fix(iac): pin Cosmos ip_range_filter to allow Azure-datacenter traffic by christopherhouse · Pull Request #85 · Stonefly-Labs/BusTerminal

christopherhouse · 2026-06-17T19:26:12Z

Summary

Indexer's Cosmos change-feed listener has been getting reset every CD-dev run:

Request originated from IP 4.153.180.100 through public internet.
This is blocked by your Cosmos DB account firewall settings.

I'd been hand-patching this via az cosmosdb update --ip-range-filter "0.0.0.0" (the Azure-datacenters magic value), but every subsequent tofu apply reverted it because the IaC didn't declare an ip_range_filter — so each apply emitted an empty ipRules set, which Cosmos treats as "no allowed IPs" when a private endpoint is also configured.

Fix

Thread ip_range_filter through iac/modules/cosmos-account/ so the dev composition can pin the rule.

File	Change
`iac/modules/cosmos-account/variables.tf`	New `ip_range_filter` variable (`set(string)`, default empty). Docstring explains the magic value + the dependency on CAE vnet-integration that would let us remove it later.
`iac/modules/cosmos-account/main.tf`	Threads `var.ip_range_filter` into `azurerm_cosmosdb_account.ip_range_filter`.
`iac/environments/dev/main.tf`	Passes `ip_range_filter = ["0.0.0.0"]` to the cosmos-account module.
`iac/modules/cosmos-account/README.md`	terraform-docs regen for the new variable.

Security posture

AAD-only auth stays in force (local_authentication_disabled = true)
0.0.0.0 is Cosmos's magic value for "Allow Azure datacenters", narrower than 0.0.0.0/0 (entire internet)
Every Cosmos call still needs a valid AAD token + Cosmos data-plane RBAC role — the IP rule only opens which source IPs can reach the endpoint, not what they can do once connected
When the CAE becomes vnet-integrated by a future spec, this entry can be removed and Cosmos can go back to PE-only

Test plan

tofu validate clean in environments/dev
terraform-docs regenerated for the module
After CD-dev applies: az cosmosdb show -g rg-bt-dev -n cosmos-bt-dev-chdev01 --query ipRules shows [{0.0.0.0}] (persisted across apply); indexer's RegistryEntityIndexer listener starts cleanly without 403s

🤖 Generated with Claude Code

Each tofu apply during CD-dev was reverting the manual Cosmos firewall fix I'd been setting via az (ipRules = [{0.0.0.0}]). The indexer's change-feed listener kept 403'ing with: Request originated from IP 4.153.180.100 through public internet. This is blocked by your Cosmos DB account firewall settings. Root cause: the cosmos-account module never declared an ip_range_filter, so every apply emitted an empty ipRules set. When a Cosmos account has a private endpoint configured AND public_network_access_enabled = true, it enters a default 'restricted public' mode that drops public traffic unless explicitly allowed. Fix: - New cosmos-account module variable ip_range_filter (set of strings, default empty). When set, threads through to azurerm_cosmosdb_account. Docstring explains the magic value, the AAD-still-gates note, and the dependency on CAE vnet-integration that would let us remove the rule in a future spec. - dev composition passes ip_range_filter = ['0.0.0.0'] — Cosmos's magic value for 'Allow access from public Azure datacenters'. Narrower than '0.0.0.0/0' (the entire internet) and AAD/RBAC still gates every connection regardless of source IP. - terraform-docs regenerated for the module. No data plane impact. AAD-only auth remains in force (local_authentication_disabled = true). Only the network ACL changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-06-17T19:29:50Z

