Skip to content

fix(iac): wire pipeline MI for AAD storage data-plane on indexer_webjobs#84

Merged
christopherhouse merged 1 commit into
mainfrom
fix/indexer-storage-bootstrap-rbac
Jun 17, 2026
Merged

fix(iac): wire pipeline MI for AAD storage data-plane on indexer_webjobs#84
christopherhouse merged 1 commit into
mainfrom
fix/indexer-storage-bootstrap-rbac

Conversation

@christopherhouse

@christopherhouse christopherhouse commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Follow-up to PR #83 which merged before CD-dev could prove it out. CD-dev on main is now failing at tofu apply — infra-only with:

Error: waiting for the Data Plane for Storage Account "stbtdevchdev01"
  to become available: waiting for the Blob Service to become available:
  polling failed: 403 Key based authentication is not permitted on this
  storage account.

Root cause chain:

  1. PR fix(iac,indexer): provision AzureWebJobsStorage for the dev indexer #83's indexer storage account has shared_access_key_enabled = false
  2. azurerm provider's post-create blob data-plane wait uses key auth by default → 403
  3. (fix A) provider config adds storage_use_azuread = true to switch to AAD
  4. But the pipeline MI has no Storage Blob Data role on the new account, so AAD also 403s
  5. (fix B) Grant pipeline MI Storage Blob Data Owner at RG scope (inline IAM, lint-allowlisted)
  6. But Storage Blob Data Owner isn't in the bootstrap RBAC-Admin condition allowlist, so the pipeline can't assign it
  7. (fix C) Add Storage Blob Data Owner GUID to iac/platform-bootstrap/main.tf pipeline_role_admin condition

What ships

A. iac/environments/dev/providers.tfstorage_use_azuread = true on the azurerm provider so data-plane ops use AAD across the dev composition.

B. iac/environments/dev/main.tf:

  • Inline pipeline self-grant for Storage Blob Data Owner at RG scope (mirrors the pipeline_kv_secrets_officer shape).
  • 60s time_sleep.wait_for_storage_rbac_propagation matching the existing KV propagation sleep.
  • Storage account depends_on the sleep so creation only proceeds after the role has propagated.

C. iac/platform-bootstrap/main.tf:

  • Adds Storage Blob Data Owner GUID (b7e6dc6d-f1e8-4753-8033-0f276bb0955b) to the pipeline_role_admin condition allowlist.
  • Documented inline next to the existing role allowlist entries.

D. scripts/lint-iac-inline-iam.sh — allowlists pipeline_storage_blob_data_owner (per-env pipeline grant, can't be folded into the workload-identity module).

Operator action required after merge

The platform-bootstrap state is operator-held (per iac/platform-bootstrap/README.md), not CI-applied. After this PR merges, the bootstrap allowlist update must be applied manually before CD-dev will succeed:

cd iac/platform-bootstrap
tofu init -backend=false
tofu apply -var subscription_id=08b37dc0-... -var github_org_repo=Stonefly-Labs/BusTerminal \\
  -var tfstate_storage_account_name=btstatech0001 -var 'environments=["dev"]'

After that, re-run CD-dev (or just let the next merge trigger it) — it should pass tofu apply — infra-only cleanly.

Test plan

  • tofu validate clean in environments/dev
  • scripts/lint-iac-inline-iam.sh passes locally
  • After bootstrap re-apply + CD-dev re-run: storage account creates without 403, role assignments propagate, indexer reports Healthy
  • azure.functions.webjobs.storage: Healthy in indexer logs (replaces the Unhealthy noise)

🤖 Generated with Claude Code

@christopherhouse @claude
fix(iac): wire pipeline MI for AAD storage data-plane on indexer_webjobs
18967ea 
CD-dev was failing on 'tofu apply — infra-only' with:
  KeyBasedAuthenticationNotPermitted: Key based authentication is
  not permitted on this storage account.

Root cause chain:
  1. Indexer storage account has shared_access_key_enabled = false
  2. azurerm provider's post-create blob data-plane wait uses key
     auth by default → 403s
  3. provider config adds storage_use_azuread = true to switch to AAD
  4. But the pipeline MI has no Storage Blob Data role on the new
     account, so AAD also 403s
  5. To grant the role, Storage Blob Data Owner must be in the
     bootstrap pipeline-RBAC-Admin condition allowlist

This change ships all four pieces:

A. iac/platform-bootstrap/main.tf — adds Storage Blob Data Owner
   role GUID (b7e6dc6d-f1e8-4753-8033-0f276bb0955b) to the
   pipeline_role_admin condition allowlist. After merge an operator
   must run 'tofu apply' against the bootstrap module before CD-dev
   can succeed (bootstrap state is operator-held per the module's
   README, not CI-applied).

B. iac/environments/dev/providers.tf — adds storage_use_azuread =
   true to the azurerm provider so data-plane wait + future ops use
   AAD across the dev composition.

C. iac/environments/dev/main.tf — adds inline pipeline self-grant
   for Storage Blob Data Owner at RG scope, with a 60s time_sleep
   for AAD propagation matching the existing
   wait_for_kv_rbac_propagation pattern. Storage account depends_on
   the sleep so creation only proceeds after the role has propagated.

D. scripts/lint-iac-inline-iam.sh — allowlists the new inline IAM
   resource (pipeline self-grant scope is the env RG, not foldable
   into the workload-identity module).

The workload UAMI's grant for runtime AAD usage continues to flow
through workload-identity module's assigned_azure_rbac map.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

OpenTofu plan — dev

⚠️ REQUIRES MANUAL APPROVAL — BT-IAC-007 detected a stateful destroy. The iac-stateful-change-approval job is failing intentionally; a maintainer must re-run it after reviewing the destroy.

