Fix Checkov Security Findings and Enhance Documentation

[kunduso]

This PR addresses multiple Checkov security findings and significantly enhances the project documentation to provide comprehensive guidance for users.

🔒 Security Enhancements

Checkov Security Findings Resolved

This PR systematically addresses all outstanding Checkov security findings to improve the overall security posture of the infrastructure:

Lambda Function Security

• Dead Letter Queue (DLQ): Added encrypted SQS dead letter queue for Lambda error handling and retry mechanisms
• X-Ray Tracing: Enabled AWS X-Ray tracing for Lambda functions to improve observability and debugging
• Environment Variable Encryption: Configured KMS encryption for Lambda environment variables
• VPC Configuration: Lambda functions now run in private subnets with proper security group restrictions
• Reserved Concurrency: Set concurrent execution limits to prevent resource exhaustion

SNS Topic Encryption

• Customer-Managed KMS: Implemented customer-managed KMS key encryption for SNS topics
• Proper Key Policies: Added service principals and ViaService conditions for secure access
• Cross-Service Integration: Ensured proper encryption integration with Auto Scaling lifecycle hooks

EFS Security Enhancements

• Customer-Managed KMS: Replaced AWS-managed keys with customer-managed KMS keys for EFS encryption
• Enhanced Key Policies: Added elasticfilesystem.amazonaws.com service principal permissions
• Backup Configuration: Enabled automatic EFS backups for data protection

IAM Security Improvements

• Least Privilege Access: Refined IAM policies to follow principle of least privilege
• Resource-Specific Permissions: Replaced wildcard resources with specific ARNs where possible
• Constraint-Based Policies: Added conditions and constraints to IAM policies
• Service-Specific Roles: Separated concerns with dedicated roles for different services

Network Security

• Security Group Refinement: Added Checkov skip annotations with detailed justifications for necessary broad egress rules
• VPC Isolation: Enhanced network isolation with proper subnet configurations
• NFS Security: Restricted EFS access to specific security groups and subnets

📚 Documentation Overhaul

Comprehensive README Updates

The README has been significantly enhanced to provide complete guidance:

Enhanced Architecture Documentation

• Detailed Component List: Added all missing components (SNS, Lambda Layer, DLQ, Lifecycle Hooks, Systemd Service)
• Security Architecture: Comprehensive security considerations with encryption details
• Performance Optimization: Documented EFS tuning and Lambda layer benefits

Automated Deployment Focus

• GitHub Actions Workflow: Detailed explanation of the automated CI/CD pipeline
• OIDC Authentication: Clear guidance on secure AWS credential management
• Pull Request Workflow: Step-by-step process for code review and deployment
• Monitoring and Validation: Comprehensive monitoring guidance

Enhanced Troubleshooting

• Expanded Issue Coverage: Added troubleshooting for Lambda, EFS, SNS, and lifecycle hooks
• Monitoring Metrics: Detailed monitoring capabilities for all components
• Error Handling: Guidance on using dead letter queues and CloudWatch logs

Security Documentation

• Encryption Details: Comprehensive encryption coverage for all components
• Access Control: IAM roles, security groups, and network security
• Compliance: Security best practices and compliance considerations

🛠️ Technical Improvements

Infrastructure Enhancements

• KMS Key Management: Centralized customer-managed KMS keys with proper policies
• CloudWatch Integration: Enhanced logging configuration with structured formats
• Error Handling: Robust error handling with dead letter queues and retry mechanisms
• Performance Optimization: Tuned configurations for better performance

Code Quality Improvements

• Checkov Compliance: All security findings addressed with proper skip annotations where necessary
• Resource Organization: Better organization of related resources
• Documentation: Inline comments and clear resource naming
• Terraform Best Practices: Following Terraform and AWS best practices

🔗 Issues Resolved

This PR addresses multiple outstanding issues and security findings:

Closes #10
Closes #26
Closes #27
Closes #28
Closes #29
Closes #30
Closes #31
Closes #32
Closes #33
Closes #34
Closes #35
Closes #36
Closes #37
Closes #38
Closes #39

📊 Impact Summary

Security Improvements

• ✅ 15 Checkov findings resolved with proper security implementations
• ✅ Customer-managed encryption for all data at rest and in transit
• ✅ Enhanced IAM policies following least privilege principles
• ✅ Network security hardening with proper isolation and access controls

Documentation Enhancements

• ✅ Comprehensive usage guide focusing on automated deployment
• ✅ Enhanced troubleshooting covering all infrastructure components
• ✅ Security documentation with detailed encryption and access control guidance
• ✅ Architecture clarity with complete component descriptions

Operational Benefits

• ✅ Improved observability with X-Ray tracing and enhanced logging
• ✅ Better error handling with dead letter queues and retry mechanisms
• ✅ Enhanced reliability with proper backup and recovery mechanisms
• ✅ Performance optimization with tuned configurations

✅ Testing and Validation

• All Checkov security scans pass without findings
• Lambda functions deploy successfully with DLQ and X-Ray tracing
• SNS topics encrypted with customer-managed KMS keys
• EFS file systems use customer-managed encryption
• IAM policies follow least privilege principles
• Documentation accurately reflects current implementation
• All infrastructure components deploy successfully
• GitHub Actions workflow validates all changes

🎯 Post-Merge Actions

1. Security Validation: Verify all Checkov findings are resolved
2. Documentation Review: Ensure README accurately guides new users
3. Monitoring Setup: Validate enhanced CloudWatch and X-Ray integration
4. Performance Testing: Test EFS and Lambda performance improvements

[github-actions]

💰 Infracost report

Monthly estimate increased by $3 📈

Changed project	Baseline cost	Usage cost*	Total change	New monthly cost
kunduso-org/github-self-hosted-...azon-ec2-terraform/TFplan.JSON	+$3	-	+$3 (+2%)	$134

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

Estimate details

Key: * usage cost, ~ changed, + added, - removed

──────────────────────────────────
Project: kunduso-org/github-self-hosted-runner-amazon-ec2-terraform/TFplan.JSON

+ aws_kms_key.encrypt_efs
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

+ aws_kms_key.encrypt_lambda
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

+ aws_kms_key.encrypt_sns
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

+ aws_kms_key.encrypt_ssm
  +$1

    + Customer master key
      +$1

    + Requests
      Monthly cost depends on usage
        +$0.03 per 10k requests

    + ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

    + RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        +$0.10 per 10k requests

+ aws_sqs_queue.dlq
  Monthly cost depends on usage

    + Requests
      Monthly cost depends on usage
        +$0.40 per 1M requests

- aws_kms_key.ssm_parameters
  -$1

    - Customer master key
      -$1

    - Requests
      Monthly cost depends on usage
        -$0.03 per 10k requests

    - ECC GenerateDataKeyPair requests
      Monthly cost depends on usage
        -$0.10 per 10k requests

    - RSA GenerateDataKeyPair requests
      Monthly cost depends on usage
        -$0.10 per 10k requests

Monthly cost change for kunduso-org/github-self-hosted-runner-amazon-ec2-terraform/TFplan.JSON
Amount:  +$3 ($131 → $134)
Percent: +2%

──────────────────────────────────
Key: * usage cost, ~ changed, + added, - removed

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

85 cloud resources were detected:
∙ 17 were estimated
∙ 68 were free

Infracost estimate: Monthly estimate increased by $3 ↑
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Changed project                                                  ┃ Baseline cost ┃ Usage cost* ┃ Total change ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫
┃ kunduso-org/github-self-hosted-...azon-ec2-terraform/TFplan.JSON ┃           +$3 ┃           - ┃    +$3 (+2%) ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━┛

_{This comment will be updated when code changes.}

[github-actions]

