t3 change as per compliance

[jameslaneovermind]

No description provided.

[env0]

🚀  env0 had composed a PR Plan for environment Terraform Example / production :

Plan: 1 to add, 2 to change, 0 to destroy.

Plan Details

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
!   update in-place

Terraform will perform the following actions:


  # module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0] will be created
+   resource "aws_cloudwatch_metric_alarm" "cpu_credits" {
+       actions_enabled                       = true
+       alarm_actions                         = [
+           "arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts",
        ]
+       alarm_description                     = "CPU credit balance is low"
+       alarm_name                            = "api-51c748b4-cpu-credits-low"
+       arn                                   = (known after apply)
+       comparison_operator                   = "LessThanThreshold"
+       dimensions                            = {
+           "InstanceId" = "i-057105c8b13bee63a"
        }
+       evaluate_low_sample_count_percentiles = (known after apply)
+       evaluation_periods                    = 2
+       id                                    = (known after apply)
+       metric_name                           = "CPUCreditBalance"
+       namespace                             = "AWS/EC2"
+       ok_actions                            = [
+           "arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts",
        ]
+       period                                = 300
+       statistic                             = "Average"
+       tags                                  = {
+           "CostCenter"  = "engineering"
+           "Environment" = "production"
+           "ManagedBy"   = "terraform"
+           "Name"        = "api-51c748b4-credits-alarm"
+           "Project"     = "api-platform"
+           "Workload"    = "cpu-intensive"
        }
+       tags_all                              = {
+           "CostCenter"  = "engineering"
+           "Environment" = "production"
+           "ManagedBy"   = "terraform"
+           "Name"        = "api-51c748b4-credits-alarm"
+           "Project"     = "api-platform"
+           "Workload"    = "cpu-intensive"
        }
+       threshold                             = 50
+       treat_missing_data                    = "missing"
    }

  # module.api_server.aws_instance.api_server[0] will be updated in-place
!   resource "aws_instance" "api_server" {
        id                                   = "i-057105c8b13bee63a"
!       instance_type                        = "c5.large" -> "t3.large"
!       public_dns                           = "ec2-35-178-211-139.eu-west-2.compute.amazonaws.com" -> (known after apply)
!       public_ip                            = "35.178.211.139" -> (known after apply)
        tags                                 = {
            "CostCenter"  = "engineering"
            "Environment" = "production"
            "ManagedBy"   = "terraform"
            "Name"        = "api-51c748b4-api-server"
            "Project"     = "api-platform"
            "Workload"    = "cpu-intensive"
        }
!       user_data                            = "acf40314e678f506b36da3c78022132136664591" -> "53cc44b24699094d69344f1f1ffe1416cd20ba52"
        # (29 unchanged attributes hidden)

+       credit_specification {
+           cpu_credits = "standard"
        }

        # (7 unchanged blocks hidden)
    }

  # module.heritage[0].aws_rds_cluster.face_database will be updated in-place
!   resource "aws_rds_cluster" "face_database" {
        id                                    = "facial-recognition-terraform-example"
        tags                                  = {}
        # (46 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 2 to change, 0 to destroy.

Monthly cost change for overmindtech/terraform-example/env0_tf_plan.json
Amount:  -$5 ($390 → $385)
Percent: -1%

Cost Estimation Details

Key: * usage cost, ~ changed, + added, - removed

──────────────────────────────────
Project: overmindtech/terraform-example/env0_tf_plan.json

+ module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
  +$0.10

+     Standard resolution
      +$0.10

! module.api_server.aws_instance.api_server[0]
  -$5 ($74 → $70)

!     Instance usage (Linux/UNIX, on-demand, c5.large → t3.large)
      -$5 ($74 → $69)

Monthly cost change for overmindtech/terraform-example/env0_tf_plan.json
Amount:  -$5 ($390 → $385)
Percent: -1%

──────────────────────────────────
Key: * usage cost, ~ changed, + added, - removed

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

150 cloud resources were detected:
∙ 52 were estimated
∙ 96 were free
∙ 2 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 1 x aws_cloudfront_monitoring_subscription
  ∙ 1 x aws_cloudwatch_query_definition

