Skip to content

[PRM-609] Add git ref feature flag #522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
adamwhitingnhs wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[PRM-609] Add git ref feature flag #522

adamwhitingnhs wants to merge 2 commits into from

Conversation

@adamwhitingnhs
Copy link
Contributor

@adamwhitingnhs adamwhitingnhs commented Nov 27, 2025

No description provided.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 27, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link

github-actions bot commented Nov 27, 2025

Report for environment: ndr-dev

Terraform Initialization ⚙️success

Initialization Output 

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
- access-audit-alarm in modules/lambda_alarms
- access-audit-alarm-topic in modules/sns
- access-audit-gateway in modules/gateway
- access-audit-lambda in modules/lambda
- access_audit_dynamodb_table in modules/dynamo_db
- alarm_state_history_table in modules/dynamo_db
- api_endpoint_url_ssm_parameter in modules/ssm_parameter
- auth_session_dynamodb_table in modules/dynamo_db
- auth_state_dynamodb_table in modules/dynamo_db
- authoriser-alarm in modules/lambda_alarms
- authoriser-alarm-topic in modules/sns
- authoriser-lambda in modules/lambda
- back-channel-logout-gateway in modules/gateway
- back_channel_logout_alarm in modules/lambda_alarms
- back_channel_logout_alarm_topic in modules/sns
- back_channel_logout_lambda in modules/lambda
- bulk-upload-alarm in modules/lambda_alarms
- bulk-upload-alarm-topic in modules/sns
- bulk-upload-lambda in modules/lambda
- bulk-upload-metadata-alarm in modules/lambda_alarms
- bulk-upload-metadata-alarm-topic in modules/sns
- bulk-upload-metadata-lambda in modules/lambda
- bulk-upload-metadata-processor-alarm in modules/lambda_alarms
- bulk-upload-metadata-processor-alarm-topic in modules/sns
- bulk-upload-metadata-processor-lambda in modules/lambda
- bulk-upload-report-alarm in modules/lambda_alarms
- bulk-upload-report-alarm-topic in modules/sns
- bulk-upload-report-lambda in modules/lambda
- bulk_upload_metadata_preprocessor_lambda in modules/lambda
- bulk_upload_report_dynamodb_table in modules/dynamo_db
Downloading registry.terraform.io/cloudstoragesec/cloud-storage-security/aws 1.8.10+css9.03.000 for cloud_storage_security...
- cloud_storage_security in .terraform/modules/cloud_storage_security
- cloudfront-distribution-lg in modules/cloudfront
- cloudfront_edge_dynamodb_table in modules/dynamo_db
- cloudfront_firewall_waf_v2 in modules/firewall_waf_v2
- create-doc-ref-lambda in modules/lambda
- create-token-gateway in modules/gateway
- create-token-lambda in modules/lambda
- create_doc_alarm in modules/lambda_alarms
- create_doc_alarm_topic in modules/sns
- create_token-alarm in modules/lambda_alarms
- create_token-alarm_topic in modules/sns
- data-collection-alarm in modules/lambda_alarms
- data-collection-alarm-topic in modules/sns
- data-collection-lambda in modules/lambda
- delete-doc-ref-gateway in modules/gateway
- delete-doc-ref-lambda in modules/lambda
- delete-document-object-alarm in modules/lambda_alarms
- delete-document-object-alarm-topic in modules/sns
- delete-document-object-lambda in modules/lambda
- delete_doc_alarm in modules/lambda_alarms
- delete_doc_alarm_topic in modules/sns
- document-manifest-job-gateway in modules/gateway
- document-manifest-job-lambda in modules/lambda
- document-status-check-alarm in modules/lambda_alarms
- document-status-check-alarm-topic in modules/sns
- document-status-check-gateway in modules/gateway
- document-status-check-lambda in modules/lambda
- document_manifest_alarm in modules/lambda_alarms
- document_manifest_alarm_topic in modules/sns
- document_reference_dynamodb_table in modules/dynamo_db
- document_reference_gateway in modules/gateway
- document_reference_id_gateway in modules/gateway
