Claude Code transcript - page 1/1

[
  {
    "type": "text",
    "text": "{\"id\":3147518772,\"number\":3034,\"state\":\"open\",\"locked\":false,\"title\":\"create modules to move logic into, then publish modules separately\",\"body\":\"## Description \\u0026amp; Impact\\n\\n### :notebook: Context\\n\\n\\n\\n### :file_folder: Affected Workspaces\\n\\n- [ ] Backbone\\n- [ ] User\\n- [ ] Services, please specify: \\n\\n### :gear: Affected Resources\\n\\nIf there are new resources introduced, please make sure you\\u0026#39;ve added comments to explain why we need it.\\n\\n- [ ] IAM \\n- [ ] Secrete Manager \\n- [ ] RDS \\n- [ ] DDB \\n- [ ] S3 \\n\\n### :arrow_heading_up: Outputs\\n\\n- [ ] Policy\\n- [ ] ARNs, please specify: \\n\\nJustifications:\\n\\n\\n\\n\\n\",\"created_at\":\"2026-01-05T21:29:00Z\",\"updated_at\":\"2026-01-06T00:15:40Z\",\"user\":{\"login\":\"danielrothimprint\",\"id\":175045566,\"node_id\":\"U_kgDOCm77vg\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/175045566?v=4\",\"html_url\":\"https://github.com/danielrothimprint\",\"gravatar_id\":\"\",\"type\":\"User\",\"site_admin\":false,\"url\":\"https://api.github.com/users/danielrothimprint\",\"events_url\":\"https://api.github.com/users/danielrothimprint/events{/privacy}\",\"following_url\":\"https://api.github.com/users/danielrothimprint/following{/other_user}\",\"followers_url\":\"https://api.github.com/users/danielrothimprint/followers\",\"gists_url\":\"https://api.github.com/users/danielrothimprint/gists{/gist_id}\",\"organizations_url\":\"https://api.github.com/users/danielrothimprint/orgs\",\"received_events_url\":\"https://api.github.com/users/danielrothimprint/received_events\",\"repos_url\":\"https://api.github.com/users/danielrothimprint/repos\",\"starred_url\":\"https://api.github.com/users/danielrothimprint/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/danielrothimprint/subscriptions\"},\"draft\":false,\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034\",\"html_url\":\"https://github.com/Imprint-Tech/infrastructure/pull/3034\",\"issue_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/3034\",\"statuses_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"diff_url\":\"https://github.com/Imprint-Tech/infrastructure/pull/3034.diff\",\"patch_url\":\"https://github.com/Imprint-Tech/infrastructure/pull/3034.patch\",\"commits_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034/commits\",\"comments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/3034/comments\",\"review_comments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034/comments\",\"review_comment_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/comments{/number}\",\"author_association\":\"MEMBER\",\"node_id\":\"PR_kwDOEz1ECM67m1M0\",\"merged\":false,\"mergeable\":true,\"mergeable_state\":\"behind\",\"rebaseable\":true,\"merge_commit_sha\":\"cfc2941ccf9a141cdcf672ae4bbcaf3c2672cd02\",\"comments\":2,\"commits\":4,\"additions\":2786,\"deletions\":0,\"changed_files\":47,\"maintainer_can_modify\":false,\"review_comments\":1,\"requested_teams\":[{\"id\":5179526,\"node_id\":\"T_kwDOBItRHs4ATwiG\",\"name\":\"Sysops\",\"description\":\"\",\"url\":\"https://api.github.com/organizations/76239134/team/5179526\",\"slug\":\"sysops\",\"permission\":\"pull\",\"privacy\":\"closed\",\"notification_setting\":\"notifications_enabled\",\"html_url\":\"https://github.com/orgs/Imprint-Tech/teams/sysops\",\"members_url\":\"https://api.github.com/organizations/76239134/team/5179526/members{/member}\",\"repositories_url\":\"https://api.github.com/organizations/76239134/team/5179526/repos\"}],\"_links\":{\"self\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034\"},\"html\":{\"href\":\"https://github.com/Imprint-Tech/infrastructure/pull/3034\"},\"issue\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/3034\"},\"comments\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/3034/comments\"},\"review_comments\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034/comments\"},\"review_comment\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/comments{/number}\"},\"commits\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls/3034/commits\"},\"statuses\":{\"href\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\"}},\"head\":{\"label\":\"Imprint-Tech:feature/phase1-module-extraction\",\"ref\":\"feature/phase1-module-extraction\",\"sha\":\"574ead47c35f954317b9cd09ac660f1c033533df\",\"repo\":{\"id\":322782216,\"node_id\":\"MDEwOlJlcG9zaXRvcnkzMjI3ODIyMTY=\",\"owner\":{\"login\":\"Imprint-Tech\",\"id\":76239134,\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjc2MjM5MTM0\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/76239134?v=4\",\"html_url\":\"https://github.com/Imprint-Tech\",\"gravatar_id\":\"\",\"type\":\"Organization\",\"site_admin\":false,\"url\":\"https://api.github.com/users/Imprint-Tech\",\"events_url\":\"https://api.github.com/users/Imprint-Tech/events{/privacy}\",\"following_url\":\"https://api.github.com/users/Imprint-Tech/following{/other_user}\",\"followers_url\":\"https://api.github.com/users/Imprint-Tech/followers\",\"gists_url\":\"https://api.github.com/users/Imprint-Tech/gists{/gist_id}\",\"organizations_url\":\"https://api.github.com/users/Imprint-Tech/orgs\",\"received_events_url\":\"https://api.github.com/users/Imprint-Tech/received_events\",\"repos_url\":\"https://api.github.com/users/Imprint-Tech/repos\",\"starred_url\":\"https://api.github.com/users/Imprint-Tech/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/Imprint-Tech/subscriptions\"},\"name\":\"infrastructure\",\"full_name\":\"Imprint-Tech/infrastructure\",\"description\":\"Infrastructure as Code\",\"default_branch\":\"main\",\"created_at\":\"2020-12-19T06:24:12Z\",\"pushed_at\":\"2026-01-08T17:36:22Z\",\"updated_at\":\"2026-01-08T17:36:25Z\",\"html_url\":\"https://github.com/Imprint-Tech/infrastructure\",\"clone_url\":\"https://github.com/Imprint-Tech/infrastructure.git\",\"git_url\":\"git://github.com/Imprint-Tech/infrastructure.git\",\"ssh_url\":\"git@github.com:Imprint-Tech/infrastructure.git\",\"svn_url\":\"https://github.com/Imprint-Tech/infrastructure\",\"language\":\"HCL\",\"fork\":false,\"forks_count\":0,\"open_issues_count\":20,\"open_issues\":20,\"stargazers_count\":1,\"watchers_count\":1,\"watchers\":1,\"size\":4917,\"allow_forking\":false,\"web_commit_signoff_required\":false,\"archived\":false,\"disabled\":false,\"private\":true,\"has_issues\":true,\"has_wiki\":true,\"has_pages\":false,\"has_projects\":true,\"has_downloads\":true,\"has_discussions\":false,\"is_template\":false,\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure\",\"archive_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/{archive_format}{/ref}\",\"assignees_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/assignees{/user}\",\"blobs_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/blobs{/sha}\",\"branches_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/branches{/branch}\",\"collaborators_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/collaborators{/collaborator}\",\"comments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/comments{/number}\",\"commits_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/commits{/sha}\",\"compare_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/compare/{base}...{head}\",\"contents_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/{+path}\",\"contributors_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/contributors\",\"deployments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/deployments\",\"downloads_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/downloads\",\"events_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/events\",\"forks_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/forks\",\"git_commits_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/commits{/sha}\",\"git_refs_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/refs{/sha}\",\"git_tags_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/tags{/sha}\",\"hooks_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/hooks\",\"issue_comment_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/comments{/number}\",\"issue_events_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/events{/number}\",\"issues_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues{/number}\",\"keys_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/keys{/key_id}\",\"labels_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/labels{/name}\",\"languages_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/languages\",\"merges_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/merges\",\"milestones_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/milestones{/number}\",\"notifications_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/notifications{?since,all,participating}\",\"pulls_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls{/number}\",\"releases_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/releases{/id}\",\"stargazers_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/stargazers\",\"statuses_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/{sha}\",\"subscribers_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/subscribers\",\"subscription_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/subscription\",\"tags_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/tags\",\"trees_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/trees{/sha}\",\"teams_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/teams\",\"visibility\":\"private\"},\"user\":{\"login\":\"Imprint-Tech\",\"id\":76239134,\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjc2MjM5MTM0\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/76239134?v=4\",\"html_url\":\"https://github.com/Imprint-Tech\",\"gravatar_id\":\"\",\"type\":\"Organization\",\"site_admin\":false,\"url\":\"https://api.github.com/users/Imprint-Tech\",\"events_url\":\"https://api.github.com/users/Imprint-Tech/events{/privacy}\",\"following_url\":\"https://api.github.com/users/Imprint-Tech/following{/other_user}\",\"followers_url\":\"https://api.github.com/users/Imprint-Tech/followers\",\"gists_url\":\"https://api.github.com/users/Imprint-Tech/gists{/gist_id}\",\"organizations_url\":\"https://api.github.com/users/Imprint-Tech/orgs\",\"received_events_url\":\"https://api.github.com/users/Imprint-Tech/received_events\",\"repos_url\":\"https://api.github.com/users/Imprint-Tech/repos\",\"starred_url\":\"https://api.github.com/users/Imprint-Tech/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/Imprint-Tech/subscriptions\"}},\"base\":{\"label\":\"Imprint-Tech:main\",\"ref\":\"main\",\"sha\":\"ee5eaed670decc1e9244742c34f5f29a3e374358\",\"repo\":{\"id\":322782216,\"node_id\":\"MDEwOlJlcG9zaXRvcnkzMjI3ODIyMTY=\",\"owner\":{\"login\":\"Imprint-Tech\",\"id\":76239134,\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjc2MjM5MTM0\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/76239134?v=4\",\"html_url\":\"https://github.com/Imprint-Tech\",\"gravatar_id\":\"\",\"type\":\"Organization\",\"site_admin\":false,\"url\":\"https://api.github.com/users/Imprint-Tech\",\"events_url\":\"https://api.github.com/users/Imprint-Tech/events{/privacy}\",\"following_url\":\"https://api.github.com/users/Imprint-Tech/following{/other_user}\",\"followers_url\":\"https://api.github.com/users/Imprint-Tech/followers\",\"gists_url\":\"https://api.github.com/users/Imprint-Tech/gists{/gist_id}\",\"organizations_url\":\"https://api.github.com/users/Imprint-Tech/orgs\",\"received_events_url\":\"https://api.github.com/users/Imprint-Tech/received_events\",\"repos_url\":\"https://api.github.com/users/Imprint-Tech/repos\",\"starred_url\":\"https://api.github.com/users/Imprint-Tech/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/Imprint-Tech/subscriptions\"},\"name\":\"infrastructure\",\"full_name\":\"Imprint-Tech/infrastructure\",\"description\":\"Infrastructure as Code\",\"default_branch\":\"main\",\"created_at\":\"2020-12-19T06:24:12Z\",\"pushed_at\":\"2026-01-08T17:36:22Z\",\"updated_at\":\"2026-01-08T17:36:25Z\",\"html_url\":\"https://github.com/Imprint-Tech/infrastructure\",\"clone_url\":\"https://github.com/Imprint-Tech/infrastructure.git\",\"git_url\":\"git://github.com/Imprint-Tech/infrastructure.git\",\"ssh_url\":\"git@github.com:Imprint-Tech/infrastructure.git\",\"svn_url\":\"https://github.com/Imprint-Tech/infrastructure\",\"language\":\"HCL\",\"fork\":false,\"forks_count\":0,\"open_issues_count\":20,\"open_issues\":20,\"stargazers_count\":1,\"watchers_count\":1,\"watchers\":1,\"size\":4917,\"allow_forking\":false,\"web_commit_signoff_required\":false,\"archived\":false,\"disabled\":false,\"private\":true,\"has_issues\":true,\"has_wiki\":true,\"has_pages\":false,\"has_projects\":true,\"has_downloads\":true,\"has_discussions\":false,\"is_template\":false,\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure\",\"archive_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/{archive_format}{/ref}\",\"assignees_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/assignees{/user}\",\"blobs_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/blobs{/sha}\",\"branches_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/branches{/branch}\",\"collaborators_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/collaborators{/collaborator}\",\"comments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/comments{/number}\",\"commits_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/commits{/sha}\",\"compare_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/compare/{base}...{head}\",\"contents_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/{+path}\",\"contributors_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/contributors\",\"deployments_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/deployments\",\"downloads_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/downloads\",\"events_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/events\",\"forks_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/forks\",\"git_commits_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/commits{/sha}\",\"git_refs_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/refs{/sha}\",\"git_tags_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/tags{/sha}\",\"hooks_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/hooks\",\"issue_comment_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/comments{/number}\",\"issue_events_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues/events{/number}\",\"issues_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/issues{/number}\",\"keys_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/keys{/key_id}\",\"labels_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/labels{/name}\",\"languages_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/languages\",\"merges_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/merges\",\"milestones_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/milestones{/number}\",\"notifications_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/notifications{?since,all,participating}\",\"pulls_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/pulls{/number}\",\"releases_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/releases{/id}\",\"stargazers_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/stargazers\",\"statuses_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/{sha}\",\"subscribers_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/subscribers\",\"subscription_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/subscription\",\"tags_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/tags\",\"trees_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/git/trees{/sha}\",\"teams_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/teams\",\"visibility\":\"private\"},\"user\":{\"login\":\"Imprint-Tech\",\"id\":76239134,\"node_id\":\"MDEyOk9yZ2FuaXphdGlvbjc2MjM5MTM0\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/76239134?v=4\",\"html_url\":\"https://github.com/Imprint-Tech\",\"gravatar_id\":\"\",\"type\":\"Organization\",\"site_admin\":false,\"url\":\"https://api.github.com/users/Imprint-Tech\",\"events_url\":\"https://api.github.com/users/Imprint-Tech/events{/privacy}\",\"following_url\":\"https://api.github.com/users/Imprint-Tech/following{/other_user}\",\"followers_url\":\"https://api.github.com/users/Imprint-Tech/followers\",\"gists_url\":\"https://api.github.com/users/Imprint-Tech/gists{/gist_id}\",\"organizations_url\":\"https://api.github.com/users/Imprint-Tech/orgs\",\"received_events_url\":\"https://api.github.com/users/Imprint-Tech/received_events\",\"repos_url\":\"https://api.github.com/users/Imprint-Tech/repos\",\"starred_url\":\"https://api.github.com/users/Imprint-Tech/starred{/owner}{/repo}\",\"subscriptions_url\":\"https://api.github.com/users/Imprint-Tech/subscriptions\"}}}"
  }
]

Error: result (90,720 characters) exceeds maximum allowed tokens. Output has been saved to /Users/danielroth/.claude/projects/-Users-danielroth-dev-infrastructure-modules-dev/5f2d0a22-b7b9-43b6-b7f8-66cb6f630ad8/tool-results/mcp-github-pull_request_read-1767896365382.txt.
Format: JSON array with schema: [{type: string, text: string}]
Use offset and limit parameters to read specific portions of the file, the Grep tool to search for specific content, and jq to make structured queries.
REQUIREMENTS FOR SUMMARIZATION/ANALYSIS/REVIEW:
- You MUST read the content from the file at /Users/danielroth/.claude/projects/-Users-danielroth-dev-infrastructure-modules-dev/5f2d0a22-b7b9-43b6-b7f8-66cb6f630ad8/tool-results/mcp-github-pull_request_read-1767896365382.txt in sequential chunks until 100% of the content has been read.
- If you receive truncation warnings when reading the file, reduce the chunk size until you have read 100% of the content without truncation.
- Before producing ANY summary or analysis, you MUST explicitly describe what portion of the content you have read. ***If you did not read the entire content, you MUST explicitly state this.***

[
  {
    "type": "text",
    "text": "{\"state\":\"success\",\"sha\":\"574ead47c35f954317b9cd09ac660f1c033533df\",\"total_count\":160,\"statuses\":[{\"id\":42228889416,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3SA\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-rewards\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889530,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3ug\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-api-zero\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889547,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3yw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-frontend\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889548,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3zA\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-banking-backbone-us-west-2\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889549,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3zQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-banking-us-west-2\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889553,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm30Q\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-cupid\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889560,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm32A\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-onboard-us-west-2\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889561,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm32Q\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-impulse\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889562,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm32g\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-messenger\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889568,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm34A\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-frontend\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889575,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm35w\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-rewards\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889580,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm37A\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-api-backbone\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889595,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm3-w\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-banking-backbone\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889600,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4AA\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-abacus\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889601,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4AQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-sprinkler\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889602,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Ag\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-onboard\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889615,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Dw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-scaling\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889622,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Fg\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-avatar\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889681,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4UQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-teller\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889682,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Ug\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-ledger-us-west-2\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889683,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Uw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-passport\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889687,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Vw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-teller-us-west-2\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889689,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4WQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-messenger\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889690,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4Wg\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-scaling\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889701,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4ZQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-passport\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889706,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4ag\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/sbx-partnermetadata\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889707,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4aw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-users\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889713,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4cQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/prd-ledger\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889715,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4cw\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-onboard\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"},{\"id\":42228889721,\"node_id\":\"SC_kwDOEz1ECM8AAAAJ1Qm4eQ\",\"url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/statuses/574ead47c35f954317b9cd09ac660f1c033533df\",\"state\":\"success\",\"description\":\"Run not triggered: Terraform working directories did not change.\",\"context\":\"Terraform Cloud/Imprint/stg-banking\",\"avatar_url\":\"https://avatars.githubusercontent.com/in/39328?v=4\",\"created_at\":\"2026-01-06T00:14:03Z\",\"updated_at\":\"2026-01-06T00:14:03Z\"}],\"commit_url\":\"https://api.github.com/repos/Imprint-Tech/infrastructure/commits/574ead47c35f954317b9cd09ac660f1c033533df\"}"
  }
]