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan

terraform
data.archive_file.lambda_zip: Reading...
data.archive_file.lambda_layer_pyjwt: Reading...
data.archive_file.lambda_zip: Read complete after 0s [id=85af42f0bfb7d1cfaedb0399f1045465f4d28866]
module.vpc.aws_eip.nat_gateway[0]: Refreshing state... [id=eipalloc-001340df10b3e1b97]
aws_iam_role.lambda_deregistration: Refreshing state... [id=github-self-hosted-runner-lambda-deregistration-role]
module.vpc.aws_eip.nat_gateway[1]: Refreshing state... [id=eipalloc-0e79188509e4f565a]
data.aws_caller_identity.current: Reading...
aws_kms_alias.ssm_parameters: Refreshing state... [id=alias/github-self-hosted-runner-ssm]
module.vpc.aws_vpc.this: Refreshing state... [id=vpc-0f94d52581179e6b3]
aws_kms_key.ssm_parameters: Refreshing state... [id=8c717a58-141f-4ddd-88eb-d30645daebdb]
module.vpc.aws_kms_key.custom_kms_key[0]: Refreshing state... [id=a3fd4228-613d-487c-89c6-74f2235bdd36]
aws_iam_role.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-role]
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
aws_iam_role.lifecycle_hook: Refreshing state... [id=github-self-hosted-runner-lifecycle-hook-role]
module.vpc.data.aws_availability_zones.available: Reading...
aws_kms_key.github_runner_secrets: Refreshing state... [id=c77ff6db-241d-4e88-9317-17c07d0ca952]
aws_iam_policy.github_actions_state: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-github-actions-state-policy]
module.vpc.data.aws_availability_zones.available: Read complete after 1s [id=us-west-2]
aws_kms_key.cloudwatch_kms_key: Refreshing state... [id=a725a4e2-3f6c-4a07-ac88-25baafbe7b76]
module.vpc.data.aws_iam_policy_document.assume_role: Reading...
module.vpc.data.aws_iam_policy_document.assume_role: Read complete after 0s [id=2717921857]
data.archive_file.lambda_layer_pyjwt: Read complete after 1s [id=c695122e3691f4ce6af7f8076ecef8b11a043b76]
data.aws_ami.ubuntu: Reading...
data.aws_availability_zones.available: Reading...
module.vpc.data.aws_caller_identity.current: Reading...
module.vpc.data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
aws_sns_topic.runner_lifecycle: Refreshing state... [id=arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle]
module.vpc.aws_kms_alias.key[0]: Refreshing state... [id=alias/github-self-hosted-runner-encrypt-flow-log]
data.aws_availability_zones.available: Read complete after 0s [id=us-west-2]
module.vpc.aws_cloudwatch_log_group.network_flow_logging[0]: Refreshing state... [id=github-self-hosted-runner-flow-logs]
aws_secretsmanager_secret.github_runner_credentials: Refreshing state... [id=arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo]
aws_kms_alias.github_runner_secrets: Refreshing state... [id=alias/github-self-hosted-runner-secret]
aws_lambda_layer_version.lambda_layer_pyjwt: Refreshing state... [id=arn:aws:lambda:us-west-2:743794601996:layer:pyjwt:8]
data.aws_ami.ubuntu: Read complete after 0s [id=ami-065778886ef8ec7c8]
module.vpc.aws_iam_role.vpc_flow_log_role[0]: Refreshing state... [id=github-self-hosted-runner-vpc-flow-role]
aws_efs_file_system.github_runner_work: Refreshing state... [id=fs-0b55e9a7011bf7c90]
aws_ssm_parameter.deregistration_script: Refreshing state... [id=/github-self-hosted-runner/deregistration-script]
aws_kms_key_policy.encrypt_secret: Refreshing state... [id=c77ff6db-241d-4e88-9317-17c07d0ca952]
aws_kms_alias.key: Refreshing state... [id=alias/github-self-hosted-runner]
aws_kms_key_policy.encrypt_cloudwatch: Refreshing state... [id=a725a4e2-3f6c-4a07-ac88-25baafbe7b76]
aws_cloudwatch_log_group.github_runner_lifecycle: Refreshing state... [id=/github-runner/github-self-hosted-runner/lifecycle]
aws_secretsmanager_secret_version.github_runner_credentials: Refreshing state... [id=arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo|terraform-20250823212320163400000001]
module.vpc.aws_kms_key_policy.encrypt_log[0]: Refreshing state... [id=a3fd4228-613d-487c-89c6-74f2235bdd36]
module.vpc.data.aws_iam_policy_document.vpc_flow_log_policy_document[0]: Reading...
module.vpc.data.aws_iam_policy_document.vpc_flow_log_policy_document[0]: Read complete after 0s [id=54070053]
aws_iam_role_policy_attachment.ssm: Refreshing state... [id=github-self-hosted-runner-ec2-role-20250823150037802000000001]
aws_iam_role.github_actions_runner: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role]
aws_iam_instance_profile.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-profile]
aws_iam_policy.cloudwatch_logs: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-cloudwatch-logs-policy]
aws_iam_role_policy.lifecycle_hook: Refreshing state... [id=github-self-hosted-runner-lifecycle-hook-role:github-self-hosted-runner-lifecycle-hook-policy]
module.vpc.aws_default_security_group.default: Refreshing state... [id=sg-059fed260f3f7d461]
module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0da9beaf2e436c556]
module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-03e1ed051e9e071c1]
module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-09d2063d896d96860]
module.vpc.aws_route_table.private[1]: Refreshing state... [id=rtb-044fac8abc330694a]
module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-03bf97d42f9a82730]
module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-09651f70f6184babe]
module.vpc.aws_internet_gateway.this_igw[0]: Refreshing state... [id=igw-0a0d939ec05e85391]
module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0febf2c2af76e2c79]
aws_security_group.efs: Refreshing state... [id=sg-024a1e389c84b48ea]
aws_security_group.github_runner: Refreshing state... [id=sg-079a81840121b7da7]
aws_iam_policy.github_runner: Refreshing state... [id=arn:aws:iam::743794601996:policy/github-self-hosted-runner-ec2-policy]
aws_iam_role_policy_attachment.cloudwatch_logs: Refreshing state... [id=github-self-hosted-runner-ec2-role-20250823150055004200000007]
module.vpc.aws_flow_log.network_flow_logging[0]: Refreshing state... [id=fl-0ea1bdd10867b211d]
module.vpc.aws_iam_role_policy.vpc_flow_log_role_policy[0]: Refreshing state... [id=github-self-hosted-runner-vpc-flow-role:github-self-hosted-runner-vpc-flow-policy]
module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-03caad7157f63b8cd]
aws_lambda_function.runner_deregistration: Refreshing state... [id=github-self-hosted-runner-deregistration]
module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-028d25a5848086fff]
aws_iam_role_policy_attachment.github_actions_admin: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role-20250823150045535900000004]
aws_iam_role_policy_attachment.github_actions_state: Refreshing state... [id=github-self-hosted-runner-github-actions-runner-role-20250823150045310200000003]
module.vpc.aws_route.internet_route[0]: Refreshing state... [id=r-rtb-03bf97d42f9a827301080289494]
aws_efs_mount_target.github_runner_work[0]: Refreshing state... [id=fsmt-06593fb53f8c2522f]
aws_efs_mount_target.github_runner_work[1]: Refreshing state... [id=fsmt-080b547fe91291e3b]
aws_security_group_rule.github_runner_egress: Refreshing state... [id=sgrule-3110254434]
aws_launch_template.github_runner: Refreshing state... [id=lt-0fc3f2cf8d3ca7905]
aws_security_group_rule.efs_ingress: Refreshing state... [id=sgrule-1720110692]
module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0ef5f4bbe527d85a1]
module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-0d7d71401df749b1a]
module.vpc.aws_nat_gateway.public[0]: Refreshing state... [id=nat-0f2a89d17c306f450]
module.vpc.aws_nat_gateway.public[1]: Refreshing state... [id=nat-0a26d68751d3c1b6f]
aws_iam_role_policy_attachment.github_runner: Refreshing state... [id=github-self-hosted-runner-ec2-role-2025082315011670590000000c]
aws_autoscaling_group.github_runner: Refreshing state... [id=github-self-hosted-runner-asg]
module.vpc.aws_route.private_route[0]: Refreshing state... [id=r-rtb-09d2063d896d968601080289494]
module.vpc.aws_route.private_route[1]: Refreshing state... [id=r-rtb-044fac8abc330694a1080289494]
aws_ssm_parameter.nat_gateway_public_ips: Refreshing state... [id=/github-self-hosted-runner-ip-address]
aws_sns_topic_subscription.runner_lifecycle: Refreshing state... [id=arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle:7dd43bb5-7fdc-48d7-90e9-4b4723b5ac1a]
aws_lambda_permission.sns_invoke: Refreshing state... [id=AllowExecutionFromSNS]
aws_iam_role_policy.lambda_deregistration: Refreshing state... [id=github-self-hosted-runner-lambda-deregistration-role:github-self-hosted-runner-lambda-deregistration-policy]
aws_autoscaling_lifecycle_hook.runner_termination: Refreshing state... [id=github-self-hosted-runner-termination-hook]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.encrypt_efs will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "encrypt_efs" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Enable full access for root account"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::743794601996:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow EFS service"

          + principals {
              + identifiers = [
                  + "elasticfilesystem.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # data.aws_iam_policy_document.encrypt_lambda_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "encrypt_lambda_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:CancelKeyDeletion",
              + "kms:Create*",
              + "kms:Decrypt",
              + "kms:Delete*",
              + "kms:DescribeKey",
              + "kms:Disable*",
              + "kms:Enable*",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:Get*",
              + "kms:List*",
              + "kms:Put*",
              + "kms:ReEncrypt*",
              + "kms:Revoke*",
              + "kms:ScheduleKeyDeletion",
              + "kms:TagResource",
              + "kms:UntagResource",
              + "kms:Update*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Enable IAM User Permissions"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::743794601996:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:CreateGrant",
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow Lambda to use the key"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "github-self-hosted-runner",
                ]
              + variable = "kms:EncryptionContext:LambdaFunctionName"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "us-west-2",
                ]
              + variable = "aws:RequestedRegion"
            }

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # data.aws_iam_policy_document.encrypt_sns will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "encrypt_sns" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Enable full access for root account"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::743794601996:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow AWS services"

