
Add assumable IAM role for GitHub Actions workflows #40

Merged
kunduso merged 11 commits into main from iam-role-gh-runner
Aug 23, 2025

Collaborator

@kunduso kunduso commented Aug 23, 2025

This PR implements an assumable IAM role architecture that allows GitHub Actions workflows to assume AWS roles with temporary credentials instead of using long-lived access keys.

Changes Made

  • Added github-actions-role.tf with assumable IAM role and trust policy
  • Updated ASG EC2 role with sts:AssumeRole permission
  • Modified user data script to configure AWS CLI with role assumption
  • Updated EFS and SSM configurations for compatibility

Security Benefits

  • Eliminates need for long-lived AWS access keys
  • Uses temporary credentials with 1-hour session duration
  • Follows AWS security best practices for CI/CD

Closes #24
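
The role-assumption setup described in this PR, sketched as an added example that is not the PR's or the repository's own user data script: a helper that writes an AWS CLI profile which assumes the workflow role from the instance profile credentials, plus a check that no static keys are present. The role ARN (placeholder account ID), the session name and the file paths are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the repository's user data script.
# Constructed values: the role ARN uses a placeholder account ID, and the
# session name "github-runner" is an assumption.

# Write an AWS CLI config whose default profile assumes ROLE_ARN, sourcing its
# base credentials from the EC2 instance profile instead of stored access keys.
# Usage: write_assume_role_profile ROLE_ARN CONFIG_FILE [DURATION_SECONDS]
write_assume_role_profile() (
  role_arn="$1"
  config_file="$2"
  duration="${3:-3600}"

  # Require one concrete role ARN: 12-digit account ID, no wildcards.
  if ! printf '%s\n' "$role_arn" |
      grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'; then
    echo "refusing role ARN: $role_arn" >&2
    exit 1
  fi

  # Instance role -> second role is role chaining, which STS caps at one hour
  # regardless of the target role's max_session_duration; 900 s is the minimum.
  case "$duration" in
    ''|*[!0-9]*|?????*)
      echo "duration must be an integer number of seconds" >&2
      exit 1 ;;
  esac
  if [ "$duration" -lt 900 ] || [ "$duration" -gt 3600 ]; then
    echo "duration must be 900..3600 seconds" >&2
    exit 1
  fi

  umask 077   # config readable by the runner user only
  mkdir -p "$(dirname "$config_file")"
  cat > "$config_file" <<EOF
[default]
role_arn = $role_arn
credential_source = Ec2InstanceMetadata
role_session_name = github-runner
duration_seconds = $duration
EOF
)

# Succeeds (exit 0) if any given file still carries long-lived access keys.
has_static_keys() {
  grep -Eqs '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$@"
}

# Demo on a temporary directory with a constructed role ARN.
demo_dir="$(mktemp -d)"
write_assume_role_profile \
  "arn:aws:iam::111122223333:role/example-actions-role" "$demo_dir/config" 3600
cat "$demo_dir/config"
if has_static_keys "$demo_dir/config"; then
  echo "static access keys found in profile" >&2
fi
rm -rf "$demo_dir"
```

On a runner configured this way, `aws sts get-caller-identity` should report an assumed-role ARN for the workflow role rather than the instance role.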


github-actions Bot commented Aug 23, 2025

💰 Infracost report

Monthly estimate increased by $1 📈

| Changed project | Baseline cost | Usage cost* | Total change | New monthly cost |
|---|---|---|---|---|
| kunduso-org/github-self-hosted-...azon-ec2-terraform/TFplan.JSON | +$1 | - | +$1 (+1%) | $131 |

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

Estimate details
Key: * usage cost, ~ changed, + added, - removed

──────────────────────────────────
Project: kunduso-org/github-self-hosted-runner-amazon-ec2-terraform/TFplan.JSON

+ aws_kms_key.ssm_parameters
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

+ aws_cloudwatch_log_group.github_runner
  Monthly cost depends on usage

    + Data ingested
      Monthly cost depends on usage
        +$0.50 per GB

    + Archival Storage
      Monthly cost depends on usage
        +$0.03 per GB

    + Insights queries data scanned
      Monthly cost depends on usage
        +$0.005 per GB

Monthly cost change for kunduso-org/github-self-hosted-runner-amazon-ec2-terraform/TFplan.JSON
Amount:  +$1 ($130 → $131)
Percent: +1%

──────────────────────────────────
Key: * usage cost, ~ changed, + added, - removed

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

60 cloud resources were detected:
∙ 11 were estimated
∙ 49 were free

Infracost estimate: Monthly estimate increased by $1 ↑
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Changed project                                                  ┃ Baseline cost ┃ Usage cost* ┃ Total change ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫
┃ kunduso-org/github-self-hosted-...azon-ec2-terraform/TFplan.JSON ┃           +$1 ┃           - ┃    +$1 (+1%) ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━┛
This comment will be updated when code changes.

@github-actions

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Plan 📖 success

Terraform Validation 🤖 success

Show Plan


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_autoscaling_group.github_runner will be updated in-place
  ~ resource "aws_autoscaling_group" "github_runner" {
        id                               = "github-self-hosted-runner-asg"
        name                             = "github-self-hosted-runner-asg"
        # (31 unchanged attributes hidden)

      ~ launch_template {
            id      = "lt-0fc3f2cf8d3ca7905"
            name    = "github-self-hosted-runner2025082315022253420000000f"
          ~ version = "3" -> (known after apply)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_autoscaling_lifecycle_hook.runner_termination will be destroyed
  # (because aws_autoscaling_lifecycle_hook.runner_termination is not in configuration)
  - resource "aws_autoscaling_lifecycle_hook" "runner_termination" {
      - autoscaling_group_name  = "github-self-hosted-runner-asg" -> null
      - default_result          = "ABANDON" -> null
      - heartbeat_timeout       = 300 -> null
      - id                      = "github-self-hosted-runner-termination-hook" -> null
      - lifecycle_transition    = "autoscaling:EC2_INSTANCE_TERMINATING" -> null
      - name                    = "github-self-hosted-runner-termination-hook" -> null
      - notification_target_arn = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle" -> null
      - role_arn                = "arn:aws:iam::743794601996:role/github-self-hosted-runner-lifecycle-hook-role" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_cloudwatch_log_group.github_runner will be created
  + resource "aws_cloudwatch_log_group" "github_runner" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + kms_key_id        = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
      + log_group_class   = (known after apply)
      + name              = "/github-runner/github-self-hosted-runner/log"
      + name_prefix       = (known after apply)
      + retention_in_days = 365
      + skip_destroy      = false
      + tags              = {
          + "Name" = "github-self-hosted-runner-logs"
        }
      + tags_all          = {
          + "Name"   = "github-self-hosted-runner-logs"
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_cloudwatch_log_group.github_runner_lifecycle will be destroyed
  # (because aws_cloudwatch_log_group.github_runner_lifecycle is not in configuration)
  - resource "aws_cloudwatch_log_group" "github_runner_lifecycle" {
      - arn               = "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle" -> null
      - id                = "/github-self-hosted-runner/lifecycle" -> null
      - kms_key_id        = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76" -> null
      - log_group_class   = "STANDARD" -> null
      - name              = "/github-self-hosted-runner/lifecycle" -> null
      - retention_in_days = 365 -> null
      - skip_destroy      = false -> null
      - tags              = {
          - "Name" = "github-self-hosted-runner-lifecycle-logs"
        } -> null
      - tags_all          = {
          - "Name"   = "github-self-hosted-runner-lifecycle-logs"
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_policy.cloudwatch_logs will be updated in-place
  ~ resource "aws_iam_policy" "cloudwatch_logs" {
        id               = "arn:aws:iam::743794601996:policy/github-self-hosted-runner-cloudwatch-logs-policy"
        name             = "github-self-hosted-runner-cloudwatch-logs-policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:CreateLogGroup",
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                          - "logs:DescribeLogStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle",
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle:*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:DescribeKey",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_policy.github_runner will be updated in-place
  ~ resource "aws_iam_policy" "github_runner" {
        id               = "arn:aws:iam::743794601996:policy/github-self-hosted-runner-ec2-policy"
        name             = "github-self-hosted-runner-ec2-policy"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                    # (3 unchanged elements hidden)
                    {
                        Action   = [
                            "sts:AssumeRole",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:iam::743794601996:role/github-self-hosted-runner-github-actions-runner-role"
                    },
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ssm:us-west-2:743794601996:parameter/github-self-hosted-runner/deregistration-script"
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3"
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                          - "kms:DescribeKey",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_role.lambda_deregistration will be destroyed
  # (because aws_iam_role.lambda_deregistration is not in configuration)
  - resource "aws_iam_role" "lambda_deregistration" {
      - arn                   = "arn:aws:iam::743794601996:role/github-self-hosted-runner-lambda-deregistration-role" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2025-08-23T15:00:37Z" -> null
      - force_detach_policies = false -> null
      - id                    = "github-self-hosted-runner-lambda-deregistration-role" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "github-self-hosted-runner-lambda-deregistration-role" -> null
      - path                  = "/" -> null
      - tags                  = {} -> null
      - tags_all              = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - unique_id             = "AROA22LM46AGKJSCOHWPS" -> null
        # (3 unchanged attributes hidden)

      - inline_policy {
          - name   = "github-self-hosted-runner-lambda-deregistration-policy" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = [
                              - "logs:CreateLogGroup",
                              - "logs:CreateLogStream",
                              - "logs:PutLogEvents",
                              - "logs:DescribeLogStreams",
                            ]
                          - Effect   = "Allow"
                          - Resource = "arn:aws:logs:us-west-2:*:*"
                        },
                      - {
                          - Action   = [
                              - "secretsmanager:GetSecretValue",
                            ]
                          - Effect   = "Allow"
                          - Resource = [
                              - "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo",
                            ]
                        },
                      - {
                          - Action   = [
                              - "kms:Decrypt",
                            ]
                          - Effect   = "Allow"
                          - Resource = "arn:aws:kms:us-west-2:743794601996:key/c77ff6db-241d-4e88-9317-17c07d0ca952"
                        },
                      - {
                          - Action   = [
                              - "logs:CreateLogStream",
                              - "logs:PutLogEvents",
                            ]
                          - Effect   = "Allow"
                          - Resource = [
                              - "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle:*",
                            ]
                        },
                      - {
                          - Action   = [
                              - "autoscaling:CompleteLifecycleAction",
                            ]
                          - Effect   = "Allow"
                          - Resource = [
                              - "arn:aws:autoscaling:us-west-2:743794601996:autoScalingGroup:6901c764-d51d-4900-af39-78d2e1ba7311:autoScalingGroupName/github-self-hosted-runner-asg",
                            ]
                        },
                      - {
                          - Action   = [
                              - "sqs:SendMessage",
                            ]
                          - Effect   = "Allow"
                          - Resource = [
                              - "arn:aws:sqs:us-west-2:743794601996:github-self-hosted-runner-lambda-dlq",
                            ]
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
    }

  # aws_iam_role.lifecycle_hook will be destroyed
  # (because aws_iam_role.lifecycle_hook is not in configuration)
  - resource "aws_iam_role" "lifecycle_hook" {
      - arn                   = "arn:aws:iam::743794601996:role/github-self-hosted-runner-lifecycle-hook-role" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "autoscaling.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2025-08-23T15:00:36Z" -> null
      - force_detach_policies = false -> null
      - id                    = "github-self-hosted-runner-lifecycle-hook-role" -> null
      - managed_policy_arns   = [] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "github-self-hosted-runner-lifecycle-hook-role" -> null
      - path                  = "/" -> null
      - tags                  = {} -> null
      - tags_all              = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - unique_id             = "AROA22LM46AGFSTBWZ6AZ" -> null
        # (3 unchanged attributes hidden)

      - inline_policy {
          - name   = "github-self-hosted-runner-lifecycle-hook-policy" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = [
                              - "sns:Publish",
                            ]
                          - Effect   = "Allow"
                          - Resource = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle"
                        },
                      - {
                          - Action   = [
                              - "kms:Encrypt*",
                              - "kms:Decrypt*",
                              - "kms:ReEncrypt*",
                              - "kms:GenerateDataKey*",
                              - "kms:Describe*",
                            ]
                          - Effect   = "Allow"
                          - Resource = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
    }

  # aws_iam_role_policy.lambda_deregistration will be destroyed
  # (because aws_iam_role_policy.lambda_deregistration is not in configuration)
  - resource "aws_iam_role_policy" "lambda_deregistration" {
      - id          = "github-self-hosted-runner-lambda-deregistration-role:github-self-hosted-runner-lambda-deregistration-policy" -> null
      - name        = "github-self-hosted-runner-lambda-deregistration-policy" -> null
      - policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:CreateLogGroup",
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                          - "logs:DescribeLogStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:us-west-2:*:*"
                    },
                  - {
                      - Action   = [
                          - "secretsmanager:GetSecretValue",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/c77ff6db-241d-4e88-9317-17c07d0ca952"
                    },
                  - {
                      - Action   = [
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle:*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "autoscaling:CompleteLifecycleAction",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:autoscaling:us-west-2:743794601996:autoScalingGroup:6901c764-d51d-4900-af39-78d2e1ba7311:autoScalingGroupName/github-self-hosted-runner-asg",
                        ]
                    },
                  - {
                      - Action   = [
                          - "sqs:SendMessage",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:sqs:us-west-2:743794601996:github-self-hosted-runner-lambda-dlq",
                        ]
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role        = "github-self-hosted-runner-lambda-deregistration-role" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_role_policy.lifecycle_hook will be destroyed
  # (because aws_iam_role_policy.lifecycle_hook is not in configuration)
  - resource "aws_iam_role_policy" "lifecycle_hook" {
      - id          = "github-self-hosted-runner-lifecycle-hook-role:github-self-hosted-runner-lifecycle-hook-policy" -> null
      - name        = "github-self-hosted-runner-lifecycle-hook-policy" -> null
      - policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "sns:Publish",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle"
                    },
                  - {
                      - Action   = [
                          - "kms:Encrypt*",
                          - "kms:Decrypt*",
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Describe*",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role        = "github-self-hosted-runner-lifecycle-hook-role" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_role_policy_attachment.lambda_vpc_execution will be destroyed
  # (because aws_iam_role_policy_attachment.lambda_vpc_execution is not in configuration)
  - resource "aws_iam_role_policy_attachment" "lambda_vpc_execution" {
      - id         = "github-self-hosted-runner-lambda-deregistration-role-20250823150045064900000002" -> null
      - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" -> null
      - role       = "github-self-hosted-runner-lambda-deregistration-role" -> null
    }

  # aws_kms_alias.encrypt_efs will be destroyed
  # (because aws_kms_alias.encrypt_efs is not in configuration)
  - resource "aws_kms_alias" "encrypt_efs" {
      - arn            = "arn:aws:kms:us-west-2:743794601996:alias/github-self-hosted-runner-encrypt-efs" -> null
      - id             = "alias/github-self-hosted-runner-encrypt-efs" -> null
      - name           = "alias/github-self-hosted-runner-encrypt-efs" -> null
      - target_key_arn = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - target_key_id  = "57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.encrypt_lambda will be destroyed
  # (because aws_kms_alias.encrypt_lambda is not in configuration)
  - resource "aws_kms_alias" "encrypt_lambda" {
      - arn            = "arn:aws:kms:us-west-2:743794601996:alias/github-self-hosted-runner-encryption" -> null
      - id             = "alias/github-self-hosted-runner-encryption" -> null
      - name           = "alias/github-self-hosted-runner-encryption" -> null
      - target_key_arn = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - target_key_id  = "6df8fd54-93d4-4771-a855-6d8bba252528" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.encrypt_sns will be destroyed
  # (because aws_kms_alias.encrypt_sns is not in configuration)
  - resource "aws_kms_alias" "encrypt_sns" {
      - arn            = "arn:aws:kms:us-west-2:743794601996:alias/github-self-hosted-runner-encrypt-sns" -> null
      - id             = "alias/github-self-hosted-runner-encrypt-sns" -> null
      - name           = "alias/github-self-hosted-runner-encrypt-sns" -> null
      - target_key_arn = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - target_key_id  = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.encrypt_ssm will be destroyed
  # (because aws_kms_alias.encrypt_ssm is not in configuration)
  - resource "aws_kms_alias" "encrypt_ssm" {
      - arn            = "arn:aws:kms:us-west-2:743794601996:alias/github-self-hosted-runner-encrypt-ssm" -> null
      - id             = "alias/github-self-hosted-runner-encrypt-ssm" -> null
      - name           = "alias/github-self-hosted-runner-encrypt-ssm" -> null
      - target_key_arn = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3" -> null
      - target_key_id  = "939dab50-f649-40ed-9372-33b812e93be3" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.ssm_parameters will be created
  + resource "aws_kms_alias" "ssm_parameters" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-ssm"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_key.encrypt_efs will be destroyed
  # (because aws_kms_key.encrypt_efs is not in configuration)
  - resource "aws_kms_key" "encrypt_efs" {
      - arn                                = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt EFS file system in github-self-hosted-runner." -> null
      - enable_key_rotation                = true -> null
      - id                                 = "57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - is_enabled                         = true -> null
      - key_id                             = "57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92"
                      - Sid       = "Enable full access for root account"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "elasticfilesystem.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92"
                      - Sid       = "Allow EFS service"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.encrypt_lambda will be destroyed
  # (because aws_kms_key.encrypt_lambda is not in configuration)
  - resource "aws_kms_key" "encrypt_lambda" {
      - arn                                = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt the lambda resource in github-self-hosted-runner." -> null
      - enable_key_rotation                = true -> null
      - id                                 = "6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - is_enabled                         = true -> null
      - key_id                             = "6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = [
                          - "kms:Update*",
                          - "kms:UntagResource",
                          - "kms:TagResource",
                          - "kms:ScheduleKeyDeletion",
                          - "kms:Revoke*",
                          - "kms:ReEncrypt*",
                          - "kms:Put*",
                          - "kms:List*",
                          - "kms:Get*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:Enable*",
                          - "kms:Disable*",
                          - "kms:DescribeKey",
                          - "kms:Delete*",
                          - "kms:Decrypt",
                          - "kms:Create*",
                          - "kms:CancelKeyDeletion",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                          - "kms:CreateGrant",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "aws:RequestedRegion"                      = "us-west-2"
                              - "kms:EncryptionContext:LambdaFunctionName" = "github-self-hosted-runner"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528"
                      - Sid       = "Allow Lambda to use the key"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.encrypt_sns will be destroyed
  # (because aws_kms_key.encrypt_sns is not in configuration)
  - resource "aws_kms_key" "encrypt_sns" {
      - arn                                = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt SNS topic in github-self-hosted-runner." -> null
      - enable_key_rotation                = true -> null
      - id                                 = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - is_enabled                         = true -> null
      - key_id                             = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                      - Sid       = "Enable full access for root account"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                      - Sid       = "Allow AWS services"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.encrypt_ssm will be destroyed
  # (because aws_kms_key.encrypt_ssm is not in configuration)
  - resource "aws_kms_key" "encrypt_ssm" {
      - arn                                = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Key to encrypt the ssm resource in github-self-hosted-runner." -> null
      - enable_key_rotation                = true -> null
      - id                                 = "939dab50-f649-40ed-9372-33b812e93be3" -> null
      - is_enabled                         = true -> null
      - key_id                             = "939dab50-f649-40ed-9372-33b812e93be3" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ssm.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3"
                      - Sid       = "Allow SSM Service"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.ssm_parameters will be created
  + resource "aws_kms_key" "ssm_parameters" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "KMS key for SSM parameter encryption"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "kms:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::743794601996:root"
                        }
                      + Resource  = "*"
                      + Sid       = "Enable IAM User Permissions"
                    },
                  + {
                      + Action    = [
                          + "kms:ReEncrypt*",
                          + "kms:GenerateDataKey",
                          + "kms:Encrypt",
                          + "kms:DescribeKey",
                          + "kms:Decrypt",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ssm.amazonaws.com"
                        }
                      + Resource  = "*"
                      + Sid       = "Allow SSM Service"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_kms_key_policy.encrypt_cloudwatch will be updated in-place
  ~ resource "aws_kms_key_policy" "encrypt_cloudwatch" {
        id                                 = "a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
      ~ policy                             = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = "kms:*"
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::743794601996:root"
                        }
                        Resource  = "*"
                        Sid       = "Enable IAM User Permissions"
                    },
                  ~ {
                      ~ Condition = {
                          ~ ArnEquals = {
                              ~ "kms:EncryptionContext:aws:logs:arn" = [
                                  ~ "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle" -> "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/log",
                                ]
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (2 unchanged attributes hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key_policy.encrypt_efs will be destroyed
  # (because aws_kms_key_policy.encrypt_efs is not in configuration)
  - resource "aws_kms_key_policy" "encrypt_efs" {
      - bypass_policy_lockout_safety_check = false -> null
      - id                                 = "57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - key_id                             = "57161dac-ea94-435b-bdd4-6bb40a54de92" -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92"
                      - Sid       = "Enable full access for root account"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "elasticfilesystem.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92"
                      - Sid       = "Allow EFS service"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

  # aws_kms_key_policy.encrypt_lambda will be destroyed
  # (because aws_kms_key_policy.encrypt_lambda is not in configuration)
  - resource "aws_kms_key_policy" "encrypt_lambda" {
      - bypass_policy_lockout_safety_check = false -> null
      - id                                 = "6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - key_id                             = "6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = [
                          - "kms:Update*",
                          - "kms:UntagResource",
                          - "kms:TagResource",
                          - "kms:ScheduleKeyDeletion",
                          - "kms:Revoke*",
                          - "kms:ReEncrypt*",
                          - "kms:Put*",
                          - "kms:List*",
                          - "kms:Get*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:Enable*",
                          - "kms:Disable*",
                          - "kms:DescribeKey",
                          - "kms:Delete*",
                          - "kms:Decrypt",
                          - "kms:Create*",
                          - "kms:CancelKeyDeletion",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                          - "kms:CreateGrant",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "aws:RequestedRegion"                      = "us-west-2"
                              - "kms:EncryptionContext:LambdaFunctionName" = "github-self-hosted-runner"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528"
                      - Sid       = "Allow Lambda to use the key"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

  # aws_kms_key_policy.encrypt_sns will be destroyed
  # (because aws_kms_key_policy.encrypt_sns is not in configuration)
  - resource "aws_kms_key_policy" "encrypt_sns" {
      - bypass_policy_lockout_safety_check = false -> null
      - id                                 = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - key_id                             = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                      - Sid       = "Enable full access for root account"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/79376031-6274-4fe8-8c1b-01ab85054087"
                      - Sid       = "Allow AWS services"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

  # aws_kms_key_policy.encrypt_ssm will be destroyed
  # (because aws_kms_key_policy.encrypt_ssm is not in configuration)
  - resource "aws_kms_key_policy" "encrypt_ssm" {
      - bypass_policy_lockout_safety_check = false -> null
      - id                                 = "939dab50-f649-40ed-9372-33b812e93be3" -> null
      - key_id                             = "939dab50-f649-40ed-9372-33b812e93be3" -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ssm.amazonaws.com"
                        }
                      - Resource  = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3"
                      - Sid       = "Allow SSM Service"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

  # aws_lambda_function.runner_deregistration will be destroyed
  # (because aws_lambda_function.runner_deregistration is not in configuration)
  - resource "aws_lambda_function" "runner_deregistration" {
      - architectures                  = [
          - "x86_64",
        ] -> null
      - arn                            = "arn:aws:lambda:us-west-2:743794601996:function:github-self-hosted-runner-deregistration" -> null
      - code_sha256                    = "fMFiWq/NWXhGvBY+NU3Qo0KILSf1yLYG/0aUKLw3G5Y=" -> null
      - filename                       = "runner_deregistration.zip" -> null
      - function_name                  = "github-self-hosted-runner-deregistration" -> null
      - handler                        = "index.handler" -> null
      - id                             = "github-self-hosted-runner-deregistration" -> null
      - invoke_arn                     = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:743794601996:function:github-self-hosted-runner-deregistration/invocations" -> null
      - kms_key_arn                    = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - last_modified                  = "2025-08-23T15:03:05.382+0000" -> null
      - layers                         = [
          - "arn:aws:lambda:us-west-2:743794601996:layer:pyjwt:7",
        ] -> null
      - memory_size                    = 128 -> null
      - package_type                   = "Zip" -> null
      - publish                        = false -> null
      - qualified_arn                  = "arn:aws:lambda:us-west-2:743794601996:function:github-self-hosted-runner-deregistration:$LATEST" -> null
      - qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:743794601996:function:github-self-hosted-runner-deregistration:$LATEST/invocations" -> null
      - reserved_concurrent_executions = 5 -> null
      - role                           = "arn:aws:iam::743794601996:role/github-self-hosted-runner-lambda-deregistration-role" -> null
      - runtime                        = "python3.12" -> null
      - skip_destroy                   = false -> null
      - source_code_hash               = "fMFiWq/NWXhGvBY+NU3Qo0KILSf1yLYG/0aUKLw3G5Y=" -> null
      - source_code_size               = 2233 -> null
      - tags                           = {} -> null
      - tags_all                       = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - timeout                        = 60 -> null
      - version                        = "$LATEST" -> null
        # (5 unchanged attributes hidden)

      - dead_letter_config {
          - target_arn = "arn:aws:sqs:us-west-2:743794601996:github-self-hosted-runner-lambda-dlq" -> null
        }

      - environment {
          - variables = {
              - "GITHUB_ORGANIZATION" = "kunduso-org"
              - "LIFECYCLE_LOG_GROUP" = "/github-self-hosted-runner/lifecycle"
              - "REGION"              = "us-west-2"
              - "SECRET_NAME"         = "github-self-hosted-runner-credentials-v2"
            } -> null
        }

      - ephemeral_storage {
          - size = 512 -> null
        }

      - logging_config {
          - log_format            = "Text" -> null
          - log_group             = "/aws/lambda/github-self-hosted-runner-deregistration" -> null
            # (2 unchanged attributes hidden)
        }

      - tracing_config {
          - mode = "Active" -> null
        }

      - vpc_config {
          - ipv6_allowed_for_dual_stack = false -> null
          - security_group_ids          = [
              - "sg-09efac711d1a4f657",
            ] -> null
          - subnet_ids                  = [
              - "subnet-03e1ed051e9e071c1",
              - "subnet-0da9beaf2e436c556",
            ] -> null
          - vpc_id                      = "vpc-0f94d52581179e6b3" -> null
        }
    }

  # aws_lambda_layer_version.lambda_layer_pyjwt will be destroyed
  # (because aws_lambda_layer_version.lambda_layer_pyjwt is not in configuration)
  - resource "aws_lambda_layer_version" "lambda_layer_pyjwt" {
      - arn                         = "arn:aws:lambda:us-west-2:743794601996:layer:pyjwt:7" -> null
      - code_sha256                 = "wIADZnX/t6eAZcPI5PzKpqyeHttwc7KsK0Df1MLVwqs=" -> null
      - compatible_architectures    = [] -> null
      - compatible_runtimes         = [
          - "python3.12",
        ] -> null
      - created_date                = "2025-08-23T15:00:57.949+0000" -> null
      - filename                    = "./lambda_layer.zip" -> null
      - id                          = "arn:aws:lambda:us-west-2:743794601996:layer:pyjwt:7" -> null
      - layer_arn                   = "arn:aws:lambda:us-west-2:743794601996:layer:pyjwt" -> null
      - layer_name                  = "pyjwt" -> null
      - skip_destroy                = false -> null
      - source_code_hash            = "wIADZnX/t6eAZcPI5PzKpqyeHttwc7KsK0Df1MLVwqs=" -> null
      - source_code_size            = 5660225 -> null
      - version                     = "7" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_lambda_permission.sns_invoke will be destroyed
  # (because aws_lambda_permission.sns_invoke is not in configuration)
  - resource "aws_lambda_permission" "sns_invoke" {
      - action              = "lambda:InvokeFunction" -> null
      - function_name       = "github-self-hosted-runner-deregistration" -> null
      - id                  = "AllowExecutionFromSNS" -> null
      - principal           = "sns.amazonaws.com" -> null
      - source_arn          = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle" -> null
      - statement_id        = "AllowExecutionFromSNS" -> null
        # (2 unchanged attributes hidden)
    }

  # aws_launch_template.github_runner will be updated in-place
  ~ resource "aws_launch_template" "github_runner" {
        id                                   = "lt-0fc3f2cf8d3ca7905"
      ~ latest_version                       = 3 -> (known after apply)
        name                                 = "github-self-hosted-runner2025082315022253420000000f"
        tags                                 = {}
      ~ user_data                            = "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" -> "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"
        # (16 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_secretsmanager_secret_version.github_runner_credentials must be replaced
-/+ resource "aws_secretsmanager_secret_version" "github_runner_credentials" {
      ~ arn                  = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo" -> (known after apply)
      + has_secret_string_wo = (known after apply)
      ~ id                   = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo|terraform-20250823150048623300000006" -> (known after apply)
      ~ secret_string        = (sensitive value) # forces replacement
      ~ version_id           = "terraform-20250823150048623300000006" -> (known after apply)
      ~ version_stages       = [
          - "AWSCURRENT",
        ] -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # aws_security_group.lambda will be destroyed
  # (because aws_security_group.lambda is not in configuration)
  - resource "aws_security_group" "lambda" {
      - arn                    = "arn:aws:ec2:us-west-2:743794601996:security-group/sg-09efac711d1a4f657" -> null
      - description            = "Security group for Lambda function" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "Allow all outbound traffic for Lambda"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> null
      - id                     = "sg-09efac711d1a4f657" -> null
      - ingress                = [] -> null
      - name                   = "github-self-hosted-runner-lambda-sg" -> null
      - owner_id               = "743794601996" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Name" = "github-self-hosted-runner-lambda-sg"
        } -> null
      - tags_all               = {
          - "Name"   = "github-self-hosted-runner-lambda-sg"
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - vpc_id                 = "vpc-0f94d52581179e6b3" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_security_group_rule.lambda_egress will be destroyed
  # (because aws_security_group_rule.lambda_egress is not in configuration)
  - resource "aws_security_group_rule" "lambda_egress" {
      - cidr_blocks            = [
          - "0.0.0.0/0",
        ] -> null
      - description            = "Allow all outbound traffic for Lambda" -> null
      - from_port              = 0 -> null
      - id                     = "sgrule-3195649409" -> null
      - protocol               = "-1" -> null
      - security_group_id      = "sg-09efac711d1a4f657" -> null
      - security_group_rule_id = "sgr-0111d48fe00625300" -> null
      - self                   = false -> null
      - to_port                = 0 -> null
      - type                   = "egress" -> null
    }

  # aws_sns_topic.runner_lifecycle will be destroyed
  # (because aws_sns_topic.runner_lifecycle is not in configuration)
  - resource "aws_sns_topic" "runner_lifecycle" {
      - application_success_feedback_sample_rate = 0 -> null
      - arn                                      = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle" -> null
      - content_based_deduplication              = false -> null
      - fifo_topic                               = false -> null
      - firehose_success_feedback_sample_rate    = 0 -> null
      - http_success_feedback_sample_rate        = 0 -> null
      - id                                       = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle" -> null
      - kms_master_key_id                        = "79376031-6274-4fe8-8c1b-01ab85054087" -> null
      - lambda_success_feedback_sample_rate      = 0 -> null
      - name                                     = "github-self-hosted-runner-lifecycle" -> null
      - owner                                    = "743794601996" -> null
      - policy                                   = jsonencode(
            {
              - Id        = "__default_policy_ID"
              - Statement = [
                  - {
                      - Action    = [
                          - "SNS:GetTopicAttributes",
                          - "SNS:SetTopicAttributes",
                          - "SNS:AddPermission",
                          - "SNS:RemovePermission",
                          - "SNS:DeleteTopic",
                          - "SNS:Subscribe",
                          - "SNS:ListSubscriptionsByTopic",
                          - "SNS:Publish",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "AWS:SourceOwner" = "743794601996"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle"
                      - Sid       = "__default_statement_ID"
                    },
                ]
              - Version   = "2008-10-17"
            }
        ) -> null
      - signature_version                        = 0 -> null
      - sqs_success_feedback_sample_rate         = 0 -> null
      - tags                                     = {} -> null
      - tags_all                                 = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (16 unchanged attributes hidden)
    }

  # aws_sns_topic_subscription.runner_lifecycle will be destroyed
  # (because aws_sns_topic_subscription.runner_lifecycle is not in configuration)
  - resource "aws_sns_topic_subscription" "runner_lifecycle" {
      - arn                             = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle:a97e4ab2-5d9f-4f41-b401-fcccb3fae625" -> null
      - confirmation_timeout_in_minutes = 1 -> null
      - confirmation_was_authenticated  = true -> null
      - endpoint                        = "arn:aws:lambda:us-west-2:743794601996:function:github-self-hosted-runner-deregistration" -> null
      - endpoint_auto_confirms          = false -> null
      - id                              = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle:a97e4ab2-5d9f-4f41-b401-fcccb3fae625" -> null
      - owner_id                        = "743794601996" -> null
      - pending_confirmation            = false -> null
      - protocol                        = "lambda" -> null
      - raw_message_delivery            = false -> null
      - topic_arn                       = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle" -> null
        # (6 unchanged attributes hidden)
    }

  # aws_sqs_queue.dlq will be destroyed
  # (because aws_sqs_queue.dlq is not in configuration)
  - resource "aws_sqs_queue" "dlq" {
      - arn                               = "arn:aws:sqs:us-west-2:743794601996:github-self-hosted-runner-lambda-dlq" -> null
      - content_based_deduplication       = false -> null
      - delay_seconds                     = 0 -> null
      - fifo_queue                        = false -> null
      - id                                = "https://sqs.us-west-2.amazonaws.com/743794601996/github-self-hosted-runner-lambda-dlq" -> null
      - kms_data_key_reuse_period_seconds = 300 -> null
      - kms_master_key_id                 = "arn:aws:kms:us-west-2:743794601996:key/6df8fd54-93d4-4771-a855-6d8bba252528" -> null
      - max_message_size                  = 262144 -> null
      - message_retention_seconds         = 345600 -> null
      - name                              = "github-self-hosted-runner-lambda-dlq" -> null
      - receive_wait_time_seconds         = 0 -> null
      - sqs_managed_sse_enabled           = false -> null
      - tags                              = {} -> null
      - tags_all                          = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - url                               = "https://sqs.us-west-2.amazonaws.com/743794601996/github-self-hosted-runner-lambda-dlq" -> null
      - visibility_timeout_seconds        = 30 -> null
        # (6 unchanged attributes hidden)
    }

  # aws_ssm_parameter.deregistration_script will be destroyed
  # (because aws_ssm_parameter.deregistration_script is not in configuration)
  - resource "aws_ssm_parameter" "deregistration_script" {
      - arn             = "arn:aws:ssm:us-west-2:743794601996:parameter/github-self-hosted-runner/deregistration-script" -> null
      - data_type       = "text" -> null
      - id              = "/github-self-hosted-runner/deregistration-script" -> null
      - key_id          = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3" -> null
      - name            = "/github-self-hosted-runner/deregistration-script" -> null
      - tags            = {
          - "Name" = "github-self-hosted-runner-deregistration-script"
        } -> null
      - tags_all        = {
          - "Name"   = "github-self-hosted-runner-deregistration-script"
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - tier            = "Standard" -> null
      - type            = "SecureString" -> null
      - value           = (sensitive value) -> null
      - value_wo        = (write-only attribute) -> null
      - version         = 1 -> null
        # (2 unchanged attributes hidden)
    }

  # aws_ssm_parameter.nat_gateway_public_ips will be updated in-place
  ~ resource "aws_ssm_parameter" "nat_gateway_public_ips" {
        id              = "/github-self-hosted-runner-ip-address"
      ~ key_id          = "arn:aws:kms:us-west-2:743794601996:key/939dab50-f649-40ed-9372-33b812e93be3" -> (known after apply)
        name            = "/github-self-hosted-runner-ip-address"
        tags            = {
            "Name" = "github-self-hosted-runner-ip-addresses"
        }
      ~ type            = "SecureString" -> "StringList"
        # (9 unchanged attributes hidden)
    }

Plan: 4 to add, 6 to change, 29 to destroy.

Warning: 'launch_template' always triggers an instance refresh and can be removed

  with aws_autoscaling_group.github_runner,
  on asg.tf line 155, in resource "aws_autoscaling_group" "github_runner":
 155:     triggers = ["launch_template"]


─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

@github-actions

Terraform Format and Style 🖌 success

Terraform Initialization ⚙️ success

Terraform Plan 📖 success

Terraform Validation 🤖 success

Show Plan

terraform
data.aws_ami.ubuntu: Reading...
aws_kms_key.encrypt_efs: Refreshing state... [id=57161dac-ea94-435b-bdd4-6bb40a54de92]
aws_kms_key.github_runner_secrets: Refreshing state... [id=c77ff6db-241d-4e88-9317-17c07d0ca952]
aws_iam_role.lambda_deregistration: Refreshing state... [id=github-self-hosted-runner-lambda-deregistration-role]
module.vpc.aws_vpc.this: Refreshing state... [id=vpc-0f94d52581179e6b3]
aws_kms_alias.encrypt_sns: Refreshing state... [id=alias/github-self-hosted-runner-encrypt-sns]
aws_iam_policy.github_actions_state: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-github-actions-state-policy]
aws_iam_role.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-role]
module.vpc.aws_kms_key.custom_kms_key[0]: Refreshing state... [id=a3fd4228-613d-487c-89c6-74f2235bdd36]
aws_lambda_function.runner_deregistration: Refreshing state... [id=github-self-hosted-runner-deregistration]
aws_kms_key_policy.encrypt_lambda: Refreshing state... [id=6df8fd54-93d4-4771-a855-6d8bba252528]
aws_kms_key_policy.encrypt_ssm: Refreshing state... [id=939dab50-f649-40ed-9372-33b812e93be3]
aws_kms_key_policy.encrypt_sns: Refreshing state... [id=79376031-6274-4fe8-8c1b-01ab85054087]
module.vpc.data.aws_caller_identity.current: Reading...
aws_kms_key.cloudwatch_kms_key: Refreshing state... [id=a725a4e2-3f6c-4a07-ac88-25baafbe7b76]
module.vpc.data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
aws_lambda_layer_version.lambda_layer_pyjwt: Refreshing state... [id=arn:aws:lambda:us-west-2:743794601996:layer:pyjwt:7]
aws_ssm_parameter.deregistration_script: Refreshing state... [id=/github-self-hosted-runner/deregistration-script]
aws_kms_alias.encrypt_ssm: Refreshing state... [id=alias/github-self-hosted-runner-encrypt-ssm]
aws_sns_topic_subscription.runner_lifecycle: Refreshing state... [id=arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle:a97e4ab2-5d9f-4f41-b401-fcccb3fae625]
aws_kms_key.encrypt_lambda: Refreshing state... [id=6df8fd54-93d4-4771-a855-6d8bba252528]
aws_autoscaling_lifecycle_hook.runner_termination: Refreshing state... [id=github-self-hosted-runner-termination-hook]
aws_security_group.lambda: Refreshing state... [id=sg-09efac711d1a4f657]
aws_security_group_rule.lambda_egress: Refreshing state... [id=sgrule-3195649409]
aws_kms_alias.encrypt_lambda: Refreshing state... [id=alias/github-self-hosted-runner-encryption]
data.aws_ami.ubuntu: Read complete after 0s [id=ami-065778886ef8ec7c8]
aws_cloudwatch_log_group.github_runner_lifecycle: Refreshing state... [id=/github-self-hosted-runner/lifecycle]
aws_kms_key.encrypt_sns: Refreshing state... [id=79376031-6274-4fe8-8c1b-01ab85054087]
aws_iam_role_policy.lambda_deregistration: Refreshing state... [id=github-self-hosted-runner-lambda-deregistration-role:github-self-hosted-runner-lambda-deregistration-policy]
aws_kms_key.encrypt_ssm: Refreshing state... [id=939dab50-f649-40ed-9372-33b812e93be3]
aws_iam_role_policy.lifecycle_hook: Refreshing state... [id=github-self-hosted-runner-lifecycle-hook-role:github-self-hosted-runner-lifecycle-hook-policy]
aws_kms_key_policy.encrypt_efs: Refreshing state... [id=57161dac-ea94-435b-bdd4-6bb40a54de92]
aws_kms_alias.encrypt_efs: Refreshing state... [id=alias/github-self-hosted-runner-encrypt-efs]
aws_iam_role.lifecycle_hook: Refreshing state... [id=github-self-hosted-runner-lifecycle-hook-role]
aws_sns_topic.runner_lifecycle: Refreshing state... [id=arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle]
aws_iam_role_policy_attachment.lambda_vpc_execution: Refreshing state... [id=github-self-hosted-runner-lambda-deregistration-role-20250823150045064900000002]
aws_lambda_permission.sns_invoke: Refreshing state... [id=AllowExecutionFromSNS]
aws_sqs_queue.dlq: Refreshing state... [id=https://sqs.us-west-2.amazonaws.com/743794601996/github-self-hosted-runner-lambda-dlq]
module.vpc.aws_eip.nat_gateway[0]: Refreshing state... [id=eipalloc-001340df10b3e1b97]
module.vpc.aws_eip.nat_gateway[1]: Refreshing state... [id=eipalloc-0e79188509e4f565a]
module.vpc.data.aws_availability_zones.available: Reading...
data.aws_availability_zones.available: Reading...
data.aws_caller_identity.current: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
module.vpc.data.aws_iam_policy_document.assume_role: Reading...
module.vpc.data.aws_iam_policy_document.assume_role: Read complete after 0s [id=2717921857]
aws_efs_file_system.github_runner_work: Refreshing state... [id=fs-0b55e9a7011bf7c90]
module.vpc.data.aws_availability_zones.available: Read complete after 0s [id=us-west-2]
module.vpc.aws_kms_alias.key[0]: Refreshing state... [id=alias/github-self-hosted-runner-encrypt-flow-log]
aws_secretsmanager_secret.github_runner_credentials: Refreshing state... [id=arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo]
data.aws_availability_zones.available: Read complete after 0s [id=us-west-2]
module.vpc.aws_cloudwatch_log_group.network_flow_logging[0]: Refreshing state... [id=github-self-hosted-runner-flow-logs]
aws_kms_alias.github_runner_secrets: Refreshing state... [id=alias/github-self-hosted-runner-secret]
aws_kms_alias.key: Refreshing state... [id=alias/github-self-hosted-runner]
data.aws_iam_policy_document.ssm_kms: Reading...
data.aws_iam_policy_document.ssm_kms: Read complete after 0s [id=3292091877]
module.vpc.aws_iam_role.vpc_flow_log_role[0]: Refreshing state... [id=github-self-hosted-runner-vpc-flow-role]
module.vpc.aws_kms_key_policy.encrypt_log[0]: Refreshing state... [id=a3fd4228-613d-487c-89c6-74f2235bdd36]
aws_kms_key_policy.encrypt_secret: Refreshing state... [id=c77ff6db-241d-4e88-9317-17c07d0ca952]
aws_iam_policy.cloudwatch_logs: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-cloudwatch-logs-policy]
aws_kms_key_policy.encrypt_cloudwatch: Refreshing state... [id=a725a4e2-3f6c-4a07-ac88-25baafbe7b76]
module.vpc.data.aws_iam_policy_document.vpc_flow_log_policy_document[0]: Reading...
module.vpc.data.aws_iam_policy_document.vpc_flow_log_policy_document[0]: Read complete after 0s [id=54070053]
aws_iam_role.github_actions_runner: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role]
aws_iam_instance_profile.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-profile]
aws_iam_role_policy_attachment.ssm: Refreshing state... [id=github-self-hosted-runner-ec2-role-20250823150037802000000001]
module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-09651f70f6184babe]
module.vpc.aws_default_security_group.default: Refreshing state... [id=sg-059fed260f3f7d461]
module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0da9beaf2e436c556]
module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-03e1ed051e9e071c1]
module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-09d2063d896d96860]
module.vpc.aws_route_table.private[1]: Refreshing state... [id=rtb-044fac8abc330694a]
module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0febf2c2af76e2c79]
module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-03bf97d42f9a82730]
module.vpc.aws_internet_gateway.this_igw[0]: Refreshing state... [id=igw-0a0d939ec05e85391]
aws_secretsmanager_secret_version.github_runner_credentials: Refreshing state... [id=arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo|terraform-20250823150048623300000006]
aws_iam_policy.github_runner: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-ec2-policy]
aws_security_group.efs: Refreshing state... [id=sg-024a1e389c84b48ea]
aws_security_group.github_runner: Refreshing state... [id=sg-079a81840121b7da7]
aws_iam_role_policy_attachment.cloudwatch_logs: Refreshing state... [id=github-self-hosted-runner-ec2-role-20250823150055004200000007]
module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-028d25a5848086fff]
module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-03caad7157f63b8cd]
module.vpc.aws_route.internet_route[0]: Refreshing state... [id=r-rtb-03bf97d42f9a827301080289494]
module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0ef5f4bbe527d85a1]
module.vpc.aws_nat_gateway.public[0]: Refreshing state... [id=nat-0f2a89d17c306f450]
module.vpc.aws_nat_gateway.public[1]: Refreshing state... [id=nat-0a26d68751d3c1b6f]
module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-0d7d71401df749b1a]
aws_efs_mount_target.github_runner_work[0]: Refreshing state... [id=fsmt-06593fb53f8c2522f]
aws_efs_mount_target.github_runner_work[1]: Refreshing state... [id=fsmt-080b547fe91291e3b]
aws_security_group_rule.github_runner_egress: Refreshing state... [id=sgrule-3110254434]
aws_security_group_rule.efs_ingress: Refreshing state... [id=sgrule-1720110692]
aws_iam_role_policy_attachment.github_actions_admin: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role-20250823150045535900000004]
aws_launch_template.github_runner: Refreshing state... [id=lt-0fc3f2cf8d3ca7905]
module.vpc.aws_flow_log.network_flow_logging[0]: Refreshing state... [id=fl-0ea1bdd10867b211d]
aws_iam_role_policy_attachment.github_actions_state: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role-20250823150045310200000003]
module.vpc.aws_iam_role_policy.vpc_flow_log_role_policy[0]: Refreshing state... [id=github-self-hosted-runner-vpc-flow-role:github-self-hosted-runner-vpc-flow-policy]
module.vpc.aws_route.private_route[0]: Refreshing state... [id=r-rtb-09d2063d896d968601080289494]
module.vpc.aws_route.private_route[1]: Refreshing state... [id=r-rtb-044fac8abc330694a1080289494]
aws_iam_role_policy_attachment.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-role-2025082315011670590000000c]
aws_ssm_parameter.nat_gateway_public_ips: Refreshing state... [id=/github-self-hosted-runner-ip-address]
aws_autoscaling_group.github_runner: Refreshing state... [id=github-self-hosted-runner-asg]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_cloudwatch_log_group.github_runner will be created
  + resource "aws_cloudwatch_log_group" "github_runner" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + kms_key_id        = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
      + log_group_class   = (known after apply)
      + name              = "/github-runner/github-self-hosted-runner/log"
      + name_prefix       = (known after apply)
      + retention_in_days = 365
      + skip_destroy      = false
      + tags              = {
          + "Name" = "github-self-hosted-runner-logs"
        }
      + tags_all          = {
          + "Name"   = "github-self-hosted-runner-logs"
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_iam_policy.cloudwatch_logs will be updated in-place
  ~ resource "aws_iam_policy" "cloudwatch_logs" {
        id               = "arn:aws:iam::743794601996:policy/github-self-hosted-runner-cloudwatch-logs-policy"
        name             = "github-self-hosted-runner-cloudwatch-logs-policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:CreateLogGroup",
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                          - "logs:DescribeLogStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/log",
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/log:*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:DescribeKey",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_kms_alias.ssm_parameters will be created
  + resource "aws_kms_alias" "ssm_parameters" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-ssm"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_key.ssm_parameters will be created
  + resource "aws_kms_key" "ssm_parameters" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "KMS key for SSM parameter encryption"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "kms:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::743794601996:root"
                        }
                      + Resource  = "*"
                      + Sid       = "Enable IAM User Permissions"
                    },
                  + {
                      + Action    = [
                          + "kms:ReEncrypt*",
                          + "kms:GenerateDataKey",
                          + "kms:Encrypt",
                          + "kms:DescribeKey",
                          + "kms:Decrypt",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ssm.amazonaws.com"
                        }
                      + Resource  = "*"
                      + Sid       = "Allow SSM Service"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_secretsmanager_secret_version.github_runner_credentials must be replaced
-/+ resource "aws_secretsmanager_secret_version" "github_runner_credentials" {
      ~ arn                  = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo" -> (known after apply)
      + has_secret_string_wo = (known after apply)
      ~ id                   = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo|terraform-20250823150048623300000006" -> (known after apply)
      ~ secret_string        = (sensitive value) # forces replacement
      ~ version_id           = "terraform-20250823150048623300000006" -> (known after apply)
      ~ version_stages       = [
          - "AWSPREVIOUS",
        ] -> (known after apply)
        # (3 unchanged attributes hidden)
    }

  # aws_security_group.lambda will be destroyed
  # (because aws_security_group.lambda is not in configuration)
  - resource "aws_security_group" "lambda" {
      - arn                    = "arn:aws:ec2:us-west-2:743794601996:security-group/sg-09efac711d1a4f657" -> null
      - description            = "Security group for Lambda function" -> null
      - egress                 = [] -> null
      - id                     = "sg-09efac711d1a4f657" -> null
      - ingress                = [] -> null
      - name                   = "github-self-hosted-runner-lambda-sg" -> null
      - owner_id               = "743794601996" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Name" = "github-self-hosted-runner-lambda-sg"
        } -> null
      - tags_all               = {
          - "Name"   = "github-self-hosted-runner-lambda-sg"
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
      - vpc_id                 = "vpc-0f94d52581179e6b3" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_ssm_parameter.nat_gateway_public_ips will be updated in-place
  ~ resource "aws_ssm_parameter" "nat_gateway_public_ips" {
        id              = "/github-self-hosted-runner-ip-address"
      + key_id          = (known after apply)
        name            = "/github-self-hosted-runner-ip-address"
        tags            = {
            "Name" = "github-self-hosted-runner-ip-addresses"
        }
        # (10 unchanged attributes hidden)
    }

Plan: 4 to add, 2 to change, 2 to destroy.

Warning: 'launch_template' always triggers an instance refresh and can be removed

  with aws_autoscaling_group.github_runner,
  on asg.tf line 155, in resource "aws_autoscaling_group" "github_runner":
 155:     triggers = ["launch_template"]


─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

@kunduso kunduso merged commit e0902ef into main Aug 23, 2025
2 of 4 checks passed
@kunduso kunduso deleted the iam-role-gh-runner branch August 23, 2025 21:58

Development

Successfully merging this pull request may close these issues.

Add assumable IAM role for GitHub Actions infrastructure provisioning