- document_review_dlq_alarm_topic in modules/sns
- document_review_dynamodb_table in modules/dynamo_db
- document_review_processor_lambda in modules/lambda
- document_review_queue in modules/sqs
- document_upload_check_lambda in modules/lambda
- edge-presign-lambda in modules/lambda_edge
- edge_presign_alarm in modules/lambda_alarms
- edge_presign_alarm_topic in modules/sns
- feature-flags-gateway in modules/gateway
- feature-flags-lambda in modules/lambda
- feature_flags_alarm in modules/lambda_alarms
- feature_flags_alarm_topic in modules/sns
- fhir_document_reference_gateway in modules/gateway
- fhir_document_reference_mtls_gateway in modules/gateway
- firewall_waf_v2 in modules/firewall_waf_v2
- firewall_waf_v2_api in modules/firewall_waf_v2
- generate-document-manifest-alarm in modules/lambda_alarms
- generate-document-manifest-alarm-topic in modules/sns
- generate-document-manifest-lambda in modules/lambda
- generate-lloyd-george-stitch-alarm in modules/lambda_alarms
- generate-lloyd-george-stitch-alarm-topic in modules/sns
- generate-lloyd-george-stitch-lambda in modules/lambda
- get-doc-fhir-lambda in modules/lambda
- get-doc-ref-alarm in modules/lambda_alarms
- get-doc-ref-alarm-topic in modules/sns
- get-doc-ref-lambda in modules/lambda
- get-report-by-ods-alarm in modules/lambda_alarms
- get-report-by-ods-alarm-topic in modules/sns
- get-report-by-ods-gateway in modules/gateway
- get-report-by-ods-lambda in modules/lambda
- get_document_review_lambda in modules/lambda
- get_document_review_lambda_alarm in modules/lambda_alarms
- get_document_review_lambda_alarm_topic in modules/sns
- global_sqs_age_alarm_topic in modules/sns
- im-alerting-lambda in modules/lambda
- lambda-layer-alerting in modules/lambda_layers
- lambda-layer-core in modules/lambda_layers
- lambda-layer-data in modules/lambda_layers
- lambda-layer-reports in modules/lambda_layers
- lg-bulk-upload-expedite-metadata-queue in modules/sqs
- lloyd-george-stitch-gateway in modules/gateway
- lloyd-george-stitch-lambda in modules/lambda
- lloyd-george-stitch_alarm in modules/lambda_alarms
- lloyd-george-stitch_topic in modules/sns
- lloyd_george_reference_dynamodb_table in modules/dynamo_db
- login_redirect-alarm_topic in modules/sns
- login_redirect_alarm in modules/lambda_alarms
- login_redirect_lambda in modules/lambda
- logout-gateway in modules/gateway
- logout_alarm in modules/lambda_alarms
- logout_alarm_topic in modules/sns
- logout_lambda in modules/lambda
- manage-nrl-pointer-alarm in modules/lambda_alarms
- manage-nrl-pointer-alarm-topic in modules/sns
- manage-nrl-pointer-lambda in modules/lambda
- migration-dynamodb-lambda in modules/lambda
- migration-dynamodb-segment-lambda in modules/lambda
- migration-dynamodb-segment-store in modules/s3
- migration-failed-items-store in modules/s3
- mns-dlq-alarm-topic in modules/sns
- mns-notification-alarm in modules/lambda_alarms
- mns-notification-alarm-topic in modules/sns
- mns-notification-lambda in modules/lambda
- mns_encryption_key in modules/kms
- mtls_api_endpoint_url_ssm_parameter in modules/ssm_parameter
- ndr-app-config in modules/app_config
- ndr-bulk-staging-store in modules/s3
- ndr-docker-ecr-data-collection in modules/ecr
- ndr-docker-ecr-ui in modules/ecr
- ndr-document-pending-review-store in modules/s3
- ndr-document-store in modules/s3
- ndr-ecs-container-port-ssm-parameter in modules/ssm_parameter
- ndr-ecs-fargate-app in modules/ecs
- ndr-ecs-fargate-data-collection in modules/ecs
- ndr-feedback-mailbox in modules/ses
- ndr-lloyd-george-store in modules/s3
- ndr-truststore in modules/s3
- ndr-vpc-ui in modules/vpc
- ndr-zip-request-store in modules/s3
- nhs-oauth-token-generator-alarm in modules/lambda_alarms
- nhs-oauth-token-generator-alarm-topic in modules/sns
- nhs-oauth-token-generator-lambda in modules/lambda