OpenTofu plan — `dev`

module.backend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=d9467e1e-bf93-1796-d73e-a433c8a23c00]
module.monitoring.module.application_insights.random_uuid.telemetry[0]: Refreshing state... [id=87555d31-bbc0-19bf-eefc-67cc1728f2a3]
module.keyvault.module.keyvault.random_uuid.telemetry[0]: Refreshing state... [id=3d6dd258-c9d8-bf47-779e-a38f7a84ac3b]
module.container_registry.module.registry.random_uuid.telemetry[0]: Refreshing state... [id=c6f5b17e-2074-606f-e63a-057c1312a588]
module.monitoring.module.log_analytics.random_uuid.telemetry[0]: Refreshing state... [id=72611db9-a40a-4707-b14b-9d2ef97fbac7]
module.workload_identity.module.identity.random_uuid.telemetry[0]: Refreshing state... [id=a377cd57-eb48-5e72-7cca-48438dd998e7]
module.frontend_app.module.app.random_uuid.telemetry[0]: Refreshing state... [id=58ec47a1-e381-20a9-50f8-955c7075627f]
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Reading...
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Reading...
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Reading...
module.workload_identity.module.identity.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.keyvault.module.keyvault.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.log_analytics.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_registry.module.registry.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Reading...
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Reading...
module.backend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.monitoring.module.application_insights.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.frontend_app.module.app.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.networking.terraform_data.subnet_validation: Refreshing state... [id=bafb4aeb-4601-d7de-1d39-435373831dae]
module.container_registry.terraform_data.pe_validation: Refreshing state... [id=59b8b38d-5830-a0e1-b6dc-64fb640e916c]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Reading...
module.ai_search_registry_index.azapi_data_plane_resource.registry_index: Refreshing state... [id=srch-bt-dev-chdev01.search.windows.net/indexes('registry-entities-v1')]
data.azuread_application.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Reading...
data.azuread_service_principal.api: Reading...
module.graph_permissions.data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
data.azuread_service_principal.api: Read complete after 0s [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403]
data.azuread_application.api: Read complete after 1s [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e]
module.graph_permissions.azuread_application_api_access.graph: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/apiAccess/00000003-0000-0000-c000-000000000000]
module.app_registration_roles.azuread_application_app_role.this["developer"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a04]
module.app_registration_roles.azuread_application_app_role.this["namespace-administrator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a05]
module.app_registration_roles.azuread_application_app_role.this["admin"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a01]
module.app_registration_roles.azuread_application_app_role.this["operator"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a02]
module.app_registration_roles.azuread_application_app_role.this["reader"]: Refreshing state... [id=/applications/5e175fab-012f-4408-b238-8d3f071e0b9e/appRoles/9c1f0c4d-3a4b-4c5e-9f01-72fcb8b51a03]
module.monitoring.module.application_insights.data.azapi_client_config.telemetry[0]: Read complete after 1s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Reading...
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Reading...
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Reading...
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Reading...
module.frontend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Reading...
module.keyvault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
azurerm_resource_group.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
data.azurerm_client_config.current: Reading...
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Reading...
module.frontend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=238f1d08-0f10-4a6d-9e0c-99a2168deded]
module.container_registry.module.registry.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.backend_app.module.app.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.keyvault.module.keyvault.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.monitoring.module.log_analytics.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.workload_identity.module.identity.data.azurerm_client_config.telemetry[0]: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD0xYWQxYTcxMi0wMWQwLTQyNTUtODNlYi1jNjczYzA4ZGM5N2U7b2JqZWN0SWQ9MjY2OTczMTAtNjE5ZS00MzA0LWE0YTAtZTFkMjM5ZTlmZDkyO3N1YnNjcmlwdGlvbklkPTA4YjM3ZGMwLTAwMTEtNDg0MS04NGMwLTAzNDlhNWM2NTg4Mzt0ZW5hbnRJZD01OTZjMTU2NC02ZTk1LTRjMzUtYTgwYi0yZGJlNDVhMTYyZjM=]
module.workload_identity.module.identity.modtm_telemetry.telemetry[0]: Refreshing state... [id=02ee63ca-284e-4335-bcd1-53976789a560]
module.monitoring.module.log_analytics.modtm_telemetry.telemetry[0]: Refreshing state... [id=1d6d2ddf-1bf9-4f89-b1bb-da7d683f7daf]
module.container_registry.module.registry.modtm_telemetry.telemetry[0]: Refreshing state... [id=79393eca-d738-4979-bcf1-253496ddd7dc]
