
Port v0.17 template-infra changes (storage, docs, project-config, version bump) #10811

Merged
sean-navapbc merged 3 commits into main from template-v0.17-full-upgrade
Jun 10, 2026

Conversation

@sean-navapbc

Collaborator

Ticket

Closes #9837 — template-infra v0.16 → v0.17 upgrade.

What this PR ships

The safely additive parts of upstream v0.17. Two commits:

  1. Storage module: service_principals_with_access (upstream PR navapbc/template-infra#997, "Support configuring storage module for service principal access")

    • variables.tf — new service_principals_with_access (list(string), default [])
    • encryption.tf — explicit KMS key policy doc; conditional service-principal grants
    • providers.tf — new file declaring aws provider source
    • access_control.tf — cosmetic blank line
    • tests/storage.tftest.hcl — override_data for the new policy doc so mock_provider produces valid JSON
    • Behavior unchanged for current callers (all four services pass nothing → empty list → no extra statements)
  2. Docs, project-config, version bump

    • New docs: deletion-protection-and-temporary-environments.md, temporary-environments-and-out-of-band-resources.md
    • project-config/aws_services.tf — add bedrock + cloudformation to the AWS services allow list
    • .template-infra/*.yml — bump _commit: v0.15.7 → v0.17.0 across base + 4 app answers files

What's deliberately NOT in this PR (and why)

Skipped — feature additions, not template upgrades

| Item | Reason |
| --- | --- |
| infra/modules/document-data-extraction/ | Brand-new module for Strata DocumentAI / structured doc parsing. Pure feature add. Only port if backend has a use case. |
| infra/modules/notifications-sms/ + notifications-phone-pool/ | New SMS notifications. Requires backend changes + product decision on SMS as a channel. |
| sms-voice AWS service / SMS-related VPC endpoints | Tied to the SMS modules above. |
| Playwright 1.49 → 1.56.1 | Frontend layer, separate concern. |

Skipped — sgg has diverged from upstream

Applying v0.17 deltas here would clobber sgg-specific features. Each deserves its own focused PR if/when worth doing.

| File | What sgg has that v0.17 doesn't |
| --- | --- |
| infra/modules/monitoring/main.tf | Custom aws_cloudwatch_metric_alarm.service_errors + aws_cloudwatch_log_metric_filter.service_error_filter. Also different alarm thresholds. |
| infra/modules/service/database_access.tf | Extra aws_iam_role_policy_attachment.migrator_app_db_access resource. |
| infra/modules/terraform-backend-s3/main.tf | sgg-specific checkov skip pointing at #2366. |
| infra/modules/network/resources/vpc_endpoints.tf | sgg's network module diverges structurally; need careful diff. |
| bin/* (many) | Most bin scripts have sgg-specific functionality. 4–82 lines of divergence each. |

Skipped — already aligned with v0.17 or N/A

| File | Status |
| --- | --- |
| infra/accounts/outputs.tf | sgg already matches v0.17 |
| docs/infra/migrate-terraform-state-locking-to-s3.md | Already in sgg via #9672 |
| bin/migrate-terraform-state-locking-to-s3 | Already in sgg via #9672 |
| infra/{{app_name}}/... Jinja-only files | These don't exist in instantiated sgg; the rendered versions are already managed by other PRs (#10358, #10487, etc.) |
| template-only-* | Template-source files only, not in instantiated repos |

Removal of mobiletargeting from aws_services intentionally NOT here

Upstream v0.17 dropped mobiletargeting (Pinpoint) since v0.16 already removed the Pinpoint module. sgg still uses Pinpoint actively — that removal is being staged via PRs #10358 (full migration, paused) and #10487 (additive SES, ready for review). Keeping mobiletargeting here until those land.

Testing

  • terraform fmt -recursive infra/ clean
  • terraform validate clean on infra/modules/storage and infra/project-config
  • terraform test — 8/8 pass on storage module
  • CI checks
  • terraform plan against each consumer of module.storage to confirm only the KMS key policy field changes from null → explicit doc

Closes

Closes #9837. Supersedes #10763 (which only had the storage subset).

Follow-up issues to file (post-merge)

  1. DDE module port — only if backend wants document data extraction
  2. SMS notifications port — only if product wants SMS as a channel
  3. Network vpc_endpoints structural cleanup — reconcile sgg's network module with v0.17 upstream
  4. bin script alignment — case-by-case review of each diverged script
  5. monitoring/service/database tweaks — port small v0.17 deltas where they don't conflict with sgg customizations

Sean Thomas added 2 commits June 8, 2026 18:05
Ports the v0.17 storage module change (upstream PR navapbc/template-infra#997)
that lets a caller grant AWS service principals direct access to the
bucket's KMS key. Strictly additive — the variable defaults to an empty
list so existing callers (api, analytics, frontend, nofos) see no
behavioral change.

What changed:
- variables.tf: add service_principals_with_access (list(string), default [])
- encryption.tf: replace the implicit AWS-managed KMS key policy with an
  explicit policy doc that
    - grants the AWS account root full kms:* (the default policy AWS
      would attach anyway — functionally equivalent),
    - conditionally grants the listed service principals
      Decrypt/GenerateDataKey/DescribeKey via the S3 service.
  Also adds data sources for caller identity and region.
- providers.tf: new file declaring the aws provider source (matches the
  rest of the modules updated in v0.17)
- access_control.tf: cosmetic blank line between two statements
- tests/storage.tftest.hcl: override the kms_key_policy data source so
  mock_provider returns valid JSON (default mock value isn't valid JSON
  and aws_kms_key validates the policy field as JSON)

Validated locally:
- terraform fmt clean
- terraform validate green
- terraform test: 8 passed, 0 failed

Scope notes (other v0.17 items NOT in this PR):
- New modules (document-data-extraction, notifications-sms,
  notifications-phone-pool) — pure feature additions, only port if
  backend wants them
- Network vpc_endpoints restructure — sgg's network module diverges from
  upstream; safer as a focused follow-up
- bin script cleanups, doc additions, monitoring/database/service
  tweaks — bundle into a separate "v0.17 housekeeping" PR
- Playwright bump — frontend layer, separate concern

Tracks issue #9837.
Second commit on the v0.17 upgrade branch covering the safely-additive
remaining items. Storage module changes are in the previous commit
(cherry-picked from #10763).

New docs from upstream v0.17:
- docs/infra/deletion-protection-and-temporary-environments.md
- docs/infra/temporary-environments-and-out-of-band-resources.md
  (the third v0.17 doc, migrate-terraform-state-locking-to-s3.md, is
  already in sgg via #9672)

project-config/aws_services.tf:
- Add "bedrock" (AWS Bedrock LLM access)
- Add "cloudformation" (IaC service)

  Deliberately NOT applied from v0.17:
  - Removal of "mobiletargeting" — sgg still uses Pinpoint; this is
    being unwound via the SES migration on PRs #10358 / #10487
  - Addition of "sms-voice" — sgg isn't adopting SMS notifications in
    this PR

Template version pin: .template-infra/*.yml bumped from v0.15.7 to
v0.17.0 (base + 4 apps).
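The storage-module item in the PR description and the first commit message above both describe the same change: the bucket's KMS key moves from the implicit AWS default policy to an explicit document that keeps the account root on kms:* and, only when service_principals_with_access is non-empty, grants the listed service principals Decrypt/GenerateDataKey/DescribeKey via S3. The block below is an added example, not the template-infra module's code: it builds that document the way the PR describes it, shows the "functionally equivalent to the default" claim as a check, and lints a key policy the way a reviewer would. The Sids, the kms:ViaService condition and the S3 endpoint hostname are assumptions about how the module expresses "via the S3 service"; the account ID and the bedrock.amazonaws.com principal are placeholders.

```python
"""Explicit KMS key policy for the storage bucket: build, compare, lint.

Added example; not the storage module's own code. Statement layout
(Sids, kms:ViaService, the S3 endpoint hostname) is assumed; the PR only
states root keeps kms:* and listed principals get
Decrypt/GenerateDataKey/DescribeKey "via the S3 service".
"""
import json

ACCOUNT_ID = "123456789012"  # placeholder, not the project's account
REGION = "us-east-1"

# Actions the PR says listed service principals receive, and nothing more.
SERVICE_PRINCIPAL_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]

# What AWS attaches when aws_kms_key is created with policy = null. The Id
# "key-default-1" is the auto-assigned one the plan output shows being removed.
AWS_DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def build_key_policy(account_id: str, region: str, service_principals: list[str]) -> dict:
    """Root always; a second statement only when the caller passes principals."""
    statements = [
        {
            "Sid": "EnableRootAccess",  # assumed Sid
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ]
    if service_principals:
        statements.append(
            {
                "Sid": "AllowServicePrincipalsViaS3",  # assumed Sid
                "Effect": "Allow",
                "Principal": {"Service": sorted(service_principals)},
                "Action": list(SERVICE_PRINCIPAL_ACTIONS),
                "Resource": "*",
                # Assumed reading of "via the S3 service": the principal may use
                # the key only when the request arrives through S3 in this region.
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def _principal(statement: dict) -> dict:
    p = statement.get("Principal")
    return p if isinstance(p, dict) else {}


def _normalize(statement: dict) -> str:
    # Sid is a label, not a permission; drop it before comparing.
    return json.dumps({k: v for k, v in statement.items() if k != "Sid"}, sort_keys=True)


def policies_equivalent(a: dict, b: dict) -> bool:
    """True when both grant exactly the same statements, ignoring Id and Sid.
    This is the 'functionally equivalent' claim from the plan review."""
    return sorted(map(_normalize, a["Statement"])) == sorted(map(_normalize, b["Statement"]))


def check_key_policy(policy: dict, account_id: str) -> list[str]:
    """Reviewer checks for a key policy change; an empty list means it passed."""
    findings = []
    statements = policy.get("Statement", [])
    root_arn = f"arn:aws:iam::{account_id}:root"
    if not any(
        s.get("Effect") == "Allow" and _principal(s).get("AWS") == root_arn and s.get("Action") == "kms:*"
        for s in statements
    ):
        # Without this statement IAM policies cannot grant access to the key
        # and the key can become unmanageable.
        findings.append("no root kms:* statement")
    for s in statements:
        if "Service" not in _principal(s):
            continue
        sid = s.get("Sid", "<no Sid>")
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        extra = sorted(set(actions) - set(SERVICE_PRINCIPAL_ACTIONS))
        if extra:
            findings.append(f"{sid}: service principals granted more than the PR allows: {extra}")
        via = s.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if not via:
            findings.append(f"{sid}: no kms:ViaService condition; key usable outside S3")
    return findings


if __name__ == "__main__":
    explicit = build_key_policy(ACCOUNT_ID, REGION, [])
    print("default == explicit(no principals):", policies_equivalent(AWS_DEFAULT_KEY_POLICY, explicit))
    print(json.dumps(build_key_policy(ACCOUNT_ID, REGION, ["bedrock.amazonaws.com"]), indent=2))
```

The equivalence check is what makes the plan diff above (only `Id = "key-default-1"` removed, two attributes unchanged) a non-event: Id and Sid carry no permissions. The two lint rules are the ones worth keeping once callers start passing principals: the root statement must survive, and a service-principal grant without kms:ViaService lets that service use the key from any of its own code paths, not just S3 reads of this bucket.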
@sean-navapbc

Collaborator Author

terraform plan results (dev, all 3 impacted layers)

Plans run from this branch against dev backend.

Summary

| Layer | Plan | What this PR causes | What's drift |
| --- | --- | --- | --- |
| infra/analytics/service | 1 add, 7 change, 1 destroy | module.storage.aws_kms_key.storage policy field gets the explicit policy doc (replaces AWS default key-default-1); module.storage.aws_iam_policy.storage_access cascade-rebuilt because it references the KMS key arn | task_definition replacement + IAM/state-machine cascade |
| infra/frontend/service | 1 add, 7 change, 1 destroy | Same storage changes as analytics | task_definition replacement + CloudFront/IAM cascade |
| infra/accounts | 7 add, 3 change, 4 destroy | module.auth_github_actions.aws_iam_policy.github_actions: adds bedrock:* and cloudformation:* to allowed actions | Security Hub additions, GuardDuty runtime-monitoring replacement, SSM service settings removed, lambda update — all unrelated drift |

Confirmed PR effects

KMS key policy (analytics + frontend):

~ module.storage.aws_kms_key.storage
  ~ policy = jsonencode(
    ~ {
        - Id = "key-default-1"
          # (2 unchanged attributes hidden)
      }
  )

The current policy is the AWS implicit default (with auto-assigned Id = "key-default-1"); the new one is the explicit doc this PR introduces. Both grant the AWS account root full kms:* — functionally equivalent. No data re-encryption, no key rotation, no consumer permission change.

GitHub Actions IAM policy (accounts):

+ "cloudformation:*",
+ "bedrock:*",

Exactly what's expected from adding those two services to project-config/aws_services.tf.

Drift not caused by this PR (worth knowing)

In accounts the plan also shows:

  • Security Hub additions (CIS 1.2/1.4, foundational standards, EventBridge rule + SNS subscription for high findings)
  • GuardDuty runtime_monitoring feature replaced
  • aws_cloudwatch_log_group.ssm_automation + 2× aws_ssm_service_setting destroyed
  • aws_lambda_function.security_hub_slack updated
  • Removal of es:*, sqs:*, dynamodb:*, elasticfilesystem:* from the github_actions policy (these were already removed from aws_services.tf on main but dev hasn't been redeployed)

In analytics + frontend the plan also shows:

  • aws_ecs_task_definition.app must be replaced (container_definitions drift — same situation we saw on the SES additive PR)
  • Cascade IAM policy / state-machine updates from the new task-def ARN
  • CloudFront cache policy + distribution + bucket policy updates on frontend

Two pre-existing accounts-plan errors (unrelated to this PR):

Error: Missing required argument
  on main.tf line 37, in provider "newrelic":
  The argument "account_id" is required
  The argument "api_key" is required

NewRelic provider missing local credentials. Plan generated despite this; would block apply unless the env vars are set.

Full plan output

Three follow-up comments below — one per layer. ~1800 total lines, posting separately due to GitHub's 64KB comment cap.
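The plan comment above does its "caused by this PR" vs "drift" split by hand, and the Testing section's last bullet states the acceptance criterion: in each consumer of module.storage only the KMS key's policy attribute may change. Below is an added example, not part of the PR or the project's bin scripts, that automates both against the JSON form of a plan (`terraform show -json tfplan`). It relies only on the documented plan fields (`resource_changes` entries carrying `address` and a `change` with `actions`, `before`, `after`). The set of addresses treated as expected is an assumption drawn from the PR description, and SAMPLE_PLAN is constructed for the example: its addresses mirror the ones named for the service layers, its attribute values are invented.

```python
"""Triage a terraform plan into changes this PR should cause and drift.

Added example, not part of the PR or the project's scripts. Reads the JSON
plan format (terraform show -json) and uses only documented fields.
SAMPLE_PLAN is constructed; addresses mirror the plan comment, values are
invented.
"""
import json

# Assumption from the PR description: only the storage module and the GitHub
# Actions IAM policy (which mirrors project-config/aws_services.tf) should move.
EXPECTED_PREFIXES = (
    "module.storage.",
    "module.auth_github_actions.aws_iam_policy.github_actions",
)


def is_expected(address: str) -> bool:
    return address.startswith(EXPECTED_PREFIXES)


def summarize(changes: list[dict]) -> dict:
    """Count the way terraform's plan summary does: a replacement
    (["delete", "create"] or ["create", "delete"]) is one add plus one destroy."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    for rc in changes:
        actions = rc["change"]["actions"]
        if "create" in actions:
            counts["add"] += 1
        if "delete" in actions:
            counts["destroy"] += 1
        if actions == ["update"]:
            counts["change"] += 1
    return counts


def triage(plan: dict) -> dict:
    """Split every non-no-op resource change into 'expected' or 'drift'."""
    buckets = {"expected": [], "drift": []}
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] == ["no-op"]:
            continue
        buckets["expected" if is_expected(rc["address"]) else "drift"].append(rc)
    return buckets


def changed_attributes(rc: dict) -> list[str]:
    """Top-level attributes whose value differs between before and after."""
    before = rc["change"].get("before") or {}
    after = rc["change"].get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def kms_policy_is_only_change(plan: dict, address: str = "module.storage.aws_kms_key.storage") -> bool:
    """Acceptance check from the PR's Testing section: the storage key is
    updated in place and only its policy attribute differs."""
    for rc in plan.get("resource_changes", []):
        if rc["address"] == address:
            return rc["change"]["actions"] == ["update"] and changed_attributes(rc) == ["policy"]
    return False


def report(plan: dict) -> str:
    t = triage(plan)
    lines = []
    for bucket in ("expected", "drift"):
        c = summarize(t[bucket])
        lines.append(f"{bucket}: {c['add']} add, {c['change']} change, {c['destroy']} destroy")
        lines.extend(f"  {rc['address']}: {rc['change']['actions']} {changed_attributes(rc)}" for rc in t[bucket])
    lines.append(f"kms policy only change: {kms_policy_is_only_change(plan)}")
    return "\n".join(lines)


# Constructed sample plan for a service layer (values invented).
_ROOT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"}
_DEFAULT_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-default-1", "Statement": [_ROOT]})
_EXPLICIT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [_ROOT]})
_KEY = {"arn": "arn:aws:kms:us-east-1:123456789012:key/example", "enable_key_rotation": True}

SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.storage.aws_kms_key.storage",
         "change": {"actions": ["update"], "before": {**_KEY, "policy": _DEFAULT_POLICY}, "after": {**_KEY, "policy": _EXPLICIT_POLICY}}},
        {"address": "module.storage.aws_iam_policy.storage_access",
         "change": {"actions": ["update"], "before": {"policy": "old-doc"}, "after": {"policy": "new-doc"}}},
        {"address": "aws_ecs_task_definition.app",
         "change": {"actions": ["delete", "create"], "before": {"container_definitions": "old"}, "after": {"container_definitions": "new"}}},
        {"address": "aws_securityhub_standards_subscription.cis_1_4",
         "change": {"actions": ["create"], "before": None, "after": {"standards_arn": "example"}}},
        {"address": "aws_s3_bucket.untouched",
         "change": {"actions": ["no-op"], "before": {"bucket": "x"}, "after": {"bucket": "x"}}},
    ],
}

if __name__ == "__main__":
    print(report(SAMPLE_PLAN))
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json`, then `triage(json.load(open("plan.json")))`. Anything that lands in "drift" is the list the comment above had to write out by hand, and a False from `kms_policy_is_only_change` on a storage consumer is the signal that the module change is not as additive as claimed.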

@sean-navapbc

Collaborator Author

Full plan: infra/accounts/service (dev)

(layer is infra/accounts, not service)

terraform plan output
module.newrelic-aws-cloud-integrations.random_string.s3-bucket-name: Refreshing state... [id=083hg5ug]
aws_ebs_encryption_by_default.main: Refreshing state... [id=terraform-20251208183427159500000001]
aws_ssm_service_setting.automation_cloudwatch_logging_enabled: Refreshing state... [id=arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-group-name]
aws_ssm_service_setting.automation_cloudwatch_logging: Refreshing state... [id=arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-destination]
data.aws_iam_policy_document.api_gateway_cloudwatch_permissions: Reading...
data.aws_secretsmanager_secret.slack_webhook: Reading...
aws_cloudwatch_log_group.cloudtrail_management: Refreshing state... [id=/aws/cloudtrail/management-events]
aws_cloudwatch_log_group.ssm_automation: Refreshing state... [id=/aws/ssm/automation]
aws_iam_role.cloudtrail_cloudwatch: Refreshing state... [id=cloudtrail-cloudwatch-logs-role]
module.newrelic-aws-cloud-integrations.aws_iam_role.metric_stream_to_firehose: Refreshing state... [id=newrelic_metric_stream_to_firehose_role_simpler-grants-gov]
module.newrelic-aws-cloud-integrations.aws_s3_bucket.newrelic_configuration_recorder_s3: Refreshing state... [id=newrelic-configuration-recorder-083hg5ug]
data.aws_iam_policy_document.api_gateway_cloudwatch_permissions: Read complete after 0s [id=1005217238]
module.newrelic-aws-cloud-integrations.aws_iam_role.newrelic_configuration_recorder: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov]
data.aws_caller_identity.current: Reading...
aws_securityhub_account.main: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:hub/default]
data.aws_secretsmanager_secret.slack_webhook: Read complete after 2s [id=arn:aws:secretsmanager:us-east-1:315341936575:secret:security-hub-slack-webhook-3JqMpk]
aws_sns_topic.security_hub_findings_formatted: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings-formatted]
aws_cloudwatch_event_rule.security_hub_critical_findings: Refreshing state... [id=security-hub-critical-findings]
aws_guardduty_detector.main: Refreshing state... [id=94c62cc0d4fe7b2eb627a33e8273238c]
data.aws_caller_identity.current: Read complete after 0s [id=315341936575]
module.auth_github_actions.data.aws_iam_openid_connect_provider.github: Reading...
aws_iam_role.security_hub_slack_lambda: Refreshing state... [id=security-hub-slack-lambda-role]
module.auth_github_actions.data.aws_iam_openid_connect_provider.github: Read complete after 1s [id=arn:aws:iam::315341936575:oidc-provider/token.actions.githubusercontent.com]
module.auth_github_actions.data.aws_iam_policy_document.github_actions: Reading...
module.auth_github_actions.data.aws_iam_policy_document.github_actions: Read complete after 0s [id=1071607489]
module.newrelic-aws-cloud-integrations.aws_iam_policy.newrelic_aws_permissions: Refreshing state... [id=arn:aws:iam::315341936575:policy/NewRelicCloudStreamReadPermissions-simpler-grants-gov]
data.aws_kms_key.ebs: Reading...
aws_s3_account_public_access_block.main: Refreshing state... [id=315341936575]
module.backend.aws_kms_key.tf_backend: Refreshing state... [id=47e55dd0-92fd-40e3-92a6-c18a00928059]
aws_iam_role.security_hub_email_formatter: Refreshing state... [id=security-hub-email-formatter-role]
module.backend.data.aws_partition.current: Reading...
module.backend.data.aws_partition.current: Read complete after 0s [id=aws]
data.aws_secretsmanager_secret.alerts_email: Reading...
module.backend.data.aws_region.current: Reading...
module.backend.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.backend.data.aws_caller_identity.current: Reading...
aws_sns_topic.log_failure: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-no-logs]
aws_sns_topic.security_hub_findings: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings]
module.backend.data.aws_caller_identity.current: Read complete after 0s [id=315341936575]
aws_cloudwatch_log_group.cloudtrail_pinpoint: Refreshing state... [id=/aws/cloudtrail/pinpoint-events]
module.newrelic-aws-cloud-integrations.aws_iam_role.firehose_newrelic_role: Refreshing state... [id=firehose_newrelic_role_simpler-grants-gov]
data.aws_secretsmanager_secret.alerts_email: Read complete after 0s [id=arn:aws:secretsmanager:us-east-1:315341936575:secret:grants-alerts-email-1pyspJ]
data.aws_iam_policy_document.api_gateway_assume_role: Reading...
data.aws_iam_policy_document.api_gateway_assume_role: Read complete after 0s [id=2699642182]
module.newrelic-aws-cloud-integrations.aws_s3_bucket.newrelic_aws_bucket: Refreshing state... [id=newrelic-aws-bucket-083hg5ug]
data.aws_kms_key.ebs: Read complete after 1s [id=792a19e0-82c5-4085-903c-0a3a0443a356]
data.aws_ssm_parameter.newrelic_account_id: Reading...
data.aws_region.current: Reading...
data.aws_secretsmanager_secret_version.slack_webhook: Reading...
data.aws_region.current: Read complete after 0s [id=us-east-1]
aws_inspector2_enabler.main: Refreshing state... [id=315341936575-EC2:ECR:LAMBDA:LAMBDA_CODE]
module.auth_github_actions.data.aws_iam_policy_document.github_assume_role: Reading...
module.auth_github_actions.data.aws_iam_policy_document.github_assume_role: Read complete after 0s [id=1809092987]
module.auth_github_actions.aws_iam_policy.github_actions: Refreshing state... [id=arn:aws:iam::315341936575:policy/simpler-grants-gov-github-actions-manage-infra]
data.aws_ssm_parameter.newrelic_account_id: Read complete after 1s [id=/new-relic-account-id]
aws_securityhub_standards_subscription.cis_1_2: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:subscription/cis-aws-foundations-benchmark/v/1.2.0]
aws_securityhub_insight.critical_and_high_severity: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:insight/315341936575/custom/9f50c1b5-db73-4438-8747-899dfb5bd54d]
aws_securityhub_insight.failed_cis_controls: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:insight/315341936575/custom/d3b94b11-efac-4a20-b3bc-9d25bfbb305b]
data.aws_secretsmanager_secret_version.slack_webhook: Read complete after 0s [id=arn:aws:secretsmanager:us-east-1:315341936575:secret:security-hub-slack-webhook-3JqMpk|AWSCURRENT]
aws_securityhub_insight.public_resources: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:insight/315341936575/custom/ea6c9e55-cc20-4f5b-8e54-767931c77698]
aws_cloudtrail.management_events: Refreshing state... [id=management-events]
module.newrelic-aws-cloud-integrations.aws_iam_role_policy_attachment.newrelic_configuration_recorder: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov-20250312224413757900000002]
module.newrelic-aws-cloud-integrations.aws_config_configuration_recorder.newrelic_recorder: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov]
aws_guardduty_detector_feature.runtime_monitoring: Refreshing state... [id=94c62cc0d4fe7b2eb627a33e8273238c/RUNTIME_MONITORING]
aws_lambda_function.security_hub_slack: Refreshing state... [id=security-hub-slack-notifier]
aws_iam_role_policy.lambda_secrets: Refreshing state... [id=security-hub-slack-lambda-role:secrets-access]
aws_iam_role_policy_attachment.lambda_basic: Refreshing state... [id=security-hub-slack-lambda-role-20251124212903200400000001]
data.aws_secretsmanager_secret_version.alerts_email: Reading...
aws_iam_role.api_gateway_cloudwatch_logging: Refreshing state... [id=api_gateway_service_cloudwatch_logging_role]
aws_ebs_default_kms_key.main: Refreshing state... [id=arn:aws:kms:us-east-1:315341936575:key/792a19e0-82c5-4085-903c-0a3a0443a356]
data.aws_secretsmanager_secret_version.alerts_email: Read complete after 1s [id=arn:aws:secretsmanager:us-east-1:315341936575:secret:grants-alerts-email-1pyspJ|AWSCURRENT]
aws_cloudtrail.pinpoint_events: Refreshing state... [id=pinpoint-events]
aws_iam_role_policy.cloudtrail_cloudwatch: Refreshing state... [id=cloudtrail-cloudwatch-logs-role:cloudtrail-cloudwatch-logs-policy]
aws_securityhub_product_subscription.systems_manager: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/ssm-patch-manager,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/ssm-patch-manager]
aws_securityhub_product_subscription.access_analyzer: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/access-analyzer,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/access-analyzer]
aws_securityhub_product_subscription.inspector: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/inspector,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/inspector]
aws_securityhub_product_subscription.firewall_manager: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/firewall-manager,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/firewall-manager]
aws_securityhub_standards_subscription.nist_800_53: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:subscription/nist-800-53/v/5.0.0]
aws_securityhub_standards_subscription.cis_1_4: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:subscription/cis-aws-foundations-benchmark/v/1.4.0]
aws_securityhub_product_subscription.macie: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/macie,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/macie]
aws_securityhub_product_subscription.health: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/health,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/health]
aws_ssm_service_setting.block_public_sharing: Refreshing state... [id=arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/documents/console/public-sharing-permission]
aws_securityhub_product_subscription.guardduty: Refreshing state... [id=arn:aws:securityhub:us-east-1::product/aws/guardduty,arn:aws:securityhub:us-east-1:315341936575:product-subscription/aws/guardduty]
aws_securityhub_standards_subscription.aws_foundational: Refreshing state... [id=arn:aws:securityhub:us-east-1:315341936575:subscription/aws-foundational-security-best-practices/v/1.0.0]
data.aws_iam_policy_document.policy: Reading...
aws_iam_role_policy.formatter_sns_publish: Refreshing state... [id=security-hub-email-formatter-role:sns-publish]
data.aws_iam_policy_document.policy: Read complete after 0s [id=1064821354]
aws_iam_role_policy_attachment.formatter_lambda_basic: Refreshing state... [id=security-hub-email-formatter-role-20251209215304767300000001]
aws_lambda_function.format_security_hub_email: Refreshing state... [id=security-hub-email-formatter]
module.auth_github_actions.aws_iam_role.github_actions: Refreshing state... [id=simpler-grants-gov-github-actions]
aws_cloudwatch_metric_alarm.container_log_failure: Refreshing state... [id=logs-missing]
aws_sns_topic_policy.security_hub_findings: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings]
aws_cloudwatch_event_target.security_hub_critical_findings_sns: Refreshing state... [id=security-hub-critical-findings-SendToSNS]
module.newrelic-aws-cloud-integrations.aws_iam_role_policy.newrelic_configuration_recorder_s3: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov:newrelic-configuration-recorder-s3-simpler-grants-gov]
module.newrelic-aws-cloud-integrations.aws_config_delivery_channel.newrelic_recorder_delivery: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov]
aws_cloudwatch_log_resource_policy.policy: Refreshing state... [id=account-level-logs]
aws_api_gateway_account.api_gateway_account_level_settings: Refreshing state... [id=api-gateway-account]
aws_iam_role_policy.api_gateway_cloudwatch_policy: Refreshing state... [id=api_gateway_service_cloudwatch_logging_role:cloudwatch_log_permissions]
module.newrelic-aws-cloud-integrations.data.aws_iam_policy_document.newrelic_assume_policy: Reading...
aws_lambda_permission.allow_sns: Refreshing state... [id=AllowExecutionFromSNS]
module.newrelic-aws-cloud-integrations.data.aws_iam_policy_document.newrelic_assume_policy: Read complete after 0s [id=444471593]
aws_sns_topic_subscription.security_hub_findings_slack: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings:eedf23f7-af9f-43b9-8f18-14bca8ee2a0c]
aws_sns_topic_subscription.log_failure: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-no-logs:c646bb46-221f-4a21-b407-de5bc9bcedc4]
aws_sns_topic_subscription.security_hub_findings_email: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings-formatted:c14f5834-db54-4a81-89d1-cc67770c4b4d]
module.newrelic-aws-cloud-integrations.aws_config_configuration_recorder_status.newrelic_recorder_status: Refreshing state... [id=newrelic_configuration_recorder-simpler-grants-gov]
module.newrelic-aws-cloud-integrations.aws_iam_role.newrelic_aws_role: Refreshing state... [id=NewRelicInfrastructure-Integrations-simpler-grants-gov]
aws_lambda_permission.allow_sns_formatter: Refreshing state... [id=AllowExecutionFromSNS]
aws_sns_topic_subscription.security_hub_findings_formatter: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:security-hub-findings:a5f2e5ef-18c6-4ab8-bcd9-08f3e3fd4fea]
module.backend.aws_s3_bucket.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]
module.auth_github_actions.aws_iam_role_policy_attachment.github_actions: Refreshing state... [id=simpler-grants-gov-github-actions-20250312224413698800000001]
module.newrelic-aws-cloud-integrations.aws_iam_role_policy_attachment.newrelic_aws_policy_attach: Refreshing state... [id=NewRelicInfrastructure-Integrations-simpler-grants-gov-20250312224413914400000003]
module.newrelic-aws-cloud-integrations.aws_s3_bucket_ownership_controls.newrelic_ownership_controls: Refreshing state... [id=newrelic-aws-bucket-083hg5ug]
module.backend.aws_s3_bucket_ownership_controls.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket_public_access_block.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket_versioning.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket_server_side_encryption_configuration.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.data.aws_iam_policy_document.tf_state: Reading...
module.backend.data.aws_iam_policy_document.tf_state: Read complete after 0s [id=581147307]
module.backend.aws_s3_bucket_policy.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket_versioning.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]
module.backend.aws_s3_bucket_server_side_encryption_configuration.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]
module.backend.aws_s3_bucket_ownership_controls.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]
module.backend.aws_s3_bucket_public_access_block.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]
module.backend.data.aws_iam_policy_document.tf_log: Reading...
module.backend.data.aws_iam_policy_document.tf_log: Read complete after 0s [id=837173280]
module.backend.aws_s3_bucket_lifecycle_configuration.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs,315341936575]
module.backend.aws_s3_bucket_logging.tf_state: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf]
module.backend.aws_s3_bucket_policy.tf_log: Refreshing state... [id=simpler-grants-gov-315341936575-us-east-1-tf-logs]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement

Terraform planned the following actions, but then encountered a problem:

  # aws_cloudwatch_event_rule.security_hub_high_findings will be created
  + resource "aws_cloudwatch_event_rule" "security_hub_high_findings" {
      + arn            = (known after apply)
      + description    = "Capture HIGH severity findings from Security Hub (excluding Inspector)"
      + event_bus_name = "default"
      + event_pattern  = jsonencode(
            {
              + detail      = {
                  + findings = {
                      + ProductArn  = [
                          + {
                              + anything-but = {
                                  + prefix = "arn:aws:securityhub:us-east-1::product/aws/inspector"
                                }
                            },
                        ]
                      + RecordState = [
                          + "ACTIVE",
                        ]
                      + Severity    = {
                          + Label = [
                              + "HIGH",
                            ]
                        }
                      + Workflow    = {
                          + Status = [
                              + "NEW",
                            ]
                        }
                    }
                }
              + detail-type = [
                  + "Security Hub Findings - Imported",
                ]
              + source      = [
                  + "aws.securityhub",
                ]
            }
        )
      + force_destroy  = false
      + id             = (known after apply)
      + name           = "security-hub-high-findings"
      + name_prefix    = (known after apply)
      + tags_all       = {
          + "description"         = "Backend resources required for terraform state management and GitHub authentication with AWS."
          + "owner"               = "navapbc"
          + "project"             = "simpler-grants-gov"
          + "repository"          = "https://github.com/HHS/simpler-grants-gov"
          + "terraform"           = "true"
          + "terraform_workspace" = "default"
        }
    }

  # aws_cloudwatch_event_target.security_hub_high_findings_sns will be created
  + resource "aws_cloudwatch_event_target" "security_hub_high_findings_sns" {
      + arn            = "arn:aws:sns:us-east-1:315341936575:security-hub-findings"
      + event_bus_name = "default"
      + force_destroy  = false
      + id             = (known after apply)
      + rule           = "security-hub-high-findings"
      + target_id      = "SendToSNS"
    }

  # aws_cloudwatch_log_group.ssm_automation will be destroyed
  # (because aws_cloudwatch_log_group.ssm_automation is not in configuration)
  - resource "aws_cloudwatch_log_group" "ssm_automation" {
      - arn               = "arn:aws:logs:us-east-1:315341936575:log-group:/aws/ssm/automation" -> null
      - id                = "/aws/ssm/automation" -> null
      - log_group_class   = "STANDARD" -> null
      - name              = "/aws/ssm/automation" -> null
      - retention_in_days = 365 -> null
      - skip_destroy      = false -> null
      - tags              = {} -> null
      - tags_all          = {
          - "description"         = "Backend resources required for terraform state management and GitHub authentication with AWS."
          - "owner"               = "navapbc"
          - "project"             = "simpler-grants-gov"
          - "repository"          = "https://github.com/HHS/simpler-grants-gov"
          - "terraform"           = "true"
          - "terraform_workspace" = "default"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_cloudwatch_log_resource_policy.policy will be updated in-place
  ~ resource "aws_cloudwatch_log_resource_policy" "policy" {
        id              = "account-level-logs"
      ~ policy_document = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action    = [
                          - "logs:PutLogEvents",
                            "logs:PutLogEventsBatch",
                          + "logs:PutLogEvents",
                            "logs:CreateLogStream",
                        ]
                      ~ Condition = {
                          + ArnLike      = {
                              + "aws:SourceArn" = "arn:aws:logs:us-east-1:315341936575:*"
                            }
                            # (1 unchanged attribute hidden)
                        }
                      ~ Principal = {
                          ~ Service = [
                              - "delivery.logs.amazonaws.com",
                                "es.amazonaws.com",
                              + "delivery.logs.amazonaws.com",
                            ]
                        }
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

  # aws_guardduty_detector_feature.runtime_monitoring must be replaced
-/+ resource "aws_guardduty_detector_feature" "runtime_monitoring" {
      ~ id          = "94c62cc0d4fe7b2eb627a33e8273238c/RUNTIME_MONITORING" -> (known after apply)
        name        = "RUNTIME_MONITORING"
        # (2 unchanged attributes hidden)

      ~ additional_configuration { # forces replacement
          ~ name   = "EKS_ADDON_MANAGEMENT" -> "ECS_FARGATE_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
      ~ additional_configuration { # forces replacement
          ~ name   = "ECS_FARGATE_AGENT_MANAGEMENT" -> "EC2_AGENT_MANAGEMENT" # forces replacement
            # (1 unchanged attribute hidden)
        }
      - additional_configuration { # forces replacement
          - name   = "EC2_AGENT_MANAGEMENT" -> null # forces replacement
          - status = "ENABLED" -> null
        }
    }

  # aws_lambda_function.security_hub_slack will be updated in-place
  ~ resource "aws_lambda_function" "security_hub_slack" {
      - description                    = "Posts Security Hub findings to Slack - webhook updated 20251217131039" -> null
        id                             = "security-hub-slack-notifier"
        tags                           = {}
        # (28 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # aws_securityhub_standards_subscription.aws_foundational will be created
  + resource "aws_securityhub_standards_subscription" "aws_foundational" {
      + id            = (known after apply)
      + standards_arn = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    }

  # aws_securityhub_standards_subscription.cis_1_2 will be created
  + resource "aws_securityhub_standards_subscription" "cis_1_2" {
      + id            = (known after apply)
      + standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
    }

  # aws_securityhub_standards_subscription.cis_1_4 will be created
  + resource "aws_securityhub_standards_subscription" "cis_1_4" {
      + id            = (known after apply)
      + standards_arn = "arn:aws:securityhub:us-east-1::standards/cis-aws-foundations-benchmark/v/1.4.0"
    }

  # aws_sns_topic_subscription.security_hub_findings_email will be created
  + resource "aws_sns_topic_subscription" "security_hub_findings_email" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = (sensitive value)
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "arn:aws:sns:us-east-1:315341936575:security-hub-findings-formatted"
    }

  # aws_ssm_service_setting.automation_cloudwatch_logging will be destroyed
  # (because aws_ssm_service_setting.automation_cloudwatch_logging is not in configuration)
  - resource "aws_ssm_service_setting" "automation_cloudwatch_logging" {
      - arn           = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-destination" -> null
      - id            = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-destination" -> null
      - setting_id    = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-destination" -> null
      - setting_value = "CloudWatch" -> null
      - status        = "Customized" -> null
    }

  # aws_ssm_service_setting.automation_cloudwatch_logging_enabled will be destroyed
  # (because aws_ssm_service_setting.automation_cloudwatch_logging_enabled is not in configuration)
  - resource "aws_ssm_service_setting" "automation_cloudwatch_logging_enabled" {
      - arn           = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-group-name" -> null
      - id            = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-group-name" -> null
      - setting_id    = "arn:aws:ssm:us-east-1:315341936575:servicesetting/ssm/automation/customer-script-log-group-name" -> null
      - setting_value = "/aws/ssm/automation" -> null
      - status        = "Customized" -> null
    }

  # module.auth_github_actions.aws_iam_policy.github_actions will be updated in-place
  ~ resource "aws_iam_policy" "github_actions" {
        id               = "arn:aws:iam::315341936575:policy/simpler-grants-gov-github-actions-manage-infra"
        name             = "simpler-grants-gov-github-actions-manage-infra"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                            # (5 unchanged elements hidden)
                            "ses:*",
                          - "es:*",
                          - "sqs:*",
                            "servicediscovery:*",
                            # (2 unchanged elements hidden)
                            "scheduler:*",
                          - "dynamodb:*",
                          - "elasticfilesystem:*",
                            "s3:*",
                            # (17 unchanged elements hidden)
                            "cloudfront:*",
                          + "cloudformation:*",
                          + "bedrock:*",
                            "backup:*",
                            # (3 unchanged elements hidden)
                            "acm:*",
                          - "elasticfilesystem:*",
                        ]
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {}
        # (7 unchanged attributes hidden)
    }

Plan: 7 to add, 3 to change, 4 to destroy.

Changes to Outputs:
  - tf_locks_table_name  = "simpler-grants-gov-315341936575-us-east-1-tf-state-locks" -> null

Error: Missing required argument

  on main.tf line 37, in provider "newrelic":
  37: provider "newrelic" {}

The argument "account_id" is required, but no definition was found.

Error: Missing required argument

  on main.tf line 37, in provider "newrelic":
  37: provider "newrelic" {}

The argument "api_key" is required, but no definition was found.
Releasing state lock. This may take a few moments...

@sean-navapbc

Collaborator Author

Full plan: infra/analytics/service (dev)

terraform plan output
data.terraform_remote_state.current_image_tag[0]: Reading...
module.service.data.external.deploy_github_sha: Reading...
module.app_config.data.external.account_ids_by_name: Reading...
module.service.data.external.whoami: Reading...
module.service.data.archive_file.nr_host_log_forwarder: Reading...
module.service.data.archive_file.nr_host_log_forwarder: Read complete after 0s [id=d0ad0ee7fd1065a8208bbdcbd96edb2c45eaca7f]
module.app_config.data.external.account_ids_by_name: Read complete after 0s [id=-]
module.service.data.external.whoami: Read complete after 0s [id=-]
module.service.data.external.deploy_github_sha: Read complete after 0s [id=-]
data.aws_iam_policy.migrator_db_access_policy[0]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["ANALYTICS_REPORTING_CHANNEL_ID"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["ANALYTICS_SLACK_BOT_TOKEN"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_LICENSE_KEY"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["GH_TOKEN"]: Reading...
module.service.data.aws_iam_policy_document.scheduler_assume_role: Reading...
module.service.module.network.data.aws_subnets.public: Reading...
module.monitoring.aws_sns_topic.this: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:analytics-dev-monitoring]
module.service.data.aws_iam_policy_document.scheduler_assume_role: Read complete after 0s [id=52247394]
data.aws_vpc.network: Reading...
module.service.aws_s3_bucket.access_logs: Refreshing state... [id=analytics-dev-access-logs20241029172617413200000004]
module.secrets.data.aws_ssm_parameter.secrets["ANALYTICS_REPORTING_CHANNEL_ID"]: Read complete after 1s [id=/analytics/dev/reporting-channel-id]
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_LICENSE_KEY"]: Read complete after 1s [id=/analytics/dev/new-relic-license-key]
module.service.module.network.data.aws_subnets.private: Reading...
module.service.module.network.data.aws_vpc.network: Reading...
module.secrets.data.aws_ssm_parameter.secrets["ANALYTICS_SLACK_BOT_TOKEN"]: Read complete after 1s [id=/analytics/slack-bot-token]
module.service.data.aws_iam_policy_document.ecs_tasks_assume_role_policy: Reading...
module.service.data.aws_iam_policy_document.ecs_tasks_assume_role_policy: Read complete after 0s [id=4229150499]
module.service.module.network.data.aws_subnets.database: Reading...
module.secrets.data.aws_ssm_parameter.secrets["GH_TOKEN"]: Read complete after 1s [id=/analytics/github-token]
module.domain.data.aws_acm_certificate.certificate[0]: Reading...
module.service.module.network.data.aws_subnets.public: Read complete after 1s [id=us-east-1]
module.domain.data.aws_route53_zone.zone[0]: Reading...
module.service.data.aws_caller_identity.current: Reading...
module.service.module.network.data.aws_subnets.private: Read complete after 1s [id=us-east-1]
module.service.data.aws_iam_policy_document.events_assume_role: Reading...
module.service.data.aws_iam_policy_document.events_assume_role: Read complete after 0s [id=3959961479]
module.database[0].data.aws_rds_cluster.db_cluster: Reading...
module.service.data.aws_caller_identity.current: Read complete after 1s [id=315341936575]
module.service.aws_cloudwatch_log_group.service_logs: Refreshing state... [id=service/analytics-dev]
module.service.module.network.data.aws_subnets.database: Read complete after 1s [id=us-east-1]
module.database[0].data.aws_iam_policy.app_db_access_policy: Reading...
data.terraform_remote_state.current_image_tag[0]: Read complete after 4s
module.storage.data.aws_region.current: Reading...
module.storage.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.service.data.aws_ssm_parameter.newrelic_license_key_host: Reading...
module.service.data.aws_ssm_parameter.newrelic_license_key_host: Read complete after 0s [id=/new-relic-license-key]
module.service.data.aws_iam_policy_document.ecs_exec: Reading...
module.service.data.aws_iam_policy_document.ecs_exec: Read complete after 0s [id=1236260518]
module.service.aws_s3_bucket.general_purpose: Refreshing state... [id=analytics-dev-general-purpose20241029172617410500000003]
data.aws_vpc.network: Read complete after 3s [id=vpc-08f522c5cc442d126]
module.storage.data.aws_caller_identity.current: Reading...
module.domain.data.aws_route53_zone.zone[0]: Read complete after 2s [id=Z04517193GDPF9DWUX2WT]
module.monitoring.aws_cloudwatch_log_metric_filter.service_error_filter: Refreshing state... [id=service-error-filter]
module.database[0].data.aws_rds_cluster.db_cluster: Read complete after 1s [id=analytics-dev]
data.aws_ssm_parameter.api_analytics_bucket_arn: Reading...
module.domain.data.aws_acm_certificate.certificate[0]: Read complete after 2s [id=arn:aws:acm:us-east-1:315341936575:certificate/621b6adc-182d-4f4b-b8fc-47fc80db97f8]
module.service.aws_ecs_cluster.cluster: Refreshing state... [id=arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev]
module.storage.data.aws_caller_identity.current: Read complete after 0s [id=315341936575]
module.database[0].data.aws_iam_policy.migrator_db_access_policy: Reading...
module.service.module.network.data.aws_vpc.network: Read complete after 2s [id=vpc-08f522c5cc442d126]
module.service.aws_iam_role.nr_host_log_forwarder: Refreshing state... [id=analytics-dev-nr-host-log-forwarder-role]
module.storage.aws_s3_bucket.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
data.aws_ssm_parameter.api_analytics_bucket_arn: Read complete after 1s [id=/buckets/api-dev/api-analytics-transfer/arn]
module.service.data.aws_region.current: Reading...
module.service.data.aws_region.current: Read complete after 0s [id=us-east-1]
data.aws_acm_certificate.certificate[0]: Reading...
data.aws_ssm_parameter.api_analytics_bucket_id: Reading...
data.aws_ssm_parameter.api_analytics_bucket_id: Read complete after 0s [id=/buckets/api-dev/api-analytics-transfer/id]
module.service.aws_cloudwatch_log_group.scheduled_jobs["opportunity-load-csvs"]: Refreshing state... [id=/aws/vendedlogs/states/analytics-dev-opportunity-load-csvs/scheduled-jobs/20250314180447731500000001]
module.service.aws_cloudwatch_log_group.scheduled_jobs["sprint-reports"]: Refreshing state... [id=/aws/vendedlogs/states/analytics-dev-sprint-reports/scheduled-jobs/20250314180447733700000002]
data.aws_rds_cluster.db_cluster[0]: Reading...
data.aws_iam_policy.app_db_access_policy[0]: Reading...
data.aws_acm_certificate.certificate[0]: Read complete after 1s [id=arn:aws:acm:us-east-1:315341936575:certificate/621b6adc-182d-4f4b-b8fc-47fc80db97f8]
module.service.aws_iam_role.scheduler: Refreshing state... [id=analytics-dev-scheduler]
module.service.aws_iam_role.task_executor: Refreshing state... [id=analytics-dev-task-executor]
data.aws_rds_cluster.db_cluster[0]: Read complete after 0s [id=analytics-dev]
module.service.aws_iam_role.app_service: Refreshing state... [id=analytics-dev-app]
module.monitoring.aws_cloudwatch_metric_alarm.service_errors: Refreshing state... [id=analytics-dev-errors]
module.service.aws_iam_role.events: Refreshing state... [id=analytics-dev-events]
module.service.aws_iam_policy.ecs_exec: Refreshing state... [id=arn:aws:iam::315341936575:policy/analytics-dev-ecs-exec]
data.aws_security_groups.aws_services: Reading...
data.aws_subnets.public: Reading...
data.aws_security_groups.aws_services: Read complete after 0s [id=us-east-1]
data.aws_subnets.private: Reading...
module.storage.data.aws_iam_policy_document.kms_key_policy: Reading...
module.storage.data.aws_iam_policy_document.kms_key_policy: Read complete after 0s [id=2126862806]
module.service.module.network.data.aws_security_groups.aws_services: Reading...
data.aws_iam_policy_document.api_analytics_bucket_access: Reading...
data.aws_iam_policy_document.api_analytics_bucket_access: Read complete after 0s [id=2174760927]
module.service.data.aws_iam_policy_document.workflow_orchestrator_assume_role: Reading...
module.service.data.aws_iam_policy_document.workflow_orchestrator_assume_role: Read complete after 0s [id=3468042870]
module.service.data.aws_iam_policy_document.runtime_logs: Reading...
module.service.data.aws_iam_policy_document.runtime_logs: Read complete after 0s [id=3547612059]
module.service.aws_kms_key.nr_host_log_forwarder: Refreshing state... [id=019c0f25-ccbc-42e7-b68a-6e7785bfefb5]
data.aws_subnets.public: Read complete after 1s [id=us-east-1]
module.service.aws_iam_role_policy.nr_host_log_forwarder_ssm: Refreshing state... [id=analytics-dev-nr-host-log-forwarder-role:analytics-dev-nr-host-log-forwarder-ssm]
data.aws_subnets.private: Read complete after 1s [id=us-east-1]
module.service.aws_iam_role_policy_attachment.nr_host_log_forwarder_basic: Refreshing state... [id=analytics-dev-nr-host-log-forwarder-role-20260429104936955600000001]
module.service.module.network.data.aws_security_groups.aws_services: Read complete after 1s [id=us-east-1]
module.service.aws_s3_bucket_lifecycle_configuration.access_logs: Refreshing state... [id=analytics-dev-access-logs20241029172617413200000004]
module.service.aws_s3_bucket_server_side_encryption_configuration.encryption: Refreshing state... [id=analytics-dev-access-logs20241029172617413200000004]
module.service.aws_s3_bucket_public_access_block.access_logs: Refreshing state... [id=analytics-dev-access-logs20241029172617413200000004]
module.service.data.aws_iam_policy_document.access_logs_put_access: Reading...
module.service.data.aws_iam_policy_document.access_logs_put_access: Read complete after 0s [id=2027746860]
module.storage.aws_kms_key.storage: Refreshing state... [id=ceac213d-eed9-4579-a206-49b001ecaae3]
module.service.aws_security_group.alb: Refreshing state... [id=sg-0c9a3959f2f42a76e]
aws_iam_policy.api_analytics_bucket_access: Refreshing state... [id=arn:aws:iam::315341936575:policy/dev-api-analytics-transfer]
module.service.aws_iam_role.workflow_orchestrator: Refreshing state... [id=analytics-dev-workflow-orchestrator]
module.service.aws_iam_policy.runtime_logs: Refreshing state... [id=arn:aws:iam::315341936575:policy/analytics-dev-task-executor-role-policy]
module.service.aws_s3_bucket_policy.access_logs: Refreshing state... [id=analytics-dev-access-logs20241029172617413200000004]
data.aws_iam_policy.migrator_db_access_policy[0]: Still reading... [00m10s elapsed]
module.service.data.aws_iam_policy_document.task_executor: Reading...
module.service.data.aws_iam_policy_document.task_executor: Read complete after 0s [id=1906789360]
module.service.aws_s3_bucket_public_access_block.general_purpose: Refreshing state... [id=analytics-dev-general-purpose20241029172617410500000003]
module.database[0].data.aws_iam_policy.app_db_access_policy: Read complete after 9s [id=arn:aws:iam::315341936575:policy/analytics-dev-app-access]
module.service.aws_s3_bucket_lifecycle_configuration.general_purpose: Refreshing state... [id=analytics-dev-general-purpose20241029172617410500000003]
module.service.aws_s3_bucket_server_side_encryption_configuration.general_purpose_encryption: Refreshing state... [id=analytics-dev-general-purpose20241029172617410500000003]
module.service.data.aws_iam_policy_document.general_purpose_put_access: Reading...
module.service.data.aws_iam_policy_document.general_purpose_put_access: Read complete after 0s [id=417394005]
module.service.aws_security_group_rule.http_ingress_ipv6: Refreshing state... [id=sgrule-4112141054]
module.service.aws_security_group.app: Refreshing state... [id=sg-09c1394b598221f67]
module.service.aws_security_group_rule.http_ingress: Refreshing state... [id=sgrule-1369163356]
module.service.aws_iam_role_policy.task_executor: Refreshing state... [id=analytics-dev-task-executor:analytics-dev-task-executor-role-policy]
module.storage.aws_s3_bucket_lifecycle_configuration.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
data.aws_iam_policy.migrator_db_access_policy[0]: Read complete after 12s [id=arn:aws:iam::315341936575:policy/analytics-dev-migrator-access]
module.storage.aws_s3_bucket_notification.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
module.storage.aws_s3_bucket_public_access_block.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
module.service.aws_iam_role_policy_attachment.runtime_logs: Refreshing state... [id=analytics-dev-app-20250430181528072200000001]
module.storage.data.aws_iam_policy_document.storage: Reading...
module.storage.data.aws_iam_policy_document.storage: Read complete after 0s [id=3333657052]
module.service.aws_s3_bucket_policy.general_purpose: Refreshing state... [id=analytics-dev-general-purpose20241029172617410500000003]
module.storage.aws_s3_bucket_server_side_encryption_configuration.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
module.service.aws_iam_role_policy_attachment.extra_policies["api_analytics_bucket_access"]: Refreshing state... [id=analytics-dev-app-20250121210750300800000001]
module.service.aws_cloudwatch_log_group.nr_host_log_forwarder: Refreshing state... [id=/aws/lambda/analytics-dev-nr-host-log-forwarder/logs]
module.storage.aws_s3_bucket_policy.storage: Refreshing state... [id=simpler-grants-gov-analytics-dev]
module.storage.aws_iam_policy.storage_access: Refreshing state... [id=arn:aws:iam::315341936575:policy/simpler-grants-gov-analytics-dev-access]
module.service.aws_security_group_rule.alb_app_local_health_check: Refreshing state... [id=sgrule-3202974405]
module.monitoring.aws_cloudwatch_metric_alarm.high_load_balancer_http_5xx_count: Refreshing state... [id=analytics-dev-high-load-balancer-5xx-count]
module.monitoring.aws_cloudwatch_metric_alarm.high_app_http_5xx_count: Refreshing state... [id=analytics-dev-high-app-5xx-count]
module.monitoring.aws_cloudwatch_metric_alarm.high_app_response_time: Refreshing state... [id=analytics-dev-high-app-response-time]
module.database[0].data.aws_iam_policy.migrator_db_access_policy: Still reading... [00m10s elapsed]
data.aws_iam_policy.app_db_access_policy[0]: Still reading... [00m10s elapsed]
module.service.aws_lambda_function.nr_host_log_forwarder: Refreshing state... [id=analytics-dev-nr-host-log-forwarder]
module.service.aws_lambda_permission.allow_cloudwatch_host: Refreshing state... [id=AllowCloudWatchHost]
module.service.aws_cloudwatch_log_subscription_filter.host_to_newrelic: Refreshing state... [id=cwlsf-2022952151]
module.database[0].data.aws_iam_policy.migrator_db_access_policy: Read complete after 16s [id=arn:aws:iam::315341936575:policy/analytics-dev-migrator-access]
module.service.aws_iam_role_policy_attachment.app_service_db_access[0]: Refreshing state... [id=analytics-dev-app-20250211201518640400000002]
module.service.aws_vpc_security_group_ingress_rule.db_ingress_from_service[0]: Refreshing state... [id=sgr-012f867ee6ffdbdb0]
module.service.aws_iam_role.migrator_task[0]: Refreshing state... [id=analytics-dev-migrator]
module.service.aws_ecs_task_definition.app: Refreshing state... [id=analytics-dev]
module.service.aws_iam_role_policy_attachment.migrator_app_db_access[0]: Refreshing state... [id=analytics-dev-migrator-20251218101854760900000001]
module.service.aws_iam_role_policy_attachment.migrator_db_access[0]: Refreshing state... [id=analytics-dev-migrator-20250211201518636400000001]
module.service.data.aws_iam_policy_document.run_task: Reading...
module.service.aws_sfn_state_machine.scheduled_jobs["sprint-reports"]: Refreshing state... [id=arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports]
module.service.aws_ecs_service.app: Refreshing state... [id=arn:aws:ecs:us-east-1:315341936575:service/analytics-dev/analytics-dev]
module.service.aws_sfn_state_machine.scheduled_jobs["opportunity-load-csvs"]: Refreshing state... [id=arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs]
module.service.data.aws_iam_policy_document.run_task: Read complete after 0s [id=1712525928]
module.service.aws_iam_policy.workflow_orchestrator: Refreshing state... [id=arn:aws:iam::315341936575:policy/analytics-dev-workflow-orchestrator]
module.service.aws_iam_policy.run_task: Refreshing state... [id=arn:aws:iam::315341936575:policy/analytics-dev-run-access]
module.service.aws_iam_role_policy_attachment.events: Refreshing state... [id=analytics-dev-events-20260226212600417300000001]
module.service.aws_iam_role_policy_attachment.workflow_orchestrator: Refreshing state... [id=analytics-dev-workflow-orchestrator-20260226212600443700000002]
module.service.aws_scheduler_schedule.scheduled_jobs["sprint-reports"]: Refreshing state... [id=default/analytics-dev-sprint-reports]
module.service.aws_scheduler_schedule.scheduled_jobs["opportunity-load-csvs"]: Refreshing state... [id=default/analytics-dev-opportunity-load-csvs]
module.service.aws_iam_policy.scheduler: Refreshing state... [id=arn:aws:iam::315341936575:policy/analytics-dev-scheduler]
module.service.aws_iam_role_policy_attachment.scheduler: Refreshing state... [id=analytics-dev-scheduler-20260226212601590400000003]
data.aws_iam_policy.app_db_access_policy[0]: Still reading... [00m20s elapsed]
data.aws_iam_policy.app_db_access_policy[0]: Read complete after 21s [id=arn:aws:iam::315341936575:policy/analytics-dev-app-access]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # module.service.data.aws_iam_policy_document.scheduler will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "scheduler" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "events:DescribeRule",
              + "events:PutRule",
              + "events:PutTargets",
            ]
          + resources = [
              + "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule",
            ]
          + sid       = "StepFunctionsEvents"
        }
      + statement {
          + actions   = [
              + "states:StartExecution",
            ]
          + resources = [
              + "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs",
            ]
        }
      + statement {
          + actions   = [
              + "states:StartExecution",
            ]
          + resources = [
              + "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports",
            ]
        }
      + statement {
          + actions   = [
              + "states:DescribeExecution",
              + "states:StopExecution",
            ]
          + resources = [
              + "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs:*",
            ]
        }
      + statement {
          + actions   = [
              + "states:DescribeExecution",
              + "states:StopExecution",
            ]
          + resources = [
              + "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports:*",
            ]
        }
    }

  # module.service.data.aws_iam_policy_document.workflow_orchestrator will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "workflow_orchestrator" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "logs:CreateLogDelivery",
              + "logs:CreateLogStream",
              + "logs:DeleteLogDelivery",
              + "logs:DescribeLogGroups",
              + "logs:DescribeResourcePolicies",
              + "logs:GetLogDelivery",
              + "logs:ListLogDeliveries",
              + "logs:PutLogEvents",
              + "logs:PutResourcePolicy",
              + "logs:UpdateLogDelivery",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "UnscopeLogsPermissions"
        }
      + statement {
          + actions   = [
              + "events:DescribeRule",
              + "events:PutRule",
              + "events:PutTargets",
            ]
          + resources = [
              + "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForECSTaskRule",
            ]
          + sid       = "StepFunctionsEvents"
        }
      + statement {
          + actions   = [
              + "events:CreateManagedRule",
              + "events:DeleteManagedRule",
              + "events:DescribeManagedRule",
              + "events:DisableManagedRule",
              + "events:EnableManagedRule",
              + "events:PutManagedRule",
              + "events:PutTargets",
            ]
          + resources = [
              + "arn:aws:events:us-east-1:315341936575:managed-rule/*",
            ]
          + sid       = "StepFunctionsManagedRules"
        }
      + statement {
          + actions   = [
              + "ecs:RunTask",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "ArnLike"
              + values   = [
                  + "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev",
                ]
              + variable = "ecs:cluster"
            }
        }
      + statement {
          + actions   = [
              + "ecs:DescribeTasks",
              + "ecs:StopTask",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:ecs:us-east-1:315341936575:task/analytics-dev/*",
            ]

          + condition {
              + test     = "ArnLike"
              + values   = [
                  + "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev",
                ]
              + variable = "ecs:cluster"
            }
        }
      + statement {
          + actions   = [
              + "iam:PassRole",
            ]
          + resources = [
              + "arn:aws:iam::315341936575:role/analytics-dev-app",
              + "arn:aws:iam::315341936575:role/analytics-dev-migrator",
              + "arn:aws:iam::315341936575:role/analytics-dev-task-executor",
            ]
          + sid       = "PassRole"
        }
    }

  # module.service.aws_ecs_service.app will be updated in-place
  ~ resource "aws_ecs_service" "app" {
        id                                 = "arn:aws:ecs:us-east-1:315341936575:service/analytics-dev/analytics-dev"
        name                               = "analytics-dev"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev:694" -> (known after apply)
        # (16 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.service.aws_ecs_task_definition.app must be replaced
-/+ resource "aws_ecs_task_definition" "app" {
      ~ arn                      = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev:694" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "analytics-dev" -> (known after apply)
      ~ revision                 = 694 -> (known after apply)
      - tags                     = {} -> null
        # (12 unchanged attributes hidden)
    }

  # module.service.aws_iam_policy.scheduler will be updated in-place
  ~ resource "aws_iam_policy" "scheduler" {
        id               = "arn:aws:iam::315341936575:policy/analytics-dev-scheduler"
        name             = "analytics-dev-scheduler"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutRule",
                          - "events:DescribeRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
                      - Sid      = "StepFunctionsEvents"
                    },
                  - {
                      - Action   = "states:StartExecution"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs"
                    },
                  - {
                      - Action   = "states:StartExecution"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports"
                    },
                  - {
                      - Action   = [
                          - "states:StopExecution",
                          - "states:DescribeExecution",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs:*"
                    },
                  - {
                      - Action   = [
                          - "states:StopExecution",
                          - "states:DescribeExecution",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports:*"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.service.aws_iam_policy.workflow_orchestrator will be updated in-place
  ~ resource "aws_iam_policy" "workflow_orchestrator" {
        id               = "arn:aws:iam::315341936575:policy/analytics-dev-workflow-orchestrator"
        name             = "analytics-dev-workflow-orchestrator"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:UpdateLogDelivery",
                          - "logs:PutResourcePolicy",
                          - "logs:PutLogEvents",
                          - "logs:ListLogDeliveries",
                          - "logs:GetLogDelivery",
                          - "logs:DescribeResourcePolicies",
                          - "logs:DescribeLogGroups",
                          - "logs:DeleteLogDelivery",
                          - "logs:CreateLogStream",
                          - "logs:CreateLogDelivery",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "UnscopeLogsPermissions"
                    },
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutRule",
                          - "events:DescribeRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForECSTaskRule"
                      - Sid      = "StepFunctionsEvents"
                    },
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutManagedRule",
                          - "events:EnableManagedRule",
                          - "events:DisableManagedRule",
                          - "events:DescribeManagedRule",
                          - "events:DeleteManagedRule",
                          - "events:CreateManagedRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:events:us-east-1:315341936575:managed-rule/*"
                      - Sid      = "StepFunctionsManagedRules"
                    },
                  - {
                      - Action    = "ecs:RunTask"
                      - Condition = {
                          - ArnLike = {
                              - "ecs:cluster" = "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev"
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev:*"
                    },
                  - {
                      - Action    = [
                          - "ecs:StopTask",
                          - "ecs:DescribeTasks",
                        ]
                      - Condition = {
                          - ArnLike = {
                              - "ecs:cluster" = "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev"
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "arn:aws:ecs:us-east-1:315341936575:task/analytics-dev/*"
                    },
                  - {
                      - Action   = "iam:PassRole"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:iam::315341936575:role/analytics-dev-task-executor",
                          - "arn:aws:iam::315341936575:role/analytics-dev-migrator",
                          - "arn:aws:iam::315341936575:role/analytics-dev-app",
                        ]
                      - Sid      = "PassRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.service.aws_sfn_state_machine.scheduled_jobs["opportunity-load-csvs"] will be updated in-place
  ~ resource "aws_sfn_state_machine" "scheduled_jobs" {
      ~ definition                = jsonencode(
            {
              - StartAt = "RunTask"
              - States  = {
                  - RunTask = {
                      - End        = true
                      - Parameters = {
                          - Cluster              = "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev"
                          - LaunchType           = "FARGATE"
                          - NetworkConfiguration = {
                              - AwsvpcConfiguration = {
                                  - SecurityGroups = [
                                      - "sg-09c1394b598221f67",
                                    ]
                                  - Subnets        = [
                                      - "subnet-068ede7dcfd9469ab",
                                      - "subnet-0a5ea667d3751639f",
                                      - "subnet-019f469ba97dc6ec7",
                                    ]
                                }
                            }
                          - Overrides            = {
                              - ContainerOverrides = [
                                  - {
                                      - Command     = [
                                          - "analytics",
                                          - "etl",
                                          - "opportunity-load",
                                        ]
                                      - Cpu         = 768
                                      - Environment = []
                                      - Memory      = 1792
                                      - Name        = "analytics-dev"
                                    },
                                ]
                              - Cpu                = "1024"
                              - Memory             = "2048"
                              - TaskRoleArn        = "arn:aws:iam::315341936575:role/analytics-dev-app"
                            }
                          - TaskDefinition       = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev"
                        }
                      - Resource   = "arn:aws:states:::ecs:runTask.sync"
                      - Type       = "Task"
                    }
                }
            }
        ) -> (known after apply)
        id                        = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-opportunity-load-csvs"
        name                      = "analytics-dev-opportunity-load-csvs"
        tags                      = {
            "job"  = "opportunity-load-csvs"
            "name" = "analytics-dev-opportunity-load-csvs"
        }
        # (11 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.service.aws_sfn_state_machine.scheduled_jobs["sprint-reports"] will be updated in-place
  ~ resource "aws_sfn_state_machine" "scheduled_jobs" {
      ~ definition                = jsonencode(
            {
              - StartAt = "RunTask"
              - States  = {
                  - RunTask = {
                      - End        = true
                      - Parameters = {
                          - Cluster              = "arn:aws:ecs:us-east-1:315341936575:cluster/analytics-dev"
                          - LaunchType           = "FARGATE"
                          - NetworkConfiguration = {
                              - AwsvpcConfiguration = {
                                  - SecurityGroups = [
                                      - "sg-09c1394b598221f67",
                                    ]
                                  - Subnets        = [
                                      - "subnet-068ede7dcfd9469ab",
                                      - "subnet-0a5ea667d3751639f",
                                      - "subnet-019f469ba97dc6ec7",
                                    ]
                                }
                            }
                          - Overrides            = {
                              - ContainerOverrides = [
                                  - {
                                      - Command     = [
                                          - "make",
                                          - "gh-extract-transform-and-load",
                                        ]
                                      - Cpu         = 768
                                      - Environment = []
                                      - Memory      = 1792
                                      - Name        = "analytics-dev"
                                    },
                                ]
                              - Cpu                = "1024"
                              - Memory             = "2048"
                              - TaskRoleArn        = "arn:aws:iam::315341936575:role/analytics-dev-app"
                            }
                          - TaskDefinition       = "arn:aws:ecs:us-east-1:315341936575:task-definition/analytics-dev"
                        }
                      - Resource   = "arn:aws:states:::ecs:runTask.sync"
                      - Type       = "Task"
                    }
                }
            }
        ) -> (known after apply)
        id                        = "arn:aws:states:us-east-1:315341936575:stateMachine:analytics-dev-sprint-reports"
        name                      = "analytics-dev-sprint-reports"
        tags                      = {
            "job"  = "sprint-reports"
            "name" = "analytics-dev-sprint-reports"
        }
        # (11 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.storage.data.aws_iam_policy_document.storage_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "storage_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:DeleteObject",
              + "s3:DeleteObjectTagging",
              + "s3:GetObject",
              + "s3:GetObjectAttributes",
              + "s3:GetObjectTagging",
              + "s3:ListBucket",
              + "s3:PutObject",
              + "s3:PutObjectTagging",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::simpler-grants-gov-analytics-dev",
              + "arn:aws:s3:::simpler-grants-gov-analytics-dev/*",
            ]
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:us-east-1:315341936575:key/ceac213d-eed9-4579-a206-49b001ecaae3",
            ]
        }
    }

  # module.storage.aws_iam_policy.storage_access will be updated in-place
  ~ resource "aws_iam_policy" "storage_access" {
        id               = "arn:aws:iam::315341936575:policy/simpler-grants-gov-analytics-dev-access"
        name             = "simpler-grants-gov-analytics-dev-access"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:PutObjectTagging",
                          - "s3:PutObject",
                          - "s3:ListBucket",
                          - "s3:GetObjectTagging",
                          - "s3:GetObjectAttributes",
                          - "s3:GetObject",
                          - "s3:DeleteObjectTagging",
                          - "s3:DeleteObject",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::simpler-grants-gov-analytics-dev/*",
                          - "arn:aws:s3:::simpler-grants-gov-analytics-dev",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-east-1:315341936575:key/ceac213d-eed9-4579-a206-49b001ecaae3"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.storage.aws_kms_key.storage will be updated in-place
  ~ resource "aws_kms_key" "storage" {
        id                                 = "ceac213d-eed9-4579-a206-49b001ecaae3"
      ~ policy                             = jsonencode(
          ~ {
              - Id        = "key-default-1"
                # (2 unchanged attributes hidden)
            }
        )
        tags                               = {}
        # (14 unchanged attributes hidden)
    }

Plan: 1 to add, 7 to change, 1 to destroy.

Warning: Invalid Attribute Combination

  with module.service.aws_s3_bucket_lifecycle_configuration.access_logs,
  on ../../modules/service/access_logs.tf line 78, in resource "aws_s3_bucket_lifecycle_configuration" "access_logs":
  78:   rule {

No attribute specified when one (and only one) of [rule[0].prefix.<.filter]
is required

This will be an error in a future version of the provider

(and 6 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Releasing state lock. This may take a few moments...

@sean-navapbc

Collaborator Author

Full plan: infra/frontend/service (dev)

terraform plan output
data.terraform_remote_state.current_image_tag[0]: Reading...
module.service.data.external.deploy_github_sha: Reading...
module.app_config.data.external.account_ids_by_name: Reading...
module.service.data.external.whoami: Reading...
module.secrets.random_password.secrets["SESSION_SECRET"]: Refreshing state... [id=none]
module.service.data.archive_file.nr_alb_log_forwarder[0]: Reading...
module.service.data.archive_file.nr_host_log_forwarder: Reading...
module.service.data.archive_file.nr_alb_log_forwarder[0]: Read complete after 0s [id=a4f15637d56de097131019ee4c4607ac07a854c3]
module.service.data.archive_file.nr_host_log_forwarder: Read complete after 0s [id=d0ad0ee7fd1065a8208bbdcbd96edb2c45eaca7f]
module.service.data.external.whoami: Read complete after 0s [id=-]
module.app_config.data.external.account_ids_by_name: Read complete after 0s [id=-]
module.service.data.external.deploy_github_sha: Read complete after 0s [id=-]
module.service.module.network.data.aws_subnets.private: Reading...
module.service.module.network.data.aws_subnets.database: Reading...
module.storage.data.aws_caller_identity.current: Reading...
module.storage.data.aws_region.current: Reading...
module.service.module.network.data.aws_vpc.network: Reading...
module.service.data.aws_ssm_parameter.newrelic_license_key_host: Reading...
module.service.aws_cloudwatch_log_group.service_logs: Refreshing state... [id=service/frontend-dev]
module.service.data.aws_iam_policy_document.scheduler_assume_role: Reading...
module.storage.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.service.data.aws_iam_policy_document.scheduler_assume_role: Read complete after 0s [id=52247394]
module.service.aws_s3_bucket.access_logs: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
module.service.aws_iam_role.nr_host_log_forwarder: Refreshing state... [id=frontend-dev-nr-host-log-forwarder-role]
module.service.aws_s3_bucket.general_purpose: Refreshing state... [id=frontend-dev-general-purpose20240422224603864800000001]
module.storage.data.aws_caller_identity.current: Read complete after 1s [id=315341936575]
module.service.data.aws_iam_policy_document.events_assume_role: Reading...
module.service.data.aws_iam_policy_document.events_assume_role: Read complete after 0s [id=3959961479]
module.service.data.aws_iam_policy_document.ecs_tasks_assume_role_policy: Reading...
module.service.data.aws_iam_policy_document.ecs_tasks_assume_role_policy: Read complete after 0s [id=4229150499]
module.service.aws_cloudfront_cache_policy.api_no_cache[0]: Refreshing state... [id=b22e8f53-d955-4c8a-af44-240996fe999d]
module.service.module.network.data.aws_subnets.database: Read complete after 2s [id=us-east-1]
module.secrets.data.aws_ssm_parameter.secrets["SENDY_API_KEY"]: Reading...
module.service.module.network.data.aws_subnets.private: Read complete after 2s [id=us-east-1]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_APPLY_FORM_PROTOTYPE_OFF"]: Reading...
module.service.data.aws_ssm_parameter.newrelic_license_key_host: Read complete after 2s [id=/new-relic-license-key]
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_LICENSE_KEY"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["API_URL"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["SENDY_LIST_ID"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["SENDY_API_KEY"]: Read complete after 0s [id=/frontend/dev/sendy-api-key]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_OPPORTUNITIES_LIST_OFF"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_APPLY_FORM_PROTOTYPE_OFF"]: Read complete after 1s [id=/frontend/dev/feature-apply-form-prototype-off]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_FEATURE_FLAG_ADMIN_OFF"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["API_JWT_PUBLIC_KEY"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_LICENSE_KEY"]: Read complete after 1s [id=/new-relic-license-key]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_MAINTENANCE_MODE"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["API_URL"]: Read complete after 1s [id=/frontend/dev/api-url]
module.secrets.data.aws_ssm_parameter.secrets["SENDY_API_URL"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["SENDY_LIST_ID"]: Read complete after 1s [id=/frontend/dev/sendy-list-id]
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_APP_NAME"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_OPPORTUNITIES_LIST_OFF"]: Read complete after 1s [id=/frontend/dev/feature-opportunities-list-off]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_AWARD_RECOMMENDATION_OFF"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_FEATURE_FLAG_ADMIN_OFF"]: Read complete after 0s [id=/frontend/dev/feature-feature-flag-admin-off]
module.service.data.aws_caller_identity.current: Reading...
module.secrets.data.aws_ssm_parameter.secrets["API_JWT_PUBLIC_KEY"]: Read complete after 0s [id=/api/dev/api-jwt-public-key]
module.secrets.data.aws_ssm_parameter.secrets["API_GW_AUTH"]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["SENDY_API_URL"]: Read complete after 1s [id=/frontend/dev/sendy-api-url]
module.secrets.data.aws_ssm_parameter.secrets["NEW_RELIC_APP_NAME"]: Read complete after 1s [id=/frontend/dev/new-relic-app-name]
module.secrets.data.aws_ssm_parameter.secrets["AUTH_LOGIN_URL"]: Reading...
module.secrets.aws_ssm_parameter.secrets["SESSION_SECRET"]: Refreshing state... [id=/frontend/dev/session-secret]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_AWARD_RECOMMENDATION_OFF"]: Read complete after 1s [id=/frontend/dev/feature-award-recommendation-off]
data.aws_acm_certificate.certificate[0]: Reading...
module.service.data.aws_caller_identity.current: Read complete after 1s [id=315341936575]
module.service.aws_cloudfront_origin_request_policy.forward_all_cookies[0]: Refreshing state... [id=e7b98a93-2372-4c81-b522-e6d8141bfc19]
module.service.module.network.data.aws_vpc.network: Read complete after 4s [id=vpc-08f522c5cc442d126]
module.domain.data.aws_route53_zone.zone[0]: Reading...
data.terraform_remote_state.current_image_tag[0]: Read complete after 5s
module.domain.data.aws_acm_certificate.certificate[0]: Reading...
module.secrets.data.aws_ssm_parameter.secrets["API_GW_AUTH"]: Read complete after 1s [id=/frontend/dev/X-API-KEY]
module.service.aws_cloudfront_cache_policy.default[0]: Refreshing state... [id=bba68319-a780-4ac0-b437-cc85490c7213]
module.secrets.data.aws_ssm_parameter.secrets["FEATURE_MAINTENANCE_MODE"]: Read complete after 1s [id=/frontend/dev/feature-maintenance-mode]
module.service.module.network.data.aws_subnets.public: Reading...
module.secrets.data.aws_ssm_parameter.secrets["AUTH_LOGIN_URL"]: Read complete after 0s [id=/frontend/dev/auth-login-url]
module.service.aws_iam_role.nr_alb_log_forwarder[0]: Refreshing state... [id=frontend-dev-nr-alb-log-forwarder-role]
data.aws_vpc.network: Reading...
module.service.module.network.data.aws_subnets.public: Read complete after 0s [id=us-east-1]
module.service.aws_ecs_cluster.cluster: Refreshing state... [id=arn:aws:ecs:us-east-1:315341936575:cluster/frontend-dev]
module.storage.aws_s3_bucket.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.service.aws_wafv2_web_acl.waf[0]: Refreshing state... [id=c7b7b8d6-3f15-497d-8ec8-66c6239cdff2]
module.service.data.aws_iam_policy_document.ecs_exec: Reading...
module.service.data.aws_iam_policy_document.ecs_exec: Read complete after 0s [id=1236260518]
module.service.data.aws_region.current: Reading...
module.service.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.service.aws_s3_bucket.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002]
module.service.aws_cloudwatch_log_group.WafWebAclLoggroup[0]: Refreshing state... [id=aws-waf-logs-wafv2-web-acl-frontend-dev]
data.aws_vpc.network: Read complete after 2s [id=vpc-08f522c5cc442d126]
module.service.data.aws_ssm_parameter.newrelic_license_key[0]: Reading...
module.domain.data.aws_route53_zone.zone[0]: Read complete after 2s [id=Z04517193GDPF9DWUX2WT]
module.service.aws_cloudfront_origin_access_control.cdn[0]: Refreshing state... [id=E3FCVP7DYF159W]
module.service.aws_iam_role.scheduler: Refreshing state... [id=frontend-dev-scheduler]
data.aws_acm_certificate.certificate[0]: Read complete after 2s [id=arn:aws:acm:us-east-1:315341936575:certificate/aae4b400-c70e-432c-a2f1-ff0a9e901cd7]
module.storage.data.aws_iam_policy_document.kms_key_policy: Reading...
module.storage.data.aws_iam_policy_document.kms_key_policy: Read complete after 0s [id=2126862806]
module.service.aws_iam_role.events: Refreshing state... [id=frontend-dev-events]
module.service.aws_iam_role.app_service: Refreshing state... [id=frontend-dev-app]
module.domain.data.aws_acm_certificate.certificate[0]: Read complete after 2s [id=arn:aws:acm:us-east-1:315341936575:certificate/aae4b400-c70e-432c-a2f1-ff0a9e901cd7]
module.service.aws_iam_role.task_executor: Refreshing state... [id=frontend-dev-task-executor]
module.service.data.aws_ssm_parameter.newrelic_license_key[0]: Read complete after 0s [id=/new-relic-license-key]
module.service.aws_iam_role_policy_attachment.nr_host_log_forwarder_basic: Refreshing state... [id=frontend-dev-nr-host-log-forwarder-role-20260429103818548300000001]
module.service.aws_iam_role_policy.nr_host_log_forwarder_ssm: Refreshing state... [id=frontend-dev-nr-host-log-forwarder-role:frontend-dev-nr-host-log-forwarder-ssm]
module.service.module.network.data.aws_security_groups.aws_services: Reading...
module.service.module.network.data.aws_security_groups.aws_services: Read complete after 1s [id=us-east-1]
module.service.aws_iam_role_policy_attachment.nr_alb_log_forwarder_basic[0]: Refreshing state... [id=frontend-dev-nr-alb-log-forwarder-role-20260327200002606100000001]
module.service.aws_iam_policy.ecs_exec: Refreshing state... [id=arn:aws:iam::315341936575:policy/frontend-dev-ecs-exec]
module.service.data.aws_iam_policy_document.workflow_orchestrator_assume_role: Reading...
module.service.data.aws_iam_policy_document.workflow_orchestrator_assume_role: Read complete after 0s [id=3468042870]
module.service.data.aws_iam_policy_document.runtime_logs: Reading...
module.service.data.aws_iam_policy_document.runtime_logs: Read complete after 0s [id=654727942]
module.service.aws_kms_key.nr_alb_log_forwarder[0]: Refreshing state... [id=9070e894-ca3e-4826-9252-8d24851566d5]
module.service.aws_kms_key.nr_host_log_forwarder: Refreshing state... [id=f3a24401-814e-484d-ba4f-a5b414115889]
data.aws_subnets.private: Reading...
data.aws_security_groups.aws_services: Reading...
data.aws_subnets.public: Reading...
module.service.aws_s3_bucket_server_side_encryption_configuration.encryption: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
data.aws_subnets.private: Read complete after 0s [id=us-east-1]
module.service.data.aws_iam_policy_document.access_logs_put_access: Reading...
module.service.data.aws_iam_policy_document.access_logs_put_access: Read complete after 0s [id=2207872279]
module.service.aws_s3_bucket_lifecycle_configuration.access_logs: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
data.aws_security_groups.aws_services: Read complete after 0s [id=us-east-1]
module.service.aws_s3_bucket_public_access_block.access_logs: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
data.aws_subnets.public: Read complete after 0s [id=us-east-1]
module.service.aws_iam_role_policy.nr_alb_log_forwarder_s3[0]: Refreshing state... [id=frontend-dev-nr-alb-log-forwarder-role:frontend-dev-nr-alb-log-forwarder-s3]
module.service.aws_s3_bucket_server_side_encryption_configuration.general_purpose_encryption: Refreshing state... [id=frontend-dev-general-purpose20240422224603864800000001]
module.service.aws_s3_bucket_public_access_block.general_purpose: Refreshing state... [id=frontend-dev-general-purpose20240422224603864800000001]
module.storage.aws_kms_key.storage: Refreshing state... [id=cca102a2-9b68-446d-8a0d-8258f640aa97]
module.service.aws_s3_bucket_lifecycle_configuration.general_purpose: Refreshing state... [id=frontend-dev-general-purpose20240422224603864800000001]
module.service.aws_iam_role_policy.nr_alb_log_forwarder_ssm[0]: Refreshing state... [id=frontend-dev-nr-alb-log-forwarder-role:frontend-dev-nr-alb-log-forwarder-ssm]
module.service.aws_security_group.alb: Refreshing state... [id=sg-09f21e3710e63e128]
module.service.aws_lb_target_group.app_tg[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:targetgroup/app-20240129183934308400000001/6291f09ee717b0d7]
module.service.aws_iam_role.workflow_orchestrator: Refreshing state... [id=frontend-dev-workflow-orchestrator]
module.service.aws_iam_policy.runtime_logs: Refreshing state... [id=arn:aws:iam::315341936575:policy/frontend-dev-task-executor-role-policy]
module.service.data.aws_iam_policy_document.general_purpose_put_access: Reading...
module.service.data.aws_iam_policy_document.general_purpose_put_access: Read complete after 0s [id=1545896503]
module.service.aws_s3_bucket_policy.access_logs: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
module.service.aws_cloudwatch_log_group.nr_alb_log_forwarder[0]: Refreshing state... [id=/aws/lambda/frontend-dev-nr-alb-log-forwarder]
module.service.data.aws_iam_policy_document.task_executor: Reading...
module.service.data.aws_iam_policy_document.task_executor: Read complete after 0s [id=1946054165]
module.service.aws_security_group_rule.http_ingress: Refreshing state... [id=sgrule-982783969]
module.service.aws_security_group_rule.https_ingress[0]: Refreshing state... [id=sgrule-1653939980]
module.service.aws_security_group.app: Refreshing state... [id=sg-0ab68d90ef2574a9b]
module.service.aws_security_group_rule.http_ingress_ipv6: Refreshing state... [id=sgrule-535005817]
module.service.aws_security_group_rule.https_ingress_ipv6[0]: Refreshing state... [id=sgrule-2489528993]
module.service.aws_wafv2_web_acl_logging_configuration.WafWebAclLogging[0]: Refreshing state... [id=arn:aws:wafv2:us-east-1:315341936575:regional/webacl/frontend-dev-wafv2-web-acl/c7b7b8d6-3f15-497d-8ec8-66c6239cdff2]
module.service.aws_s3_bucket_policy.general_purpose: Refreshing state... [id=frontend-dev-general-purpose20240422224603864800000001]
module.service.aws_cloudwatch_log_group.nr_host_log_forwarder: Refreshing state... [id=/aws/lambda/frontend-dev-nr-host-log-forwarder/logs]
module.service.aws_iam_role_policy.task_executor: Refreshing state... [id=frontend-dev-task-executor:frontend-dev-task-executor-role-policy]
module.service.aws_lb.alb[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:loadbalancer/app/frontend-dev/3c9002fb0aa7756d]
module.storage.aws_s3_bucket_notification.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.storage.aws_s3_bucket_public_access_block.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.storage.aws_s3_bucket_lifecycle_configuration.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.storage.data.aws_iam_policy_document.storage: Reading...
module.storage.data.aws_iam_policy_document.storage: Read complete after 0s [id=1890763773]
module.service.aws_iam_role_policy_attachment.runtime_logs: Refreshing state... [id=frontend-dev-app-20250501191931680200000002]
module.storage.aws_s3_bucket_server_side_encryption_configuration.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.service.aws_lambda_function.nr_alb_log_forwarder[0]: Refreshing state... [id=frontend-dev-nr-alb-log-forwarder]
module.service.aws_security_group_rule.alb_app_local_health_check: Refreshing state... [id=sgrule-2374040162]
module.storage.aws_s3_bucket_policy.storage: Refreshing state... [id=simpler-grants-gov-frontend-dev]
module.storage.aws_iam_policy.storage_access: Refreshing state... [id=arn:aws:iam::315341936575:policy/simpler-grants-gov-frontend-dev-access]
module.service.aws_lambda_function.nr_host_log_forwarder: Refreshing state... [id=frontend-dev-nr-host-log-forwarder]
module.service.aws_s3_bucket_ownership_controls.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002]
module.service.aws_s3_bucket_lifecycle_configuration.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002]
module.service.aws_s3_bucket_public_access_block.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002]
module.service.aws_s3_bucket_acl.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002,log-delivery-write]
module.service.aws_wafv2_web_acl_association.WafWebAclAssociation[0]: Refreshing state... [id=arn:aws:wafv2:us-east-1:315341936575:regional/webacl/frontend-dev-wafv2-web-acl/c7b7b8d6-3f15-497d-8ec8-66c6239cdff2,arn:aws:elasticloadbalancing:us-east-1:315341936575:loadbalancer/app/frontend-dev/3c9002fb0aa7756d]
module.service.aws_lb_listener.alb_listener_http[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:listener/app/frontend-dev/3c9002fb0aa7756d/249586ef7c2428aa]
module.service.aws_lb_listener.alb_listener_https[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:listener/app/frontend-dev/3c9002fb0aa7756d/05591061f06ab0bc]
module.service.aws_cloudfront_distribution.cdn[0]: Refreshing state... [id=E8MSK3F3PHH2L]
module.service.aws_lambda_permission.allow_cloudwatch_host: Refreshing state... [id=AllowCloudWatchHost]
module.service.aws_lambda_permission.allow_s3_alb_logs[0]: Refreshing state... [id=AllowS3AlbLogs]
module.service.aws_cloudwatch_log_subscription_filter.host_to_newrelic: Refreshing state... [id=cwlsf-3722069325]
module.service.aws_s3_bucket_notification.alb_logs_to_lambda[0]: Refreshing state... [id=frontend-dev-access-logs20230818175923948800000003]
module.service.aws_lb_listener_rule.app_http_forward[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:listener-rule/app/frontend-dev/3c9002fb0aa7756d/249586ef7c2428aa/42ac4725904087e4]
module.service.aws_lb_listener_rule.http_to_https_redirect[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:listener-rule/app/frontend-dev/3c9002fb0aa7756d/249586ef7c2428aa/70d0491ede43a7c5]
module.service.aws_lb_listener_rule.app_https_forward[0]: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-1:315341936575:listener-rule/app/frontend-dev/3c9002fb0aa7756d/05591061f06ab0bc/2076660e9d031dd3]
module.service.aws_s3_bucket_policy.cdn[0]: Refreshing state... [id=frontend-dev-cdn-access-logs20241206211507516700000002]
module.service.aws_ecs_task_definition.app: Refreshing state... [id=frontend-dev]
module.service.data.aws_iam_policy_document.scheduler: Reading...
module.service.data.aws_iam_policy_document.run_task: Reading...
module.service.aws_ecs_service.app: Refreshing state... [id=arn:aws:ecs:us-east-1:315341936575:service/frontend-dev/frontend-dev]
module.service.data.aws_iam_policy_document.scheduler: Read complete after 0s [id=1712525928]
module.service.aws_iam_policy.workflow_orchestrator: Refreshing state... [id=arn:aws:iam::315341936575:policy/frontend-dev-workflow-orchestrator]
module.service.data.aws_iam_policy_document.run_task: Read complete after 0s [id=1712525928]
module.service.aws_iam_policy.scheduler: Refreshing state... [id=arn:aws:iam::315341936575:policy/frontend-dev-scheduler]
module.service.aws_iam_policy.run_task: Refreshing state... [id=arn:aws:iam::315341936575:policy/frontend-dev-run-access]
module.service.aws_iam_role_policy_attachment.scheduler: Refreshing state... [id=frontend-dev-scheduler-20260226101858800400000002]
module.service.aws_iam_role_policy_attachment.events: Refreshing state... [id=frontend-dev-events-20260226101858890900000004]
module.service.aws_iam_role_policy_attachment.workflow_orchestrator: Refreshing state... [id=frontend-dev-workflow-orchestrator-20260226101858874400000003]
module.service.aws_appautoscaling_target.ecs_target[0]: Refreshing state... [id=service/frontend-dev/frontend-dev]
module.service.aws_appautoscaling_policy.ecs_scale_policy_cpu[0]: Refreshing state... [id=frontend-dev-ecs-scale-policy-cpu]
module.service.aws_appautoscaling_policy.ecs_scale_policy_memory[0]: Refreshing state... [id=frontend-dev-ecs-scale-policy-memory]
module.monitoring.aws_cloudwatch_log_metric_filter.service_error_filter: Refreshing state... [id=service-error-filter]
module.monitoring.aws_sns_topic.this: Refreshing state... [id=arn:aws:sns:us-east-1:315341936575:frontend-dev-monitoring]
module.monitoring.aws_cloudwatch_metric_alarm.high_load_balancer_http_5xx_count: Refreshing state... [id=frontend-dev-high-load-balancer-5xx-count]
module.monitoring.aws_cloudwatch_metric_alarm.high_app_http_5xx_count: Refreshing state... [id=frontend-dev-high-app-5xx-count]
module.monitoring.aws_cloudwatch_metric_alarm.service_errors: Refreshing state... [id=frontend-dev-errors]
module.monitoring.aws_cloudwatch_metric_alarm.high_app_response_time: Refreshing state... [id=frontend-dev-high-app-response-time]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # module.service.data.aws_iam_policy_document.cdn[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "cdn" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:GetObject",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::frontend-dev-cdn-access-logs20241206211507516700000002/*",
            ]
          + sid       = "AllowCloudFrontIngress"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "arn:aws:cloudfront::315341936575:distribution/E8MSK3F3PHH2L",
                ]
              + variable = "AWS:SourceArn"
            }

          + principals {
              + identifiers = [
                  + "cloudfront.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.service.data.aws_iam_policy_document.workflow_orchestrator will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "workflow_orchestrator" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "logs:CreateLogDelivery",
              + "logs:CreateLogStream",
              + "logs:DeleteLogDelivery",
              + "logs:DescribeLogGroups",
              + "logs:DescribeResourcePolicies",
              + "logs:GetLogDelivery",
              + "logs:ListLogDeliveries",
              + "logs:PutLogEvents",
              + "logs:PutResourcePolicy",
              + "logs:UpdateLogDelivery",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "UnscopeLogsPermissions"
        }
      + statement {
          + actions   = [
              + "events:DescribeRule",
              + "events:PutRule",
              + "events:PutTargets",
            ]
          + resources = [
              + "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForECSTaskRule",
            ]
          + sid       = "StepFunctionsEvents"
        }
      + statement {
          + actions   = [
              + "events:CreateManagedRule",
              + "events:DeleteManagedRule",
              + "events:DescribeManagedRule",
              + "events:DisableManagedRule",
              + "events:EnableManagedRule",
              + "events:PutManagedRule",
              + "events:PutTargets",
            ]
          + resources = [
              + "arn:aws:events:us-east-1:315341936575:managed-rule/*",
            ]
          + sid       = "StepFunctionsManagedRules"
        }
      + statement {
          + actions   = [
              + "ecs:RunTask",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]

          + condition {
              + test     = "ArnLike"
              + values   = [
                  + "arn:aws:ecs:us-east-1:315341936575:cluster/frontend-dev",
                ]
              + variable = "ecs:cluster"
            }
        }
      + statement {
          + actions   = [
              + "ecs:DescribeTasks",
              + "ecs:StopTask",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:ecs:us-east-1:315341936575:task/frontend-dev/*",
            ]

          + condition {
              + test     = "ArnLike"
              + values   = [
                  + "arn:aws:ecs:us-east-1:315341936575:cluster/frontend-dev",
                ]
              + variable = "ecs:cluster"
            }
        }
      + statement {
          + actions   = [
              + "iam:PassRole",
            ]
          + resources = [
              + "arn:aws:iam::315341936575:role/frontend-dev-app",
              + "arn:aws:iam::315341936575:role/frontend-dev-task-executor",
            ]
          + sid       = "PassRole"
        }
    }

  # module.service.aws_cloudfront_cache_policy.default[0] will be updated in-place
  ~ resource "aws_cloudfront_cache_policy" "default" {
      - comment     = "Auth-aware cache policy with X-User-Authenticated header support" -> null
        id          = "bba68319-a780-4ac0-b437-cc85490c7213"
        name        = "frontend-dev"
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.service.aws_cloudfront_distribution.cdn[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "cdn" {
        id                              = "E8MSK3F3PHH2L"
        tags                            = {}
        # (22 unchanged attributes hidden)

      - origin {
          - connection_attempts      = 3 -> null
          - connection_timeout       = 10 -> null
          - domain_name              = "frontend-dev-1739892538.us-east-1.elb.amazonaws.com" -> null
          - origin_id                = "default" -> null
            # (2 unchanged attributes hidden)

          - custom_origin_config {
              - http_port                = 80 -> null
              - https_port               = 443 -> null
              - origin_keepalive_timeout = 5 -> null
              - origin_protocol_policy   = "https-only" -> null
              - origin_read_timeout      = 30 -> null
              - origin_ssl_protocols     = [
                  - "TLSv1.2",
                ] -> null
            }

          - origin_shield {
              - enabled              = true -> null
              - origin_shield_region = "us-east-1" -> null
            }
        }
      + origin {
          + connection_attempts      = 3
          + connection_timeout       = 10
          + domain_name              = "frontend-dev-1739892538.us-east-1.elb.amazonaws.com"
          + origin_id                = "default"
            # (2 unchanged attributes hidden)

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "https-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1.2",
                ]
            }
        }

        # (5 unchanged blocks hidden)
    }

  # module.service.aws_ecs_service.app will be updated in-place
  ~ resource "aws_ecs_service" "app" {
        id                                 = "arn:aws:ecs:us-east-1:315341936575:service/frontend-dev/frontend-dev"
        name                               = "frontend-dev"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-east-1:315341936575:task-definition/frontend-dev:890" -> (known after apply)
        # (16 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.service.aws_ecs_task_definition.app must be replaced
-/+ resource "aws_ecs_task_definition" "app" {
      ~ arn                      = "arn:aws:ecs:us-east-1:315341936575:task-definition/frontend-dev:890" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:315341936575:task-definition/frontend-dev" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  ~ environment            = [
                        # (3 unchanged elements hidden)
                        {
                            name  = "CDN_URL"
                            value = "https://dev.simpler.grants.gov"
                        },
                      ~ {
                            name  = "DEPLOY_GITHUB_SHA"
                          ~ value = "57614c833b41a1a99f7cf15508360b05cd442ba4" -> "747d2817dec5e1cc256eff6b0d88e016e16eb508"
                        },
                      ~ {
                            name  = "DEPLOY_WHOAMI"
                          ~ value = "runner" -> "seanthomas"
                        },
                        {
                            name  = "ENVIRONMENT"
                            value = "dev"
                        },
                      + {
                          + name  = "ENVIRONMENT"
                          + value = "dev"
                        },
                        {
                            name  = "GENERAL_S3_BUCKET_URL"
                            value = "frontend-dev-general-purpose20240422224603864800000001.s3.us-east-1.amazonaws.com"
                        },
                        # (13 unchanged elements hidden)
                    ]
                  - mountPoints            = []
                    name                   = "frontend-dev"
                    # (12 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "frontend-dev" -> (known after apply)
      ~ revision                 = 890 -> (known after apply)
      - tags                     = {} -> null
        # (12 unchanged attributes hidden)
    }

  # module.service.aws_iam_policy.workflow_orchestrator will be updated in-place
  ~ resource "aws_iam_policy" "workflow_orchestrator" {
        id               = "arn:aws:iam::315341936575:policy/frontend-dev-workflow-orchestrator"
        name             = "frontend-dev-workflow-orchestrator"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:UpdateLogDelivery",
                          - "logs:PutResourcePolicy",
                          - "logs:PutLogEvents",
                          - "logs:ListLogDeliveries",
                          - "logs:GetLogDelivery",
                          - "logs:DescribeResourcePolicies",
                          - "logs:DescribeLogGroups",
                          - "logs:DeleteLogDelivery",
                          - "logs:CreateLogStream",
                          - "logs:CreateLogDelivery",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "UnscopeLogsPermissions"
                    },
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutRule",
                          - "events:DescribeRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:events:us-east-1:315341936575:rule/StepFunctionsGetEventsForECSTaskRule"
                      - Sid      = "StepFunctionsEvents"
                    },
                  - {
                      - Action   = [
                          - "events:PutTargets",
                          - "events:PutManagedRule",
                          - "events:EnableManagedRule",
                          - "events:DisableManagedRule",
                          - "events:DescribeManagedRule",
                          - "events:DeleteManagedRule",
                          - "events:CreateManagedRule",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:events:us-east-1:315341936575:managed-rule/*"
                      - Sid      = "StepFunctionsManagedRules"
                    },
                  - {
                      - Action    = "ecs:RunTask"
                      - Condition = {
                          - ArnLike = {
                              - "ecs:cluster" = "arn:aws:ecs:us-east-1:315341936575:cluster/frontend-dev"
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "arn:aws:ecs:us-east-1:315341936575:task-definition/frontend-dev:*"
                    },
                  - {
                      - Action    = [
                          - "ecs:StopTask",
                          - "ecs:DescribeTasks",
                        ]
                      - Condition = {
                          - ArnLike = {
                              - "ecs:cluster" = "arn:aws:ecs:us-east-1:315341936575:cluster/frontend-dev"
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "arn:aws:ecs:us-east-1:315341936575:task/frontend-dev/*"
                    },
                  - {
                      - Action   = "iam:PassRole"
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:iam::315341936575:role/frontend-dev-task-executor",
                          - "arn:aws:iam::315341936575:role/frontend-dev-app",
                        ]
                      - Sid      = "PassRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.service.aws_s3_bucket_policy.cdn[0] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "cdn" {
        id     = "frontend-dev-cdn-access-logs20241206211507516700000002"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:GetObject"
                      - Condition = {
                          - StringEquals = {
                              - "AWS:SourceArn" = "arn:aws:cloudfront::315341936575:distribution/E8MSK3F3PHH2L"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudfront.amazonaws.com"
                        }
                      - Resource  = "arn:aws:s3:::frontend-dev-cdn-access-logs20241206211507516700000002/*"
                      - Sid       = "AllowCloudFrontIngress"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.storage.data.aws_iam_policy_document.storage_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "storage_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:DeleteObject",
              + "s3:DeleteObjectTagging",
              + "s3:GetObject",
              + "s3:GetObjectAttributes",
              + "s3:GetObjectTagging",
              + "s3:ListBucket",
              + "s3:PutObject",
              + "s3:PutObjectTagging",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::simpler-grants-gov-frontend-dev",
              + "arn:aws:s3:::simpler-grants-gov-frontend-dev/*",
            ]
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:us-east-1:315341936575:key/cca102a2-9b68-446d-8a0d-8258f640aa97",
            ]
        }
    }

  # module.storage.aws_iam_policy.storage_access will be updated in-place
  ~ resource "aws_iam_policy" "storage_access" {
        id               = "arn:aws:iam::315341936575:policy/simpler-grants-gov-frontend-dev-access"
        name             = "simpler-grants-gov-frontend-dev-access"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:PutObjectTagging",
                          - "s3:PutObject",
                          - "s3:ListBucket",
                          - "s3:GetObjectTagging",
                          - "s3:GetObjectAttributes",
                          - "s3:GetObject",
                          - "s3:DeleteObjectTagging",
                          - "s3:DeleteObject",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::simpler-grants-gov-frontend-dev/*",
                          - "arn:aws:s3:::simpler-grants-gov-frontend-dev",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:us-east-1:315341936575:key/cca102a2-9b68-446d-8a0d-8258f640aa97"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.storage.aws_kms_key.storage will be updated in-place
  ~ resource "aws_kms_key" "storage" {
        id                                 = "cca102a2-9b68-446d-8a0d-8258f640aa97"
      ~ policy                             = jsonencode(
          ~ {
              - Id        = "key-default-1"
                # (2 unchanged attributes hidden)
            }
        )
        tags                               = {}
        # (14 unchanged attributes hidden)
    }

Plan: 1 to add, 7 to change, 1 to destroy.

Warning: Invalid Attribute Combination

  with module.service.aws_s3_bucket_lifecycle_configuration.access_logs,
  on ../../modules/service/access_logs.tf line 78, in resource "aws_s3_bucket_lifecycle_configuration" "access_logs":
  78:   rule {

No attribute specified when one (and only one) of [rule[0].prefix.<.filter]
is required

This will be an error in a future version of the provider

(and 6 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Releasing state lock. This may take a few moments...

@sean-navapbc sean-navapbc requested a review from prasnava June 8, 2026 23:05

@prasnava prasnava left a comment


Verified there are no breaking changes across frontend, analytics and the api service.

Deployed the branch to api dev: here

@sean-navapbc sean-navapbc merged commit 8104a7c into main Jun 10, 2026
20 checks passed
@sean-navapbc sean-navapbc deleted the template-v0.17-full-upgrade branch June 10, 2026 18:06

Development

Successfully merging this pull request may close these issues.

Upgrade from v16.x to v17.x from template infra