[
  {
    "type": "text",
    "text": "diff --git a/.github/workflows/terraform-module-publish.yml b/.github/workflows/terraform-module-publish.yml\nnew file mode 100644\nindex 000000000..6e7faabe3\n--- /dev/null\n+++ b/.github/workflows/terraform-module-publish.yml\n@@ -0,0 +1,160 @@\n+name: Terraform Module CI/CD\n+\n+on:\n+  push:\n+    branches:\n+      - main\n+    tags:\n+      - 'v*'\n+  pull_request:\n+    branches:\n+      - main\n+\n+env:\n+  TF_VERSION: \"1.5.0\"\n+\n+jobs:\n+  validate:\n+    name: Validate Modules\n+    runs-on: ubuntu-latest\n+    strategy:\n+      fail-fast: false\n+      matrix:\n+        module:\n+          - s3\n+          - secret\n+          - ddb\n+          - kinesis\n+          - static_web\n+          - sftp\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: Setup Terraform\n+        uses: hashicorp/setup-terraform@v3\n+        with:\n+          terraform_version: ${{ env.TF_VERSION }}\n+\n+      - name: Terraform Format Check\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform fmt -check -recursive\n+\n+      - name: Terraform Init\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform init -backend=false\n+\n+      - name: Terraform Validate\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform validate\n+\n+  docs:\n+    name: Generate Documentation\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: github.event_name == 'pull_request'\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+        with:\n+          ref: ${{ github.event.pull_request.head.ref }}\n+          token: ${{ secrets.GITHUB_TOKEN }}\n+\n+      - name: Render terraform docs\n+        uses: terraform-docs/gh-actions@v1.2.0\n+        with:\n+          working-dir: modules/s3,modules/secret,modules/ddb,modules/kinesis,modules/static_web,modules/sftp\n+          output-file: README.md\n+          output-method: inject\n+          git-push: \"true\"\n+          git-commit-message: \"docs: auto-generate terraform-docs README\"\n+\n+  # Publish to Terraform Cloud Private Registry on version tags\n+  publish:\n+    name: Publish to Terraform Cloud\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: startsWith(github.ref, 'refs/tags/v')\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: Extract version from tag\n+        id: version\n+        run: |\n+          VERSION=${GITHUB_REF#refs/tags/v}\n+          echo \"version=$VERSION\" >> $GITHUB_OUTPUT\n+          echo \"Publishing version: $VERSION\"\n+\n+      - name: Setup Terraform\n+        uses: hashicorp/setup-terraform@v3\n+        with:\n+          terraform_version: ${{ env.TF_VERSION }}\n+          cli_config_credentials_token: ${{ secrets.TFC_API_TOKEN }}\n+\n+      # Note: Terraform Cloud private registry modules are published via VCS integration\n+      # This step creates a GitHub release which TFC can consume\n+      - name: Create GitHub Release\n+        uses: softprops/action-gh-release@v1\n+        with:\n+          tag_name: ${{ github.ref_name }}\n+          name: Release ${{ steps.version.outputs.version }}\n+          body: |\n+            ## Terraform Modules Release ${{ steps.version.outputs.version }}\n+\n+            ### Modules Included:\n+            - `s3` - S3 bucket with policies and access management\n+            - `secret` - Secrets Manager with multi-region replication\n+            - `ddb` - DynamoDB table with KMS encryption and CDC\n+            - `kinesis` - Kinesis Data Stream with KMS encryption\n+            - `static_web` - Static website with S3 + CloudFront\n+            - `sftp` - SFTP Transfer Family with S3 backend\n+\n+            ### Usage\n+            ```hcl\n+            module \"example\" {\n+              source  = \"app.terraform.io/Imprint/<module>/aws\"\n+              version = \"${{ steps.version.outputs.version }}\"\n+\n+              # ... module inputs\n+            }\n+            ```\n+          draft: false\n+          prerelease: ${{ contains(steps.version.outputs.version, '-') }}\n+        env:\n+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n+\n+  # Security scanning\n+  security:\n+    name: Security Scan\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: github.event_name == 'pull_request'\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: tfsec\n+        uses: aquasecurity/tfsec-action@v1.0.3\n+        with:\n+          working_directory: modules\n+          soft_fail: true\n+\n+      - name: Checkov\n+        uses: bridgecrewio/checkov-action@v12\n+        with:\n+          directory: modules\n+          framework: terraform\n+          soft_fail: true\n+          output_format: sarif\n+          output_file_path: checkov-results.sarif\n+\n+      - name: Upload SARIF file\n+        uses: github/codeql-action/upload-sarif@v3\n+        if: ${{ always() && hashFiles('checkov-results.sarif') != '' }}\n+        with:\n+          sarif_file: checkov-results.sarif\ndiff --git a/modules/README.md b/modules/README.md\nnew file mode 100644\nindex 000000000..27f80b687\n--- /dev/null\n+++ b/modules/README.md\n@@ -0,0 +1,105 @@\n+# Terraform Modules\n+\n+This directory contains versioned Terraform modules for infrastructure deployment.\n+\n+## Phase 1 Modules (v0.1.0)\n+\n+These modules mirror existing stacks 1:1 to enable no-op migrations using `moved` blocks and `terraform state mv`.\n+\n+| Module | Description | Key Features |\n+|--------|-------------|--------------|\n+| `s3` | S3 bucket with policies | Versioning, encryption, bucket policies, CloudFront OAI support |\n+| `secret` | Secrets Manager | Multi-region replication (us-west-2), read-only IAM policy |\n+| `ddb` | DynamoDB table | KMS encryption, multi-region replicas, GSI/LSI, CDC to Kinesis |\n+| `kinesis` | Kinesis Data Stream | KMS encryption, on-demand mode, consumer IAM policies |\n+| `static_web` | Static website hosting | S3 + CloudFront with OAI, custom cache behaviors |\n+| `sftp` | SFTP Transfer Family | S3 backend, per-user IAM roles, CloudTrail audit logging |\n+\n+## Usage\n+\n+### From Terraform Cloud Private Registry\n+\n+```hcl\n+module \"example_s3\" {\n+  source  = \"app.terraform.io/Imprint/s3/aws\"\n+  version = \"0.1.0\"\n+\n+  environment = \"stg\"\n+  bucket_name = \"my-bucket\"\n+}\n+```\n+\n+### Local Development\n+\n+```hcl\n+module \"example_s3\" {\n+  source = \"../modules/s3\"\n+\n+  environment = \"dev\"\n+  bucket_name = \"my-bucket\"\n+}\n+```\n+\n+## Migration Guide\n+\n+To migrate existing infrastructure to use these modules with no-op:\n+\n+1. **Add module block** referencing the new module\n+2. **Use `moved` blocks** to map existing resources to module resources\n+3. **Run `terraform plan`** to verify no changes\n+4. **Apply** to update state without infrastructure changes\n+\n+Example migration:\n+\n+```hcl\n+# New module usage\n+module \"my_bucket\" {\n+  source  = \"app.terraform.io/Imprint/s3/aws\"\n+  version = \"0.1.0\"\n+\n+  environment = \"prd\"\n+  bucket_name = \"my-existing-bucket\"\n+}\n+\n+# Moved blocks for state migration\n+moved {\n+  from = aws_s3_bucket.my_bucket\n+  to   = module.my_bucket.aws_s3_bucket.bucket\n+}\n+\n+moved {\n+  from = aws_s3_bucket_versioning.my_bucket\n+  to   = module.my_bucket.aws_s3_bucket_versioning.bucket\n+}\n+```\n+\n+## Remote State Dependencies\n+\n+Modules that previously used `terraform_remote_state` have been converted to use input variables:\n+\n+| Module | Original Remote State | New Input Variable |\n+|--------|----------------------|-------------------|\n+| `ddb` | `terraform_remote_state.users.outputs.terraform_cloud_role_arn` | `kms_key_administrator_arn` |\n+| `ddb` | `terraform_remote_state.global.outputs.ddb_hevo_kinesis_stream.arn` | `hevo_kinesis_stream_arn` |\n+| `kinesis` | `terraform_remote_state.users.outputs.group_sre_iam_arns` | `sre_group_iam_arns` |\n+| `sftp` | `terraform_remote_state.census.outputs.census_role_arn` | `census_role_arn` |\n+\n+## Provider Requirements\n+\n+All modules require:\n+- Terraform >= 1.0\n+- AWS Provider >= 3.75.0\n+\n+The `ddb` module requires provider aliases for multi-region replicas:\n+- `aws.default`\n+- `aws.replica-us-west-2`\n+- `aws.replica-us-east-2`\n+\n+## Versioning\n+\n+Modules follow [Semantic Versioning](https://semver.org/):\n+- **Major** (X.0.0): Breaking changes\n+- **Minor** (0.X.0): New features, backwards compatible\n+- **Patch** (0.0.X): Bug fixes, backwards compatible\n+\n+Phase 1 releases start at v0.1.0.\ndiff --git a/modules/ddb/cdc.tf b/modules/ddb/cdc.tf\nnew file mode 100644\nindex 000000000..d0cd86be7\n--- /dev/null\n+++ b/modules/ddb/cdc.tf\n@@ -0,0 +1,6 @@\n+resource \"aws_dynamodb_kinesis_streaming_destination\" \"this\" {\n+  count = local.hevo_count\n+\n+  stream_arn = var.hevo_kinesis_stream_arn\n+  table_name = aws_dynamodb_table.dynamodb_table[0].name\n+}\ndiff --git a/modules/ddb/data.tf b/modules/ddb/data.tf\nnew file mode 100644\nindex 000000000..8fc4b38cc\n--- /dev/null\n+++ b/modules/ddb/data.tf\n@@ -0,0 +1 @@\n+data \"aws_caller_identity\" \"current\" {}\ndiff --git a/modules/ddb/kms.tf b/modules/ddb/kms.tf\nnew file mode 100644\nindex 000000000..91340bbf0\n--- /dev/null\n+++ b/modules/ddb/kms.tf\n@@ -0,0 +1,27 @@\n+resource \"aws_kms_key\" \"customer_managed_key\" {\n+  count               = var.resource_count\n+  description         = \"ddb/${local.table_name}\"\n+  enable_key_rotation = true\n+  is_enabled          = true\n+  policy              = data.aws_iam_policy_document.kms_key_policy[0].json\n+  multi_region        = length(var.replica_regions) > 0\n+}\n+\n+resource \"aws_kms_alias\" \"key_alias\" {\n+  count         = var.resource_count\n+  target_key_id = aws_kms_key.customer_managed_key[0].key_id\n+  name          = \"alias/ddb/${local.table_name}\"\n+}\n+\n+resource \"aws_kms_replica_key\" \"us-west-2_replica\" {\n+  count           = local.us-west-2_replica_enabled ? var.resource_count : 0\n+  provider        = aws.replica-us-west-2\n+  primary_key_arn = aws_kms_key.customer_managed_key[0].arn\n+}\n+\n+resource \"aws_kms_replica_key\" \"us-east-2_replica\" {\n+  count = local.us-east-2_replica_enabled ? var.resource_count : 0\n+\n+  provider        = aws.replica-us-east-2\n+  primary_key_arn = aws_kms_key.customer_managed_key[0].arn\n+}\ndiff --git a/modules/ddb/locals.tf b/modules/ddb/locals.tf\nnew file mode 100644\nindex 000000000..beb07bfc5\n--- /dev/null\n+++ b/modules/ddb/locals.tf\n@@ -0,0 +1,22 @@\n+locals {\n+  default_region           = \"us-east-1\"\n+  us-west-2_region         = \"us-west-2\"\n+  us-east-2_region         = \"us-east-2\"\n+  default_billing_mode     = \"PAY_PER_REQUEST\"\n+  default_stream_view_type = \"NEW_AND_OLD_IMAGES\"\n+  default_ttl_attribute    = \"ttl\"\n+\n+  us-west-2_replica_enabled = contains(var.replica_regions, local.us-west-2_region)\n+  us-east-2_replica_enabled = contains(var.replica_regions, local.us-east-2_region)\n+\n+  env_name       = \"${var.environment}_${var.name}\"\n+  table_name     = var.env_in_name ? local.env_name : var.name\n+  stream_enabled = var.hevo_replication_enabled ? true : var.stream_enabled\n+  stream_view_type = var.stream_enabled && var.stream_view_type == null ? local.default_stream_view_type : (\n+    var.hevo_replication_enabled ? local.default_stream_view_type : var.stream_view_type\n+  )\n+  policy_title = var.policy_title == null ? title(var.policy_name) : var.policy_title\n+  account_id   = data.aws_caller_identity.current.account_id\n+\n+  hevo_count = var.hevo_replication_enabled ? var.resource_count : 0\n+}\ndiff --git a/modules/ddb/main.tf b/modules/ddb/main.tf\nnew file mode 100644\nindex 000000000..f9748980b\n--- /dev/null\n+++ b/modules/ddb/main.tf\n@@ -0,0 +1,88 @@\n+resource \"aws_dynamodb_table\" \"dynamodb_table\" {\n+  count            = var.resource_count\n+  name             = local.table_name\n+  billing_mode     = local.default_billing_mode\n+  hash_key         = var.hash_key\n+  range_key        = var.range_key\n+  stream_enabled   = local.stream_enabled\n+  stream_view_type = local.stream_view_type\n+  read_capacity    = var.read_capacity\n+  write_capacity   = var.write_capacity\n+\n+\n+  dynamic \"attribute\" {\n+    for_each = var.attributes\n+    content {\n+      name = attribute.value[\"name\"]\n+      type = attribute.value[\"type\"]\n+    }\n+  }\n+\n+  dynamic \"local_secondary_index\" {\n+    for_each = var.local_secondary_indexes\n+    content {\n+      name            = local_secondary_index.value[\"name\"]\n+      projection_type = local_secondary_index.value[\"projection_type\"]\n+      range_key       = local_secondary_index.value[\"range_key\"]\n+    }\n+  }\n+\n+  dynamic \"global_secondary_index\" {\n+    for_each = var.global_secondary_indexes\n+\n+    content {\n+      name               = global_secondary_index.value[\"name\"]\n+      hash_key           = global_secondary_index.value[\"hash_key\"]\n+      projection_type    = global_secondary_index.value[\"projection_type\"]\n+      range_key          = lookup(global_secondary_index.value, \"range_key\", null)\n+      read_capacity      = lookup(global_secondary_index.value, \"read_capacity\", null)\n+      write_capacity     = lookup(global_secondary_index.value, \"write_capacity\", null)\n+      non_key_attributes = global_secondary_index.value[\"projection_type\"] == \"INCLUDE\" ? global_secondary_index.value[\"non_key_attributes\"] : null\n+    }\n+  }\n+\n+  dynamic \"replica\" {\n+    for_each = local.us-west-2_replica_enabled ? [1] : []\n+    content {\n+      region_name = local.us-west-2_region\n+      kms_key_arn = aws_kms_replica_key.us-west-2_replica[0].arn\n+    }\n+  }\n+\n+  dynamic \"replica\" {\n+    for_each = local.us-east-2_replica_enabled ? [1] : []\n+    content {\n+      region_name = local.us-east-2_region\n+      kms_key_arn = aws_kms_replica_key.us-east-2_replica[0].arn\n+    }\n+  }\n+\n+  dynamic \"ttl\" {\n+    for_each = var.ttl ? [1] : []\n+    content {\n+      attribute_name = local.default_ttl_attribute\n+      enabled        = true\n+    }\n+  }\n+\n+  point_in_time_recovery {\n+    enabled = var.point_in_time_recovery_enabled\n+  }\n+\n+  server_side_encryption {\n+    enabled     = true\n+    kms_key_arn = aws_kms_key.customer_managed_key[0].arn\n+  }\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = local.table_name\n+      Environment = var.environment\n+    }\n+  )\n+\n+  lifecycle {\n+    prevent_destroy = true\n+  }\n+}\ndiff --git a/modules/ddb/outputs.tf b/modules/ddb/outputs.tf\nnew file mode 100644\nindex 000000000..131ebba52\n--- /dev/null\n+++ b/modules/ddb/outputs.tf\n@@ -0,0 +1,24 @@\n+output \"ddb_policy_read_only\" {\n+  description = \"DDB Policy Read Only\"\n+  value       = var.resource_count == 1 ? aws_iam_policy.ddb_policy_read_only[0] : null\n+}\n+\n+output \"ddb_policy_full_access\" {\n+  description = \"DDB Policy Full Access\"\n+  value       = var.resource_count == 1 ? aws_iam_policy.ddb_policy_full_access[0] : null\n+}\n+\n+output \"table_name\" {\n+  description = \"Name of the DynamoDB table\"\n+  value       = var.resource_count == 1 ? aws_dynamodb_table.dynamodb_table[0].name : null\n+}\n+\n+output \"table_arn\" {\n+  description = \"ARN of the DynamoDB table\"\n+  value       = var.resource_count == 1 ? aws_dynamodb_table.dynamodb_table[0].arn : null\n+}\n+\n+output \"kms_key_arn\" {\n+  description = \"ARN of the KMS key used for table encryption\"\n+  value       = var.resource_count == 1 ? aws_kms_key.customer_managed_key[0].arn : null\n+}\ndiff --git a/modules/ddb/policy.tf b/modules/ddb/policy.tf\nnew file mode 100644\nindex 000000000..794787a47\n--- /dev/null\n+++ b/modules/ddb/policy.tf\n@@ -0,0 +1,100 @@\n+resource \"aws_iam_policy\" \"ddb_policy_read_only\" {\n+  count       = var.resource_count\n+  name        = \"${var.environment}_${var.policy_name}_ddb_policy_read_only\"\n+  path        = \"/services/${var.service}/\"\n+  description = \"${local.policy_title} DDB Access Policy Read Only\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid : \"ListAndDescribe\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:List*\",\n+          \"dynamodb:DescribeReservedCapacity*\",\n+          \"dynamodb:DescribeLimits\",\n+          \"dynamodb:DescribeTimeToLive\"\n+        ],\n+        Resource : \"*\"\n+      },\n+      {\n+        Sid    = \"SpecificTable\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:BatchGet*\",\n+          \"dynamodb:DescribeStream\",\n+          \"dynamodb:DescribeTable\",\n+          \"dynamodb:Get*\",\n+          \"dynamodb:Query\",\n+          \"dynamodb:Scan\",\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) > 0 || length(var.global_secondary_indexes) > 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      }\n+    ]\n+  })\n+}\n+\n+resource \"aws_iam_policy\" \"ddb_policy_full_access\" {\n+  count       = var.resource_count\n+  name        = \"${var.environment}_${var.policy_name}_ddb_policy_full_access\"\n+  path        = \"/services/${var.service}/\"\n+  description = \"${local.policy_title} DDB Access Policy Full Access\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid : \"ListAndDescribe\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:List*\",\n+          \"dynamodb:DescribeReservedCapacity*\",\n+          \"dynamodb:DescribeLimits\",\n+          \"dynamodb:DescribeTimeToLive\"\n+        ],\n+        Resource : \"*\"\n+      },\n+      {\n+        Sid : \"AllowDynamoDBExportAction\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:ExportTableToPointInTime\",\n+          \"dynamodb:DescribeExport\",\n+          \"dynamodb:ListExports\"\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) > 0 || length(var.global_secondary_indexes) > 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      },\n+      {\n+        Sid    = \"SpecificTable\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:BatchGet*\",\n+          \"dynamodb:DescribeStream\",\n+          \"dynamodb:DescribeTable\",\n+          \"dynamodb:Get*\",\n+          \"dynamodb:Query\",\n+          \"dynamodb:Scan\",\n+          \"dynamodb:BatchWrite*\",\n+          \"dynamodb:CreateTable\",\n+          \"dynamodb:Delete*\",\n+          \"dynamodb:Update*\",\n+          \"dynamodb:PutItem\"\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) > 0 || length(var.global_secondary_indexes) > 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      }\n+    ]\n+  })\n+}\ndiff --git a/modules/ddb/policy_doc.tf b/modules/ddb/policy_doc.tf\nnew file mode 100644\nindex 000000000..a27484629\n--- /dev/null\n+++ b/modules/ddb/policy_doc.tf\n@@ -0,0 +1,120 @@\n+data \"aws_iam_policy_document\" \"kms_key_policy\" {\n+  count = var.resource_count\n+\n+  statement {\n+    sid    = \"DDB Table Accessor Policy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"*\"]\n+    }\n+\n+    actions = [\n+      \"kms:Encrypt\",\n+      \"kms:Decrypt\",\n+      \"kms:ReEncrypt*\",\n+      \"kms:GenerateDataKey*\",\n+      \"kms:CreateGrant\",\n+      \"kms:DescribeKey\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"kms:CallerAccount\"\n+      values   = [local.account_id]\n+    }\n+\n+    condition {\n+      test     = \"StringLike\"\n+      variable = \"kms:ViaService\"\n+      values   = [\"dynamodb.*.amazonaws.com\"]\n+    }\n+  }\n+\n+  statement {\n+    sid    = \"KeyAdministratorPolicy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [var.kms_key_administrator_arn]\n+    }\n+\n+    actions = [\n+      \"kms:Create*\",\n+      \"kms:Describe*\",\n+      \"kms:Enable*\",\n+      \"kms:List*\",\n+      \"kms:Put*\",\n+      \"kms:Update*\",\n+      \"kms:Revoke*\",\n+      \"kms:Disable*\",\n+      \"kms:Get*\",\n+      \"kms:Delete*\",\n+      \"kms:TagResource\",\n+      \"kms:UntagResource\",\n+      \"kms:ScheduleKeyDeletion\",\n+      \"kms:CancelKeyDeletion\",\n+      \"kms:Replicate*\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowAccountToManageKeyPolicy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${local.account_id}:root\"]\n+    }\n+\n+    actions = [\n+      \"kms:PutKeyPolicy\",\n+      \"kms:GetKeyPolicy\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowDirectAccessToKeyMetadata\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${local.account_id}:root\"]\n+    }\n+\n+    actions = [\n+      \"kms:Describe*\",\n+      \"kms:Get*\",\n+      \"kms:List*\",\n+      \"kms:RevokeGrant\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowDynamoDBDescribe\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"dynamodb.amazonaws.com\"]\n+    }\n+\n+    actions = [\n+      \"kms:Describe*\",\n+      \"kms:Get*\",\n+      \"kms:List*\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+}\ndiff --git a/modules/ddb/variables.tf b/modules/ddb/variables.tf\nnew file mode 100644\nindex 000000000..b1f5fa047\n--- /dev/null\n+++ b/modules/ddb/variables.tf\n@@ -0,0 +1,138 @@\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, sbx)\"\n+  type        = string\n+}\n+\n+variable \"service\" {\n+  description = \"Name of the calling workspace. Used for IAM path.\"\n+  type        = string\n+}\n+\n+variable \"name\" {\n+  description = \"Name of the DynamoDB table\"\n+  type        = string\n+}\n+\n+variable \"env_in_name\" {\n+  description = \"Whether to include environment prefix in table name\"\n+  type        = bool\n+  default     = true\n+}\n+\n+variable \"policy_name\" {\n+  description = \"Name used for IAM policy naming\"\n+  type        = string\n+}\n+\n+variable \"policy_title\" {\n+  description = \"Title used in IAM policy description\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"hash_key\" {\n+  description = \"The attribute to use as the hash (partition) key\"\n+  type        = string\n+}\n+\n+variable \"range_key\" {\n+  description = \"The attribute to use as the range (sort) key\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"stream_enabled\" {\n+  description = \"Enable DynamoDB streams\"\n+  type        = bool\n+}\n+\n+variable \"stream_view_type\" {\n+  description = \"When an item is modified, what data to capture: KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"resource_count\" {\n+  description = \"A replacement for count, because this is a legacy module that can't use count directly. Can be 1 or 0.\"\n+  type        = number\n+  default     = 1\n+}\n+\n+variable \"attributes\" {\n+  description = \"List of attribute definitions for the table\"\n+  type        = list(map(string))\n+  default = [{\n+    \"name\" = \"key\"\n+    \"type\" = \"S\"\n+  }]\n+}\n+\n+variable \"global_secondary_indexes\" {\n+  description = \"List of GSI definitions. Must follow AWS documentation format.\"\n+  type        = list(map(string))\n+  default     = []\n+}\n+\n+variable \"local_secondary_indexes\" {\n+  description = \"List of LSI definitions. Must follow AWS documentation format.\"\n+  type        = list(map(string))\n+  default     = []\n+}\n+\n+variable \"ttl\" {\n+  description = \"Enable TTL on the table\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"replica_regions\" {\n+  description = \"A list of regions for creating replicas. Only us-east-2 and us-west-2 are supported currently.\"\n+  type        = list(string)\n+  default     = []\n+}\n+\n+variable \"point_in_time_recovery_enabled\" {\n+  description = \"Enable point-in-time recovery\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"default_tags\" {\n+  description = \"Tags to apply to resources\"\n+  type        = map(string)\n+  default = {\n+    Owner     = \"service\"\n+    Terraform = \"true\"\n+    Version   = \"20210414\"\n+  }\n+}\n+\n+variable \"read_capacity\" {\n+  description = \"The number of read capacity units (only for PROVISIONED billing mode)\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"write_capacity\" {\n+  description = \"The number of write capacity units (only for PROVISIONED billing mode)\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"hevo_replication_enabled\" {\n+  description = \"Whether to enable Hevo DynamoDB connector resources\"\n+  type        = bool\n+  default     = false\n+}\n+\n+# Module inputs replacing terraform_remote_state dependencies\n+variable \"kms_key_administrator_arn\" {\n+  description = \"ARN of the IAM role/user for KMS key administration (replaces terraform_remote_state.users.outputs.terraform_cloud_role_arn)\"\n+  type        = string\n+}\n+\n+variable \"hevo_kinesis_stream_arn\" {\n+  description = \"ARN of the Kinesis stream for Hevo CDC (replaces terraform_remote_state.global.outputs.ddb_hevo_kinesis_stream.arn)\"\n+  type        = string\n+  default     = \"\"\n+}\ndiff --git a/modules/ddb/versions.tf b/modules/ddb/versions.tf\nnew file mode 100644\nindex 000000000..c77a152fc\n--- /dev/null\n+++ b/modules/ddb/versions.tf\n@@ -0,0 +1,15 @@\n+terraform {\n+  required_version = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+      configuration_aliases = [\n+        aws.default,\n+        aws.replica-us-west-2,\n+        aws.replica-us-east-2,\n+      ]\n+    }\n+  }\n+}\ndiff --git a/modules/kinesis/data.tf b/modules/kinesis/data.tf\nnew file mode 100644\nindex 000000000..a84fed797\n--- /dev/null\n+++ b/modules/kinesis/data.tf\n@@ -0,0 +1,23 @@\n+data \"aws_caller_identity\" \"current\" {}\n+\n+data \"aws_iam_policy_document\" \"assume_role_policy\" {\n+  count = local.count\n+  statement {\n+    sid    = \"KinesisAssumeRolePolicy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = formatlist(\"arn:aws:iam::%s:root\", var.external_accounts)\n+    }\n+\n+    actions = [\"sts:AssumeRole\"]\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"sts:ExternalId\"\n+      values   = [local.external_id]\n+\n+    }\n+  }\n+}\ndiff --git a/modules/kinesis/iam.tf b/modules/kinesis/iam.tf\nnew file mode 100644\nindex 000000000..643878a6c\n--- /dev/null\n+++ b/modules/kinesis/iam.tf\n@@ -0,0 +1,19 @@\n+resource \"aws_iam_role\" \"connector_role\" {\n+  count = local.count\n+\n+  name                 = \"${local.env_name}_connector_role\"\n+  assume_role_policy   = data.aws_iam_policy_document.assume_role_policy[0].json\n+  max_session_duration = 12 * 60 * 60 // 12 hours in seconds\n+}\n+\n+resource \"aws_iam_role_policy_attachment\" \"kinesis_consumer_access\" {\n+  count      = local.count\n+  role       = aws_iam_role.connector_role[0].name\n+  policy_arn = aws_iam_policy.kinesis_consumer_access[0].arn\n+}\n+\n+resource \"aws_iam_role_policy_attachment\" \"ddb_connector_policy\" {\n+  count      = local.count\n+  role       = aws_iam_role.connector_role[0].name\n+  policy_arn = aws_iam_policy.ddb_connector_policy[0].arn\n+}\ndiff --git a/modules/kinesis/kms.tf b/modules/kinesis/kms.tf\nnew file mode 100644\nindex 000000000..cd0da5277\n--- /dev/null\n+++ b/modules/kinesis/kms.tf\n@@ -0,0 +1,108 @@\n+resource \"aws_kms_key\" \"customer_managed_key\" {\n+  count = local.count\n+\n+  description         = \"kinesis/${local.env_name}\"\n+  enable_key_rotation = true\n+  is_enabled          = true\n+  policy              = data.aws_iam_policy_document.kms_key_policy[0].json\n+}\n+\n+data \"aws_iam_policy_document\" \"kms_key_policy\" {\n+  count = local.count\n+\n+  statement {\n+    sid    = \"Kinesis Accessor Policy\"\n+    effect = \"Allow\"\n+    principals {\n+      identifiers = [\"*\"]\n+      type        = \"AWS\"\n+    }\n+    actions = [\n+      \"kms:Encrypt\",\n+      \"kms:Decrypt\",\n+      \"kms:ReEncrypt*\",\n+      \"kms:GenerateDataKey*\",\n+      \"kms:DescribeKey\",\n+    ]\n+    resources = [\"arn:aws:kms:${var.region}:${local.aws_account_id}:key/*\"]\n+    condition {\n+      test     = \"StringEquals\"\n+      values   = [local.aws_account_id]\n+      variable = \"kms:CallerAccount\"\n+    }\n+    condition {\n+      test     = \"StringEquals\"\n+      values   = [\"kinesis.${var.region}.amazonaws.com\"]\n+      variable = \"kms:ViaService\"\n+    }\n+  }\n+\n+  statement {\n+    sid    = \"Allow direct access to key metadata to the account\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${local.aws_account_id}:root\"]\n+

