@jamesiarmes
Member

No description provided.

@github-actions

github-actions bot commented Oct 3, 2025

Plan output for service config


Note: Objects have changed outside of OpenTofu

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # module.system.module.tools.docker_image.container has been deleted
  - resource "docker_image" "container" {
      - id       = "sha256:6f1e1d864c0146dfc68e1fc5a06c1eda37be60df30f80407a4e916faff1600fa207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> null
      - name     = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> null
        # (2 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.system.module.consumer.module.task.docker_image.container has been deleted
  - resource "docker_image" "container" {
      - id       = "sha256:6742365ba182c1c65232b8d9b413a8395918080ffa32e726328a36e78d3d4ef6207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> null
      - name     = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> null
        # (2 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
+/- create replacement and then destroy
 <= read (data resources)

OpenTofu will perform the following actions:

  # module.system.aws_iam_policy.exports will be created
  + resource "aws_iam_policy" "exports" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Allow access to the S3 bucket for Senzing exports."
      + id               = (known after apply)
      + name             = (known after apply)
      + name_prefix      = "sqs-senzing-development-exports-access-"
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "kms:Decrypt",
                          + "kms:GenerateDataKey",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:kms:us-west-1:207495628382:key/a7e04278-b830-4097-84f5-823173e80116",
                        ]
                      + Sid      = "KeyAccess"
                    },
                  + {
                      + Action   = [
                          + "s3:PutObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::sqs-senzing-development-exports/*",
                        ]
                      + Sid      = "S3Access"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all         = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
    }

  # module.system.module.exporter.data.aws_caller_identity.identity will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "identity" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.system.module.exporter.data.aws_ecr_authorization_token.token will be read during apply
  # (config refers to values not yet known)
 <= data "aws_ecr_authorization_token" "token" {
      + authorization_token = (sensitive value)
      + expires_at          = (known after apply)
      + id                  = (known after apply)
      + password            = (sensitive value)
      + proxy_endpoint      = (known after apply)
      + region              = (known after apply)
      + registry_id         = (known after apply)
      + user_name           = (known after apply)
    }

  # module.system.module.exporter.data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.system.module.exporter.data.aws_region.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_region" "current" {
      + description = (known after apply)
      + endpoint    = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + region      = (known after apply)
    }

  # module.system.module.exporter.aws_cloudwatch_log_group.service will be created
  + resource "aws_cloudwatch_log_group" "service" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + kms_key_id        = "arn:aws:kms:us-west-1:207495628382:key/65d4906b-6d37-4615-bca4-436c63faef80"
      + log_group_class   = (known after apply)
      + name              = "/aws/ecs/sqs-senzing/development/exporter"
      + name_prefix       = (known after apply)
      + region            = "us-west-1"
      + retention_in_days = 30
      + skip_destroy      = false
      + tags              = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all          = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
    }

  # module.system.module.exporter.aws_iam_policy.execution will be created
  + resource "aws_iam_policy" "execution" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Senzing task execution policy."
      + id               = (known after apply)
      + name             = "sqs-senzing-development-exporter-execution"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags             = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all         = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
    }

  # module.system.module.exporter.aws_iam_policy.task will be created
  + resource "aws_iam_policy" "task" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Senzing task policy."
      + id               = (known after apply)
      + name             = "sqs-senzing-development-exporter-task"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags             = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all         = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
    }

  # module.system.module.exporter.aws_iam_role.execution will be created
  + resource "aws_iam_role" "execution" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ecs-tasks.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + description           = "Senzing task execution role."
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "sqs-senzing-development-exporter-execution"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all              = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.system.module.exporter.aws_iam_role.task will be created
  + resource "aws_iam_role" "task" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ecs-tasks.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + description           = "Senzing task role."
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "sqs-senzing-development-exporter-task"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all              = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # module.system.module.exporter.aws_iam_role_policy_attachments_exclusive.execution will be created
  + resource "aws_iam_role_policy_attachments_exclusive" "execution" {
      + policy_arns = [
          + "arn:aws:iam::207495628382:policy/sqs-senzing-development-secrets-access-20250925044353478800000003",
          + (known after apply),
        ]
      + role_name   = "sqs-senzing-development-exporter-execution"
    }