module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Reading...
module.ai_search_registry_index.azapi_data_plane_resource.registry_index: Refreshing state... [id=srch-bt-dev-chdev01.search.windows.net/indexes('registry-entities-v1')]
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Reading...
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Reading...
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Reading...
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Reading...
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.networking.terraform_data.subnet_validation: Refreshing state... [id=bafb4aeb-4601-d7de-1d39-435373831dae]
module.container_registry.terraform_data.pe_validation: Refreshing state... [id=59b8b38d-5830-a0e1-b6dc-64fb640e916c]
data.azuread_application.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Reading...
data.azuread_service_principal.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
module.backend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=d9467e1e-bf93-1796-d73e-a433c8a23c00]
module.frontend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=58ec47a1-e381-20a9-50f8-955c7075627f]
module.monitoring.module.log_analytics.random_uuid.telemetry[0]: Refreshing state... [id=72611db9-a40a-4707-b14b-9d2ef97fbac7]
module.container_registry.module.registry.random_uuid.telemetry[0]: Refreshing state... [id=c6f5b17e-2074-606f-e63a-057c1312a588]
module.monitoring.module.application_insights.random_uuid.telemetry[0]: Refreshing state... [id=87555d31-bbc0-19bf-eefc-67cc1728f2a3]
module.workload_identity.module.identity.random_uuid.telemetry[0]: Refreshing state... [id=a377cd57-eb48-5e72-7cca-48438dd998e7]
module.keyvault.module.keyvault.random_uuid.telemetry[0]: Refreshing state... [id=3d6dd258-c9d8-bf47-779e-a38f7a84ac3b]
data.azuread_service_principal.api: Read complete after 0s [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403]
data.azuread_application.api: Read complete after 0s [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e]
module.graph_permissions.azuread_application_api_access.graph: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/apiAccess/00000003-0000-0000-c000-000000000000]
module.app_registration_roles.azuread_application_app_role.this["namespace-administrator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a05]
module.app_registration_roles.azuread_application_app_role.this["developer"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a04]
module.app_registration_roles.azuread_application_app_role.this["admin"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a01]
module.app_registration_roles.azuread_application_app_role.this["reader"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a03]
module.app_registration_roles.azuread_application_app_role.this["operator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a02]
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Reading...
data.azurerm_client_config.current: Reading...
azurerm_resource_group.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Reading...
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Reading...
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.module.keyvault.modtm_telemetry.telemetry[0]: Refreshing state... [id=5be61e47-e1c7-4237-b980-0dbad3ab1696]
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.backend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=a5817680-737d-467b-b21e-94cb2d790d10]
module.container_registry.module.registry.modtm_telemetry.telemetry[0]: Refreshing state... [id=79393eca-d738-4979-bcf1-253496ddd7dc]
module.frontend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=238f1d08-0f10-4a6d-9e0c-99a2168deded]
module.workload_identity.module.identity.modtm_telemetry.telemetry[0]: Refreshing state... [id=02ee63ca-284e-4335-bcd1-53976789a560]
module.monitoring.module.log_analytics.modtm_telemetry.telemetry[0]: Refreshing state... [id=1d6d2ddf-1bf9-4f89-b1bb-da7d683f7daf]
module.networking.data.azurerm_resource_group.this: Reading...
azurerm_role_assignment.pipeline_kv_secrets_officer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Authorization/roleAssignments/f10f1114-20a9-3799-0208-8170b0f3e326]
module.monitoring.module.log_analytics.azurerm_log_analytics_workspace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.monitoring.module.application_insights.modtm_telemetry.telemetry[0]: Refreshing state... [id=069dfaa0-3f60-4938-81c7-af165fc5758c]
module.cosmos_account.azurerm_cosmosdb_account.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01]
module.workload_identity.module.identity.azurerm_user_assigned_identity.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload]
module.service_bus.module.namespace.azurerm_servicebus_namespace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01]
module.keyvault.module.keyvault.azurerm_key_vault.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01]
module.container_registry.module.registry.azurerm_container_registry.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01]
module.ai_search.module.search.azurerm_search_service.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01]
azurerm_storage_account.indexer_webjobs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01]
module.workload_identity.azuread_app_role_assignment.api_roles["reader"]: Refreshing state... [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403/appRoleAssignedTo/Jz9qIST__EaBPGEzvAd2cpcVv4b_R2NBu5u1qRbW9gU]
module.workload_federation_environment.azurerm_federated_identity_credential.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload/federatedIdentityCredentials/github-environment-dev-workload]
module.networking.data.azurerm_resource_group.this: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.networking.module.vnet.azapi_resource.vnet: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
azurerm_role_assignment.operator_kv_secrets_officer["62936c0c-a840-43e8-a24e-22304b7d7c89"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/4ad74ab3-17f2-0dbd-e364-e8a71260bbfc]
module.networking.module.vnet.module.subnet["private_endpoints"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-private-endpoints]
module.networking.module.vnet.module.subnet["integration"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-cae-integration]
module.monitoring.module.application_insights.azurerm_application_insights.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev]
module.keyvault.module.keyvault.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01|kv-audit]
module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net/virtualNetworkLinks/vnet-link-privatelink-servicebus-windows-net]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/vnet-link-privatelink-vaultcore-azure-net]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io/virtualNetworkLinks/vnet-link-privatelink-azurecr-io]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net/virtualNetworkLinks/vnet-link-privatelink-search-windows-net]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com/virtualNetworkLinks/vnet-link-privatelink-documents-azure-com]
module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_database.canonical: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical]
module.service_bus.azurerm_role_assignment.workload_sb_data_sender: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/2edae188-abbf-c156-ef38-d7f4df9793bb]
module.service_bus.azurerm_role_assignment.workload_sb_data_receiver: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/ff5aa6d6-1e6d-d8c2-e6d9-ad82a5f43916]
module.ai_search.azurerm_role_assignment.workload_search_index_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/60115be9-6fcc-4d0e-50e9-9186fe1518ed]
module.ai_search.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01|srch-bt-dev-chdev01-diagnostics]
module.service_bus.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01|sbns-bt-dev-chdev01-diagnostics]
time_sleep.wait_for_kv_rbac_propagation: Refreshing state... [id=2026-05-20T01:06:50Z]
module.ai_search.terraform_data.sku_validation: Refreshing state... [id=ba2da3a0-64d4-347e-3d16-6904a1669658]
module.service_bus.terraform_data.sku_validation: Refreshing state... [id=3fb0fc5a-15ee-8cdd-7933-3179d5a890fc]
module.cosmos_account.terraform_data.pe_validation[0]: Refreshing state... [id=efbbaabe-f245-fa8f-45da-481d747941fd]
module.ai_search.terraform_data.pe_inputs_validation[0]: Refreshing state... [id=f5294495-8898-f048-e11c-c0e0fba80c44]
module.keyvault.terraform_data.pe_validation[0]: Refreshing state... [id=201c9137-ee34-a35d-5335-c8021ca74754]
module.cosmos_account.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-cosmos-bt-dev-chdev01]
module.ai_search.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-srch-bt-dev-chdev01]
module.keyvault.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-kv-bt-dev-chdev01]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.change_events: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/change-events]
azurerm_cosmosdb_sql_role_assignment.workload_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/23f26ba2-552f-5ca8-d96d-d99b333ad35c]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources]
azurerm_cosmosdb_sql_role_assignment.developer_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/3bfd366d-31e6-77e6-fe99-6b0b1763206d]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_audit: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-audit]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.namespace_validation_runs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/namespace-validation-runs]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities_leases: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities-leases]
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-cosmos-bt-dev-chdev01.nic.81c6eb89-c005-41ee-b680-b56f0690b42c]
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-srch-bt-dev-chdev01.nic.0718500b-0b1d-4a1e-ac31-fe22720170e4]
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-kv-bt-dev-chdev01.nic.312de6d8-b5a7-487b-97ed-07cc5c931b11]
module.application_insights_diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev|appi-diagnostics]
azurerm_key_vault_secret.app_insights_connection_string: Refreshing state... [id=https://kv-bt-dev-chdev01.vault.azure.net/secrets/ApplicationInsightsConnectionString/f83feb2a94b74578939a61c4df54f1f5]
module.workload_identity.azurerm_role_assignment.this["kv-secrets-user"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/798da788-01e1-37ab-17f3-c47a9d2d1c6a]
module.workload_identity.azurerm_role_assignment.this["monitoring-metrics-publisher"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev/providers/Microsoft.Authorization/roleAssignments/4219f119-f9dc-d5ec-27cd-658ab78c33db]
module.workload_identity.azurerm_role_assignment.this["acr-pull"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01/providers/Microsoft.Authorization/roleAssignments/f282f44f-f04d-5041-0f2f-1eee86c775c3]
module.container_apps_env.module.environment.data.azapi_client_config.current: Reading...
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.random_uuid.telemetry[0]: Refreshing state... [id=a840f803-8d8c-a73e-252d-bfa39f829b92]
module.container_apps_env.module.environment.data.azapi_client_config.current: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_apps_env.module.environment.modtm_telemetry.telemetry[0]: Refreshing state... [id=1a8fc817-4e60-4b70-b5d3-2c124cd439a0]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.container_apps_env.module.environment.azapi_resource.this_environment: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev]
module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics]
module.indexer_container_app.azurerm_container_app.indexer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer]
module.backend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api]
module.frontend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place (current -> planned)
-/+ destroy and then create replacement