Infracost estimate: Monthly estimate decreased by $5 ↓
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Changed project                                    ┃ Baseline cost ┃ Usage cost* ┃ Total change ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫
┃ overmindtech/terraform-example/env0_tf_plan.json   ┃           -$5 ┃           - ┃    -$5 (-1%) ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━┛

Full PR Plan logs on env0

[github-actions]

Open in Overmind ↗

---

model|risks_v6

🔴 Change Signals

Routine 🔴 ▇▅▃▂▁ Multiple resources are showing the first ever modification of various attributes, which is unusual compared to typical patterns.
Policies 🔴 ▃▂▁ Multiple S3 buckets and security groups are showing unusual policy violations, including missing server-side encryption and required tags, and allowing SSH access from anywhere, which may need review.
Cost 🟢 ▁ Monthly cost decreases by $24.03 (-5.8%) from $409.00 to $384.97 USD. 150 resources analyzed.

View signals ↗

---

🔥 Risks

Deleting internal NLB, listener, and target group will remove DNS and break routing to TCP:9090 endpoints ‼️High Open Risk ↗
This change deletes the internal Network Load Balancer mon-internal-terraform-example, its TCP 9090 listener, and the api-health-terraform-example target group in VPC vpc-0369a7298af430cad. Today the listener forwards to the target group and the NLB DNS name resolves to 10.50.101.220 and 10.50.102.245, with at least one IP target 10.0.101.239:9090 reporting healthy.

Once applied, the NLB DNS name will disappear, the forward action and health checks will be removed, and the IP targets will be deregistered. Any service depending on mon-internal-terraform-example-915cae33823bc8cf.elb.eu-west-2.amazonaws.com for routing or monitoring will become unreachable and lose health visibility.

Deleting monitoring subnets and peering will remove NLB ENIs and sever cross‑VPC routes, causing DNS to point at unreachable IPs ‼️High Open Risk ↗
This change deletes the monitoring subnets subnet-06122bb92461cf526 and subnet-09b23cb47d05bd250 in vpc-0369a7298af430cad, removes their association to route table rtb-084c3bed3efe0d311, and deletes the peering pcx-05328111681313df4 while removing the peer route in rtb-073519b951ac0afb5. The internal NLB mon-internal-terraform-example is deployed only in these two subnets and uses ENIs eni-0d0da76ff7204dffd (10.50.102.245) and eni-04edaee772e71d571 (10.50.101.220) in those CIDRs.

When applied, deleting the subnets will remove the NLB’s ENIs and take the load balancer out of service, leaving DNS names that resolve to the now-unreachable 10.50.101.220 and 10.50.102.245. Simultaneously, deleting the peering and peer routes will blackhole all 10.0.0.0/16 ↔ 10.50.0.0/16 traffic. The result is immediate loss of connectivity for services in those subnets and downtime for any clients relying on the NLB or cross-VPC access.

Deleting monitoring VPC will delete subnets, SGs, internal NLB and tear down peering, causing cross‑VPC route blackholes and outages ‼️High Open Risk ↗
Deleting VPC vpc-0369a7298af430cad will cascade‑delete its dependent resources including the default security group sg-0d73f55a92f446a2d and rules, subnets subnet-09b23cb47d05bd250 and subnet-06122bb92461cf526, route tables rtb-081dba6698139bbe3 and rtb-084c3bed3efe0d311, and the internal load balancer mon-internal-terraform-example. It will also remove the active peering pcx-05328111681313df4 used for routing between 10.50.0.0/16 and 10.0.0.0/16.

When these are removed, services in the monitoring VPC lose all network infrastructure and the workloads VPC rtb-073519b951ac0afb5 retains a 10.50.0.0/16 route that blackholes. Monitoring endpoints behind the internal NLB become unreachable and all cross‑VPC traffic fails, resulting in widespread connectivity loss and service outages.

Switching c5.large to t3.large (standard credits) on a CPU‑bound ALB target and disabling user_data replacement will cause throttling outages and configuration drift ‼️High Open Risk ↗
The production API instance i-057105c8b13bee63a is being switched from c5.large to t3.large with cpu_credits set to standard while it currently averages 70% CPU and serves traffic behind api-51c748b4-tg. On a T3.large in standard mode, sustained CPU usage exhausts credits and throttles CPU below the current demand, slowing request handling beyond the target group’s 5-second health check timeout. Once throttled, the ALB will mark the target unhealthy and remove it from service, causing outages for traffic routed to this instance.