  # module.system.module.exporter.aws_iam_role_policy_attachments_exclusive.task will be created
  + resource "aws_iam_role_policy_attachments_exclusive" "task" {
      + policy_arns = [
          + (known after apply),
          + (known after apply),
        ]
      + role_name   = "sqs-senzing-development-exporter-task"
    }

  # module.system.module.exporter.docker_image.container will be created
  + resource "docker_image" "container" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = (known after apply)
      + repo_digest = (known after apply)
      + triggers    = {
          + "image_tage" = "f4b657f6c440df1301786d932527041a583d098f"
        }

      + build {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.system.module.exporter.docker_registry_image.container will be created
  + resource "docker_registry_image" "container" {
      + id                   = (known after apply)
      + insecure_skip_verify = false
      + keep_remotely        = true
      + name                 = (known after apply)
      + sha256_digest        = (known after apply)
      + triggers             = (known after apply)

      + auth_config {
          + address  = (known after apply)
          + password = (sensitive value)
          + username = (known after apply)
        }
    }

  # module.system.module.tools.docker_image.container will be created
  + resource "docker_image" "container" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:f4b657f6c440df1301786d932527041a583d098f"
      + repo_digest = (known after apply)
      + triggers    = {
          + "image_tage" = "f4b657f6c440df1301786d932527041a583d098f"
        }

      + build {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.system.module.tools.docker_registry_image.container must be replaced
+/- resource "docker_registry_image" "container" {
      ~ id                   = "sha256:c710c8666bef24d5f1b378d7791700080679c2d38769abcf887aea9903ca0012" -> (known after apply)
      ~ name                 = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:f4b657f6c440df1301786d932527041a583d098f" # forces replacement
      ~ sha256_digest        = "sha256:c710c8666bef24d5f1b378d7791700080679c2d38769abcf887aea9903ca0012" -> (known after apply)
      ~ triggers             = { # forces replacement
          - "sha" = "sha256:6f1e1d864c0146dfc68e1fc5a06c1eda37be60df30f80407a4e916faff1600fa207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)

      ~ auth_config {
          ~ password = (sensitive value)
            # (2 unchanged attributes hidden)
        }
    }

  # module.system.module.consumer.module.service.aws_ecs_service.main[0] will be updated in-place
  ~ resource "aws_ecs_service" "main" {
        id                                 = "arn:aws:ecs:us-west-1:207495628382:service/sqs-senzing-development/sqs-senzing-development-consumer"
        name                               = "sqs-senzing-development-consumer"
        tags                               = {
            "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      ~ task_definition                    = "arn:aws:ecs:us-west-1:207495628382:task-definition/sqs-senzing-dev-consumer:27" -> (known after apply)
        # (19 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.system.module.consumer.module.task.docker_image.container will be created
  + resource "docker_image" "container" {
      + id          = (known after apply)
      + image_id    = (known after apply)
      + name        = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:f4b657f6c440df1301786d932527041a583d098f"
      + repo_digest = (known after apply)
      + triggers    = {
          + "image_tage" = "f4b657f6c440df1301786d932527041a583d098f"
        }

      + build {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.system.module.consumer.module.task.docker_registry_image.container must be replaced
+/- resource "docker_registry_image" "container" {
      ~ id                   = "sha256:bf29bbdca85e70eca23c0661d4eaeaad795cddadab3502a569018481f156bfa0" -> (known after apply)
      ~ name                 = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:f4b657f6c440df1301786d932527041a583d098f" # forces replacement
      ~ sha256_digest        = "sha256:bf29bbdca85e70eca23c0661d4eaeaad795cddadab3502a569018481f156bfa0" -> (known after apply)
      ~ triggers             = { # forces replacement
          - "sha" = "sha256:6742365ba182c1c65232b8d9b413a8395918080ffa32e726328a36e78d3d4ef6207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa"
        } -> (known after apply) # forces replacement
        # (2 unchanged attributes hidden)

      ~ auth_config {
          ~ password = (sensitive value)
            # (2 unchanged attributes hidden)
        }
    }

  # module.system.module.exporter.module.ecr.data.aws_caller_identity.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_caller_identity" "current" {
      + account_id = (known after apply)
      + arn        = (known after apply)
      + id         = (known after apply)
      + user_id    = (known after apply)
    }