Error: result (72,169 characters) exceeds maximum allowed tokens. Output has been saved to /Users/danielroth/.claude/projects/-Users-danielroth-dev-infrastructure-modules-dev/5f2d0a22-b7b9-43b6-b7f8-66cb6f630ad8/tool-results/mcp-github-pull_request_read-1767896413233.txt.
Format: JSON array with schema: [{type: string, text: string}]
Use offset and limit parameters to read specific portions of the file, the Grep tool to search for specific content, and jq to make structured queries.
REQUIREMENTS FOR SUMMARIZATION/ANALYSIS/REVIEW:
- You MUST read the content from the file at /Users/danielroth/.claude/projects/-Users-danielroth-dev-infrastructure-modules-dev/5f2d0a22-b7b9-43b6-b7f8-66cb6f630ad8/tool-results/mcp-github-pull_request_read-1767896413233.txt in sequential chunks until 100% of the content has been read.
- If you receive truncation warnings when reading the file, reduce the chunk size until you have read 100% of the content without truncation.
- Before producing ANY summary or analysis, you MUST explicitly describe what portion of the content you have read. ***If you did not read the entire content, you MUST explicitly state this.***

  }\n+    actions = [\n+      \"kms:Describe*\",\n+      \"kms:Get*\",\n+      \"kms:List*\"\n+    ]\n+    resources = [\"arn:aws:kms:${var.region}:${local.aws_account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"Key Administrator Policy\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = var.environment == \"prd\" ? [\"arn:aws:iam::${local.aws_account_id}:user/${var.environment}-tf\"] : [\"arn:aws:iam::${local.aws_account_id}:user/stg-tf\"]\n+\n+    }\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = var.sre_group_iam_arns\n+    }\n+\n+    actions = [\n+      \"kms:Create*\",\n+      \"kms:Describe*\",\n+      \"kms:Enable*\",\n+      \"kms:List*\",\n+      \"kms:Put*\",\n+      \"kms:Update*\",\n+      \"kms:Revoke*\",\n+      \"kms:Disable*\",\n+      \"kms:Get*\",\n+      \"kms:Delete*\",\n+      \"kms:TagResource\",\n+      \"kms:UntagResource\",\n+      \"kms:ScheduleKeyDeletion\",\n+      \"kms:CancelKeyDeletion\",\n+      \"kms:Replicate*\"\n+    ]\n+\n+    resources = [\"arn:aws:kms:${var.region}:${local.aws_account_id}:key/*\"]\n+  }\n+\n+  dynamic \"statement\" {\n+    for_each = var.external_accounts\n+    content {\n+      sid    = \"External ${statement.value} Accessor Policy\"\n+      effect = \"Allow\"\n+      principals {\n+        identifiers = [\"arn:aws:iam::${statement.value}:root\"]\n+        type        = \"AWS\"\n+      }\n+      actions = [\n+        \"kms:Encrypt\",\n+        \"kms:Decrypt\",\n+        \"kms:ReEncrypt*\",\n+        \"kms:GenerateDataKey*\",\n+        \"kms:DescribeKey\"\n+      ]\n+      resources = [\"arn:aws:kms:${var.region}:${local.aws_account_id}:key/*\"]\n+    }\n+  }\n+}\ndiff --git a/modules/kinesis/locals.tf b/modules/kinesis/locals.tf\nnew file mode 100644\nindex 000000000..40f83a3d8\n--- /dev/null\n+++ b/modules/kinesis/locals.tf\n@@ -0,0 +1,16 @@\n+locals {\n+  encryption_type = \"KMS\"\n+  stream_mode     = \"ON_DEMAND\"\n+\n+  env_name       = \"${var.environment}_${var.name}\"\n+  aws_account_id = data.aws_caller_identity.current.account_id\n+  region         = \"us-east-1\"\n+\n+  count = var.create ? 1 : 0\n+\n+  external_ids = {\n+    \"stg\" : \"00b1fd646b0cde66a\",\n+    \"prd\" : \"fe59fc39d8b19ff52\",\n+  }\n+  external_id = \"${var.environment}_hevo_ddb_connector_${lookup(local.external_ids, var.environment, local.external_ids[\"stg\"])}\"\n+}\ndiff --git a/modules/kinesis/main.tf b/modules/kinesis/main.tf\nnew file mode 100644\nindex 000000000..e8dfef395\n--- /dev/null\n+++ b/modules/kinesis/main.tf\n@@ -0,0 +1,12 @@\n+resource \"aws_kinesis_stream\" \"this\" {\n+  count = local.count\n+\n+  name             = local.env_name\n+  retention_period = var.retention_period_hours\n+  encryption_type  = local.encryption_type\n+  kms_key_id       = aws_kms_key.customer_managed_key[0].key_id\n+\n+  stream_mode_details {\n+    stream_mode = local.stream_mode\n+  }\n+}\ndiff --git a/modules/kinesis/outputs.tf b/modules/kinesis/outputs.tf\nnew file mode 100644\nindex 000000000..f1b802749\n--- /dev/null\n+++ b/modules/kinesis/outputs.tf\n@@ -0,0 +1,19 @@\n+output \"arn\" {\n+  description = \"ARN of the Kinesis stream\"\n+  value       = local.count > 0 ? aws_kinesis_stream.this[0].arn : null\n+}\n+\n+output \"consumer_access_policy_arn\" {\n+  description = \"ARN of the Kinesis consumer access policy\"\n+  value       = local.count > 0 ? aws_iam_policy.kinesis_consumer_access[0].arn : null\n+}\n+\n+output \"kms_key_arn\" {\n+  description = \"ARN of the KMS key used for stream encryption\"\n+  value       = local.count > 0 ? aws_kms_key.customer_managed_key[0].arn : null\n+}\n+\n+output \"connector_role_arn\" {\n+  description = \"ARN of the connector IAM role\"\n+  value       = local.count > 0 ? aws_iam_role.connector_role[0].arn : null\n+}\ndiff --git a/modules/kinesis/policy.tf b/modules/kinesis/policy.tf\nnew file mode 100644\nindex 000000000..4a0d8e960\n--- /dev/null\n+++ b/modules/kinesis/policy.tf\n@@ -0,0 +1,82 @@\n+resource \"aws_iam_policy\" \"kinesis_consumer_access\" {\n+  count = local.count\n+\n+  name        = \"${local.env_name}_kinesis_consumer_access_policy\"\n+  path        = \"/policy/\"\n+  description = \"${local.env_name} Kinesis Consumer Access Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid    = \"KinesisStreamAccess\",\n+        Effect = \"Allow\"\n+        Action = [\n+          \"kinesis:DescribeStream\",\n+          \"kinesis:GetShardIterator\",\n+          \"kinesis:GetRecords\",\n+          \"kinesis:ListShards\",\n+          \"kinesis:DescribeStreamSummary\",\n+          \"kinesis:RegisterStreamConsumer\"\n+        ],\n+        Resource = [aws_kinesis_stream.this[0].arn]\n+      },\n+      {\n+        Sid    = \"KinesisStreamConsume\",\n+        Effect = \"Allow\"\n+        Action = [\n+          \"kinesis:SubscribeToShard\",\n+          \"kinesis:DescribeStreamConsumer\"\n+        ],\n+        Resource = [\"${aws_kinesis_stream.this[0].arn}/*\"]\n+      },\n+      {\n+        Sid    = \"KinesisKMSKeyAccess\"\n+        Effect = \"Allow\"\n+        Action = [\n+          \"kms:Encrypt\",\n+          \"kms:Decrypt\",\n+          \"kms:ReEncrypt*\",\n+          \"kms:GenerateDataKey*\",\n+          \"kms:DescribeKey\"\n+        ],\n+        Resource = [aws_kms_key.customer_managed_key[0].arn]\n+      }\n+    ]\n+  })\n+}\n+\n+resource \"aws_iam_policy\" \"ddb_connector_policy\" {\n+  count = local.count\n+\n+  name        = \"${local.env_name}_ddb_connector_access_policy\"\n+  path        = \"/policy/\"\n+  description = \"${local.env_name} DDB Connector Access Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid    = \"DynamoDBAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:Scan\",\n+          \"dynamodb:GetRecords\",\n+          \"dynamodb:ListTables\",\n+          \"dynamodb:ListStreams\",\n+          \"dynamodb:DescribeTable\",\n+          \"dynamodb:DescribeStream\",\n+          \"dynamodb:GetShardIterator\"\n+        ]\n+        Resource = [\"arn:aws:dynamodb:${local.region}:${local.aws_account_id}:table/*\"]\n+        }, {\n+        Sid    = \"DynamoDBCreateTableAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:CreateTable\",\n+        ]\n+        Resource = [\"arn:aws:dynamodb:${local.region}:${local.aws_account_id}:table/hevo_kcl*\"]\n+      }\n+    ]\n+  })\n+}\ndiff --git a/modules/kinesis/variables.tf b/modules/kinesis/variables.tf\nnew file mode 100644\nindex 000000000..30325bb40\n--- /dev/null\n+++ b/modules/kinesis/variables.tf\n@@ -0,0 +1,39 @@\n+variable \"create\" {\n+  description = \"Whether to create the kinesis stream and associated resources\"\n+  type        = bool\n+  default     = true\n+}\n+\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, sbx)\"\n+  type        = string\n+}\n+\n+variable \"name\" {\n+  description = \"Name of the Kinesis stream\"\n+  type        = string\n+}\n+\n+variable \"region\" {\n+  description = \"AWS region\"\n+  type        = string\n+  default     = \"us-east-1\"\n+}\n+\n+variable \"retention_period_hours\" {\n+  description = \"The number of hours for data records to remain accessible\"\n+  type        = number\n+  default     = 7 * 24\n+}\n+\n+variable \"external_accounts\" {\n+  description = \"The AWS account IDs of any external AWS account that needs to use the key\"\n+  type        = list(string)\n+  default     = []\n+}\n+\n+# Module inputs replacing terraform_remote_state dependencies\n+variable \"sre_group_iam_arns\" {\n+  description = \"List of IAM ARNs for SRE group members (replaces terraform_remote_state.users.outputs.group_sre_iam_arns)\"\n+  type        = list(string)\n+}\ndiff --git a/modules/kinesis/versions.tf b/modules/kinesis/versions.tf\nnew file mode 100644\nindex 000000000..2eb3bfd21\n--- /dev/null\n+++ b/modules/kinesis/versions.tf\n@@ -0,0 +1,10 @@\n+terraform {\n+  required_version = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+    }\n+  }\n+}\ndiff --git a/modules/s3/data.tf b/modules/s3/data.tf\nnew file mode 100644\nindex 000000000..1881340bc\n--- /dev/null\n+++ b/modules/s3/data.tf\n@@ -0,0 +1,5 @@\n+data \"aws_region\" \"current\" {}\n+\n+data \"aws_caller_identity\" \"current\" {}\n+\n+data \"aws_elb_service_account\" \"main\" {}\ndiff --git a/modules/s3/main.tf b/modules/s3/main.tf\nnew file mode 100644\nindex 000000000..7d5bf18bf\n--- /dev/null\n+++ b/modules/s3/main.tf\n@@ -0,0 +1,78 @@\n+locals {\n+  # Respect user-specified logging_target_bucket_name, otherwise use pre-defined value based on region\n+  logging_target_bucket_name = var.logging_target_bucket_name != \"\" ? var.logging_target_bucket_name : data.aws_region.current.name == \"us-east-1\" ? \"imprint-s3-access-log\" : \"imprint-s3-access-log-${data.aws_region.current.name}\"\n+\n+  logging_target_bucket = {\n+    prd    = \"${var.environment}-${local.logging_target_bucket_name}\"\n+    stg    = \"stg-${local.logging_target_bucket_name}\"\n+    sbx    = \"stg-${local.logging_target_bucket_name}\"\n+    preprd = \"${var.environment}-${local.logging_target_bucket_name}\"\n+  }\n+}\n+\n+resource \"aws_s3_bucket\" \"bucket\" {\n+  bucket = var.bucket_name\n+  acl    = var.acl\n+\n+  logging {\n+    target_bucket = lookup(\n+      local.logging_target_bucket,\n+      var.environment,\n+      \"\"\n+    )\n+    target_prefix = \"${var.bucket_name}/\"\n+  }\n+\n+  server_side_encryption_configuration {\n+    rule {\n+      apply_server_side_encryption_by_default {\n+        sse_algorithm = \"AES256\"\n+      }\n+    }\n+  }\n+\n+  versioning {\n+    # Force bucket versioning on prd according to SOC2 compliance\n+    enabled    = var.enable_versioning || var.environment == \"prd\"\n+    mfa_delete = var.mfa_delete\n+  }\n+\n+  dynamic \"website\" {\n+    for_each = length(keys(var.website)) == 0 ? [] : [var.website]\n+\n+    content {\n+      index_document           = lookup(website.value, \"index_document\", null)\n+      error_document           = lookup(website.value, \"error_document\", null)\n+      redirect_all_requests_to = lookup(website.value, \"redirect_all_requests_to\", null)\n+      routing_rules            = lookup(website.value, \"routing_rules\", null)\n+    }\n+  }\n+\n+  dynamic \"cors_rule\" {\n+    for_each = var.cors_rule\n+\n+    content {\n+      allowed_methods = cors_rule.value.allowed_methods\n+      allowed_origins = cors_rule.value.allowed_origins\n+      allowed_headers = lookup(cors_rule.value, \"allowed_headers\", null)\n+      expose_headers  = lookup(cors_rule.value, \"expose_headers\", null)\n+      max_age_seconds = lookup(cors_rule.value, \"max_age_seconds\", null)\n+    }\n+  }\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Environment = var.environment\n+    }\n+  )\n+}\n+\n+resource \"aws_s3_bucket_public_access_block\" \"bucket_public_access_block\" {\n+  bucket = aws_s3_bucket.bucket.id\n+\n+  block_public_acls       = true\n+  block_public_policy     = true\n+  ignore_public_acls      = true\n+  restrict_public_buckets = true\n+}\ndiff --git a/modules/s3/outputs.tf b/modules/s3/outputs.tf\nnew file mode 100644\nindex 000000000..b2b9d236b\n--- /dev/null\n+++ b/modules/s3/outputs.tf\n@@ -0,0 +1,24 @@\n+output \"bucket_id\" {\n+  description = \"The ID of the S3 bucket\"\n+  value       = aws_s3_bucket.bucket.id\n+}\n+\n+output \"bucket_arn\" {\n+  description = \"The ARN of the S3 bucket\"\n+  value       = aws_s3_bucket.bucket.arn\n+}\n+\n+output \"bucket_regional_domain_name\" {\n+  description = \"The regional domain name of the S3 bucket\"\n+  value       = aws_s3_bucket.bucket.bucket_regional_domain_name\n+}\n+\n+output \"s3_policy_read_only\" {\n+  description = \"The read-only IAM policy for the S3 bucket\"\n+  value       = aws_iam_policy.s3_policy_read_only\n+}\n+\n+output \"s3_policy_full_access\" {\n+  description = \"The full access IAM policy for the S3 bucket\"\n+  value       = aws_iam_policy.s3_policy_full_access\n+}\ndiff --git a/modules/s3/policy.tf b/modules/s3/policy.tf\nnew file mode 100644\nindex 000000000..abc30fcd3\n--- /dev/null\n+++ b/modules/s3/policy.tf\n@@ -0,0 +1,83 @@\n+resource \"aws_s3_bucket_policy\" \"bucket_policy\" {\n+  bucket = aws_s3_bucket.bucket.id\n+  policy = data.aws_iam_policy_document.combined.json\n+}\n+\n+data \"aws_iam_policy_document\" \"combined\" {\n+  source_policy_documents = compact([\n+    var.attach_lb_log_delivery_policy ? data.aws_iam_policy_document.lb_log_delivery[0].json : \"\",\n+    data.aws_iam_policy_document.deny_insecure_transport.json,\n+    var.attach_cloudfront_oai_policy ? data.aws_iam_policy_document.cloudfront_oai[0].json : \"\",\n+    var.attach_bucket_owner_full_control_policy ? data.aws_iam_policy_document.bucket_owner_full_control[0].json : \"\",\n+    var.attach_cloudtrail_policy ? data.aws_iam_policy_document.allow_cloudtrail_access[0].json : \"\",\n+    var.additional_policy\n+  ])\n+}\n+\n+resource \"aws_iam_policy\" \"s3_policy_read_only\" {\n+  name        = \"${var.bucket_name}_s3_policy_read_only\"\n+  path        = length(var.service) > 0 ? \"/services/${var.service}/\" : \"/services/\"\n+  description = \"${var.bucket_name} S3 Access Policy Read Only\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid    = \"List\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:ListBucket\",\n+          \"s3:GetBucketLocation\",\n+        ],\n+        Resource = [\n+          aws_s3_bucket.bucket.arn\n+        ]\n+      },\n+      {\n+        Sid    = \"ReadBucket\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:GetObject*\",\n+        ],\n+        Resource = [\n+          aws_s3_bucket.bucket.arn,\n+          \"${aws_s3_bucket.bucket.arn}/*\",\n+        ]\n+      },\n+    ]\n+  })\n+}\n+\n+resource \"aws_iam_policy\" \"s3_policy_full_access\" {\n+  name        = \"${var.bucket_name}_s3_policy_full_access\"\n+  path        = length(var.service) > 0 ? \"/services/${var.service}/\" : \"/services/\"\n+  description = \"${var.bucket_name} S3 Access Policy Full Access\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid    = \"List\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:ListBucket\",\n+          \"s3:GetBucketLocation\",\n+        ],\n+        Resource = [\n+          aws_s3_bucket.bucket.arn\n+        ]\n+      },\n+      {\n+        Sid    = \"ReadWriteBucket\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:*Object*\",\n+        ],\n+        Resource = [\n+          aws_s3_bucket.bucket.arn,\n+          \"${aws_s3_bucket.bucket.arn}/*\",\n+        ]\n+      },\n+    ]\n+  })\n+}\ndiff --git a/modules/s3/policy_doc.tf b/modules/s3/policy_doc.tf\nnew file mode 100644\nindex 000000000..8f4794991\n--- /dev/null\n+++ b/modules/s3/policy_doc.tf\n@@ -0,0 +1,215 @@\n+data \"aws_elb_service_account\" \"this\" {\n+  count = var.attach_lb_log_delivery_policy ? 1 : 0\n+}\n+\n+data \"aws_iam_policy_document\" \"lb_log_delivery\" {\n+  count = var.attach_lb_log_delivery_policy ? 1 : 0\n+\n+  statement {\n+    sid = \"AWSLogDeliveryAccess\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = data.aws_elb_service_account.this.*.arn\n+    }\n+\n+    effect = \"Allow\"\n+\n+    actions = [\n+      \"s3:PutObject\",\n+    ]\n+\n+    resources = [\n+      \"${aws_s3_bucket.bucket.arn}/*\",\n+    ]\n+  }\n+\n+  statement {\n+    sid = \"AWSLogDeliveryWrite\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"delivery.logs.amazonaws.com\"]\n+    }\n+\n+    effect = \"Allow\"\n+\n+    actions = [\n+      \"s3:PutObject\",\n+    ]\n+\n+    resources = [\n+      \"${aws_s3_bucket.bucket.arn}/*\",\n+    ]\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"s3:x-amz-acl\"\n+      values   = [\"bucket-owner-full-control\"]\n+    }\n+  }\n+\n+  statement {\n+    sid = \"AWSLogDeliveryAclCheck\"\n+\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"delivery.logs.amazonaws.com\"]\n+    }\n+\n+    actions = [\n+      \"s3:GetBucketAcl\",\n+    ]\n+\n+    resources = [\n+      aws_s3_bucket.bucket.arn,\n+    ]\n+  }\n+}\n+\n+data \"aws_iam_policy_document\" \"deny_insecure_transport\" {\n+  statement {\n+    sid    = \"denyInsecureTransport\"\n+    effect = \"Deny\"\n+\n+    actions = [\n+      \"s3:*\",\n+    ]\n+\n+    resources = [\n+      aws_s3_bucket.bucket.arn,\n+      \"${aws_s3_bucket.bucket.arn}/*\",\n+    ]\n+\n+    principals {\n+      type        = \"*\"\n+      identifiers = [\"*\"]\n+    }\n+\n+    condition {\n+      test     = \"Bool\"\n+      variable = \"aws:SecureTransport\"\n+      values = [\n+        \"false\"\n+      ]\n+    }\n+  }\n+}\n+\n+data \"aws_iam_policy_document\" \"cloudfront_oai\" {\n+  count = var.attach_cloudfront_oai_policy ? 1 : 0\n+\n+  statement {\n+    sid = \"cdnOrignAccess\"\n+\n+    effect = \"Allow\"\n+    actions = [\n+      \"s3:GetObject\"\n+    ]\n+\n+    resources = [\n+      \"${aws_s3_bucket.bucket.arn}/*\",\n+    ]\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [var.cloudfront_oai_iam_arn]\n+    }\n+  }\n+}\n+\n+data \"aws_iam_policy_document\" \"bucket_owner_full_control\" {\n+  count = var.attach_bucket_owner_full_control_policy ? 1 : 0\n+\n+  statement {\n+    sid    = \"InventoryAndAnalyticsExamplePolicy\"\n+    effect = \"Allow\"\n+\n+    actions = [\n+      \"s3:PutObject\",\n+    ]\n+\n+    resources = [\n+      \"${aws_s3_bucket.bucket.arn}/*\",\n+    ]\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"s3.amazonaws.com\"]\n+    }\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"aws:SourceAccount\"\n+      values = [\n+        data.aws_caller_identity.current.account_id\n+      ]\n+    }\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"s3:x-amz-acl\"\n+      values = [\n+        \"bucket-owner-full-control\"\n+      ]\n+    }\n+\n+    condition {\n+      test     = \"ArnLike\"\n+      variable = \"aws:SourceArn\"\n+      values = [\n+        aws_s3_bucket.bucket.arn\n+      ]\n+    }\n+  }\n+}\n+\n+data \"aws_iam_policy_document\" \"allow_cloudtrail_access\" {\n+  count = var.attach_cloudtrail_policy ? 1 : 0\n+\n+  statement {\n+    sid = \"CloudtrailGetAcl\"\n+\n+    effect = \"Allow\"\n+\n+    actions = [\n+      \"s3:GetBucketAcl\",\n+    ]\n+\n+    resources = [\n+      aws_s3_bucket.bucket.arn,\n+    ]\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"cloudtrail.amazonaws.com\"]\n+    }\n+  }\n+\n+  statement {\n+    sid = \"CloudtrailPutObject\"\n+\n+    effect = \"Allow\"\n+\n+    actions = [\n+      \"s3:PutObject\",\n+    ]\n+\n+    resources = [\n+      \"${aws_s3_bucket.bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*\",\n+    ]\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"cloudtrail.amazonaws.com\"]\n+    }\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"s3:x-amz-acl\"\n+      values   = [\"bucket-owner-full-control\"]\n+    }\n+  }\n+}\ndiff --git a/modules/s3/variables.tf b/modules/s3/variables.tf\nnew file mode 100644\nindex 000000000..e0482b8a8\n--- /dev/null\n+++ b/modules/s3/variables.tf\n@@ -0,0 +1,97 @@\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, sbx)\"\n+  type        = string\n+}\n+\n+variable \"bucket_name\" {\n+  description = \"Name of the S3 bucket\"\n+  type        = string\n+}\n+\n+variable \"logging_target_bucket_name\" {\n+  description = \"Target bucket for access logging. If empty, uses environment-based default.\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"acl\" {\n+  description = \"Canned ACL to apply to the bucket\"\n+  type        = string\n+  default     = \"private\"\n+}\n+\n+variable \"mfa_delete\" {\n+  description = \"Enable MFA delete for bucket versioning\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"enable_versioning\" {\n+  description = \"Enable bucket versioning. Refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"service\" {\n+  description = \"Name of the calling workspace. Used for resource naming, IAM path, etc.\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"website\" {\n+  description = \"Map containing static web-site hosting or redirect configuration.\"\n+  type        = map(string)\n+  default     = {}\n+}\n+\n+variable \"cors_rule\" {\n+  description = \"List of maps containing rules for Cross-Origin Resource Sharing.\"\n+  type        = any\n+  default     = []\n+}\n+\n+variable \"default_tags\" {\n+  description = \"Tags to apply to resources created by module\"\n+  type        = map(string)\n+  default = {\n+    Owner     = \"devops\"\n+    Terraform = \"true\"\n+    Version   = \"20210414\"\n+  }\n+}\n+\n+variable \"attach_lb_log_delivery_policy\" {\n+  description = \"Controls if S3 bucket should have ALB/NLB log delivery policy attached\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"attach_cloudfront_oai_policy\" {\n+  description = \"Controls if S3 bucket should allow CDN access\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"attach_bucket_owner_full_control_policy\" {\n+  description = \"Controls if S3 bucket should have bucket owner full control\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"cloudfront_oai_iam_arn\" {\n+  description = \"IAM ARN for CDN origin access identity, specify only when attach_cloudfront_oai_policy is true\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"attach_cloudtrail_policy\" {\n+  description = \"Determine whether cloudtrail should be able to write to this bucket\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"additional_policy\" {\n+  description = \"Additional policy JSON the S3 bucket should attach\"\n+  type        = string\n+  default     = \"\"\n+}\ndiff --git a/modules/s3/versions.tf b/modules/s3/versions.tf\nnew file mode 100644\nindex 000000000..2eb3bfd21\n--- /dev/null\n+++ b/modules/s3/versions.tf\n@@ -0,0 +1,10 @@\n+terraform {\n+  required_version = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+    }\n+  }\n+}\ndiff --git a/modules/secret/iam.tf b/modules/secret/iam.tf\nnew file mode 100644\nindex 000000000..9220c3656\n--- /dev/null\n+++ b/modules/secret/iam.tf\n@@ -0,0 +1,26 @@\n+resource \"aws_iam_policy\" \"secret_read_only_access_policy\" {\n+  name        = \"${var.environment}_${var.name}_secret_read_only_access_policy\"\n+  path        = \"/services/${var.service}/\"\n+  description = \"${var.name} Secret Read Only Access Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Id      = \"${var.name}_secret_read_only_access_policy\"\n+    Statement = [\n+      {\n+        Sid    = \"SecretsManagerOperations\",\n+        Effect = \"Allow\",\n+        Action : [\n+          \"secretsmanager:GetResourcePolicy\",\n+          \"secretsmanager:GetSecretValue\",\n+          \"secretsmanager:DescribeSecret\",\n+          \"secretsmanager:ListSecretVersionIds\",\n+          \"secretsmanager:ListSecrets\"\n+        ],\n+        Resource : [\n+          aws_secretsmanager_secret.secret.arn,\n+        ]\n+      },\n+    ]\n+  })\n+}\ndiff --git a/modules/secret/main.tf b/modules/secret/main.tf\nnew file mode 100644\nindex 000000000..97c895c5e\n--- /dev/null\n+++ b/modules/secret/main.tf\n@@ -0,0 +1,7 @@\n+resource \"aws_secretsmanager_secret\" \"secret\" {\n+  name = \"${var.environment}${var.separator}${var.name}\"\n+\n+  replica {\n+    region = \"us-west-2\"\n+  }\n+}\ndiff --git a/modules/secret/outputs.tf b/modules/secret/outputs.tf\nnew file mode 100644\nindex 000000000..369852b8c\n--- /dev/null\n+++ b/modules/secret/outputs.tf\n@@ -0,0 +1,9 @@\n+output \"secret_read_only_access_policy\" {\n+  description = \"Read-only access policy for secret\"\n+  value       = aws_iam_policy.secret_read_only_access_policy\n+}\n+\n+output \"arn\" {\n+  description = \"ARN of the secret\"\n+  value       = aws_secretsmanager_secret.secret.arn\n+}\ndiff --git a/modules/secret/variables.tf b/modules/secret/variables.tf\nnew file mode 100644\nindex 000000000..718e1c0fe\n--- /dev/null\n+++ b/modules/secret/variables.tf\n@@ -0,0 +1,20 @@\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, sbx)\"\n+  type        = string\n+}\n+\n+variable \"service\" {\n+  description = \"Name of the calling workspace. Used for IAM path.\"\n+  type        = string\n+}\n+\n+variable \"name\" {\n+  description = \"Name of the secret (combined with environment and separator)\"\n+  type        = string\n+}\n+\n+variable \"separator\" {\n+  description = \"The character that separates environment from name in the secret name. Defaults to '_'\"\n+  type        = string\n+  default     = \"_\"\n+}\ndiff --git a/modules/secret/versions.tf b/modules/secret/versions.tf\nnew file mode 100644\nindex 000000000..2eb3bfd21\n--- /dev/null\n+++ b/modules/secret/versions.tf\n@@ -0,0 +1,10 @@\n+terraform {\n+  required_version = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+    }\n+  }\n+}\ndiff --git a/modules/sftp/data.tf b/modules/sftp/data.tf\nnew file mode 100644\nindex 000000000..2562753cb\n--- /dev/null\n+++ b/modules/sftp/data.tf\n@@ -0,0 +1,20 @@\n+data \"aws_region\" \"current\" {}\n+\n+data \"aws_caller_identity\" \"current\" {}\n+\n+data \"aws_iam_policy_document\" \"sftp_assume_role_policy\" {\n+  statement {\n+    actions = [\"sts:AssumeRole\"]\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"transfer.amazonaws.com\"]\n+    }\n+\n+    condition {\n+      test     = \"StringEqualsIfExists\"\n+      values   = [data.aws_caller_identity.current.account_id]\n+      variable = \"aws:SourceAccount\"\n+    }\n+  }\n+}\ndiff --git a/modules/sftp/iam.tf b/modules/sftp/iam.tf\nnew file mode 100644\nindex 000000000..4cf2bc503\n--- /dev/null\n+++ b/modules/sftp/iam.tf\n@@ -0,0 +1,103 @@\n+# IAM role for each SFTP user\n+resource \"aws_iam_role\" \"sftp_user_iam_role\" {\n+  for_each = toset(var.usernames)\n+\n+  name               = \"${var.environment}-sftp-${each.value}-role\"\n+  assume_role_policy = data.aws_iam_policy_document.sftp_assume_role_policy.json\n+}\n+\n+# IAM policy for each SFTP user\n+resource \"aws_iam_policy\" \"sftp_policy\" {\n+  for_each = toset(var.usernames)\n+\n+  name        = \"${var.environment}_sftp_access_policy_${each.value}\"\n+  description = \"SFTP Bucket Access Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Id      = \"sftp_user_bucket_role\"\n+    Statement = [\n+      {\n+        Sid    = \"AllowListingOfUserFolder\",\n+        Effect = \"Allow\",\n+        Action : [\n+          \"s3:ListBucket\",\n+          \"s3:GetBucketLocation\"\n+        ]\n+        Resource = [\n+          aws_s3_bucket.sftp_bucket.arn\n+        ]\n+        Condition = {\n+          StringLike = {\n+            \"s3:prefix\" = [\n+              \"${each.value}/*\"\n+            ]\n+          }\n+        }\n+      },\n+      {\n+        Sid    = \"HomeDirObjectAccess\",\n+        Effect = \"Allow\",\n+        Action : [\n+          \"s3:PutObject\",\n+          \"s3:GetObject\",\n+          \"s3:DeleteObject\",\n+          \"s3:DeleteObjectVersion\",\n+          \"s3:GetObjectVersion\",\n+          \"s3:GetObjectACL\",\n+          \"s3:PutObjectACL\",\n+          \"s3:ListMultipartUploadParts\"\n+        ]\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/uploads/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"HomeDirReadOnlyAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:GetObject\",\n+          \"s3:GetObjectVersion\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/downloads/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"TestDirAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:PutObject\",\n+          \"s3:GetObject\",\n+          \"s3:DeleteObject\",\n+          \"s3:DeleteObjectVersion\",\n+          \"s3:GetObjectVersion\",\n+          \"s3:GetObjectACL\",\n+          \"s3:PutObjectACL\",\n+          \"s3:ListMultipartUploadParts\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/test/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"ListFilesInSFTPClient\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:GetObject\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/*\"\n+        ]\n+      }\n+    ]\n+  })\n+}\n+\n+# Attach policy to role for each user\n+resource \"aws_iam_role_policy_attachment\" \"sftp_s3_policy_attachment\" {\n+  for_each = toset(var.usernames)\n+\n+  role       = aws_iam_role.sftp_user_iam_role[each.value].name\n+  policy_arn = aws_iam_policy.sftp_policy[each.value].arn\n+}\ndiff --git a/modules/sftp/locals.tf b/modules/sftp/locals.tf\nnew file mode 100644\nindex 000000000..22be7aa08\n--- /dev/null\n+++ b/modules/sftp/locals.tf\n@@ -0,0 +1,4 @@\n+locals {\n+  bucket_name            = \"${var.environment}-sftp-data-storage\"\n+  cloudtrail_bucket_name = \"${local.bucket_