At the same time, user_data is being changed on i-057105c8b13bee63a and i-0a7dff76d3b77d8cc while user_data_replace_on_change is false (and is being changed from true to false on i-0a7dff76d3b77d8cc). Terraform will record the new user_data but the running instances will not be replaced or re‑provisioned, so cloud-init will not apply the new bootstrap. This creates configuration drift where the instances continue running the old configuration despite the declared change, leaving services out of sync with the intended state.

---

🟣 Expected Changes

- elbv2-load-balancer › mon-internal-terraform-example

--- current
+++ proposed
@@ -1,46 +0,0 @@
-type: elbv2-load-balancer
-id: github.com/overmindtech/terraform-example.elbv2-load-balancer.monitoring_internal[0]
-attributes:
-  access_logs:
-    - enabled: false
-  arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:loadbalancer/net/mon-internal-terraform-example/915cae33823bc8cf
-  arn_suffix: net/mon-internal-terraform-example/915cae33823bc8cf
-  client_keep_alive: null
-  desync_mitigation_mode: null
-  dns_name: mon-internal-terraform-example-915cae33823bc8cf.elb.eu-west-2.amazonaws.com
-  dns_record_client_routing_policy: any_availability_zone
-  drop_invalid_header_fields: null
-  enable_cross_zone_load_balancing: false
-  enable_deletion_protection: false
-  enable_http2: null
-  enable_tls_version_and_cipher_suite_headers: null
-  enable_waf_fail_open: null
-  enable_xff_client_port: null
-  enable_zonal_shift: false
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:loadbalancer/net/mon-internal-terraform-example/915cae33823bc8cf
-  idle_timeout: null
-  internal: true
-  ip_address_type: ipv4
-  load_balancer_type: network
-  name: mon-internal-terraform-example
-  preserve_host_header: null
-  subnet_mapping:
-    - subnet_id: subnet-06122bb92461cf526
-    - subnet_id: subnet-09b23cb47d05bd250
-  subnets:
-    - subnet-06122bb92461cf526
-    - subnet-09b23cb47d05bd250
-  tags:
-    Environment: terraform-example
-    Name: monitoring-internal-nlb-terraform-example
-    Purpose: signals-demo-health-proof
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-internal-nlb-terraform-example
-    Purpose: signals-demo-health-proof
-  terraform_address: aws_lb.monitoring_internal[0]
-  terraform_name: monitoring_internal[0]
-  timeouts: null
-  vpc_id: vpc-0369a7298af430cad
-  xff_header_processing_mode: null
-  zone_id: ZD4D7Y8KGAS4G

- elbv2-listener › arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener/net/mon-internal-terraform-example/915cae33823bc8cf/a8150454b5c4f232

--- current
+++ proposed
@@ -1,37 +0,0 @@
-type: elbv2-listener
-id: github.com/overmindtech/terraform-example.elbv2-listener.monitoring_internal_9090[0]
-attributes:
-  alpn_policy: null
-  arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener/net/mon-internal-terraform-example/915cae33823bc8cf/a8150454b5c4f232
-  certificate_arn: null
-  default_action:
-    - order: 1
-      target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/6cd623e4eb49f3c7
-      type: forward
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:listener/net/mon-internal-terraform-example/915cae33823bc8cf/a8150454b5c4f232
-  load_balancer_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:loadbalancer/net/mon-internal-terraform-example/915cae33823bc8cf
-  port: 9090
-  protocol: TCP
-  routing_http_request_x_amzn_mtls_clientcert_header_name: null
-  routing_http_request_x_amzn_mtls_clientcert_issuer_header_name: null
-  routing_http_request_x_amzn_mtls_clientcert_leaf_header_name: null
-  routing_http_request_x_amzn_mtls_clientcert_serial_number_header_name: null
-  routing_http_request_x_amzn_mtls_clientcert_subject_header_name: null
-  routing_http_request_x_amzn_mtls_clientcert_validity_header_name: null
-  routing_http_request_x_amzn_tls_cipher_suite_header_name: null
-  routing_http_request_x_amzn_tls_version_header_name: null
-  routing_http_response_access_control_allow_credentials_header_value: null
-  routing_http_response_access_control_allow_headers_header_value: null
-  routing_http_response_access_control_allow_methods_header_value: null
-  routing_http_response_access_control_allow_origin_header_value: null
-  routing_http_response_access_control_expose_headers_header_value: null
-  routing_http_response_access_control_max_age_header_value: null
-  routing_http_response_content_security_policy_header_value: null
-  routing_http_response_server_enabled: null
-  routing_http_response_strict_transport_security_header_value: null
-  routing_http_response_x_content_type_options_header_value: null
-  routing_http_response_x_frame_options_header_value: null
-  tcp_idle_timeout_seconds: 350
-  terraform_address: aws_lb_listener.monitoring_internal_9090[0]
-  terraform_name: monitoring_internal_9090[0]
-  timeouts: null