module.backend_app.module.app.modtm_telemetry.telemetry[0]: Refreshing state... [id=a5817680-737d-467b-b21e-94cb2d790d10]
module.keyvault.module.keyvault.modtm_telemetry.telemetry[0]: Refreshing state... [id=5be61e47-e1c7-4237-b980-0dbad3ab1696]
azurerm_role_assignment.pipeline_storage_blob_data_owner: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Authorization/roleAssignments/7068b575-1b60-0d47-5245-6251bf826556]
azurerm_role_assignment.pipeline_kv_secrets_officer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Authorization/roleAssignments/f10f1114-20a9-3799-0208-8170b0f3e326]
module.networking.data.azurerm_resource_group.this: Reading...
module.workload_identity.module.identity.azurerm_user_assigned_identity.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload]
module.keyvault.module.keyvault.azurerm_key_vault.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01]
module.container_registry.module.registry.azurerm_container_registry.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01]
module.monitoring.module.application_insights.modtm_telemetry.telemetry[0]: Refreshing state... [id=069dfaa0-3f60-4938-81c7-af165fc5758c]
module.monitoring.module.log_analytics.azurerm_log_analytics_workspace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.cosmos_account.azurerm_cosmosdb_account.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01]
module.ai_search.module.search.azurerm_search_service.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01]
module.service_bus.module.namespace.azurerm_servicebus_namespace.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01]
module.workload_identity.azuread_app_role_assignment.api_roles["reader"]: Refreshing state... [id=/servicePrincipals/980501a2-67f1-44c3-9ba2-03220f4dc403/appRoleAssignedTo/Jz9qIST__EaBPGEzvAd2cpcVv4b_R2NBu5u1qRbW9gU]
module.networking.data.azurerm_resource_group.this: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev]
module.networking.module.vnet.azapi_resource.vnet: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].azapi_resource.private_dns_zone: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net]
module.workload_federation_environment.azurerm_federated_identity_credential.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-bt-dev-workload/federatedIdentityCredentials/github-environment-dev-workload]
module.networking.module.vnet.module.subnet["private_endpoints"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-private-endpoints]
module.networking.module.vnet.module.subnet["integration"].azapi_resource.subnet[0]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/virtualNetworks/vnet-bt-dev/subnets/snet-cae-integration]
azurerm_role_assignment.operator_kv_secrets_officer["62936c0c-a840-43e8-a24e-22304b7d7c89"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/4ad74ab3-17f2-0dbd-e364-e8a71260bbfc]
time_sleep.wait_for_storage_rbac_propagation: Refreshing state... [id=2026-06-17T02:35:42Z]
module.monitoring.module.application_insights.azurerm_application_insights.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev]
azurerm_storage_account.indexer_webjobs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01]
module.ai_search.azurerm_role_assignment.workload_search_index_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/60115be9-6fcc-4d0e-50e9-9186fe1518ed]
module.keyvault.module.keyvault.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01|kv-audit]
module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics]
module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics]
module.ai_search.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Search/searchServices/srch-bt-dev-chdev01|srch-bt-dev-chdev01-diagnostics]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_database.canonical: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical]
module.service_bus.azurerm_role_assignment.workload_sb_data_sender: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/2edae188-abbf-c156-ef38-d7f4df9793bb]
module.service_bus.azurerm_role_assignment.workload_sb_data_receiver: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/ff5aa6d6-1e6d-d8c2-e6d9-ad82a5f43916]
module.networking.module.private_dns_zones["privatelink.azurecr.io"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io/virtualNetworkLinks/vnet-link-privatelink-azurecr-io]
module.networking.module.private_dns_zones["privatelink.documents.azure.com"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com/virtualNetworkLinks/vnet-link-privatelink-documents-azure-com]
module.networking.module.private_dns_zones["privatelink.search.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.search.windows.net/virtualNetworkLinks/vnet-link-privatelink-search-windows-net]
module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net/virtualNetworkLinks/vnet-link-privatelink-vaultcore-azure-net]
module.networking.module.private_dns_zones["privatelink.servicebus.windows.net"].module.virtual_network_links["env_vnet"].azapi_resource.private_dns_zone_network_link: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net/virtualNetworkLinks/vnet-link-privatelink-servicebus-windows-net]
time_sleep.wait_for_kv_rbac_propagation: Refreshing state... [id=2026-05-20T01:06:50Z]
module.service_bus.module.diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ServiceBus/namespaces/sbns-bt-dev-chdev01|sbns-bt-dev-chdev01-diagnostics]
module.service_bus.terraform_data.sku_validation: Refreshing state... [id=3fb0fc5a-15ee-8cdd-7933-3179d5a890fc]
