configure artifacts.k8s.io to use atlantis + atlantis IAM changes in management account by upodroid · Pull Request #8686 · kubernetes/k8s.io · GitHub

Conversation

@upodroid
Member

Required for #8684

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Oct 23, 2025
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 23, 2025
@upodroid upodroid force-pushed the atlantis-iam-changes branch from ece877f to 502e127 Compare October 23, 2025 06:00
@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: 823WVB6QEJSG6EJS, HostID: 5Bb2asIJlpawmAGYQjhjGPjJiSUND6PhD5voVAm2488rbC6Mb5OLE+jk1LjCEnjr1yEvEgt+wt2D+0mULZwXEw+6XIgKeEes8LDxvbSFIgk=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io/s3': exit status 1
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 5.0"...
- Installing hashicorp/aws v5.100.0...
╷
│ Error: Failed to install provider
│ 
│ Error while installing hashicorp/aws v5.100.0: failed to make target path
│ .terraform/providers/registry.terraform.io/hashicorp/aws/5.100.0/linux_amd64
│ absolute: getwd: no such file or directory
╵


3. dir: infra/aws/terraform/management-account workspace: default

Plan Failed: This project is currently locked by an unapplied plan from pull #8685. To continue, delete the lock from #8685 or apply that plan and merge the pull request.

Once the lock is released, comment atlantis plan here to re-plan.


Plan Summary

3 projects, 0 with changes, 0 with no changes, 3 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock


Member Author

Moved to iam.tf

@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: XFNBWYFCAGJPQTQM, HostID: k5DvXqgikU16zJUUTjtMFvNAd7evnZAxvw3iKL7zS7OLzddzuJt5utRQEK581wLJhOWR3f1CZ/c=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Plan Failed: This project is currently locked by an unapplied plan from pull #8685. To continue, delete the lock from #8685 or apply that plan and merge the pull request.

Once the lock is released, comment atlantis plan here to re-plan.


Plan Summary

3 projects, 1 with changes, 0 with no changes, 2 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@upodroid upodroid force-pushed the atlantis-iam-changes branch from 502e127 to 0754e39 Compare October 23, 2025 06:02
@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: 43PB42K61K9HSFV0, HostID: 9oiXSSSLFPa1o6t2knl56ouz7nAhiTe5P5uJG0P0MjztVO4/z9owf+FXy5RexoTzRwJrGYEkSAjUwN/VvZF/Ww6xRlak6JBQczoL4Cm/9go=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Plan Failed: This project is currently locked by an unapplied plan from pull #8685. To continue, delete the lock from #8685 or apply that plan and merge the pull request.

Once the lock is released, comment atlantis plan here to re-plan.


Plan Summary

3 projects, 1 with changes, 0 with no changes, 2 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@upodroid
Member Author

atlantis plan -d infra/aws/terraform/management-account/default

@k8s-infra-ci-robot
Contributor

Ran Plan for dir: infra/aws/terraform/management-account/default workspace: default

Plan Error

dir "infra/aws/terraform/management-account/default" does not exist

@upodroid
Member Author

atlantis plan

@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: PC24QTPBAVX9ZEHK, HostID: 7X3ghBpST0IcYrQUmAzYtCmSBkZVgKeOWg8jF2XBp60Oidl1yjSX2r+7aB/HtBWks/58dHANZBY=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-athena-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy

Terraform will perform the following actions:

  # aws_iam_user.bentheelder will be destroyed
  # (because aws_iam_user.bentheelder is not in configuration)
- resource "aws_iam_user" "bentheelder" {
      - arn                  = "arn:aws:iam::348685125169:user/bentheelder" -> null
      - force_destroy        = false -> null
      - id                   = "bentheelder" -> null
      - name                 = "bentheelder" -> null
      - path                 = "/" -> null
      - tags                 = {} -> null
      - tags_all             = {} -> null
      - unique_id            = "AIDAVCL2AYYY5RFHLQZJC" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_user_login_profile.bentheelder_login will be destroyed
  # (because aws_iam_user_login_profile.bentheelder_login is not in configuration)
- resource "aws_iam_user_login_profile" "bentheelder_login" {
      - id                      = "bentheelder" -> null
      - password                = (sensitive value) -> null
      - password_length         = 20 -> null
      - password_reset_required = false -> null
      - user                    = "bentheelder" -> null
    }