OpenTofu will perform the following actions:

  # azurerm_role_assignment.pipeline_storage_blob_data_owner will be created
  + resource "azurerm_role_assignment" "pipeline_storage_blob_data_owner" {
      + condition_version                = (known after apply)
      + description                      = "Pipeline MI manages `azurerm_storage_account.indexer_webjobs` data-plane wait via AAD (shared keys disabled on the account)."
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "26697310-619e-4304-a4a0-e1d239e9fd92"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev"
      + skip_service_principal_aad_check = (known after apply)
    }

  # azurerm_storage_account.indexer_webjobs is tainted, so it must be replaced
-/+ resource "azurerm_storage_account" "indexer_webjobs" {
      ~ access_tier                        = "Hot" -> (known after apply)
      ~ id                                 = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01" -> (known after apply)
      ~ large_file_share_enabled           = false -> (known after apply)
        name                               = "stbtdevchdev01"
      ~ primary_access_key                 = (sensitive value)
      ~ primary_blob_connection_string     = (sensitive value)
      ~ primary_blob_endpoint              = "https://stbtdevchdev01.blob.core.windows.net/" -> (known after apply)
      ~ primary_blob_host                  = "stbtdevchdev01.blob.core.windows.net" -> (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      ~ primary_connection_string          = (sensitive value)
      ~ primary_dfs_endpoint               = "https://stbtdevchdev01.dfs.core.windows.net/" -> (known after apply)
      ~ primary_dfs_host                   = "stbtdevchdev01.dfs.core.windows.net" -> (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      ~ primary_file_endpoint              = "https://stbtdevchdev01.file.core.windows.net/" -> (known after apply)
      ~ primary_file_host                  = "stbtdevchdev01.file.core.windows.net" -> (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      ~ primary_location                   = "eastus2" -> (known after apply)
      ~ primary_queue_endpoint             = "https://stbtdevchdev01.queue.core.windows.net/" -> (known after apply)
      ~ primary_queue_host                 = "stbtdevchdev01.queue.core.windows.net" -> (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      ~ primary_table_endpoint             = "https://stbtdevchdev01.table.core.windows.net/" -> (known after apply)
      ~ primary_table_host                 = "stbtdevchdev01.table.core.windows.net" -> (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      ~ primary_web_endpoint               = "https://stbtdevchdev01.z20.web.core.windows.net/" -> (known after apply)
      ~ primary_web_host                   = "stbtdevchdev01.z20.web.core.windows.net" -> (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      ~ secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      ~ secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
        tags                               = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (20 unchanged attributes hidden)

      ~ blob_properties {
          - change_feed_retention_in_days = 0 -> null
          + default_service_version       = (known after apply)
            # (3 unchanged attributes hidden)

          + delete_retention_policy {
              + days                     = 7
              + permanent_delete_enabled = false
            }
        }

      ~ network_rules {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ queue_properties {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ routing {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ share_properties {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)

BusTerminal IaC policy gate — env dev

Rule Status Detail
BT-IAC-001 PASS BT-IAC-001: PASS
BT-IAC-002 SKIP (env 'dev' is non-prod; rule is prod-only per Q2c) BT-IAC-002: SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)
BT-IAC-003 PASS BT-IAC-003: PASS
BT-IAC-004 PASS BT-IAC-004: PASS
BT-IAC-005 PASS BT-IAC-005: PASS
BT-IAC-006 PASS BT-IAC-006: PASS
BT-IAC-007 FAIL BT-IAC-007 FAIL: plan would delete+create stateful resource azurerm_storage_account.indexer_webjobs (state would be lost). Manual reviewer approval required.

Totals: 6 pass · 1 fail · 0 setup error(s)

⚠️ REQUIRES MANUAL APPROVAL — BT-IAC-007 detected a stateful destroy. CI must pause for reviewer sign-off before apply.

@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

OpenTofu plan — dev

⚠️ REQUIRES MANUAL APPROVAL — BT-IAC-007 detected a stateful destroy. The iac-stateful-change-approval job is failing intentionally; a maintainer must re-run it after reviewing the destroy.