- nrl-dlq-alarm-topic in modules/sns
- patch_document_review_lambda in modules/lambda
- patch_document_review_lambda_alarm in modules/lambda_alarms
- patch_document_review_lambda_alarm_topic in modules/sns
- pdf-stitching-alarm-topic in modules/sns
- pdf-stitching-lambda in modules/lambda
- pdf-stitching-lambda-alarms in modules/lambda_alarms
- pdm-document-store in modules/s3
- pdm_dynamodb_table in modules/dynamo_db
- pdm_encryption_key in modules/kms
- post-document-references-fhir-lambda in modules/lambda
- review_document_gateway in modules/gateway
- review_document_version_gateway in modules/gateway
- route53_fargate_ui in modules/route53
- search-document-references-fhir-lambda in modules/lambda
- search-document-references-gateway in modules/gateway
- search-document-references-lambda in modules/lambda
- search-patient-details-gateway in modules/gateway
- search-patient-details-lambda in modules/lambda
- search_doc_alarm in modules/lambda_alarms
- search_doc_alarm_topic in modules/sns
- search_document_review_lambda in modules/lambda
- search_document_review_lambda_alarm in modules/lambda_alarms
- search_document_review_lambda_alarm_topic in modules/sns
- search_patient_alarm in modules/lambda_alarms
- search_patient_alarm_topic in modules/sns
- send-feedback-alarm in modules/lambda_alarms
- send-feedback-alarm-topic in modules/sns
- send-feedback-gateway in modules/gateway
- send-feedback-lambda in modules/lambda
- sns_encryption_key in modules/kms
- sqs-lg-bulk-upload-invalid-queue in modules/sqs
- sqs-lg-bulk-upload-metadata-queue in modules/sqs
- sqs-mns-notification-queue in modules/sqs
- sqs-nrl-queue in modules/sqs
- sqs-stitching-queue in modules/sqs
- sqs_alarm_lambda_topic in modules/sns
- ssm_param_external_client_cert in modules/ssm_parameter
- ssm_param_external_client_key in modules/ssm_parameter
- ssm_param_unauthorised_client_cert in modules/ssm_parameter
- ssm_param_unauthorised_client_key in modules/ssm_parameter
- statistical-report-alarm in modules/lambda_alarms
- statistical-report-alarm-topic in modules/sns
- statistical-report-lambda in modules/lambda
- statistical-reports-store in modules/s3
- statistics_dynamodb_table in modules/dynamo_db
- stitch_metadata_reference_dynamodb_table in modules/dynamo_db
- stitching-dlq-alarm-topic in modules/sns
- toggle-bulk-upload-lambda in modules/lambda
- unstitched_lloyd_george_reference_dynamodb_table in modules/dynamo_db
- update-doc-ref-alarm in modules/lambda_alarms
- update-doc-ref-alarm-topic in modules/sns
- update-doc-ref-lambda in modules/lambda
- update-upload-state-gateway in modules/gateway
- update-upload-state-lambda in modules/lambda
- update_upload_state_alarm in modules/lambda_alarms
- update_upload_state_alarm_topic in modules/sns
- virus_scan_result_alarm in modules/lambda_alarms
- virus_scan_result_alarm_topic in modules/sns
- virus_scan_result_gateway in modules/gateway
- virus_scan_result_lambda in modules/lambda
- zip_store_reference_dynamodb_table in modules/dynamo_db
Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding latest version of hashicorp/random...
- Finding hashicorp/aws versions matching ">= 4.0.0, ~> 5.0"...
- Finding hashicorp/awscc versions matching ">= 0.72.1, ~> 1.0"...
- Finding latest version of hashicorp/archive...
- Finding latest version of hashicorp/time...
- Installing hashicorp/random v3.7.2...
- Installed hashicorp/random v3.7.2 (signed by HashiCorp)
- Installing hashicorp/aws v5.100.0...
- Installed hashicorp/aws v5.100.0 (signed by HashiCorp)
- Installing hashicorp/awscc v1.65.0...
- Installed hashicorp/awscc v1.65.0 (signed by HashiCorp)
- Installing hashicorp/archive v2.7.1...
- Installed hashicorp/archive v2.7.1 (signed by HashiCorp)
- Installing hashicorp/time v0.13.1...
- Installed hashicorp/time v0.13.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖success