module.keyvault.terraform_data.pe_validation[0]: Refreshing state... [id=201c9137-ee34-a35d-5335-c8021ca74754]
module.ai_search.terraform_data.pe_inputs_validation[0]: Refreshing state... [id=f5294495-8898-f048-e11c-c0e0fba80c44]
module.ai_search.terraform_data.sku_validation: Refreshing state... [id=ba2da3a0-64d4-347e-3d16-6904a1669658]
module.ai_search.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-srch-bt-dev-chdev01]
module.cosmos_account.terraform_data.pe_validation[0]: Refreshing state... [id=efbbaabe-f245-fa8f-45da-481d747941fd]
module.keyvault.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-kv-bt-dev-chdev01]
module.cosmos_account.module.private_endpoint[0].azurerm_private_endpoint.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/privateEndpoints/pe-cosmos-bt-dev-chdev01]
azurerm_cosmosdb_sql_role_assignment.workload_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/23f26ba2-552f-5ca8-d96d-d99b333ad35c]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.change_events: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/change-events]
module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources]
azurerm_cosmosdb_sql_role_assignment.developer_data_contributor: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlRoleAssignments/3bfd366d-31e6-77e6-fe99-6b0b1763206d]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_audit: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-audit]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities_leases: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities-leases]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.namespace_validation_runs: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/namespace-validation-runs]
module.cosmos_registry_store.azurerm_cosmosdb_sql_container.registry_entities: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/registry-entities]
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Reading...
module.keyvault.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-kv-bt-dev-chdev01.nic.312de6d8-b5a7-487b-97ed-07cc5c931b11]
module.cosmos_account.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-cosmos-bt-dev-chdev01.nic.81c6eb89-c005-41ee-b680-b56f0690b42c]
module.ai_search.module.private_endpoint[0].data.azurerm_network_interface.pe_nic: Read complete after 0s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Network/networkInterfaces/pe-srch-bt-dev-chdev01.nic.0718500b-0b1d-4a1e-ac31-fe22720170e4]
module.workload_identity.azurerm_role_assignment.this["acr-pull"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01/providers/Microsoft.Authorization/roleAssignments/f282f44f-f04d-5041-0f2f-1eee86c775c3]
azurerm_key_vault_secret.app_insights_connection_string: Refreshing state... [id=https://kv-bt-dev-chdev01.vault.azure.net/secrets/ApplicationInsightsConnectionString/f83feb2a94b74578939a61c4df54f1f5]
module.application_insights_diagnostics.azurerm_monitor_diagnostic_setting.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev|appi-diagnostics]
module.workload_identity.azurerm_role_assignment.this["monitoring-metrics-publisher"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Insights/components/appi-bt-dev/providers/Microsoft.Authorization/roleAssignments/4219f119-f9dc-d5ec-27cd-658ab78c33db]
module.workload_identity.azurerm_role_assignment.this["kv-secrets-user"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.KeyVault/vaults/kv-bt-dev-chdev01/providers/Microsoft.Authorization/roleAssignments/798da788-01e1-37ab-17f3-c47a9d2d1c6a]
module.workload_identity.azurerm_role_assignment.this["indexer-webjobs-blob-owner"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.Storage/storageAccounts/stbtdevchdev01/providers/Microsoft.Authorization/roleAssignments/14bdc479-b5a2-ac16-f72b-c07d328633fc]
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.current: Reading...
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Reading...
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Reading...
module.container_apps_env.module.environment.data.modtm_module_source.telemetry[0]: Read complete after 0s
module.container_apps_env.module.environment.data.azapi_client_config.telemetry[0]: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.data.azapi_client_config.current: Read complete after 0s [id=clientConfigs/subscriptionId=08b37dc0-0011-4841-84c0-0349a5c65883;tenantId=596c1564-6e95-4c35-a80b-2dbe45a162f3]
module.container_apps_env.module.environment.random_uuid.telemetry[0]: Refreshing state... [id=a840f803-8d8c-a73e-252d-bfa39f829b92]
module.container_apps_env.module.environment.modtm_telemetry.telemetry[0]: Refreshing state... [id=1a8fc817-4e60-4b70-b5d3-2c124cd439a0]
module.container_apps_env.data.azurerm_log_analytics_workspace.this: Read complete after 1s [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.OperationalInsights/workspaces/log-bt-dev]
module.container_apps_env.module.environment.azapi_resource.this_environment: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev]
module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"]: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics]
module.indexer_container_app.azurerm_container_app.indexer: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer]
module.backend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api]
module.frontend_app.module.app.azurerm_container_app.this: Refreshing state... [id=/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place (current -> planned)

