Skip to content

feat: Added load balancer log exports. #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jamesiarmes merged 1 commit into from
Jun 24, 2025
Merged

feat: Added load balancer log exports. #10

jamesiarmes merged 1 commit into from
Jun 24, 2025

Conversation

@jamesiarmes
Copy link
Member

@jamesiarmes jamesiarmes commented Jun 24, 2025

No description provided.

@github-actions
Copy link

github-actions bot commented Jun 24, 2025

Plan output

module.app["dc-sebt-portal"].module.secrets.data.aws_region.current: Reading...
module.logging.module.s3.data.aws_organizations_organization.current: Reading...
module.app["dc-sebt-portal"].module.database["this"].data.aws_region.current: Reading...
module.vpc.module.vpc.data.aws_caller_identity.current[0]: Reading...
module.app["dc-sebt-portal"].data.aws_lambda_functions.all: Reading...
module.vpc.module.vpc.data.aws_partition.current[0]: Reading...
module.vpc.data.aws_availability_zones.available: Reading...
module.logging.module.s3.data.aws_caller_identity.current: Reading...
module.logging.data.aws_lambda_functions.all: Reading...
module.app["dc-sebt-portal"].module.secrets.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.vpc.module.vpc.data.aws_partition.current[0]: Read complete after 0s [id=aws]
module.app["dc-sebt-portal"].module.database["this"].data.aws_region.current: Read complete after 0s [id=us-east-1]
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.ecs_insights: Reading...
module.app["dc-sebt-portal"].module.secrets.data.aws_caller_identity.identity: Reading...
module.vpc.module.vpc.data.aws_caller_identity.current[0]: Read complete after 0s [id=816069131564]
module.logging.data.aws_region.current: Reading...
module.logging.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.logging.data.aws_partition.current: Reading...
module.logging.data.aws_caller_identity.identity: Reading...
module.logging.data.aws_partition.current: Read complete after 0s [id=aws]
module.logging.module.s3.data.aws_region.current: Reading...
module.logging.module.s3.data.aws_region.current: Read complete after 0s [id=us-east-1]
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.ecs: Reading...
module.logging.module.s3.data.aws_caller_identity.current: Read complete after 0s [id=816069131564]
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.rds: Reading...
module.app["dc-sebt-portal"].module.secrets.data.aws_caller_identity.identity: Read complete after 0s [id=816069131564]
module.vpc.module.vpc.data.aws_region.current[0]: Reading...
module.vpc.module.vpc.data.aws_region.current[0]: Read complete after 0s [id=us-east-1]
module.logging.data.aws_caller_identity.identity: Read complete after 0s [id=816069131564]
module.vpc.data.aws_availability_zones.available: Read complete after 0s [id=us-east-1]
module.app["dc-sebt-portal"].module.database["this"].data.aws_rds_engine_version.this: Reading...
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.ecs_insights: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_vpc_endpoint_service.services["ec2messages"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ssm"]: Reading...
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.rds: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_vpc_endpoint_service.services["ssm-incidents"]: Reading...
module.app["dc-sebt-portal"].data.aws_lambda_functions.all: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_vpc_endpoint_service.services["ssmmessages"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ssm-contacts"]: Reading...
module.app["dc-sebt-portal"].data.aws_cloudwatch_log_groups.ecs: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_vpc_endpoint_service.services["guardduty-data"]: Reading...
module.logging.data.aws_lambda_functions.all: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_vpc_endpoint_service.services["ecr.dkr"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ec2messages"]: Read complete after 0s [id=2187510914]
module.vpc.data.aws_vpc_endpoint_service.services["ecr.api"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ssm"]: Read complete after 0s [id=874300523]
module.vpc.data.aws_vpc_endpoint_service.services["ec2"]: Reading...
module.app["dc-sebt-portal"].module.database["this"].module.mssql["this"].module.db_instance.data.aws_iam_policy_document.enhanced_monitoring: Reading...
module.app["dc-sebt-portal"].module.database["this"].module.mssql["this"].module.db_instance.data.aws_iam_policy_document.enhanced_monitoring: Read complete after 0s [id=76086537]
module.vpc.data.aws_vpc_endpoint_service.services["ssm-incidents"]: Read complete after 0s [id=3798321550]
module.vpc.module.vpc.data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0]: Reading...
module.app["dc-sebt-portal"].module.database["this"].module.mssql["this"].module.db_instance.data.aws_partition.current: Reading...
module.vpc.module.vpc.data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0]: Read complete after 0s [id=1021377347]
module.app["dc-sebt-portal"].module.database["this"].module.mssql["this"].module.db_instance.data.aws_partition.current: Read complete after 0s [id=aws]
module.app["dc-sebt-portal"].module.secrets.data.aws_partition.current: Reading...
module.logging.module.s3.data.aws_partition.current: Reading...
module.app["dc-sebt-portal"].module.secrets.data.aws_partition.current: Read complete after 0s [id=aws]
module.logging.module.s3.data.aws_partition.current: Read complete after 0s [id=aws]
module.app["dc-sebt-portal"].module.database["this"].data.aws_caller_identity.identity: Reading...
module.logging.data.aws_elb_service_account.current: Reading...
module.logging.data.aws_elb_service_account.current: Read complete after 0s [id=127311923021]
module.vpc.data.aws_vpc_endpoint_service.services["guardduty-data"]: Read complete after 0s [id=3795168285]
module.vpc.data.aws_vpc_endpoint_service.services["ssm-contacts"]: Read complete after 0s [id=3701104373]
module.app["dc-sebt-portal"].module.database["this"].data.aws_partition.current: Reading...
module.app["dc-sebt-portal"].module.database["this"].data.aws_partition.current: Read complete after 0s [id=aws]
module.vpc.data.aws_vpc_endpoint_service.services["ssmmessages"]: Read complete after 0s [id=1315226949]
module.app["dc-sebt-portal"].module.database["this"].data.aws_caller_identity.identity: Read complete after 0s [id=816069131564]
module.logging.module.s3.data.aws_organizations_organization.current: Read complete after 0s [id=o-f5mr0gq6lc]
module.vpc.data.aws_vpc_endpoint_service.services["ecr.dkr"]: Read complete after 0s [id=1314884315]
module.app["dc-sebt-portal"].data.aws_lambda_function.datadog["this"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ecr.api"]: Read complete after 0s [id=1808222790]
module.logging.data.aws_lambda_function.datadog["this"]: Reading...
module.vpc.data.aws_vpc_endpoint_service.services["ec2"]: Read complete after 0s [id=2644592029]
module.logging.module.s3.data.aws_iam_policy_document.default: Reading...
module.logging.module.s3.data.aws_iam_policy_document.default: Read complete after 0s [id=3580588753]
module.logging.module.s3.data.aws_iam_policy_document.combined: Reading...
module.logging.module.s3.data.aws_iam_policy_document.combined: Read complete after 0s [id=199516603]
module.app["dc-sebt-portal"].data.aws_lambda_function.datadog["this"]: Read complete after 0s [id=DatadogIntegration-ForwarderStack-W7KLT9-Forwarder-VufEAiofNX9f]
module.logging.data.aws_lambda_function.datadog["this"]: Read complete after 0s [id=DatadogIntegration-ForwarderStack-W7KLT9-Forwarder-VufEAiofNX9f]
module.app["dc-sebt-portal"].module.database["this"].data.aws_rds_engine_version.this: Read complete after 1s [id=16.00.4185.3.v1]
module.vpc.module.vpc.data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0]: Reading...
module.vpc.module.vpc.data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0]: Read complete after 0s [id=2856726747]
module.vpc.data.aws_subnets.endpoints["ssm-incidents"]: Reading...
module.vpc.data.aws_subnets.endpoints["ssm-contacts"]: Reading...
module.vpc.data.aws_subnets.endpoints["guardduty-data"]: Reading...
module.vpc.data.aws_subnets.endpoints["ssmmessages"]: Reading...
module.vpc.data.aws_subnets.endpoints["ec2"]: Reading...
module.vpc.data.aws_subnets.endpoints["ssm"]: Reading...
module.vpc.data.aws_subnets.endpoints["ec2messages"]: Reading...
module.vpc.data.aws_subnets.endpoints["ecr.dkr"]: Reading...
module.vpc.data.aws_subnets.endpoints["ecr.api"]: Reading...
module.vpc.data.aws_subnets.endpoints["ssm-incidents"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ssm-contacts"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["guardduty-data"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ecr.dkr"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ssm"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ec2messages"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ec2"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ecr.api"]: Read complete after 0s [id=us-east-1]
module.vpc.data.aws_subnets.endpoints["ssmmessages"]: Read complete after 0s [id=us-east-1]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm-contacts"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ec2messages"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ecr.dkr"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["guardduty-data"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ec2"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm-incidents"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ecr.api"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm-contacts"]: Read complete after 0s [id=3701104373]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssmmessages"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["s3"]: Reading...
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ec2messages"]: Read complete after 0s [id=2187510914]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm"]: Read complete after 0s [id=874300523]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["guardduty-data"]: Read complete after 0s [id=3795168285]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ec2"]: Read complete after 0s [id=2644592029]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ecr.dkr"]: Read complete after 0s [id=1314884315]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssm-incidents"]: Read complete after 0s [id=3798321550]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ecr.api"]: Read complete after 1s [id=1808222790]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["ssmmessages"]: Read complete after 1s [id=1315226949]
module.vpc.module.endpoints.data.aws_vpc_endpoint_service.this["s3"]: Read complete after 1s [id=195798706]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
-/+ destroy and then create replacement
+/- create replacement and then destroy
 <= read (data resources)