          + principals {
              + identifiers = [
                  + "sns.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # data.aws_iam_policy_document.encrypt_ssm will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "encrypt_ssm" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Enable IAM User Permissions"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::743794601996:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow SSM Service"

          + principals {
              + identifiers = [
                  + "ssm.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # aws_autoscaling_group.github_runner will be updated in-place
  ~ resource "aws_autoscaling_group" "github_runner" {
        id                               = "github-self-hosted-runner-asg"
        name                             = "github-self-hosted-runner-asg"
        # (31 unchanged attributes hidden)

      ~ launch_template {
            id      = "lt-0fc3f2cf8d3ca7905"
            name    = "github-self-hosted-runner2025082315022253420000000f"
          ~ version = "5" -> (known after apply)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_cloudwatch_log_group.github_runner_lifecycle must be replaced
-/+ resource "aws_cloudwatch_log_group" "github_runner_lifecycle" {
      ~ arn               = "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/lifecycle" -> (known after apply)
      ~ id                = "/github-runner/github-self-hosted-runner/lifecycle" -> (known after apply)
      ~ log_group_class   = "STANDARD" -> (known after apply)
      ~ name              = "/github-runner/github-self-hosted-runner/lifecycle" -> "/github-self-hosted-runner/lifecycle" # forces replacement
      + name_prefix       = (known after apply)
      ~ retention_in_days = 14 -> 365
        tags              = {
            "Name" = "github-self-hosted-runner-lifecycle-logs"
        }
        # (3 unchanged attributes hidden)
    }

  # aws_efs_file_system.github_runner_work must be replaced
-/+ resource "aws_efs_file_system" "github_runner_work" {
      ~ arn                             = "arn:aws:elasticfilesystem:us-west-2:743794601996:file-system/fs-0b55e9a7011bf7c90" -> (known after apply)
      + availability_zone_id            = (known after apply)
      + availability_zone_name          = (known after apply)
      ~ dns_name                        = "fs-0b55e9a7011bf7c90.efs.us-west-2.amazonaws.com" -> (known after apply)
      ~ id                              = "fs-0b55e9a7011bf7c90" -> (known after apply)
      ~ kms_key_id                      = "arn:aws:kms:us-west-2:743794601996:key/57161dac-ea94-435b-bdd4-6bb40a54de92" -> (known after apply) # forces replacement
      ~ name                            = "github-self-hosted-runner-work-dir" -> (known after apply)
      ~ number_of_mount_targets         = 2 -> (known after apply)
      ~ owner_id                        = "743794601996" -> (known after apply)
      ~ performance_mode                = "generalPurpose" -> (known after apply)
      - provisioned_throughput_in_mibps = 0 -> null
      ~ size_in_bytes                   = [
          - {
              - value             = 1457387520
              - value_in_ia       = 0
              - value_in_standard = 1457387520
            },
        ] -> (known after apply)
        tags                            = {
            "Name" = "github-self-hosted-runner-work-dir"
        }
        # (4 unchanged attributes hidden)

      ~ protection (known after apply)
      - protection {
          - replication_overwrite = "ENABLED" -> null
        }
    }

  # aws_efs_mount_target.github_runner_work[0] must be replaced
-/+ resource "aws_efs_mount_target" "github_runner_work" {
      ~ availability_zone_id   = "usw2-az2" -> (known after apply)
      ~ availability_zone_name = "us-west-2a" -> (known after apply)
      ~ dns_name               = "fs-0b55e9a7011bf7c90.efs.us-west-2.amazonaws.com" -> (known after apply)
      ~ file_system_arn        = "arn:aws:elasticfilesystem:us-west-2:743794601996:file-system/fs-0b55e9a7011bf7c90" -> (known after apply)
      ~ file_system_id         = "fs-0b55e9a7011bf7c90" -> (known after apply) # forces replacement
      ~ id                     = "fsmt-06593fb53f8c2522f" -> (known after apply)
      ~ ip_address             = "10.20.20.45" -> (known after apply)
      ~ mount_target_dns_name  = "us-west-2a.fs-0b55e9a7011bf7c90.efs.us-west-2.amazonaws.com" -> (known after apply)
      ~ network_interface_id   = "eni-0d4c44b269f0d2e17" -> (known after apply)
      ~ owner_id               = "743794601996" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # aws_efs_mount_target.github_runner_work[1] must be replaced
-/+ resource "aws_efs_mount_target" "github_runner_work" {
      ~ availability_zone_id   = "usw2-az1" -> (known after apply)
      ~ availability_zone_name = "us-west-2b" -> (known after apply)
      ~ dns_name               = "fs-0b55e9a7011bf7c90.efs.us-west-2.amazonaws.com" -> (known after apply)
      ~ file_system_arn        = "arn:aws:elasticfilesystem:us-west-2:743794601996:file-system/fs-0b55e9a7011bf7c90" -> (known after apply)
      ~ file_system_id         = "fs-0b55e9a7011bf7c90" -> (known after apply) # forces replacement
      ~ id                     = "fsmt-080b547fe91291e3b" -> (known after apply)
      ~ ip_address             = "10.20.20.56" -> (known after apply)
      ~ mount_target_dns_name  = "us-west-2b.fs-0b55e9a7011bf7c90.efs.us-west-2.amazonaws.com" -> (known after apply)
      ~ network_interface_id   = "eni-068c44b3b81ab72fe" -> (known after apply)
      ~ owner_id               = "743794601996" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.cloudwatch_logs will be updated in-place
  ~ resource "aws_iam_policy" "cloudwatch_logs" {
        id               = "arn:aws:iam::743794601996:policy/github-self-hosted-runner-cloudwatch-logs-policy"
        name             = "github-self-hosted-runner-cloudwatch-logs-policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:CreateLogGroup",
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                          - "logs:DescribeLogStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/lifecycle",
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/lifecycle:*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey*",
                          - "kms:DescribeKey",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_policy.github_runner will be updated in-place
  ~ resource "aws_iam_policy" "github_runner" {
        id               = "arn:aws:iam::743794601996:policy/github-self-hosted-runner-ec2-policy"
        name             = "github-self-hosted-runner-ec2-policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "secretsmanager:GetSecretValue",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo"
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                          - "kms:DescribeKey",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/c77ff6db-241d-4e88-9317-17c07d0ca952"
                    },
                  - {
                      - Action   = [
                          - "elasticfilesystem:ClientMount",
                          - "elasticfilesystem:ClientWrite",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:elasticfilesystem:us-west-2:743794601996:file-system/fs-0b55e9a7011bf7c90"
                    },
                  - {
                      - Action   = [
                          - "sts:AssumeRole",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:iam::743794601996:role/github-self-hosted-runner-github-actions-runner-role"
                    },
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ssm:us-west-2:743794601996:parameter/github-self-hosted-runner/deregistration-script"
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/8c717a58-141f-4ddd-88eb-d30645daebdb"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # aws_iam_role_policy.lambda_deregistration will be updated in-place
  ~ resource "aws_iam_role_policy" "lambda_deregistration" {
        id          = "github-self-hosted-runner-lambda-deregistration-role:github-self-hosted-runner-lambda-deregistration-policy"
        name        = "github-self-hosted-runner-lambda-deregistration-policy"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:CreateLogGroup",
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                          - "logs:DescribeLogStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:us-west-2:*:*"
                    },
                  - {
                      - Action   = [
                          - "secretsmanager:GetSecretValue",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:secretsmanager:us-west-2:743794601996:secret:github-self-hosted-runner-credentials-v2-QXLXJo"
                    },
                  - {
                      - Action   = [
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-west-2:743794601996:key/c77ff6db-241d-4e88-9317-17c07d0ca952"
                    },
                  - {
                      - Action   = [
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/lifecycle:*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "autoscaling:CompleteLifecycleAction",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # aws_iam_role_policy.lifecycle_hook will be updated in-place
  ~ resource "aws_iam_role_policy" "lifecycle_hook" {
        id          = "github-self-hosted-runner-lifecycle-hook-role:github-self-hosted-runner-lifecycle-hook-policy"
        name        = "github-self-hosted-runner-lifecycle-hook-policy"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "sns:Publish",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # aws_iam_role_policy_attachment.lambda_vpc_execution will be created
  + resource "aws_iam_role_policy_attachment" "lambda_vpc_execution" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
      + role       = "github-self-hosted-runner-lambda-deregistration-role"
    }

