Migrate non-compliant c5.large instance to t3 platform standard #415
🚀 env0 had composed a PR Plan for environment Terraform Example / production:

Plan Details

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
! update in-place
Terraform will perform the following actions:
# module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0] will be created
+ resource "aws_cloudwatch_metric_alarm" "cpu_credits" {
+ actions_enabled = true
+ alarm_actions = [
+ "arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts",
]
+ alarm_description = "CPU credit balance is low"
+ alarm_name = "api-51c748b4-cpu-credits-low"
+ arn = (known after apply)
+ comparison_operator = "LessThanThreshold"
+ dimensions = {
+ "InstanceId" = "i-057105c8b13bee63a"
}
+ evaluate_low_sample_count_percentiles = (known after apply)
+ evaluation_periods = 2
+ id = (known after apply)
+ metric_name = "CPUCreditBalance"
+ namespace = "AWS/EC2"
+ ok_actions = [
+ "arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts",
]
+ period = 300
+ statistic = "Average"
+ tags = {
+ "CostCenter" = "engineering"
+ "Environment" = "production"
+ "ManagedBy" = "terraform"
+ "Name" = "api-51c748b4-credits-alarm"
+ "Project" = "api-platform"
+ "Workload" = "cpu-intensive"
}
+ tags_all = {
+ "CostCenter" = "engineering"
+ "Environment" = "production"
+ "ManagedBy" = "terraform"
+ "Name" = "api-51c748b4-credits-alarm"
+ "Project" = "api-platform"
+ "Workload" = "cpu-intensive"
}
+ threshold = 50
+ treat_missing_data = "missing"
}
# module.api_server.aws_instance.api_server[0] will be updated in-place
! resource "aws_instance" "api_server" {
id = "i-057105c8b13bee63a"
! instance_type = "c5.large" -> "t3.large"
! public_dns = "ec2-35-178-211-139.eu-west-2.compute.amazonaws.com" -> (known after apply)
! public_ip = "35.178.211.139" -> (known after apply)
tags = {
"CostCenter" = "engineering"
"Environment" = "production"
"ManagedBy" = "terraform"
"Name" = "api-51c748b4-api-server"
"Project" = "api-platform"
"Workload" = "cpu-intensive"
}
! user_data = "acf40314e678f506b36da3c78022132136664591" -> "53cc44b24699094d69344f1f1ffe1416cd20ba52"
# (29 unchanged attributes hidden)
+ credit_specification {
+ cpu_credits = "standard"
}
# (7 unchanged blocks hidden)
}
# module.heritage[0].aws_rds_cluster.face_database will be updated in-place
! resource "aws_rds_cluster" "face_database" {
id = "facial-recognition-terraform-example"
tags = {}
# (46 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 1 to add, 2 to change, 0 to destroy.
🔴 Change Signals

Routine 🔴

🔥 Risks

Changing instance type will stop the only ALB target, causing zero healthy backends and 5xx responses

While the instance is stopped and until it passes health checks again, the ALB will have zero healthy targets, resulting in failed requests and a rise in UnHealthyHostCount on the associated CloudWatch alarm. The separate 9090 health target belongs to a different IP-based target group and does not mitigate loss of this instance behind the HTTP/80 ALB.

Moving CPU-bound production instance to T3 standard credits will throttle CPU and degrade the API behind the ALB

On T3 with standard credits, sustained CPU at this level will rapidly deplete credits and throttle the instance to its lower baseline, reducing available compute well below current demand. As throttling takes effect, request latency will rise, the api-51c748b4-high-cpu alarm may trigger, and the ALB health checks can start failing, causing target health flaps and potential service unavailability for the API.

Removing 203.0.113.101/32 from customer-api-access SG will block NewCo HTTPS access to 18.132.149.19

When the change applies, all HTTPS traffic from 203.0.113.101 to 18.132.149.19:443 will be dropped by the SG, cutting off NewCo's access and any integrations originating from that IP. Impact is a targeted client outage rather than a full service failure; internal load-balancer health remains unaffected, and existing Route53 health checks are already blocked by the whitelist regardless of this specific IP.

🟣 Expected Changes

~ ec2-security-group › sg-085ee012c9855643f
--- current
+++ proposed
@@ -43,11 +43,4 @@
to_port: 443
- cidr_blocks:
- - 203.0.113.101/32
- description: NewCo 1
- from_port: 443
- protocol: tcp
- self: false
- to_port: 443
- - cidr_blocks:
- 203.0.113.16/30
description: Acme Corp
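Review bot: this hunk deletes the entire 203.0.113.101/32 (NewCo 1) HTTPS ingress rule, yet the Terraform plan above (Plan: 1 to add, 2 to change, 0 to destroy) touches only the CloudWatch alarm, the instance and the RDS cluster and lists no security-group resource, so the rule removal is not produced by the code change this PR describes. Before applying, establish whether the plan is stale or the live state of sg-085ee012c9855643f has drifted, and confirm the removal with the owner of the NewCo integration; an allowlist change on a customer-facing security group should not ride along unreviewed with an instance-family migration.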
~ ec2-instance › i-057105c8b13bee63a
--- current
+++ proposed
@@ -13,4 +13,6 @@
threads_per_core: 2
cpu_threads_per_core: 2
+ credit_specification:
+ - cpu_credits: standard
disable_api_stop: false
disable_api_termination: false
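Review bot: `cpu_credits: standard` is being set on an instance whose Workload tag is cpu-intensive (see the plan above). In standard mode a T3 instance that exhausts its credit balance is throttled to its baseline rather than allowed to keep bursting, which is exactly the throttling risk flagged above; the new CPUCreditBalance alarm only reports the depletion after it has happened. Either set `cpu_credits = "unlimited"` in the credit_specification block and budget for the surplus-credit charges, or record in the PR why running at the throttled baseline is acceptable for this API.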
@@ -26,5 +28,5 @@
instance_initiated_shutdown_behavior: stop
instance_state: running
- instance_type: c5.large
+ instance_type: t3.large
ipv6_address_count: 0
maintenance_options:
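Review bot: changing instance_type from c5.large to t3.large requires EC2 to stop and restart i-057105c8b13bee63a, and the risk analysis above identifies it as the only target of the HTTP/80 ALB, so the apply is a hard outage rather than the in-place update the plan label suggests; schedule a maintenance window or register a second healthy target first. The PR description also lists instance i-0a1b2c3d4e5f67890 and not the instance in this plan, so the description should be corrected to name the resource actually being changed.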
@@ -45,6 +47,6 @@
hostname_type: ip-name
private_ip: 10.0.101.119
- public_dns: ec2-35-178-211-139.eu-west-2.compute.amazonaws.com
- public_ip: 35.178.211.139
+ public_dns: (known after apply)
+ public_ip: (known after apply)
root_block_device:
- delete_on_termination: true
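Review bot: public_ip and public_dns become (known after apply) because the stop/start releases the dynamic public address 35.178.211.139, and nothing in this diff attaches an Elastic IP to the instance. Any DNS record, partner allowlist or external monitoring check pinned to that address will break silently after the apply; attach an EIP before the migration or confirm that nothing outside this account references the current address.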
@@ -90,5 +92,5 @@
terraform_name: module.api_server.aws_instance.api_server[0]
timeouts: null
- user_data: acf40314e678f506b36da3c78022132136664591
+ user_data: 53cc44b24699094d69344f1f1ffe1416cd20ba52
user_data_base64: null
user_data_replace_on_change: false
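Review bot: the user_data change is visible only as a hash, so its content cannot be reviewed here; please include the script diff in the PR. With user_data_replace_on_change: false the instance is updated in place, and cloud-init user-data scripts run only on the instance's first boot by default, so the new script will not execute on this instance unless it is re-run by some other mechanism; if the new user_data is needed for the migration, state how it gets applied.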
🟠 Unmapped Changes

+ cloudwatch-alarm › module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
--- current
+++ proposed
@@ -0,0 +1,44 @@
+type: cloudwatch-alarm
+id: github.com/overmindtech/terraform-example.cloudwatch-alarm.module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+attributes:
+ actions_enabled: true
+ alarm_actions:
+ - arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts
+ alarm_description: CPU credit balance is low
+ alarm_name: api-51c748b4-cpu-credits-low
+ arn: (known after apply)
+ comparison_operator: LessThanThreshold
+ datapoints_to_alarm: null
+ dimensions:
+ InstanceId: i-057105c8b13bee63a
+ evaluate_low_sample_count_percentiles: (known after apply)
+ evaluation_periods: 2
+ extended_statistic: null
+ id: (known after apply)
+ insufficient_data_actions: null
+ metric_name: CPUCreditBalance
+ namespace: AWS/EC2
+ ok_actions:
+ - arn:aws:sns:eu-west-2:540044833068:api-51c748b4-alerts
+ period: 300
+ statistic: Average
+ tags:
+ CostCenter: engineering
+ Environment: production
+ ManagedBy: terraform
+ Name: api-51c748b4-credits-alarm
+ Project: api-platform
+ Workload: cpu-intensive
+ tags_all:
+ CostCenter: engineering
+ Environment: production
+ ManagedBy: terraform
+ Name: api-51c748b4-credits-alarm
+ Project: api-platform
+ Workload: cpu-intensive
+ terraform_address: module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+ terraform_name: module.api_server.aws_cloudwatch_metric_alarm.cpu_credits[0]
+ threshold: 50
+ threshold_metric_id: null
+ treat_missing_data: missing
+ unit: null
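Review bot: this alarm fires only once the 5-minute average CPUCreditBalance has stayed below 50 for two consecutive periods, i.e. at least 10 minutes after the balance has already fallen that low, so it is a late warning rather than a guard against the throttling described above. treat_missing_data: missing also means that if the instance is stopped or replaced the alarm goes to INSUFFICIENT_DATA instead of alerting. Consider a threshold sized to this instance's credit burn rate so the SNS notification arrives with time to act, and treat_missing_data = "breaching" (or a separate StatusCheckFailed alarm) so that loss of the metric is itself surfaced.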
💥 Blast Radius
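A pre-apply gate that encodes the throttling and stop/start risks flagged above as a check over the JSON form of a Terraform plan, written as an added example for this page (not env0's or Overmind's code and not part of the PR). It assumes the `terraform show -json` layout of `resource_changes`; the sample plan is constructed from the values visible in this PR.

```python
import json

BURSTABLE_FAMILIES = ("t2.", "t3.", "t3a.", "t4g.")

# Constructed sample in `terraform show -json tfplan` shape, cut down to the
# fields the check reads and filled with the values visible in this PR's plan.
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [{
    "address": "module.api_server.aws_instance.api_server[0]",
    "type": "aws_instance",
    "change": {
        "actions": ["update"],
        "before": {"instance_type": "c5.large", "credit_specification": [],
                   "tags": {"Workload": "cpu-intensive"}},
        "after": {"instance_type": "t3.large",
                  "credit_specification": [{"cpu_credits": "standard"}],
                  "tags": {"Workload": "cpu-intensive"}},
    },
}]})


def instance_type_risks(plan_json: str) -> list:
    """One finding per aws_instance whose instance_type changes in the plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_instance":
            continue
        before = rc["change"].get("before") or {}
        after = rc["change"].get("after") or {}
        old, new = before.get("instance_type"), after.get("instance_type")
        if not new or old == new:
            continue
        # Any instance_type change stops and restarts the instance: an outage when it is the only ALB target.
        f = {"address": rc["address"], "from": old, "to": new, "severity": "medium",
             "reasons": ["instance_type change stops and restarts the instance"]}
        if new.startswith(BURSTABLE_FAMILIES):
            spec = after.get("credit_specification") or [{}]
            credits = spec[0].get("cpu_credits", "account default")
            workload = (after.get("tags") or {}).get("Workload", "")
            # Standard credits on a CPU-bound workload: throttled to baseline once the balance is spent.
            if credits == "standard" and workload == "cpu-intensive":
                f["severity"] = "high"
                f["reasons"].append("standard credits on a cpu-intensive workload")
        findings.append(f)
    return findings


def gate(plan_json: str) -> bool:
    """True when the plan may proceed; False when a high finding must block it."""
    return all(f["severity"] != "high" for f in instance_type_risks(plan_json))
```

For the sample plan `gate(SAMPLE_PLAN_JSON)` returns False with one high finding; replacing `standard` with `unlimited` in the sample drops the finding to medium and lets the plan through.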
⛔ Auto-Blocked
🔴 Decision
Found 1 high risk requiring review
📊 Signals Summary
Routine 🔴 -5
🔥 Risks Summary
High 1 · Medium 1 · Low 0
💥 Blast Radius
Items 213 · Edges 525
⛔ Auto-Blocked
🔴 Decision
Found 6 high risks requiring review
📊 Signals Summary
Routine 🔴 -5
Policies 🔴 -3
🔥 Risks Summary
High 6 · Medium 2 · Low 0
💥 Blast Radius
Items 23 · Edges 58
⛔ Auto-Blocked
🔴 Decision
Found 2 high risks requiring review
📊 Signals Summary
Routine 🔴 -5
Policies 🔴 -3
🔥 Risks Summary
High 2 · Medium 1 · Low 0
💥 Blast Radius
Items 51 · Edges 146


Migrate non-compliant c5.large instance to t3 platform standard
Instance Details:
• Instance ID: i-0a1b2c3d4e5f67890
• Name: api-prod-server
• Current Type: c5.large (non-compliant)
• Target Type: t3.large (compliant)
• Environment: Production
• Region: eu-west-2
Justification:
Per platform standard PS-2024-003, all EC2 instances should use the t3 instance family to leverage pre-purchased Savings Plans. This instance was flagged during the monthly compliance audit.
✓ This is a Standard Change (SC-0042: Instance Family Migration) and does not require CAB approval. Instance specifications (2 vCPU, 4GB RAM) remain unchanged.