module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Reading...
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Reading...
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Read complete after 0s
data.azuread_application.api: Reading...
data.azuread_service_principal.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
data.azuread_service_principal.api: Read complete after 0s [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403]
module.networking.terraform_data.subnet_validation: Refreshing state... [id=bafb4aeb-4601-d7de-1d39-435373831dae]
module.container_registry.terraform_data.pe_validation: Refreshing state... [id=59b8b38d-5830-a0e1-b6dc-64fb640e916c]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Reading...
module.ai_search_registry_index.azapi_data_plane_resource.registry_index: Refreshing state... [id=srch-bt-dev-chdev01.search.windows.net/indexes('registry-entities-v1')]
data.azuread_application.api: Read complete after 0s [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e]
module.app_registration_roles.azuread_application_app_role.this["reader"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a03]
module.app_registration_roles.azuread_application_app_role.this["operator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a02]
module.app_registration_roles.azuread_application_app_role.this["namespace-administrator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a05]
module.app_registration_roles.azuread_application_app_role.this["admin"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a01]
module.app_registration_roles.azuread_application_app_role.this["developer"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a04]
module.graph_permissions.azuread_application_api_access.graph: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/apiAccess/00000003-0000-0000-c000-000000000000]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Read complete after 1s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Reading...
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Reading...
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
data.azurerm_client_config.current: Reading...
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Reading...
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
azurerm_resource_group.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.container_registry.module.registry.random_uuid.telemetry[0]: Refreshing state... [id=c6f5b17e-2074-606f-e63a-057c1312a588]
module.backend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=d9467e1e-bf93-1796-d73e-a433c8a23c00]
module.workload_identity.module.identity.random_uuid.telemetry[0]: Refreshing state... [id=a377cd57-eb48-5e72-7cca-48438dd998e7]
module.monitoring.module.application_insights.random_uuid.telemetry[0]: Refreshing state... [id=87555d31-bbc0-19bf-eefc-67cc1728f2a3]
module.frontend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=58ec47a1-e381-20a9-50f8-955c7075627f]
module.keyvault.module.keyvault.random_uuid.telemetry[0]: Refreshing state... [id=3d6dd258-c9d8-bf47-779e-a38f7a84ac3b]
module.monitoring.module.log_analytics.random_uuid.telemetry[0]: Refreshing state... [id=72611db9-a40a-4707-b14b-9d2ef97fbac7]
module.container_registry.module.registry.modtm_telemetry.telemetry[0]: Refreshing state... [id=79393eca-d738-4979-bcf1-253496ddd7dc]
module.keyvault.module.keyvault.modtm_telemetry.telemetry[0]: Refreshing state... [id=5be61e47-e1c7-4237-b980-0dbad3ab1696]
module.workload_identity.module.identity.modtm_telemetry.telemetry[0]: Refreshing state... [id=02ee63ca-284e-4335-bcd1-53976789a560]
module.frontend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=238f1d08-0f10-4a6d-9e0c-99a2168deded]
module.monitoring.module.log_analytics.modtm_telemetry.telemetry[0]: Refreshing state... [id=1d6d2ddf-1bf9-4f89-b1bb-da7d683f7daf]
module.backend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=a5817680-737d-467b-b21e-94cb2d790d10]
azurerm_role_assignment.pipeline_kv_secrets_officer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Authorization/roleAssignments/f10f1114-20a9-3799-0208-8170b0f3e326]
module.networking.data.azurerm_resource_group.this: Reading...
module.workload_identity.module.identity.azurerm_user_assigned_identity.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload]
module.ai_search.module.search.azurerm_search_service.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01]
module.container_registry.module.registry.azurerm_container_registry.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01]
module.cosmos_account.azurerm_cosmosdb_account.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01]
module.monitoring.module.application_insights.modtm_telemetry.telemetry[0]: Refreshing state... [id=069dfaa0-3f60-4938-81c7-af165fc5758c]
module.keyvault.module.keyvault.azurerm_key_vault.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01]
module.monitoring.module.log_analytics.azurerm_log_analytics_workspace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.service_bus.module.namespace.azurerm_servicebus_namespace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01]
azurerm_storage_account.indexer_webjobs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01]
module.workload_identity.azuread_app_role_assignment.api_roles["reader"]: Refreshing state... [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403/appRoleAssignedTo/Jz9qIST__EaBPGEzvAd2cpcVv4b_R2NBu5u1qRbW9gU]
module.workload_federation_environment.azurerm_federated_identity_credential.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload/federatedIdentityCredentials/github-environment-dev-workload]
module.networking.data.azurerm_resource_group.this: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.networking.module.vnet.azapi_resource.vnet: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net]
azurerm_role_assignment.operator_kv_secrets_officer["62936c0c-a840-43e8-a24e-22304b7d7c89"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/4ad74ab3-17f2-0dbd-e364-e8a71260bbfc]
module.networking.module.vnet.module.subnet["private_endpoints"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-private-endpoints]
module.networking.module.vnet.module.subnet["integration"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-cae-integration]
module.monitoring.module.application_insights.azurerm_application_insights.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_database.canonical: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical]
module.keyvault.module.keyvault.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01|kv-audit]
module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics]
module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics]
module.ai_search.azurerm_role_assignment.workload_search_index_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/60115be9-6fcc-4d0e-50e9-9186fe1518ed]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io/virtualNetworkLinks/vnet-link-privatelink-azurecr-io]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net/virtualNetworkLinks/vnet-link-privatelink-servicebus-windows-net]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com/virtualNetworkLinks/vnet-link-privatelink-documents-azure-com]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/vnet-link-privatelink-vaultcore-azure-net]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net/virtualNetworkLinks/vnet-link-privatelink-search-windows-net]
module.ai_search.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01|srch-bt-dev-chdev01-diagnostics]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.change_events: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/change-events]
azurerm_cosmosdb_sql_role_assignment.developer_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/3bfd366d-31e6-77e6-fe99-6b0b1763206d]
azurerm_cosmosdb_sql_role_assignment.workload_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/23f26ba2-552f-5ca8-d96d-d99b333ad35c]
time_sleep.wait_for_kv_rbac_propagation: Refreshing state... [id=2026-05-20T01:06:50Z]
module.service_bus.azurerm_role_assignment.workload_sb_data_sender: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/2edae188-abbf-c156-ef38-d7f4df9793bb]
module.service_bus.azurerm_role_assignment.workload_sb_data_receiver: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/ff5aa6d6-1e6d-d8c2-e6d9-ad82a5f43916]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_audit: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-audit]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities_leases: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities-leases]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.namespace_validation_runs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/namespace-validation-runs]
module.service_bus.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01|sbns-bt-dev-chdev01-diagnostics]
azurerm_key_vault_secret.app_insights_connection_string: Refreshing state... [id=https://kv-bt-dev-chdev01.vault.azure.net/secrets/ApplicationInsightsConnectionString/f83feb2a94b74578939a61c4df54f1f5]
module.application_insights_diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev|appi-diagnostics]
module.workload_identity.azurerm_role_assignment.this["kv-secrets-user"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/798da788-01e1-37ab-17f3-c47a9d2d1c6a]
module.workload_identity.azurerm_role_assignment.this["acr-pull"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01/providers/Microsoft.Authorization/roleAssignments/f282f44f-f04d-5041-0f2f-1eee86c775c3]
module.workload_identity.azurerm_role_assignment.this["monitoring-metrics-publisher"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev/providers/Microsoft.Authorization/roleAssignments/4219f119-f9dc-d5ec-27cd-658ab78c33db]
module.container_apps_env.module.environment.data.azapi_client_config.current: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.current: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Reading...
module.container_apps_env.module.environment.random_uuid.telemetry[0]: Refreshing state... [id=a840f803-8d8c-a73e-252d-bfa39f829b92]
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.service_bus.terraform_data.sku_validation: Refreshing state... [id=3fb0fc5a-15ee-8cdd-7933-3179d5a890fc]
module.cosmos_account.terraform_data.pe_validation[0]: Refreshing state... [id=efbbaabe-f245-fa8f-45da-481d747941fd]
module.ai_search.terraform_data.pe_inputs_validation[0]: Refreshing state... [id=f5294495-8898-f048-e11c-c0e0fba80c44]
module.ai_search.terraform_data.sku_validation: Refreshing state... [id=ba2da3a0-64d4-347e-3d16-6904a1669658]
module.keyvault.terraform_data.pe_validation[0]: Refreshing state... [id=201c9137-ee34-a35d-5335-c8021ca74754]
module.ai_search.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-srch-bt-dev-chdev01]
module.container_apps_env.module.environment.modtm_telemetry.telemetry[0]: Refreshing state... [id=1a8fc817-4e60-4b70-b5d3-2c124cd439a0]
module.cosmos_account.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-cosmos-bt-dev-chdev01]
module.keyvault.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-kv-bt-dev-chdev01]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.container_apps_env.module.environment.azapi_resource.this_environment: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev]
module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics]
module.indexer_container_app.azurerm_container_app.indexer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer]
module.backend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api]
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-srch-bt-dev-chdev01.nic.0718500b-0b1d-4a1e-ac31-fe22720170e4]
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-cosmos-bt-dev-chdev01.nic.81c6eb89-c005-41ee-b680-b56f0690b42c]
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-kv-bt-dev-chdev01.nic.312de6d8-b5a7-487b-97ed-07cc5c931b11]
module.frontend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place (current -> planned)
-/+ destroy and then create replacement

OpenTofu will perform the following actions:

  # azurerm_role_assignment.pipeline_storage_blob_data_owner will be created
  + resource "azurerm_role_assignment" "pipeline_storage_blob_data_owner" {
      + condition_version                = (known after apply)
      + description                      = "Pipeline MI manages `azurerm_storage_account.indexer_webjobs` data-plane wait via AAD (shared keys disabled on the account)."
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "26697310-619e-4304-a4a0-e1d239e9fd92"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev"
      + skip_service_principal_aad_check = (known after apply)
    }