- elbv2-target-group › api-health-terraform-example

--- current
+++ proposed
@@ -1,59 +0,0 @@
-type: elbv2-target-group
-id: github.com/overmindtech/terraform-example.elbv2-target-group.api_health[0]
-attributes:
-  arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/6cd623e4eb49f3c7
-  arn_suffix: targetgroup/api-health-terraform-example/6cd623e4eb49f3c7
-  connection_termination: false
-  deregistration_delay: "300"
-  health_check:
-    - enabled: true
-      healthy_threshold: 3
-      interval: 30
-      port: traffic-port
-      protocol: TCP
-      timeout: 10
-      unhealthy_threshold: 3
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/6cd623e4eb49f3c7
-  ip_address_type: ipv4
-  lambda_multi_value_headers_enabled: false
-  load_balancer_arns:
-    - arn:aws:elasticloadbalancing:eu-west-2:540044833068:loadbalancer/net/mon-internal-terraform-example/915cae33823bc8cf
-  load_balancing_algorithm_type: null
-  load_balancing_anomaly_mitigation: null
-  load_balancing_cross_zone_enabled: use_load_balancer_configuration
-  name: api-health-terraform-example
-  port: 9090
-  preserve_client_ip: "false"
-  protocol: TCP
-  protocol_version: null
-  proxy_protocol_v2: false
-  slow_start: 0
-  stickiness:
-    - cookie_duration: 0
-      enabled: false
-      type: source_ip
-  tags:
-    Environment: terraform-example
-    Name: api-health-tg-terraform-example
-    Purpose: signals-demo-health-proof
-  tags_all:
-    Environment: terraform-example
-    Name: api-health-tg-terraform-example
-    Purpose: signals-demo-health-proof
-  target_failover:
-    - on_deregistration: null
-      on_unhealthy: null
-  target_group_health:
-    - dns_failover:
-        - minimum_healthy_targets_count: "1"
-          minimum_healthy_targets_percentage: "off"
-      unhealthy_state_routing:
-        - minimum_healthy_targets_count: 1
-          minimum_healthy_targets_percentage: "off"
-  target_health_state:
-    - enable_unhealthy_connection_termination: true
-      unhealthy_draining_interval: 0
-  target_type: ip
-  terraform_address: aws_lb_target_group.api_health[0]
-  terraform_name: api_health[0]
-  vpc_id: vpc-0369a7298af430cad

- ec2-route-table › rtb-073519b951ac0afb5

--- current
+++ proposed
@@ -1,12 +0,0 @@
-type: ec2-route-table
-id: github.com/overmindtech/terraform-example.ec2-route-table.baseline_to_monitoring["rtb-073519b951ac0afb5"]
-attributes:
-  destination_cidr_block: 10.50.0.0/16
-  id: r-rtb-073519b951ac0afb51125690821
-  origin: CreateRoute
-  route_table_id: rtb-073519b951ac0afb5
-  state: active
-  terraform_address: aws_route.baseline_to_monitoring["rtb-073519b951ac0afb5"]
-  terraform_name: baseline_to_monitoring["rtb-073519b951ac0afb5"]
-  timeouts: null
-  vpc_peering_connection_id: pcx-05328111681313df4