OpenTofu will perform the following actions:

  # module.app["df-all-screen-scrapes"].aws_cloudwatch_log_subscription_filter.datadog["/aws/ecs/containerinsights/df-all-screens-scrape-development-web/performance"] will be destroyed
  # (because module.app["df-all-screen-scrapes"] is not in configuration)
  - resource "aws_cloudwatch_log_subscription_filter" "datadog" {
      - destination_arn = "arn:aws:lambda:us-east-1:816069131564:function:DatadogIntegration-ForwarderStack-W7KLT9-Forwarder-VufEAiofNX9f" -> null
      - distribution    = "ByLogStream" -> null
      - id              = "cwlsf-4053398882" -> null
      - log_group_name  = "/aws/ecs/containerinsights/df-all-screens-scrape-development-web/performance" -> null
      - name            = "datadog" -> null
    }

  # module.app["df-all-screen-scrapes"].aws_cloudwatch_log_subscription_filter.datadog["/aws/ecs/df-all-screens-scrape/development/web"] will be destroyed
  # (because module.app["df-all-screen-scrapes"] is not in configuration)
  - resource "aws_cloudwatch_log_subscription_filter" "datadog" {
      - destination_arn = "arn:aws:lambda:us-east-1:816069131564:function:DatadogIntegration-ForwarderStack-W7KLT9-Forwarder-VufEAiofNX9f" -> null
      - distribution    = "ByLogStream" -> null
      - id              = "cwlsf-1709858279" -> null
      - log_group_name  = "/aws/ecs/df-all-screens-scrape/development/web" -> null
      - name            = "datadog" -> null
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_caller_identity.identity will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "identity" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_region.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_region" "current" {
      + description = (known after apply)
      + endpoint    = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_route53_zone.domain["this"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_route53_zone" "domain" {
      + arn                        = (known after apply)
      + caller_reference           = (known after apply)
      + comment                    = (known after apply)
      + id                         = (known after apply)
      + linked_service_description = (known after apply)
      + linked_service_principal   = (known after apply)
      + name                       = "dev.codeforamerica.app"
      + name_servers               = (known after apply)
      + primary_name_server        = (known after apply)
      + resource_record_set_count  = (known after apply)
      + tags                       = (known after apply)
      + vpc_id                     = (known after apply)
      + zone_id                    = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_ssm_parameter.version["/sebt-portal/development/web/version"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_ssm_parameter" "version" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + name           = "/sebt-portal/development/web/version"
      + type           = (known after apply)
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].data.aws_vpc.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_vpc" "current" {
      + arn                                  = (known after apply)
      + cidr_block                           = (known after apply)
      + cidr_block_associations              = (known after apply)
      + default                              = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = (known after apply)
      + enable_dns_support                   = (known after apply)
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = "vpc-024d66fcc4f521d0a"
      + instance_tenancy                     = (known after apply)
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + state                                = (known after apply)
      + tags                                 = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_acm_certificate.endpoint["this"] must be replaced
+/- resource "aws_acm_certificate" "endpoint" {
      ~ arn                       = "arn:aws:acm:us-east-1:816069131564:certificate/b185a108-b78d-484b-ab10-4db31a65ecf7" -> (known after apply)
      ~ domain_name               = "www.dc-sebt-portal.development.dev.codeforamerica.app" -> "dc-sebt-portal.dev.codeforamerica.app" # forces replacement
      ~ domain_validation_options = [
          - {
              - domain_name           = "www.dc-sebt-portal.development.dev.codeforamerica.app"
              - resource_record_name  = "_0ca11d6eb5c2ef112d46210b4f5072e0.www.dc-sebt-portal.development.dev.codeforamerica.app."
              - resource_record_type  = "CNAME"
              - resource_record_value = "_a280ac53ae358f4c3b7c88258a69073d.xlfgrmvvlj.acm-validations.aws."
            },
          + {
              + domain_name           = "dc-sebt-portal.dev.codeforamerica.app"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      ~ id                        = "arn:aws:acm:us-east-1:816069131564:certificate/b185a108-b78d-484b-ab10-4db31a65ecf7" -> (known after apply)
      ~ key_algorithm             = "RSA_2048" -> (known after apply)
      ~ not_after                 = "2026-07-13T23:59:59Z" -> (known after apply)
      ~ not_before                = "2025-06-14T00:00:00Z" -> (known after apply)
      ~ pending_renewal           = false -> (known after apply)
      ~ renewal_eligibility       = "ELIGIBLE" -> (known after apply)
      ~ renewal_summary           = [] -> (known after apply)
      ~ status                    = "ISSUED" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
          - "www.dc-sebt-portal.development.dev.codeforamerica.app",
          + "dc-sebt-portal.dev.codeforamerica.app",
        ]
        tags                      = {
            "application" = "sebt-portal-development"
            "environment" = "development"
            "program"     = "safety-net"
            "project"     = "sebt-portal"
        }
      ~ type                      = "AMAZON_ISSUED" -> (known after apply)
      ~ validation_emails         = [] -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ options {
          + arn                       = (known after apply)
          + certificate_authority_arn = (known after apply)
          + certificate_body          = (known after apply)
          + certificate_chain         = (known after apply)
          + domain_name               = (known after apply)
          + domain_validation_options = (known after apply)
          + early_renewal_duration    = (known after apply)
          + id                        = (known after apply)
          + key_algorithm             = (known after apply)
          + not_after                 = (known after apply)
          + not_before                = (known after apply)
          + pending_renewal           = (known after apply)
          + private_key               = (known after apply)
          + renewal_eligibility       = (known after apply)
          + renewal_summary           = (known after apply)
          + status                    = (known after apply)
          + subject_alternative_names = (known after apply)
          + tags                      = (known after apply)
          + tags_all                  = (known after apply)
          + type                      = (known after apply)
          + validation_emails         = (known after apply)
          + validation_method         = (known after apply)
        } -> (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_acm_certificate_validation.endpoint["this"] must be replaced
-/+ resource "aws_acm_certificate_validation" "endpoint" {
      ~ certificate_arn         = "arn:aws:acm:us-east-1:816069131564:certificate/b185a108-b78d-484b-ab10-4db31a65ecf7" # forces replacement -> (known after apply) # forces replacement
      ~ id                      = "0001-01-01 00:00:00 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [ # forces replacement
          - "_0ca11d6eb5c2ef112d46210b4f5072e0.www.dc-sebt-portal.development.dev.codeforamerica.app",
        ] -> (known after apply) # forces replacement
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_iam_role_policy_attachments_exclusive.execution will be updated in-place
  ~ resource "aws_iam_role_policy_attachments_exclusive" "execution" {
      ~ policy_arns = [
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
          + (known after apply),
          + (known after apply),
            # (1 unchanged element hidden)
        ]
        # (1 unchanged attribute hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_iam_role_policy_attachments_exclusive.task will be updated in-place
  ~ resource "aws_iam_role_policy_attachments_exclusive" "task" {
      ~ policy_arns = [
          - "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/CloudWatchFullAccess",
          + (known after apply),
          + (known after apply),
          + (known after apply),
            # (1 unchanged element hidden)
        ]
        # (1 unchanged attribute hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_kms_key.fargate will be updated in-place
  ~ resource "aws_kms_key" "fargate" {
        id                                 = "4527d3ac-0df9-4d4d-8f02-7f0f22a32b28"
      ~ policy                             = jsonencode(
            {
              - Id        = "Fargate hosting key policy"
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::816069131564:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:Decrypt",
                          - "kms:Encrypt",
                          - "kms:GenerateDataKey",
                          - "kms:ReEncrypt*",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "kms:CallerAccount"                 = "816069131564"
                              - "kms:EncryptionContext:aws:ecr:arn" = "arn:aws:ecr:us-east-1:816069131564:repository/sebt-portal-development-web"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "*"
                      - Sid       = "Allow ECR to encrypt container images"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "*"
                      - Sid       = "Allow Fargate containers to encrypt objects"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags                               = {
            "application" = "sebt-portal-development"
            "environment" = "development"
            "program"     = "safety-net"
            "project"     = "sebt-portal"
        }
        # (12 unchanged attributes hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_route53_record.endpoint["this"] must be replaced
-/+ resource "aws_route53_record" "endpoint" {
      + allow_overwrite                  = (known after apply)
      ~ fqdn                             = "www.dc-sebt-portal.development.dev.codeforamerica.app" -> (known after apply)
      ~ id                               = "Z0097236342AE196VY5TV_www.dc-sebt-portal.development.dev.codeforamerica.app_A" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "www.dc-sebt-portal.development.dev.codeforamerica.app" -> "dc-sebt-portal.dev.codeforamerica.app" # forces replacement
      - records                          = [] -> null
      - ttl                              = 0 -> null
      ~ zone_id                          = "Z0097236342AE196VY5TV" # forces replacement -> (known after apply) # forces replacement
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_route53_record.endpoint_validation["dc-sebt-portal.dev.codeforamerica.app"] will be created
  + resource "aws_route53_record" "endpoint_validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].aws_route53_record.endpoint_validation["www.dc-sebt-portal.development.dev.codeforamerica.app"] will be destroyed
  # (because key ["www.dc-sebt-portal.development.dev.codeforamerica.app"] is not in for_each map)
  - resource "aws_route53_record" "endpoint_validation" {
      - allow_overwrite                  = true -> null
      - fqdn                             = "_0ca11d6eb5c2ef112d46210b4f5072e0.www.dc-sebt-portal.development.dev.codeforamerica.app" -> null
      - id                               = "Z0097236342AE196VY5TV__0ca11d6eb5c2ef112d46210b4f5072e0.www.dc-sebt-portal.development.dev.codeforamerica.app._CNAME" -> null
      - multivalue_answer_routing_policy = false -> null
      - name                             = "_0ca11d6eb5c2ef112d46210b4f5072e0.www.dc-sebt-portal.development.dev.codeforamerica.app" -> null
      - records                          = [
          - "_a280ac53ae358f4c3b7c88258a69073d.xlfgrmvvlj.acm-validations.aws.",
        ] -> null
      - ttl                              = 60 -> null
      - type                             = "CNAME" -> null
      - zone_id                          = "Z0097236342AE196VY5TV" -> null
    }

