[PRM-726] Removal of end-of-transfer-service via terraform destroy #204

Draft
oliverbeumkes-nhs wants to merge 12 commits into main from PRM-726

@oliverbeumkes-nhs (Contributor) commented Feb 26, 2026

WE DON'T WANT TO MERGE THIS PR
It exists purely to view the terraform plan and run the modified deploy stack to destroy end-of-transfer-service's infrastructure.

This reverts (most of) commit 84fa3a9. In particular, the parts that reference the End of Transfer Service. We have not reintroduced the gp2gp-adaptor or the mi-forwarder.

The reasoning for this PR is that the End of Transfer Service Terraform components were removed as part of PRM-227; however, the components were not destroyed. We're reverting the Terraform in this commit to see what the state file does. (PRM-667)
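
A destroy run like the one this PR exists to perform can be gated on the plan itself. The sketch below is an added example, not code from this repository: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports any action other than a pure delete, resources whose deployed name does not carry the expected service name, and tables that still have deletion protection enabled. The sample plan is constructed from resource names visible in the plan report on this page; `review_destroy_plan`, `SERVICE` and `NAME_KEYS` are hypothetical names.

```python
import json

SERVICE = "end-of-transfer-service"  # assumption: the one service this destroy may touch
NAME_KEYS = ("name", "alarm_name", "family", "id")  # attributes that carry the deployed name


def _rc(address, before, actions=("delete",)):
    """Build one resource_changes entry in the `terraform show -json` layout."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": list(actions), "before": before, "after": None}}


# Constructed sample, not real plan output; names are copied from the report on this page.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("aws_cloudwatch_log_group.log_group",
        {"name": "/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service"}),
    _rc("aws_cloudwatch_metric_alarm.not_suspended_sns_topic_error_log_alarm",
        {"alarm_name": "dev-suspension-service-not-suspended-sns-topic-error-logs",
         "id": "dev-suspension-service-not-suspended-sns-topic-error-logs"}),
    _rc("aws_dynamodb_table.suspensions",
        {"name": "dev-end-of-transfer-service-dynamodb",
         "deletion_protection_enabled": True}),
    _rc("aws_ecs_cluster.ecs-cluster",
        {"name": "dev-end-of-transfer-service-ecs-cluster"}),
]})


def review_destroy_plan(plan_json, service=SERVICE):
    """Return (blocking, warnings) for a plan that is meant to be destroy-only."""
    plan = json.loads(plan_json)
    blocking, warnings = [], []
    for rc in plan.get("resource_changes", []):
        address = rc["address"]
        change = rc["change"]
        actions = change["actions"]
        before = change.get("before") or {}

        # Untouched resources and data-source reads are not part of the teardown.
        if actions in (["no-op"], ["read"]):
            continue

        # A teardown plan must not create, update or replace anything.
        if actions != ["delete"]:
            blocking.append(f"{address}: unexpected actions {actions}")
            continue

        # Scope check: the deployed name should mention the service being removed.
        names = [str(before[k]) for k in NAME_KEYS if before.get(k)]
        if names and not any(service in n for n in names):
            warnings.append(f"{address}: named {names[0]!r}, outside {service}")

        # DynamoDB rejects DeleteTable while deletion protection is enabled,
        # so the apply would fail part-way through the teardown.
        if before.get("deletion_protection_enabled") is True:
            blocking.append(f"{address}: deletion protection is enabled")
    return blocking, warnings


if __name__ == "__main__":
    blocking, warnings = review_destroy_plan(SAMPLE_PLAN)
    for line in blocking:
        print("BLOCK", line)
    for line in warnings:
        print("WARN ", line)
```

Warnings are for a reviewer to confirm before the apply; they do not by themselves mean a resource is in the plan by mistake.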

@github-actions

Report for suspension-service

Terraform Initialization ⚙️ success

Initialization Output

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing modules...
- end-of-transfer-service in modules/end-of-transfer-service
- suspension-service in modules/suspension-service
Initializing provider plugins...
- Finding latest version of hashicorp/archive...
- Finding hashicorp/aws versions matching "5.59.0"...
- Installing hashicorp/aws v5.59.0...
- Installed hashicorp/aws v5.59.0 (signed by HashiCorp)
- Installing hashicorp/archive v2.7.1...
- Installed hashicorp/archive v2.7.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Validation 🤖 success

Validation Output

Success! The configuration is valid.


Terraform Plan 📖 success

Show Plan (0 to add, 0 to change, 114 to destroy)


Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_cloudwatch_log_group.log_group will be destroyed
  - resource "aws_cloudwatch_log_group" "log_group" {
      - arn               = "arn:aws:logs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:log-group:/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service" -> null
      - id                = "/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service" -> null
      - log_group_class   = "STANDARD" -> null
      - name              = "/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service" -> null
      - retention_in_days = 0 -> null
      - skip_destroy      = false -> null
      - tags              = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - tags_all          = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_cloudwatch_log_metric_filter.log_metric_filter will be destroyed
  - resource "aws_cloudwatch_log_metric_filter" "log_metric_filter" {
      - id             = "dev-end-of-transfer-service-error-logs" -> null
      - log_group_name = "/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service" -> null
      - name           = "dev-end-of-transfer-service-error-logs" -> null
      - pattern        = "{ $.level = "ERROR" }" -> null

      - metric_transformation {
          - default_value = "0" -> null
          - dimensions    = {} -> null
          - name          = "ErrorCountInLogs" -> null
          - namespace     = "EndOfTransferService" -> null
          - value         = "1" -> null
            # (1 unchanged attribute hidden)
        }
    }

  # aws_cloudwatch_metric_alarm.error_log_alarm will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "error_log_alarm" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm monitors errors logs in end-of-transfer-service" -> null
      - alarm_name                            = "dev-end-of-transfer-service-error-logs" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-error-logs" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {} -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-error-logs" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ErrorCountInLogs" -> null
      - namespace                             = "EndOfTransferService" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 60 -> null
      - statistic                             = "Sum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 0 -> null
      - treat_missing_data                    = "notBreaching" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.not_suspended_sns_topic_error_log_alarm will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "not_suspended_sns_topic_error_log_alarm" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm monitors errors logs in dev-suspension-service-not-suspended-sns-topic" -> null
      - alarm_name                            = "dev-suspension-service-not-suspended-sns-topic-error-logs" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-suspension-service-not-suspended-sns-topic-error-logs" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "TopicName" = "dev-suspension-service-not-suspended-sns-topic"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-suspension-service-not-suspended-sns-topic-error-logs" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "NumberOfNotificationsFailed" -> null
      - namespace                             = "AWS/SNS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 60 -> null
      - statistic                             = "Sum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 0 -> null
      - treat_missing_data                    = "notBreaching" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_deceased_patient_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_deceased_patient_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the deceased patient audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-deceased-patient-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-deceased-patient-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-deceased-patient-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-deceased-patient-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_invalid_suspension_dlq_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_invalid_suspension_dlq_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the invalid suspensions dlq audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-invalid-suspension-dlq-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-invalid-suspension-dlq-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-invalid-suspension-dlq-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-invalid-suspension-dlq-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_mof_not_updated_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_mof_not_updated_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the MOF not updated audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-mof-not-updated-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-mof-not-updated-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-mof-not-updated-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-mof-not-updated-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_mof_updated_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_mof_updated_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the MOF updated audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-mof-updated-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-mof-updated-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-mof-updated-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-mof-updated-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_not_suspended_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_not_suspended_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the not suspended audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-not-suspended-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-not-suspended-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-not-suspended-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-not-suspended-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.suspension_out_of_order_audit will be destroyed
  - resource "aws_cloudwatch_metric_alarm" "suspension_out_of_order_audit" {
      - actions_enabled                       = true -> null
      - alarm_actions                         = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - alarm_description                     = "This alarm triggers when messages on the out of order audit queue is not polled by splunk in last 15 mins" -> null
      - alarm_name                            = "dev-end-of-transfer-service-out-of-order-audit" -> null
      - arn                                   = "arn:aws:cloudwatch:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alarm:dev-end-of-transfer-service-out-of-order-audit" -> null
      - comparison_operator                   = "GreaterThanThreshold" -> null
      - datapoints_to_alarm                   = 0 -> null
      - dimensions                            = {
          - "QueueName" = "dev-end-of-transfer-service-event-out-of-order-audit"
        } -> null
      - evaluation_periods                    = 1 -> null
      - id                                    = "dev-end-of-transfer-service-out-of-order-audit" -> null
      - insufficient_data_actions             = [] -> null
      - metric_name                           = "ApproximateAgeOfOldestMessage" -> null
      - namespace                             = "AWS/SQS" -> null
      - ok_actions                            = [
          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-alarm-notifications-sns-topic",
        ] -> null
      - period                                = 900 -> null
      - statistic                             = "Maximum" -> null
      - tags                                  = {} -> null
      - tags_all                              = {} -> null
      - threshold                             = 900 -> null
      - treat_missing_data                    = "missing" -> null
        # (4 unchanged attributes hidden)
    }

  # aws_dynamodb_table.suspensions will be destroyed
  - resource "aws_dynamodb_table" "suspensions" {
      - arn                         = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/dev-end-of-transfer-service-dynamodb" -> null
      - billing_mode                = "PAY_PER_REQUEST" -> null
      - deletion_protection_enabled = true -> null
      - hash_key                    = "nhs_number" -> null
      - id                          = "dev-end-of-transfer-service-dynamodb" -> null
      - name                        = "dev-end-of-transfer-service-dynamodb" -> null
      - read_capacity               = 0 -> null
      - stream_enabled              = false -> null
      - table_class                 = "STANDARD" -> null
      - tags                        = {} -> null
      - tags_all                    = {} -> null
      - write_capacity              = 0 -> null
        # (3 unchanged attributes hidden)

      - attribute {
          - name = "nhs_number" -> null
          - type = "S" -> null
        }

      - point_in_time_recovery {
          - enabled = true -> null
        }

      - server_side_encryption {
          - enabled     = true -> null
          - kms_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/48bed1d5-6201-443d-99be-62a20bf1bf9f" -> null
        }

      - ttl {
          - enabled        = false -> null
            # (1 unchanged attribute hidden)
        }
    }

  # aws_ecs_cluster.ecs-cluster will be destroyed
  - resource "aws_ecs_cluster" "ecs-cluster" {
      - arn      = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:cluster/dev-end-of-transfer-service-ecs-cluster" -> null
      - id       = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:cluster/dev-end-of-transfer-service-ecs-cluster" -> null
      - name     = "dev-end-of-transfer-service-ecs-cluster" -> null
      - tags     = {
          - "AWS.SSM.AppManager.ECS.Cluster.ARN" = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:cluster/dev-end-of-transfer-service-ecs-cluster"
          - "CreatedBy"                          = "end-of-transfer-service"
          - "Environment"                        = "dev"
        } -> null
      - tags_all = {
          - "AWS.SSM.AppManager.ECS.Cluster.ARN" = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:cluster/dev-end-of-transfer-service-ecs-cluster"
          - "CreatedBy"                          = "end-of-transfer-service"
          - "Environment"                        = "dev"
        } -> null

      - setting {
          - name  = "containerInsights" -> null
          - value = "enabled" -> null
        }
    }

  # aws_ecs_service.ecs-service will be destroyed
  - resource "aws_ecs_service" "ecs-service" {
      - cluster                            = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:cluster/dev-end-of-transfer-service-ecs-cluster" -> null
      - deployment_maximum_percent         = 200 -> null
      - deployment_minimum_healthy_percent = 100 -> null
      - desired_count                      = 0 -> null
      - enable_ecs_managed_tags            = false -> null
      - enable_execute_command             = false -> null
      - health_check_grace_period_seconds  = 0 -> null
      - iam_role                           = "/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" -> null
      - id                                 = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:service/dev-end-of-transfer-service-ecs-cluster/dev-end-of-transfer-service" -> null
      - launch_type                        = "FARGATE" -> null
      - name                               = "dev-end-of-transfer-service" -> null
      - platform_version                   = "LATEST" -> null
      - propagate_tags                     = "NONE" -> null
      - scheduling_strategy                = "REPLICA" -> null
      - tags                               = {} -> null
      - tags_all                           = {} -> null
      - task_definition                    = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:task-definition/end-of-transfer-service:114" -> null
      - triggers                           = {} -> null
      - wait_for_steady_state              = false -> null

      - deployment_circuit_breaker {
          - enable   = false -> null
          - rollback = false -> null
        }

      - deployment_controller {
          - type = "ECS" -> null
        }

      - network_configuration {
          - assign_public_ip = false -> null
          - security_groups  = [
              - "sg-0fefe[REDACTED_AWS_ACCOUNT_ID]",
            ] -> null
          - subnets          = (sensitive value) -> null
        }
    }

  # aws_ecs_task_definition.task will be destroyed
  - resource "aws_ecs_task_definition" "task" {
      - arn                      = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:task-definition/end-of-transfer-service:114" -> null
      - arn_without_revision     = "arn:aws:ecs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:task-definition/end-of-transfer-service" -> null
      - container_definitions    = (sensitive value) -> null
      - cpu                      = "512" -> null
      - execution_role_arn       = "[REDACTED_IAM_ROLE_ARN]" -> null
      - family                   = "end-of-transfer-service" -> null
      - id                       = "end-of-transfer-service" -> null
      - memory                   = "1024" -> null
      - network_mode             = "awsvpc" -> null
      - requires_compatibilities = [
          - "FARGATE",
        ] -> null
      - revision                 = 114 -> null
      - tags                     = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - tags_all                 = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - task_role_arn            = "[REDACTED_IAM_ROLE_ARN]" -> null
      - track_latest             = false -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.cloudwatch_metrics_policy will be destroyed
  - resource "aws_iam_policy" "cloudwatch_metrics_policy" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-cloudwatch-metrics" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-cloudwatch-metrics" -> null
      - name             = "dev-end-of-transfer-service-cloudwatch-metrics" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "cloudwatch:PutMetricData",
                          - "cloudwatch:GetMetricData",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJBUS4Q46ZP" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.dynamodb-table-access will be destroyed
  - resource "aws_iam_policy" "dynamodb-table-access" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-dynamodb-table-access" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-dynamodb-table-access" -> null
      - name             = "dev-end-of-transfer-service-dynamodb-table-access" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "dynamodb:PutItem",
                          - "dynamodb:GetItem",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:dynamodb:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:table/dev-end-of-transfer-service-dynamodb"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJLLZ3WJQNS" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.ecr_policy will be destroyed
  - resource "aws_iam_policy" "ecr_policy" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-ecr" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-ecr" -> null
      - name             = "dev-end-of-transfer-service-ecr" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:BatchGetImage",
                          - "ecr:BatchCheckLayerAvailability",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ecr:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:repository/repo/suspension-service"
                      - Sid      = ""
                    },
                  - {
                      - Action   = "ecr:GetAuthorizationToken"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJMD6VZK4G2" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.logs_policy will be destroyed
  - resource "aws_iam_policy" "logs_policy" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-logs" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-logs" -> null
      - name             = "dev-end-of-transfer-service-logs" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:PutLogEvents",
                          - "logs:CreateLogStream",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:logs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:log-group:/nhs/deductions/dev-[REDACTED_AWS_ACCOUNT_ID]/end-of-transfer-service:*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJJDLAAEN43" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.sns_failure_feedback_policy will be destroyed
  - resource "aws_iam_policy" "sns_failure_feedback_policy" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns-failure-feedback" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns-failure-feedback" -> null
      - name             = "dev-end-of-transfer-service-sns-failure-feedback" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:PutRetentionPolicy",
                          - "logs:PutMetricFilter",
                          - "logs:PutLogEvents",
                          - "logs:CreateLogStream",
                          - "logs:CreateLogGroup",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJBZ3SAESK5" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.suspension_service_sns will be destroyed
  - resource "aws_iam_policy" "suspension_service_sns" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns" -> null
      - name             = "dev-end-of-transfer-service-sns" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "sns:Publish",
                          - "sns:GetTopicAttributes",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-not-suspended-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-updated-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-not-updated-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-invalid-suspension-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-invalid-suspension-audit-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-event-out-of-order",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-deceased-patient",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-active-suspensions-sns-topic",
                          - "arn:aws:sns:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-ehr-transfer-service-transfer-complete-sns-topic",
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJDR3WFWBSK" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.suspensions_kms will be destroyed
  - resource "aws_iam_policy" "suspensions_kms" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-kms" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-kms" -> null
      - name             = "dev-end-of-transfer-service-kms" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = "kms:*"
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJC3YWEYECN" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_policy.suspensions_processor_sqs will be destroyed
  - resource "aws_iam_policy" "suspensions_processor_sqs" {
      - arn              = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sqs" -> null
      - attachment_count = 1 -> null
      - id               = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sqs" -> null
      - name             = "dev-end-of-transfer-service-sqs" -> null
      - path             = "/" -> null
      - policy           = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "sqs:ReceiveMessage",
                          - "sqs:GetQueue*",
                          - "sqs:DeleteMessage",
                          - "sqs:ChangeMessageVisibility",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-transfer-complete",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-not-suspended-observability",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-not-suspended-audit",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-updated-audit",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-updated",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-not-updated-audit",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-mof-not-updated",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-invalid-suspension-dlq-audit",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-invalid-suspension-dlq",
                          - "arn:aws:sqs:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:dev-end-of-transfer-service-deceased-patient",
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - policy_id        = "ANPAWCD5NRKJGBRLGCVPF" -> null
      - tags             = {} -> null
      - tags_all         = {} -> null
        # (2 unchanged attributes hidden)
    }

  # aws_iam_role.component-ecs-role will be destroyed
  - resource "aws_iam_role" "component-ecs-role" {
      - arn                   = "[REDACTED_IAM_ROLE_ARN]" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "ecs-tasks.amazonaws.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2022-07-11T16:26:33Z" -> null
      - description           = "Role assumed by end-of-transfer-service ECS task" -> null
      - force_detach_policies = false -> null
      - id                    = "dev-end-of-transfer-service-EcsTaskRole" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-cloudwatch-metrics",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-dynamodb-table-access",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-ecr",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-kms",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-logs",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns",
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sqs",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "dev-end-of-transfer-service-EcsTaskRole" -> null
      - path                  = "/" -> null
      - tags                  = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - tags_all              = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - unique_id             = "AROAWCD5NRKJCGU3ZM5SH" -> null
        # (2 unchanged attributes hidden)

      - inline_policy {
            name   = null
            # (1 unchanged attribute hidden)
        }
    }

  # aws_iam_role.sns_failure_feedback_role will be destroyed
  - resource "aws_iam_role" "sns_failure_feedback_role" {
      - arn                   = "[REDACTED_IAM_ROLE_ARN]" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2022-07-11T16:26:34Z" -> null
      - description           = "Allows logging of SNS delivery failures in end-of-transfer-service" -> null
      - force_detach_policies = false -> null
      - id                    = "dev-end-of-transfer-service-sns-failure-feedback-role" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns-failure-feedback",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "dev-end-of-transfer-service-sns-failure-feedback-role" -> null
      - path                  = "/" -> null
      - tags                  = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - tags_all              = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
        } -> null
      - unique_id             = "AROAWCD5NRKJELHXHQCGP" -> null
        # (2 unchanged attributes hidden)

      - inline_policy {
            name   = null
            # (1 unchanged attribute hidden)
        }
    }

  # aws_iam_role_policy_attachment.cloudwatch_metrics_policy_attach will be destroyed
  - resource "aws_iam_role_policy_attachment" "cloudwatch_metrics_policy_attach" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]01" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-cloudwatch-metrics" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.ecr_policy_attach will be destroyed
  - resource "aws_iam_role_policy_attachment" "ecr_policy_attach" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]02" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-ecr" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.ecs_dynamo_attach will be destroyed
  - resource "aws_iam_role_policy_attachment" "ecs_dynamo_attach" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]09" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-dynamodb-table-access" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.logs_policy_attach will be destroyed
  - resource "aws_iam_role_policy_attachment" "logs_policy_attach" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]06" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-logs" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.sns_failure_feedback_policy_attachment will be destroyed
  - resource "aws_iam_role_policy_attachment" "sns_failure_feedback_policy_attachment" {
      - id         = "dev-end-of-transfer-service-sns-failure-feedback-role-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]04" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns-failure-feedback" -> null
      - role       = "dev-end-of-transfer-service-sns-failure-feedback-role" -> null
    }

  # aws_iam_role_policy_attachment.suspension_service_sns will be destroyed
  - resource "aws_iam_role_policy_attachment" "suspension_service_sns" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]0a" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sns" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.suspensions_kms will be destroyed
  - resource "aws_iam_role_policy_attachment" "suspensions_kms" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]03" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-kms" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_iam_role_policy_attachment.suspensions_processor_sqs will be destroyed
  - resource "aws_iam_role_policy_attachment" "suspensions_processor_sqs" {
      - id         = "dev-end-of-transfer-service-EcsTaskRole-[REDACTED_AWS_ACCOUNT_ID][REDACTED_AWS_ACCOUNT_ID]08" -> null
      - policy_arn = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:policy/dev-end-of-transfer-service-sqs" -> null
      - role       = "dev-end-of-transfer-service-EcsTaskRole" -> null
    }

  # aws_kms_alias.active_suspensions_encryption will be destroyed
  - resource "aws_kms_alias" "active_suspensions_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-active-suspensions-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-active-suspensions-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-active-suspensions-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/bf507282-d669-4fb4-b08c-f9a5f0a459a5" -> null
      - target_key_id  = "bf507282-d669-4fb4-b08c-f9a5f0a459a5" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.deceased_patient_encryption will be destroyed
  - resource "aws_kms_alias" "deceased_patient_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-deceased-patient-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-deceased-patient-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-deceased-patient-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/826dcb44-3c17-49e2-b2d5-975b78d92f7f" -> null
      - target_key_id  = "826dcb44-3c17-49e2-b2d5-975b78d92f7f" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.event_out_of_order_encryption will be destroyed
  - resource "aws_kms_alias" "event_out_of_order_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-event-out-of-order-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-event-out-of-order-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-event-out-of-order-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/15af7d3e-9a73-4e8a-b8bf-82e83f7307b8" -> null
      - target_key_id  = "15af7d3e-9a73-4e8a-b8bf-82e83f7307b8" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.invalid_suspension_audit_encryption will be destroyed
  - resource "aws_kms_alias" "invalid_suspension_audit_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-non-sensitive-invalid-suspension-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-non-sensitive-invalid-suspension-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-non-sensitive-invalid-suspension-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/532c023d-babd-429f-acf7-d29b54722f54" -> null
      - target_key_id  = "532c023d-babd-429f-acf7-d29b54722f54" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.invalid_suspension_encryption will be destroyed
  - resource "aws_kms_alias" "invalid_suspension_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-invalid-suspension-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-invalid-suspension-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-invalid-suspension-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/8e320040-e36c-45fc-a505-e4f0385240ba" -> null
      - target_key_id  = "8e320040-e36c-45fc-a505-e4f0385240ba" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.mof_not_updated_encryption will be destroyed
  - resource "aws_kms_alias" "mof_not_updated_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-mof-not-updated-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-mof-not-updated-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-mof-not-updated-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/9f2a07f1-d926-4a2e-a2c7-360934d24f94" -> null
      - target_key_id  = "9f2a07f1-d926-4a2e-a2c7-360934d24f94" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.mof_updated_encryption will be destroyed
  - resource "aws_kms_alias" "mof_updated_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-mof-updated-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-mof-updated-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-mof-updated-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/c874ecbb-de61-4e98-8c64-a3bc53989774" -> null
      - target_key_id  = "c874ecbb-de61-4e98-8c64-a3bc53989774" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.not_suspended_encryption will be destroyed
  - resource "aws_kms_alias" "not_suspended_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-not-suspended-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-not-suspended-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-not-suspended-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/9a958079-ee35-4059-97f6-b57059fd63ee" -> null
      - target_key_id  = "9a958079-ee35-4059-97f6-b57059fd63ee" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_alias.suspension_dynamodb_encryption will be destroyed
  - resource "aws_kms_alias" "suspension_dynamodb_encryption" {
      - arn            = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:alias/end-of-transfer-service-suspension-dynamodb-encryption-kms-key" -> null
      - id             = "alias/end-of-transfer-service-suspension-dynamodb-encryption-kms-key" -> null
      - name           = "alias/end-of-transfer-service-suspension-dynamodb-encryption-kms-key" -> null
      - target_key_arn = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/48bed1d5-6201-443d-99be-62a20bf1bf9f" -> null
      - target_key_id  = "48bed1d5-6201-443d-99be-62a20bf1bf9f" -> null
        # (1 unchanged attribute hidden)
    }

  # aws_kms_key.active_suspensions will be destroyed
  - resource "aws_kms_key" "active_suspensions" {
      - arn                      = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/bf507282-d669-4fb4-b08c-f9a5f0a459a5" -> null
      - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null
      - description              = "Custom KMS Key to enable server side encryption for active-suspensions topic" -> null
      - enable_key_rotation      = true -> null
      - id                       = "bf507282-d669-4fb4-b08c-f9a5f0a459a5" -> null
      - is_enabled               = true -> null
      - key_id                   = "bf507282-d669-4fb4-b08c-f9a5f0a459a5" -> null
      - key_usage                = "ENCRYPT_DECRYPT" -> null
      - multi_region             = false -> null
      - policy                   = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudwatch.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days  = 365 -> null
      - tags                     = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-active-suspensions-encryption-kms-key"
        } -> null
      - tags_all                 = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-active-suspensions-encryption-kms-key"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.deceased_patient will be destroyed
  - resource "aws_kms_key" "deceased_patient" {
      - arn                      = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/826dcb44-3c17-49e2-b2d5-975b78d92f7f" -> null
      - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null
      - description              = "Custom KMS Key to enable server side encryption for deceased patient topic" -> null
      - enable_key_rotation      = true -> null
      - id                       = "826dcb44-3c17-49e2-b2d5-975b78d92f7f" -> null
      - is_enabled               = true -> null
      - key_id                   = "826dcb44-3c17-49e2-b2d5-975b78d92f7f" -> null
      - key_usage                = "ENCRYPT_DECRYPT" -> null
      - multi_region             = false -> null
      - policy                   = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudwatch.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days  = 365 -> null
      - tags                     = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-deceased-patient-kms-key"
        } -> null
      - tags_all                 = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-deceased-patient-kms-key"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.event_out_of_order will be destroyed
  - resource "aws_kms_key" "event_out_of_order" {
      - arn                      = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/15af7d3e-9a73-4e8a-b8bf-82e83f7307b8" -> null
      - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null
      - description              = "Custom KMS Key to enable server side encryption for event out of order topic" -> null
      - enable_key_rotation      = true -> null
      - id                       = "15af7d3e-9a73-4e8a-b8bf-82e83f7307b8" -> null
      - is_enabled               = true -> null
      - key_id                   = "15af7d3e-9a73-4e8a-b8bf-82e83f7307b8" -> null
      - key_usage                = "ENCRYPT_DECRYPT" -> null
      - multi_region             = false -> null
      - policy                   = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudwatch.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days  = 365 -> null
      - tags                     = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-event-out-of-order-kms-key"
        } -> null
      - tags_all                 = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-event-out-of-order-kms-key"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.invalid_suspension will be destroyed
  - resource "aws_kms_key" "invalid_suspension" {
      - arn                      = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/8e320040-e36c-45fc-a505-e4f0385240ba" -> null
      - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null
      - description              = "Custom KMS Key to enable server side encryption for invalid suspension topic" -> null
      - enable_key_rotation      = true -> null
      - id                       = "8e320040-e36c-45fc-a505-e4f0385240ba" -> null
      - is_enabled               = true -> null
      - key_id                   = "8e320040-e36c-45fc-a505-e4f0385240ba" -> null
      - key_usage                = "ENCRYPT_DECRYPT" -> null
      - multi_region             = false -> null
      - policy                   = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "cloudwatch.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - rotation_period_in_days  = 365 -> null
      - tags                     = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-invalid-suspension-kms-key"
        } -> null
      - tags_all                 = {
          - "CreatedBy"   = "end-of-transfer-service"
          - "Environment" = "dev"
          - "Name"        = "dev-invalid-suspension-kms-key"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # aws_kms_key.invalid_suspension_audit will be destroyed
  - resource "aws_kms_key" "invalid_suspension_audit" {
      - arn                      = "arn:aws:kms:eu-west-2:[REDACTED_AWS_ACCOUNT_ID]:key/532c023d-babd-429f-acf7-d29b54722f54" -> null
      - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null
      - description              = "Custom KMS Key to enable server side encryption for invalid suspension audit topic" -> null
      - enable_key_rotation      = true -> null
      - id                       = "532c023d-babd-429f-acf7-d29b54722f54" -> null
      - is_enabled               = true -> null
      - key_id                   = "532c023d-babd-429f-acf7-d29b54722f54" -> null
      - key_usage                = "ENCRYPT_DECRYPT" -> null
      - multi_region             = false -> null
      - policy                   = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "kms:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::[REDACTED_AWS_ACCOUNT_ID]:root"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",
                        ]
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "sns.amazonaws.com"
                        }
                      - Resource  = "*"
                      - Sid       = ""
                    },
                  - {
                      - Action    = [
                          - "kms:GenerateDataKey*",
                          - "kms:Decrypt",

(truncated - see workflow logs for full output)

@github-actions

Checkov issues found

View full details here.
