@jameslinnell
Contributor

Also a new make command to build a workspace on dev.

Comment on lines 1 to 34
#!/bin/bash
set -euo pipefail

branch="${WORKSPACE:-$(git rev-parse --abbrev-ref HEAD)}"
branch=$(echo "$branch" | sed 's/[^a-zA-Z0-9]//g')
branch="${branch,,}"
apply="${APPLY:-false}"

# Forbidden branches
forbidden_branches=("main" "prod" "pre-prod" "ndr-test" "ndr-dev")

for fb in "${forbidden_branches[@]}"; do
if [[ "$branch" == "$fb" ]]; then
echo "❌ Error: Deployment from branch '$branch' is not allowed."
exit 1
fi
done

cd infrastructure/
terraform init -backend-config=backend.conf
terraform workspace select -or-create "$branch"
terraform plan -input=false -var-file=dev.tfvars -out tf.plan

if [[ "$apply" == "true" ]]; then
terraform apply -auto-approve -input=false tf.plan
fi
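
Review bot: The forbidden-branch loop can never match "pre-prod", "ndr-test" or "ndr-dev", because the sed two lines above the list has already stripped every non-alphanumeric character from $branch, so those names reach the comparison as preprod, ndrtest and ndrdev and fall through to terraform workspace select -or-create. Either list the sanitized forms in forbidden_branches or run the comparison on the raw value before the sed. The comparison also happens after the lowercase step, so the list entries need to stay lowercase.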
Contributor

@robg-test robg-test Sep 18, 2025

Is there any way to quickly check that you're currently using the dev (or test) AWS environment?

Contributor Author

I think that should do it.


}

resource "aws_lambda_permission" "lambda_permission_get_mtls_api" {
Contributor

Is this not needed?

Contributor Author

No, it was only needed when the mtls-api was "extra" to the api. Now that the lambda only exists in the mtls-api, it doesn't need to have this extra permission.

@sonarqubecloud

sonarqubecloud bot commented Oct 24, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions

Report for environment: ndr-dev

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖success

Show Plan (35 to add, 6 to change, 50 to destroy)


Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.edge-presign-lambda.aws_lambda_function.lambda has changed
  ~ resource "aws_lambda_function" "lambda" {
        id                             = "ndr-dev_EdgePresignLambda"
      ~ qualified_arn                  = "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:398" -> "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:401"
        tags                           = {}
        # (28 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
+/- create replacement and then destroy
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.assume_role_policy_for_create_lambda will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role_policy_for_create_lambda" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]

          + principals {
              + identifiers = (known after apply)
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.assume_role_policy_for_get_doc_ref_lambda will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role_policy_for_get_doc_ref_lambda" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_api_gateway_deployment.ndr_api_deploy must be replaced
+/- resource "aws_api_gateway_deployment" "ndr_api_deploy" {
      ~ created_date  = "2025-10-23T13:53:56Z" -> (known after apply)
      ~ execution_arn = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ccy0v3rve9/" -> (known after apply)
      ~ id            = "lbgu4g" -> (known after apply)
      ~ invoke_url    = "[REDACTED_API_GATEWAY_URL]" -> (known after apply)
      ~ variables     = {
          - "deployed_at" = "2025-10-23T13:53:50Z"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_api_gateway_deployment.ndr_api_deploy_mtls must be replaced
+/- resource "aws_api_gateway_deployment" "ndr_api_deploy_mtls" {
      ~ created_date  = "2025-10-23T13:53:50Z" -> (known after apply)
      ~ execution_arn = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/" -> (known after apply)
      ~ id            = "pkssuy" -> (known after apply)
      ~ invoke_url    = "[REDACTED_API_GATEWAY_URL]" -> (known after apply)
      ~ variables     = {
          - "deployed_at" = "2025-10-23T13:53:50Z"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_api_gateway_integration.get_doc_fhir_lambda_integration will be destroyed
  # (because aws_api_gateway_integration.get_doc_fhir_lambda_integration is not in configuration)
  - resource "aws_api_gateway_integration" "get_doc_fhir_lambda_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "ah2hii" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "GET" -> null
      - id                      = "agi-p9uuab4oyl-ah2hii-GET" -> null
      - integration_http_method = "POST" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {} -> null
      - resource_id             = "ah2hii" -> null
      - rest_api_id             = "p9uuab4oyl" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "AWS_PROXY" -> null
      - uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference/invocations" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_api_gateway_integration.post_doc_fhir_lambda_integration will be destroyed
  # (because aws_api_gateway_integration.post_doc_fhir_lambda_integration is not in configuration)
  - resource "aws_api_gateway_integration" "post_doc_fhir_lambda_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "glv147" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "POST" -> null
      - id                      = "agi-p9uuab4oyl-glv147-POST" -> null
      - integration_http_method = "POST" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {} -> null
      - resource_id             = "glv147" -> null
      - rest_api_id             = "p9uuab4oyl" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "AWS_PROXY" -> null
      - uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_PostDocumentReferencesFHIR/invocations" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_api_gateway_integration.search_doc_fhir_lambda_integration will be destroyed
  # (because aws_api_gateway_integration.search_doc_fhir_lambda_integration is not in configuration)
  - resource "aws_api_gateway_integration" "search_doc_fhir_lambda_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "glv147" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "GET" -> null
      - id                      = "agi-p9uuab4oyl-glv147-GET" -> null
      - integration_http_method = "POST" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {} -> null
      - resource_id             = "glv147" -> null
      - rest_api_id             = "p9uuab4oyl" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "AWS_PROXY" -> null
      - uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_SearchDocumentReferencesFHIR/invocations" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_api_gateway_method.get_document_reference will be destroyed
  # (because aws_api_gateway_method.get_document_reference is not in configuration)
  - resource "aws_api_gateway_method" "get_document_reference" {
      - api_key_required     = true -> null
      - authorization        = "NONE" -> null
      - authorization_scopes = [] -> null
      - http_method          = "GET" -> null
      - id                   = "agm-ccy0v3rve9-32fp0k-GET" -> null
      - request_models       = {} -> null
      - request_parameters   = {
          - "method.request.path.id" = true
        } -> null
      - resource_id          = "32fp0k" -> null
      - rest_api_id          = "ccy0v3rve9" -> null
        # (3 unchanged attributes hidden)
    }

  # aws_api_gateway_resource.get_document_reference will be destroyed
  # (because aws_api_gateway_resource.get_document_reference is not in configuration)
  - resource "aws_api_gateway_resource" "get_document_reference" {
      - id          = "32fp0k" -> null
      - parent_id   = "yhpuj4" -> null
      - path        = "/FhirDocumentReference/{id}" -> null
      - path_part   = "{id}" -> null
      - rest_api_id = "ccy0v3rve9" -> null
    }

  # aws_api_gateway_stage.ndr_api will be updated in-place
  ~ resource "aws_api_gateway_stage" "ndr_api" {
      ~ deployment_id         = "lbgu4g" -> (known after apply)
        id                    = "ags-ccy0v3rve9-dev"
        tags                  = {}
        # (14 unchanged attributes hidden)
    }

  # aws_api_gateway_stage.ndr_api_mtls will be updated in-place
  ~ resource "aws_api_gateway_stage" "ndr_api_mtls" {
      ~ deployment_id         = "pkssuy" -> (known after apply)
        id                    = "ags-p9uuab4oyl-dev"
        tags                  = {}
        # (14 unchanged attributes hidden)
    }

  # aws_iam_role.create_post_presign_url_role will be updated in-place
  ~ resource "aws_iam_role" "create_post_presign_url_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = [
                              - "[REDACTED_IAM_ROLE_ARN]",
                              - "[REDACTED_IAM_ROLE_ARN]",
                            ]
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_create_post_presign_url_role"
        name                  = "ndr-dev_create_post_presign_url_role"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

  # aws_iam_role.get_fhir_doc_presign_url_role will be updated in-place
  ~ resource "aws_iam_role" "get_fhir_doc_presign_url_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_get_fhir_doc_presign_url_role"
        name                  = "ndr-dev_get_fhir_doc_presign_url_role"
        tags                  = {}
        # (11 unchanged attributes hidden)
    }

  # aws_lambda_permission.lambda_permission_get_mtls_api will be destroyed
  # (because aws_lambda_permission.lambda_permission_get_mtls_api is not in configuration)
  - resource "aws_lambda_permission" "lambda_permission_get_mtls_api" {
      - action              = "lambda:InvokeFunction" -> null
      - function_name       = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference" -> null
      - id                  = "AllowAPImTLSGatewayInvoke" -> null
      - principal           = "apigateway.amazonaws.com" -> null
      - source_arn          = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/*/*" -> null
      - statement_id        = "AllowAPImTLSGatewayInvoke" -> null
        # (2 unchanged attributes hidden)
    }

  # aws_lambda_permission.lambda_permission_post_mtls_api will be destroyed
  # (because aws_lambda_permission.lambda_permission_post_mtls_api is not in configuration)
  - resource "aws_lambda_permission" "lambda_permission_post_mtls_api" {
      - action              = "lambda:InvokeFunction" -> null
      - function_name       = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_PostDocumentReferencesFHIR" -> null
      - id                  = "AllowAPImTLSGatewayInvoke" -> null
      - principal           = "apigateway.amazonaws.com" -> null
      - source_arn          = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/*/*" -> null
      - statement_id        = "AllowAPImTLSGatewayInvoke" -> null
        # (2 unchanged attributes hidden)
    }

  # aws_lambda_permission.lambda_permission_search_mtls_api will be destroyed
  # (because aws_lambda_permission.lambda_permission_search_mtls_api is not in configuration)
  - resource "aws_lambda_permission" "lambda_permission_search_mtls_api" {
      - action              = "lambda:InvokeFunction" -> null
      - function_name       = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_SearchDocumentReferencesFHIR" -> null
      - id                  = "AllowMtlsApiGatewayInvoke" -> null
      - principal           = "apigateway.amazonaws.com" -> null
      - source_arn          = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/*/*" -> null
      - statement_id        = "AllowMtlsApiGatewayInvoke" -> null
        # (2 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_integration.preflight_integration will be destroyed
  # (because aws_api_gateway_integration.preflight_integration is not in configuration)
  - resource "aws_api_gateway_integration" "preflight_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "yhpuj4" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "OPTIONS" -> null
      - id                      = "agi-ccy0v3rve9-yhpuj4-OPTIONS" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {
          - "application/json" = jsonencode(
                {
                  - statusCode = 200
                }
            )
        } -> null
      - resource_id             = "yhpuj4" -> null
      - rest_api_id             = "ccy0v3rve9" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "MOCK" -> null
        # (5 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_integration_response.preflight_integration_response will be destroyed
  # (because aws_api_gateway_integration_response.preflight_integration_response is not in configuration)
  - resource "aws_api_gateway_integration_response" "preflight_integration_response" {
      - http_method         = "OPTIONS" -> null
      - id                  = "agir-ccy0v3rve9-yhpuj4-OPTIONS-200" -> null
      - resource_id         = "yhpuj4" -> null
      - response_parameters = {
          - "method.response.header.Access-Control-Allow-Credentials" = "'true'"
          - "method.response.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,Cookie,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
          - "method.response.header.Access-Control-Allow-Methods"     = "'POST, GET'"
          - "method.response.header.Access-Control-Allow-Origin"      = "'*'"
        } -> null
      - response_templates  = {} -> null
      - rest_api_id         = "ccy0v3rve9" -> null
      - status_code         = "200" -> null
        # (2 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_method.preflight_method will be destroyed
  # (because aws_api_gateway_method.preflight_method is not in configuration)
  - resource "aws_api_gateway_method" "preflight_method" {
      - api_key_required     = false -> null
      - authorization        = "NONE" -> null
      - authorization_scopes = [] -> null
      - http_method          = "OPTIONS" -> null
      - id                   = "agm-ccy0v3rve9-yhpuj4-OPTIONS" -> null
      - request_models       = {} -> null
      - request_parameters   = {} -> null
      - resource_id          = "yhpuj4" -> null
      - rest_api_id          = "ccy0v3rve9" -> null
        # (3 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_method.proxy_method["GET"] will be destroyed
  # (because aws_api_gateway_method.proxy_method is not in configuration)
  - resource "aws_api_gateway_method" "proxy_method" {
      - api_key_required     = true -> null
      - authorization        = "NONE" -> null
      - authorization_scopes = [] -> null
      - http_method          = "GET" -> null
      - id                   = "agm-ccy0v3rve9-yhpuj4-GET" -> null
      - request_models       = {} -> null
      - request_parameters   = {} -> null
      - resource_id          = "yhpuj4" -> null
      - rest_api_id          = "ccy0v3rve9" -> null
        # (3 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_method.proxy_method["POST"] will be destroyed
  # (because aws_api_gateway_method.proxy_method is not in configuration)
  - resource "aws_api_gateway_method" "proxy_method" {
      - api_key_required     = true -> null
      - authorization        = "NONE" -> null
      - authorization_scopes = [] -> null
      - http_method          = "POST" -> null
      - id                   = "agm-ccy0v3rve9-yhpuj4-POST" -> null
      - request_models       = {} -> null
      - request_parameters   = {} -> null
      - resource_id          = "yhpuj4" -> null
      - rest_api_id          = "ccy0v3rve9" -> null
        # (3 unchanged attributes hidden)
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_method_response.preflight_method_response will be destroyed
  # (because aws_api_gateway_method_response.preflight_method_response is not in configuration)
  - resource "aws_api_gateway_method_response" "preflight_method_response" {
      - http_method         = "OPTIONS" -> null
      - id                  = "agmr-ccy0v3rve9-yhpuj4-OPTIONS-200" -> null
      - resource_id         = "yhpuj4" -> null
      - response_models     = {
          - "application/json" = "Empty"
        } -> null
      - response_parameters = {
          - "method.response.header.Access-Control-Allow-Credentials" = true
          - "method.response.header.Access-Control-Allow-Headers"     = true
          - "method.response.header.Access-Control-Allow-Methods"     = true
          - "method.response.header.Access-Control-Allow-Origin"      = true
        } -> null
      - rest_api_id         = "ccy0v3rve9" -> null
      - status_code         = "200" -> null
    }

  # module.fhir_document_reference_gateway[0].aws_api_gateway_resource.gateway_resource will be destroyed
  # (because aws_api_gateway_resource.gateway_resource is not in configuration)
  - resource "aws_api_gateway_resource" "gateway_resource" {
      - id          = "yhpuj4" -> null
      - parent_id   = "1lozellmb1" -> null
      - path        = "/FhirDocumentReference" -> null
      - path_part   = "FhirDocumentReference" -> null
      - rest_api_id = "ccy0v3rve9" -> null
    }

  # module.get-doc-fhir-lambda.aws_api_gateway_integration.lambda_integration["0"] will be destroyed
  # (because aws_api_gateway_integration.lambda_integration is not in configuration)
  - resource "aws_api_gateway_integration" "lambda_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "32fp0k" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "GET" -> null
      - id                      = "agi-ccy0v3rve9-32fp0k-GET" -> null
      - integration_http_method = "POST" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {} -> null
      - resource_id             = "32fp0k" -> null
      - rest_api_id             = "ccy0v3rve9" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "AWS_PROXY" -> null
      - uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference/invocations" -> null
        # (3 unchanged attributes hidden)
    }

  # module.get-doc-fhir-lambda.aws_iam_role_policy.lambda_kms_access will be destroyed
  # (because aws_iam_role_policy.lambda_kms_access is not in configuration)
  - resource "aws_iam_role_policy" "lambda_kms_access" {
      - id          = "ndr-dev_lambda_execution_role_GetDocumentReference:lambda_kms_usage" -> null
      - name        = "lambda_kms_usage" -> null
      - policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role        = "ndr-dev_lambda_execution_role_GetDocumentReference" -> null
        # (1 unchanged attribute hidden)
    }

  # module.get-doc-fhir-lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"] will be destroyed
  # (because aws_iam_role_policy_attachment.default_policies is not in configuration)
  - resource "aws_iam_role_policy_attachment" "default_policies" {
      - id         = "ndr-dev_lambda_execution_role_GetDocumentReference-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]04" -> null
      - policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" -> null
      - role       = "ndr-dev_lambda_execution_role_GetDocumentReference" -> null
    }

  # module.get-doc-fhir-lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"] will be destroyed
  # (because aws_iam_role_policy_attachment.default_policies is not in configuration)
  - resource "aws_iam_role_policy_attachment" "default_policies" {
      - id         = "ndr-dev_lambda_execution_role_GetDocumentReference-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]05" -> null
      - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" -> null
      - role       = "ndr-dev_lambda_execution_role_GetDocumentReference" -> null
    }

  # module.get-doc-fhir-lambda.aws_iam_role_policy_attachment.lambda_execution_policy will be destroyed
  # (because aws_iam_role_policy_attachment.lambda_execution_policy is not in configuration)
  - resource "aws_iam_role_policy_attachment" "lambda_execution_policy" {
      - id         = "ndr-dev_lambda_execution_role_GetDocumentReference-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]06" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_GetDocumentReference_combined_policy" -> null
      - role       = "ndr-dev_lambda_execution_role_GetDocumentReference" -> null
    }

  # module.get-doc-fhir-lambda.aws_kms_key.lambda will be destroyed
  # (because aws_kms_key.lambda is not in configuration)
  - resource "aws_kms_key" "lambda" {
      - arn                                = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Custom KMS Key for ndr-dev_GetDocumentReference" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "79756dcb-72fa-4439-a67d-552061b78f63" -> null
      - is_enabled                         = true -> null
      - key_id                             = "79756dcb-72fa-4439-a67d-552061b78f63" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowRootAccountAccess"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowLambdaExecutionRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Environment" = "dev"
          - "Owner"       = "nhse/ndr-team"
          - "Workspace"   = "ndr-dev"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # module.get_document_reference_fhir_lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.get_document_reference_fhir_lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/DocumentSnomedCodeTypeIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/DocStatusIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/AuthorIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/CustodianIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParameters",
                              + "ssm:PutParameter",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-pdm-document-store/*",
                              + "arn:aws:s3:::ndr-dev-pdm-document-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.get_document_reference_fhir_lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "root_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowRootAccountAccess"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowLambdaExecutionRole"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.get_document_reference_fhir_lambda.aws_api_gateway_integration.lambda_integration["0"] will be created
  + resource "aws_api_gateway_integration" "lambda_integration" {
      + cache_namespace         = (known after apply)
      + connection_type         = "INTERNET"
      + http_method             = "GET"
      + id                      = (known after apply)
      + integration_http_method = "POST"
      + passthrough_behavior    = (known after apply)
      + resource_id             = "ah2hii"
      + rest_api_id             = "p9uuab4oyl"
      + timeout_milliseconds    = 29000
      + type                    = "AWS_PROXY"
      + uri                     = (known after apply)
    }

  # module.get_document_reference_fhir_lambda.aws_iam_policy.combined_policies must be replaced
  # (moved from module.get-doc-fhir-lambda.aws_iam_policy.combined_policies)
+/- resource "aws_iam_policy" "combined_policies" {
      ~ arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_GetDocumentReference_combined_policy" -> (known after apply)
      ~ attachment_count = 1 -> (known after apply)
      ~ id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_GetDocumentReference_combined_policy" -> (known after apply)
      ~ name             = "ndr-dev_GetDocumentReference_combined_policy" -> "ndr-dev_GetDocumentReferenceFhir_combined_policy" # forces replacement
      + name_prefix      = (known after apply)
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/DocumentSnomedCodeTypeIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/DocStatusIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/AuthorIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata/index/CustodianIndex"
                    },
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                          - "ssm:GetParameters",
                          - "ssm:PutParameter",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:*:*:parameter/*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-pdm-document-store/*",
                          - "arn:aws:s3:::ndr-dev-pdm-document-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
      ~ policy_id        = "ANPAXYSUA44VX7PQGQIZC" -> (known after apply)
      - tags             = {} -> null
        # (3 unchanged attributes hidden)
    }

  # module.get_document_reference_fhir_lambda.aws_iam_role.lambda_execution_role must be replaced
  # (moved from module.get-doc-fhir-lambda.aws_iam_role.lambda_execution_role)
+/- resource "aws_iam_role" "lambda_execution_role" {
      ~ arn                   = "[REDACTED_IAM_ROLE_ARN]" -> (known after apply)
      ~ create_date           = "2025-01-17T14:07:00Z" -> (known after apply)
      ~ id                    = "ndr-dev_lambda_execution_role_GetDocumentReference" -> (known after apply)
      ~ managed_policy_arns   = [
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_GetDocumentReference_combined_policy",
          - "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        ] -> (known after apply)
      ~ name                  = "ndr-dev_lambda_execution_role_GetDocumentReference" -> "ndr-dev_lambda_execution_role_GetDocumentReferenceFhir" # forces replacement
      + name_prefix           = (known after apply)
      - tags                  = {} -> null
      ~ unique_id             = "AROAXYSUA44VSWT26DJVV" -> (known after apply)
        # (7 unchanged attributes hidden)

      ~ inline_policy (known after apply)
      - inline_policy {
          - name   = "lambda_kms_usage" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = [
                              - "kms:GenerateDataKey",
                              - "kms:Encrypt",
                              - "kms:Decrypt",
                            ]
                          - Effect   = "Allow"
                          - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63"
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
    }

  # module.get_document_reference_fhir_lambda.aws_iam_role_policy.lambda_kms_access will be created
  + resource "aws_iam_role_policy" "lambda_kms_access" {
      + id          = (known after apply)
      + name        = "lambda_kms_usage"
      + name_prefix = (known after apply)
      + policy      = (known after apply)
      + role        = (known after apply)
    }

  # module.get_document_reference_fhir_lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"] will be created
  + resource "aws_iam_role_policy_attachment" "default_policies" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
      + role       = "ndr-dev_lambda_execution_role_GetDocumentReferenceFhir"
    }

  # module.get_document_reference_fhir_lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"] will be created
  + resource "aws_iam_role_policy_attachment" "default_policies" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      + role       = "ndr-dev_lambda_execution_role_GetDocumentReferenceFhir"
    }

  # module.get_document_reference_fhir_lambda.aws_iam_role_policy_attachment.lambda_execution_policy will be created
  + resource "aws_iam_role_policy_attachment" "lambda_execution_policy" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "ndr-dev_lambda_execution_role_GetDocumentReferenceFhir"
    }

  # module.get_document_reference_fhir_lambda.aws_kms_alias.lambda must be replaced
  # (moved from module.get-doc-fhir-lambda.aws_kms_alias.lambda)
+/- resource "aws_kms_alias" "lambda" {
      ~ arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/ndr-dev_GetDocumentReference" -> (known after apply)
      ~ id             = "alias/ndr-dev_GetDocumentReference" -> (known after apply)
      ~ name           = "alias/ndr-dev_GetDocumentReference" -> "alias/ndr-dev_GetDocumentReferenceFhir" # forces replacement
      + name_prefix    = (known after apply)
      ~ target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63" -> (known after apply)
      ~ target_key_id  = "79756dcb-72fa-4439-a67d-552061b78f63" -> (known after apply)
    }

  # module.get_document_reference_fhir_lambda.aws_kms_key.lambda will be created
  + resource "aws_kms_key" "lambda" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Custom KMS Key for ndr-dev_GetDocumentReferenceFhir"
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Environment" = "dev"
          + "Owner"       = "nhse/ndr-team"
          + "Workspace"   = "ndr-dev"
        }
    }

  # module.get_document_reference_fhir_lambda.aws_lambda_function.lambda must be replaced
  # (moved from module.get-doc-fhir-lambda.aws_lambda_function.lambda)
+/- resource "aws_lambda_function" "lambda" {
      ~ architectures                  = [
          - "x86_64",
        ] -> (known after apply)
      ~ arn                            = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference" -> (known after apply)
      ~ code_sha256                    = "kslQSG86EGQLxrYYwTl4vgqE4NVan3rd9tYQz/VZEe8=" -> (known after apply)
      ~ function_name                  = "ndr-dev_GetDocumentReference" -> "ndr-dev_GetDocumentReferenceFhir" # forces replacement
      ~ handler                        = "handlers.get_fhir_document_reference_handler.lambda_handler" -> "handlers.get_document_reference_fhir_handler.lambda_handler"
      ~ id                             = "ndr-dev_GetDocumentReference" -> (known after apply)
      ~ invoke_arn                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference/invocations" -> (known after apply)
      ~ kms_key_arn                    = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/79756dcb-72fa-4439-a67d-552061b78f63" -> (known after apply)
      ~ last_modified                  = "2025-10-23T16:16:58.000+0000" -> (known after apply)
      ~ layers                         = [
          - "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:layer:LambdaInsightsExtension:53",
            "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:layer:AWS-AppConfig-Extension:120",
          - "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:layer:ndr-dev_core_lambda_layer:436",
          + "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:layer:LambdaInsightsExtension:53",
        ]
      ~ qualified_arn                  = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference:6" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference:6/invocations" -> (known after apply)
      ~ role                           = "[REDACTED_IAM_ROLE_ARN]" -> (known after apply)
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      ~ source_code_size               = 217233 -> (known after apply)
      - tags                           = {} -> null
      ~ version                        = "6" -> (known after apply)
        # (13 unchanged attributes hidden)

      ~ logging_config (known after apply)
      - logging_config {
          - log_format            = "Text" -> null
          - log_group             = "/aws/lambda/ndr-dev_GetDocumentReference" -> null
            # (2 unchanged attributes hidden)
        }

      ~ tracing_config (known after apply)
      - tracing_config {
          - mode = "PassThrough" -> null
        }

      + vpc_config {
          + ipv6_allowed_for_dual_stack = false
          + vpc_id                      = (known after apply)
        }

        # (2 unchanged blocks hidden)
    }

  # module.get_document_reference_fhir_lambda.aws_lambda_permission.lambda_permission[0] must be replaced
  # (moved from module.get-doc-fhir-lambda.aws_lambda_permission.lambda_permission[0])
+/- resource "aws_lambda_permission" "lambda_permission" {
      ~ function_name       = "arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_GetDocumentReference" -> (known after apply) # forces replacement
      ~ id                  = "AllowAPIGatewayInvoke" -> (known after apply)
      ~ source_arn          = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ccy0v3rve9/*/*" -> "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/*/*" # forces replacement
      + statement_id_prefix = (known after apply)
        # (4 unchanged attributes hidden)
    }

  # module.ndr-ecs-fargate-app.aws_ecs_task_definition.ndr_ecs_task will be updated in-place
  ~ resource "aws_ecs_task_definition" "ndr_ecs_task" {
        id                       = "ndr-dev-task-app-cluster"
        tags                     = {}
      ~ tags_all                 = {
          + "Environment" = "dev"
          + "Owner"       = "nhse/ndr-team"
          + "Workspace"   = "ndr-dev"
        }
        # (16 unchanged attributes hidden)
    }

  # module.ndr-ecs-fargate-data-collection[0].aws_ecs_task_definition.ndr_ecs_task will be updated in-place
  ~ resource "aws_ecs_task_definition" "ndr_ecs_task" {
        id                       = "ndr-dev-task-data-collection"
        tags                     = {}
      ~ tags_all                 = {
          + "Environment" = "dev"
          + "Owner"       = "nhse/ndr-team"
          + "Workspace"   = "ndr-dev"
        }
        # (16 unchanged attributes hidden)
    }

  # module.post-document-references-fhir-lambda.aws_api_gateway_integration.lambda_integration["0"] will be destroyed
  # (because aws_api_gateway_integration.lambda_integration is not in configuration)
  - resource "aws_api_gateway_integration" "lambda_integration" {
      - cache_key_parameters    = [] -> null
      - cache_namespace         = "yhpuj4" -> null
      - connection_type         = "INTERNET" -> null
      - http_method             = "POST" -> null
      - id                      = "agi-ccy0v3rve9-yhpuj4-POST" -> null
      - integration_http_method = "POST" -> null
      - passthrough_behavior    = "WHEN_NO_MATCH" -> null
      - request_parameters      = {} -> null
      - request_templates       = {} -> null
      - resource_id             = "yhpuj4" -> null
      - rest_api_id             = "ccy0v3rve9" -> null
      - timeout_milliseconds    = 29000 -> null
      - type                    = "AWS_PROXY" -> null
      - uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_PostDocumentReferencesFHIR/invocations" -> null
        # (3 unchanged attributes hidden)
    }

  # module.post-document-references-fhir-lambda.aws_iam_role_policy.lambda_kms_access will be destroyed
  # (because aws_iam_role_policy.lambda_kms_access is not in configuration)
  - resource "aws_iam_role_policy" "lambda_kms_access" {
      - id          = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR:lambda_kms_usage" -> null
      - name        = "lambda_kms_usage" -> null
      - policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/37e1841e-d028-4b6b-a521-8bc0fc2edc38"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role        = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR" -> null
        # (1 unchanged attribute hidden)
    }

  # module.post-document-references-fhir-lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"] will be destroyed
  # (because aws_iam_role_policy_attachment.default_policies is not in configuration)
  - resource "aws_iam_role_policy_attachment" "default_policies" {
      - id         = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]01" -> null
      - policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy" -> null
      - role       = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR" -> null
    }

  # module.post-document-references-fhir-lambda.aws_iam_role_policy_attachment.default_policies["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"] will be destroyed
  # (because aws_iam_role_policy_attachment.default_policies is not in configuration)
  - resource "aws_iam_role_policy_attachment" "default_policies" {
      - id         = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]02" -> null
      - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" -> null
      - role       = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR" -> null
    }

  # module.post-document-references-fhir-lambda.aws_iam_role_policy_attachment.lambda_execution_policy will be destroyed
  # (because aws_iam_role_policy_attachment.lambda_execution_policy is not in configuration)
  - resource "aws_iam_role_policy_attachment" "lambda_execution_policy" {
      - id         = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]03" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_PostDocumentReferencesFHIR_combined_policy" -> null
      - role       = "ndr-dev_lambda_execution_role_PostDocumentReferencesFHIR" -> null
    }

  # module.post-document-references-fhir-lambda.aws_kms_key.lambda will be destroyed
  # (because aws_kms_key.lambda is not in configuration)
  - resource "aws_kms_key" "lambda" {
      - arn                                = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/37e1841e-d028-4b6b-a521-8bc0fc2edc38" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 7 -> null
      - description                        = "Custom KMS Key for ndr-dev_PostDocumentReferencesFHIR" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "37e1841e-d028-4b6b-a521-8bc0fc2edc38" -> null
      - is_enabled                         = true -> null
      - key_id                             = "37e1841e-d028-4b6b-a521-8bc0fc2edc38" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowRootAccountAccess"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowLambdaExecutionRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "Environment" = "dev"
          - "Owner"       = "nhse/ndr-team"
          - "Workspace"   = "ndr-dev"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # module.post_document_reference_fhir_lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.post_document_reference_fhir_lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_DocumentReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_PDMDocumentMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-staging-bulk-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParameters",
                              + "ssm:PutParameter",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.post_document_reference_fhir_lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document
(truncated - see workflow logs for full output)