[{"sha":"6e7faabe356942363d66c383599348b386f72fcb","filename":".github/workflows/terraform-module-publish.yml","additions":160,"deletions":0,"changes":160,"status":"added","patch":"@@ -0,0 +1,160 @@\n+name: Terraform Module CI/CD\n+\n+on:\n+  push:\n+    branches:\n+      - main\n+    tags:\n+      - 'v*'\n+  pull_request:\n+    branches:\n+      - main\n+\n+env:\n+  TF_VERSION: \"1.5.0\"\n+\n+jobs:\n+  validate:\n+    name: Validate Modules\n+    runs-on: ubuntu-latest\n+    strategy:\n+      fail-fast: false\n+      matrix:\n+        module:\n+          - s3\n+          - secret\n+          - ddb\n+          - kinesis\n+          - static_web\n+          - sftp\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: Setup Terraform\n+        uses: hashicorp/setup-terraform@v3\n+        with:\n+          terraform_version: ${{ env.TF_VERSION }}\n+\n+      - name: Terraform Format Check\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform fmt -check -recursive\n+\n+      - name: Terraform Init\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform init -backend=false\n+\n+      - name: Terraform Validate\n+        working-directory: modules/${{ matrix.module }}\n+        run: terraform validate\n+\n+  docs:\n+    name: Generate Documentation\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: github.event_name == 'pull_request'\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+        with:\n+          ref: ${{ github.event.pull_request.head.ref }}\n+          token: ${{ secrets.GITHUB_TOKEN }}\n+\n+      - name: Render terraform docs\n+        uses: terraform-docs/gh-actions@v1.2.0\n+        with:\n+          working-dir: modules/s3,modules/secret,modules/ddb,modules/kinesis,modules/static_web,modules/sftp\n+          output-file: README.md\n+          output-method: inject\n+          git-push: \"true\"\n+          git-commit-message: \"docs: auto-generate terraform-docs README\"\n+\n+  # Publish to Terraform Cloud Private Registry on version tags\n+  publish:\n+    name: Publish to Terraform Cloud\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: startsWith(github.ref, 'refs/tags/v')\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: Extract version from tag\n+        id: version\n+        run: |\n+          VERSION=${GITHUB_REF#refs/tags/v}\n+          echo \"version=$VERSION\" \u003e\u003e $GITHUB_OUTPUT\n+          echo \"Publishing version: $VERSION\"\n+\n+      - name: Setup Terraform\n+        uses: hashicorp/setup-terraform@v3\n+        with:\n+          terraform_version: ${{ env.TF_VERSION }}\n+          cli_config_credentials_token: ${{ secrets.TFC_API_TOKEN }}\n+\n+      # Note: Terraform Cloud private registry modules are published via VCS integration\n+      # This step creates a GitHub release which TFC can consume\n+      - name: Create GitHub Release\n+        uses: softprops/action-gh-release@v1\n+        with:\n+          tag_name: ${{ github.ref_name }}\n+          name: Release ${{ steps.version.outputs.version }}\n+          body: |\n+            ## Terraform Modules Release ${{ steps.version.outputs.version }}\n+\n+            ### Modules Included:\n+            - `s3` - S3 bucket with policies and access management\n+            - `secret` - Secrets Manager with multi-region replication\n+            - `ddb` - DynamoDB table with KMS encryption and CDC\n+            - `kinesis` - Kinesis Data Stream with KMS encryption\n+            - `static_web` - Static website with S3 + CloudFront\n+            - `sftp` - SFTP Transfer Family with S3 backend\n+\n+            ### Usage\n+            ```hcl\n+            module \"example\" {\n+              source  = \"app.terraform.io/Imprint/\u003cmodule\u003e/aws\"\n+              version = \"${{ steps.version.outputs.version }}\"\n+\n+              # ... module inputs\n+            }\n+            ```\n+          draft: false\n+          prerelease: ${{ contains(steps.version.outputs.version, '-') }}\n+        env:\n+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n+\n+  # Security scanning\n+  security:\n+    name: Security Scan\n+    runs-on: ubuntu-latest\n+    needs: validate\n+    if: github.event_name == 'pull_request'\n+\n+    steps:\n+      - name: Checkout\n+        uses: actions/checkout@v4\n+\n+      - name: tfsec\n+        uses: aquasecurity/tfsec-action@v1.0.3\n+        with:\n+          working_directory: modules\n+          soft_fail: true\n+\n+      - name: Checkov\n+        uses: bridgecrewio/checkov-action@v12\n+        with:\n+          directory: modules\n+          framework: terraform\n+          soft_fail: true\n+          output_format: sarif\n+          output_file_path: checkov-results.sarif\n+\n+      - name: Upload SARIF file\n+        uses: github/codeql-action/upload-sarif@v3\n+        if: ${{ always() \u0026\u0026 hashFiles('checkov-results.sarif') != '' }}\n+        with:\n+          sarif_file: checkov-results.sarif","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/.github%2Fworkflows%2Fterraform-module-publish.yml","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/.github%2Fworkflows%2Fterraform-module-publish.yml","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/.github%2Fworkflows%2Fterraform-module-publish.yml?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"27f80b68781cc3c1599462279594dce4237a4193","filename":"modules/README.md","additions":105,"deletions":0,"changes":105,"status":"added","patch":"@@ -0,0 +1,105 @@\n+# Terraform Modules\n+\n+This directory contains versioned Terraform modules for infrastructure deployment.\n+\n+## Phase 1 Modules (v0.1.0)\n+\n+These modules mirror existing stacks 1:1 to enable no-op migrations using `moved` blocks and `terraform state mv`.\n+\n+| Module | Description | Key Features |\n+|--------|-------------|--------------|\n+| `s3` | S3 bucket with policies | Versioning, encryption, bucket policies, CloudFront OAI support |\n+| `secret` | Secrets Manager | Multi-region replication (us-west-2), read-only IAM policy |\n+| `ddb` | DynamoDB table | KMS encryption, multi-region replicas, GSI/LSI, CDC to Kinesis |\n+| `kinesis` | Kinesis Data Stream | KMS encryption, on-demand mode, consumer IAM policies |\n+| `static_web` | Static website hosting | S3 + CloudFront with OAI, custom cache behaviors |\n+| `sftp` | SFTP Transfer Family | S3 backend, per-user IAM roles, CloudTrail audit logging |\n+\n+## Usage\n+\n+### From Terraform Cloud Private Registry\n+\n+```hcl\n+module \"example_s3\" {\n+  source  = \"app.terraform.io/Imprint/s3/aws\"\n+  version = \"0.1.0\"\n+\n+  environment = \"stg\"\n+  bucket_name = \"my-bucket\"\n+}\n+```\n+\n+### Local Development\n+\n+```hcl\n+module \"example_s3\" {\n+  source = \"../modules/s3\"\n+\n+  environment = \"dev\"\n+  bucket_name = \"my-bucket\"\n+}\n+```\n+\n+## Migration Guide\n+\n+To migrate existing infrastructure to use these modules with no-op:\n+\n+1. **Add module block** referencing the new module\n+2. **Use `moved` blocks** to map existing resources to module resources\n+3. **Run `terraform plan`** to verify no changes\n+4. **Apply** to update state without infrastructure changes\n+\n+Example migration:\n+\n+```hcl\n+# New module usage\n+module \"my_bucket\" {\n+  source  = \"app.terraform.io/Imprint/s3/aws\"\n+  version = \"0.1.0\"\n+\n+  environment = \"prd\"\n+  bucket_name = \"my-existing-bucket\"\n+}\n+\n+# Moved blocks for state migration\n+moved {\n+  from = aws_s3_bucket.my_bucket\n+  to   = module.my_bucket.aws_s3_bucket.bucket\n+}\n+\n+moved {\n+  from = aws_s3_bucket_versioning.my_bucket\n+  to   = module.my_bucket.aws_s3_bucket_versioning.bucket\n+}\n+```\n+\n+## Remote State Dependencies\n+\n+Modules that previously used `terraform_remote_state` have been converted to use input variables:\n+\n+| Module | Original Remote State | New Input Variable |\n+|--------|----------------------|-------------------|\n+| `ddb` | `terraform_remote_state.users.outputs.terraform_cloud_role_arn` | `kms_key_administrator_arn` |\n+| `ddb` | `terraform_remote_state.global.outputs.ddb_hevo_kinesis_stream.arn` | `hevo_kinesis_stream_arn` |\n+| `kinesis` | `terraform_remote_state.users.outputs.group_sre_iam_arns` | `sre_group_iam_arns` |\n+| `sftp` | `terraform_remote_state.census.outputs.census_role_arn` | `census_role_arn` |\n+\n+## Provider Requirements\n+\n+All modules require:\n+- Terraform \u003e= 1.0\n+- AWS Provider \u003e= 3.75.0\n+\n+The `ddb` module requires provider aliases for multi-region replicas:\n+- `aws.default`\n+- `aws.replica-us-west-2`\n+- `aws.replica-us-east-2`\n+\n+## Versioning\n+\n+Modules follow [Semantic Versioning](https://semver.org/):\n+- **Major** (X.0.0): Breaking changes\n+- **Minor** (0.X.0): New features, backwards compatible\n+- **Patch** (0.0.X): Bug fixes, backwards compatible\n+\n+Phase 1 releases start at v0.1.0.","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2FREADME.md","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2FREADME.md","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2FREADME.md?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"d0cd86be7dd75b31f2f037a1cf89a7088dd8abb6","filename":"modules/ddb/cdc.tf","additions":6,"deletions":0,"changes":6,"status":"added","patch":"@@ -0,0 +1,6 @@\n+resource \"aws_dynamodb_kinesis_streaming_destination\" \"this\" {\n+  count = local.hevo_count\n+\n+  stream_arn = var.hevo_kinesis_stream_arn\n+  table_name = aws_dynamodb_table.dynamodb_table[0].name\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fcdc.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fcdc.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fcdc.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"8fc4b38cc5cd0ebc632906796b4e3d9980ca2ffb","filename":"modules/ddb/data.tf","additions":1,"deletions":0,"changes":1,"status":"added","patch":"@@ -0,0 +1 @@\n+data \"aws_caller_identity\" \"current\" {}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fdata.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fdata.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fdata.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"91340bbf080c1560fc9cfad058892ef210c228ee","filename":"modules/ddb/kms.tf","additions":27,"deletions":0,"changes":27,"status":"added","patch":"@@ -0,0 +1,27 @@\n+resource \"aws_kms_key\" \"customer_managed_key\" {\n+  count               = var.resource_count\n+  description         = \"ddb/${local.table_name}\"\n+  enable_key_rotation = true\n+  is_enabled          = true\n+  policy              = data.aws_iam_policy_document.kms_key_policy[0].json\n+  multi_region        = length(var.replica_regions) \u003e 0\n+}\n+\n+resource \"aws_kms_alias\" \"key_alias\" {\n+  count         = var.resource_count\n+  target_key_id = aws_kms_key.customer_managed_key[0].key_id\n+  name          = \"alias/ddb/${local.table_name}\"\n+}\n+\n+resource \"aws_kms_replica_key\" \"us-west-2_replica\" {\n+  count           = local.us-west-2_replica_enabled ? var.resource_count : 0\n+  provider        = aws.replica-us-west-2\n+  primary_key_arn = aws_kms_key.customer_managed_key[0].arn\n+}\n+\n+resource \"aws_kms_replica_key\" \"us-east-2_replica\" {\n+  count = local.us-east-2_replica_enabled ? var.resource_count : 0\n+\n+  provider        = aws.replica-us-east-2\n+  primary_key_arn = aws_kms_key.customer_managed_key[0].arn\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fkms.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fkms.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fkms.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"beb07bfc5327312e444fdecca8ed762323c50cca","filename":"modules/ddb/locals.tf","additions":22,"deletions":0,"changes":22,"status":"added","patch":"@@ -0,0 +1,22 @@\n+locals {\n+  default_region           = \"us-east-1\"\n+  us-west-2_region         = \"us-west-2\"\n+  us-east-2_region         = \"us-east-2\"\n+  default_billing_mode     = \"PAY_PER_REQUEST\"\n+  default_stream_view_type = \"NEW_AND_OLD_IMAGES\"\n+  default_ttl_attribute    = \"ttl\"\n+\n+  us-west-2_replica_enabled = contains(var.replica_regions, local.us-west-2_region)\n+  us-east-2_replica_enabled = contains(var.replica_regions, local.us-east-2_region)\n+\n+  env_name       = \"${var.environment}_${var.name}\"\n+  table_name     = var.env_in_name ? local.env_name : var.name\n+  stream_enabled = var.hevo_replication_enabled ? true : var.stream_enabled\n+  stream_view_type = var.stream_enabled \u0026\u0026 var.stream_view_type == null ? local.default_stream_view_type : (\n+    var.hevo_replication_enabled ? local.default_stream_view_type : var.stream_view_type\n+  )\n+  policy_title = var.policy_title == null ? title(var.policy_name) : var.policy_title\n+  account_id   = data.aws_caller_identity.current.account_id\n+\n+  hevo_count = var.hevo_replication_enabled ? var.resource_count : 0\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Flocals.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Flocals.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Flocals.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"f9748980ba7b655b9f101f3cdc9316260def94e0","filename":"modules/ddb/main.tf","additions":88,"deletions":0,"changes":88,"status":"added","patch":"@@ -0,0 +1,88 @@\n+resource \"aws_dynamodb_table\" \"dynamodb_table\" {\n+  count            = var.resource_count\n+  name             = local.table_name\n+  billing_mode     = local.default_billing_mode\n+  hash_key         = var.hash_key\n+  range_key        = var.range_key\n+  stream_enabled   = local.stream_enabled\n+  stream_view_type = local.stream_view_type\n+  read_capacity    = var.read_capacity\n+  write_capacity   = var.write_capacity\n+\n+\n+  dynamic \"attribute\" {\n+    for_each = var.attributes\n+    content {\n+      name = attribute.value[\"name\"]\n+      type = attribute.value[\"type\"]\n+    }\n+  }\n+\n+  dynamic \"local_secondary_index\" {\n+    for_each = var.local_secondary_indexes\n+    content {\n+      name            = local_secondary_index.value[\"name\"]\n+      projection_type = local_secondary_index.value[\"projection_type\"]\n+      range_key       = local_secondary_index.value[\"range_key\"]\n+    }\n+  }\n+\n+  dynamic \"global_secondary_index\" {\n+    for_each = var.global_secondary_indexes\n+\n+    content {\n+      name               = global_secondary_index.value[\"name\"]\n+      hash_key           = global_secondary_index.value[\"hash_key\"]\n+      projection_type    = global_secondary_index.value[\"projection_type\"]\n+      range_key          = lookup(global_secondary_index.value, \"range_key\", null)\n+      read_capacity      = lookup(global_secondary_index.value, \"read_capacity\", null)\n+      write_capacity     = lookup(global_secondary_index.value, \"write_capacity\", null)\n+      non_key_attributes = global_secondary_index.value[\"projection_type\"] == \"INCLUDE\" ? global_secondary_index.value[\"non_key_attributes\"] : null\n+    }\n+  }\n+\n+  dynamic \"replica\" {\n+    for_each = local.us-west-2_replica_enabled ? [1] : []\n+    content {\n+      region_name = local.us-west-2_region\n+      kms_key_arn = aws_kms_replica_key.us-west-2_replica[0].arn\n+    }\n+  }\n+\n+  dynamic \"replica\" {\n+    for_each = local.us-east-2_replica_enabled ? [1] : []\n+    content {\n+      region_name = local.us-east-2_region\n+      kms_key_arn = aws_kms_replica_key.us-east-2_replica[0].arn\n+    }\n+  }\n+\n+  dynamic \"ttl\" {\n+    for_each = var.ttl ? [1] : []\n+    content {\n+      attribute_name = local.default_ttl_attribute\n+      enabled        = true\n+    }\n+  }\n+\n+  point_in_time_recovery {\n+    enabled = var.point_in_time_recovery_enabled\n+  }\n+\n+  server_side_encryption {\n+    enabled     = true\n+    kms_key_arn = aws_kms_key.customer_managed_key[0].arn\n+  }\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = local.table_name\n+      Environment = var.environment\n+    }\n+  )\n+\n+  lifecycle {\n+    prevent_destroy = true\n+  }\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fmain.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fmain.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fmain.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"131ebba52ab6685dac791d55153d8ddd9796aa08","filename":"modules/ddb/outputs.tf","additions":24,"deletions":0,"changes":24,"status":"added","patch":"@@ -0,0 +1,24 @@\n+output \"ddb_policy_read_only\" {\n+  description = \"DDB Policy Read Only\"\n+  value       = var.resource_count == 1 ? aws_iam_policy.ddb_policy_read_only[0] : null\n+}\n+\n+output \"ddb_policy_full_access\" {\n+  description = \"DDB Policy Full Access\"\n+  value       = var.resource_count == 1 ? aws_iam_policy.ddb_policy_full_access[0] : null\n+}\n+\n+output \"table_name\" {\n+  description = \"Name of the DynamoDB table\"\n+  value       = var.resource_count == 1 ? aws_dynamodb_table.dynamodb_table[0].name : null\n+}\n+\n+output \"table_arn\" {\n+  description = \"ARN of the DynamoDB table\"\n+  value       = var.resource_count == 1 ? aws_dynamodb_table.dynamodb_table[0].arn : null\n+}\n+\n+output \"kms_key_arn\" {\n+  description = \"ARN of the KMS key used for table encryption\"\n+  value       = var.resource_count == 1 ? aws_kms_key.customer_managed_key[0].arn : null\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Foutputs.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Foutputs.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Foutputs.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"794787a471b41f70b4b5c3d81dde35f656b2401c","filename":"modules/ddb/policy.tf","additions":100,"deletions":0,"changes":100,"status":"added","patch":"@@ -0,0 +1,100 @@\n+resource \"aws_iam_policy\" \"ddb_policy_read_only\" {\n+  count       = var.resource_count\n+  name        = \"${var.environment}_${var.policy_name}_ddb_policy_read_only\"\n+  path        = \"/services/${var.service}/\"\n+  description = \"${local.policy_title} DDB Access Policy Read Only\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid : \"ListAndDescribe\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:List*\",\n+          \"dynamodb:DescribeReservedCapacity*\",\n+          \"dynamodb:DescribeLimits\",\n+          \"dynamodb:DescribeTimeToLive\"\n+        ],\n+        Resource : \"*\"\n+      },\n+      {\n+        Sid    = \"SpecificTable\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:BatchGet*\",\n+          \"dynamodb:DescribeStream\",\n+          \"dynamodb:DescribeTable\",\n+          \"dynamodb:Get*\",\n+          \"dynamodb:Query\",\n+          \"dynamodb:Scan\",\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) \u003e 0 || length(var.global_secondary_indexes) \u003e 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      }\n+    ]\n+  })\n+}\n+\n+resource \"aws_iam_policy\" \"ddb_policy_full_access\" {\n+  count       = var.resource_count\n+  name        = \"${var.environment}_${var.policy_name}_ddb_policy_full_access\"\n+  path        = \"/services/${var.service}/\"\n+  description = \"${local.policy_title} DDB Access Policy Full Access\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid : \"ListAndDescribe\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:List*\",\n+          \"dynamodb:DescribeReservedCapacity*\",\n+          \"dynamodb:DescribeLimits\",\n+          \"dynamodb:DescribeTimeToLive\"\n+        ],\n+        Resource : \"*\"\n+      },\n+      {\n+        Sid : \"AllowDynamoDBExportAction\",\n+        Effect : \"Allow\",\n+        Action : [\n+          \"dynamodb:ExportTableToPointInTime\",\n+          \"dynamodb:DescribeExport\",\n+          \"dynamodb:ListExports\"\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) \u003e 0 || length(var.global_secondary_indexes) \u003e 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      },\n+      {\n+        Sid    = \"SpecificTable\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"dynamodb:BatchGet*\",\n+          \"dynamodb:DescribeStream\",\n+          \"dynamodb:DescribeTable\",\n+          \"dynamodb:Get*\",\n+          \"dynamodb:Query\",\n+          \"dynamodb:Scan\",\n+          \"dynamodb:BatchWrite*\",\n+          \"dynamodb:CreateTable\",\n+          \"dynamodb:Delete*\",\n+          \"dynamodb:Update*\",\n+          \"dynamodb:PutItem\"\n+        ],\n+        Resource = (\n+          length(var.local_secondary_indexes) \u003e 0 || length(var.global_secondary_indexes) \u003e 0 ?\n+          [aws_dynamodb_table.dynamodb_table[0].arn, \"${aws_dynamodb_table.dynamodb_table[0].arn}/*\"] :\n+          [aws_dynamodb_table.dynamodb_table[0].arn]\n+        )\n+      }\n+    ]\n+  })\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fpolicy.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fpolicy.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fpolicy.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"a274846298adf03936a8fe7f0ec2c5110b8297db","filename":"modules/ddb/policy_doc.tf","additions":120,"deletions":0,"changes":120,"status":"added","patch":"@@ -0,0 +1,120 @@\n+data \"aws_iam_policy_document\" \"kms_key_policy\" {\n+  count = var.resource_count\n+\n+  statement {\n+    sid    = \"DDB Table Accessor Policy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"*\"]\n+    }\n+\n+    actions = [\n+      \"kms:Encrypt\",\n+      \"kms:Decrypt\",\n+      \"kms:ReEncrypt*\",\n+      \"kms:GenerateDataKey*\",\n+      \"kms:CreateGrant\",\n+      \"kms:DescribeKey\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"kms:CallerAccount\"\n+      values   = [local.account_id]\n+    }\n+\n+    condition {\n+      test     = \"StringLike\"\n+      variable = \"kms:ViaService\"\n+      values   = [\"dynamodb.*.amazonaws.com\"]\n+    }\n+  }\n+\n+  statement {\n+    sid    = \"KeyAdministratorPolicy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [var.kms_key_administrator_arn]\n+    }\n+\n+    actions = [\n+      \"kms:Create*\",\n+      \"kms:Describe*\",\n+      \"kms:Enable*\",\n+      \"kms:List*\",\n+      \"kms:Put*\",\n+      \"kms:Update*\",\n+      \"kms:Revoke*\",\n+      \"kms:Disable*\",\n+      \"kms:Get*\",\n+      \"kms:Delete*\",\n+      \"kms:TagResource\",\n+      \"kms:UntagResource\",\n+      \"kms:ScheduleKeyDeletion\",\n+      \"kms:CancelKeyDeletion\",\n+      \"kms:Replicate*\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowAccountToManageKeyPolicy\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${local.account_id}:root\"]\n+    }\n+\n+    actions = [\n+      \"kms:PutKeyPolicy\",\n+      \"kms:GetKeyPolicy\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowDirectAccessToKeyMetadata\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${local.account_id}:root\"]\n+    }\n+\n+    actions = [\n+      \"kms:Describe*\",\n+      \"kms:Get*\",\n+      \"kms:List*\",\n+      \"kms:RevokeGrant\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+\n+  statement {\n+    sid    = \"AllowDynamoDBDescribe\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"dynamodb.amazonaws.com\"]\n+    }\n+\n+    actions = [\n+      \"kms:Describe*\",\n+      \"kms:Get*\",\n+      \"kms:List*\",\n+    ]\n+\n+    resources = [\"arn:aws:kms:*:${local.account_id}:key/*\"]\n+  }\n+}","blob_url":"https://github.com/Imprint-Tech/infrastructure/blob/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fpolicy_doc.tf","raw_url":"https://github.com/Imprint-Tech/infrastructure/raw/574ead47c35f954317b9cd09ac660f1c033533df/modules%2Fddb%2Fpolicy_doc.tf","contents_url":"https://api.github.com/repos/Imprint-Tech/infrastructure/contents/modules%2Fddb%2Fpolicy_doc.tf?ref=574ead47c35f954317b9cd09ac660f1c033533df"},{"sha":"b1f5fa047cfdd994d7d67a650094734ce6196124","filename":"modules/ddb/variables.tf","additions":138,"deletions":0,"changes":138,"status":"added","patch":"@@ -0,0 +1,138 @@\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, sbx)\"\n+  type        = string\n+}\n+\n+variable \"service\" {\n+  description = \"Name of the calling workspace. Used for IAM path.\"\n+  type        = string\n+}\n+\n+variable \"name\" {\n+  description = \"Name of the DynamoDB table\"\n+  type        = string\n+}\n+\n+variable \"env_in_name\" {\n+  description = \"Whether to include environment prefix in table name\"\n+  type        = bool\n+  default     = true\n+}\n+\n+variable \"policy_name\" {\n+  description = \"Name used for IAM policy naming\"\n+  type        = string\n+}\n+\n+variable \"policy_title\" {\n+  description = \"Title used in IAM policy description\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"hash_key\" {\n+  description = \"The attribute to use as the hash (partition) key\"\n+  type        = string\n+}\n+\n+variable \"range_key\" {\n+  description = \"The attribute to use as the range (sort) key\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"stream_enabled\" {\n+  description = \"Enable DynamoDB streams\"\n+  type        = bool\n+}\n+\n+variable \"stream_view_type\" {\n+  description = \"When an item is modified, what data to capture: KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"resource_count\" {\n+  description = \"A replacement for count, because this is a legacy module that can't use count directly. Can be 1 or 0.\"\n+  type        = number\n+  default     = 1\n+}\n+\n+variable \"attributes\" {\n+  description = \"List of attribute definitions for the table\"\n+  type        = list(map(string))\n+  default = [{\n+    \"name\" = \"key\"\n+    \"type\" = \"S\"\n+  }]\n+}\n+\n+variable \"global_secondary_indexes\" {\n+  description = \"List of GSI definitions. Must follow AWS documentation format.\"\n+  type        = list(map(string))\n+  default     = []\n+}\n+\n+variable \"local_secondary_indexes\" {\n+  description = \"List of LSI definitions. Must follow AWS documentation format.\"\n+  type        = list(map(string))\n+  default     = []\n+}\n+\n+variable \"ttl\" {\n+  description = \"Enable TTL on the table\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"replica_regions\" {\n+  description = \"A list of regions for creating replicas. Only us-east-2 and us-west-2 are supported currently.\"\n+  type        = list(string)\n+  default     = []\n+}\n+\n+variable \"point_in_time_recovery_enabled\" {\n+  description = \"Enable point-in-time recovery\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"default_tags\" {\n+  description = \"Tags to apply to resources\"\n+  type        = map(string)\n+  default = {\n+    Owner     = \"service\"\n+    Terraform = \"true\"\n+    Version   = \"20210414\"\n+  }\n+}\n+\n+variable \"read_capacity\" {\n+  description = \"The number of read capacity units (only for PROVISIONED billing mode)\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"write_capacity\" {\n+  description = \"The number of write capacity units (only for PROVISIONED billing mode)\"\n+  type        = string\n+  default     = null\n+}\n+\n+variable \"hevo_replication_enabled\" {\n+  description = \"Whether to enable Hevo DynamoDB connector resources\"