- ec2-route-table › rtb-084c3bed3efe0d311

--- current
+++ proposed
@@ -1,9 +0,0 @@
-type: ec2-route-table
-id: github.com/overmindtech/terraform-example.ec2-route-table.monitoring_b[0]
-attributes:
-  id: rtbassoc-0d1d70aaa36354c99
-  route_table_id: rtb-084c3bed3efe0d311
-  subnet_id: subnet-06122bb92461cf526
-  terraform_address: aws_route_table_association.monitoring_b[0]
-  terraform_name: monitoring_b[0]
-  timeouts: null

- ec2-subnet › subnet-09b23cb47d05bd250

--- current
+++ proposed
@@ -1,28 +0,0 @@
-type: ec2-subnet
-id: github.com/overmindtech/terraform-example.ec2-subnet.monitoring_a[0]
-attributes:
-  arn: arn:aws:ec2:eu-west-2:540044833068:subnet/subnet-09b23cb47d05bd250
-  assign_ipv6_address_on_creation: false
-  availability_zone: eu-west-2a
-  availability_zone_id: euw2-az2
-  cidr_block: 10.50.101.0/24
-  enable_dns64: false
-  enable_lni_at_device_index: 0
-  enable_resource_name_dns_a_record_on_launch: false
-  enable_resource_name_dns_aaaa_record_on_launch: false
-  id: subnet-09b23cb47d05bd250
-  ipv6_native: false
-  map_customer_owned_ip_on_launch: false
-  map_public_ip_on_launch: false
-  owner_id: "540044833068"
-  private_dns_hostname_type_on_launch: ip-name
-  tags:
-    Environment: terraform-example
-    Name: monitoring-a-terraform-example
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-a-terraform-example
-  terraform_address: aws_subnet.monitoring_a[0]
-  terraform_name: monitoring_a[0]
-  timeouts: null
-  vpc_id: vpc-0369a7298af430cad

- ec2-subnet › subnet-06122bb92461cf526

--- current
+++ proposed
@@ -1,28 +0,0 @@
-type: ec2-subnet
-id: github.com/overmindtech/terraform-example.ec2-subnet.monitoring_b[0]
-attributes:
-  arn: arn:aws:ec2:eu-west-2:540044833068:subnet/subnet-06122bb92461cf526
-  assign_ipv6_address_on_creation: false
-  availability_zone: eu-west-2b
-  availability_zone_id: euw2-az3
-  cidr_block: 10.50.102.0/24
-  enable_dns64: false
-  enable_lni_at_device_index: 0
-  enable_resource_name_dns_a_record_on_launch: false
-  enable_resource_name_dns_aaaa_record_on_launch: false
-  id: subnet-06122bb92461cf526
-  ipv6_native: false
-  map_customer_owned_ip_on_launch: false
-  map_public_ip_on_launch: false
-  owner_id: "540044833068"
-  private_dns_hostname_type_on_launch: ip-name
-  tags:
-    Environment: terraform-example
-    Name: monitoring-b-terraform-example
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-b-terraform-example
-  terraform_address: aws_subnet.monitoring_b[0]
-  terraform_name: monitoring_b[0]
-  timeouts: null
-  vpc_id: vpc-0369a7298af430cad

- ec2-vpc › vpc-0369a7298af430cad

--- current
+++ proposed
@@ -1,30 +0,0 @@
-type: ec2-vpc
-id: github.com/overmindtech/terraform-example.ec2-vpc.monitoring[0]
-attributes:
-  arn: arn:aws:ec2:eu-west-2:540044833068:vpc/vpc-0369a7298af430cad
-  assign_generated_ipv6_cidr_block: false
-  cidr_block: 10.50.0.0/16
-  default_network_acl_id: acl-04397b648c4a590cb
-  default_route_table_id: rtb-081dba6698139bbe3
-  default_security_group_id: sg-0d73f55a92f446a2d
-  dhcp_options_id: dopt-038753549445222b5
-  enable_dns_hostnames: true
-  enable_dns_support: true
-  enable_network_address_usage_metrics: false
-  id: vpc-0369a7298af430cad
-  instance_tenancy: default
-  ipv4_ipam_pool_id: null
-  ipv4_netmask_length: null
-  ipv6_netmask_length: 0
-  main_route_table_id: rtb-081dba6698139bbe3
-  owner_id: "540044833068"
-  tags:
-    Environment: terraform-example
-    Name: monitoring-terraform-example
-    Purpose: signals-demo-monitoring
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-terraform-example
-    Purpose: signals-demo-monitoring
-  terraform_address: aws_vpc.monitoring[0]
-  terraform_name: monitoring[0]