  # module.app["df-all-screen-scrapes"].module.secrets.aws_kms_alias.secrets will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.secrets is not in configuration)
  - resource "aws_kms_alias" "secrets" {
      - arn            = "arn:aws:kms:us-east-1:816069131564:alias/df-all-screens-scrape/development/secrets" -> null
      - id             = "alias/df-all-screens-scrape/development/secrets" -> null
      - name           = "alias/df-all-screens-scrape/development/secrets" -> null
      - target_key_arn = "arn:aws:kms:us-east-1:816069131564:key/c66f1e88-a435-45f7-af3d-7732ad214954" -> null
      - target_key_id  = "c66f1e88-a435-45f7-af3d-7732ad214954" -> null
    }

  # module.app["df-all-screen-scrapes"].module.secrets.aws_kms_key.secrets will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.secrets is not in configuration)
  - resource "aws_kms_key" "secrets" {
      - arn                                = "arn:aws:kms:us-east-1:816069131564:key/c66f1e88-a435-45f7-af3d-7732ad214954" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 30 -> null
      - description                        = "Secrets encryption key for df-all-screens-scrape development" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "c66f1e88-a435-45f7-af3d-7732ad214954" -> null
      - is_enabled                         = true -> null
      - key_id                             = "c66f1e88-a435-45f7-af3d-7732ad214954" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::816069131564:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:Encrypt",
                          - "kms:Decrypt",
                          - "kms:ReEncrypt*",
                          - "kms:CreateGrant",
                          - "kms:DescribeKey",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "kms:CallerAccount" = "816069131564"
                              - "kms:ViaService"    = "secretsmanager.us-east-1.amazonaws.com"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = [
                              - "*",
                            ]
                        }
                      - Resource  = "*"
                      - Sid       = "Allow access through AWS Secrets Manager"
                    },
                  - {
                      - Action    = "kms:GenerateDataKey*"
                      - Condition = {
                          - StringEquals = {
                              - "kms:CallerAccount" = "816069131564"
                            }
                          - StringLike   = {
                              - "kms:ViaService" = "secretsmanager.us-east-1.amazonaws.com"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = [
                              - "*",
                            ]
                        }
                      - Resource  = "*"
                      - Sid       = "Allow access through AWS Secrets Manager"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {} -> null
      - tags_all                           = {
          - "environment" = "development"
          - "project"     = "shared-services"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_acm_certificate.endpoint["this"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_acm_certificate" "endpoint" {
      - arn                       = "arn:aws:acm:us-east-1:816069131564:certificate/2481c5e9-f77d-4021-927b-66e2b6d2367a" -> null
      - domain_name               = "scrapes.tax.dev.services.cfa.codes" -> null
      - domain_validation_options = [
          - {
              - domain_name           = "scrapes.tax.dev.services.cfa.codes"
              - resource_record_name  = "_82dce5817c19ad8cb3b0e037966140c2.scrapes.tax.dev.services.cfa.codes."
              - resource_record_type  = "CNAME"
              - resource_record_value = "_6c16ef9a87f36480afcdbdec47cc60c7.xlfgrmvvlj.acm-validations.aws."
            },
        ] -> null
      - id                        = "arn:aws:acm:us-east-1:816069131564:certificate/2481c5e9-f77d-4021-927b-66e2b6d2367a" -> null
      - key_algorithm             = "RSA_2048" -> null
      - not_after                 = "2026-07-23T23:59:59Z" -> null
      - not_before                = "2025-06-24T00:00:00Z" -> null
      - pending_renewal           = false -> null
      - renewal_eligibility       = "ELIGIBLE" -> null
      - renewal_summary           = [] -> null
      - status                    = "ISSUED" -> null
      - subject_alternative_names = [
          - "scrapes.tax.dev.services.cfa.codes",
        ] -> null
      - tags                      = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all                  = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - type                      = "AMAZON_ISSUED" -> null
      - validation_emails         = [] -> null
      - validation_method         = "DNS" -> null

      - options {
          - certificate_transparency_logging_preference = "ENABLED" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_acm_certificate_validation.endpoint["this"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_acm_certificate_validation" "endpoint" {
      - certificate_arn         = "arn:aws:acm:us-east-1:816069131564:certificate/2481c5e9-f77d-4021-927b-66e2b6d2367a" -> null
      - id                      = "2025-06-24 00:16:05.511 +0000 UTC" -> null
      - validation_record_fqdns = [
          - "_82dce5817c19ad8cb3b0e037966140c2.scrapes.tax.dev.services.cfa.codes",
        ] -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_cloudwatch_log_group.service will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_cloudwatch_log_group" "service" {
      - arn               = "arn:aws:logs:us-east-1:816069131564:log-group:/aws/ecs/df-all-screens-scrape/development/web" -> null
      - id                = "/aws/ecs/df-all-screens-scrape/development/web" -> null
      - kms_key_id        = "arn:aws:kms:us-east-1:816069131564:key/57071cd6-e68a-41e9-8b61-3e51e36d2131" -> null
      - log_group_class   = "STANDARD" -> null
      - name              = "/aws/ecs/df-all-screens-scrape/development/web" -> null
      - retention_in_days = 30 -> null
      - skip_destroy      = false -> null
      - tags              = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all          = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_policy.execution will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_policy" "execution" {
      - arn              = "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-execution" -> null
      - attachment_count = 0 -> null
      - description      = "web task execution policy for df-all-screens-scrape development." -> null
      - id               = "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-execution" -> null
      - name             = "df-all-screens-scrape-development-web-execution" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ecr:GetAuthorizationToken",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "ECRAuthToken"
                    },
                  - {
                      - Action   = [
                          - "ecr:BatchCheckLayerAvailability",
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:BatchGetImage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ecr:us-east-1:816069131564:repository/df-all-screens-scrape-development-web"
                      - Sid      = "ECRRepositoryAccess"
                    },
                  - {
                      - Action    = [
                          - "logs:CreateLogStream",
                          - "logs:PutLogEvents",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "aws:RequestTag/environment" = "development"
                              - "aws:RequestTag/project"     = "df-all-screens-scrape"
                            }
                        }
                      - Effect    = "Allow"
                      - Resource  = "*"
                      - Sid       = "LogWrite"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPA34AMCXUWAZLXGCSW7" -> null
      - tags             = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all         = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_policy.secrets will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_policy" "secrets" {
      - arn              = "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005" -> null
      - attachment_count = 2 -> null
      - description      = "Allow acceess to web secrets for df-all-screens-scrape development." -> null
      - id               = "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005" -> null
      - name             = "df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005" -> null
      - name_prefix      = "df-all-screens-scrape-development-web-secrets-access-" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "secretsmanager:GetSecretValue",
                          - "kms:Decrypt",
                          - "ssm:GetParameter",
                          - "ssm:GetParameters",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:kms:us-east-1:816069131564:key/bf069987-fff0-4faa-bfc2-6013fd921c5e",
                          - "arn:aws:ssm:us-east-1:816069131564:parameter/df-all-screens-scrape/development/web/otel",
                        ]
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPA34AMCXUWPUMPRQO73" -> null
      - tags             = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all         = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_role.execution will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_role" "execution" {
      - arn                   = "arn:aws:iam::816069131564:role/df-all-screens-scrape-development-web-execution" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ecs-tasks.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2025-06-24T00:15:52Z" -> null
      - description           = "web task execution role for df-all-screens-scrape development." -> null
      - force_detach_policies = false -> null
      - id                    = "df-all-screens-scrape-development-web-execution" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005",
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "df-all-screens-scrape-development-web-execution" -> null
      - path                  = "/" -> null
      - tags                  = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all              = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - unique_id             = "AROA34AMCXUWL63BFTORI" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_role.task will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_role" "task" {
      - arn                   = "arn:aws:iam::816069131564:role/df-all-screens-scrape-development-web-task" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ecs-tasks.amazonaws.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2025-06-24T00:15:52Z" -> null
      - description           = "web task role for df-all-screens-scrape development." -> null
      - force_detach_policies = false -> null
      - id                    = "df-all-screens-scrape-development-web-task" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005",
          - "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/CloudWatchFullAccess",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "df-all-screens-scrape-development-web-task" -> null
      - path                  = "/" -> null
      - tags                  = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all              = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - unique_id             = "AROA34AMCXUWNAUDML66O" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_role_policy_attachments_exclusive.execution will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_role_policy_attachments_exclusive" "execution" {
      - policy_arns = [
          - "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005",
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
        ] -> null
      - role_name   = "df-all-screens-scrape-development-web-execution" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_iam_role_policy_attachments_exclusive.task will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_iam_role_policy_attachments_exclusive" "task" {
      - policy_arns = [
          - "arn:aws:iam::816069131564:policy/df-all-screens-scrape-development-web-secrets-access-20250624001607232500000005",
          - "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
          - "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
          - "arn:aws:iam::aws:policy/CloudWatchFullAccess",
        ] -> null
      - role_name   = "df-all-screens-scrape-development-web-task" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_kms_alias.fargate will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_kms_alias" "fargate" {
      - arn            = "arn:aws:kms:us-east-1:816069131564:alias/df-all-screens-scrape/development/web" -> null
      - id             = "alias/df-all-screens-scrape/development/web" -> null
      - name           = "alias/df-all-screens-scrape/development/web" -> null
      - target_key_arn = "arn:aws:kms:us-east-1:816069131564:key/bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
      - target_key_id  = "bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_kms_key.fargate will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_kms_key" "fargate" {
      - arn                                = "arn:aws:kms:us-east-1:816069131564:key/bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
      - bypass_policy_lockout_safety_check = false -> null
      - customer_master_key_spec           = "SYMMETRIC_DEFAULT" -> null
      - deletion_window_in_days            = 30 -> null
      - description                        = "web hosting encryption key for df-all-screens-scrape development" -> null
      - enable_key_rotation                = true -> null
      - id                                 = "bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
      - is_enabled                         = true -> null
      - key_id                             = "bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
      - key_usage                          = "ENCRYPT_DECRYPT" -> null
      - multi_region                       = false -> null
      - policy                             = jsonencode(
            {
              - Id        = "Fargate hosting key policy"
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::816069131564:root"
                        }
                      - Resource  = "*"
                      - Sid       = "Enable IAM User Permissions"
                    },
                  - {
                      - Action    = [
                          - "kms:Decrypt",
                          - "kms:Encrypt",
                          - "kms:GenerateDataKey",
                          - "kms:ReEncrypt*",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "kms:CallerAccount"                 = "816069131564"
                              - "kms:EncryptionContext:aws:ecr:arn" = "arn:aws:ecr:us-east-1:816069131564:repository/df-all-screens-scrape-development-web"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "*"
                      - Sid       = "Allow ECR to encrypt container images"
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "*"
                      - Sid       = "Allow Fargate containers to encrypt objects"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days            = 365 -> null
      - tags                               = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all                           = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_route53_record.endpoint["this"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_route53_record" "endpoint" {
      - fqdn                             = "scrapes.tax.dev.services.cfa.codes" -> null
      - id                               = "Z088564232NGJRO0LYHKL_scrapes.tax.dev.services.cfa.codes_A" -> null
      - multivalue_answer_routing_policy = false -> null
      - name                             = "scrapes.tax.dev.services.cfa.codes" -> null
      - records                          = [] -> null
      - ttl                              = 0 -> null
      - type                             = "A" -> null
      - zone_id                          = "Z088564232NGJRO0LYHKL" -> null