  # aws_iam_user_policy_attachment.bentheelder_billing will be destroyed
  # (because aws_iam_user_policy_attachment.bentheelder_billing is not in configuration)
- resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
      - id         = "bentheelder-20230328164714983500000001" -> null
      - policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess" -> null
      - user       = "bentheelder" -> null
    }

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-athena-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.k8s_infra_e2e_boskos_001.aws_organizations_account.this will be destroyed
  # (because aws_organizations_account.this is not in configuration)
- resource "aws_organizations_account" "this" {
      - arn                        = "arn:aws:organizations::348685125169:account/o-kz4vlkihvy/144171684817" -> null
      - close_on_deletion          = false -> null
      - create_govcloud            = false -> null
      - email                      = "k8s-infra-aws-admins+k8s-infra-e2e-boskos-001@kubernetes.io" -> null
      - iam_user_access_to_billing = "ALLOW" -> null
      - id                         = "144171684817" -> null
      - joined_method              = "CREATED" -> null
      - joined_timestamp           = "2023-03-22T20:16:50Z" -> null
      - name                       = "k8s-infra-e2e-boskos-001" -> null
      - parent_id                  = "ou-unv1-z45kp70m" -> null
      - status                     = "ACTIVE" -> null
      - tags                       = {} -> null
      - tags_all                   = {} -> null
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 2 to change, 4 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/management-account
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/management-account

Note: Objects have changed outside of Terraform
Plan: 0 to add, 2 to change, 4 to destroy.


Plan Summary

3 projects, 2 with changes, 0 with no changes, 1 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@upodroid
Member Author

upodroid commented Oct 23, 2025

Regarding the diff:

  1. I'm dropping Ben's user as he can access the account using AWS SSO.
  2. k8s-infra-e2e-boskos-001 should be deleted; it was changed to k8s-infra-eks-e2e-boskos-001 and we forgot to clean it up.

Ignore the errors in artifacts.k8s.io

@upodroid upodroid requested a review from ameukam October 23, 2025 06:09
@upodroid upodroid force-pushed the atlantis-iam-changes branch from 0754e39 to 7f36738 Compare October 23, 2025 06:57
@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: Q07VFGTXZP7JP968, HostID: zrAk+3UhcFbX1/B/p7PRaI6Vw/xJqWChukjQWAqa0nEyho8IJrAHdqTPJgRId2FGIRReMY1Uel5YYIcU5OaGtUmqSL40aYOg4Im0GE14Ej0=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_region               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = "us-east-2"
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
      + region = "us-east-2"
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + region = "us-east-2"

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
╷
│ Warning: Deprecated attribute
│ 
│   on main.tf line 20, in resource "aws_s3_bucket" "artifacts-k8s-io":
│   20:   bucket = "${var.prefix}artifacts-k8s-io-${data.aws_region.current.name}"
│ 
│ The attribute "name" is deprecated. Refer to the provider documentation for
│ details.
╵
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-athena-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy

Terraform will perform the following actions:

  # aws_iam_user.bentheelder will be destroyed
  # (because aws_iam_user.bentheelder is not in configuration)
- resource "aws_iam_user" "bentheelder" {
      - arn                  = "arn:aws:iam::348685125169:user/bentheelder" -> null
      - force_destroy        = false -> null
      - id                   = "bentheelder" -> null
      - name                 = "bentheelder" -> null
      - path                 = "/" -> null
      - tags                 = {} -> null
      - tags_all             = {} -> null
      - unique_id            = "AIDAVCL2AYYY5RFHLQZJC" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_user_login_profile.bentheelder_login will be destroyed
  # (because aws_iam_user_login_profile.bentheelder_login is not in configuration)
- resource "aws_iam_user_login_profile" "bentheelder_login" {
      - id                      = "bentheelder" -> null
      - password                = (sensitive value) -> null
      - password_length         = 20 -> null
      - password_reset_required = false -> null
      - user                    = "bentheelder" -> null
    }

