@dylanratcliffe
Member

No description provided.

@env0

env0 bot commented Nov 18, 2025

🚀  env0 had composed a PR Plan for environment Terraform Example / production :

Plan: 1 to add, 2 to change, 1 to destroy.
Plan Details
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!   update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:


  # module.scenarios[0].aws_ecs_service.face will be updated in-place
!   resource "aws_ecs_service" "face" {
        id                                 = "arn:aws:ecs:eu-west-2:540044833068:service/example-terraform-example/facial-recognition"
        name                               = "facial-recognition"
        tags                               = {}
!       task_definition                    = "arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.scenarios[0].aws_ecs_task_definition.face must be replaced
-/+ resource "aws_ecs_task_definition" "face" {
!       arn                      = "arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9" -> (known after apply)
!       arn_without_revision     = "arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example" -> (known after apply)
!       container_definitions    = jsonencode(
!           [
!               {
!                   healthCheck    = {
!                       command  = [
                            "CMD-SHELL",
-                           "wget -q --spider localhost:1234",
+                           "wget -q --spider localhost:2222",
                        ]
                        # (3 unchanged attributes hidden)
                    }
                    name           = "facial-recognition"
!                   portMappings   = [
!                       {
-                           hostPort      = 1234
-                           protocol      = "tcp"
                            # (2 unchanged attributes hidden)
                        },
                    ]
-                   systemControls = []
                    # (7 unchanged attributes hidden)
                },
            ] # forces replacement
        )
!       enable_fault_injection   = false -> (known after apply)
!       id                       = "facial-recognition-terraform-example" -> (known after apply)
!       revision                 = 9 -> (known after apply)
-       tags                     = {} -> null
!       tags_all                 = {} -> (known after apply)
        # (7 unchanged attributes hidden)
    }
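
Review bot: In the `healthCheck` command of the `facial-recognition` container the probe moves from `localhost:1234` to `localhost:2222`, but the `portMappings` entry only loses `hostPort` and `protocol`; the container port sits among the two hidden unchanged attributes, so nothing in this plan shows the application moving to 2222. Keep the probe on the port the container serves, or change the container port in the same PR, because `# forces replacement` together with the `task_definition` update on `aws_ecs_service.face` means the service rolls onto the new revision as soon as this applies.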

  # module.scenarios[0].module.cloudfront.aws_cloudfront_distribution.this[0] will be updated in-place
!   resource "aws_cloudfront_distribution" "this" {
        id                             = "EX4HFUQMZ2ULI"
        tags                           = {}
        # (20 unchanged attributes hidden)

-       custom_error_response {
-           error_caching_min_ttl = 0 -> null
-           error_code            = 403 -> null
-           response_code         = 403 -> null
-           response_page_path    = "/errors/403.html" -> null
        }
-       custom_error_response {
-           error_caching_min_ttl = 0 -> null
-           error_code            = 404 -> null
-           response_code         = 404 -> null
-           response_page_path    = "/errors/404.html" -> null
        }
+       custom_error_response {
+           error_code         = 403
+           response_code      = 404
+           response_page_path = "/errors/403.html"
        }
+       custom_error_response {
+           error_code         = 404
+           response_code      = 404
+           response_page_path = "/errors/404.html"
        }

        # (8 unchanged blocks hidden)
    }
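
Review bot: The new 403 `custom_error_response` sets `response_code = 404` while still serving `/errors/403.html`, so clients receive a Not Found status with the Forbidden page. If masking 403s is the intent, state that in the PR description (there is none) and point `response_page_path` at the 404 page; otherwise keep `response_code = 403`.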

Plan: 1 to add, 2 to change, 1 to destroy.
Failed to calculate cost estimation


@github-actions

Overmind


🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ AWS ECS task definitions showing first ever modifications across multiple attributes, which is unusual compared to typical patterns.



🔥 Risks

Health check changed to wrong port will mark all tasks unhealthy and cause outage ‼️ High
The ECS task definition for facial-recognition-terraform-example changes the container health check to probe localhost:2222 while the container still exposes containerPort 1234. In awsvpc on Fargate, removing hostPort does not alter exposure because hostPort mirrors containerPort, but the health check now targets a port the application is not configured to serve.

When this revision deploys, new tasks will fail their container health checks and be replaced repeatedly. As the service rolls to the new revision, healthy tasks will be drained and replaced by unhealthy ones, resulting in zero healthy tasks and a service outage.

403 errors will be returned as 404 and error responses will be cached due to removal of zero TTL ❗ Medium
The CloudFront distribution 540044833068.cloudfront-distribution.EX4HFUQMZ2ULI is changing its custom error responses so that origin 403 responses are returned to clients as 404, while still using /errors/403.html as the error page. This will cause clients, crawlers, and monitoring that expect a 403 Forbidden to instead receive a 404 Not Found, altering application logic and SEO signals.

Additionally, error_caching_min_ttl is being removed (set to null) for the 403 and 404 entries, replacing the explicit 0s with the provider’s default error caching. Error responses that were previously not cached will now be cached for a non-zero period, leading to stale 404/403 pages being served after transient issues or permission fixes. The current state shows ErrorCachingMinTTL: 0 with 403->403 and 404->404, so this change will directly modify both status code semantics and error caching behavior at the edge.


🟣 Expected Changes

+/- ecs-task-definition › facial-recognition-terraform-example
--- current
+++ proposed
@@ -2,17 +2,23 @@
 id: github.com/overmindtech/terraform-example.ecs-task-definition.module.scenarios[0].aws_ecs_task_definition.face
 attributes:
-  arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9
-  arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example
-  container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20251117235257281600000001.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"systemControls":[],"volumesFrom":[]}]'
+  arn: (known after apply)
+  arn_without_revision: (known after apply)
+  container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20251117235257281600000001.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:2222"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
   cpu: "1024"
-  enable_fault_injection: false
+  enable_fault_injection: (known after apply)
+  execution_role_arn: null
   family: facial-recognition-terraform-example
-  id: facial-recognition-terraform-example
+  id: (known after apply)
+  ipc_mode: null
   memory: "2048"
   network_mode: awsvpc
+  pid_mode: null
   requires_compatibilities:
     - FARGATE
-  revision: 9
+  revision: (known after apply)
   skip_destroy: false
+  tags: null
+  tags_all: (known after apply)
+  task_role_arn: null
   terraform_address: module.scenarios[0].aws_ecs_task_definition.face
   terraform_name: module.scenarios[0].aws_ecs_task_definition.face
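
Review bot: The replacement revision keeps `"image":"harshmanvar/face-detection-tensorjs:slim-amd"` in `container_definitions`, a mutable tag, so the tasks started from the new revision run whatever that tag points to at pull time rather than a fixed image. Pin the image by digest (`@sha256:...`) so that this replacement changes only the health check and port mapping the diff shows.
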
~ cloudfront-distribution › EX4HFUQMZ2ULI
--- current
+++ proposed
@@ -6,9 +6,9 @@
   comment: My awesome CloudFront
   custom_error_response:
-    - error_caching_min_ttl: 0
+    - error_caching_min_ttl: null
       error_code: 403
-      response_code: 403
+      response_code: 404
       response_page_path: /errors/403.html
-    - error_caching_min_ttl: 0
+    - error_caching_min_ttl: null
       error_code: 404
       response_code: 404
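
Review bot: Both entries move `error_caching_min_ttl` from `0` to `null`, which replaces the explicit no-cache value in the current state with whatever default applies. Set `error_caching_min_ttl = 0` on both blocks if error responses should stay uncached, or write the intended TTL explicitly so the caching behaviour is visible in review.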

🟠 Unmapped Changes

~ aws_ecs_service › module.scenarios[0].aws_ecs_service.face
--- current
+++ proposed
@@ -38,5 +38,5 @@
   propagate_tags: NONE
   scheduling_strategy: REPLICA
-  task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9
+  task_definition: (known after apply)
   terraform_address: module.scenarios[0].aws_ecs_service.face
   terraform_name: module.scenarios[0].aws_ecs_service.face

💥 Blast Radius

Items 17

Edges 48
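
The two risks described in the comment above can be checked mechanically before merge. The following is an added example, not part of this PR or of env0's or Overmind's tooling: it scans plan JSON in the shape `terraform show -json` emits for a health check that probes a loopback port the container does not declare, and for CloudFront error responses that rewrite the status code or leave `error_caching_min_ttl` unset. The sample plan is constructed from values on this page, the rule names are hypothetical, and the port rule is a heuristic, since a process can listen on a port that is not listed in `portMappings`.

```python
import json
import re

# Constructed `terraform show -json`-shaped input, cut down to the fields this PR touches.
CONTAINERS = [{"name": "facial-recognition",
               "healthCheck": {"command": ["CMD-SHELL", "wget -q --spider localhost:2222"]},
               "portMappings": [{"appProtocol": "http", "containerPort": 1234}]}]
ERRORS = [{"error_code": 403, "response_code": 404, "error_caching_min_ttl": None},
          {"error_code": 404, "response_code": 404, "error_caching_min_ttl": None}]
PLAN = {"resource_changes": [
    {"address": "module.scenarios[0].aws_ecs_task_definition.face",
     "type": "aws_ecs_task_definition",
     "change": {"after": {"container_definitions": json.dumps(CONTAINERS)}}},
    {"address": "module.scenarios[0].module.cloudfront.aws_cloudfront_distribution.this[0]",
     "type": "aws_cloudfront_distribution",
     "change": {"after": {"custom_error_response": ERRORS}}},
]}

LOOPBACK_PORT = re.compile(r"(?:localhost|127\.0\.0\.1):(\d{1,5})\b")


def review_plan(plan):
    """Return (address, rule, detail) tuples; the rule names are hypothetical labels."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}  # None on destroy
        if rc["type"] == "aws_ecs_task_definition":
            for c in json.loads(after.get("container_definitions") or "[]"):
                declared = {m["containerPort"] for m in c.get("portMappings") or []
                            if "containerPort" in m}
                # command[0] is the CMD / CMD-SHELL marker; scan the remaining arguments
                for arg in ((c.get("healthCheck") or {}).get("command") or [])[1:]:
                    for port in map(int, LOOPBACK_PORT.findall(arg)):
                        if port not in declared:
                            findings.append((rc["address"], "healthcheck-port",
                                             f"probes {port}, declares {sorted(declared)}"))
        elif rc["type"] == "aws_cloudfront_distribution":
            for r in after.get("custom_error_response") or []:
                code, shown = r["error_code"], r.get("response_code")
                if shown is not None and shown != code:
                    findings.append((rc["address"], "error-code-rewrite", f"{code} -> {shown}"))
                if r.get("error_caching_min_ttl") is None:
                    findings.append((rc["address"], "error-ttl-unset", f"error_code {code}"))
    return findings


if __name__ == "__main__":
    for finding in review_plan(PLAN):
        print(*finding, sep=" | ")
```

Run against the current state (probe on 1234, `response_code` 403 for 403, TTL 0) the function returns no findings, so it can gate a pipeline on a non-empty result.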

@dylanratcliffe
Member Author

Overmind



🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ AWS ECS task definitions showing first ever modifications across multiple attributes, which is unusual compared to typical patterns.



🔥 Risks

Note: Overmind has not identified any risks associated with this change.
This could be due to the change being low risk with no impact on other parts of the system, or involving resources that Overmind currently does not support.


🟣 Expected Changes

+/- ecs-task-definition › facial-recognition-terraform-example
--- current
+++ proposed
@@ -2,17 +2,23 @@
 id: github.com/overmindtech/terraform-example.ecs-task-definition.module.scenarios[0].aws_ecs_task_definition.face
 attributes:
-  arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9
-  arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example
-  container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20251117235257281600000001.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"systemControls":[],"volumesFrom":[]}]'
+  arn: (known after apply)
+  arn_without_revision: (known after apply)
+  container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20251117235257281600000001.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:2222"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
   cpu: "1024"
-  enable_fault_injection: false
+  enable_fault_injection: (known after apply)
+  execution_role_arn: null
   family: facial-recognition-terraform-example
-  id: facial-recognition-terraform-example
+  id: (known after apply)
+  ipc_mode: null
   memory: "2048"
   network_mode: awsvpc
+  pid_mode: null
   requires_compatibilities:
     - FARGATE
-  revision: 9
+  revision: (known after apply)
   skip_destroy: false
+  tags: null
+  tags_all: (known after apply)
+  task_role_arn: null
   terraform_address: module.scenarios[0].aws_ecs_task_definition.face
   terraform_name: module.scenarios[0].aws_ecs_task_definition.face
~ cloudfront-distribution › EX4HFUQMZ2ULI
--- current
+++ proposed
@@ -6,9 +6,9 @@
   comment: My awesome CloudFront
   custom_error_response:
-    - error_caching_min_ttl: 0
+    - error_caching_min_ttl: null
       error_code: 403
-      response_code: 403
+      response_code: 404
       response_page_path: /errors/403.html
-    - error_caching_min_ttl: 0
+    - error_caching_min_ttl: null
       error_code: 404
       response_code: 404

🟠 Unmapped Changes

~ aws_ecs_service › module.scenarios[0].aws_ecs_service.face
--- current
+++ proposed
@@ -38,5 +38,5 @@
   propagate_tags: NONE
   scheduling_strategy: REPLICA
-  task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:9
+  task_definition: (known after apply)
   terraform_address: module.scenarios[0].aws_ecs_service.face
   terraform_name: module.scenarios[0].aws_ecs_service.face

💥 Blast Radius

Items 29

Edges 89