- ec2-vpc-peering-connection › pcx-05328111681313df4

--- current
+++ proposed
@@ -1,25 +0,0 @@
-type: ec2-vpc-peering-connection
-id: github.com/overmindtech/terraform-example.ec2-vpc-peering-connection.monitoring_to_baseline[0]
-attributes:
-  accept_status: active
-  accepter:
-    - allow_remote_vpc_dns_resolution: false
-  auto_accept: true
-  id: pcx-05328111681313df4
-  peer_owner_id: "540044833068"
-  peer_region: eu-west-2
-  peer_vpc_id: vpc-0369a7298af430cad
-  requester:
-    - allow_remote_vpc_dns_resolution: false
-  tags:
-    Environment: terraform-example
-    Name: monitoring-to-baseline-terraform-example
-    Purpose: signals-demo-peering
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-to-baseline-terraform-example
-    Purpose: signals-demo-peering
-  terraform_address: aws_vpc_peering_connection.monitoring_to_baseline[0]
-  terraform_name: monitoring_to_baseline[0]
-  timeouts: null
-  vpc_id: vpc-02901bcbb89561298

~ ec2-instance › i-0a7dff76d3b77d8cc

--- current
+++ proposed
@@ -77,7 +77,7 @@
   terraform_name: module.api_access[0].aws_instance.api_server
   timeouts: null
-  user_data: 81da62125f9a922120a56e2408e5798a6cdef634
+  user_data: 43abb7297409a23050d7d4e11c07b7288965aa81
   user_data_base64: null
-  user_data_replace_on_change: true
+  user_data_replace_on_change: false
   volume_tags: null
   vpc_security_group_ids:

~ ec2-instance › i-057105c8b13bee63a

--- current
+++ proposed
@@ -13,4 +13,6 @@
       threads_per_core: 2
   cpu_threads_per_core: 2
+  credit_specification:
+    - cpu_credits: standard
   disable_api_stop: false
   disable_api_termination: false
@@ -26,5 +28,5 @@
   instance_initiated_shutdown_behavior: stop
   instance_state: running
-  instance_type: c5.large
+  instance_type: t3.large
   ipv6_address_count: 0
   maintenance_options:
@@ -45,6 +47,6 @@
       hostname_type: ip-name
   private_ip: 10.0.101.119
-  public_dns: ec2-35-178-211-139.eu-west-2.compute.amazonaws.com
-  public_ip: 35.178.211.139
+  public_dns: (known after apply)
+  public_ip: (known after apply)
   root_block_device:
     - delete_on_termination: true
@@ -90,5 +92,5 @@
   terraform_name: module.api_server.aws_instance.api_server[0]
   timeouts: null
-  user_data: acf40314e678f506b36da3c78022132136664591
+  user_data: 53cc44b24699094d69344f1f1ffe1416cd20ba52
   user_data_base64: null
   user_data_replace_on_change: false

---

🟠 Unmapped Changes

- aws_lb_target_group_attachment › api_server_ip[0]

--- current
+++ proposed
@@ -1,10 +0,0 @@
-type: aws_lb_target_group_attachment
-id: github.com/overmindtech/terraform-example.aws_lb_target_group_attachment.api_server_ip[0]
-attributes:
-  availability_zone: all
-  id: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/6cd623e4eb49f3c7-20251212184733032600000003
-  port: 9090
-  target_group_arn: arn:aws:elasticloadbalancing:eu-west-2:540044833068:targetgroup/api-health-terraform-example/6cd623e4eb49f3c7
-  target_id: 10.0.101.239
-  terraform_address: aws_lb_target_group_attachment.api_server_ip[0]
-  terraform_name: api_server_ip[0]

- ec2-route-table › monitoring_to_baseline[0]