      - alias {
          - evaluate_target_health = true -> null
          - name                   = "df-scrape-development-web-1211173138.us-east-1.elb.amazonaws.com" -> null
          - zone_id                = "Z35SXDOTRQ7X7K" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_route53_record.endpoint_validation["scrapes.tax.dev.services.cfa.codes"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_route53_record" "endpoint_validation" {
      - allow_overwrite                  = true -> null
      - fqdn                             = "_82dce5817c19ad8cb3b0e037966140c2.scrapes.tax.dev.services.cfa.codes" -> null
      - id                               = "Z088564232NGJRO0LYHKL__82dce5817c19ad8cb3b0e037966140c2.scrapes.tax.dev.services.cfa.codes._CNAME" -> null
      - multivalue_answer_routing_policy = false -> null
      - name                             = "_82dce5817c19ad8cb3b0e037966140c2.scrapes.tax.dev.services.cfa.codes" -> null
      - records                          = [
          - "_6c16ef9a87f36480afcdbdec47cc60c7.xlfgrmvvlj.acm-validations.aws.",
        ] -> null
      - ttl                              = 60 -> null
      - type                             = "CNAME" -> null
      - zone_id                          = "Z088564232NGJRO0LYHKL" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].aws_ssm_parameter.version["this"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"] is not in configuration)
  - resource "aws_ssm_parameter" "version" {
      - arn            = "arn:aws:ssm:us-east-1:816069131564:parameter/df-all-screens-scrape/development/web/version" -> null
      - data_type      = "text" -> null
      - description    = "Current version of df-all-screens-scrape - development web" -> null
      - id             = "/df-all-screens-scrape/development/web/version" -> null
      - insecure_value = "latest" -> null
      - name           = "/df-all-screens-scrape/development/web/version" -> null
      - tags           = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all       = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tier           = "Standard" -> null
      - type           = "String" -> null
      - version        = 7 -> null
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.alb["this"].data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.alb["this"].aws_lb.this[0] will be updated in-place
  ~ resource "aws_lb" "this" {
        id                                          = "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/sebt-portal-development-web/13cd57b9f185027b"
        name                                        = "sebt-portal-development-web"
        tags                                        = {
            "application"           = "sebt-portal-development"
            "environment"           = "development"
            "program"               = "safety-net"
            "project"               = "sebt-portal"
            "terraform-aws-modules" = "alb"
        }
        # (24 unchanged attributes hidden)

      ~ access_logs {
          + bucket  = "shared-services-development-logs"
          ~ enabled = false -> true
        }

      ~ connection_logs {
          + bucket  = "shared-services-development-logs"
          ~ enabled = false -> true
        }

        # (4 unchanged blocks hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.alb["this"].aws_lb_listener.this["https"] will be updated in-place
  ~ resource "aws_lb_listener" "this" {
      ~ certificate_arn                      = "arn:aws:acm:us-east-1:816069131564:certificate/b185a108-b78d-484b-ab10-4db31a65ecf7" -> (known after apply)
        id                                   = "arn:aws:elasticloadbalancing:us-east-1:816069131564:listener/app/sebt-portal-development-web/13cd57b9f185027b/06b7c6aa632be5cd"
        tags                                 = {
            "application"           = "sebt-portal-development"
            "environment"           = "development"
            "program"               = "safety-net"
            "project"               = "sebt-portal"
            "terraform-aws-modules" = "alb"
        }
        # (7 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecr["this"].data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecr["this"].data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecr["this"].data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecr["this"].aws_ecr_repository_policy.this[0] will be updated in-place
  ~ resource "aws_ecr_repository_policy" "this" {
        id          = "sebt-portal-development-web"
      ~ policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = [
                          - "ecr:ListTagsForResource",
                          - "ecr:ListImages",
                          - "ecr:GetRepositoryPolicy",
                          - "ecr:GetLifecyclePolicyPreview",
                          - "ecr:GetLifecyclePolicy",
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:GetAuthorizationToken",
                          - "ecr:DescribeRepositories",
                          - "ecr:DescribeImages",
                          - "ecr:DescribeImageScanFindings",
                          - "ecr:BatchGetImage",
                          - "ecr:BatchCheckLayerAvailability",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::816069131564:root"
                        }
                      - Sid       = "PrivateReadOnly"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.endpoint_security_group.aws_security_group_rule.egress_rules[0] must be replaced
-/+ resource "aws_security_group_rule" "egress_rules" {
      ~ cidr_blocks              = [ # forces replacement
          - "10.1.0.0/16",
        ] -> (known after apply) # forces replacement
      ~ from_port                = 0 -> -1
      ~ id                       = "sgrule-2115756838" -> (known after apply)
      ~ security_group_rule_id   = "sgr-048dee6dc0e6f1e21" -> (known after apply)
      + source_security_group_id = (known after apply)
      ~ to_port                  = 0 -> -1
        # (7 unchanged attributes hidden)
    }

  # module.app["df-all-screen-scrapes"].module.secrets.module.secrets_manager["oidc"].aws_secretsmanager_secret.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.secrets.module.secrets_manager["oidc"] is not in configuration)
  - resource "aws_secretsmanager_secret" "this" {
      - arn                            = "arn:aws:secretsmanager:us-east-1:816069131564:secret:df-all-screens-scrape/development/oidc-20250623183809209800000001-j7Kc8D" -> null
      - description                    = "OIDC secrets for df-all-screens-scrape - development" -> null
      - force_overwrite_replica_secret = false -> null
      - id                             = "arn:aws:secretsmanager:us-east-1:816069131564:secret:df-all-screens-scrape/development/oidc-20250623183809209800000001-j7Kc8D" -> null
      - kms_key_id                     = "alias/df-all-screens-scrape/development/secrets" -> null
      - name                           = "df-all-screens-scrape/development/oidc-20250623183809209800000001" -> null
      - name_prefix                    = "df-all-screens-scrape/development/oidc-" -> null
      - recovery_window_in_days        = 30 -> null
      - tags                           = {} -> null
      - tags_all                       = {
          - "environment" = "development"
          - "project"     = "shared-services"
        } -> null
    }