... [1 lines truncated] ...

[
  {
    "type": "text",
    "text": "{\"pageInfo\":{\"endCursor\":\"Y3Vyc29yOnYyOpK0MjAyNi0wMS0wNVQyMTozMTowOVrOaBjXUg==\",\"hasNextPage\":false,\"hasPreviousPage\":false,\"startCursor\":\"Y3Vyc29yOnYyOpK0MjAyNi0wMS0wNVQyMTozMTowOVrOaBjXUg==\"},\"reviewThreads\":[{\"ID\":\"PRRT_kwDOEz1ECM5oGNdS\",\"IsResolved\":true,\"IsOutdated\":true,\"IsCollapsed\":true,\"Comments\":{\"Nodes\":[{\"ID\":\"PRRC_kwDOEz1ECM6euAvj\",\"Body\":\"Suggestion: Some workflow steps/jobs run unconditionally and fail when required files or permissions aren’t present. Add `if` guards so they only run when inputs exist or the run has write access.\\n\\n```suggestion\\n        if: ${{ always() \\u0026\\u0026 hashFiles('checkov-results.sarif') != '' }}\\n```\\n\\u003e 🚀 **Want me to fix this? Reply ex: _\\\"fix it for me\\\"_.**\",\"Path\":\".github/workflows/terraform-module-publish.yml\",\"Line\":null,\"Author\":{\"Login\":\"macroscopeapp\"},\"CreatedAt\":\"2026-01-05T21:31:09Z\",\"UpdatedAt\":\"2026-01-05T21:31:10Z\",\"URL\":\"https://github.com/Imprint-Tech/infrastructure/pull/3034#discussion_r2662861795\"}],\"TotalCount\":1}}],\"totalCount\":1}"
  }
]

n = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+    }\n+  }\n+}\ndiff --git a/modules/sftp/data.tf b/modules/sftp/data.tf\nnew file mode 100644\nindex 000000000..2562753cb\n--- /dev/null\n+++ b/modules/sftp/data.tf\n@@ -0,0 +1,20 @@\n+data \"aws_region\" \"current\" {}\n+\n+data \"aws_caller_identity\" \"current\" {}\n+\n+data \"aws_iam_policy_document\" \"sftp_assume_role_policy\" {\n+  statement {\n+    actions = [\"sts:AssumeRole\"]\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"transfer.amazonaws.com\"]\n+    }\n+\n+    condition {\n+      test     = \"StringEqualsIfExists\"\n+      values   = [data.aws_caller_identity.current.account_id]\n+      variable = \"aws:SourceAccount\"\n+    }\n+  }\n+}\ndiff --git a/modules/sftp/iam.tf b/modules/sftp/iam.tf\nnew file mode 100644\nindex 000000000..4cf2bc503\n--- /dev/null\n+++ b/modules/sftp/iam.tf\n@@ -0,0 +1,103 @@\n+# IAM role for each SFTP user\n+resource \"aws_iam_role\" \"sftp_user_iam_role\" {\n+  for_each = toset(var.usernames)\n+\n+  name               = \"${var.environment}-sftp-${each.value}-role\"\n+  assume_role_policy = data.aws_iam_policy_document.sftp_assume_role_policy.json\n+}\n+\n+# IAM policy for each SFTP user\n+resource \"aws_iam_policy\" \"sftp_policy\" {\n+  for_each = toset(var.usernames)\n+\n+  name        = \"${var.environment}_sftp_access_policy_${each.value}\"\n+  description = \"SFTP Bucket Access Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Id      = \"sftp_user_bucket_role\"\n+    Statement = [\n+      {\n+        Sid    = \"AllowListingOfUserFolder\",\n+        Effect = \"Allow\",\n+        Action : [\n+          \"s3:ListBucket\",\n+          \"s3:GetBucketLocation\"\n+        ]\n+        Resource = [\n+          aws_s3_bucket.sftp_bucket.arn\n+        ]\n+        Condition = {\n+          StringLike = {\n+            \"s3:prefix\" = [\n+              \"${each.value}/*\"\n+            ]\n+          }\n+        }\n+      },\n+      {\n+        Sid    = \"HomeDirObjectAccess\",\n+        Effect = \"Allow\",\n+        Action : [\n+          \"s3:PutObject\",\n+          \"s3:GetObject\",\n+          \"s3:DeleteObject\",\n+          \"s3:DeleteObjectVersion\",\n+          \"s3:GetObjectVersion\",\n+          \"s3:GetObjectACL\",\n+          \"s3:PutObjectACL\",\n+          \"s3:ListMultipartUploadParts\"\n+        ]\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/uploads/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"HomeDirReadOnlyAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:GetObject\",\n+          \"s3:GetObjectVersion\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/downloads/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"TestDirAccess\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:PutObject\",\n+          \"s3:GetObject\",\n+          \"s3:DeleteObject\",\n+          \"s3:DeleteObjectVersion\",\n+          \"s3:GetObjectVersion\",\n+          \"s3:GetObjectACL\",\n+          \"s3:PutObjectACL\",\n+          \"s3:ListMultipartUploadParts\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/test/*\"\n+        ]\n+      },\n+      {\n+        Sid    = \"ListFilesInSFTPClient\",\n+        Effect = \"Allow\",\n+        Action = [\n+          \"s3:GetObject\"\n+        ],\n+        Resource = [\n+          \"${aws_s3_bucket.sftp_bucket.arn}/${each.value}/*\"\n+        ]\n+      }\n+    ]\n+  })\n+}\n+\n+# Attach policy to role for each user\n+resource \"aws_iam_role_policy_attachment\" \"sftp_s3_policy_attachment\" {\n+  for_each = toset(var.usernames)\n+\n+  role       = aws_iam_role.sftp_user_iam_role[each.value].name\n+  policy_arn = aws_iam_policy.sftp_policy[each.value].arn\n+}\ndiff --git a/modules/sftp/locals.tf b/modules/sftp/locals.tf\nnew file mode 100644\nindex 000000000..22be7aa08\n--- /dev/null\n+++ b/modules/sftp/locals.tf\n@@ -0,0 +1,4 @@\n+locals {\n+  bucket_name            = \"${var.environment}-sftp-data-storage\"\n+  cloudtrail_bucket_name = \"${local.bucket_name}-events-cloudtrail\"\n+}\ndiff --git a/modules/sftp/outputs.tf b/modules/sftp/outputs.tf\nnew file mode 100644\nindex 000000000..e49a0a49b\n--- /dev/null\n+++ b/modules/sftp/outputs.tf\n@@ -0,0 +1,44 @@\n+output \"role_names\" {\n+  description = \"List of IAM role names created for SFTP users\"\n+  value       = [for k, v in aws_iam_role.sftp_user_iam_role : v.name]\n+}\n+\n+output \"role_arns\" {\n+  description = \"Map of username to IAM role ARN\"\n+  value       = { for k, v in aws_iam_role.sftp_user_iam_role : k => v.arn }\n+}\n+\n+output \"policy_arns\" {\n+  description = \"List of IAM policy ARNs created for SFTP users\"\n+  value       = [for k, v in aws_iam_policy.sftp_policy : v.arn]\n+}\n+\n+output \"secret_arn\" {\n+  description = \"ARN of the Secrets Manager secret for SFTP credentials\"\n+  value       = aws_secretsmanager_secret.sftp_credentials.arn\n+}\n+\n+output \"secret_read_only_policy_arn\" {\n+  description = \"ARN of the read-only IAM policy for the SFTP credentials secret\"\n+  value       = aws_iam_policy.sftp_secret_read_only.arn\n+}\n+\n+output \"bucket_id\" {\n+  description = \"ID of the SFTP S3 bucket\"\n+  value       = aws_s3_bucket.sftp_bucket.id\n+}\n+\n+output \"bucket_arn\" {\n+  description = \"ARN of the SFTP S3 bucket\"\n+  value       = aws_s3_bucket.sftp_bucket.arn\n+}\n+\n+output \"cloudtrail_bucket_id\" {\n+  description = \"ID of the CloudTrail S3 bucket (if enabled)\"\n+  value       = var.enable_cloudtrail ? aws_s3_bucket.sftp_cloudtrail[0].id : null\n+}\n+\n+output \"cloudtrail_bucket_arn\" {\n+  description = \"ARN of the CloudTrail S3 bucket (if enabled)\"\n+  value       = var.enable_cloudtrail ? aws_s3_bucket.sftp_cloudtrail[0].arn : null\n+}\ndiff --git a/modules/sftp/s3.tf b/modules/sftp/s3.tf\nnew file mode 100644\nindex 000000000..37fa3cec4\n--- /dev/null\n+++ b/modules/sftp/s3.tf\n@@ -0,0 +1,326 @@\n+# Main SFTP data storage bucket\n+resource \"aws_s3_bucket\" \"sftp_bucket\" {\n+  bucket = local.bucket_name\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = local.bucket_name\n+      Environment = var.environment\n+    }\n+  )\n+}\n+\n+resource \"aws_s3_bucket_public_access_block\" \"sftp_bucket\" {\n+  bucket = aws_s3_bucket.sftp_bucket.id\n+\n+  block_public_acls       = true\n+  block_public_policy     = true\n+  ignore_public_acls      = true\n+  restrict_public_buckets = true\n+}\n+\n+resource \"aws_s3_bucket_versioning\" \"sftp_bucket\" {\n+  bucket = aws_s3_bucket.sftp_bucket.id\n+\n+  versioning_configuration {\n+    status = \"Enabled\"\n+  }\n+}\n+\n+resource \"aws_s3_bucket_server_side_encryption_configuration\" \"sftp_bucket\" {\n+  bucket = aws_s3_bucket.sftp_bucket.id\n+\n+  rule {\n+    apply_server_side_encryption_by_default {\n+      sse_algorithm = \"AES256\"\n+    }\n+  }\n+}\n+\n+resource \"aws_s3_bucket_policy\" \"sftp_bucket\" {\n+  bucket = aws_s3_bucket.sftp_bucket.id\n+  policy = data.aws_iam_policy_document.combined_sftp_bucket_policy.json\n+\n+  depends_on = [aws_s3_bucket_public_access_block.sftp_bucket]\n+}\n+\n+data \"aws_iam_policy_document\" \"combined_sftp_bucket_policy\" {\n+  source_policy_documents = [\n+    data.aws_iam_policy_document.sftp_bucket_deny_insecure.json,\n+    data.aws_iam_policy_document.airflow_to_fiserv_sftp.json,\n+    data.aws_iam_policy_document.census_to_sftp.json\n+  ]\n+}\n+\n+data \"aws_iam_policy_document\" \"sftp_bucket_deny_insecure\" {\n+  statement {\n+    sid    = \"DenyInsecureTransport\"\n+    effect = \"Deny\"\n+\n+    principals {\n+      type        = \"*\"\n+      identifiers = [\"*\"]\n+    }\n+\n+    actions = [\"s3:*\"]\n+\n+    resources = [\n+      aws_s3_bucket.sftp_bucket.arn,\n+      \"${aws_s3_bucket.sftp_bucket.arn}/*\"\n+    ]\n+\n+    condition {\n+      test     = \"Bool\"\n+      variable = \"aws:SecureTransport\"\n+      values   = [\"false\"]\n+    }\n+  }\n+}\n+\n+# MWAA (Airflow) access policy\n+data \"aws_iam_policy_document\" \"airflow_to_fiserv_sftp\" {\n+  statement {\n+    sid    = \"MWAAAAirflowBucketAccess\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${var.mwaa_account_id}:role/mwaa/${var.environment}_mwaa_execution_role\"]\n+    }\n+    actions   = [\"s3:ListBucket\"]\n+    resources = [aws_s3_bucket.sftp_bucket.arn]\n+  }\n+\n+  statement {\n+    sid    = \"MWAAAirflowBucketPrefixAccess\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [\"arn:aws:iam::${var.mwaa_account_id}:role/mwaa/${var.environment}_mwaa_execution_role\"]\n+    }\n+    actions   = [\"s3:*\"]\n+    resources = [for prefix in var.mwaa_sftp_prefixes : \"${aws_s3_bucket.sftp_bucket.arn}/${prefix}\"]\n+  }\n+}\n+\n+# Census access policy\n+data \"aws_iam_policy_document\" \"census_to_sftp\" {\n+  statement {\n+    sid    = \"CensusListBucket\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [var.census_role_arn]\n+    }\n+    actions = [\n+      \"s3:ListBucket\",\n+      \"s3:GetBucketLocation\"\n+    ]\n+    resources = [aws_s3_bucket.sftp_bucket.arn]\n+  }\n+\n+  statement {\n+    sid    = \"CensusReadWriteObjects\"\n+    effect = \"Allow\"\n+    principals {\n+      type        = \"AWS\"\n+      identifiers = [var.census_role_arn]\n+    }\n+    actions = [\n+      \"s3:GetObject\",\n+      \"s3:GetObjectVersion\",\n+      \"s3:PutObject\",\n+      \"s3:DeleteObject\",\n+      \"s3:DeleteObjectVersion\",\n+      \"s3:AbortMultipartUpload\",\n+      \"s3:ListMultipartUploadParts\"\n+    ]\n+    resources = [\"${aws_s3_bucket.sftp_bucket.arn}/*\"]\n+  }\n+}\n+\n+# CloudTrail bucket for SFTP events\n+resource \"aws_s3_bucket\" \"sftp_cloudtrail\" {\n+  count  = var.enable_cloudtrail ? 1 : 0\n+  bucket = local.cloudtrail_bucket_name\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = local.cloudtrail_bucket_name\n+      Environment = var.environment\n+    }\n+  )\n+}\n+\n+resource \"aws_s3_bucket_public_access_block\" \"sftp_cloudtrail\" {\n+  count  = var.enable_cloudtrail ? 1 : 0\n+  bucket = aws_s3_bucket.sftp_cloudtrail[0].id\n+\n+  block_public_acls       = true\n+  block_public_policy     = true\n+  ignore_public_acls      = true\n+  restrict_public_buckets = true\n+}\n+\n+resource \"aws_s3_bucket_versioning\" \"sftp_cloudtrail\" {\n+  count  = var.enable_cloudtrail ? 1 : 0\n+  bucket = aws_s3_bucket.sftp_cloudtrail[0].id\n+\n+  versioning_configuration {\n+    status     = \"Enabled\"\n+    mfa_delete = var.mfa_delete ? \"Enabled\" : \"Disabled\"\n+  }\n+}\n+\n+resource \"aws_s3_bucket_server_side_encryption_configuration\" \"sftp_cloudtrail\" {\n+  count  = var.enable_cloudtrail ? 1 : 0\n+  bucket = aws_s3_bucket.sftp_cloudtrail[0].id\n+\n+  rule {\n+    apply_server_side_encryption_by_default {\n+      sse_algorithm = \"AES256\"\n+    }\n+  }\n+}\n+\n+resource \"aws_s3_bucket_policy\" \"sftp_cloudtrail\" {\n+  count  = var.enable_cloudtrail ? 1 : 0\n+  bucket = aws_s3_bucket.sftp_cloudtrail[0].id\n+  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy[0].json\n+\n+  depends_on = [aws_s3_bucket_public_access_block.sftp_cloudtrail]\n+}\n+\n+data \"aws_iam_policy_document\" \"cloudtrail_bucket_policy\" {\n+  count = var.enable_cloudtrail ? 1 : 0\n+\n+  statement {\n+    sid    = \"AWSCloudTrailAclCheck\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"cloudtrail.amazonaws.com\"]\n+    }\n+\n+    actions   = [\"s3:GetBucketAcl\"]\n+    resources = [aws_s3_bucket.sftp_cloudtrail[0].arn]\n+  }\n+\n+  statement {\n+    sid    = \"AWSCloudTrailWrite\"\n+    effect = \"Allow\"\n+\n+    principals {\n+      type        = \"Service\"\n+      identifiers = [\"cloudtrail.amazonaws.com\"]\n+    }\n+\n+    actions   = [\"s3:PutObject\"]\n+    resources = [\"${aws_s3_bucket.sftp_cloudtrail[0].arn}/*\"]\n+\n+    condition {\n+      test     = \"StringEquals\"\n+      variable = \"s3:x-amz-acl\"\n+      values   = [\"bucket-owner-full-control\"]\n+    }\n+  }\n+\n+  statement {\n+    sid    = \"DenyInsecureTransport\"\n+    effect = \"Deny\"\n+\n+    principals {\n+      type        = \"*\"\n+      identifiers = [\"*\"]\n+    }\n+\n+    actions = [\"s3:*\"]\n+\n+    resources = [\n+      aws_s3_bucket.sftp_cloudtrail[0].arn,\n+      \"${aws_s3_bucket.sftp_cloudtrail[0].arn}/*\"\n+    ]\n+\n+    condition {\n+      test     = \"Bool\"\n+      variable = \"aws:SecureTransport\"\n+      values   = [\"false\"]\n+    }\n+  }\n+}\n+\n+# CloudTrail for SFTP bucket events\n+resource \"aws_cloudtrail\" \"sftp_bucket_events\" {\n+  count = var.enable_cloudtrail ? 1 : 0\n+\n+  name           = \"${aws_s3_bucket.sftp_bucket.id}-events\"\n+  s3_bucket_name = aws_s3_bucket.sftp_cloudtrail[0].id\n+\n+  cloud_watch_logs_group_arn = var.cloudtrail_cloudwatch_logs_group_arn != \"\" ? var.cloudtrail_cloudwatch_logs_group_arn : null\n+  cloud_watch_logs_role_arn  = var.cloudtrail_cloudwatch_logs_role_arn != \"\" ? var.cloudtrail_cloudwatch_logs_role_arn : null\n+  enable_log_file_validation = var.enable_cloudtrail_log_file_validation\n+  kms_key_id                 = var.cloudtrail_kms_key_id != \"\" ? var.cloudtrail_kms_key_id : null\n+\n+  event_selector {\n+    include_management_events = false\n+    data_resource {\n+      type   = \"AWS::S3::Object\"\n+      values = [\"${aws_s3_bucket.sftp_bucket.arn}/\"]\n+    }\n+  }\n+\n+  depends_on = [aws_s3_bucket_policy.sftp_cloudtrail]\n+}\n+\n+# Create user folders in S3\n+resource \"aws_s3_object\" \"sftp_user_folders\" {\n+  for_each = toset(var.usernames)\n+\n+  bucket                 = aws_s3_bucket.sftp_bucket.id\n+  key                    = \"${each.value}/\"\n+  server_side_encryption = \"AES256\"\n+}\n+\n+# Create download folders for each user\n+resource \"aws_s3_object\" \"sftp_user_download_folders\" {\n+  for_each = toset(var.usernames)\n+\n+  bucket                 = aws_s3_bucket.sftp_bucket.id\n+  key                    = \"${each.value}/downloads/\"\n+  server_side_encryption = \"AES256\"\n+\n+  depends_on = [aws_s3_object.sftp_user_folders]\n+}\n+\n+resource \"aws_s3_object\" \"sftp_user_test_download_folders\" {\n+  for_each = toset(var.usernames)\n+\n+  bucket                 = aws_s3_bucket.sftp_bucket.id\n+  key                    = \"${each.value}/test/downloads/\"\n+  server_side_encryption = \"AES256\"\n+\n+  depends_on = [aws_s3_object.sftp_user_folders]\n+}\n+\n+# Create upload folders for each user\n+resource \"aws_s3_object\" \"sftp_user_upload_folders\" {\n+  for_each = toset(var.usernames)\n+\n+  bucket                 = aws_s3_bucket.sftp_bucket.id\n+  key                    = \"${each.value}/uploads/\"\n+  server_side_encryption = \"AES256\"\n+\n+  depends_on = [aws_s3_object.sftp_user_folders]\n+}\n+\n+resource \"aws_s3_object\" \"sftp_user_test_upload_folders\" {\n+  for_each = toset(var.usernames)\n+\n+  bucket                 = aws_s3_bucket.sftp_bucket.id\n+  key                    = \"${each.value}/test/uploads/\"\n+  server_side_encryption = \"AES256\"\n+\n+  depends_on = [aws_s3_object.sftp_user_folders]\n+}\ndiff --git a/modules/sftp/secrets.tf b/modules/sftp/secrets.tf\nnew file mode 