OpenTofu will perform the following actions:

  # module.cosmos_account.azurerm_cosmosdb_account.this will be updated in-place
  ~ resource "azurerm_cosmosdb_account" "this" {
        id                                       = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01"
      ~ ip_range_filter                          = [
          + "0.0.0.0",
        ]
        name                                     = "cosmos-bt-dev-chdev01"
        tags                                     = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (30 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.cosmos_canonical_store.azurerm_cosmosdb_sql_container.resources will be updated in-place
  ~ resource "azurerm_cosmosdb_sql_container" "resources" {
        id                     = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01/sqlDatabases/busterminal-canonical/containers/resources"
        name                   = "resources"
        # (8 unchanged attributes hidden)

      ~ indexing_policy {
            # (1 unchanged attribute hidden)

          + excluded_path {
              + path = "/\"_etag\"/?"
            }

            # (3 unchanged blocks hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.indexer_container_app.azurerm_container_app.indexer will be updated in-place
  ~ resource "azurerm_container_app" "indexer" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-indexer"
        name                          = "ca-bt-dev-indexer"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (8 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/indexer:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-indexer"
                # (5 unchanged attributes hidden)

                # (15 unchanged blocks hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.backend_app.module.app.azurerm_container_app.this will be updated in-place
  ~ resource "azurerm_container_app" "this" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-api"
        name                          = "ca-bt-dev-api"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (9 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/api:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-api"
                # (5 unchanged attributes hidden)

                # (15 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (4 unchanged blocks hidden)
    }

  # module.container_apps_env.module.environment.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/managedEnvironments/cae-bt-dev|cae-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "cae-diagnostics"
        # (2 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.container_registry.module.registry.azurerm_monitor_diagnostic_setting.this["audit"] will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.ContainerRegistry/registries/acrbtdevchdev01|acr-diagnostics"
      + log_analytics_destination_type = "Dedicated"
        name                           = "acr-diagnostics"
        # (2 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.cosmos_account.module.diagnostics[0].azurerm_monitor_diagnostic_setting.this will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "this" {
        id                             = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-bt-dev-chdev01|cosmos-bt-dev-chdev01-diagnostics"
        name                           = "cosmos-bt-dev-chdev01-diagnostics"
        # (3 unchanged attributes hidden)

      - metric {
          - category = "Requests" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      - metric {
          - category = "SLI" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
      + metric {
          + category = "AllMetrics"
          + enabled  = false
        }

        # (1 unchanged block hidden)
    }

  # module.frontend_app.module.app.azurerm_container_app.this will be updated in-place
  ~ resource "azurerm_container_app" "this" {
        id                            = "/subscriptions/08b37dc0-0011-4841-84c0-0349a5c65883/resourceGroups/rg-bt-dev/providers/Microsoft.App/containerApps/ca-bt-dev-web"
        name                          = "ca-bt-dev-web"
        tags                          = {
            "application" = "BusTerminal"
            "cost-center" = "platform"
            "environment" = "dev"
            "managed-by"  = "opentofu"
            "owner"       = "platform-team"
            "slice"       = "002-solution-foundation"
        }
        # (9 unchanged attributes hidden)

      ~ template {
            # (5 unchanged attributes hidden)

          ~ container {
              ~ image             = "acrbtdevchdev01.azurecr.io/busterminal/web:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
                name              = "ca-bt-dev-web"
                # (5 unchanged attributes hidden)