Validation Output 

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan (4 to add, 134 to change, 4 to destroy) 


Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # module.edge-presign-lambda.aws_lambda_function.lambda has changed
  ~ resource "aws_lambda_function" "lambda" {
        id                             = "ndr-dev_EdgePresignLambda"
      ~ qualified_arn                  = "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:476" -> "arn:aws:lambda:us-east-1:[REDACTED_AWS_ACCOUNT_ID]:function:ndr-dev_EdgePresignLambda:479"
        tags                           = {}
        # (28 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
+/- create replacement and then destroy
 <= read (data resources)

Terraform will perform the following actions:

  # aws_api_gateway_deployment.ndr_api_deploy must be replaced
+/- resource "aws_api_gateway_deployment" "ndr_api_deploy" {
      ~ created_date  = "2025-11-27T08:28:36Z" -> (known after apply)
      ~ execution_arn = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ccy0v3rve9/" -> (known after apply)
      ~ id            = "b528f8" -> (known after apply)
      ~ invoke_url    = "[REDACTED_API_GATEWAY_URL]" -> (known after apply)
      ~ variables     = {
          - "deployed_at" = "2025-11-27T08:28:35Z"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_api_gateway_deployment.ndr_api_deploy_mtls must be replaced
+/- resource "aws_api_gateway_deployment" "ndr_api_deploy_mtls" {
      ~ created_date  = "2025-11-27T08:28:35Z" -> (known after apply)
      ~ execution_arn = "arn:aws:execute-api:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:p9uuab4oyl/" -> (known after apply)
      ~ id            = "df7g1y" -> (known after apply)
      ~ invoke_url    = "[REDACTED_API_GATEWAY_URL]" -> (known after apply)
      ~ variables     = {
          - "deployed_at" = "2025-11-27T08:28:35Z"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)
    }

  # aws_api_gateway_stage.ndr_api will be updated in-place
  ~ resource "aws_api_gateway_stage" "ndr_api" {
      ~ deployment_id         = "b528f8" -> (known after apply)
        id                    = "ags-ccy0v3rve9-dev"
        tags                  = {}
        # (14 unchanged attributes hidden)
    }

  # aws_api_gateway_stage.ndr_api_mtls will be updated in-place
  ~ resource "aws_api_gateway_stage" "ndr_api_mtls" {
      ~ deployment_id         = "df7g1y" -> (known after apply)
        id                    = "ags-p9uuab4oyl-dev"
        tags                  = {}
        # (14 unchanged attributes hidden)
    }

  # module.access-audit-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.access-audit-lambda.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.access-audit-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.access-audit-lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/83193deb-104f-4eb5-9263-30637dd3a531",
            ]
        }
    }

  # module.access-audit-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AccessAudit"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.access-audit-lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "root_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowRootAccountAccess"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowLambdaExecutionRole"

          + principals {
              + identifiers = [
                  + "[REDACTED_IAM_ROLE_ARN]",
                ]
              + type        = "AWS"
            }
        }
    }

  # module.access-audit-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_AccessAuditLambda_combined_policy"
        name             = "ndr-dev_AccessAuditLambda_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AccessAudit"
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/83193deb-104f-4eb5-9263-30637dd3a531"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.access-audit-lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_AccessAuditLambda"
        name                  = "ndr-dev_lambda_execution_role_AccessAuditLambda"
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.access-audit-lambda.aws_iam_role_policy.lambda_kms_access will be updated in-place
  ~ resource "aws_iam_role_policy" "lambda_kms_access" {
        id          = "ndr-dev_lambda_execution_role_AccessAuditLambda:lambda_kms_usage"
        name        = "lambda_kms_usage"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/83193deb-104f-4eb5-9263-30637dd3a531"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.access-audit-lambda.aws_kms_key.lambda will be updated in-place
  ~ resource "aws_kms_key" "lambda" {
        id                                 = "83193deb-104f-4eb5-9263-30637dd3a531"
      ~ policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowRootAccountAccess"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowLambdaExecutionRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags                               = {}
        # (14 unchanged attributes hidden)
    }

  # module.authoriser-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.authoriser-lambda.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.authoriser-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.authoriser-lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/f3250b0a-276a-4ce7-a607-f62bdad3b475",
            ]
        }
    }

  # module.authoriser-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParametersByPath",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/jwt_token_public_key",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.authoriser-lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "root_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowRootAccountAccess"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowLambdaExecutionRole"

          + principals {
              + identifiers = [
                  + "[REDACTED_IAM_ROLE_ARN]",
                ]
              + type        = "AWS"
            }
        }
    }