  # azurerm_storage_account.indexer_webjobs is tainted, so it must be replaced
-/+ resource "azurerm_storage_account" "indexer_webjobs" {
      ~ access_tier                        = "Hot" -> (known after apply)
      ~ id                                 = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01" -> (known after apply)
      ~ large_file_share_enabled           = false -> (known after apply)
        name                               = "stbtdevchdev01"
      ~ primary_access_key                 = (sensitive value)
      ~ primary_blob_connection_string     = (sensitive value)
      ~ primary_blob_endpoint              = "https://stbtdevchdev01.blob.core.windows.net/" -> (known after apply)
      ~ primary_blob_host                  = "stbtdevchdev01.blob.core.windows.net" -> (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      ~ primary_connection_string          = (sensitive value)
      ~ primary_dfs_endpoint               = "https://stbtdevchdev01.dfs.core.windows.net/" -> (known after apply)
      ~ primary_dfs_host                   = "stbtdevchdev01.dfs.core.windows.net" -> (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      ~ primary_file_endpoint              = "https://stbtdevchdev01.file.core.windows.net/" -> (known after apply)
      ~ primary_file_host                  = "stbtdevchdev01.file.core.windows.net" -> (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      ~ primary_location                   = "eastus2" -> (known after apply)
      ~ primary_queue_endpoint             = "https://stbtdevchdev01.queue.core.windows.net/" -> (known after apply)
      ~ primary_queue_host                 = "stbtdevchdev01.queue.core.windows.net" -> (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      ~ primary_table_endpoint             = "https://stbtdevchdev01.table.core.windows.net/" -> (known after apply)
      ~ primary_table_host                 = "stbtdevchdev01.table.core.windows.net" -> (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      ~ primary_web_endpoint               = "https://stbtdevchdev01.z20.web.core.windows.net/" -> (known after apply)
      ~ primary_web_host                   = "stbtdevchdev01.z20.web.core.windows.net" -> (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      ~ secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      ~ secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
        tags                               = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (20 unchanged attributes hidden)

      ~ blob_properties {
          - change_feed_retention_in_days = 0 -> null
          + default_service_version       = (known after apply)
            # (3 unchanged attributes hidden)

          + delete_retention_policy {
              + days                     = 7
              + permanent_delete_enabled = false
            }
        }

      ~ network_rules {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ queue_properties {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ routing {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)
          + primary_location                   = (known after apply)
          + primary_queue_endpoint             = (known after apply)
          + primary_queue_host                 = (known after apply)
          + primary_queue_microsoft_endpoint   = (known after apply)
          + primary_queue_microsoft_host       = (known after apply)
          + primary_table_endpoint             = (known after apply)
          + primary_table_host                 = (known after apply)
          + primary_table_microsoft_endpoint   = (known after apply)
          + primary_table_microsoft_host       = (known after apply)
          + primary_web_endpoint               = (known after apply)
          + primary_web_host                   = (known after apply)
          + primary_web_internet_endpoint      = (known after apply)
          + primary_web_internet_host          = (known after apply)
          + primary_web_microsoft_endpoint     = (known after apply)
          + primary_web_microsoft_host         = (known after apply)
          + provisioned_billing_model_version  = (known after apply)
          + public_network_access_enabled      = (known after apply)
          + queue_encryption_key_type          = (known after apply)
          + resource_group_name                = (known after apply)
          + secondary_access_key               = (known after apply)
          + secondary_blob_connection_string   = (known after apply)
          + secondary_blob_endpoint            = (known after apply)
          + secondary_blob_host                = (known after apply)
          + secondary_blob_internet_endpoint   = (known after apply)
          + secondary_blob_internet_host       = (known after apply)
          + secondary_blob_microsoft_endpoint  = (known after apply)
          + secondary_blob_microsoft_host      = (known after apply)
          + secondary_connection_string        = (known after apply)
          + secondary_dfs_endpoint             = (known after apply)
          + secondary_dfs_host                 = (known after apply)
          + secondary_dfs_internet_endpoint    = (known after apply)
          + secondary_dfs_internet_host        = (known after apply)
          + secondary_dfs_microsoft_endpoint   = (known after apply)
          + secondary_dfs_microsoft_host       = (known after apply)
          + secondary_file_endpoint            = (known after apply)
          + secondary_file_host                = (known after apply)
          + secondary_file_internet_endpoint   = (known after apply)
          + secondary_file_internet_host       = (known after apply)
          + secondary_file_microsoft_endpoint  = (known after apply)
          + secondary_file_microsoft_host      = (known after apply)
          + secondary_location                 = (known after apply)
          + secondary_queue_endpoint           = (known after apply)
          + secondary_queue_host               = (known after apply)
          + secondary_queue_microsoft_endpoint = (known after apply)
          + secondary_queue_microsoft_host     = (known after apply)
          + secondary_table_endpoint           = (known after apply)
          + secondary_table_host               = (known after apply)
          + secondary_table_microsoft_endpoint = (known after apply)
          + secondary_table_microsoft_host     = (known after apply)
          + secondary_web_endpoint             = (known after apply)
          + secondary_web_host                 = (known after apply)
          + secondary_web_internet_endpoint    = (known after apply)
          + secondary_web_internet_host        = (known after apply)
          + secondary_web_microsoft_endpoint   = (known after apply)
          + secondary_web_microsoft_host       = (known after apply)
          + sftp_enabled                       = (known after apply)
          + shared_access_key_enabled          = (known after apply)
          + table_encryption_key_type          = (known after apply)
          + tags                               = (known after apply)
        } -> (known after apply)

      ~ share_properties {
          + access_tier                        = (known after apply)
          + account_kind                       = (known after apply)
          + account_replication_type           = (known after apply)
          + account_tier                       = (known after apply)
          + allow_nested_items_to_be_public    = (known after apply)
          + allowed_copy_scope                 = (known after apply)
          + cross_tenant_replication_enabled   = (known after apply)
          + default_to_oauth_authentication    = (known after apply)
          + dns_endpoint_type                  = (known after apply)
          + edge_zone                          = (known after apply)
          + https_traffic_only_enabled         = (known after apply)
          + id                                 = (known after apply)
          + infrastructure_encryption_enabled  = (known after apply)
          + is_hns_enabled                     = (known after apply)
          + large_file_share_enabled           = (known after apply)
          + local_user_enabled                 = (known after apply)
          + location                           = (known after apply)
          + min_tls_version                    = (known after apply)
          + name                               = (known after apply)
          + nfsv3_enabled                      = (known after apply)
          + primary_access_key                 = (known after apply)
          + primary_blob_connection_string     = (known after apply)
          + primary_blob_endpoint              = (known after apply)
          + primary_blob_host                  = (known after apply)
          + primary_blob_internet_endpoint     = (known after apply)
          + primary_blob_internet_host         = (known after apply)
          + primary_blob_microsoft_endpoint    = (known after apply)
          + primary_blob_microsoft_host        = (known after apply)
          + primary_connection_string          = (known after apply)
          + primary_dfs_endpoint               = (known after apply)
          + primary_dfs_host                   = (known after apply)
          + primary_dfs_internet_endpoint      = (known after apply)
          + primary_dfs_internet_host          = (known after apply)
          + primary_dfs_microsoft_endpoint     = (known after apply)
          + primary_dfs_microsoft_host         = (known after apply)
          + primary_file_endpoint              = (known after apply)
          + primary_file_host                  = (known after apply)
          + primary_file_internet_endpoint     = (known after apply)
          + primary_file_internet_host         = (known after apply)
          + primary_file_microsoft_endpoint    = (known after apply)
          + primary_file_microsoft_host        = (known after apply)