  # module.app["df-all-screen-scrapes"].module.secrets.module.secrets_manager["oidc"].aws_secretsmanager_secret_version.ignore_changes[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.secrets.module.secrets_manager["oidc"] is not in configuration)
  - resource "aws_secretsmanager_secret_version" "ignore_changes" {
      - arn            = "arn:aws:secretsmanager:us-east-1:816069131564:secret:df-all-screens-scrape/development/oidc-20250623183809209800000001-j7Kc8D" -> null
      - id             = "arn:aws:secretsmanager:us-east-1:816069131564:secret:df-all-screens-scrape/development/oidc-20250623183809209800000001-j7Kc8D|terraform-20250623183809626000000003" -> null
      - secret_id      = "arn:aws:secretsmanager:us-east-1:816069131564:secret:df-all-screens-scrape/development/oidc-20250623183809209800000001-j7Kc8D" -> null
      - secret_string  = (sensitive value) -> null
      - version_id     = "terraform-20250623183809626000000003" -> null
      - version_stages = [
          - "AWSPREVIOUS",
        ] -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"].aws_lb.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"] is not in configuration)
  - resource "aws_lb" "this" {
      - arn                                         = "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/df-scrape-development-web/3cf70983c2be0261" -> null
      - arn_suffix                                  = "app/df-scrape-development-web/3cf70983c2be0261" -> null
      - client_keep_alive                           = 3600 -> null
      - desync_mitigation_mode                      = "defensive" -> null
      - dns_name                                    = "df-scrape-development-web-1211173138.us-east-1.elb.amazonaws.com" -> null
      - drop_invalid_header_fields                  = true -> null
      - enable_cross_zone_load_balancing            = true -> null
      - enable_deletion_protection                  = false -> null
      - enable_http2                                = true -> null
      - enable_tls_version_and_cipher_suite_headers = false -> null
      - enable_waf_fail_open                        = false -> null
      - enable_xff_client_port                      = false -> null
      - enable_zonal_shift                          = false -> null
      - id                                          = "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/df-scrape-development-web/3cf70983c2be0261" -> null
      - idle_timeout                                = 60 -> null
      - internal                                    = false -> null
      - ip_address_type                             = "ipv4" -> null
      - load_balancer_type                          = "application" -> null
      - name                                        = "df-scrape-development-web" -> null
      - preserve_host_header                        = false -> null
      - security_groups                             = [
          - "sg-00877a5fcd34931a2",
          - "sg-0db92c069951ad4a9",
        ] -> null
      - subnets                                     = [
          - "subnet-037226b6f514e6dd1",
          - "subnet-04a634af483d94adb",
          - "subnet-0ff03c3903c4c785c",
        ] -> null
      - tags                                        = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - tags_all                                    = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - vpc_id                                      = "vpc-024d66fcc4f521d0a" -> null
      - xff_header_processing_mode                  = "append" -> null
      - zone_id                                     = "Z35SXDOTRQ7X7K" -> null

      - access_logs {
          - bucket  = "shared-services-development-logs" -> null
          - enabled = true -> null
        }

      - connection_logs {
          - bucket  = "shared-services-development-logs" -> null
          - enabled = true -> null
        }

      - subnet_mapping {
          - subnet_id = "subnet-037226b6f514e6dd1" -> null
        }
      - subnet_mapping {
          - subnet_id = "subnet-04a634af483d94adb" -> null
        }
      - subnet_mapping {
          - subnet_id = "subnet-0ff03c3903c4c785c" -> null
        }

      - timeouts {}
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"].aws_lb_listener.this["http"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"] is not in configuration)
  - resource "aws_lb_listener" "this" {
      - arn                                  = "arn:aws:elasticloadbalancing:us-east-1:816069131564:listener/app/df-scrape-development-web/3cf70983c2be0261/74a8570533695170" -> null
      - id                                   = "arn:aws:elasticloadbalancing:us-east-1:816069131564:listener/app/df-scrape-development-web/3cf70983c2be0261/74a8570533695170" -> null
      - load_balancer_arn                    = "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/df-scrape-development-web/3cf70983c2be0261" -> null
      - port                                 = 80 -> null
      - protocol                             = "HTTP" -> null
      - routing_http_response_server_enabled = true -> null
      - tags                                 = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - tags_all                             = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null

      - default_action {
          - order = 1 -> null
          - type  = "redirect" -> null

          - redirect {
              - host        = "#{host}" -> null
              - path        = "/#{path}" -> null
              - port        = "443" -> null
              - protocol    = "HTTPS" -> null
              - query       = "#{query}" -> null
              - status_code = "HTTP_301" -> null
            }
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"].aws_lb_listener.this["https"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"] is not in configuration)
  - resource "aws_lb_listener" "this" {
      - arn                                  = "arn:aws:elasticloadbalancing:us-east-1:816069131564:listener/app/df-scrape-development-web/3cf70983c2be0261/714130289b18b618" -> null
      - certificate_arn                      = "arn:aws:acm:us-east-1:816069131564:certificate/2481c5e9-f77d-4021-927b-66e2b6d2367a" -> null
      - id                                   = "arn:aws:elasticloadbalancing:us-east-1:816069131564:listener/app/df-scrape-development-web/3cf70983c2be0261/714130289b18b618" -> null
      - load_balancer_arn                    = "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/df-scrape-development-web/3cf70983c2be0261" -> null
      - port                                 = 443 -> null
      - protocol                             = "HTTPS" -> null
      - routing_http_response_server_enabled = true -> null
      - ssl_policy                           = "ELBSecurityPolicy-TLS-1-2-2017-01" -> null
      - tags                                 = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - tags_all                             = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null

      - default_action {
          - order = 1 -> null
          - type  = "authenticate-oidc" -> null

          - authenticate_oidc {
              - authentication_request_extra_params = {} -> null
              - authorization_endpoint              = (sensitive value) -> null
              - client_id                           = (sensitive value) -> null
              - client_secret                       = (sensitive value) -> null
              - issuer                              = (sensitive value) -> null
              - on_unauthenticated_request          = "authenticate" -> null
              - scope                               = "openid" -> null
              - session_cookie_name                 = "AWSELBAuthSessionCookie" -> null
              - session_timeout                     = 604800 -> null
              - token_endpoint                      = (sensitive value) -> null
              - user_info_endpoint                  = (sensitive value) -> null
            }
        }
      - default_action {
          - order            = 2 -> null
          - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:816069131564:targetgroup/df-scrape-development-web-app/12772c19e4c6ddc8" -> null
          - type             = "forward" -> null
        }

      - mutual_authentication {
          - ignore_client_certificate_expiry = false -> null
          - mode                             = "off" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"].aws_lb_target_group.this["endpoint"] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"] is not in configuration)
  - resource "aws_lb_target_group" "this" {
      - arn                                = "arn:aws:elasticloadbalancing:us-east-1:816069131564:targetgroup/df-scrape-development-web-app/12772c19e4c6ddc8" -> null
      - arn_suffix                         = "targetgroup/df-scrape-development-web-app/12772c19e4c6ddc8" -> null
      - deregistration_delay               = "300" -> null
      - id                                 = "arn:aws:elasticloadbalancing:us-east-1:816069131564:targetgroup/df-scrape-development-web-app/12772c19e4c6ddc8" -> null
      - ip_address_type                    = "ipv4" -> null
      - lambda_multi_value_headers_enabled = false -> null
      - load_balancer_arns                 = [
          - "arn:aws:elasticloadbalancing:us-east-1:816069131564:loadbalancer/app/df-scrape-development-web/3cf70983c2be0261",
        ] -> null
      - load_balancing_algorithm_type      = "round_robin" -> null
      - load_balancing_anomaly_mitigation  = "off" -> null
      - load_balancing_cross_zone_enabled  = "use_load_balancer_configuration" -> null
      - name                               = "df-scrape-development-web-app" -> null
      - port                               = 9292 -> null
      - protocol                           = "HTTP" -> null
      - protocol_version                   = "HTTP1" -> null
      - proxy_protocol_v2                  = false -> null
      - slow_start                         = 0 -> null
      - tags                               = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - tags_all                           = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - target_type                        = "ip" -> null
      - vpc_id                             = "vpc-024d66fcc4f521d0a" -> null

      - health_check {
          - enabled             = true -> null
          - healthy_threshold   = 5 -> null
          - interval            = 30 -> null
          - matcher             = "200" -> null
          - path                = "/" -> null
          - port                = "traffic-port" -> null
          - protocol            = "HTTP" -> null
          - timeout             = 5 -> null
          - unhealthy_threshold = 2 -> null
        }

      - stickiness {
          - cookie_duration = 86400 -> null
          - enabled         = false -> null
          - type            = "lb_cookie" -> null
        }

      - target_failover {}

      - target_group_health {
          - dns_failover {
              - minimum_healthy_targets_count      = "1" -> null
              - minimum_healthy_targets_percentage = "off" -> null
            }
          - unhealthy_state_routing {
              - minimum_healthy_targets_count      = 1 -> null
              - minimum_healthy_targets_percentage = "off" -> null
            }
        }

      - target_health_state {}
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"].aws_security_group.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.alb["this"] is not in configuration)
  - resource "aws_security_group" "this" {
      - arn                    = "arn:aws:ec2:us-east-1:816069131564:security-group/sg-0db92c069951ad4a9" -> null
      - description            = "Security group for df-scrape-development-web application load balancer" -> null
      - egress                 = [] -> null
      - id                     = "sg-0db92c069951ad4a9" -> null
      - ingress                = [] -> null
      - name                   = "df-scrape-development-web-20250624001553188500000004" -> null
      - name_prefix            = "df-scrape-development-web-" -> null
      - owner_id               = "816069131564" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - tags_all               = {
          - "application"           = "df-all-screens-scrape-development"
          - "environment"           = "development"
          - "program"               = "tax-benefits"
          - "project"               = "df-all-screens-scrape"
          - "terraform-aws-modules" = "alb"
        } -> null
      - vpc_id                 = "vpc-024d66fcc4f521d0a" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"].aws_ecr_lifecycle_policy.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"] is not in configuration)
  - resource "aws_ecr_lifecycle_policy" "this" {
      - id          = "df-all-screens-scrape-development-web" -> null
      - policy      = jsonencode(
            {
              - rules = [
                  - {
                      - action       = {
                          - type = "expire"
                        }
                      - description  = "Expire untagged images older than 14 days"
                      - rulePriority = 1
                      - selection    = {
                          - countNumber = 14
                          - countType   = "sinceImagePushed"
                          - countUnit   = "days"
                          - tagStatus   = "untagged"
                        }
                    },
                ]
            }
        ) -> null
      - registry_id = "816069131564" -> null
      - repository  = "df-all-screens-scrape-development-web" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"].aws_ecr_repository.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"] is not in configuration)
  - resource "aws_ecr_repository" "this" {
      - arn                  = "arn:aws:ecr:us-east-1:816069131564:repository/df-all-screens-scrape-development-web" -> null
      - force_delete         = true -> null
      - id                   = "df-all-screens-scrape-development-web" -> null
      - image_tag_mutability = "IMMUTABLE" -> null
      - name                 = "df-all-screens-scrape-development-web" -> null
      - registry_id          = "816069131564" -> null
      - repository_url       = "816069131564.dkr.ecr.us-east-1.amazonaws.com/df-all-screens-scrape-development-web" -> null
      - tags                 = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all             = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null