100644\nindex 000000000..38864acc5\n--- /dev/null\n+++ b/modules/sftp/secrets.tf\n@@ -0,0 +1,40 @@\n+# Secrets Manager secret for SFTP credentials\n+resource \"aws_secretsmanager_secret\" \"sftp_credentials\" {\n+  name = \"${var.environment}-${var.service}-sftp-credentials\"\n+\n+  replica {\n+    region = \"us-west-2\"\n+  }\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = \"${var.environment}-${var.service}-sftp-credentials\"\n+      Environment = var.environment\n+      Service     = var.service\n+    }\n+  )\n+}\n+\n+# Read-only IAM policy for SFTP credentials secret\n+resource \"aws_iam_policy\" \"sftp_secret_read_only\" {\n+  name        = \"${var.environment}_${var.service}_sftp_credentials_read_only\"\n+  description = \"${var.environment} ${var.service} SFTP Credentials Secret Read Only Policy\"\n+\n+  policy = jsonencode({\n+    Version = \"2012-10-17\"\n+    Statement = [\n+      {\n+        Sid    = \"SecretsManagerAccess\"\n+        Effect = \"Allow\"\n+        Action = [\n+          \"secretsmanager:GetResourcePolicy\",\n+          \"secretsmanager:GetSecretValue\",\n+          \"secretsmanager:DescribeSecret\",\n+          \"secretsmanager:ListSecretVersionIds\"\n+        ]\n+        Resource = [aws_secretsmanager_secret.sftp_credentials.arn]\n+      }\n+    ]\n+  })\n+}\ndiff --git a/modules/sftp/variables.tf b/modules/sftp/variables.tf\nnew file mode 100644\nindex 000000000..770475d56\n--- /dev/null\n+++ b/modules/sftp/variables.tf\n@@ -0,0 +1,76 @@\n+variable \"environment\" {\n+  description = \"Environment name (e.g., prd, stg, dev)\"\n+  type        = string\n+}\n+\n+variable \"service\" {\n+  description = \"Service name for resource naming\"\n+  type        = string\n+}\n+\n+variable \"usernames\" {\n+  description = \"A list of user identifiers for which IAM roles will be created. Used for AWS Transfer Family\"\n+  type        = list(string)\n+  default     = []\n+}\n+\n+variable \"mwaa_account_id\" {\n+  description = \"AWS Account ID where MWAA (Airflow) is deployed (replaces hardcoded account ID lookup)\"\n+  type        = string\n+}\n+\n+variable \"census_role_arn\" {\n+  description = \"ARN of the Census IAM role for S3 access (replaces terraform_remote_state.census.outputs.census_role_arn)\"\n+  type        = string\n+}\n+\n+variable \"enable_cloudtrail\" {\n+  description = \"Enable CloudTrail logging for SFTP bucket events\"\n+  type        = bool\n+  default     = true\n+}\n+\n+variable \"cloudtrail_cloudwatch_logs_group_arn\" {\n+  description = \"ARN of the CloudWatch Logs group for CloudTrail (optional, production only)\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"cloudtrail_cloudwatch_logs_role_arn\" {\n+  description = \"ARN of the IAM role for CloudTrail to write to CloudWatch Logs (optional, production only)\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"cloudtrail_kms_key_id\" {\n+  description = \"ARN of the KMS key for CloudTrail encryption (optional, production only)\"\n+  type        = string\n+  default     = \"\"\n+}\n+\n+variable \"enable_cloudtrail_log_file_validation\" {\n+  description = \"Enable CloudTrail log file validation\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"mfa_delete\" {\n+  description = \"Enable MFA delete for the CloudTrail S3 bucket\"\n+  type        = bool\n+  default     = false\n+}\n+\n+variable \"default_tags\" {\n+  description = \"Tags to apply to resources created by module\"\n+  type        = map(string)\n+  default = {\n+    Owner     = \"devops\"\n+    Terraform = \"true\"\n+  }\n+}\n+\n+variable \"mwaa_sftp_prefixes\" {\n+  description = \"List of S3 prefixes that MWAA should have access to (e.g., ['fiserv/*', 'crate_and_barrel/*', 'syf/*'])\"\n+  type        = list(string)\n+  default     = [\"fiserv/*\", \"crate_and_barrel/*\", \"syf/*\"]\n+}\ndiff --git a/modules/sftp/versions.tf b/modules/sftp/versions.tf\nnew file mode 100644\nindex 000000000..2eb3bfd21\n--- /dev/null\n+++ b/modules/sftp/versions.tf\n@@ -0,0 +1,10 @@\n+terraform {\n+  required_version = \">= 1.0\"\n+\n+  required_providers {\n+    aws = {\n+      source  = \"hashicorp/aws\"\n+      version = \">= 3.75.0\"\n+    }\n+  }\n+}\ndiff --git a/modules/static_web/cloudfront.tf b/modules/static_web/cloudfront.tf\nnew file mode 100644\nindex 000000000..b29bcb5e9\n--- /dev/null\n+++ b/modules/static_web/cloudfront.tf\n@@ -0,0 +1,145 @@\n+resource \"aws_cloudfront_origin_access_identity\" \"website_oai\" {\n+  comment = \"Origin Access Identity for ${var.website_name}\"\n+}\n+\n+resource \"aws_cloudfront_distribution\" \"website_cdn\" {\n+  origin {\n+    domain_name = aws_s3_bucket.website.bucket_regional_domain_name\n+    origin_id   = var.origin_id\n+\n+    s3_origin_config {\n+      origin_access_identity = aws_cloudfront_origin_access_identity.website_oai.cloudfront_access_identity_path\n+    }\n+  }\n+\n+  # CDN access logging configuration\n+  dynamic \"logging_config\" {\n+    for_each = var.enable_cdn_logging && var.cdn_logging_bucket != \"\" ? [\"true\"] : []\n+\n+    content {\n+      bucket = var.cdn_logging_bucket\n+      prefix = var.cdn_logging_prefix == \"\" ? var.website_name : var.cdn_logging_prefix\n+    }\n+  }\n+\n+  dynamic \"custom_error_response\" {\n+    for_each = length(keys(var.custom_error_response)) == 0 ? [] : [var.custom_error_response]\n+\n+    content {\n+      error_code = custom_error_response.value[\"error_code\"]\n+\n+      error_caching_min_ttl = lookup(custom_error_response.value, \"error_caching_min_ttl\", null)\n+      response_code         = lookup(custom_error_response.value, \"response_code\", null)\n+      response_page_path    = lookup(custom_error_response.value, \"response_page_path\", null)\n+    }\n+  }\n+\n+  enabled             = true\n+  is_ipv6_enabled     = true\n+  comment             = \"Cloudfront backed with S3 bucket ${var.website_name}\"\n+  default_root_object = var.default_root_object\n+\n+  aliases = var.website_alias\n+\n+  web_acl_id = var.web_acl_id\n+\n+  dynamic \"default_cache_behavior\" {\n+    for_each = length(keys(var.default_cache_behavior)) == 0 ? [] : [var.default_cache_behavior]\n+\n+    content {\n+      allowed_methods            = lookup(default_cache_behavior.value, \"allowed_methods\", [\"GET\", \"HEAD\", \"OPTIONS\"])\n+      cached_methods             = lookup(default_cache_behavior.value, \"cached_methods\", [\"GET\", \"HEAD\"])\n+      target_origin_id           = default_cache_behavior.value[\"target_origin_id\"]\n+      response_headers_policy_id = lookup(default_cache_behavior.value, \"response_headers_policy_id\", \"\")\n+\n+      viewer_protocol_policy = default_cache_behavior.value[\"viewer_protocol_policy\"]\n+      min_ttl                = lookup(default_cache_behavior.value, \"min_ttl\", null)\n+      default_ttl            = lookup(default_cache_behavior.value, \"default_ttl\", null)\n+      max_ttl                = lookup(default_cache_behavior.value, \"max_ttl\", null)\n+\n+      dynamic \"forwarded_values\" {\n+        for_each = [1]\n+\n+        content {\n+          query_string = lookup(default_cache_behavior.value, \"query_string\", false)\n+          headers      = lookup(default_cache_behavior.value, \"headers\", [])\n+\n+          cookies {\n+            forward = lookup(default_cache_behavior.value, \"cookies_forward\", \"none\")\n+          }\n+        }\n+      }\n+\n+      dynamic \"lambda_function_association\" {\n+        for_each = lookup(default_cache_behavior.value, \"lambda_function_association\", [])\n+\n+        content {\n+          event_type   = lambda_function_association.key\n+          lambda_arn   = lambda_function_association.value.lambda_arn\n+          include_body = lookup(lambda_function_association.value, \"include_body\", null)\n+        }\n+      }\n+    }\n+  }\n+\n+  dynamic \"ordered_cache_behavior\" {\n+    for_each = var.ordered_cache_behavior\n+\n+    content {\n+      path_pattern     = ordered_cache_behavior.value[\"path_pattern\"]\n+      allowed_methods  = lookup(ordered_cache_behavior.value, \"allowed_methods\", [\"GET\", \"HEAD\", \"OPTIONS\"])\n+      cached_methods   = lookup(ordered_cache_behavior.value, \"cached_methods\", [\"GET\", \"HEAD\"])\n+      target_origin_id = ordered_cache_behavior.value[\"target_origin_id\"]\n+\n+      min_ttl                = lookup(ordered_cache_behavior.value, \"min_ttl\", null)\n+      default_ttl            = lookup(ordered_cache_behavior.value, \"default_ttl\", null)\n+      max_ttl                = lookup(ordered_cache_behavior.value, \"max_ttl\", null)\n+      compress               = lookup(ordered_cache_behavior.value, \"compress\", null)\n+      viewer_protocol_policy = ordered_cache_behavior.value[\"viewer_protocol_policy\"]\n+\n+      dynamic \"forwarded_values\" {\n+        for_each = [1]\n+\n+        content {\n+          query_string = lookup(ordered_cache_behavior.value, \"query_string\", false)\n+          headers      = lookup(ordered_cache_behavior.value, \"headers\", [])\n+\n+          cookies {\n+            forward = lookup(ordered_cache_behavior.value, \"cookies_forward\", \"none\")\n+          }\n+        }\n+      }\n+\n+      dynamic \"lambda_function_association\" {\n+        for_each = lookup(ordered_cache_behavior.value, \"lambda_function_association\", [])\n+\n+        content {\n+          event_type   = lambda_function_association.key\n+          lambda_arn   = lambda_function_association.value.lambda_arn\n+          include_body = lookup(lambda_function_association.value, \"include_body\", null)\n+        }\n+      }\n+    }\n+  }\n+\n+  price_class = var.price_class\n+\n+  restrictions {\n+    geo_restriction {\n+      restriction_type = \"none\"\n+    }\n+  }\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Environment = var.environment\n+    }\n+  )\n+\n+  viewer_certificate {\n+    acm_certificate_arn      = var.acm_certificate_arn\n+    ssl_support_method       = \"sni-only\"\n+    minimum_protocol_version = var.minimum_protocol_version\n+  }\n+}\ndiff --git a/modules/static_web/locals.tf b/modules/static_web/locals.tf\nnew file mode 100644\nindex 000000000..bf404793c\n--- /dev/null\n+++ b/modules/static_web/locals.tf\n@@ -0,0 +1,3 @@\n+locals {\n+  bucket_name = \"${var.website_name}-${var.environment}\"\n+}\ndiff --git a/modules/static_web/outputs.tf b/modules/static_web/outputs.tf\nnew file mode 100644\nindex 000000000..f4de07f1d\n--- /dev/null\n+++ b/modules/static_web/outputs.tf\n@@ -0,0 +1,39 @@\n+output \"website_bucket_id\" {\n+  description = \"ID of the S3 bucket\"\n+  value       = aws_s3_bucket.website.id\n+}\n+\n+output \"website_bucket_arn\" {\n+  description = \"ARN of the S3 bucket\"\n+  value       = aws_s3_bucket.website.arn\n+}\n+\n+output \"website_bucket_regional_domain_name\" {\n+  description = \"Regional domain name of the S3 bucket\"\n+  value       = aws_s3_bucket.website.bucket_regional_domain_name\n+}\n+\n+output \"website_cdn_id\" {\n+  description = \"ID of the CloudFront distribution\"\n+  value       = aws_cloudfront_distribution.website_cdn.id\n+}\n+\n+output \"website_cdn_arn\" {\n+  description = \"ARN of the CloudFront distribution\"\n+  value       = aws_cloudfront_distribution.website_cdn.arn\n+}\n+\n+output \"website_cdn_domain_name\" {\n+  description = \"Domain name of the CloudFront distribution\"\n+  value       = aws_cloudfront_distribution.website_cdn.domain_name\n+}\n+\n+output \"website_cdn_hosted_zone_id\" {\n+  description = \"Route 53 zone ID for the CloudFront distribution (for alias records)\"\n+  value       = aws_cloudfront_distribution.website_cdn.hosted_zone_id\n+}\n+\n+output \"cloudfront_oai_iam_arn\" {\n+  description = \"IAM ARN of the CloudFront Origin Access Identity\"\n+  value       = aws_cloudfront_origin_access_identity.website_oai.iam_arn\n+}\ndiff --git a/modules/static_web/s3.tf b/modules/static_web/s3.tf\nnew file mode 100644\nindex 000000000..a1d5128a6\n--- /dev/null\n+++ b/modules/static_web/s3.tf\n@@ -0,0 +1,136 @@\n+# S3 Bucket for static website hosting\n+resource \"aws_s3_bucket\" \"website\" {\n+  bucket = local.bucket_name\n+\n+  tags = merge(\n+    var.default_tags,\n+    {\n+      Name        = local.bucket_name\n+      Environment = var.environment\n+    }\n+  )\n+}\n+\n+resource \"aws_s3_bucket_public_access_block\" \"website\" {\n+  bucket = aws_s3_bucket.website.id\n+\n+  block_public_acls       = true\n+  block_public_policy     = true\n+  ignore_public_acls      = true\n+  restrict_public_buckets = true\n+}\n+\n+resource \"aws_s3_bucket_versioning\" \"website\" {\n+  bucket = aws_s3_bucket.website.id\n+\n+  versioning_configuration {\n+    status = var.enable_versioning ? \"Enabled\" : \"Suspended\"\n+  }\n+}\n+\n+resource \"aws_s3_bucket_server_side_encryption_configuration\" \"website\" {\n+  bucket = aws_s3_bucket.website.id\n+\n+  rule {\n+    apply_server_side_encryption_by_default {\n+      sse_algorithm = \"AES256\"\n+    }\n+  }\n+}\n+\n+# Website configuration (optional)\n+resource \"aws_s3_bucket_website_configuration\" \"website\" {\n+  count  = length(keys(var.website)) > 0 ? 1 : 0\n+  bucket = aws_s3_bucket.website.id\n+\n+  dynamic \"index_document\" {\n+    for_each = lookup(var.website, \"index_document\", null) != null ? [1] : []\n+    content {\n+      suffix = var.website[\"index_document\"]\n+    }\n+  }\n+\n+  dynamic \"error_document\" {\n+    for_each = lookup(var.website, \"error_document\", null) != null ? [1] : []\n+    content {\n+      key = var.website[\"error_document\"]\n+    }\n+  }\n+\n+  dynamic \"redirect_all_requests_to\" {\n+    for_each = lookup(var.website, \"redirect_all_requests_to\", null) != null ? [1] : []\n+    content {\n+      host_name = var.website[\"redirect_all_requests_to\"]\n+    }\n+  }\n+}\n+\n+# CORS configuration (optional)\n+resource \"aws_s3_bucket_cors_configuration\" \"website\" {\n+  count  = length(var.cors_rule) > 0 ? 1 : 0\n+  bucket = aws_s3_bucket.website.id\n+\n+  dynamic \"cors_rule\" {\n+    for_each = var.cors_rule\n+    content {\n+      allowed_headers = lookup(cors_rule.value, \"allowed_headers\", null)\n+      allowed_methods = cors_rule.value.allowed_methods\n+      allowed_origins = cors_rule.value.allowed_origins\n+      expose_headers  = lookup(cors_rule.value, \"expose_headers\", null)\n+      max_age_seconds = lookup(cors_rule.value, \"max_age_seconds\", n

... [3 lines truncated] ...

File created successfully at: /Users/danielroth/.claude/plans/cheeky-wobbling-metcalfe.md

User has approved your plan. You can now start coding. Start with updating your todo list if applicable

Your plan has been saved to: /Users/danielroth/.claude/plans/cheeky-wobbling-metcalfe.md
You can refer back to it if needed during implementation.

## Approved Plan:
# PR #3034 Review: Phase 1 Module Extraction

## Overview
This PR introduces 6 Terraform modules for Phase 1 of a module extraction initiative, along with a CI/CD workflow for validation, documentation generation, and publishing.