                # (12 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 8 to change, 0 to destroy.

Changes to Outputs:
  ~ backend_image_in_use                              = "acrbtdevchdev01.azurecr.io/busterminal/api:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
  ~ frontend_image_in_use                             = "acrbtdevchdev01.azurecr.io/busterminal/web:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
  ~ indexer_image_in_use                              = "acrbtdevchdev01.azurecr.io/busterminal/indexer:3042fa9deca73a26e2ae6c6a7794754b7800edcf" -> "mcr.microsoft.com/azuredocs/aci-helloworld:latest"

Warning: Argument is deprecated

  with module.keyvault.module.keyvault.azurerm_key_vault.this,
  on .terraform/modules/keyvault.keyvault/main.tf line 7, in resource "azurerm_key_vault" "this":
   7:   enable_rbac_authorization       = !var.legacy_access_policies_enabled

This property has been renamed to `rbac_authorization_enabled` and will be
removed in v5.0 of the provider

(and 6 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/monitoring.log_analytics/outputs.tf line 16, in output "resource":
  16:   value       = azurerm_log_analytics_workspace.this

This value's attribute local_authentication_disabled is derived from
azurerm_log_analytics_workspace.this.local_authentication_disabled, which is
deprecated.

Warning: Attribute Deprecated

  with module.networking.module.private_dns_zones["privatelink.vaultcore.azure.net"].azapi_resource.private_dns_zone,
  on .terraform/modules/networking.private_dns_zones/main.tf line 1, in resource "azapi_resource" "private_dns_zone":
   1: resource "azapi_resource" "private_dns_zone" {

The `randomization_factor` attribute is deprecated and will be removed in a
future version.

(and 19 more similar warnings elsewhere)

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.multiplier is derived from
azapi_resource.vnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/outputs.tf line 22, in output "resource":
  22:   value       = azapi_resource.vnet

This value's attribute retry.randomization_factor is derived from
azapi_resource.vnet.retry.randomization_factor, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.multiplier is derived from
azapi_resource.subnet.retry.multiplier, which is deprecated.

Warning: Value derived from a deprecated source

  on .terraform/modules/networking.vnet/modules/subnet/outputs.tf line 18, in output "resource":
  18:   value       = local.ipam_enabled ? azapi_resource.subnet_ipam[0] : azapi_resource.subnet[0]

This value's attribute retry.randomization_factor is derived from
azapi_resource.subnet.retry.randomization_factor, which is deprecated.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    tofu apply "tfplan"

BusTerminal IaC policy gate — env `dev`

Rule	Status	Detail
BT-IAC-001	PASS	BT-IAC-001: PASS
BT-IAC-002	SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)	BT-IAC-002: SKIP (env 'dev' is non-prod; rule is prod-only per Q2c)
BT-IAC-003	PASS	BT-IAC-003: PASS
BT-IAC-004	PASS	BT-IAC-004: PASS
BT-IAC-005	PASS	BT-IAC-005: PASS
BT-IAC-006	PASS	BT-IAC-006: PASS
BT-IAC-007	PASS	BT-IAC-007: PASS

Totals: 7 pass · 0 fail · 0 setup error(s)

christopherhouse temporarily deployed to dev June 17, 2026 19:28 — with GitHub Actions Inactive

christopherhouse merged commit ab57444 into main Jun 17, 2026
8 of 9 checks passed

christopherhouse deleted the fix/cosmos-allow-azure-datacenters branch June 17, 2026 19:30

christopherhouse mentioned this pull request Jun 17, 2026

fix(api): deterministic correlationId fallback in audit factory #86

Open

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(iac): pin Cosmos ip_range_filter to allow Azure-datacenter traffic#85

fix(iac): pin Cosmos ip_range_filter to allow Azure-datacenter traffic#85
christopherhouse merged 1 commit into
mainfrom
fix/cosmos-allow-azure-datacenters

christopherhouse commented Jun 17, 2026

Uh oh!

github-actions Bot commented Jun 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

christopherhouse commented Jun 17, 2026

Summary

Fix

Security posture

Test plan

Uh oh!

github-actions Bot commented Jun 17, 2026

OpenTofu plan — dev

BusTerminal IaC policy gate — env dev

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

OpenTofu plan — `dev`

BusTerminal IaC policy gate — env `dev`