  # aws_kms_alias.encrypt_efs will be created
  + resource "aws_kms_alias" "encrypt_efs" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-encrypt-efs"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrypt_lambda will be created
  + resource "aws_kms_alias" "encrypt_lambda" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-encryption"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrypt_sns will be created
  + resource "aws_kms_alias" "encrypt_sns" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-encrypt-sns"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.encrypt_ssm will be created
  + resource "aws_kms_alias" "encrypt_ssm" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/github-self-hosted-runner-encrypt-ssm"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_alias.ssm_parameters will be destroyed
  # (because aws_kms_alias.ssm_parameters is not in configuration)
  - resource "aws_kms_alias" "ssm_parameters" {
      - arn            = "arn:aws:kms:us-west-2:743794601996:alias/github-self-hosted-runner-ssm" -> null
      - id             = "alias/github-self-hosted-runner-ssm" -> null
      - name           = "alias/github-self-hosted-runner-ssm" -> null
      - target_key_arn = "arn:aws:kms:us-west-2:743794601996:key/8c717a58-141f-4ddd-88eb-d30645daebdb" -> null
      - target_key_id  = "8c717a58-141f-4ddd-88eb-d30645daebdb" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_key.encrypt_efs will be created
  + resource "aws_kms_key" "encrypt_efs" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt EFS file system in github-self-hosted-runner."
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_kms_key.encrypt_lambda will be created
  + resource "aws_kms_key" "encrypt_lambda" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt the lambda resource in github-self-hosted-runner."
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_kms_key.encrypt_sns will be created
  + resource "aws_kms_key" "encrypt_sns" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt SNS topic in github-self-hosted-runner."
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_kms_key.encrypt_ssm will be created
  + resource "aws_kms_key" "encrypt_ssm" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt the ssm resource in github-self-hosted-runner."
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
    }

  # aws_kms_key.ssm_parameters will be destroyed
  # (because aws_kms_key.ssm_parameters is not in configuration)
  - resource "aws_kms_key" "ssm_parameters" {
      - arn                                = "arn:aws:kms:us-west-2:743794601996:key/8c717a58-141f-4ddd-88eb-d30645daebdb" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "KMS key for SSM parameter encryption" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "8c717a58-141f-4ddd-88eb-d30645daebdb" -> null
      - is_enabled                         = true -> null
      - key_id                             = "8c717a58-141f-4ddd-88eb-d30645daebdb" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::743794601996:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:ReEncrypt*",
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:DescribeKey",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ssm.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = "Allow SSM Service"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key_policy.encrypt_cloudwatch will be updated in-place
  ~ resource "aws_kms_key_policy" "encrypt_cloudwatch" {
        id                                 = "a725a4e2-3f6c-4a07-ac88-25baafbe7b76"
      ~ policy                             = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = "kms:*"
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::743794601996:root"
                        }
                        Resource  = "*"
                        Sid       = "Enable IAM User Permissions"
                    },
                  ~ {
                      ~ Condition = {
                          ~ ArnEquals = {
                              ~ "kms:EncryptionContext:aws:logs:arn" = [
                                  ~ "arn:aws:logs:us-west-2:743794601996:log-group:/github-runner/github-self-hosted-runner/lifecycle" -> "arn:aws:logs:us-west-2:743794601996:log-group:/github-self-hosted-runner/lifecycle",
                                ]
                            }
                        }
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (2 unchanged attributes hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key_policy.encrypt_efs will be created
  + resource "aws_kms_key_policy" "encrypt_efs" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
    }

  # aws_kms_key_policy.encrypt_lambda will be created
  + resource "aws_kms_key_policy" "encrypt_lambda" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
    }

  # aws_kms_key_policy.encrypt_sns will be created
  + resource "aws_kms_key_policy" "encrypt_sns" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
    }

  # aws_kms_key_policy.encrypt_ssm will be created
  + resource "aws_kms_key_policy" "encrypt_ssm" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
    }

  # aws_lambda_function.runner_deregistration will be updated in-place
  ~ resource "aws_lambda_function" "runner_deregistration" {
        id                             = "github-self-hosted-runner-deregistration"
      + kms_key_arn                    = (known after apply)
      ~ reserved_concurrent_executions = -1 -> 5
        tags                           = {}
        # (27 unchanged attributes hidden)

      + dead_letter_config {
          + target_arn = (known after apply)
        }

      ~ environment {
          ~ variables = {
              ~ "LIFECYCLE_LOG_GROUP" = "/github-runner/github-self-hosted-runner/lifecycle" -> "/github-self-hosted-runner/lifecycle"
                # (3 unchanged elements hidden)
            }
        }

      ~ tracing_config {
          ~ mode = "PassThrough" -> "Active"
        }

      + vpc_config {
          + ipv6_allowed_for_dual_stack = false
          + security_group_ids          = (known after apply)
          + subnet_ids                  = [
              + "subnet-03e1ed051e9e071c1",
              + "subnet-0da9beaf2e436c556",
            ]
        }