BusTerminal IaC policy gate — env dev

Rule Status Detail
BT-IAC-001 PASS BT-IAC-001: PASS
BT-IAC-002 SKIP (env 'dev' is non-prod; rule is prod-only per Q2c) BT-IAC-002: SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)
BT-IAC-003 PASS BT-IAC-003: PASS
BT-IAC-004 PASS BT-IAC-004: PASS
BT-IAC-005 PASS BT-IAC-005: PASS
BT-IAC-006 PASS BT-IAC-006: PASS
BT-IAC-007 FAIL BT-IAC-007 FAIL: plan would delete+create stateful resource azurerm_storage_account.indexer_webjobs (state would be lost). Manual reviewer approval required.

Totals: 6 pass · 1 fail · 0 setup error(s)

⚠️ REQUIRES MANUAL APPROVAL — BT-IAC-007 detected a stateful destroy. CI must pause for reviewer sign-off before apply.

@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

OpenTofu plan — dev

module.workload_identity.module.identity.random_uuid.telemetry[0]: Refreshing state... [id=a377cd57-eb48-5e72-7cca-48438dd998e7]
module.backend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=d9467e1e-bf93-1796-d73e-a433c8a23c00]
module.monitoring.module.log_analytics.random_uuid.telemetry[0]: Refreshing state... [id=72611db9-a40a-4707-b14b-9d2ef97fbac7]
module.frontend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=58ec47a1-e381-20a9-50f8-955c7075627f]
module.keyvault.module.keyvault.random_uuid.telemetry[0]: Refreshing state... [id=3d6dd258-c9d8-bf47-779e-a38f7a84ac3b]
module.container_registry.module.registry.random_uuid.telemetry[0]: Refreshing state... [id=c6f5b17e-2074-606f-e63a-057c1312a588]
module.monitoring.module.application_insights.random_uuid.telemetry[0]: Refreshing state... [id=87555d31-bbc0-19bf-eefc-67cc1728f2a3]
data.azuread_service_principal.api: Reading...
data.azuread_application.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Reading...
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Reading...
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Reading...
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Read complete after 0s
data.azuread_service_principal.api: Read complete after 0s [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403]
data.azuread_application.api: Read complete after 0s [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e]
module.app_registration_roles.azuread_application_app_role.this["namespace-administrator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a05]
module.app_registration_roles.azuread_application_app_role.this["reader"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a03]
module.app_registration_roles.azuread_application_app_role.this["developer"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a04]
module.app_registration_roles.azuread_application_app_role.this["admin"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a01]
module.graph_permissions.azuread_application_api_access.graph: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/apiAccess/00000003-0000-0000-c000-000000000000]
module.app_registration_roles.azuread_application_app_role.this["operator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a02]
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Reading...
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Reading...
azurerm_resource_group.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Reading...
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.module.keyvault.modtm_telemetry.telemetry[0]: Refreshing state... [id=5be61e47-e1c7-4237-b980-0dbad3ab1696]
module.backend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=a5817680-737d-467b-b21e-94cb2d790d10]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Reading...
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
data.azurerm_client_config.current: Reading...
module.workload_identity.module.identity.modtm_telemetry.telemetry[0]: Refreshing state... [id=02ee63ca-284e-4335-bcd1-53976789a560]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.container_registry.module.registry.modtm_telemetry.telemetry[0]: Refreshing state... [id=79393eca-d738-4979-bcf1-253496ddd7dc]
module.frontend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=238f1d08-0f10-4a6d-9e0c-99a2168deded]
module.monitoring.module.log_analytics.modtm_telemetry.telemetry[0]: Refreshing state... [id=1d6d2ddf-1bf9-4f89-b1bb-da7d683f7daf]
module.container_registry.terraform_data.pe_validation: Refreshing state... [id=59b8b38d-5830-a0e1-b6dc-64fb640e916c]
module.networking.terraform_data.subnet_validation: Refreshing state... [id=bafb4aeb-4601-d7de-1d39-435373831dae]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Reading...
module.ai_search_registry_index.azapi_data_plane_resource.registry_index: Refreshing state... [id=srch-bt-dev-chdev01.search.windows.net/indexes('registry-entities-v1')]
azurerm_role_assignment.pipeline_kv_secrets_officer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Authorization/roleAssignments/f10f1114-20a9-3799-0208-8170b0f3e326]
module.networking.data.azurerm_resource_group.this: Reading...
module.cosmos_account.azurerm_cosmosdb_account.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01]
module.keyvault.module.keyvault.azurerm_key_vault.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01]
module.workload_identity.module.identity.azurerm_user_assigned_identity.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload]
module.service_bus.module.namespace.azurerm_servicebus_namespace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01]
module.ai_search.module.search.azurerm_search_service.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01]
module.container_registry.module.registry.azurerm_container_registry.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.monitoring.module.log_analytics.azurerm_log_analytics_workspace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.monitoring.module.application_insights.modtm_telemetry.telemetry[0]: Refreshing state... [id=069dfaa0-3f60-4938-81c7-af165fc5758c]
azurerm_storage_account.indexer_webjobs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01]
module.networking.data.azurerm_resource_group.this: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.workload_identity.azuread_app_role_assignment.api_roles["reader"]: Refreshing state... [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403/appRoleAssignedTo/Jz9qIST__EaBPGEzvAd2cpcVv4b_R2NBu5u1qRbW9gU]
module.networking.module.vnet.azapi_resource.vnet: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net]
module.workload_federation_environment.azurerm_federated_identity_credential.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload/federatedIdentityCredentials/github-environment-dev-workload]
azurerm_role_assignment.operator_kv_secrets_officer["62936c0c-a840-43e8-a24e-22304b7d7c89"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/4ad74ab3-17f2-0dbd-e364-e8a71260bbfc]
module.monitoring.module.application_insights.azurerm_application_insights.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_database.canonical: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical]
module.networking.module.vnet.module.subnet["private_endpoints"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-private-endpoints]
module.networking.module.vnet.module.subnet["integration"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-cae-integration]
module.keyvault.module.keyvault.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01|kv-audit]
module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics]
module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics]
module.ai_search.azurerm_role_assignment.workload_search_index_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/60115be9-6fcc-4d0e-50e9-9186fe1518ed]
module.ai_search.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01|srch-bt-dev-chdev01-diagnostics]
time_sleep.wait_for_kv_rbac_propagation: Refreshing state... [id=2026-05-20T01:06:50Z]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com/virtualNetworkLinks/vnet-link-privatelink-documents-azure-com]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/vnet-link-privatelink-vaultcore-azure-net]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net/virtualNetworkLinks/vnet-link-privatelink-servicebus-windows-net]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io/virtualNetworkLinks/vnet-link-privatelink-azurecr-io]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net/virtualNetworkLinks/vnet-link-privatelink-search-windows-net]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.change_events: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/change-events]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources]
azurerm_cosmosdb_sql_role_assignment.workload_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/23f26ba2-552f-5ca8-d96d-d99b333ad35c]
azurerm_cosmosdb_sql_role_assignment.developer_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/3bfd366d-31e6-77e6-fe99-6b0b1763206d]
module.service_bus.azurerm_role_assignment.workload_sb_data_receiver: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/ff5aa6d6-1e6d-d8c2-e6d9-ad82a5f43916]
module.service_bus.azurerm_role_assignment.workload_sb_data_sender: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/2edae188-abbf-c156-ef38-d7f4df9793bb]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_audit: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-audit]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.namespace_validation_runs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/namespace-validation-runs]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities_leases: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities-leases]
module.service_bus.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01|sbns-bt-dev-chdev01-diagnostics]
module.ai_search.terraform_data.sku_validation: Refreshing state... [id=ba2da3a0-64d4-347e-3d16-6904a1669658]
module.cosmos_account.terraform_data.pe_validation[0]: Refreshing state... [id=efbbaabe-f245-fa8f-45da-481d747941fd]
module.service_bus.terraform_data.sku_validation: Refreshing state... [id=3fb0fc5a-15ee-8cdd-7933-3179d5a890fc]
module.ai_search.terraform_data.pe_inputs_validation[0]: Refreshing state... [id=f5294495-8898-f048-e11c-c0e0fba80c44]
module.keyvault.terraform_data.pe_validation[0]: Refreshing state... [id=201c9137-ee34-a35d-5335-c8021ca74754]
module.cosmos_account.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-cosmos-bt-dev-chdev01]
module.ai_search.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-srch-bt-dev-chdev01]
module.keyvault.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-kv-bt-dev-chdev01]
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-srch-bt-dev-chdev01.nic.0718500b-0b1d-4a1e-ac31-fe22720170e4]
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-cosmos-bt-dev-chdev01.nic.81c6eb89-c005-41ee-b680-b56f0690b42c]
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-kv-bt-dev-chdev01.nic.312de6d8-b5a7-487b-97ed-07cc5c931b11]
azurerm_key_vault_secret.app_insights_connection_string: Refreshing state... [id=https://kv-bt-dev-chdev01.vault.azure.net/secrets/ApplicationInsightsConnectionString/f83feb2a94b74578939a61c4df54f1f5]
module.workload_identity.azurerm_role_assignment.this["acr-pull"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01/providers/Microsoft.Authorization/roleAssignments/f282f44f-f04d-5041-0f2f-1eee86c775c3]
module.application_insights_diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev|appi-diagnostics]
module.workload_identity.azurerm_role_assignment.this["kv-secrets-user"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/798da788-01e1-37ab-17f3-c47a9d2d1c6a]
module.workload_identity.azurerm_role_assignment.this["monitoring-metrics-publisher"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev/providers/Microsoft.Authorization/roleAssignments/4219f119-f9dc-d5ec-27cd-658ab78c33db]
module.container_apps_env.module.environment.data.azapi_client_config.current: Reading...
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.current: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.random_uuid.telemetry[0]: Refreshing state... [id=a840f803-8d8c-a73e-252d-bfa39f829b92]
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Reading...
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Reading...
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.modtm_telemetry.telemetry[0]: Refreshing state... [id=1a8fc817-4e60-4b70-b5d3-2c124cd439a0]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.container_apps_env.module.environment.azapi_resource.this_environment: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev]
module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics]
module.indexer_container_app.azurerm_container_app.indexer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer]
module.backend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api]
module.frontend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web]