  # module.system.module.exporter.module.ecr.data.aws_iam_policy_document.repository[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "repository" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions = [
              + "ecr:BatchCheckLayerAvailability",
              + "ecr:BatchGetImage",
              + "ecr:DescribeImageScanFindings",
              + "ecr:DescribeImages",
              + "ecr:DescribeRepositories",
              + "ecr:GetAuthorizationToken",
              + "ecr:GetDownloadUrlForLayer",
              + "ecr:GetLifecyclePolicy",
              + "ecr:GetLifecyclePolicyPreview",
              + "ecr:GetRepositoryPolicy",
              + "ecr:ListImages",
              + "ecr:ListTagsForResource",
            ]
          + sid     = "PrivateReadOnly"

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "AWS"
            }
        }
    }

  # module.system.module.exporter.module.ecr.data.aws_partition.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_partition" "current" {
      + dns_suffix         = (known after apply)
      + id                 = (known after apply)
      + partition          = (known after apply)
      + reverse_dns_prefix = (known after apply)
    }

  # module.system.module.exporter.module.ecr.aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Expire untagged images older than 14 days"
                      + rulePriority = 1
                      + selection    = {
                          + countNumber = 14
                          + countType   = "sinceImagePushed"
                          + countUnit   = "days"
                          + tagStatus   = "untagged"
                        }
                    },
                ]
            }
        )
      + region      = "us-west-1"
      + registry_id = (known after apply)
      + repository  = "sqs-senzing-development-exporter"
    }

  # module.system.module.exporter.module.ecr.aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + force_delete         = true
      + id                   = (known after apply)
      + image_tag_mutability = "MUTABLE"
      + name                 = "sqs-senzing-development-exporter"
      + region               = "us-west-1"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags                 = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all             = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }

      + encryption_configuration {
          + encryption_type = "KMS"
          + kms_key         = "arn:aws:kms:us-west-1:207495628382:key/0fccf5d7-ff29-4e29-bbc8-fbf8c1dcd853"
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module.system.module.exporter.module.ecr.aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = (known after apply)
      + region      = "us-west-1"
      + registry_id = (known after apply)
      + repository  = "sqs-senzing-development-exporter"
    }

  # module.system.module.exporter.module.ecs_task.aws_ecs_task_definition.main[0] will be created
  + resource "aws_ecs_task_definition" "main" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (known after apply)
      + cpu                      = "1024"
      + enable_fault_injection   = false
      + execution_role_arn       = (known after apply)
      + family                   = "sqs-senzing-development-exporter"
      + id                       = (known after apply)
      + memory                   = "4096"
      + network_mode             = "awsvpc"
      + region                   = "us-west-1"
      + requires_compatibilities = [
          + "FARGATE",
        ]
      + revision                 = (known after apply)
      + skip_destroy             = false
      + tags                     = {
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
      + tags_all                 = {
          + "application"    = "sqs-senzing-development"
          + "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
          + "environment"    = "development"
          + "program"        = "safety-net"
          + "project"        = "sqs-senzing"
        }
      + task_role_arn            = (known after apply)
      + track_latest             = false

      + volume {
          + configure_at_launch = (known after apply)
          + name                = "logs"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "senzing-home"
        }
    }

  # module.system.module.tools.module.ecs_task.aws_ecs_task_definition.main[0] must be replaced
+/- resource "aws_ecs_task_definition" "main" {
      ~ arn                      = "arn:aws:ecs:us-west-1:207495628382:task-definition/sqs-senzing-development-tools:52" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-1:207495628382:task-definition/sqs-senzing-development-tools" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  - mountPoints            = []
                    name                   = "otel-collector"
                  - portMappings           = []
                  - systemControls         = []
                  - volumesFrom            = []
                    # (7 unchanged attributes hidden)
                },
              ~ {
                  ~ environment            = [
                      + {
                          + name  = "LOG_LEVEL"
                          + value = "INFO"
                        },
                        {
                            name  = "PGHOST"
                            value = "sqs-senzing-development-senzing.cluster-c7qqmqeoy39j.us-west-1.rds.amazonaws.com"
                        },
                        # (3 unchanged elements hidden)
                    ]
                  ~ image                  = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-development-tools:f4b657f6c440df1301786d932527041a583d098f"
                    name                   = "sqs-senzing-development-tools"
                  ~ portMappings           = [
                      ~ {
                          - hostPort      = 80
                          - protocol      = "tcp"
                            # (1 unchanged attribute hidden)
                        },
                    ]
                  - systemControls         = []
                  - volumesFrom            = []
                    # (9 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ id                       = "sqs-senzing-development-tools" -> (known after apply)
      ~ revision                 = 52 -> (known after apply)
        tags                     = {
            "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
        # (12 unchanged attributes hidden)