  # aws_iam_user_policy_attachment.bentheelder_billing will be destroyed
  # (because aws_iam_user_policy_attachment.bentheelder_billing is not in configuration)
- resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
      - id         = "bentheelder-20230328164714983500000001" -> null
      - policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess" -> null
      - user       = "bentheelder" -> null
    }

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-athena-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.k8s_infra_e2e_boskos_001.aws_organizations_account.this will be destroyed
  # (because aws_organizations_account.this is not in configuration)
- resource "aws_organizations_account" "this" {
      - arn                        = "arn:aws:organizations::348685125169:account/o-kz4vlkihvy/144171684817" -> null
      - close_on_deletion          = false -> null
      - create_govcloud            = false -> null
      - email                      = "k8s-infra-aws-admins+k8s-infra-e2e-boskos-001@kubernetes.io" -> null
      - iam_user_access_to_billing = "ALLOW" -> null
      - id                         = "144171684817" -> null
      - joined_method              = "CREATED" -> null
      - joined_timestamp           = "2023-03-22T20:16:50Z" -> null
      - name                       = "k8s-infra-e2e-boskos-001" -> null
      - parent_id                  = "ou-unv1-z45kp70m" -> null
      - status                     = "ACTIVE" -> null
      - tags                       = {} -> null
      - tags_all                   = {} -> null
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 2 to change, 4 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/management-account
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/management-account

Note: Objects have changed outside of Terraform
Plan: 0 to add, 2 to change, 4 to destroy.


Plan Summary

3 projects, 2 with changes, 0 with no changes, 1 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@upodroid upodroid added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. labels Oct 23, 2025
@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: GS6V9T45314TDPVD, HostID: qsFMMbqJklhAJMX5gNfsESCiKLgMI5IbQdqhF+GFLy0yGmODqTlGjfl2b8aJwGmEIRxHr9yDMFw3laXo4Tq5B0aBW0gcaZXTQ9k4zSpv3gM=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_region               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = "us-east-2"
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
      + region = "us-east-2"
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + region = "us-east-2"

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
╷
│ Warning: Deprecated attribute
│ 
│   on main.tf line 20, in resource "aws_s3_bucket" "artifacts-k8s-io":
│   20:   bucket = "${var.prefix}artifacts-k8s-io-${data.aws_region.current.name}"
│ 
│ The attribute "name" is deprecated. Refer to the provider documentation for
│ details.
╵
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-athena-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy

Terraform will perform the following actions:

  # aws_iam_user.bentheelder will be destroyed
  # (because aws_iam_user.bentheelder is not in configuration)
- resource "aws_iam_user" "bentheelder" {
      - arn                  = "arn:aws:iam::348685125169:user/bentheelder" -> null
      - force_destroy        = false -> null
      - id                   = "bentheelder" -> null
      - name                 = "bentheelder" -> null
      - path                 = "/" -> null
      - tags                 = {} -> null
      - tags_all             = {} -> null
      - unique_id            = "AIDAVCL2AYYY5RFHLQZJC" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_user_login_profile.bentheelder_login will be destroyed
  # (because aws_iam_user_login_profile.bentheelder_login is not in configuration)
- resource "aws_iam_user_login_profile" "bentheelder_login" {
      - id                      = "bentheelder" -> null
      - password                = (sensitive value) -> null
      - password_length         = 20 -> null
      - password_reset_required = false -> null
      - user                    = "bentheelder" -> null
    }

  # aws_iam_user_policy_attachment.bentheelder_billing will be destroyed
  # (because aws_iam_user_policy_attachment.bentheelder_billing is not in configuration)
- resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
      - id         = "bentheelder-20230328164714983500000001" -> null
      - policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess" -> null
      - user       = "bentheelder" -> null
    }