      - encryption_configuration {
          - encryption_type = "KMS" -> null
          - kms_key         = "arn:aws:kms:us-east-1:816069131564:key/bf069987-fff0-4faa-bfc2-6013fd921c5e" -> null
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"].aws_ecr_repository_policy.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecr["this"] is not in configuration)
  - resource "aws_ecr_repository_policy" "this" {
      - id          = "df-all-screens-scrape-development-web" -> null
      - policy      = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = [
                          - "ecr:ListTagsForResource",
                          - "ecr:ListImages",
                          - "ecr:GetRepositoryPolicy",
                          - "ecr:GetLifecyclePolicyPreview",
                          - "ecr:GetLifecyclePolicy",
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:GetAuthorizationToken",
                          - "ecr:DescribeRepositories",
                          - "ecr:DescribeImages",
                          - "ecr:DescribeImageScanFindings",
                          - "ecr:BatchGetImage",
                          - "ecr:BatchCheckLayerAvailability",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::816069131564:root"
                        }
                      - Sid       = "PrivateReadOnly"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - registry_id = "816069131564" -> null
      - repository  = "df-all-screens-scrape-development-web" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecs.aws_ecs_cluster.main will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecs is not in configuration)
  - resource "aws_ecs_cluster" "main" {
      - arn      = "arn:aws:ecs:us-east-1:816069131564:cluster/df-all-screens-scrape-development-web" -> null
      - id       = "arn:aws:ecs:us-east-1:816069131564:cluster/df-all-screens-scrape-development-web" -> null
      - name     = "df-all-screens-scrape-development-web" -> null
      - tags     = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null

      - setting {
          - name  = "containerInsights" -> null
          - value = "enabled" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecs.aws_ecs_cluster_capacity_providers.main[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecs is not in configuration)
  - resource "aws_ecs_cluster_capacity_providers" "main" {
      - capacity_providers = [
          - "FARGATE",
        ] -> null
      - cluster_name       = "df-all-screens-scrape-development-web" -> null
      - id                 = "df-all-screens-scrape-development-web" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group.aws_security_group.this_name_prefix[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group is not in configuration)
  - resource "aws_security_group" "this_name_prefix" {
      - arn                    = "arn:aws:ec2:us-east-1:816069131564:security-group/sg-00877a5fcd34931a2" -> null
      - description            = "Security Group managed by Terraform" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "IdP access for OIDC authentication."
              - from_port        = 443
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 443
            },
          - {
              - cidr_blocks      = [
                  - "10.1.0.0/16",
                ]
              - description      = "All protocols"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> null
      - id                     = "sg-00877a5fcd34931a2" -> null
      - ingress                = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "HTTP"
              - from_port        = 80
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 80
            },
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "HTTPS"
              - from_port        = 443
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 443
            },
        ] -> null
      - name                   = "df-all-screens-scrape-development-web-endpoint-20250624001552841300000002" -> null
      - name_prefix            = "df-all-screens-scrape-development-web-endpoint-" -> null
      - owner_id               = "816069131564" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Name"        = "df-all-screens-scrape-development-web-endpoint"
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all               = {
          - "Name"        = "df-all-screens-scrape-development-web-endpoint"
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - vpc_id                 = "vpc-024d66fcc4f521d0a" -> null

      - timeouts {
          - create = "10m" -> null
          - delete = "15m" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group.aws_security_group_rule.egress_rules[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group is not in configuration)
  - resource "aws_security_group_rule" "egress_rules" {
      - cidr_blocks            = [
          - "10.1.0.0/16",
        ] -> null
      - description            = "All protocols" -> null
      - from_port              = 0 -> null
      - id                     = "sgrule-2236683853" -> null
      - ipv6_cidr_blocks       = [] -> null
      - prefix_list_ids        = [] -> null
      - protocol               = "-1" -> null
      - security_group_id      = "sg-00877a5fcd34931a2" -> null
      - security_group_rule_id = "sgr-0c200c0da0cc2e024" -> null
      - self                   = false -> null
      - to_port                = 0 -> null
      - type                   = "egress" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group.aws_security_group_rule.egress_with_cidr_blocks[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group is not in configuration)
  - resource "aws_security_group_rule" "egress_with_cidr_blocks" {
      - cidr_blocks            = [
          - "0.0.0.0/0",
        ] -> null
      - description            = "IdP access for OIDC authentication." -> null
      - from_port              = 443 -> null
      - id                     = "sgrule-2778065677" -> null
      - protocol               = "tcp" -> null
      - security_group_id      = "sg-00877a5fcd34931a2" -> null
      - security_group_rule_id = "sgr-03a3f29d501f785ad" -> null
      - self                   = false -> null
      - to_port                = 443 -> null
      - type                   = "egress" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group.aws_security_group_rule.ingress_rules[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group is not in configuration)
  - resource "aws_security_group_rule" "ingress_rules" {
      - cidr_blocks            = [
          - "0.0.0.0/0",
        ] -> null
      - description            = "HTTP" -> null
      - from_port              = 80 -> null
      - id                     = "sgrule-3256096751" -> null
      - ipv6_cidr_blocks       = [] -> null
      - prefix_list_ids        = [] -> null
      - protocol               = "tcp" -> null
      - security_group_id      = "sg-00877a5fcd34931a2" -> null
      - security_group_rule_id = "sgr-0475e98ce8bc2c3ef" -> null
      - self                   = false -> null
      - to_port                = 80 -> null
      - type                   = "ingress" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group.aws_security_group_rule.ingress_rules[1] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.endpoint_security_group is not in configuration)
  - resource "aws_security_group_rule" "ingress_rules" {
      - cidr_blocks            = [
          - "0.0.0.0/0",
        ] -> null
      - description            = "HTTPS" -> null
      - from_port              = 443 -> null
      - id                     = "sgrule-4229351938" -> null
      - ipv6_cidr_blocks       = [] -> null
      - prefix_list_ids        = [] -> null
      - protocol               = "tcp" -> null
      - security_group_id      = "sg-00877a5fcd34931a2" -> null
      - security_group_rule_id = "sgr-0615fc363a7dc1f10" -> null
      - self                   = false -> null
      - to_port                = 443 -> null
      - type                   = "ingress" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.otel_config.aws_ssm_parameter.this[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.otel_config is not in configuration)
  - resource "aws_ssm_parameter" "this" {
      - arn            = "arn:aws:ssm:us-east-1:816069131564:parameter/df-all-screens-scrape/development/web/otel" -> null
      - data_type      = "text" -> null
      - description    = "Configuration for the OpenTelemetry collector." -> null
      - id             = "/df-all-screens-scrape/development/web/otel" -> null
      - insecure_value = <<-EOT
            extensions:
              health_check:
            
            receivers:
              otlp:
                protocols:
                  grpc:
                    endpoint: 0.0.0.0:4317
                  http:
                    endpoint: 0.0.0.0:4318
              awsxray:
                endpoint: 0.0.0.0:2000
                transport: udp
              statsd:
                endpoint: 0.0.0.0:8125
                aggregation_interval: 60s
              awsecscontainermetrics:
            
            processors:
              batch/traces:
                timeout: 1s
                send_batch_size: 50
              batch/metrics:
                timeout: 60s
              filter:
                metrics:
                  include:
                    match_type: strict
                    metric_names:
                      - ecs.task.memory.reserved
                      - ecs.task.memory.utilized
                      - ecs.task.cpu.reserved
                      - ecs.task.cpu.utilized
                      - ecs.task.network.rate.rx
                      - ecs.task.network.rate.tx
                      - ecs.task.storage.read_bytes
                      - ecs.task.storage.write_bytes
                      - container.duration
              metricstransform:
                transforms:
                  - include: ecs.task.memory.utilized
                    action: update
                    new_name: MemoryUtilized
                  - include: ecs.task.memory.reserved
                    action: update
                    new_name: MemoryReserved
                  - include: ecs.task.cpu.utilized
                    action: update
                    new_name: CpuUtilized
                  - include: ecs.task.cpu.reserved
                    action: update
                    new_name: CpuReserved
                  - include: ecs.task.network.rate.rx
                    action: update
                    new_name: NetworkRxBytes
                  - include: ecs.task.network.rate.tx
                    action: update
                    new_name: NetworkTxBytes
                  - include: ecs.task.storage.read_bytes
                    action: update
                    new_name: StorageReadBytes
                  - include: ecs.task.storage.write_bytes
                    action: update
                    new_name: StorageWriteBytes
            