        # (2 unchanged blocks hidden)
    }

  # aws_launch_template.github_runner will be updated in-place
  ~ resource "aws_launch_template" "github_runner" {
        id                                   = "lt-0fc3f2cf8d3ca7905"
      ~ latest_version                       = 5 -> (known after apply)
        name                                 = "github-self-hosted-runner2025082315022253420000000f"
        tags                                 = {}
      ~ user_data                            = "IyEvYmluL2Jhc2gKc2V0IC1lCgojIFNldHVwIGxvZ2dpbmcKUkVHSVNUUkFUSU9OX0xPR19GSUxFPSIvdmFyL2xvZy9naXRodWItcnVubmVyLXJlZ2lzdHJhdGlvbi5sb2ciCmV4ZWMgPiA+KHRlZSAtYSAkUkVHSVNUUkFUSU9OX0xPR19GSUxFKQpleGVjIDI+JjEKCmVjaG8gIiQoZGF0ZSk6IFN0YXJ0aW5nIEdpdEh1YiBydW5uZXIgc2V0dXAiCgojIE5ldHdvcmsgY29ubmVjdGl2aXR5IHZhbGlkYXRpb24KZWNobyAiJChkYXRlKTogVmFsaWRhdGluZyBuZXR3b3JrIGNvbm5lY3Rpdml0eS4uLiIKcmV0cnlfY291bnQ9MAptYXhfcmV0cmllcz0xMiAgIyAyIG1pbnV0ZXMgdG90YWwKCnVudGlsIGN1cmwgLXMgLS1jb25uZWN0LXRpbWVvdXQgNSBodHRwczovL2F3cy5hbWF6b24uY29tID4gL2Rldi9udWxsOyBkbwogICAgcmV0cnlfY291bnQ9JCgocmV0cnlfY291bnQgKyAxKSkKICAgIGlmIFsgJHJldHJ5X2NvdW50IC1nZSAkbWF4X3JldHJpZXMgXTsgdGhlbgogICAgICAgIGVjaG8gIiQoZGF0ZSk6IEVSUk9SIC0gTmV0d29yayBjb25uZWN0aXZpdHkgZmFpbGVkIGFmdGVyICRtYXhfcmV0cmllcyBhdHRlbXB0cyIKICAgICAgICBleGl0IDEKICAgIGZpCiAgICBlY2hvICIkKGRhdGUpOiBOZXR3b3JrIG5vdCByZWFkeSwgd2FpdGluZy4uLiAoYXR0ZW1wdCAkcmV0cnlfY291bnQvJG1heF9yZXRyaWVzKSIKICAgIHNsZWVwIDEwCmRvbmUKCmVjaG8gIiQoZGF0ZSk6IE5ldHdvcmsgY29ubmVjdGl2aXR5IGNvbmZpcm1lZCIKCiMgVGVzdCBjcml0aWNhbCBBV1Mgc2VydmljZXMKZWNobyAiJChkYXRlKTogVGVzdGluZyBBV1Mgc2VydmljZXMgY29ubmVjdGl2aXR5Li4uIgphd3Nfc2VydmljZXM9KAogICAgImh0dHBzOi8vczMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20iCiAgICAiaHR0cHM6Ly9zZWNyZXRzbWFuYWdlci51cy13ZXN0LTIuYW1hem9uYXdzLmNvbSIKICAgICJodHRwczovL2xvZ3MudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20iCikKCmZvciBzZXJ2aWNlIGluICIke2F3c19zZXJ2aWNlc1tAXX0iOyBkbwogICAgZWNobyAiJChkYXRlKTogVGVzdGluZyBjb25uZWN0aXZpdHkgdG8gJHNlcnZpY2UuLi4iCiAgICBpZiAhIGN1cmwgLXMgLS1jb25uZWN0LXRpbWVvdXQgMTAgIiRzZXJ2aWNlIiA+IC9kZXYvbnVsbDsgdGhlbgogICAgICAgIGVjaG8gIiQoZGF0ZSk6IFdBUk5JTkcgLSBDYW5ub3QgcmVhY2ggJHNlcnZpY2UiCiAgICBlbHNlCiAgICAgICAgZWNobyAiJChkYXRlKTogU3VjY2Vzc2Z1bGx5IGNvbm5lY3RlZCB0byAkc2VydmljZSIKICAgIGZpCmRvbmUKCmVjaG8gIiQoZGF0ZSk6IEFXUyBzZXJ2aWNlcyBjb25uZWN0aXZpdHkgdGVzdCBjb21wbGV0ZWQiCgojIEdldCBpbnN0YW5jZSBJRCBmb3IgcnVubmVyIG5hbWluZyB1c2luZyBJTURTdjIKVE9LRU49JChjdXJsIC1YIFBVVCAiaHR0cDovLzE2OS4yNTQuMTY5LjI1NC9sYXRlc3QvYXBpL3Rva2VuIiAtSCAiWC1hd3MtZWMyLW1ldGFkYXRhLXRva2VuLXR0bC1zZWNvbmRzOiAyMTYwMCIpCklOU1RBTkNFX0lEPSQoY3VybCAtSCAiWC1hd3MtZWMyLW1ldGFkYXRhLXRva2VuOiAkVE9LRU4iIC1zIGh0dHA6Ly8xNjkuMjU0LjE2OS4yNTQvbGF0ZXN0L21ldGEtZGF0YS9pbnN0YW5jZS1pZCkKCiMgVXBkYXRlIHN5c3RlbQplY2hvICIkKGRhdGUpOiBVcGRhdGluZyBzeXN0ZW0gcGFja2FnZXMiCmFwdC1nZXQgdXBkYXRlCmFwdC1nZXQgaW5zdGFsbCAteSBjdXJsIGpxIGF3c2NsaSBweXRob24zLXBpcCBnaXQgYmludXRpbHMgbmZzLWNvbW1vbgpwaXAzIGluc3RhbGwgUHlKV1QgcmVxdWVzdHMKZWNobyAiJChkYXRlKTogU3lzdGVtIHBhY2thZ2VzIHVwZGF0ZWQgc3VjY2Vzc2Z1bGx5IgoKIyBJbnN0YWxsIE5GUyBjbGllbnQgZm9yIEVGUyBtb3VudGluZwplY2hvICIkKGRhdGUpOiBJbnN0YWxsaW5nIE5GUyBjbGllbnQiCmFwdC1nZXQgLXkgaW5zdGFsbCBuZnMtY29tbW9uCmVjaG8gIiQoZGF0ZSk6IE5GUyBjbGllbnQgaW5zdGFsbGVkIHN1Y2Nlc3NmdWxseSIKCiMgU2V0dXAgQ2xvdWRXYXRjaCBsb2dnaW5nCmVjaG8gIiQoZGF0ZSk6IFNldHRpbmcgdXAgQ2xvdWRXYXRjaCBsb2dnaW5nIgoKIyBJbnN0YWxsIENsb3VkV2F0Y2ggTG9ncyBhZ2VudApjdXJsIC1vIC90bXAvYW1hem9uLWNsb3Vkd2F0Y2gtYWdlbnQuZGViIGh0dHBzOi8vczMuYW1hem9uYXdzLmNvbS9hbWF6b25jbG91ZHdhdGNoLWFnZW50L2RlYmlhbi9hbWQ2NC9sYXRlc3QvYW1hem9uLWNsb3Vkd2F0Y2gtYWdlbnQuZGViCmRwa2cgLWkgL3RtcC9hbWF6b24tY2xvdWR3YXRjaC1hZ2VudC5kZWIKcm0gL3RtcC9hbWF6b24tY2xvdWR3YXRjaC1hZ2VudC5kZWIKCiMgQ29uZmlndXJlIENsb3VkV2F0Y2ggTG9ncyBhZ2VudApjYXQgPiAvb3B0L2F3cy9hbWF6b24tY2xvdWR3YXRjaC1hZ2VudC9ldGMvYW1hem9uLWNsb3Vkd2F0Y2gtYWdlbnQuanNvbiA8PEVPRgp7CiAgImxvZ3MiOiB7CiAgICAibG9nc19jb2xsZWN0ZWQiOiB7CiAgICAgICJmaWxlcyI6IHsKICAgICAgICAiY29sbGVjdF9saXN0IjogWwogICAgICAgICAgewogICAgICAgICAgICAiZmlsZV9wYXRoIjogIi92YXIvbG9nL2dpdGh1Yi1ydW5uZXItcmVnaXN0cmF0aW9uLmxvZyIsCiAgICAgICAgICAgICJsb2dfZ3JvdXBfbmFtZSI6ICIvZ2l0aHViLXJ1bm5lci9naXRodWItc2VsZi1ob3N0ZWQtcnVubmVyL2xpZmVjeWNsZSIsCiAgICAgICAgICAgICJsb2dfc3RyZWFtX25hbWUiOiAie2luc3RhbmNlX2lkfS9yZWdpc3RyYXRpb24iLAogICAgICAgICAgICAidGltZXpvbmUiOiAiVVRDIgogICAgICAgICAgfSwKICAgICAgICAgIHsKICAgICAgICAgICAgImZpbGVfcGF0aCI6ICIvdmFyL2xvZy9naXRodWItcnVubmVyLWRlcmVnaXN0cmF0aW9uLmxvZyIsCiAgICAgICAgICAgICJsb2dfZ3JvdXBfbmFtZSI6ICIvZ2l0aHViLXJ1bm5lci9naXRodWItc2VsZi1ob3N0ZWQtcnVubmVyL2xpZmVjeWNsZSIsCiAgICAgICAgICAgICJsb2dfc3RyZWFtX25hbWUiOiAie2luc3RhbmNlX2lkfS9kZXJlZ2lzdHJhdGlvbiIsCiAgICAgICAgICAgICJ0aW1lem9uZSI6ICJVVEMiCiAgICAgICAgICB9LAogICAgICAgICAgewogICAgICAgICAgICAiZmlsZV9wYXRoIjogIi92YXIvbG9nL2dpdGh1Yi1ydW5uZXIubG9nIiwKICAgICAgICAgICAgImxvZ19ncm91cF9uYW1lIjogIi9naXRodWItcnVubmVyL2dpdGh1Yi1zZWxmLWhvc3RlZC1ydW5uZXIvbGlmZWN5Y2xlIiwKICAgICAgICAgICAgImxvZ19zdHJlYW1fbmFtZSI6ICJ7aW5zdGFuY2VfaWR9L2V4ZWN1dGlvbiIsCiAgICAgICAgICAgICJ0aW1lem9uZSI6ICJVVEMiCiAgICAgICAgICB9CiAgICAgICAgXQogICAgICB9CiAgICB9CiAgfQp9CkVPRgoKIyBTdGFydCBDbG91ZFdhdGNoIGFnZW50Ci9vcHQvYXdzL2FtYXpvbi1jbG91ZHdhdGNoLWFnZW50L2Jpbi9hbWF6b24tY2xvdWR3YXRjaC1hZ2VudC1jdGwgLWEgZmV0Y2gtY29uZmlnIC1tIGVjMiAtcyAtYyBmaWxlOi9vcHQvYXdzL2FtYXpvbi1jbG91ZHdhdGNoLWFnZW50L2V0Yy9hbWF6b24tY2xvdWR3YXRjaC1hZ2VudC5qc29uCmVjaG8gIiQoZGF0ZSk6IENsb3VkV2F0Y2ggTG9ncyBhZ2VudCBjb25maWd1cmVkIGFuZCBzdGFydGVkIgoKIyBTZXR1cCBFRlMgbW91bnQKZWNobyAiJChkYXRlKTogU2V0dGluZyB1cCBFRlMgbW91bnQiCm1rZGlyIC1wIC9ob21lL3J1bm5lci9fd29yawplY2hvICJmcy0wYjU1ZTlhNzAxMWJmN2M5MC5lZnMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb206LyAvaG9tZS9ydW5uZXIvX3dvcmsgbmZzNCBuZnN2ZXJzPTQuMSxyc2l6ZT0xMDQ4NTc2LHdzaXplPTEwNDg1NzYsaGFyZCx0aW1lbz02MDAscmV0cmFucz0yIDAgMCIgPj4gL2V0Yy9mc3RhYgptb3VudCAvaG9tZS9ydW5uZXIvX3dvcmsKZWNobyAiJChkYXRlKTogRUZTIG1vdW50ZWQgc3VjY2Vzc2Z1bGx5IgoKIyBJbnN0YWxsIERvY2tlcgplY2hvICIkKGRhdGUpOiBJbnN0YWxsaW5nIERvY2tlciIKY3VybCAtZnNTTCBodHRwczovL2dldC5kb2NrZXIuY29tIC1vIGdldC1kb2NrZXIuc2gKc2ggZ2V0LWRvY2tlci5zaAp1c2VybW9kIC1hRyBkb2NrZXIgdWJ1bnR1CmVjaG8gIiQoZGF0ZSk6IERvY2tlciBpbnN0YWxsZWQgc3VjY2Vzc2Z1bGx5IgoKIyBJbnN0YWxsIFRlcnJhZm9ybQplY2hvICIkKGRhdGUpOiBJbnN0YWxsaW5nIFRlcnJhZm9ybSIKd2dldCAtTy0gaHR0cHM6Ly9hcHQucmVsZWFzZXMuaGFzaGljb3JwLmNvbS9ncGcgfCBncGcgLS1kZWFybW9yIHwgdGVlIC91c3Ivc2hhcmUva2V5cmluZ3MvaGFzaGljb3JwLWFyY2hpdmUta2V5cmluZy5ncGcKZWNobyAiZGViIFtzaWduZWQtYnk9L3Vzci9zaGFyZS9rZXlyaW5ncy9oYXNoaWNvcnAtYXJjaGl2ZS1rZXlyaW5nLmdwZ10gaHR0cHM6Ly9hcHQucmVsZWFzZXMuaGFzaGljb3JwLmNvbSAkKGxzYl9yZWxlYXNlIC1jcykgbWFpbiIgfCB0ZWUgL2V0Yy9hcHQvc291cmNlcy5saXN0LmQvaGFzaGljb3JwLmxpc3QKYXB0IHVwZGF0ZSAmJiBhcHQgaW5zdGFsbCAteSB0ZXJyYWZvcm0KZWNobyAiJChkYXRlKTogVGVycmFmb3JtIGluc3RhbGxlZCBzdWNjZXNzZnVsbHkiCgojIENyZWF0ZSBydW5uZXIgdXNlcgplY2hvICIkKGRhdGUpOiBDcmVhdGluZyBydW5uZXIgdXNlciIKdXNlcmFkZCAtbSAtcyAvYmluL2Jhc2ggcnVubmVyCnVzZXJtb2QgLWFHIGRvY2tlciBydW5uZXIKZWNobyAiJChkYXRlKTogUnVubmVyIHVzZXIgY3JlYXRlZCBzdWNjZXNzZnVsbHkiCgojIERvd25sb2FkIEdpdEh1YiBBY3Rpb25zIHJ1bm5lcgplY2hvICIkKGRhdGUpOiBEb3dubG9hZGluZyBHaXRIdWIgQWN0aW9ucyBydW5uZXIiCmNkIC9ob21lL3J1bm5lcgpjdXJsIC1vIGFjdGlvbnMtcnVubmVyLWxpbnV4LXg2NC0yLjMyMS4wLnRhci5neiAtTCBodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvcmVsZWFzZXMvZG93bmxvYWQvdjIuMzIxLjAvYWN0aW9ucy1ydW5uZXItbGludXgteDY0LTIuMzIxLjAudGFyLmd6CnRhciB4emYgYWN0aW9ucy1ydW5uZXItbGludXgteDY0LTIuMzIxLjAudGFyLmd6CmVjaG8gIiQoZGF0ZSk6IEdpdEh1YiBBY3Rpb25zIHJ1bm5lciBkb3dubG9hZGVkIHN1Y2Nlc3NmdWxseSIKCiMgR2V0IEdpdEh1YiBjcmVkZW50aWFscyBmcm9tIFNlY3JldHMgTWFuYWdlcgplY2hvICIkKGRhdGUpOiBSZXRyaWV2aW5nIEdpdEh1YiBjcmVkZW50aWFscyBmcm9tIFNlY3JldHMgTWFuYWdlciIKU0VDUkVUPSQoYXdzIHNlY3JldHNtYW5hZ2VyIGdldC1zZWNyZXQtdmFsdWUgLS1zZWNyZXQtaWQgImdpdGh1Yi1zZWxmLWhvc3RlZC1ydW5uZXItY3JlZGVudGlhbHMtdjIiIC0tcmVnaW9uICJ1cy13ZXN0LTIiIC0tcXVlcnkgU2VjcmV0U3RyaW5nIC0tb3V0cHV0IHRleHQpCkFQUF9JRD0kKGVjaG8gJFNFQ1JFVCB8IGpxIC1yICcuYXBwX2lkJykKSU5TVEFMTEFUSU9OX0lEPSQoZWNobyAkU0VDUkVUIHwganEgLXIgJy5pbnN0YWxsYXRpb25faWQnKQpQUklWQVRFX0tFWT0kKGVjaG8gJFNFQ1JFVCB8IGpxIC1yICcucHJpdmF0ZV9rZXknKQoKIyBGb3IgZGVidWdnaW5nIChzaG93aW5nIG9ubHkgbm9uLXNlbnNpdGl2ZSBkYXRhKQplY2hvICIkKGRhdGUpOiBBcHAgSUQ6ICRBUFBfSUQiCmVjaG8gIiQoZGF0ZSk6IEluc3RhbGxhdGlvbiBJRDogJElOU1RBTExBVElPTl9JRCIKZWNobyAiJChkYXRlKTogT3JnYW5pemF0aW9uOiBrdW5kdXNvLW9yZyIKZWNobyAiJChkYXRlKTogR2l0SHViIGNyZWRlbnRpYWxzIHJldHJpZXZlZCBzdWNjZXNzZnVsbHkiCgojIEdlbmVyYXRlIEpXVCB0b2tlbiBmb3IgR2l0SHViIEFwcCBhdXRoZW50aWNhdGlvbgplY2hvICIkKGRhdGUpOiBHZW5lcmF0aW5nIEdpdEh1YiBBcHAgSldUIHRva2VuIgoKIyBDcmVhdGUgUHl0aG9uIHNjcmlwdCBmb3IgSldUIGdlbmVyYXRpb24KY2F0ID4gL3RtcC9qd3Rfc2NyaXB0LnB5IDw8RU9GUFlUSE9OCmltcG9ydCBqd3QKaW1wb3J0IHRpbWUKaW1wb3J0IGpzb24KaW1wb3J0IHJlcXVlc3RzCmltcG9ydCBzeXMKaW1wb3J0IG9zCgpwcmludCgnREVCVUc6IFN0YXJ0aW5nIEpXVCBzY3JpcHQnLCBmaWxlPXN5cy5zdGRlcnIpCgp0cnk6CiAgICBwcmludCgnREVCVUc6IFJlYWRpbmcgZW52aXJvbm1lbnQgdmFyaWFibGVzJywgZmlsZT1zeXMuc3RkZXJyKQogICAgYXBwX2lkID0gb3MuZW52aXJvblsnQVBQX0lEJ10KICAgIGluc3RhbGxhdGlvbl9pZCA9IG9zLmVudmlyb25bJ0lOU1RBTExBVElPTl9JRCddCiAgICBwcml2YXRlX2tleSA9IG9zLmVudmlyb25bJ1BSSVZBVEVfS0VZJ10KICAgIAogICAgIyBDb252ZXJ0IGVzY2FwZWQgbmV3bGluZXMgdG8gYWN0dWFsIG5ld2xpbmVzCiAgICBwcml2YXRlX2tleSA9IHByaXZhdGVfa2V5LnJlcGxhY2UoJ1xcbicsICdcbicpCiAgICAKICAgIHByaW50KCdERUJVRzogQXBwIElEOiAnICsgYXBwX2lkLCBmaWxlPXN5cy5zdGRlcnIpCiAgICBwcmludCgnREVCVUc6IEluc3RhbGxhdGlvbiBJRDogJyArIGluc3RhbGxhdGlvbl9pZCwgZmlsZT1zeXMuc3RkZXJyKQogICAgcHJpbnQoJ0RFQlVHOiBQcml2YXRlIGtleSBsZW5ndGg6ICcgKyBzdHIobGVuKHByaXZhdGVfa2V5KSksIGZpbGU9c3lzLnN0ZGVycikKICAgIAogICAgcHJpbnQoJ0RFQlVHOiBDcmVhdGluZyBKV1QgcGF5bG9hZCcsIGZpbGU9c3lzLnN0ZGVycikKICAgIHBheWxvYWQgPSB7CiAgICAgICAgJ2lhdCc6IGludCh0aW1lLnRpbWUoKSksCiAgICAgICAgJ2V4cCc6IGludCh0aW1lLnRpbWUoKSkgKyA2MDAsCiAgICAgICAgJ2lzcyc6IGFwcF9pZAogICAgfQogICAgCiAgICBwcmludCgnREVCVUc6IEVuY29kaW5nIEpXVCB0b2tlbicsIGZpbGU9c3lzLnN0ZGVycikKICAgIHRva2VuID0gand0LmVuY29kZShwYXlsb2FkLCBwcml2YXRlX2tleSwgYWxnb3JpdGhtPSdSUzI1NicpCiAgICBwcmludCgnREVCVUc6IEpXVCB0b2tlbiBjcmVhdGVkIHN1Y2Nlc3NmdWxseScsIGZpbGU9c3lzLnN0ZGVycikKICAgIAogICAgcHJpbnQoJ0RFQlVHOiBQcmVwYXJpbmcgQVBJIHJlcXVlc3QgaGVhZGVycycsIGZpbGU9c3lzLnN0ZGVycikKICAgIGhlYWRlcnMgPSB7CiAgICAgICAgJ0F1dGhvcml6YXRpb24nOiAnQmVhcmVyICcgKyBzdHIodG9rZW4pLAogICAgICAgICdBY2NlcHQnOiAnYXBwbGljYXRpb24vdm5kLmdpdGh1Yi52Mytqc29uJwogICAgfQogICAgCiAgICBhcGlfdXJsID0gJ2h0dHBzOi8vYXBpLmdpdGh1Yi5jb20vYXBwL2luc3RhbGxhdGlvbnMvJyArIGluc3RhbGxhdGlvbl9pZCArICcvYWNjZXNzX3Rva2VucycKICAgIHByaW50KCdERUJVRzogTWFraW5nIHJlcXVlc3QgdG86ICcgKyBhcGlfdXJsLCBmaWxlPXN5cy5zdGRlcnIpCiAgICAKICAgIHJlc3BvbnNlID0gcmVxdWVzdHMucG9zdChhcGlfdXJsLCBoZWFkZXJzPWhlYWRlcnMsIHRpbWVvdXQ9MzApCiAgICAKICAgIHByaW50KCdERUJVRzogQVBJIHJlc3BvbnNlIHN0YXR1czogJyArIHN0cihyZXNwb25zZS5zdGF0dXNfY29kZSksIGZpbGU9c3lzLnN0ZGVycikKICAgIAogICAgaWYgcmVzcG9uc2Uuc3RhdHVzX2NvZGUgIT0gMjAxOgogICAgICAgIHByaW50KCdFUlJPUjogRmFpbGVkIHRvIGdldCBhY2Nlc3MgdG9rZW4uIFN0YXR1czogJyArIHN0cihyZXNwb25zZS5zdGF0dXNfY29kZSkpCiAgICAgICAgcHJpbnQoJ1Jlc3BvbnNlIGJvZHk6ICcgKyByZXNwb25zZS50ZXh0KQogICAgICAgIHN5cy5leGl0KDEpCiAgICAKICAgIHByaW50KCdERUJVRzogUGFyc2luZyByZXNwb25zZSBKU09OJywgZmlsZT1zeXMuc3RkZXJyKQogICAgYWNjZXNzX3Rva2VuID0gcmVzcG9uc2UuanNvbigpWyd0b2tlbiddCiAgICBwcmludCgnREVCVUc6IEFjY2VzcyB0b2tlbiBvYnRhaW5lZCBzdWNjZXNzZnVsbHknLCBmaWxlPXN5cy5zdGRlcnIpCiAgICBwcmludChhY2Nlc3NfdG9rZW4pCmV4Y2VwdCBFeGNlcHRpb24gYXMgZToKICAgIHByaW50KCdFUlJPUjogJyArIHN0cihlKSwgZmlsZT1zeXMuc3RkZXJyKQogICAgaW1wb3J0IHRyYWNlYmFjawogICAgdHJhY2ViYWNrLnByaW50X2V4YyhmaWxlPXN5cy5zdGRlcnIpCiAgICBzeXMuZXhpdCgxKQpFT0ZQWVRIT04KCiMgUGFzcyB2YXJpYWJsZXMgdG8gUHl0aG9uIHNjcmlwdCB2aWEgZW52aXJvbm1lbnQKZXhwb3J0IEFQUF9JRD0iJEFQUF9JRCIKZXhwb3J0IElOU1RBTExBVElPTl9JRD0iJElOU1RBTExBVElPTl9JRCIKZXhwb3J0IFBSSVZBVEVfS0VZPSIkUFJJVkFURV9LRVkiCgplY2hvICIkKGRhdGUpOiBFeGVjdXRpbmcgSldUIGdlbmVyYXRpb24gc2NyaXB0Li4uIgoKIyBSdW4gSldUIHNjcmlwdCB3aXRoIHRpbWVvdXQKaWYgISB0aW1lb3V0IDYwIHB5dGhvbjMgL3RtcC9qd3Rfc2NyaXB0LnB5ID4gL3RtcC9qd3Rfb3V0cHV0LnR4dCAyPiAvdG1wL2p3dF9lcnJvci50eHQ7IHRoZW4KICAgIEpXVF9FWElUX0NPREU9JD8KICAgIGVjaG8gIiQoZGF0ZSk6IEVSUk9SIC0gSldUIGdlbmVyYXRpb24gZmFpbGVkIG9yIHRpbWVkIG91dCB3aXRoIGV4aXQgY29kZSAkSldUX0VYSVRfQ09ERSIKICAgIGVjaG8gIiQoZGF0ZSk6IENoZWNrIENsb3VkV2F0Y2ggbG9ncyBmb3IgZGV0YWlsZWQgZXJyb3IgaW5mb3JtYXRpb24iCiAgICBybSAtZiAvdG1wL2p3dF9zY3JpcHQucHkgL3RtcC9qd3Rfb3V0cHV0LnR4dCAvdG1wL2p3dF9lcnJvci50eHQKICAgIGV4aXQgMQpmaQoKR0lUSFVCX1RPS0VOPSQoY2F0IC90bXAvand0X291dHB1dC50eHQpCnJtIC1mIC90bXAvand0X3NjcmlwdC5weSAvdG1wL2p3dF9vdXRwdXQudHh0IC90bXAvand0X2Vycm9yLnR4dAoKaWYgWyAteiAiJEdJVEhVQl9UT0tFTiIgXSB8fCBbICIkR0lUSFVCX1RPS0VOIiA9ICJudWxsIiBdOyB0aGVuCiAgICBlY2hvICIkKGRhdGUpOiBFUlJPUiAtIEpXVCB0b2tlbiBpcyBlbXB0eSBvciBudWxsIgogICAgZXhpdCAxCmZpCgplY2hvICIkKGRhdGUpOiBHaXRIdWIgQXBwIEpXVCB0b2tlbiBnZW5lcmF0ZWQgc3VjY2Vzc2Z1bGx5IgoKIyBHZXQgcmVnaXN0cmF0aW9uIHRva2VuIGZvciBvcmdhbml6YXRpb24KZWNobyAiJChkYXRlKTogR2V0dGluZyByZWdpc3RyYXRpb24gdG9rZW4gZm9yIEdpdEh1YiBvcmdhbml6YXRpb24iCk9SR19VUkw9Imh0dHBzOi8vZ2l0aHViLmNvbS9rdW5kdXNvLW9yZyIKZWNobyAiJChkYXRlKTogT3JnYW5pemF0aW9uIFVSTDogJE9SR19VUkwiCgplY2hvICIkKGRhdGUpOiBNYWtpbmcgQVBJIHJlcXVlc3QgdG8gR2l0SHViLi4uIgpBUElfUkVTUE9OU0U9JChjdXJsIC1zIC13ICJIVFRQX0NPREU6JXtodHRwX2NvZGV9IiAtWCBQT1NUIC1IICJBdXRob3JpemF0aW9uOiB0b2tlbiAkR0lUSFVCX1RPS0VOIiAiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2t1bmR1c28tb3JnL2FjdGlvbnMvcnVubmVycy9yZWdpc3RyYXRpb24tdG9rZW4iKQpIVFRQX0NPREU9JChlY2hvICIkQVBJX1JFU1BPTlNFIiB8IGdyZXAgLW8gIkhUVFBfQ09ERTpbMC05XSoiIHwgY3V0IC1kOiAtZjIpCkFQSV9CT0RZPSQoZWNobyAiJEFQSV9SRVNQT05TRSIgfCBzZWQgJ3MvSFRUUF9DT0RFOlswLTldKiQvLycpCgplY2hvICIkKGRhdGUpOiBHaXRIdWIgQVBJIHJlc3BvbnNlIGNvZGU6ICRIVFRQX0NPREUiCgppZiBbICIkSFRUUF9DT0RFIiAhPSAiMjAxIiBdOyB0aGVuCiAgICBlY2hvICIkKGRhdGUpOiBFUlJPUiAtIEdpdEh1YiBBUEkgcmVxdWVzdCBmYWlsZWQgd2l0aCBIVFRQIGNvZGUgJEhUVFBfQ09ERSIKICAgIGVjaG8gIiQoZGF0ZSk6IENoZWNrIEdpdEh1YiBBcHAgcGVybWlzc2lvbnMgYW5kIGluc3RhbGxhdGlvbiIKICAgIGV4aXQgMQpmaQoKUkVHX1RPS0VOPSQoZWNobyAiJEFQSV9CT0RZIiB8IGpxIC1yICcudG9rZW4nKQoKaWYgWyAiJFJFR19UT0tFTiIgPSAibnVsbCIgXSB8fCBbIC16ICIkUkVHX1RPS0VOIiBdOyB0aGVuCiAgICBlY2hvICIkKGRhdGUpOiBFUlJPUiAtIFJlZ2lzdHJhdGlvbiB0b2tlbiBpcyBudWxsIG9yIGVtcHR5IgogICAgZWNobyAiJChkYXRlKTogR2l0SHViIEFQSSByZXR1cm5lZCBpbnZhbGlkIHJlc3BvbnNlIgogICAgZXhpdCAxCmZpCmVjaG8gIiQoZGF0ZSk6IFJlZ2lzdHJhdGlvbiB0b2tlbiBvYnRhaW5lZCBzdWNjZXNzZnVsbHkiCgojIENvbmZpZ3VyZSBhbmQgc3RhcnQgcnVubmVyCmVjaG8gIiQoZGF0ZSk6IENvbmZpZ3VyaW5nIEdpdEh1YiBydW5uZXIiCmVjaG8gIiQoZGF0ZSk6IFJ1bm5pbmcgY29uZmlnLnNoIHdpdGggcGFyYW1ldGVyczoiCmVjaG8gIiQoZGF0ZSk6IFVSTDogJE9SR19VUkwiCmVjaG8gIiQoZGF0ZSk6IE5hbWU6ICRJTlNUQU5DRV9JRCIKZWNobyAiJChkYXRlKTogTGFiZWxzOiB1cy13ZXN0LTIiCgppZiAhIHN1ZG8gLXUgcnVubmVyIC4vY29uZmlnLnNoIC0tdXJsICIkT1JHX1VSTCIgLS10b2tlbiAiJFJFR19UT0tFTiIgLS1uYW1lICIkSU5TVEFOQ0VfSUQiIC0td29yayAvaG9tZS9ydW5uZXIvX3dvcmsgLS1sYWJlbHMgInVzLXdlc3QtMiIgLS1yZXBsYWNlIC0tdW5hdHRlbmRlZCAyPiYxOyB0aGVuCiAgICBlY2hvICIkKGRhdGUpOiBFUlJPUiAtIFJ1bm5lciBjb25maWd1cmF0aW9uIGZhaWxlZCIKICAgIGV4aXQgMQpmaQplY2hvICIkKGRhdGUpOiBHaXRIdWIgcnVubmVyIGNvbmZpZ3VyZWQgc3VjY2Vzc2Z1bGx5IgoKZWNobyAiJChkYXRlKTogU3RhcnRpbmcgR2l0SHViIHJ1bm5lciIKc3VkbyAtdSBydW5uZXIgbm9odXAgLi9ydW4uc2ggPiAvdmFyL2xvZy9naXRodWItcnVubmVyLmxvZyAyPiYxICYKZWNobyAiJChkYXRlKTogR2l0SHViIHJ1bm5lciBzdGFydGVkIGluIGJhY2tncm91bmQiCgojIEluc3RhbGwgcnVubmVyIGFzIHNlcnZpY2UKZWNobyAiJChkYXRlKTogSW5zdGFsbGluZyBydW5uZXIgYXMgc2VydmljZSIKaWYgISAuL3N2Yy5zaCBpbnN0YWxsIHJ1bm5lciAyPiYxOyB0aGVuCiAgICBlY2hvICIkKGRhdGUpOiBFUlJPUiAtIEZhaWxlZCB0byBpbnN0YWxsIHJ1bm5lciBzZXJ2aWNlIgogICAgZXhpdCAxCmZpCgppZiAhIC4vc3ZjLnNoIHN0YXJ0IDI+JjE7IHRoZW4KICAgIGVjaG8gIiQoZGF0ZSk6IEVSUk9SIC0gRmFpbGVkIHRvIHN0YXJ0IHJ1bm5lciBzZXJ2aWNlIgogICAgZXhpdCAxCmZpCmVjaG8gIiQoZGF0ZSk6IFJ1bm5lciBzZXJ2aWNlIGluc3RhbGxlZCBhbmQgc3RhcnRlZCBzdWNjZXNzZnVsbHkiCgojIFNldHVwIGRlcmVnaXN0cmF0aW9uIHNjcmlwdAplY2hvICIkKGRhdGUpOiBTZXR0aW5nIHVwIHJ1bm5lciBkZXJlZ2lzdHJhdGlvbiBzZXJ2aWNlIgphd3Mgc3NtIGdldC1wYXJhbWV0ZXIgLS1uYW1lICIvZ2l0aHViLXNlbGYtaG9zdGVkLXJ1bm5lci9kZXJlZ2lzdHJhdGlvbi1zY3JpcHQiIC0td2l0aC1kZWNyeXB0aW9uIC0tcmVnaW9uICJ1cy13ZXN0LTIiIC0tcXVlcnkgUGFyYW1ldGVyLlZhbHVlIC0tb3V0cHV0IHRleHQgPiAvdXNyL2xvY2FsL2Jpbi9kZXJlZ2lzdGVyLXJ1bm5lci5zaApjaG1vZCAreCAvdXNyL2xvY2FsL2Jpbi9kZXJlZ2lzdGVyLXJ1bm5lci5zaAoKIyBDcmVhdGUgc3lzdGVtZCBzZXJ2aWNlIGZvciBkZXJlZ2lzdHJhdGlvbgpjYXQgPiAvZXRjL3N5c3RlbWQvc3lzdGVtL2dpdGh1Yi1ydW5uZXItZGVyZWdpc3Rlci5zZXJ2aWNlIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1HaXRIdWIgUnVubmVyIERlcmVnaXN0cmF0aW9uCkRlZmF1bHREZXBlbmRlbmNpZXM9ZmFsc2UKQmVmb3JlPXNodXRkb3duLnRhcmdldCByZWJvb3QudGFyZ2V0IGhhbHQudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1vbmVzaG90ClJlbWFpbkFmdGVyRXhpdD10cnVlCkV4ZWNTdGFydD0vYmluL3RydWUKRXhlY1N0b3A9L3Vzci9sb2NhbC9iaW4vZGVyZWdpc3Rlci1ydW5uZXIuc2gKVGltZW91dFN0b3BTZWM9MzAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCnN5c3RlbWN0bCBlbmFibGUgZ2l0aHViLXJ1bm5lci1kZXJlZ2lzdGVyLnNlcnZpY2UKc3lzdGVtY3RsIHN0YXJ0IGdpdGh1Yi1ydW5uZXItZGVyZWdpc3Rlci5zZXJ2aWNlCmVjaG8gIiQoZGF0ZSk6IERlcmVnaXN0cmF0aW9uIHNlcnZpY2UgY29uZmlndXJlZCIKCmVjaG8gIiQoZGF0ZSk6IEdpdEh1YiBydW5uZXIgc2V0dXAgY29tcGxldGVkIHN1Y2Nlc3NmdWxseSI=" -> (known after apply)
        # (16 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_security_group.lambda will be created
  + resource "aws_security_group" "lambda" {
      + arn                    = (known after apply)
      + description            = "Security group for Lambda function"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "github-self-hosted-runner-lambda-sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "github-self-hosted-runner-lambda-sg"
        }
      + tags_all               = {
          + "Name"   = "github-self-hosted-runner-lambda-sg"
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
      + vpc_id                 = "vpc-0f94d52581179e6b3"
    }