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-athena-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.k8s_infra_e2e_boskos_001.aws_organizations_account.this will be destroyed
  # (because aws_organizations_account.this is not in configuration)
- resource "aws_organizations_account" "this" {
      - arn                        = "arn:aws:organizations::348685125169:account/o-kz4vlkihvy/144171684817" -> null
      - close_on_deletion          = false -> null
      - create_govcloud            = false -> null
      - email                      = "k8s-infra-aws-admins+k8s-infra-e2e-boskos-001@kubernetes.io" -> null
      - iam_user_access_to_billing = "ALLOW" -> null
      - id                         = "144171684817" -> null
      - joined_method              = "CREATED" -> null
      - joined_timestamp           = "2023-03-22T20:16:50Z" -> null
      - name                       = "k8s-infra-e2e-boskos-001" -> null
      - parent_id                  = "ou-unv1-z45kp70m" -> null
      - status                     = "ACTIVE" -> null
      - tags                       = {} -> null
      - tags_all                   = {} -> null
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 2 to change, 4 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/management-account
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/management-account

Note: Objects have changed outside of Terraform
Plan: 0 to add, 2 to change, 4 to destroy.


Plan Summary

3 projects, 2 with changes, 0 with no changes, 1 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@upodroid
Member Author

atlantis plan -d infra/aws/terraform/artifacts.k8s.io

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 23, 2025
@k8s-infra-ci-robot
Contributor

Ran Plan for dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running git merge -q --no-ff -m atlantis-merge FETCH_HEAD: Auto-merging .atlantis.yaml
CONFLICT (content): Merge conflict in .atlantis.yaml
Automatic merge failed; fix conflicts and then commit the result.
: exit status 1

@upodroid upodroid force-pushed the atlantis-iam-changes branch from 8e958f8 to fd05d8f Compare October 23, 2025 15:32
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 23, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default
  2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/artifacts.k8s.io workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.13.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/8686/default/infra/aws/terraform/artifacts.k8s.io': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
╷
│ Error: Error refreshing state: Unable to access object "terraform.tfstate" in S3 bucket "artifacts-k8s-io-tfstate": operation error S3: HeadObject, https response error StatusCode: 403, RequestID: DCQVE2KMHK90Z2FH, HostID: xidbd18bz3/eqFzwqwcaT4Gmt+T3FgGG+Jcy71IODVSKVfkLmT8NugiA8z0IE629tqC0EIR/sM8LtOLfhySJrCIbwqeZZdBrc9FCpeC/u38=, api error Forbidden: Forbidden
│ 
│ 
╵


2. dir: infra/aws/terraform/artifacts.k8s.io/s3 workspace: default

data.aws_region.current: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_s3_bucket.artifacts-k8s-io will be created
+ resource "aws_s3_bucket" "artifacts-k8s-io" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "artifacts-k8s-io-us-east-2"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_region               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = "us-east-2"
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule (known after apply)

      + grant (known after apply)

      + lifecycle_rule (known after apply)

      + logging (known after apply)

      + object_lock_configuration (known after apply)

      + replication_configuration (known after apply)

      + server_side_encryption_configuration (known after apply)

      + versioning (known after apply)

      + website (known after apply)
    }

  # aws_s3_bucket_acl.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_acl" "artifacts-k8s-io" {
      + acl    = "private"
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + access_control_policy (known after apply)
    }

  # aws_s3_bucket_ownership_controls.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_ownership_controls" "artifacts-k8s-io" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + region = "us-east-2"

      + rule {
          + object_ownership = "BucketOwnerEnforced"
        }
    }

  # aws_s3_bucket_policy.artifacts-k8s-io-public-read will be created
+ resource "aws_s3_bucket_policy" "artifacts-k8s-io-public-read" {
      + bucket = "artifacts-k8s-io-us-east-2"
      + id     = (known after apply)
      + policy = (known after apply)
      + region = "us-east-2"
    }

  # aws_s3_bucket_versioning.artifacts-k8s-io will be created
+ resource "aws_s3_bucket_versioning" "artifacts-k8s-io" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + region = "us-east-2"

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

Plan: 5 to add, 0 to change, 0 to destroy.
╷
│ Warning: Deprecated attribute
│ 
│   on main.tf line 20, in resource "aws_s3_bucket" "artifacts-k8s-io":
│   20:   bucket = "${var.prefix}artifacts-k8s-io-${data.aws_region.current.name}"
│ 
│ The attribute "name" is deprecated. Refer to the provider documentation for
│ details.
╵
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/artifacts.k8s.io/s3
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/artifacts.k8s.io/s3

Plan: 5 to add, 0 to change, 0 to destroy.