  # module.authoriser-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_AuthoriserLambda_combined_policy"
        name             = "ndr-dev_AuthoriserLambda_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                          - "ssm:GetParametersByPath",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:*:*:parameter/jwt_token_public_key",
                        ]
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/f3250b0a-276a-4ce7-a607-f62bdad3b475"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.authoriser-lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_AuthoriserLambda"
        name                  = "ndr-dev_lambda_execution_role_AuthoriserLambda"
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.authoriser-lambda.aws_iam_role_policy.lambda_kms_access will be updated in-place
  ~ resource "aws_iam_role_policy" "lambda_kms_access" {
        id          = "ndr-dev_lambda_execution_role_AuthoriserLambda:lambda_kms_usage"
        name        = "lambda_kms_usage"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/f3250b0a-276a-4ce7-a607-f62bdad3b475"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.authoriser-lambda.aws_kms_key.lambda will be updated in-place
  ~ resource "aws_kms_key" "lambda" {
        id                                 = "f3250b0a-276a-4ce7-a607-f62bdad3b475"
      ~ policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowRootAccountAccess"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowLambdaExecutionRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags                               = {}
        # (14 unchanged attributes hidden)
    }

  # module.back_channel_logout_lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.back_channel_logout_lambda.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.back_channel_logout_lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.back_channel_logout_lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/e400dbab-bdff-4b86-a2c0-e327b4634c4b",
            ]
        }
    }

  # module.back_channel_logout_lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParameters",
                              + "ssm:PutParameter",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.back_channel_logout_lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "root_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowRootAccountAccess"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowLambdaExecutionRole"

          + principals {
              + identifiers = [
                  + "[REDACTED_IAM_ROLE_ARN]",
                ]
              + type        = "AWS"
            }
        }
    }

  # module.back_channel_logout_lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_BackChannelLogoutHandler_combined_policy"
        name             = "ndr-dev_BackChannelLogoutHandler_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ssm:GetParameter",
                          - "ssm:GetParameters",
                          - "ssm:PutParameter",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:ssm:*:*:parameter/*",
                        ]
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata/index/NDRSessionIdIndex"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:UpdateItem",
                          - "dynamodb:PutItem",
                          - "dynamodb:DeleteItem",
                          - "dynamodb:BatchWriteItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_AuthSessionReferenceMetadata"
                    },
                  - {
                      - Action   = [
                          - "appconfig:StartConfigurationSession",
                          - "appconfig:GetLatestConfiguration",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                    },
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/e400dbab-bdff-4b86-a2c0-e327b4634c4b"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags             = {}
        # (7 unchanged attributes hidden)
    }

  # module.back_channel_logout_lambda.aws_iam_role.lambda_execution_role will be updated in-place
  ~ resource "aws_iam_role" "lambda_execution_role" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "ndr-dev_lambda_execution_role_BackChannelLogoutHandler"
        name                  = "ndr-dev_lambda_execution_role_BackChannelLogoutHandler"
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.back_channel_logout_lambda.aws_iam_role_policy.lambda_kms_access will be updated in-place
  ~ resource "aws_iam_role_policy" "lambda_kms_access" {
        id          = "ndr-dev_lambda_execution_role_BackChannelLogoutHandler:lambda_kms_usage"
        name        = "lambda_kms_usage"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/e400dbab-bdff-4b86-a2c0-e327b4634c4b"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.back_channel_logout_lambda.aws_kms_key.lambda will be updated in-place
  ~ resource "aws_kms_key" "lambda" {
        id                                 = "e400dbab-bdff-4b86-a2c0-e327b4634c4b"
      ~ policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowRootAccountAccess"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey",
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "[REDACTED_IAM_ROLE_ARN]"
                        }
                      - Resource  = "*"
                      - Sid       = "AllowLambdaExecutionRole"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags                               = {}
        # (14 unchanged attributes hidden)
    }

  # module.bulk-upload-lambda.data.archive_file.lambda will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "archive_file" "lambda" {
      + id                  = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_base64sha512 = (known after apply)
      + output_md5          = (known after apply)
      + output_path         = "placeholder_lambda_payload.zip"
      + output_sha          = (known after apply)
      + output_sha256       = (known after apply)
      + output_sha512       = (known after apply)
      + output_size         = (known after apply)
      + source_file         = "placeholder_lambda.py"
      + type                = "zip"
    }

  # module.bulk-upload-lambda.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.assume_role will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "sts:AssumeRole",
            ]
          + effect  = "Allow"