Note: Objects have changed outside of OpenTofu

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # azurerm_storage_account.indexer_webjobs has been deleted
  - resource "azurerm_storage_account" "indexer_webjobs" {
      - id                                = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01" -> null
      - name                              = "stbtdevchdev01" -> null
        tags                              = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (20 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # azurerm_role_assignment.pipeline_storage_blob_data_owner will be created
  + resource "azurerm_role_assignment" "pipeline_storage_blob_data_owner" {
      + condition_version                = (known after apply)
      + description                      = "Pipeline MI manages `azurerm_storage_account.indexer_webjobs` data-plane wait via AAD (shared keys disabled on the account)."
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "26697310-619e-4304-a4a0-e1d239e9fd92"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev"
      + skip_service_principal_aad_check = (known after apply)
    }

  # azurerm_storage_account.indexer_webjobs will be created
  + resource "azurerm_storage_account" "indexer_webjobs" {
      + access_tier                        = (known after apply)
      + account_kind                       = "StorageV2"
      + account_replication_type           = "LRS"
      + account_tier                       = "Standard"
      + allow_nested_items_to_be_public    = false
      + cross_tenant_replication_enabled   = false
      + default_to_oauth_authentication    = false
      + dns_endpoint_type                  = "Standard"
      + https_traffic_only_enabled         = true
      + id                                 = (known after apply)
      + infrastructure_encryption_enabled  = false
      + is_hns_enabled                     = false
      + large_file_share_enabled           = (known after apply)
      + local_user_enabled                 = true
      + location                           = "eastus2"
      + min_tls_version                    = "TLS1_2"
      + name                               = "stbtdevchdev01"
      + nfsv3_enabled                      = false
      + primary_access_key                 = (sensitive value)
      + primary_blob_connection_string     = (sensitive value)
      + primary_blob_endpoint              = (known after apply)
      + primary_blob_host                  = (known after apply)
      + primary_blob_internet_endpoint     = (known after apply)
      + primary_blob_internet_host         = (known after apply)
      + primary_blob_microsoft_endpoint    = (known after apply)
      + primary_blob_microsoft_host        = (known after apply)
      + primary_connection_string          = (sensitive value)
      + primary_dfs_endpoint               = (known after apply)
      + primary_dfs_host                   = (known after apply)
      + primary_dfs_internet_endpoint      = (known after apply)
      + primary_dfs_internet_host          = (known after apply)
      + primary_dfs_microsoft_endpoint     = (known after apply)
      + primary_dfs_microsoft_host         = (known after apply)
      + primary_file_endpoint              = (known after apply)
      + primary_file_host                  = (known after apply)
      + primary_file_internet_endpoint     = (known after apply)
      + primary_file_internet_host         = (known after apply)
      + primary_file_microsoft_endpoint    = (known after apply)
      + primary_file_microsoft_host        = (known after apply)
      + primary_location                   = (known after apply)
      + primary_queue_endpoint             = (known after apply)
      + primary_queue_host                 = (known after apply)
      + primary_queue_microsoft_endpoint   = (known after apply)
      + primary_queue_microsoft_host       = (known after apply)
      + primary_table_endpoint             = (known after apply)
      + primary_table_host                 = (known after apply)
      + primary_table_microsoft_endpoint   = (known after apply)
      + primary_table_microsoft_host       = (known after apply)
      + primary_web_endpoint               = (known after apply)
      + primary_web_host                   = (known after apply)
      + primary_web_internet_endpoint      = (known after apply)
      + primary_web_internet_host          = (known after apply)
      + primary_web_microsoft_endpoint     = (known after apply)
      + primary_web_microsoft_host         = (known after apply)
      + public_network_access_enabled      = true
      + queue_encryption_key_type          = "Service"
      + resource_group_name                = "rg-bt-dev"
      + secondary_access_key               = (sensitive value)
      + secondary_blob_connection_string   = (sensitive value)
      + secondary_blob_endpoint            = (known after apply)
      + secondary_blob_host                = (known after apply)
      + secondary_blob_internet_endpoint   = (known after apply)
      + secondary_blob_internet_host       = (known after apply)
      + secondary_blob_microsoft_endpoint  = (known after apply)
      + secondary_blob_microsoft_host      = (known after apply)
      + secondary_connection_string        = (sensitive value)
      + secondary_dfs_endpoint             = (known after apply)
      + secondary_dfs_host                 = (known after apply)
      + secondary_dfs_internet_endpoint    = (known after apply)
      + secondary_dfs_internet_host        = (known after apply)
      + secondary_dfs_microsoft_endpoint   = (known after apply)
      + secondary_dfs_microsoft_host       = (known after apply)
      + secondary_file_endpoint            = (known after apply)
      + secondary_file_host                = (known after apply)
      + secondary_file_internet_endpoint   = (known after apply)
      + secondary_file_internet_host       = (known after apply)
      + secondary_file_microsoft_endpoint  = (known after apply)
      + secondary_file_microsoft_host      = (known after apply)
      + secondary_location                 = (known after apply)
      + secondary_queue_endpoint           = (known after apply)
      + secondary_queue_host               = (known after apply)
      + secondary_queue_microsoft_endpoint = (known after apply)
      + secondary_queue_microsoft_host     = (known after apply)
      + secondary_table_endpoint           = (known after apply)
      + secondary_table_host               = (known after apply)
      + secondary_table_microsoft_endpoint = (known after apply)
      + secondary_table_microsoft_host     = (known after apply)
      + secondary_web_endpoint             = (known after apply)
      + secondary_web_host                 = (known after apply)
      + secondary_web_internet_endpoint    = (known after apply)
      + secondary_web_internet_host        = (known after apply)
      + secondary_web_microsoft_endpoint   = (known after apply)
      + secondary_web_microsoft_host       = (known after apply)
      + sftp_enabled                       = false
      + shared_access_key_enabled          = false
      + table_encryption_key_type          = "Service"
      + tags                               = {
          + "application" = "BusTerminal"
          + "cost-center" = "platform"
          + "environment" = "dev"
          + "managed-by"  = "opentofu"
          + "owner"       = "platform-team"
          + "slice"       = "002-solution-foundation"
        }

