fix(iac,indexer): provision AzureWebJobsStorage for the dev indexer #83

Merged: christopherhouse merged 3 commits into main from fix/indexer-azurewebjobsstorage (Jun 17, 2026)

@christopherhouse

Summary

Dev indexer container has been continuously reporting:

azure.functions.webjobs.storage: Unhealthy
  description: Unable to create client for AzureWebJobsStorage

Root cause: there's no storage account in rg-bt-dev and the Functions runtime expects AzureWebJobsStorage to be configured at startup. The indexer's only trigger is the Cosmos change-feed (which uses Cosmos's own lease container for state), so functionally it kept working — Container Apps itself reported the revision Healthy and the listener IS running:

Listener successfully started for function 'Functions.RegistryEntityIndexer' after 14 retries.

…but the log floor was an Unhealthy line every 30s, and the runtime health surface stayed red.

The user's hypothesis ("could be a network access issue") was reasonable but ruled out: az storage account list -g rg-bt-dev returned []. The fix is to actually create the storage account.

Changes

New resource in iac/environments/dev/main.tf:

resource "azurerm_storage_account" "indexer_webjobs" {
  # resource_group_name and location (both required) are not shown in this summary
  name                          = "stbtdev${var.unique_suffix}"
  account_tier                  = "Standard"
  account_replication_type      = "LRS"
  account_kind                  = "StorageV2"
  shared_access_key_enabled     = false                                          # AAD-only
  public_network_access_enabled = var.data_services_public_access_enabled        # tracks Cosmos/Search toggle
  min_tls_version               = "TLS1_2"
  # Keep deleted blobs recoverable for 7 days
  blob_properties {
    delete_retention_policy {
      days = 7
    }
  }
  tags                          = local.shared_tags
}

resource "azurerm_role_assignment" "workload_uami_indexer_webjobs_blob_owner" {
  scope                = azurerm_storage_account.indexer_webjobs.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = module.workload_identity.principal_id
}

functions-container-app module gains one new variable azure_webjobs_storage_account_name and three new env vars on the indexer container:

AzureWebJobsStorage__accountName = <storage account name>
AzureWebJobsStorage__credential  = managedidentity
AzureWebJobsStorage__clientId    = <workload UAMI client id>

No shared keys, no connection strings — same managed-identity stance as Cosmos / KV / ACR / Search across the dev composition.

Indexer module call in dev gains depends_on the role assignment so the data-plane role propagates via AAD before the Functions runtime first connects.

Files

  • iac/environments/dev/main.tf (+ storage + role + module var + depends_on)
  • iac/modules/functions-container-app/variables.tf (+ new variable)
  • iac/modules/functions-container-app/main.tf (+ 3 env vars)
  • iac/modules/functions-container-app/README.md (terraform-docs regen)

Test plan

  • tofu validate clean in environments/dev
  • terraform-docs regenerated for the module
  • After CD-dev applies: az containerapp logs show -g rg-bt-dev --name ca-bt-dev-indexer --tail 30 --type console | grep healthy shows no more webjobs.storage: Unhealthy
  • Indexer still processes Cosmos change feed (no regression on the Search indexing path)

Risks / out of scope

  • Test/prod compositions don't yet wire the indexer module — no change needed in those env files. When they do, the same variable shape passes through.
  • Doesn't address the broader "CAE isn't vnet-integrated" architecture gap. Storage goes via public endpoint same as Cosmos / Search.

🤖 Generated with Claude Code

christopherhouse and others added 3 commits June 16, 2026 20:18
The dev indexer container reported 'azure.functions.webjobs.storage:
Unhealthy — Unable to create client for AzureWebJobsStorage' every
30s because there was no storage account at all in rg-bt-dev and the
Functions runtime expects AzureWebJobsStorage at startup. Container
Apps itself reported the revision Healthy (the Cosmos change-feed
trigger uses Cosmos's own lease container for state, not Azure
Storage), so functionally the indexer was still working — but the
log noise was constant and the runtime health surface stayed red.

Fix:
- New azurerm_storage_account.indexer_webjobs in the dev composition
  (Standard_LRS, StorageV2, shared_access_key_enabled = false,
  public_network_access_enabled gated on the existing
  data_services_public_access_enabled variable so it tracks the same
  toggle as Cosmos / Search / KV).
- Workload UAMI granted Storage Blob Data Owner on the new account —
  covers the runtime's blob-container-create needs.
- functions-container-app module gains a new variable
  azure_webjobs_storage_account_name and injects three env vars on
  the container:
    AzureWebJobsStorage__accountName = <storage account name>
    AzureWebJobsStorage__credential  = managedidentity
    AzureWebJobsStorage__clientId    = <workload UAMI client id>
- Indexer module call depends_on the role assignment so the data-plane
  role propagates via AAD before the Functions runtime first connects.

No shared keys, no connection strings — matches the project's
managed-identity-only stance.

Test/prod compositions don't yet wire the indexer module, so no
changes needed there. When they do, they'll pass the same variable
shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ge account

CI's checkov scan tripped four rules on azurerm_storage_account.indexer_webjobs:

  CKV_AZURE_190    Ensure that Storage blobs restrict public access
  CKV2_AZURE_47    Ensure storage account is configured without blob
                   anonymous access
  CKV2_AZURE_33    Ensure storage account is configured with private
                   endpoint
  CKV2_AZURE_1     Ensure storage for critical data are encrypted with
                   Customer Managed Key

Fix:
- Two of them (190 + 47) are real and cheap to satisfy — set
  `allow_nested_items_to_be_public = false` on the account so anonymous
  blob access is blocked at the account level. The Functions runtime
  never needs anonymous reads.
- CKV2_AZURE_33 (private endpoint) is allowlisted with justification:
  the Container Apps Environment hosting the indexer has
  `vnetConfig: null`, so even if a private endpoint existed the indexer
  couldn't reach it. Same architectural posture as Cosmos / AI Search
  in dev. Allowlist entry calls out the dependency on a future CAE
  vnet integration so the rule gets re-evaluated when that happens.
- CKV2_AZURE_1 (CMK) is allowlisted with justification: the account
  holds only Functions runtime internal state — no operator data, no
  audit log, no registry payload (those live in Cosmos). Azure-managed
  keys are the documented posture for AzureWebJobsStorage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The project's 'no inline IAM in env compositions' lint
(scripts/lint-iac-inline-iam.sh) rejected the inline
azurerm_role_assignment.workload_uami_indexer_webjobs_blob_owner in
iac/environments/dev/main.tf. The conventional path is to add the role
to the workload-identity module's assigned_azure_rbac input map.

Fix:
- Add a new 'indexer-webjobs-blob-owner' entry to the existing
  assigned_azure_rbac map (Storage Blob Data Owner on the new storage
  account) — same pattern as acr-pull, kv-secrets-user, and
  monitoring-metrics-publisher.
- Drop the inline azurerm_role_assignment resource block.
- Indexer module depends_on the workload_identity module (covers the
  new role assignment + the existing ones).

Behavior identical to the previous attempt; this is purely a project-
convention cleanup so the lint passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
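
A CI guard for the posture this PR and its follow-up commits settle on, written as an added example (not code from this repository): it reads the JSON form of a plan (`tofu show -json`) and flags a storage account that re-enables shared keys or public blob access, and any resource that carries a key-based `AzureWebJobsStorage` setting. The container app address and resource type, the account name and both sample plans are constructed for illustration.

```python
import json

PREFIX = "AzureWebJobsStorage"
REQUIRED_ENV = {f"{PREFIX}__accountName", f"{PREFIX}__credential", f"{PREFIX}__clientId"}
REQUIRED_ACCOUNT_SETTINGS = {
    "shared_access_key_enabled": False,        # AAD-only, as in the PR
    "allow_nested_items_to_be_public": False,  # the CKV_AZURE_190 / CKV2_AZURE_47 fix
    "min_tls_version": "TLS1_2",
}
KEY_MARKERS = ("AccountKey=", "SharedAccessSignature=")


def _webjobs_env(node):
    """Yield (name, value) for AzureWebJobsStorage* env entries nested anywhere in node.

    Walking the whole object avoids assuming which resource type or block
    layout the functions-container-app module uses for its env vars.
    """
    if isinstance(node, dict):
        name = node.get("name")
        if isinstance(name, str) and name.startswith(PREFIX):
            yield name, node.get("value")
        for child in node.values():
            yield from _webjobs_env(child)
    elif isinstance(node, list):
        for child in node:
            yield from _webjobs_env(child)


def check_plan(plan):
    """Return a list of findings; an empty list means the plan keeps the posture."""
    findings = []
    for rc in plan.get("resource_changes", []):
        addr = rc.get("address", "<unknown>")
        after = (rc.get("change") or {}).get("after")
        if not after:  # resource is being destroyed: nothing to assess
            continue
        if rc.get("type") == "azurerm_storage_account":
            for key, want in REQUIRED_ACCOUNT_SETTINGS.items():
                if after.get(key) != want:
                    findings.append(f"{addr}: {key}={after.get(key)!r}, want {want!r}")
        env = dict(_webjobs_env(after))
        if not env:
            continue
        if PREFIX in env:
            findings.append(f"{addr}: bare {PREFIX} connection-string setting present")
        for name, value in env.items():
            if isinstance(value, str) and any(m in value for m in KEY_MARKERS):
                findings.append(f"{addr}: {name} embeds a shared key or SAS")
        for name in sorted(REQUIRED_ENV - env.keys()):
            findings.append(f"{addr}: missing {name}")
        cred = env.get(f"{PREFIX}__credential")
        if cred is not None and cred != "managedidentity":
            findings.append(f"{addr}: {PREFIX}__credential={cred!r}")
    return findings


def _plan(account_after, env):
    """Build a constructed, minimal plan document in the `tofu show -json` layout."""
    return {"resource_changes": [
        {"address": "azurerm_storage_account.indexer_webjobs",
         "type": "azurerm_storage_account",
         "change": {"actions": ["create"], "after": account_after}},
        # Hypothetical address and resource type for the indexer container app.
        {"address": "module.indexer.azurerm_container_app.this",
         "type": "azurerm_container_app",
         "change": {"actions": ["update"],
                    "after": {"template": [{"container": [{"name": "indexer", "env": env}]}]}}},
    ]}


# Constructed sample: the settings described in the PR and the checkov follow-up.
HARDENED_PLAN = _plan(
    {"name": "stbtdevexample", "shared_access_key_enabled": False,
     "allow_nested_items_to_be_public": False, "min_tls_version": "TLS1_2"},
    [{"name": "AzureWebJobsStorage__accountName", "value": "stbtdevexample"},
     {"name": "AzureWebJobsStorage__credential", "value": "managedidentity"},
     {"name": "AzureWebJobsStorage__clientId", "value": "00000000-0000-0000-0000-000000000000"}],
)

# Constructed sample: a regression to shared keys and a connection string.
WEAK_PLAN = _plan(
    {"name": "stbtdevexample", "shared_access_key_enabled": True,
     "allow_nested_items_to_be_public": True, "min_tls_version": "TLS1_2"},
    [{"name": "AzureWebJobsStorage",
      "value": "DefaultEndpointsProtocol=https;AccountName=stbtdevexample;AccountKey=PLACEHOLDER"}],
)

if __name__ == "__main__":
    for label, plan in (("hardened", HARDENED_PLAN), ("weak", WEAK_PLAN)):
        print(label, json.dumps(check_plan(plan), indent=2))
```

In a pipeline, feed it `json.load()` of the `tofu show -json` output for the saved plan and fail the job when the returned list is non-empty.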
@github-actions

OpenTofu plan — dev

module.container_apps_env.data.azurerm_log_analytics_workspace.this: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.current: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.modtm_telemetry.telemetry[0]: Refreshing state... [id=1a8fc817-4e60-4b70-b5d3-2c124cd439a0]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Read complete after 2s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.container_apps_env.module.environment.azapi_resource.this_environment: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev]
module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics]
module.indexer_container_app.azurerm_container_app.indexer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer]
module.backend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api]
module.frontend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # azurerm_storage_account.indexer_webjobs will be created
  + resource "azurerm_storage_account" "indexer_webjobs" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = false
      + cross_tenant_replication_enabled   = false
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + https_traffic_only_enabled         = true
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus2"
      + min_tls_version                    = "TLS1_2"
      + name                               = "stbtdevchdev01"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "rg-bt-dev"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = false
      + table_encryption_key_type          = "Service"
      + tags                               = {
          + "application" = "BusTerminal"
          + "cost-center" = "platform"
          + "environment" = "dev"
          + "managed-by"  = "opentofu"
          + "owner"       = "platform-team"
          + "slice"       = "002-solution-foundation"
        }

      + blob_properties {
          + change_feed_enabled      = false
          + default_service_version  = (known after apply)
          + last_access_time_enabled = false
          + versioning_enabled       = false

          + delete_retention_policy {
              + days                     = 7
              + permanent_delete_enabled = false
            }
        }

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)

      + static_website (known after apply)
    }
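
Review bot: local_user_enabled = true and default_to_oauth_authentication = false in this block sit oddly next to shared_access_key_enabled = false. The account is meant to be AAD-only, yet local users stay enabled, and public_network_access_enabled resolves to true while network_rules is still (known after apply). Suggest setting local_user_enabled = false and default_to_oauth_authentication = true on the resource, and checking the default action of the applied network_rules before relying on the public-access toggle in dev.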

  # module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources will be updated in-place
  ~ resource "azurerm_cosmosdb_sql_container" "resources" {
        id                     = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources"
        name                   = "resources"
        # (8 unchanged attributes hidden)

      ~ indexing_policy {
            # (1 unchanged attribute hidden)

          + excluded_path {
              + path = "/\"_etag\"/?"
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.indexer_container_app.azurerm_container_app.indexer will be updated in-place
  ~ resource "azurerm_container_app" "indexer" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer"
        name                          = "ca-bt-dev-indexer"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (8 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/indexer:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-indexer"
                # (5 unchanged attributes hidden)

              + env {
                  + name  = "AzureWebJobsStorage__accountName"
                  + value = "stbtdevchdev01"
                }
              + env {
                  + name  = "AzureWebJobsStorage__credential"
                  + value = "managedidentity"
                }
              + env {
                  + name  = "AzureWebJobsStorage__clientId"
                  + value = "524977ab-0fcd-4c58-a2ff-78f164f20d7d"
                }

                # (12 unchanged blocks hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }
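
Review bot: the image line in this container block would replace the SHA-pinned acrbtdevchdev01.azurecr.io/busterminal/indexer image with mcr.microsoft.com/azuredocs/aci-helloworld:latest, which is unrelated to the three AzureWebJobsStorage__* env additions. The same drift shows on ca-bt-dev-api and ca-bt-dev-web and in the three *_image_in_use outputs. Applying the saved tfplan as is would swap the running workloads for a mutable :latest placeholder, so either feed the deployed image tags into the plan or add the container image to lifecycle ignore_changes on these resources.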

  # module.workload_identity.azurerm_role_assignment.this["indexer-webjobs-blob-owner"] will be created
  + resource "azurerm_role_assignment" "this" {
      + condition_version                = (known after apply)
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "216a3f27-ff24-46fc-813c-6133bc077672"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.backend_app.module.app.azurerm_container_app.this will be updated in-place
  ~ resource "azurerm_container_app" "this" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api"
        name                          = "ca-bt-dev-api"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (9 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/api:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-api"
                # (5 unchanged attributes hidden)

                # (15 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (4 unchanged blocks hidden)
    }

  # module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "cae-diagnostics"
        # (2 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "acr-diagnostics"
        # (2 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics"
        name                           = "cosmos-bt-dev-chdev01-diagnostics"
        # (3 unchanged attributes hidden)

      - metric {
          - category = "Requests" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - metric {
          - category = "SLI" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }

        # (1 unchanged block hidden)
    }

  # module.frontend_app.module.app.azurerm_container_app.this will be updated in-place
  ~ resource "azurerm_container_app" "this" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web"
        name                          = "ca-bt-dev-web"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (9 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/web:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-web"
                # (5 unchanged attributes hidden)

                # (12 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (4 unchanged blocks hidden)
    }

Plan: 2 to add, 7 to change, 0 to destroy.

Changes to Outputs:
  ~ backend_image_in_use                              = "acrbtdevchdev01.azurecr.io/busterminal/api:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
  ~ frontend_image_in_use                             = "acrbtdevchdev01.azurecr.io/busterminal/web:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
  ~ indexer_image_in_use                              = "acrbtdevchdev01.azurecr.io/busterminal/indexer:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"

Warning: Argument is deprecated

  with module.keyvault.module.keyvault.azurerm_key_vault.this,
  on .terraform/modules/keyvault.keyvault/main.tf line 7, in resource "azurerm_key_vault" "this":
   7:   enable_rbac_authorization       = !var.legacy_access_policies_enabled

This property has been renamed to `rbac_authorization_enabled` and will be
removed in v5.0 of the provider

(and 6 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/monitoring.log_analytics/outputs.tf line 16, in output "resource":
  16:   value       = azurerm_log_analytics_workspace.this

This value's attribute local_authentication_disabled is derived from
azurerm_log_analytics_workspace.this.local_authentication_disabled, which is
deprecated.

Warning: Attribute Deprecated

  with module.networking.module.private_dns_zones["privatelink.documents.azure.com"].azapi_resource.private_dns_zone,
  on .terraform/modules/networking.private_dns_zones/main.tf line 1, in resource "azapi_resource" "private_dns_zone":
   1: resource "azapi_resource" "private_dns_zone" {

The `multiplier` attribute is deprecated and will be removed in a future
version.

(and 19 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.multiplier is derived from
azapi_resource.vnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.randomization_factor is derived from
azapi_resource.vnet.retry.randomization_factor, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.multiplier is derived from
azapi_resource.subnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.randomization_factor is derived from
azapi_resource.subnet.retry.randomization_factor, which is deprecated.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    tofu apply "tfplan"

BusTerminal IaC policy gate — env dev

Rule Status Detail
BT-IAC-001 PASS BT-IAC-001: PASS
BT-IAC-002 SKIP (env 'dev' is non-prod; rule is prod-only per Q2c) BT-IAC-002: SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)
BT-IAC-003 PASS BT-IAC-003: PASS
BT-IAC-004 PASS BT-IAC-004: PASS
BT-IAC-005 PASS BT-IAC-005: PASS
BT-IAC-006 PASS BT-IAC-006: PASS
BT-IAC-007 PASS BT-IAC-007: PASS

Totals: 7 pass · 0 fail · 0 setup error(s)

@christopherhouse christopherhouse merged commit 6a420a2 into main Jun 17, 2026
9 checks passed
@christopherhouse christopherhouse deleted the fix/indexer-azurewebjobsstorage branch June 17, 2026 01:55