              resource:
                attributes:
                  - key: ClusterName
                    from_attribute: aws.ecs.cluster.name
                    action: insert
                  - key: aws.ecs.cluster.name
                    action: delete
                  - key: ServiceName
                    from_attribute: aws.ecs.service.name
                    action: insert
                  - key: aws.ecs.service.name
                    action: delete
                  - key: TaskId
                    from_attribute: aws.ecs.task.id
                    action: insert
                  - key: aws.ecs.task.id
                    action: delete
                  - key: TaskDefinitionFamily
                    from_attribute: aws.ecs.task.family
                    action: insert
                  - key: aws.ecs.task.family
                    action: delete
                  - key: TaskARN
                    from_attribute: aws.ecs.task.arn
                    action: insert
                  - key: aws.ecs.task.arn
                    action: delete
                  - key: DockerName
                    from_attribute: aws.ecs.docker.name
                    action: insert
                  - key: aws.ecs.docker.name
                    action: delete
                  - key: TaskDefinitionRevision
                    from_attribute: aws.ecs.task.version
                    action: insert
                  - key: aws.ecs.task.version
                    action: delete
                  - key: PullStartedAt
                    from_attribute: aws.ecs.task.pull_started_at
                    action: insert
                  - key: aws.ecs.task.pull_started_at
                    action: delete
                  - key: PullStoppedAt
                    from_attribute: aws.ecs.task.pull_stopped_at
                    action: insert
                  - key: aws.ecs.task.pull_stopped_at
                    action: delete
                  - key: AvailabilityZone
                    from_attribute: cloud.zone
                    action: insert
                  - key: cloud.zone
                    action: delete
                  - key: LaunchType
                    from_attribute: aws.ecs.task.launch_type
                    action: insert
                  - key: aws.ecs.task.launch_type
                    action: delete
                  - key: Region
                    from_attribute: cloud.region
                    action: insert
                  - key: cloud.region
                    action: delete
                  - key: AccountId
                    from_attribute: cloud.account.id
                    action: insert
                  - key: cloud.account.id
                    action: delete
                  - key: DockerId
                    from_attribute: container.id
                    action: insert
                  - key: container.id
                    action: delete
                  - key: ContainerName
                    from_attribute: container.name
                    action: insert
                  - key: container.name
                    action: delete
                  - key: Image
                    from_attribute: container.image.name
                    action: insert
                  - key: container.image.name
                    action: delete
                  - key: ImageId
                    from_attribute: aws.ecs.container.image.id
                    action: insert
                  - key: aws.ecs.container.image.id
                    action: delete
                  - key: ExitCode
                    from_attribute: aws.ecs.container.exit_code
                    action: insert
                  - key: aws.ecs.container.exit_code
                    action: delete
                  - key: CreatedAt
                    from_attribute: aws.ecs.container.created_at
                    action: insert
                  - key: aws.ecs.container.created_at
                    action: delete
                  - key: StartedAt
                    from_attribute: aws.ecs.container.started_at
                    action: insert
                  - key: aws.ecs.container.started_at
                    action: delete
                  - key: FinishedAt
                    from_attribute: aws.ecs.container.finished_at
                    action: insert
                  - key: aws.ecs.container.finished_at
                    action: delete
                  - key: ImageTag
                    from_attribute: container.image.tag
                    action: insert
                  - key: container.image.tag
                    action: delete
            
            exporters:
              awsxray:
              awsemf/application:
                namespace: "df-all-screens-scrape/web"
                log_group_name: '/aws/ecs/application/metrics'
              awsemf/performance:
                namespace: ECS/ContainerInsights
                log_group_name: '/aws/ecs/containerinsights/{ClusterName}/performance'
                log_stream_name: '{TaskId}'
                resource_to_telemetry_conversion:
                  enabled: true
                dimension_rollup_option: NoDimensionRollup
                metric_declarations:
                  - dimensions: [ [ ClusterName ], [ ClusterName, TaskDefinitionFamily ] ]
                    metric_name_selectors:
                      - MemoryUtilized
                      - MemoryReserved
                      - CpuUtilized
                      - CpuReserved
                      - NetworkRxBytes
                      - NetworkTxBytes
                      - StorageReadBytes
                      - StorageWriteBytes
                  - metric_name_selectors: [container.*]
            
            service:
              pipelines:
                traces:
                  receivers: [otlp,awsxray]
                  processors: [batch/traces]
                  exporters: [awsxray]
                metrics/application:
                  receivers: [otlp, statsd]
                  processors: [batch/metrics]
                  exporters: [awsemf/application]
                metrics/performance:
                  receivers: [awsecscontainermetrics ]
                  processors: [filter, metricstransform, resource]
                  exporters: [ awsemf/performance ]
            
              extensions: [health_check]
        EOT -> null
      - name           = "/df-all-screens-scrape/development/web/otel" -> null
      - tags           = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all       = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tier           = "Advanced" -> null
      - type           = "String" -> null
      - version        = 1 -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group.aws_security_group.this_name_prefix[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group is not in configuration)
  - resource "aws_security_group" "this_name_prefix" {
      - arn                    = "arn:aws:ec2:us-east-1:816069131564:security-group/sg-0afad7a99ddfd7952" -> null
      - description            = "Security Group managed by Terraform" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "All protocols"
              - from_port        = 0
              - ipv6_cidr_blocks = [
                  - "::/0",
                ]
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> null
      - id                     = "sg-0afad7a99ddfd7952" -> null
      - ingress                = [
          - {
              - cidr_blocks      = []
              - description      = "web access from the load balancer."
              - from_port        = 9292
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-00877a5fcd34931a2",
                ]
              - self             = false
              - to_port          = 9292
            },
        ] -> null
      - name                   = "df-all-screens-scrape-development-web-endpoint-20250624001552841600000003" -> null
      - name_prefix            = "df-all-screens-scrape-development-web-endpoint-" -> null
      - owner_id               = "816069131564" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Name"        = "df-all-screens-scrape-development-web-endpoint"
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all               = {
          - "Name"        = "df-all-screens-scrape-development-web-endpoint"
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - vpc_id                 = "vpc-024d66fcc4f521d0a" -> null

      - timeouts {
          - create = "10m" -> null
          - delete = "15m" -> null
        }
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group.aws_security_group_rule.egress_rules[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group is not in configuration)
  - resource "aws_security_group_rule" "egress_rules" {
      - cidr_blocks       = [
          - "0.0.0.0/0",
        ] -> null
      - description       = "All protocols" -> null
      - from_port         = 0 -> null
      - id                = "sgrule-1757154202" -> null
      - ipv6_cidr_blocks  = [
          - "::/0",
        ] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "-1" -> null
      - security_group_id = "sg-0afad7a99ddfd7952" -> null
      - self              = false -> null
      - to_port           = 0 -> null
      - type              = "egress" -> null
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group.aws_security_group_rule.ingress_with_source_security_group_id[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.task_security_group is not in configuration)
  - resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
      - description              = "web access from the load balancer." -> null
      - from_port                = 9292 -> null
      - id                       = "sgrule-1682406258" -> null
      - prefix_list_ids          = [] -> null
      - protocol                 = "tcp" -> null
      - security_group_id        = "sg-0afad7a99ddfd7952" -> null
      - security_group_rule_id   = "sgr-009c85016d204f90c" -> null
      - self                     = false -> null
      - source_security_group_id = "sg-00877a5fcd34931a2" -> null
      - to_port                  = 9292 -> null
      - type                     = "ingress" -> null
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecs_service.module.fargate.aws_ecs_service.main[0] will be updated in-place
  ~ resource "aws_ecs_service" "main" {
        id                                 = "arn:aws:ecs:us-east-1:816069131564:service/sebt-portal-development-web/sebt-portal-development-web"
        name                               = "sebt-portal-development-web"
        tags                               = {
            "application" = "sebt-portal-development"
            "environment" = "development"
            "program"     = "safety-net"
            "project"     = "sebt-portal"
        }
      ~ task_definition                    = "arn:aws:ecs:us-east-1:816069131564:task-definition/sebt-portal-development-web:18" -> (known after apply)
        # (16 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecs_service.module.fargate.aws_ecs_service.main[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecs_service.module.fargate is not in configuration)
  - resource "aws_ecs_service" "main" {
      - availability_zone_rebalancing      = "DISABLED" -> null
      - cluster                            = "arn:aws:ecs:us-east-1:816069131564:cluster/df-all-screens-scrape-development-web" -> null
      - deployment_maximum_percent         = 200 -> null
      - deployment_minimum_healthy_percent = 100 -> null
      - desired_count                      = 1 -> null
      - enable_ecs_managed_tags            = false -> null
      - enable_execute_command             = false -> null
      - health_check_grace_period_seconds  = 300 -> null
      - iam_role                           = "/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" -> null
      - id                                 = "arn:aws:ecs:us-east-1:816069131564:service/df-all-screens-scrape-development-web/df-all-screens-scrape-development-web" -> null
      - launch_type                        = "FARGATE" -> null
      - name                               = "df-all-screens-scrape-development-web" -> null
      - platform_version                   = "LATEST" -> null
      - propagate_tags                     = "NONE" -> null
      - scheduling_strategy                = "REPLICA" -> null
      - tags                               = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all                           = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - task_definition                    = "arn:aws:ecs:us-east-1:816069131564:task-definition/df-all-screens-scrape-development-web:8" -> null
      - triggers                           = {} -> null
      - wait_for_steady_state              = false -> null

      - deployment_circuit_breaker {
          - enable   = false -> null
          - rollback = false -> null
        }

      - deployment_controller {
          - type = "ECS" -> null
        }

      - load_balancer {
          - container_name   = "df-all-screens-scrape-development-web" -> null
          - container_port   = 9292 -> null
          - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:816069131564:targetgroup/df-scrape-development-web-app/12772c19e4c6ddc8" -> null
        }

      - network_configuration {
          - assign_public_ip = false -> null
          - security_groups  = [
              - "sg-0afad7a99ddfd7952",
            ] -> null
          - subnets          = [
              - "subnet-04f0c33c52950250c",
              - "subnet-053de37a3ecb7298b",
              - "subnet-0686b2ea9061f8367",
            ] -> null
        }
    }