  # aws_security_group_rule.lambda_egress will be created
  + resource "aws_security_group_rule" "lambda_egress" {
      + cidr_blocks              = [
          + "0.0.0.0/0",
        ]
      + description              = "Allow all outbound traffic for Lambda"
      + from_port                = 0
      + id                       = (known after apply)
      + protocol                 = "-1"
      + security_group_id        = (known after apply)
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 0
      + type                     = "egress"
    }

  # aws_sns_topic.runner_lifecycle will be updated in-place
  ~ resource "aws_sns_topic" "runner_lifecycle" {
        id                                       = "arn:aws:sns:us-west-2:743794601996:github-self-hosted-runner-lifecycle"
      + kms_master_key_id                        = (known after apply)
        name                                     = "github-self-hosted-runner-lifecycle"
        tags                                     = {}
        # (28 unchanged attributes hidden)
    }

  # aws_sqs_queue.dlq will be created
  + resource "aws_sqs_queue" "dlq" {
      + arn                               = (known after apply)
      + content_based_deduplication       = false
      + deduplication_scope               = (known after apply)
      + delay_seconds                     = 0
      + fifo_queue                        = false
      + fifo_throughput_limit             = (known after apply)
      + id                                = (known after apply)
      + kms_data_key_reuse_period_seconds = 300
      + kms_master_key_id                 = (known after apply)
      + max_message_size                  = 262144
      + message_retention_seconds         = 345600
      + name                              = "github-self-hosted-runner-lambda-dlq"
      + name_prefix                       = (known after apply)
      + policy                            = (known after apply)
      + receive_wait_time_seconds         = 0
      + redrive_allow_policy              = (known after apply)
      + redrive_policy                    = (known after apply)
      + sqs_managed_sse_enabled           = (known after apply)
      + tags_all                          = {
          + "Source" = "https://github.com/kunduso-org/github-self-hosted-runner-amazon-ec2-terraform"
        }
      + url                               = (known after apply)
      + visibility_timeout_seconds        = 30
    }

  # aws_ssm_parameter.deregistration_script will be updated in-place
  ~ resource "aws_ssm_parameter" "deregistration_script" {
        id              = "/github-self-hosted-runner/deregistration-script"
      ~ key_id          = "arn:aws:kms:us-west-2:743794601996:key/8c717a58-141f-4ddd-88eb-d30645daebdb" -> (known after apply)
        name            = "/github-self-hosted-runner/deregistration-script"
        tags            = {
            "Name" = "github-self-hosted-runner-deregistration-script"
        }
        # (10 unchanged attributes hidden)
    }

  # aws_ssm_parameter.nat_gateway_public_ips will be updated in-place
  ~ resource "aws_ssm_parameter" "nat_gateway_public_ips" {
        id              = "/github-self-hosted-runner-ip-address"
      + key_id          = (known after apply)
        name            = "/github-self-hosted-runner-ip-address"
        tags            = {
            "Name" = "github-self-hosted-runner-ip-addresses"
        }
      ~ type            = "StringList" -> "SecureString"
        # (9 unchanged attributes hidden)
    }

Plan: 20 to add, 11 to change, 6 to destroy.

Warning: 'launch_template' always triggers an instance refresh and can be removed

  with aws_autoscaling_group.github_runner,
  on asg.tf line 182, in resource "aws_autoscaling_group" "github_runner":
 182:     triggers = ["launch_template"]


─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request