
+ immutable: true
label: Name slug
patterns:
- message: The name must be 1-28 characters, contain only lowercase letters, numbers, and hyphens, and start and end with a letter or number.
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
- **Public and private Network Load Balancers** for TCP/UDP and static IP use cases
- **CloudWatch Container Insights** dashboard metrics for production visibility
- Terraform source: [flightcontrolhq/modules/compute/ecs_cluster](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-cluster@0.1.1/compute/ecs_cluster)
+ Terraform source: [flightcontrolhq/modules/compute/ecs_cluster](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-cluster@0.1.2/compute/ecs_cluster)
## Use cases
@@
base_path: compute/ecs_cluster
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-ecs-cluster@0.1.1
+ ref: rvn-ecs-cluster@0.1.2
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-ecs-web 0.4.0 -> 0.4.1
--- remote
+++ compiled
label: ECS cluster
type: section
- id: cluster
+ immutable: true
label: ECS cluster
mapped_inputs:
- default: <<ref.input.aws_account_id>>
id: aws_account_id
+ immutable: true
label: AWS account
type: string
values: $values:ravion/aws_accounts
- default: <<ref.input.aws_region>>
id: aws_region
+ immutable: true
label: Region
type: string
values: $values:aws/regions
@@
values: $values:ravion/execution_environments
- default: <<ref.stack.output.cluster_arn>>
id: cluster_arn
+ immutable: true
label: Cluster ARN
required: true
type: string
- default: <<ref.input.vpc_id>>
id: vpc_id
+ immutable: true
label: VPC ID
required: true
type: string
@@
default: <<ref.input.private_subnet_ids>>
description: Private subnets available from the selected ECS cluster network.
id: private_subnet_ids
+ immutable: true
label: Private subnet IDs
required: true
type: string_array
@@
default: <<ref.input.public_subnet_ids>>
description: Public subnets available from the selected ECS cluster network.
id: public_subnet_ids
+ immutable: true
label: Public subnet IDs
type: string_array
- add_button_label: Add subnet ID
@@
default: <<ref.input.private_subnet_ids>>
description: Legacy service subnet override. Leave blank to derive subnets from the public/private service setting.
id: subnet_ids
+ immutable: true
label: Private subnet IDs
required: false
type: string_array
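Review bot: the legacy subnet_ids input keeps the label "Private subnet IDs", identical to the label of private_subnet_ids two hunks earlier, so the form now shows two immutable fields with the same label. Give the legacy field a distinct label such as `Service subnet IDs (legacy)` so a user does not fill in the wrong one, which is harder to recover from now that both are frozen.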
@@
type: section
- default: <<ref.stack.output.fargate_capacity_provider_name>>
id: fargate_capacity_provider_name
+ immutable: true
label: Fargate capacity provider
type: string
- default: <<ref.stack.output.fargate_spot_capacity_provider_name>>
id: fargate_spot_capacity_provider_name
+ immutable: true
label: Fargate spot capacity provider
type: string
- default: ""
description: EC2 capacity provider name from the selected cluster. Required only when using EC2 capacity.
id: ec2_capacity_provider_name
+ immutable: true
label: EC2 capacity provider
required: false
show_when:
@@
type: section
- default: <<ref.stack.output.public_alb_http_listener_arn>>
id: public_alb_http_listener_arn
+ immutable: true
label: Public ALB HTTP listener ARN
type: string
- collapsible: true
default: <<ref.stack.output.public_alb_https_listener_arn>>
description: HTTPS listener ARN from the selected public ALB. Ravion uses it when present, otherwise falls back to HTTP.
id: public_alb_https_listener_arn
+ immutable: true
label: Public ALB HTTPS listener ARN
required: false
type: string
- default: <<ref.stack.output.public_alb_security_group_id>>
id: public_alb_security_group_id
+ immutable: true
label: Public ALB security group ID
type: string
- default: <<ref.stack.output.private_alb_http_listener_arn>>
id: private_alb_http_listener_arn
+ immutable: true
label: Private ALB HTTP listener ARN
type: string
- collapsible: true
default: <<ref.stack.output.private_alb_https_listener_arn>>
description: HTTPS listener ARN from the selected private ALB. Ravion uses it when present, otherwise falls back to HTTP.
id: private_alb_https_listener_arn
+ immutable: true
label: Private ALB HTTPS listener ARN
required: false
type: string
- default: <<ref.stack.output.private_alb_security_group_id>>
id: private_alb_security_group_id
+ immutable: true
label: Private ALB security group ID
type: string
required: true
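Review bot: public_alb_https_listener_arn and private_alb_https_listener_arn are immutable in this hunk while their descriptions say Ravion falls back to HTTP when the value is absent. A service first deployed against a cluster that had no HTTPS listener will therefore stay on plain HTTP until the service is recreated, even after the cluster gains one. Since these are mapped fallbacks from the cluster ref rather than user-chosen values, consider whether a change in the referenced output should be allowed to flow through, or call out the recreate requirement in the description so the HTTP exposure is not silently permanent.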
@@
- default: <<project.given_id>>-<<environment.given_id>>-<<module.given_id>>
description: Name for the ECS service and related resources.
id: name
+ immutable: true
label: Service name
patterns:
- message: Use 1-255 letters, numbers, underscores, or hyphens, starting with a letter or number.
@@
- default: 80
description: Port the web container listens on.
id: container_port
+ immutable: true
label: Container port
max: 65535
min: 1
@@
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
The module is intentionally focused on web services behind an Application Load Balancer. It uses the selected ECS cluster to inherit AWS account, region, VPC, subnets, capacity providers, load balancer listeners, and load balancer security groups.
- Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-web@0.4.0/compute/ecs_service)
+ Terraform source: [flightcontrolhq/modules/compute/ecs_service](https://github.com/flightcontrolhq/modules/tree/rvn-ecs-web@0.4.1/compute/ecs_service)
## Use cases
@@
base_path: compute/ecs_service
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-ecs-web@0.4.0
+ ref: rvn-ecs-web@0.4.1
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables:
rvn-rds 0.2.0 -> 0.2.1
--- remote
+++ compiled
- collapsible: true
description: Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
id: ravion_state_backend_workspace
+ immutable: true
label: Ravion Terraform workspace name
type: string
- collapsible: true
@@
- [RDS DB instance classes](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html)
- [RDS security](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html)
- [RDS monitoring](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html)
- - [Terraform source](https://github.com/flightcontrolhq/modules/tree/rvn-rds@0.2.0/database/rds)
+ - [Terraform source](https://github.com/flightcontrolhq/modules/tree/rvn-rds@0.2.1/database/rds)
stack:
pipelines:
change:
@@
base_path: database/rds
branch: main
execution_environment_id: << module.input.execution_environment_id >>
- ref: rvn-rds@0.2.0
+ ref: rvn-rds@0.2.1
repo: https://github.com/flightcontrolhq/modules
stack_id: <<stack.id>>
terraform_variables: |
Greptile Summary
This PR adds
This PR adds immutable: true to foundational identity, target, and state inputs across all module definitions, and documents the immutability policy in the agent skill guide. aws_account_id, aws_region, ravion_state_backend_workspace, and the network-ref template fields (vpc_id, subnet IDs) are now immutable; advanced_terraform_variables and execution_environment_id are correctly left mutable per the new SKILL.md rule. name/vpc_cidr, ACM certificate domain fields and validation settings, IAM role name/path/instance-profile fields, static site bucket name, ECS cluster network ref and name, and ECS service cluster ref + all mapped fallback fields (ARNs, subnet IDs, capacity provider names, ALB SG IDs), service name, and container_port are all marked immutable. immutable: true, which must never be marked immutable, and module-specific lists for reference.
Confidence Score: 5/5
All changes are additive YAML metadata annotations with no logic changes; immutability selections are consistent with the documented policy across all eleven files.
Every field marked immutable matches the SKILL.md taxonomy, the two mandatory exclusions (execution_environment_id and advanced_terraform_variables) are correctly left mutable in every location they appear, and the shared partials propagate the constraint to all downstream modules automatically.
No files require special attention.
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
  A[Module Input] --> B{Is it a foundational\nidentity/state field?}
  B -- Yes --> C[Mark immutable: true]
  B -- No --> D{Is it execution_environment_id\nor advanced_terraform_variables?}
  D -- Yes --> E[Leave mutable — explicit exclusion]
  D -- No --> F{Is it an operational/\nproduct-level control?}
  F -- Yes --> G[Leave mutable]
  F -- No --> H{Is it a ref-derived\ninfrastructure identity field?}
  H -- Yes --> C
  H -- No --> G
  subgraph "Always Immutable"
    I[aws_account_id]
    J[aws_region]
    K[ravion_state_backend_workspace]
    L[vpc_id / subnet IDs / ARNs]
    M[cluster/service/bucket name]
    N[vpc_cidr]
  end
  subgraph "Always Mutable"
    O[execution_environment_id]
    P[advanced_terraform_variables]
    Q[NAT / peering / flow logs / CloudFront settings]
    R[health checks / autoscaling / tags / IAM policies]
  end
  C --> I & J & K & L & M & N
  E --> O & P
  G --> Q & R
```

Reviews (2): Last reviewed commit: "remove a bunch"