  # module.app["dc-sebt-portal"].module.service["web"].module.ecs_service.module.fargate.module.task.aws_ecs_task_definition.main[0] must be replaced
+/- resource "aws_ecs_task_definition" "main" {
      ~ arn                      = "arn:aws:ecs:us-east-1:816069131564:task-definition/sebt-portal-development-web:18" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:816069131564:task-definition/sebt-portal-development-web" -> (known after apply)
      ~ container_definitions    = jsonencode(
            [
              - {
                  - command          = [
                      - "--config=/etc/ecs/container-insights/otel-task-metrics-config.yaml",
                    ]
                  - cpu              = 256
                  - environment      = [
                      - {
                          - name  = "OTEL_LOG_LEVEL"
                          - value = "info"
                        },
                    ]
                  - essential        = false
                  - image            = "public.ecr.aws/aws-observability/aws-otel-collector:latest"
                  - logConfiguration = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "/aws/ecs/sebt-portal/development/web"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "otel-collector"
                        }
                    }
                  - memory           = 512
                  - mountPoints      = []
                  - name             = "otel-collector"
                  - portMappings     = []
                  - secrets          = [
                      - {
                          - name      = "AOT_CONFIG_CONTENT"
                          - valueFrom = "arn:aws:ssm:us-east-1:816069131564:parameter/sebt-portal/development/web/otel"
                        },
                    ]
                  - systemControls   = []
                  - volumesFrom      = []
                },
              - {
                  - cpu               = 256
                  - environment       = [
                      - {
                          - name  = "DATABASE_HOST"
                          - value = "sebt-portal-development-20250613171717133500000001.cxcgye2iuxai.us-east-1.rds.amazonaws.com"
                        },
                      - {
                          - name  = "DATABASE_PORT"
                          - value = "1433"
                        },
                    ]
                  - essential         = true
                  - image             = "816069131564.dkr.ecr.us-east-1.amazonaws.com/sebt-portal-development-web:dabefb8f502b1dfa0b18bd17e2c780e5c4a69baf"
                  - linuxParameters   = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration  = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "/aws/ecs/sebt-portal/development/web"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - memory            = 512
                  - memoryReservation = 512
                  - mountPoints       = []
                  - name              = "sebt-portal-development-web"
                  - portMappings      = [
                      - {
                          - containerPort = 8080
                          - hostPort      = 8080
                          - protocol      = "tcp"
                        },
                    ]
                  - secrets           = [
                      - {
                          - name      = "DATABASE_PASSWORD"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:816069131564:secret:rds!db-810abc7e-8474-4512-bb79-c1a1bc80a43d-u0v3r9:password::"
                        },
                      - {
                          - name      = "DATABASE_USERNAME"
                          - valueFrom = "arn:aws:secretsmanager:us-east-1:816069131564:secret:rds!db-810abc7e-8474-4512-bb79-c1a1bc80a43d-u0v3r9:username::"
                        },
                    ]
                  - systemControls    = []
                  - volumesFrom       = []
                },
            ] # forces replacement
        ) -> (known after apply) # forces replacement
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "sebt-portal-development-web" -> (known after apply)
      ~ revision                 = 18 -> (known after apply)
        tags                     = {
            "application" = "sebt-portal-development"
            "environment" = "development"
            "program"     = "safety-net"
            "project"     = "sebt-portal"
        }
        # (10 unchanged attributes hidden)
    }

  # module.app["df-all-screen-scrapes"].module.service["web"].module.ecs_service.module.fargate.module.task.aws_ecs_task_definition.main[0] will be destroyed
  # (because module.app["df-all-screen-scrapes"].module.service["web"].module.ecs_service.module.fargate.module.task is not in configuration)
  - resource "aws_ecs_task_definition" "main" {
      - arn                      = "arn:aws:ecs:us-east-1:816069131564:task-definition/df-all-screens-scrape-development-web:8" -> null
      - arn_without_revision     = "arn:aws:ecs:us-east-1:816069131564:task-definition/df-all-screens-scrape-development-web" -> null
      - container_definitions    = jsonencode(
            [
              - {
                  - cpu               = 256
                  - environment       = []
                  - essential         = true
                  - image             = "816069131564.dkr.ecr.us-east-1.amazonaws.com/df-all-screens-scrape-development-web:latest"
                  - linuxParameters   = {
                      - initProcessEnabled = true
                    }
                  - logConfiguration  = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "/aws/ecs/df-all-screens-scrape/development/web"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "ecs"
                        }
                    }
                  - memory            = 512
                  - memoryReservation = 512
                  - mountPoints       = []
                  - name              = "df-all-screens-scrape-development-web"
                  - portMappings      = [
                      - {
                          - containerPort = 9292
                          - hostPort      = 9292
                          - protocol      = "tcp"
                        },
                    ]
                  - systemControls    = []
                  - volumesFrom       = []
                },
              - {
                  - command          = [
                      - "--config=/etc/ecs/container-insights/otel-task-metrics-config.yaml",
                    ]
                  - cpu              = 256
                  - environment      = [
                      - {
                          - name  = "OTEL_LOG_LEVEL"
                          - value = "info"
                        },
                    ]
                  - essential        = false
                  - image            = "public.ecr.aws/aws-observability/aws-otel-collector:latest"
                  - logConfiguration = {
                      - logDriver = "awslogs"
                      - options   = {
                          - awslogs-group         = "/aws/ecs/df-all-screens-scrape/development/web"
                          - awslogs-region        = "us-east-1"
                          - awslogs-stream-prefix = "otel-collector"
                        }
                    }
                  - memory           = 512
                  - mountPoints      = []
                  - name             = "otel-collector"
                  - portMappings     = []
                  - secrets          = [
                      - {
                          - name      = "AOT_CONFIG_CONTENT"
                          - valueFrom = "arn:aws:ssm:us-east-1:816069131564:parameter/df-all-screens-scrape/development/web/otel"
                        },
                    ]
                  - systemControls   = []
                  - volumesFrom      = []
                },
            ]
        ) -> null
      - cpu                      = "512" -> null
      - enable_fault_injection   = false -> null
      - execution_role_arn       = "arn:aws:iam::816069131564:role/df-all-screens-scrape-development-web-execution" -> null
      - family                   = "df-all-screens-scrape-development-web" -> null
      - id                       = "df-all-screens-scrape-development-web" -> null
      - memory                   = "1024" -> null
      - network_mode             = "awsvpc" -> null
      - requires_compatibilities = [
          - "FARGATE",
        ] -> null
      - revision                 = 8 -> null
      - skip_destroy             = false -> null
      - tags                     = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - tags_all                 = {
          - "application" = "df-all-screens-scrape-development"
          - "environment" = "development"
          - "program"     = "tax-benefits"
          - "project"     = "df-all-screens-scrape"
        } -> null
      - task_role_arn            = "arn:aws:iam::816069131564:role/df-all-screens-scrape-development-web-task" -> null
      - track_latest             = false -> null
    }

Plan: 6 to add, 7 to change, 47 to destroy.

Changes to Outputs:
  ~ apps = {
      ~ dc-sebt-portal        = {
          ~ services   = {
              ~ web = {
                  ~ docker_push                = <<-EOT
                        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 816069131564.dkr.ecr.us-east-1.amazonaws.com
                        docker build -t sebt-portal-development-web --platform linux/amd64 .
                        docker tag sebt-portal-development-web:latest 816069131564.dkr.ecr.us-east-1.amazonaws.com/sebt-portal-development-web:latest
                        docker push 816069131564.dkr.ecr.us-east-1.amazonaws.com/sebt-portal-development-web:latest
                    EOT -> (known after apply)
                  ~ endpoint_url               = "www.dc-sebt-portal.development.dev.codeforamerica.app" -> (known after apply)
                    # (6 unchanged attributes hidden)
                }
            }
            # (1 unchanged attribute hidden)
        }
      - df-all-screen-scrapes = {
          - log_groups = [
              - "/aws/ecs/containerinsights/df-all-screens-scrape-development-web/performance",
              - "/aws/ecs/df-all-screens-scrape/development/web",
            ]
          - services   = {
              - web = {
                  - cluster_name               = "df-all-screens-scrape-development-web"
                  - docker_push                = <<-EOT
                        aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 816069131564.dkr.ecr.us-east-1.amazonaws.com
                        docker build -t df-all-screens-scrape-development-web --platform linux/amd64 .
                        docker tag df-all-screens-scrape-development-web:latest 816069131564.dkr.ecr.us-east-1.amazonaws.com/df-all-screens-scrape-development-web:latest
                        docker push 816069131564.dkr.ecr.us-east-1.amazonaws.com/df-all-screens-scrape-development-web:latest
                    EOT
                  - endpoint_security_group_id = "sg-00877a5fcd34931a2"
                  - endpoint_url               = "scrapes.tax.dev.services.cfa.codes"
                  - repository_arn             = "arn:aws:ecr:us-east-1:816069131564:repository/df-all-screens-scrape-development-web"
                  - repository_url             = "816069131564.dkr.ecr.us-east-1.amazonaws.com/df-all-screens-scrape-development-web"
                  - security_group_id          = "sg-0afad7a99ddfd7952"
                  - version_parameter          = "/df-all-screens-scrape/development/web/version"
                }
            }
        }
    }

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.

@jamesiarmes jamesiarmes merged commit eb350a6 into main Jun 24, 2025
8 checks passed
@jamesiarmes jamesiarmes deleted the alb-logs branch June 24, 2025 05:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jamesiarmes