          + principals {
              + identifiers = [
                  + "lambda.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.lambda_kms_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "lambda_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/a5b8d163-72aa-4d81-b8f9-f03d9a5e24e6",
            ]
        }
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.merged_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "merged_policy" {
      + id                      = (known after apply)
      + json                    = (known after apply)
      + minified_json           = (known after apply)
      + source_policy_documents = [
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-staging-bulk-store/*",
                              + "arn:aws:s3:::ndr-dev-staging-bulk-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-staging-bulk-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:List*",
                              + "s3:Get*",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                              + "arn:aws:s3:::ndr-dev-lloyd-george-store",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "s3:RestoreObject",
                              + "s3:Put*",
                              + "s3:Delete*",
                              + "s3:AbortMultipartUpload",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/S3FileKeyIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:Scan",
                              + "dynamodb:Query",
                              + "dynamodb:GetItem",
                              + "dynamodb:BatchGetItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/NhsNumberIndex"
                        },
                      + {
                          + Action   = "dynamodb:Query"
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport/index/TimestampIndex"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "dynamodb:UpdateItem",
                              + "dynamodb:PutItem",
                              + "dynamodb:DeleteItem",
                              + "dynamodb:BatchWriteItem",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_BulkUploadReport"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-stitching-queue",
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-deadletter-stitching-queue",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:ReceiveMessage",
                              + "sqs:GetQueueUrl",
                              + "sqs:GetQueueAttributes",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-metadata-queue.fifo"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:ReceiveMessage",
                              + "sqs:GetQueueUrl",
                              + "sqs:GetQueueAttributes",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-invalid-queue"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:SendMessage",
                              + "sqs:DeleteMessage",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-expedite-metadata-queue.fifo",
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-deadletter-lg-bulk-upload-expedite-metadata-queue.fifo",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "sqs:ReceiveMessage",
                              + "sqs:GetQueueUrl",
                              + "sqs:GetQueueAttributes",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-lg-bulk-upload-expedite-metadata-queue.fifo",
                              + "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:ndr-dev-deadletter-lg-bulk-upload-expedite-metadata-queue.fifo",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "ssm:GetParameter",
                              + "ssm:GetParameters",
                              + "ssm:PutParameter",
                            ]
                          + Effect   = "Allow"
                          + Resource = [
                              + "arn:aws:ssm:*:*:parameter/*",
                            ]
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "appconfig:StartConfigurationSession",
                              + "appconfig:GetLatestConfiguration",
                            ]
                          + Effect   = "Allow"
                          + Resource = "arn:aws:appconfig:*:*:application/cbe8t8t/environment/w3zulwr/configuration/tsaegbq"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            ),
          + (known after apply),
        ]
    }

  # module.bulk-upload-lambda.data.aws_iam_policy_document.root_kms_access will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "root_kms_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowRootAccountAccess"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:Encrypt",
              + "kms:GenerateDataKey",
            ]
          + effect    = "Allow"
          + resources = [
              + "*",
            ]
          + sid       = "AllowLambdaExecutionRole"

          + principals {
              + identifiers = [
                  + "[REDACTED_IAM_ROLE_ARN]",
                ]
              + type        = "AWS"
            }
        }
    }

  # module.bulk-upload-lambda.aws_iam_policy.combined_policies will be updated in-place
  ~ resource "aws_iam_policy" "combined_policies" {
        id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/ndr-dev_BulkUploadLambda_combined_policy"
        name             = "ndr-dev_BulkUploadLambda_combined_policy"
      ~ policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-staging-bulk-store/*",
                          - "arn:aws:s3:::ndr-dev-staging-bulk-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-staging-bulk-store/*"
                    },
                  - {
                      - Action   = [
                          - "s3:List*",
                          - "s3:Get*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store/*",
                          - "arn:aws:s3:::ndr-dev-lloyd-george-store",
                        ]
                    },
                  - {
                      - Action   = [
                          - "s3:RestoreObject",
                          - "s3:Put*",
                          - "s3:Delete*",
                          - "s3:AbortMultipartUpload",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:s3:::ndr-dev-lloyd-george-store/*"
                    },
                  - {
                      - Action   = [
                          - "dynamodb:Scan",
                          - "dynamodb:Query",
                          - "dynamodb:GetItem",
                          - "dynamodb:BatchGetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/FileLocationsIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/NhsNumberIndex"
                    },
                  - {
                      - Action   = "dynamodb:Query"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/ndr-dev_LloydGeorgeReferenceMetadata/index/OdsCodeIndex"
                    },
               
(truncated - see workflow logs for full output)

@adamwhitingnhs adamwhitingnhs changed the title Prm 609 [PRM-609] Add git ref feature flag Nov 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@adamwhitingnhs