--- current
+++ proposed
@@ -1,12 +0,0 @@
-type: ec2-route-table
-id: github.com/overmindtech/terraform-example.ec2-route-table.monitoring_to_baseline[0]
-attributes:
-  destination_cidr_block: 10.0.0.0/16
-  id: r-rtb-084c3bed3efe0d311179966490
-  origin: CreateRoute
-  route_table_id: rtb-084c3bed3efe0d311
-  state: active
-  terraform_address: aws_route.monitoring_to_baseline[0]
-  terraform_name: monitoring_to_baseline[0]
-  timeouts: null
-  vpc_peering_connection_id: pcx-05328111681313df4

- ec2-route-table › monitoring[0]

--- current
+++ proposed
@@ -1,19 +0,0 @@
-type: ec2-route-table
-id: github.com/overmindtech/terraform-example.ec2-route-table.monitoring[0]
-attributes:
-  arn: arn:aws:ec2:eu-west-2:540044833068:route-table/rtb-084c3bed3efe0d311
-  id: rtb-084c3bed3efe0d311
-  owner_id: "540044833068"
-  route:
-    - cidr_block: 10.0.0.0/16
-      vpc_peering_connection_id: pcx-05328111681313df4
-  tags:
-    Environment: terraform-example
-    Name: monitoring-rt-terraform-example
-  tags_all:
-    Environment: terraform-example
-    Name: monitoring-rt-terraform-example
-  terraform_address: aws_route_table.monitoring[0]
-  terraform_name: monitoring[0]
-  timeouts: null
-  vpc_id: vpc-0369a7298af430cad

- ec2-route-table › monitoring_a[0]

--- current
+++ proposed
@@ -1,9 +0,0 @@
-type: ec2-route-table
-id: github.com/overmindtech/terraform-example.ec2-route-table.monitoring_a[0]
-attributes:
-  id: rtbassoc-02b1599604cbd8704
-  route_table_id: rtb-084c3bed3efe0d311
-  subnet_id: subnet-09b23cb47d05bd250
-  terraform_address: aws_route_table_association.monitoring_a[0]
-  terraform_name: monitoring_a[0]
-  timeouts: null

+ cloudwatch-alarm › module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]

--- current
+++ proposed
@@ -0,0 +1,44 @@
+type: cloudwatch-alarm
+id: github.com/overmindtech/terraform-example.cloudwatch-alarm.module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+attributes:
+  actions_enabled: true
+  alarm_actions:
+    - arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts
+  alarm_description: CPU credit balance is low
+  alarm_name: api-51c748b4-cpu-credits-low
+  arn: (known after apply)
+  comparison_operator: LessThanThreshold
+  datapoints_to_alarm: null
+  dimensions:
+    InstanceId: i-057105c8b13bee63a
+  evaluate_low_sample_count_percentiles: (known after apply)
+  evaluation_periods: 2
+  extended_statistic: null
+  id: (known after apply)
+  insufficient_data_actions: null
+  metric_name: CPUCreditBalance
+  namespace: AWS/EC2
+  ok_actions:
+    - arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts
+  period: 300
+  statistic: Average
+  tags:
+    CostCenter: engineering
+    Environment: production
+    ManagedBy: terraform
+    Name: api-51c748b4-credits-alarm
+    Project: api-platform
+    Workload: cpu-intensive
+  tags_all:
+    CostCenter: engineering
+    Environment: production
+    ManagedBy: terraform
+    Name: api-51c748b4-credits-alarm
+    Project: api-platform
+    Workload: cpu-intensive
+  terraform_address: module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+  terraform_name: module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+  threshold: 50
+  threshold_metric_id: null
+  treat_missing_data: missing
+  unit: null

---

💥 Blast Radius

Items 186

Edges 457

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 1 high risk requiring review

---

📊 Signals Summary

Routine 🔴 -5

---

🔥 Risks Summary

High 1 · Medium 1 · Low 0

---

💥 Blast Radius

Items 104 · Edges 299

---

View full analysis in Overmind ↗

[github-actions]

⛔ Auto-Blocked

---

🔴 Decision

Found 4 high risks requiring review

---

📊 Signals Summary

Routine 🔴 -5

Policies 🔴 -3

Cost 🟢 +1

---

🔥 Risks Summary

High 4 · Medium 0 · Low 0

---

💥 Blast Radius

Items 186 · Edges 457

---

View full analysis in Overmind ↗