3. dir: infra/aws/terraform/management-account workspace: default

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-athena-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket.this[0] has changed
~ resource "aws_s3_bucket" "this" {
      + bucket_region               = "us-east-1"
        id                          = "k8s-infra-cur-reports-bucket"
        tags                        = {}
        # (13 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy

Terraform will perform the following actions:

  # aws_iam_user.bentheelder will be destroyed
  # (because aws_iam_user.bentheelder is not in configuration)
- resource "aws_iam_user" "bentheelder" {
      - arn                  = "arn:aws:iam::348685125169:user/bentheelder" -> null
      - force_destroy        = false -> null
      - id                   = "bentheelder" -> null
      - name                 = "bentheelder" -> null
      - path                 = "/" -> null
      - tags                 = {} -> null
      - tags_all             = {} -> null
      - unique_id            = "AIDAVCL2AYYY5RFHLQZJC" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_iam_user_login_profile.bentheelder_login will be destroyed
  # (because aws_iam_user_login_profile.bentheelder_login is not in configuration)
- resource "aws_iam_user_login_profile" "bentheelder_login" {
      - id                      = "bentheelder" -> null
      - password                = (sensitive value) -> null
      - password_length         = 20 -> null
      - password_reset_required = false -> null
      - user                    = "bentheelder" -> null
    }

  # aws_iam_user_policy_attachment.bentheelder_billing will be destroyed
  # (because aws_iam_user_policy_attachment.bentheelder_billing is not in configuration)
- resource "aws_iam_user_policy_attachment" "bentheelder_billing" {
      - id         = "bentheelder-20230328164714983500000001" -> null
      - policy_arn = "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess" -> null
      - user       = "bentheelder" -> null
    }

  # module.cur_reports_integration_athena_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-athena-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.cur_reports_s3_bucket.aws_s3_bucket_public_access_block.this[0] will be updated in-place
~ resource "aws_s3_bucket_public_access_block" "this" {
        id                      = "k8s-infra-cur-reports-bucket"
      + skip_destroy            = true
        # (6 unchanged attributes hidden)
    }

  # module.k8s_infra_e2e_boskos_001.aws_organizations_account.this will be destroyed
  # (because aws_organizations_account.this is not in configuration)
- resource "aws_organizations_account" "this" {
      - arn                        = "arn:aws:organizations::348685125169:account/o-kz4vlkihvy/144171684817" -> null
      - close_on_deletion          = false -> null
      - create_govcloud            = false -> null
      - email                      = "k8s-infra-aws-admins+k8s-infra-e2e-boskos-001@kubernetes.io" -> null
      - iam_user_access_to_billing = "ALLOW" -> null
      - id                         = "144171684817" -> null
      - joined_method              = "CREATED" -> null
      - joined_timestamp           = "2023-03-22T20:16:50Z" -> null
      - name                       = "k8s-infra-e2e-boskos-001" -> null
      - parent_id                  = "ou-unv1-z45kp70m" -> null
      - status                     = "ACTIVE" -> null
      - tags                       = {} -> null
      - tags_all                   = {} -> null
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 2 to change, 4 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/management-account
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/management-account

Note: Objects have changed outside of Terraform
Plan: 0 to add, 2 to change, 4 to destroy.


Plan Summary

3 projects, 2 with changes, 0 with no changes, 1 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock

@ameukam
Member

ameukam commented Oct 23, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 23, 2025
provider "aws" {
region = "us-east-2"
assume_role {
role_arn = var.atlantis_role_arn
Member


Why not use a data resource for this?
We could avoid using a tf.vars with a disclosed account ID.

Member Author


It has to be specified before the API calls are made. Also, account IDs are everywhere in this repo and in test-infra.

@upodroid
Member Author

/hold cancel

Changes have been applied.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 23, 2025