[NDR-74] Variable Types & Descriptions #351

Open: wants to merge 10 commits into base: main

Conversation

SWhyteAnswer-NHS
Contributor

No description provided.

chrisbloe-nhse changed the title from "NDR-74 Variable Types & Descriptions" to "[NDR-74] Variable Types & Descriptions" on Jul 24, 2025
}

variable "web_acl_id" {
description = "Web ACL to associate this Cloudfront distribution with."
Contributor

Suggested change
description = "Web ACL to associate this Cloudfront distribution with."
description = "Web ACL to associate this CloudFront distribution with."

}

variable "owner" {
type = string
description = "Identifies the team or person responsible for the resource (used for tagging)."
type = string
}

variable "current_account_id" {
Contributor

Can this not be obtained within the module?

Contributor Author

ticket raised NDR-181

@@ -1,45 +1,55 @@
variable "current_account_id" {
Contributor

This could be discovered within the module?

Contributor Author

ticket raised NDR-181

type = string
}

variable "table_name" {
description = "The name of the bucket"
description = "The name of the DynamoDB table used by the Lambda function."
type = string
}

variable "current_account_id" {
Contributor

This could be discovered within the module?

Contributor Author

ticket raised NDR-181

}
variable "enable_fifo" {
description = "Attach first in first out policy to notification queue"
Contributor

Suggested change
description = "Attach first in first out policy to notification queue"
description = "Attach first in first out policy to notification queue."

}

variable "enable_deduplication" {
description = "Prevent content based duplication in notification queue"
Contributor

Suggested change
description = "Prevent content based duplication in notification queue"
description = "Prevent content based duplication in notification queue."

default = []
description = "A list of endpoints (e.g., SQS ARNs) to subscribe to the topic."
type = any
default = []
}

variable "current_account_id" {
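Review bot: `type = any` on the endpoints variable in this hunk leaves the input unconstrained even though its description says it is a list of endpoints (e.g. SQS ARNs). Declare the concrete shape the module expects, for example a list type, so a malformed value is rejected when the configuration is validated instead of inside the resource that consumes it.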
Contributor

This could be discovered within the module?

Contributor Author

ticket raised NDR-181

@@ -39,15 +40,15 @@ variable "enable_sse" {
}

variable "enable_deduplication" {
description = "Prevent content based duplication in queue"
Contributor

Suggested change
description = "Prevent content based duplication in queue"
description = "Prevent content based duplication in queue."

}

variable "enable_fifo" {
description = "Attach first in first out policy to sqs"
Contributor

Suggested change
description = "Attach first in first out policy to sqs"
description = "Attach 'first in first out' policy to SQS queue."

@@ -57,18 +58,21 @@ variable "kms_master_key_id" {
}

variable "max_receive_count" {
type = number
default = 1
description = "Maximum number of receives before messages are moved to the DLQ."
Contributor

Suggested change
description = "Maximum number of receives before messages are moved to the DLQ."
description = "Maximum number of receives before messages are moved to the dead-letter queue."

}

output "endpoint" {
value = aws_sqs_queue.sqs_queue.arn
description = "Same as sqs queue arn. For use when setting the queue as endpoint of sns topic"
Contributor

Suggested change
description = "Same as sqs queue arn. For use when setting the queue as endpoint of sns topic"
description = "The SQS queue ARN e.g. for use when setting the queue as the endpoint of an SNS topic."

@@ -112,4 +118,4 @@ output "sqs_write_policy_document" {
}
output "dlq_name" {
Contributor

Needs description?

@@ -1,80 +1,88 @@
# Availability zones for Amazon region
variable "standalone_vpc_tag" {
type = string
description = "This is the tag assigned to the standalone vpc that should be created manaully before the first run of the infrastructure"
Contributor

Suggested change
description = "This is the tag assigned to the standalone vpc that should be created manaully before the first run of the infrastructure"
description = "This is the tag assigned to the standalone VPC that should be created manually before the first run of the infrastructure."

}

variable "standalone_vpc_ig_tag" {
type = string
description = "This is the tag assigned to the standalone vpc internet gateway that should be created manaully before the first run of the infrastructure"
Contributor

Suggested change
description = "This is the tag assigned to the standalone vpc internet gateway that should be created manaully before the first run of the infrastructure"
description = "This is the tag assigned to the standalone VPC internet gateway that should be created manually before the first run of the infrastructure."

}

variable "availability_zones" {
type = list(string)
description = "This is a list that specifies all the Availability Zones that will have a pair of public and private subnets"
Contributor

Suggested change
description = "This is a list that specifies all the Availability Zones that will have a pair of public and private subnets"
description = "This list specifies all the Availability Zones that will have a pair of public and private subnets."

default = "api-"
}

# Bucket Variables
variable "docstore_bucket_name" {
type = string
description = "The name of the S3 bucket to store ARF documents"
Contributor

Suggested change
description = "The name of the S3 bucket to store ARF documents"
description = "The name of the S3 bucket to store ARF documents."

default = "statistical-reports"
}

# DynamoDB Table Variables

variable "pdm_dynamodb_table_name" {
description = "The name of the dynamodb table to be use for pdm metadata."
Contributor

Suggested change
description = "The name of the dynamodb table to be use for pdm metadata."
description = "The name of the DynamoDB table to be use for PDM metadata."

default = "PDMDocumentMetadata"
}

variable "docstore_dynamodb_table_name" {
description = "The name of the dynamodb table to store the metadata of ARF documents."
Contributor

Suggested change
description = "The name of the dynamodb table to store the metadata of ARF documents."
description = "The name of the DynamoDB table to store the metadata of ARF documents."

default = "DocumentReferenceMetadata"
}

variable "lloyd_george_dynamodb_table_name" {
description = "The name of the dynamodb table to store the metadata of Lloyd George documents."
Contributor

Suggested change
description = "The name of the dynamodb table to store the metadata of Lloyd George documents."
description = "The name of the DynamoDB table to store the metadata of Lloyd George documents."

default = "LloydGeorgeReferenceMetadata"
}

variable "unstitched_lloyd_george_dynamodb_table_name" {
description = "The name of the dynamodb table to store the metadata of un-stitched Lloyd George documents."
Contributor

Suggested change
description = "The name of the dynamodb table to store the metadata of un-stitched Lloyd George documents."
description = "The name of the DynamoDB table to store the metadata of un-stitched Lloyd George documents."

default = "UnstitchedLloydGeorgeReferenceMetadata"
}

variable "cloudfront_edge_table_name" {
description = "The name of the dynamodb table to store the presigned url reference of CloudFront requests."
Contributor

Suggested change
description = "The name of the dynamodb table to store the presigned url reference of CloudFront requests."
description = "The name of the DynamoDB table to store the presigned URL reference of CloudFront requests."

default = "CloudFrontEdgeReference"
}

variable "zip_store_dynamodb_table_name" {
type = string
default = "ZipStoreReferenceMetadata"
description = "The name of the dynamodb table to store metadata related to zip file storage."
Contributor

Suggested change
description = "The name of the dynamodb table to store metadata related to zip file storage."
description = "The name of the DynamoDB table to store metadata related to zip file storage."

}

variable "stitch_metadata_dynamodb_table_name" {
type = string
default = "LloydGeorgeStitchJobMetadata"
description = "The name of the dynamodb table to store metadata related to LG stitching jobs ."
Contributor

Suggested change
description = "The name of the dynamodb table to store metadata related to LG stitching jobs ."
description = "The name of the DynamoDB table to store metadata related to Lloyd George stitching jobs."

}

variable "auth_state_dynamodb_table_name" {
description = "The name of the dynamodb table to store the state values (for CIS2 authorisation)."
Contributor

Suggested change
description = "The name of the dynamodb table to store the state values (for CIS2 authorisation)."
description = "The name of the DynamoDB table to store the state values (for CIS2 authorisation)."

default = "AuthStateReferenceMetadata"
}

variable "auth_session_dynamodb_table_name" {
description = "The name of the dynamodb table to store user login sessions."
Contributor

Suggested change
description = "The name of the dynamodb table to store user login sessions."
description = "The name of the DynamoDB table to store user login sessions."

default = "AuthSessionReferenceMetadata"
}

variable "bulk_upload_report_dynamodb_table_name" {
description = "The name of the dynamodb table to store bulk upload status."
Contributor

Suggested change
description = "The name of the dynamodb table to store bulk upload status."
description = "The name of the DynamoDB table to store bulk upload status."

default = "BulkUploadReport"
}

variable "statistics_dynamodb_table_name" {
description = "The name of the dynamodb table to store application statistics."
Contributor

Suggested change
description = "The name of the dynamodb table to store application statistics."
description = "The name of the DynamoDB table to store application statistics."

default = "ApplicationStatistics"
}

variable "access_audit_dynamodb_table_name" {
description = "The name of the dynamodb table to store the audit of access to deceased patient records."
Contributor

Suggested change
description = "The name of the dynamodb table to store the audit of access to deceased patient records."
description = "The name of the DynamoDB table to store the audit of access to deceased patient records."

default = "AccessAudit"
}

variable "alarm_state_history_table_name" {
type = string
description = "The name of the dynamodb table to store the history of recent alarms that have been triggered."
Contributor

Suggested change
description = "The name of the dynamodb table to store the history of recent alarms that have been triggered."
description = "The name of the DynamoDB table to store the history of recent alarms that have been triggered."

default = "AlarmStateHistory"
}

# VPC Variables

variable "standalone_vpc_tag" {
description = "This is the tag assigned to the standalone vpc that should be created manaully before the first run of the infrastructure."
Contributor

Suggested change
description = "This is the tag assigned to the standalone vpc that should be created manaully before the first run of the infrastructure."
description = "This is the tag assigned to the standalone VPC that should be created manually before the first run of the infrastructure."

}

variable "standalone_vpc_ig_tag" {
description = "This is the tag assigned to the standalone vpc internet gateway that should be created manaully before the first run of the infrastructure."
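Review bot: the `standalone_vpc_ig_tag` description in this hunk spells "manually" as `manaully`. Correct the spelling in the same edit that capitalises VPC, so the typo is not carried into the updated string.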
Contributor

Suggested change
description = "This is the tag assigned to the standalone vpc internet gateway that should be created manaully before the first run of the infrastructure."
description = "This is the tag assigned to the standalone VPC internet gateway that should be created manaully before the first run of the infrastructure."

default = false
}

variable "enable_dns_support" {
description = "Enable DNS support for VPC."
Contributor

chrisbloe-nhse, Jul 24, 2025

Suggested change
description = "Enable DNS support for VPC."
description = "Enable DNS support for VPC."

variable "cloudwatch_alarm_evaluation_periods" {}

variable "apim_environment" {}
variable "apim_environment" {
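Review bot: `variable "cloudwatch_alarm_evaluation_periods" {}` at the top of this hunk has neither a `type` nor a `description`, which is what this change adds elsewhere. Give it both, and check it against the plan warning quoted in the review for the same name, which reports a value with no matching declaration in the root module.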
Contributor

Needs description.

Contributor

chrisbloe-nhse left a comment

The plan shows the following warnings... do they need fixing?

The root module does not declare a variable named "poll_frequency" but a
value was found in file "***". If you meant to use this value, add a
"variable" block to the configuration.
The root module does not declare a variable named
"cloudwatch_alarm_evaluation_periods" but a value was found in file
"***". If you meant to use this value, add a "variable" block to the
configuration.
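
The warnings quoted in the comment above (a value set with no `variable` block) and the gaps this PR targets (variables without a `type` or `description`, or typed `any`) can be checked together before a plan is run. The following Python check is an added example, not code from this repository or from the reviewers; it assumes plain HCL without heredocs, and the sample inputs, including the `topic_endpoints` name and all values, are constructed.

```python
import re

# Constructed inputs for illustration. "owner", "apim_environment",
# "cloudwatch_alarm_evaluation_periods" and "poll_frequency" appear in the PR;
# "topic_endpoints" is a hypothetical name and all values are made up.
SAMPLE_TF = '''
variable "owner" {
  description = "Identifies the team or person responsible for the resource (used for tagging)."
  type        = string
}

variable "cloudwatch_alarm_evaluation_periods" {}

variable "apim_environment" {
  type = string
}

variable "topic_endpoints" {
  description = "A list of endpoints (e.g., SQS ARNs) to subscribe to the topic."
  type        = any
  default     = []
}
'''

SAMPLE_TFVARS = '''
owner            = "example-team"
apim_environment = "dev"
poll_frequency   = "3600"
'''

VAR_HEADER = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{', re.MULTILINE)
ATTR = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.*?)\s*$')
STRING = re.compile(r'"(?:\\.|[^"\\])*"')


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth, i, in_str = 0, open_idx, False
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "#":                     # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
        i += 1
    raise ValueError("unbalanced braces in variable block")


def _top_level_attrs(body):
    """Map attribute name -> raw value for assignments at nesting depth 0."""
    attrs, depth = {}, 0
    for line in body.splitlines():
        # Blank out string literals and comments before counting brackets.
        bare = STRING.sub('""', line).split("#", 1)[0]
        m = ATTR.match(line)
        if depth == 0 and m:
            attrs[m.group(1)] = m.group(2)
        depth += sum(bare.count(c) for c in "{[(") - sum(bare.count(c) for c in "}])")
    return attrs


def parse_variables(tf_text):
    """Map each declared variable name to its top-level attributes."""
    return {m.group(1): _top_level_attrs(_block_body(tf_text, m.end() - 1))
            for m in VAR_HEADER.finditer(tf_text)}


def lint(tf_text, tfvars_text):
    """Return sorted (name, issue) findings for declarations and tfvars values."""
    declared = parse_variables(tf_text)
    findings = []
    for name, attrs in declared.items():
        if attrs.get("description", '""') in ('""', ""):
            findings.append((name, "missing description"))
        var_type = attrs.get("type", "").split("#", 1)[0].strip()
        if not var_type:
            findings.append((name, "missing type"))
        elif var_type == "any":
            findings.append((name, "type is any"))
    # Same condition Terraform warns about: a value with no variable block.
    for name in _top_level_attrs(tfvars_text):
        if name not in declared:
            findings.append((name, "value set but variable not declared"))
    return sorted(findings)


if __name__ == "__main__":
    for name, issue in lint(SAMPLE_TF, SAMPLE_TFVARS):
        print(f"{name}: {issue}")
```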

}

variable "cloudfront_arn" {
description = "CloudFront Distribution ARN association and policy toggles"
Contributor

Suggested change
description = "CloudFront Distribution ARN association and policy toggles"
description = "Cloudfront distribution ARN association and policy toggles"

Report for environment: ndr-dev

Terraform Initialization ⚙️success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
- access-audit-alarm in modules/lambda_alarms
- access-audit-alarm-topic in modules/sns
- access-audit-gateway in modules/gateway
- access-audit-lambda in modules/lambda
- access_audit_dynamodb_table in modules/dynamo_db
- alarm_state_history_table in modules/dynamo_db
- api_endpoint_url_ssm_parameter in modules/ssm_parameter
- auth_session_dynamodb_table in modules/dynamo_db
- auth_state_dynamodb_table in modules/dynamo_db
- authoriser-alarm in modules/lambda_alarms
- authoriser-alarm-topic in modules/sns
- authoriser-lambda in modules/lambda
- back-channel-logout-gateway in modules/gateway
- back_channel_logout_alarm in modules/lambda_alarms
- back_channel_logout_alarm_topic in modules/sns
- back_channel_logout_lambda in modules/lambda
- bulk-upload-alarm in modules/lambda_alarms
- bulk-upload-alarm-topic in modules/sns
- bulk-upload-lambda in modules/lambda
- bulk-upload-metadata-alarm in modules/lambda_alarms
- bulk-upload-metadata-alarm-topic in modules/sns
- bulk-upload-metadata-lambda in modules/lambda
- bulk-upload-report-alarm in modules/lambda_alarms
- bulk-upload-report-alarm-topic in modules/sns
- bulk-upload-report-lambda in modules/lambda
- bulk_upload_metadata_preprocessor_lambda in modules/lambda
- bulk_upload_report_dynamodb_table in modules/dynamo_db
Downloading registry.terraform.io/cloudstoragesec/cloud-storage-security/aws 1.8.5+css9.01.001 for cloud_storage_security...
- cloud_storage_security in .terraform/modules/cloud_storage_security
- cloudfront-distribution-lg in modules/cloudfront
- cloudfront_edge_dynamodb_table in modules/dynamo_db
- cloudfront_firewall_waf_v2 in modules/firewall_waf_v2
- create-doc-ref-lambda in modules/lambda
- create-token-gateway in modules/gateway
- create-token-lambda in modules/lambda
- create_doc_alarm in modules/lambda_alarms
- create_doc_alarm_topic in modules/sns
- create_document_reference_gateway in modules/gateway
- create_token-alarm in modules/lambda_alarms
- create_token-alarm_topic in modules/sns
- data-collection-alarm in modules/lambda_alarms
- data-collection-alarm-topic in modules/sns
- data-collection-lambda in modules/lambda
- delete-doc-ref-gateway in modules/gateway
- delete-doc-ref-lambda in modules/lambda
- delete-document-object-alarm in modules/lambda_alarms
- delete-document-object-alarm-topic in modules/sns
- delete-document-object-lambda in modules/lambda
- delete_doc_alarm in modules/lambda_alarms
- delete_doc_alarm_topic in modules/sns
- document-manifest-job-gateway in modules/gateway
- document-manifest-job-lambda in modules/lambda
- document_manifest_alarm in modules/lambda_alarms
- document_manifest_alarm_topic in modules/sns
- document_reference_dynamodb_table in modules/dynamo_db
- edge-presign-lambda in modules/lambda_edge
- edge_presign_alarm in modules/lambda_alarms
- edge_presign_alarm_topic in modules/sns
- feature-flags-gateway in modules/gateway
- feature-flags-lambda in modules/lambda
- feature_flags_alarm in modules/lambda_alarms
- feature_flags_alarm_topic in modules/sns
- fhir_document_reference_gateway in modules/gateway
- firewall_waf_v2 in modules/firewall_waf_v2
- firewall_waf_v2_api in modules/firewall_waf_v2
- generate-document-manifest-alarm in modules/lambda_alarms
- generate-document-manifest-alarm-topic in modules/sns
- generate-document-manifest-lambda in modules/lambda
- generate-lloyd-george-stitch-alarm in modules/lambda_alarms
- generate-lloyd-george-stitch-alarm-topic in modules/sns
- generate-lloyd-george-stitch-lambda in modules/lambda
- get-doc-fhir-lambda in modules/lambda
- get-report-by-ods-alarm in modules/lambda_alarms
- get-report-by-ods-alarm-topic in modules/sns
- get-report-by-ods-gateway in modules/gateway
- get-report-by-ods-lambda in modules/lambda
- im-alerting-lambda in modules/lambda
- lambda-layer-alerting in modules/lambda_layers
- lambda-layer-core in modules/lambda_layers
- lambda-layer-data in modules/lambda_layers
- lloyd-george-stitch-gateway in modules/gateway
- lloyd-george-stitch-lambda in modules/lambda
- lloyd-george-stitch_alarm in modules/lambda_alarms
- lloyd-george-stitch_topic in modules/sns
- lloyd_george_reference_dynamodb_table in modules/dynamo_db
- login_redirect-alarm_topic in modules/sns
- login_redirect_alarm in modules/lambda_alarms
- login_redirect_lambda in modules/lambda
- logout-gateway in modules/gateway
- logout_alarm in modules/lambda_alarms
- logout_alarm_topic in modules/sns
- logout_lambda in modules/lambda
- manage-nrl-pointer-alarm in modules/lambda_alarms
- manage-nrl-pointer-alarm-topic in modules/sns
- manage-nrl-pointer-lambda in modules/lambda
- mns-dlq-alarm-topic in modules/sns
- mns-notification-alarm in modules/lambda_alarms
- mns-notification-alarm-topic in modules/sns
- mns-notification-lambda in modules/lambda
- mns_encryption_key in modules/kms
- ndr-app-config in modules/app_config
- ndr-bulk-staging-store in modules/s3
- ndr-docker-ecr-data-collection in modules/ecr
- ndr-docker-ecr-ui in modules/ecr
- ndr-document-store in modules/s3
- ndr-ecs-container-port-ssm-parameter in modules/ssm_parameter
- ndr-ecs-fargate-app in modules/ecs
- ndr-ecs-fargate-data-collection in modules/ecs
- ndr-feedback-mailbox in modules/ses
- ndr-lloyd-george-store in modules/s3
- ndr-vpc-ui in modules/vpc
- ndr-zip-request-store in modules/s3
- nhs-oauth-token-generator-alarm in modules/lambda_alarms
- nhs-oauth-token-generator-alarm-topic in modules/sns
- nhs-oauth-token-generator-lambda in modules/lambda
- nrl-dlq-alarm-topic in modules/sns
- pdf-stitching-alarm-topic in modules/sns
- pdf-stitching-lambda in modules/lambda
- pdf-stitching-lambda-alarms in modules/lambda_alarms
- pdm-document-store in modules/s3
- pdm_dynamodb_table in modules/dynamo_db
- post-document-references-fhir-lambda in modules/lambda
- route53_fargate_ui in modules/route53
- search-document-references-fhir-lambda in modules/lambda
- search-document-references-gateway in modules/gateway
- search-document-references-lambda in modules/lambda
- search-patient-details-gateway in modules/gateway
- search-patient-details-lambda in modules/lambda
- search_doc_alarm in modules/lambda_alarms
- search_doc_alarm_topic in modules/sns
- search_patient_alarm in modules/lambda_alarms
- search_patient_alarm_topic in modules/sns
- send-feedback-alarm in modules/lambda_alarms
- send-feedback-alarm-topic in modules/sns
- send-feedback-gateway in modules/gateway
- send-feedback-lambda in modules/lambda
- sns_encryption_key in modules/kms
- sqs-lg-bulk-upload-invalid-queue in modules/sqs
- sqs-lg-bulk-upload-metadata-queue in modules/sqs
- sqs-mns-notification-queue in modules/sqs
- sqs-nrl-queue in modules/sqs
- sqs-splunk-queue in modules/sqs
- sqs-stitching-queue in modules/sqs
- statistical-report-alarm in modules/lambda_alarms
- statistical-report-alarm-topic in modules/sns
- statistical-report-lambda in modules/lambda
- statistical-reports-store in modules/s3
- statistics_dynamodb_table in modules/dynamo_db
- stitch_metadata_reference_dynamodb_table in modules/dynamo_db
- stitching-dlq-alarm-topic in modules/sns
- unstitched_lloyd_george_reference_dynamodb_table in modules/dynamo_db
- update-upload-state-gateway in modules/gateway
- update-upload-state-lambda in modules/lambda
- update_upload_state_alarm in modules/lambda_alarms
- update_upload_state_alarm_topic in modules/sns
- upload_confirm_result_alarm in modules/lambda_alarms
- upload_confirm_result_alarm_topic in modules/sns
- upload_confirm_result_gateway in modules/gateway
- upload_confirm_result_lambda in modules/lambda
- virus_scan_result_alarm in modules/lambda_alarms
- virus_scan_result_alarm_topic in modules/sns
- virus_scan_result_gateway in modules/gateway
- virus_scan_result_lambda in modules/lambda
- zip_store_reference_dynamodb_table in modules/dynamo_db
Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding latest version of hashicorp/time...
- Finding latest version of hashicorp/random...
- Finding hashicorp/aws versions matching ">= 4.0.0, ~> 5.0"...
- Finding hashicorp/awscc versions matching ">= 0.72.1, ~> 1.0"...
- Finding latest version of hashicorp/archive...
- Installing hashicorp/time v0.13.1...
- Installed hashicorp/time v0.13.1 (signed by HashiCorp)
- Installing hashicorp/random v3.7.2...
- Installed hashicorp/random v3.7.2 (signed by HashiCorp)
- Installing hashicorp/aws v5.100.0...
- Installed hashicorp/aws v5.100.0 (signed by HashiCorp)
- Installing hashicorp/awscc v1.49.0...
- Installed hashicorp/awscc v1.49.0 (signed by HashiCorp)
- Installing hashicorp/archive v2.7.1...
- Installed hashicorp/archive v2.7.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (5 to add, 15 to change, 1 to destroy)


Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.edge-presign-lambda.aws_lambda_function.lambda has changed
  ~ resource "aws_lambda_function" "lambda" {
        id                             = "ndr-dev_EdgePresignLambda"
      ~ qualified_arn                  = "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:252" -> "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:254"
        tags                           = {}
        # (28 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
+/- create replacement and then destroy
 <= read (data resources)

Terraform will perform the following actions:

  # aws_api_gateway_deployment.ndr_api_deploy must be replaced
+/- resource "aws_api_gateway_deployment" "ndr_api_deploy" {
      ~ created_date  = "2025-07-23T08:34:48Z" -> (known after apply)
      ~ execution_arn = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ccy0v3rve9/" -> (known after apply)
      ~ id            = "vfx5i3" -> (known after apply)
      ~ invoke_url    = "[REDACTED_API_GATEWAY_URL]" -> (known after apply)
      ~ variables     = {
          - "deployed_at" = "2025-07-23T08:34:47Z"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_api_gateway_stage.ndr_api will be updated in-place
  ~ resource "aws_api_gateway_stage" "ndr_api" {
      ~ deployment_id         = "vfx5i3" -> (known after apply)
        id                    = "ags-ccy0v3rve9-dev"
        tags                  = {}
        # (14 unchanged attributes hidden)
    }

  # aws_sns_topic_subscription.alarm_notifications_sns_topic_subscription["[email protected]"] will be created
  + resource "aws_sns_topic_subscription" "alarm_notifications_sns_topic_subscription" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "[email protected]"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-alarms-notification-topic-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]14"
    }

  # module.bulk-upload-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-staging-bulk-store/*",
                              + "arn:aws:s3:::ndr-dev-staging-bulk-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-staging-bulk-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/TimestampIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-stitching-queue",
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-deadletter-stitching-queue",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:ReceiveMessage",
                              + "sqs:GetQueueUrl",
                              + "sqs:GetQueueAttributes",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:ReceiveMessage",
                              + "sqs:GetQueueUrl",
                              + "sqs:GetQueueAttributes",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParameters",
                              + "ssm:PutParameter",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
        ]
    }

  # module.bulk-upload-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_BulkUploadLambda_combined_policy"
        name             = "ndr-dev_BulkUploadLambda_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-staging-bulk-store/*",
                          - "arn:aws:s3:::ndr-dev-staging-bulk-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-staging-bulk-store/*"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/TimestampIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                    },
                  - {
                      - Action   = [
                          - "sqs:SendMessage",
                          - "sqs:DeleteMessage",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-stitching-queue",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-deadletter-stitching-queue",
                        ]
                    },
                  - {
                      - Action   = [
                          - "sqs:ReceiveMessage",
                          - "sqs:GetQueueUrl",
                          - "sqs:GetQueueAttributes",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                    },
                  - {
                      - Action   = [
                          - "sqs:SendMessage",
                          - "sqs:DeleteMessage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                    },
                  - {
                      - Action   = [
                          - "sqs:ReceiveMessage",
                          - "sqs:GetQueueUrl",
                          - "sqs:GetQueueAttributes",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                    },
                  - {
                      - Action   = [
                          - "sqs:SendMessage",
                          - "sqs:DeleteMessage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                    },
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                          - "ssm:GetParameters",
                          - "ssm:PutParameter",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:*:*:parameter/*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.bulk-upload-lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_BulkUploadLambda"
        name                  = "ndr-dev_lambda_execution_role_BulkUploadLambda"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

  # module.cloudfront-distribution-lg.aws_cloudfront_distribution.distribution will be updated in-place
  ~ resource "aws_cloudfront_distribution" "distribution" {
        id                              = "E3MY5DTOCCTK2Y"
        tags                            = {}
        # (22 unchanged attributes hidden)

      ~ default_cache_behavior {
            # (16 unchanged attributes hidden)

          - lambda_function_association {
              - event_type   = "origin-request" -> null
              - include_body = false -> null
              - lambda_arn   = "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:254" -> null
            }
          + lambda_function_association {
              + event_type   = "origin-request"
              + include_body = false
              + lambda_arn   = (known after apply)
            }

            # (1 unchanged block hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # module.data-collection-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.data-collection-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.data-collection-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics/index/OdsCodeIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-ndr-document-store/*",
                              + "arn:aws:s3:::ndr-dev-ndr-document-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-ndr-document-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata/index/FileLocationsIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata/index/NhsNumberIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "logs:StartQuery",
                              + "logs:GetQueryResults",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:logs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:log-group:*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
        ]
    }

  # module.data-collection-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_DataCollectionLambda_combined_policy"
        name             = "ndr-dev_DataCollectionLambda_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics/index/OdsCodeIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ApplicationStatistics"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-ndr-document-store/*",
                          - "arn:aws:s3:::ndr-dev-ndr-document-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-ndr-document-store/*"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata/index/FileLocationsIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "logs:StartQuery",
                          - "logs:GetQueryResults",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:log-group:*",
                        ]
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.data-collection-lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_DataCollectionLambda"
        name                  = "ndr-dev_lambda_execution_role_DataCollectionLambda"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

  # module.edge-presign-lambda.aws_lambda_function.lambda will be updated in-place
  ~ resource "aws_lambda_function" "lambda" {
        id                             = "ndr-dev_EdgePresignLambda"
      ~ last_modified                  = "2025-07-23T13:47:19.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:254" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:254/invocations" -> (known after apply)
      ~ source_code_hash               = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" -> "lO9WEvaJuYP7UltTs4rOL0Tzxm/iNPPPYFFUEJPCQpc="
        tags                           = {}
      ~ version                        = "254" -> (known after apply)
        # (24 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.generate-document-manifest-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.generate-document-manifest-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.generate-document-manifest-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-ndr-document-store/*",
                              + "arn:aws:s3:::ndr-dev-ndr-document-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-ndr-document-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata/index/JobIdIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-zip-request-store/*",
                              + "arn:aws:s3:::ndr-dev-zip-request-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-zip-request-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:GetRecords",
                              + "dynamodb:GetShardIterator",
                              + "dynamodb:DescribeStream",
                              + "dynamodb:ListStreams",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata/stream/2024-07-09T16:01:09.989"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
        ]
    }

  # module.generate-document-manifest-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_GenerateDocumentManifest_combined_policy"
        name             = "ndr-dev_GenerateDocumentManifest_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-ndr-document-store/*",
                          - "arn:aws:s3:::ndr-dev-ndr-document-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-ndr-document-store/*"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata/index/JobIdIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-zip-request-store/*",
                          - "arn:aws:s3:::ndr-dev-zip-request-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-zip-request-store/*"
                    },
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:GetRecords",
                          - "dynamodb:GetShardIterator",
                          - "dynamodb:DescribeStream",
                          - "dynamodb:ListStreams",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_ZipStoreReferenceMetadata/stream/2024-07-09T16:01:09.989"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.generate-document-manifest-lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_GenerateDocumentManifest"
        name                  = "ndr-dev_lambda_execution_role_GenerateDocumentManifest"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

  # module.generate-lloyd-george-stitch-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.generate-lloyd-george-stitch-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.generate-lloyd-george-stitch-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
   
(truncated - see workflow logs for full output)