      - volume {
          - configure_at_launch = false -> null
          - name                = "aws-lib" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "logs" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "senzing-home" -> null
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "aws-lib"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "logs"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "senzing-home"
        }
    }

  # module.system.module.consumer.module.task.module.ecs_task.aws_ecs_task_definition.main[0] must be replaced
+/- resource "aws_ecs_task_definition" "main" {
      ~ arn                      = "arn:aws:ecs:us-west-1:207495628382:task-definition/sqs-senzing-dev-consumer:27" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-1:207495628382:task-definition/sqs-senzing-dev-consumer" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  - mountPoints            = []
                    name                   = "otel-collector"
                  - portMappings           = []
                  - systemControls         = []
                  - volumesFrom            = []
                    # (7 unchanged attributes hidden)
                },
              ~ {
                  ~ environment            = [
                      + {
                          + name  = "LOG_LEVEL"
                          + value = "INFO"
                        },
                        {
                            name  = "Q_URL"
                            value = "https://sqs.us-west-1.amazonaws.com/207495628382/sqs-senzing-development-queue"
                        },
                    ]
                  ~ image                  = "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> "207495628382.dkr.ecr.us-west-1.amazonaws.com/sqs-senzing-dev-consumer:f4b657f6c440df1301786d932527041a583d098f"
                    name                   = "sqs-senzing-dev-consumer"
                  ~ portMappings           = [
                      ~ {
                          - hostPort      = 80
                          - protocol      = "tcp"
                            # (1 unchanged attribute hidden)
                        },
                    ]
                  - systemControls         = []
                  - volumesFrom            = []
                    # (9 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ id                       = "sqs-senzing-dev-consumer" -> (known after apply)
      ~ revision                 = 27 -> (known after apply)
        tags                     = {
            "awsApplication" = "arn:aws:resource-groups:us-west-1:207495628382:group/sqs-senzing-development/0949oli7hmptcuydpbudaxsl9k"
        }
        # (12 unchanged attributes hidden)

      - volume {
          - configure_at_launch = false -> null
          - name                = "logs" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "senzing-home" -> null
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "logs"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "senzing-home"
        }
    }

Plan: 20 to add, 1 to change, 4 to destroy.

Changes to Outputs:
  ~ image_tag              = "9a3a4b6bcc087f40beccfe078c6c30784c0b5faa" -> "f4b657f6c440df1301786d932527041a583d098f"

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    tofu apply "tfplan"

@jamesiarmes jamesiarmes requested a review from Copilot October 3, 2025 19:31

Copilot AI left a comment

Pull Request Overview

This PR adds an ephemeral exporter service to enable data exports from Senzing to S3, along with configurable log levels for all containers. The exporter runs as an on-demand ECS task that can be triggered via GitHub Actions.

  • Added exporter ephemeral service with S3 export capabilities
  • Introduced configurable log levels for all containers with validation
  • Created GitHub Actions workflow to trigger exports on-demand

Reviewed Changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| tofu/modules/system/variables.tf | Added log_level variable with validation for container logging |
| tofu/modules/system/templates/exports-access-policy.yaml.tftpl | Created IAM policy template for S3 and KMS access |
| tofu/modules/system/iam.tf | Added IAM policy for exporter S3 access |
| tofu/modules/system/ecs.tf | Added exporter module and reorganized service configurations |
| tofu/config/service/variables.tf | Added log_level variable to service configuration |
| tofu/config/service/main.tf | Passed log_level to system module |
| Dockerfile.exporter | Added volume definitions for read-only filesystem support |
| .trivyignore.yaml | Updated comment and paths for ephemeral container healthcheck exemption |
| .github/workflows/*.yaml | Added log_level environment variable and new export workflow |
| .github/actions/setup-opentofu/action.yaml | Added log_level to variable handling |

@jamesiarmes jamesiarmes marked this pull request as ready for review October 3, 2025 19:58
@jamesiarmes jamesiarmes requested a review from a team as a code owner October 3, 2025 19:58
@jamesiarmes jamesiarmes merged commit 221ed45 into main Oct 3, 2025
10 checks passed
@jamesiarmes jamesiarmes deleted the export-service branch October 3, 2025 20:01