      + blob_properties {
          + change_feed_enabled      = false
          + default_service_version  = (known after apply)
          + last_access_time_enabled = false
          + versioning_enabled       = false

          + delete_retention_policy {
              + days                     = 7
              + permanent_delete_enabled = false
            }
        }

      + network_rules (known after apply)

      + queue_properties (known after apply)

      + routing (known after apply)

      + share_properties (known after apply)

      + static_website (known after apply)
    }

  # time_sleep.wait_for_storage_rbac_propagation will be created
  + resource "time_sleep" "wait_for_storage_rbac_propagation" {
      + create_duration = "60s"
      + id              = (known after apply)
    }

  # module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources will be updated in-place
  ~ resource "azurerm_cosmosdb_sql_container" "resources" {
        id                     = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources"
        name                   = "resources"
        # (8 unchanged attributes hidden)

      ~ indexing_policy {
            # (1 unchanged attribute hidden)

          + excluded_path {
              + path = "/\"_etag\"/?"
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.indexer_container_app.azurerm_container_app.indexer will be updated in-place
  ~ resource "azurerm_container_app" "indexer" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer"
        name                          = "ca-bt-dev-indexer"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (8 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/indexer:0b3e5ec50e2d5ec6f568f458c6651f7d72840375" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-indexer"
                # (5 unchanged attributes hidden)

              + env {
                  + name  = "AzureWebJobsStorage__accountName"
                  + value = "stbtdevchdev01"
                }
              + env {
                  + name  = "AzureWebJobsStorage__credential"
                  + value = "managedidentity"
                }
              + env {
                  + name  = "AzureWebJobsStorage__clientId"
                  + value = "524977ab-0fcd-4c58-a2ff-78f164f20d7d"
                }

                # (12 unchanged blocks hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.workload_identity.azurerm_role_assignment.this["indexer-webjobs-blob-owner"] will be created
  + resource "azurerm_role_assignment" "this" {
      + condition_version                = (known after apply)
      + id                               = (known after apply)
      + name                             = (known after apply)
      + principal_id                     = "216a3f27-ff24-46fc-813c-6133bc077672"
      + principal_type                   = (known after apply)
      + role_definition_id               = (known after apply)
      + role_definition_name             = "Storage Blob Data Owner"
      + scope                            = (known after apply)
      + skip_service_principal_aad_check = (known after apply)
    }

  # module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "cae-diagnostics"
        # (2 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "acr-diagnostics"
        # (2 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics"
        name                           = "cosmos-bt-dev-chdev01-diagnostics"
        # (3 unchanged attributes hidden)

      - metric {
          - category = "Requests" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - metric {
          - category = "SLI" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }

        # (1 unchanged block hidden)
    }

Plan: 4 to add, 5 to change, 0 to destroy.

Warning: Argument is deprecated

  with module.keyvault.module.keyvault.azurerm_key_vault.this,
  on .terraform/modules/keyvault.keyvault/main.tf line 7, in resource "azurerm_key_vault" "this":
   7:   enable_rbac_authorization       = !var.legacy_access_policies_enabled

This property has been renamed to `rbac_authorization_enabled` and will be
removed in v5.0 of the provider

(and 6 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/monitoring.log_analytics/outputs.tf line 16, in output "resource":
  16:   value       = azurerm_log_analytics_workspace.this

This value's attribute local_authentication_disabled is derived from
azurerm_log_analytics_workspace.this.local_authentication_disabled, which is
deprecated.

Warning: Attribute Deprecated

  with module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone,
  on .terraform/modules/networking.private_dns_zones/main.tf line 1, in resource "azapi_resource" "private_dns_zone":
   1: resource "azapi_resource" "private_dns_zone" {

The `randomization_factor` attribute is deprecated and will be removed in a
future version.

(and 19 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.multiplier is derived from
azapi_resource.vnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.randomization_factor is derived from
azapi_resource.vnet.retry.randomization_factor, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.multiplier is derived from
azapi_resource.subnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.randomization_factor is derived from
azapi_resource.subnet.retry.randomization_factor, which is deprecated.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    tofu apply "tfplan"

BusTerminal IaC policy gate — env dev

Rule Status Detail
BT-IAC-001 PASS BT-IAC-001: PASS
BT-IAC-002 SKIP (env 'dev' is non-prod; rule is prod-only per Q2c) BT-IAC-002: SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)
BT-IAC-003 PASS BT-IAC-003: PASS
BT-IAC-004 PASS BT-IAC-004: PASS
BT-IAC-005 PASS BT-IAC-005: PASS
BT-IAC-006 PASS BT-IAC-006: PASS
BT-IAC-007 PASS BT-IAC-007: PASS

Totals: 7 pass · 0 fail · 0 setup error(s)

@christopherhouse christopherhouse merged commit 3042fa9 into main Jun 17, 2026
15 of 18 checks passed
@christopherhouse christopherhouse deleted the fix/indexer-storage-bootstrap-rbac branch June 17, 2026 02:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@christopherhouse