**Branch**: `feature/phase1-module-extraction`
**Stats**: +2786 lines, 47 files
**Status**: All checks passing

## Modules Introduced
| Module | Purpose |
|--------|---------|
| `s3` | S3 bucket with policies, versioning, encryption, CloudFront OAI support |
| `secret` | Secrets Manager with multi-region replication (us-west-2) |
| `ddb` | DynamoDB with KMS encryption, multi-region replicas, GSI/LSI, CDC |
| `kinesis` | Kinesis Data Stream with KMS encryption, on-demand mode |
| `static_web` | Static website hosting (S3 + CloudFront) |
| `sftp` | SFTP Transfer Family with S3 backend, per-user IAM roles |

---

## Review Findings

### High Priority Issues

#### 1. S3 Module Uses Deprecated Resource Arguments
**File**: `modules/s3/main.tf`

The S3 module uses deprecated inline arguments (`acl`, `logging`, `server_side_encryption_configuration`, `versioning`, `website`, `cors_rule`) directly on `aws_s3_bucket`. These have been deprecated since AWS Provider 4.0 and will be removed in a future version.

```hcl
# Current (deprecated)
resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name
  acl    = var.acl  # DEPRECATED

  logging { ... }                                # DEPRECATED
  server_side_encryption_configuration { ... }  # DEPRECATED
  versioning { ... }                            # DEPRECATED
  website { ... }                               # DEPRECATED
  cors_rule { ... }                             # DEPRECATED
}
```

**Recommendation**: Use separate resources like `aws_s3_bucket_versioning`, `aws_s3_bucket_logging`, etc. (as done in `static_web` and `sftp` modules).

#### 2. Hardcoded External IDs in Kinesis Module
**File**: `modules/kinesis/locals.tf:10-13`

```hcl
local.external_ids = {
  "stg" : "00b1fd646b0cde66a",
  "prd" : "fe59fc39d8b19ff52",
}
```

Hardcoded secrets in code should be avoided. Consider moving these to variables or using Secrets Manager.

#### 3. KMS Key Policy Uses Principal `"*"`
**Files**: `modules/ddb/policy_doc.tf`, `modules/kinesis/kms.tf`

Both modules have KMS key policies with `principals { identifiers = ["*"] }` which is overly permissive, even with conditions. While conditions limit this, it's a security concern that security scanners will flag.

```hcl
principals {
  type        = "AWS"
  identifiers = ["*"]  # Overly permissive
}
```

---

### Medium Priority Issues

#### 4. Inconsistent Variable Naming
- `ddb` module uses `resource_count` (1 or 0) as a count replacement
- `kinesis` module uses `create` (bool)
- `s3` module has no enable/disable mechanism

**Recommendation**: Standardize on one pattern across all modules.

#### 5. Missing KMS Key Permissions for Cross-Region Replication
**File**: `modules/ddb/policy_doc.tf`

The DynamoDB KMS key policy includes `kms:Replicate*` but doesn't explicitly grant the necessary permissions for the DynamoDB service to use replica keys during global table operations.

#### 6. Duplicate Data Source
**File**: `modules/s3/data.tf` and `modules/s3/policy_doc.tf`

Two separate `aws_elb_service_account` data sources:
```hcl
# data.tf
data "aws_elb_service_account" "main" {}

# policy_doc.tf
data "aws_elb_service_account" "this" {
  count = var.attach_lb_log_delivery_policy ? 1 : 0
}
```

Only one is used (`this`). Remove the unused `main` data source.

#### 7. SFTP Module Missing `prevent_destroy` Lifecycle
**File**: `modules/sftp/s3.tf`

The DDB module has `prevent_destroy = true` but the SFTP S3 buckets don't, even though they store important data.

---

### Low Priority / Suggestions

#### 8. Provider Version Constraint Is Loose
All modules specify `version = ">= 3.75.0"` which is quite old. The S3 module uses deprecated patterns that require AWS Provider < 4.0, creating a conflict.

**Recommendation**: Either update S3 to use new patterns OR pin provider to `>= 3.75, < 4.0` to be explicit.

#### 9. Missing Variable Validation
Several variables would benefit from validation blocks:
- `environment` should validate against allowed values (prd, stg, sbx, preprd)
- `replica_regions` in ddb should validate against supported regions

#### 10. Documentation Missing in Individual Modules
While `modules/README.md` is comprehensive, individual module directories don't have README files. The workflow generates them with terraform-docs but they start empty.

#### 11. Workflow Needs Write Permissions for Docs Job
**File**: `.github/workflows/terraform-module-publish.yml`

The docs job tries to push commits but doesn't explicitly request write permissions:
```yaml
docs:
  # Missing: permissions: contents: write
```

---

## Summary

| Priority | Count | Items |
|----------|-------|-------|
| High | 3 | Deprecated S3 patterns, hardcoded secrets, permissive KMS policies |
| Medium | 4 | Inconsistent naming, duplicate data source, missing lifecycle protection |
| Low | 4 | Provider version, validation, docs, workflow permissions |

## Recommendation
The PR is a solid foundation for module extraction. Address the **High Priority** issues before merging:
1. Update S3 module to use non-deprecated resource patterns
2. Move hardcoded external IDs to variables with sensitive flag
3. Tighten KMS key policies or add explicit documentation about the conditions

The Medium/Low items can be addressed in follow-up PRs if needed.

Todos have been modified successfully. Ensure that you continue to use the todo list to track your progress. Please proceed with the current tasks if applicable

     1→locals {
     2→  # Respect user-specified logging_target_bucket_name, otherwise use pre-defined value based on region
     3→  logging_target_bucket_name = var.logging_target_bucket_name != "" ? var.logging_target_bucket_name : data.aws_region.current.name == "us-east-1" ? "imprint-s3-access-log" : "imprint-s3-access-log-${data.aws_region.current.name}"
     4→
     5→  logging_target_bucket = {
     6→    prd    = "${var.environment}-${local.logging_target_bucket_name}"
     7→    stg    = "stg-${local.logging_target_bucket_name}"
     8→    sbx    = "stg-${local.logging_target_bucket_name}"
     9→    preprd = "${var.environment}-${local.logging_target_bucket_name}"
    10→  }
    11→}
    12→
    13→resource "aws_s3_bucket" "bucket" {
    14→  bucket = var.bucket_name
    15→  acl    = var.acl
    16→
    17→  logging {
    18→    target_bucket = lookup(
    19→      local.logging_target_bucket,
    20→      var.environment,
    21→      ""
    22→    )
    23→    target_prefix = "${var.bucket_name}/"
    24→  }
    25→
    26→  server_side_encryption_configuration {
    27→    rule {
    28→      apply_server_side_encryption_by_default {
    29→        sse_algorithm = "AES256"
    30→      }
    31→    }
    32→  }
    33→
    34→  versioning {
    35→    # Force bucket versioning on prd according to SOC2 compliance
    36→    enabled    = var.enable_versioning || var.environment == "prd"
    37→    mfa_delete = var.mfa_delete
    38→  }
    39→
    40→  dynamic "website" {
    41→    for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    42→
    43→    content {
    44→      index_document           = lookup(website.value, "index_document", null)
    45→      error_document           = lookup(website.value, "error_document", null)
    46→      redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    47→      routing_rules            = lookup(website.value, "routing_rules", null)
    48→    }
    49→  }
    50→
    51→  dynamic "cors_rule" {
    52→    for_each = var.cors_rule
    53→
    54→    content {
    55→      allowed_methods = cors_rule.value.allowed_methods
    56→      allowed_origins = cors_rule.value.allowed_origins
    57→      allowed_headers = lookup(cors_rule.value, "allowed_headers", null)
    58→      expose_headers  = lookup(cors_rule.value, "expose_headers", null)
    59→      max_age_seconds = lookup(cors_rule.value, "max_age_seconds", null)
    60→    }
    61→  }
    62→
    63→  tags = merge(
    64→    var.default_tags,
    65→    {
    66→      Environment = var.environment
    67→    }
    68→  )
    69→}
    70→
    71→resource "aws_s3_bucket_public_access_block" "bucket_public_access_block" {
    72→  bucket = aws_s3_bucket.bucket.id
    73→
    74→  block_public_acls       = true
    75→  block_public_policy     = true
    76→  ignore_public_acls      = true
    77→  restrict_public_buckets = true
    78→}
    79→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

     1→variable "environment" {
     2→  description = "Environment name (e.g., prd, stg, sbx)"
     3→  type        = string
     4→}
     5→
     6→variable "bucket_name" {
     7→  description = "Name of the S3 bucket"
     8→  type        = string
     9→}
    10→
    11→variable "logging_target_bucket_name" {
    12→  description = "Target bucket for access logging. If empty, uses environment-based default."
    13→  type        = string
    14→  default     = ""
    15→}
    16→
    17→variable "acl" {
    18→  description = "Canned ACL to apply to the bucket"
    19→  type        = string
    20→  default     = "private"
    21→}
    22→
    23→variable "mfa_delete" {
    24→  description = "Enable MFA delete for bucket versioning"
    25→  type        = bool
    26→  default     = false
    27→}
    28→
    29→variable "enable_versioning" {
    30→  description = "Enable bucket versioning. Refer to https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html"
    31→  type        = bool
    32→  default     = false
    33→}
    34→
    35→variable "service" {
    36→  description = "Name of the calling workspace. Used for resource naming, IAM path, etc."
    37→  type        = string
    38→  default     = ""
    39→}
    40→
    41→variable "website" {
    42→  description = "Map containing static web-site hosting or redirect configuration."
    43→  type        = map(string)
    44→  default     = {}
    45→}
    46→
    47→variable "cors_rule" {
    48→  description = "List of maps containing rules for Cross-Origin Resource Sharing."
    49→  type        = any
    50→  default     = []
    51→}
    52→
    53→variable "default_tags" {
    54→  description = "Tags to apply to resources created by module"
    55→  type        = map(string)
    56→  default = {
    57→    Owner     = "devops"
    58→    Terraform = "true"
    59→    Version   = "20210414"
    60→  }
    61→}
    62→
    63→variable "attach_lb_log_delivery_policy" {
    64→  description = "Controls if S3 bucket should have ALB/NLB log delivery policy attached"
    65→  type        = bool
    66→  default     = false
    67→}
    68→
    69→variable "attach_cloudfront_oai_policy" {
    70→  description = "Controls if S3 bucket should allow CDN access"
    71→  type        = bool
    72→  default     = false
    73→}
    74→
    75→variable "attach_bucket_owner_full_control_policy" {
    76→  description = "Controls if S3 bucket should have bucket owner full control"
    77→  type        = bool
    78→  default     = false
    79→}
    80→
    81→variable "cloudfront_oai_iam_arn" {
    82→  description = "IAM ARN for CDN origin access identity, specify only when attach_cloudfront_oai_policy is true"
    83→  type        = string
    84→  default     = ""
    85→}
    86→
    87→variable "attach_cloudtrail_policy" {
    88→  description = "Determine whether cloudtrail should be able to write to this bucket"
    89→  type        = bool
    90→  default     = false
    91→}
    92→
    93→variable "additional_policy" {
    94→  description = "Additional policy JSON the S3 bucket should attach"
    95→  type        = string
    96→  default     = ""
    97→}
    98→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

     1→data "aws_region" "current" {}
     2→
     3→data "aws_caller_identity" "current" {}
     4→
     5→data "aws_elb_service_account" "main" {}
     6→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

     1→data "aws_elb_service_account" "this" {
     2→  count = var.attach_lb_log_delivery_policy ? 1 : 0
     3→}
     4→
     5→data "aws_iam_policy_document" "lb_log_delivery" {
     6→  count = var.attach_lb_log_delivery_policy ? 1 : 0
     7→
     8→  statement {
     9→    sid = "AWSLogDeliveryAccess"
    10→
    11→    principals {
    12→      type        = "AWS"
    13→      identifiers = data.aws_elb_service_account.this.*.arn
    14→    }
    15→
    16→    effect = "Allow"
    17→
    18→    actions = [
    19→      "s3:PutObject",
    20→    ]
    21→
    22→    resources = [
    23→      "${aws_s3_bucket.bucket.arn}/*",
    24→    ]
    25→  }
    26→
    27→  statement {
    28→    sid = "AWSLogDeliveryWrite"
    29→
    30→    principals {
    31→      type        = "Service"
    32→      identifiers = ["delivery.logs.amazonaws.com"]
    33→    }
    34→
    35→    effect = "Allow"
    36→
    37→    actions = [
    38→      "s3:PutObject",
    39→    ]
    40→
    41→    resources = [
    42→      "${aws_s3_bucket.bucket.arn}/*",
    43→    ]
    44→
    45→    condition {
    46→      test     = "StringEquals"
    47→      variable = "s3:x-amz-acl"
    48→      values   = ["bucket-owner-full-control"]
    49→    }
    50→  }
    51→
    52→  statement {
    53→    sid = "AWSLogDeliveryAclCheck"
    54→
    55→    effect = "Allow"
    56→
    57→    principals {
    58→      type        = "Service"
    59→      identifiers = ["delivery.logs.amazonaws.com"]
    60→    }
    61→
    62→    actions = [
    63→      "s3:GetBucketAcl",
    64→    ]
    65→
    66→    resources = [
    67→      aws_s3_bucket.bucket.arn,
    68→    ]
    69→  }
    70→}
    71→
    72→data "aws_iam_policy_document" "deny_insecure_transport" {
    73→  statement {
    74→    sid    = "denyInsecureTransport"
    75→    effect = "Deny"
    76→
    77→    actions = [
    78→      "s3:*",
    79→    ]
    80→
    81→    resources = [
    82→      aws_s3_bucket.bucket.arn,
    83→      "${aws_s3_bucket.bucket.arn}/*",
    84→    ]
    85→
    86→    principals {
    87→      type        = "*"
    88→      identifiers = ["*"]
    89→    }
    90→
    91→    condition {
    92→      test     = "Bool"
    93→      variable = "aws:SecureTransport"
    94→      values = [
    95→        "false"
    96→      ]
    97→    }
    98→  }
    99→}
   100→
   101→data "aws_iam_policy_document" "cloudfront_oai" {
   102→  count = var.attach_cloudfront_oai_policy ? 1 : 0
   103→
   104→  statement {
   105→    sid = "cdnOrignAccess"
   106→
   107→    effect = "Allow"
   108→    actions = [
   109→      "s3:GetObject"
   110→    ]
   111→
   112→    resources = [
   113→      "${aws_s3_bucket.bucket.arn}/*",
   114→    ]
   115→
   116→    principals {
   117→      type        = "AWS"
   118→      identifiers = [var.cloudfront_oai_iam_arn]
   119→    }
   120→  }
   121→}
   122→
   123→data "aws_iam_policy_document" "bucket_owner_full_control" {
   124→  count = var.attach_bucket_owner_full_control_policy ? 1 : 0
   125→
   126→  statement {
   127→    sid    = "InventoryAndAnalyticsExamplePolicy"
   128→    effect = "Allow"
   129→
   130→    actions = [
   131→      "s3:PutObject",
   132→    ]
   133→
   134→    resources = [
   135→      "${aws_s3_bucket.bucket.arn}/*",
   136→    ]
   137→
   138→    principals {
   139→      type        = "Service"
   140→      identifiers = ["s3.amazonaws.com"]
   141→    }
   142→
   143→    condition {
   144→      test     = "StringEquals"
   145→      variable = "aws:SourceAccount"
   146→      values = [
   147→        data.aws_caller_identity.current.account_id
   148→      ]
   149→    }
   150→
   151→    condition {
   152→      test     = "StringEquals"
   153→      variable = "s3:x-amz-acl"
   154→      values = [
   155→        "bucket-owner-full-control"
   156→      ]
   157→    }
   158→
   159→    condition {
   160→      test     = "ArnLike"
   161→      variable = "aws:SourceArn"
   162→      values = [
   163→        aws_s3_bucket.bucket.arn
   164→      ]
   165→    }
   166→  }
   167→}
   168→
   169→data "aws_iam_policy_document" "allow_cloudtrail_access" {
   170→  count = var.attach_cloudtrail_policy ? 1 : 0
   171→
   172→  statement {
   173→    sid = "CloudtrailGetAcl"
   174→
   175→    effect = "Allow"
   176→
   177→    actions = [
   178→      "s3:GetBucketAcl",
   179→    ]
   180→
   181→    resources = [
   182→      aws_s3_bucket.bucket.arn,
   183→    ]
   184→
   185→    principals {
   186→      type        = "Service"
   187→      identifiers = ["cloudtrail.amazonaws.com"]
   188→    }
   189→  }
   190→
   191→  statement {
   192→    sid = "CloudtrailPutObject"
   193→
   194→    effect = "Allow"
   195→
   196→    actions = [
   197→      "s3:PutObject",
   198→    ]
   199→
   200→    resources = [
   201→      "${aws_s3_bucket.bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
   202→    ]
   203→
   204→    principals {
   205→      type        = "Service"
   206→      identifiers = ["cloudtrail.amazonaws.com"]
   207→    }
   208→
   209→    condition {
   210→      test     = "StringEquals"
   211→      variable = "s3:x-amz-acl"
   212→      values   = ["bucket-owner-full-control"]
   213→    }
   214→  }
   215→}
   216→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/s3/main.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→locals {
     2→  # Respect user-specified logging_target_bucket_name, otherwise use pre-defined value based on region
     3→  logging_target_bucket_name = var.logging_target_bucket_name != "" ? var.logging_target_bucket_name : data.aws_region.current.name == "us-east-1" ? "imprint-s3-access-log" : "imprint-s3-access-log-${data.aws_region.current.name}"
     4→
     5→  logging_target_bucket = {
     6→    prd    = "${var.environment}-${local.logging_target_bucket_name}"
     7→    stg    = "stg-${local.logging_target_bucket_name}"
     8→    sbx    = "stg-${local.logging_target_bucket_name}"
     9→    preprd = "${var.environment}-${local.logging_target_bucket_name}"
    10→  }
    11→}
    12→
    13→resource "aws_s3_bucket" "bucket" {
    14→  bucket = var.bucket_name
    15→
    16→  tags = merge(
    17→    var.default_tags,
    18→    {
    19→      Environment = var.environment
    20→    }
    21→  )
    22→}
    23→
    24→resource "aws_s3_bucket_ownership_controls" "bucket" {
    25→  bucket = aws_s3_bucket.bucket.id
    26→
    27→  rule {
    28→    object_ownership = var.acl == "private" ? "BucketOwnerEnforced" : "BucketOwnerPreferred"
    29→  }
    30→}
    31→
    32→resource "aws_s3_bucket_acl" "bucket" {
    33→  count = var.acl != "private" ? 1 : 0
    34→
    35→  bucket = aws_s3_bucket.bucket.id
    36→  acl    = var.acl
    37→
    38→  depends_on = [aws_s3_bucket_ownership_controls.bucket]
    39→}
    40→
    41→resource "aws_s3_bucket_logging" "bucket" {
    42→  bucket = aws_s3_bucket.bucket.id
    43→
    44→  target_bucket = lookup(
    45→    local.logging_target_bucket,
    46→    var.environment,
    47→    ""
    48→  )
    49→  target_prefix = "${var.bucket_name}/"
    50→}
    51→
    52→resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
    53→  bucket = aws_s3_bucket.bucket.id
    54→
    55→  rule {
    56→    apply_server_side_encryption_by_default {
    57→      sse_algorithm = "AES256"
    58→    }
    59→  }
    60→}
    61→
    62→resource "aws_s3_bucket_versioning" "bucket" {
    63→  bucket = aws_s3_bucket.bucket.id
    64→
    65→  versioning_configuration {
    66→    # Force bucket versioning on prd according to SOC2 compliance
    67→    status     = var.enable_versioning || var.environment == "prd" ? "Enabled" : "Suspended"
    68→    mfa_delete = var.mfa_delete ? "Enabled" : "Disabled"
    69→  }
    70→}
    71→
    72→resource "aws_s3_bucket_website_configuration" "bucket" {
    73→  count  = length(keys(var.website)) > 0 ? 1 : 0
    74→  bucket = aws_s3_bucket.bucket.id
    75→
    76→  dynamic "index_document" {
    77→    for_each = lookup(var.website, "index_document", null) != null ? [1] : []
    78→    content {
    79→      suffix = var.website["index_document"]
    80→    }
    81→  }
    82→
    83→  dynamic "error_document" {
    84→    for_each = lookup(var.website, "error_document", null) != null ? [1] : []
    85→    content {
    86→      key = var.website["error_document"]
    87→    }
    88→  }
    89→
    90→  dynamic "redirect_all_requests_to" {
    91→    for_each = lookup(var.website, "redirect_all_requests_to", null) != null ? [1] : []
    92→    content {
    93→      host_name = var.website["redirect_all_requests_to"]
    94→    }
    95→  }
    96→}
    97→
    98→resource "aws_s3_bucket_cors_configuration" "bucket" {
    99→  count  = length(var.cors_rule) > 0 ? 1 : 0
   100→  bucket = aws_s3_bucket.bucket.id
   101→
   102→  dynamic "cors_rule" {
   103→    for_each = var.cors_rule
   104→
   105→    content {
   106→      allowed_methods = cors_rule.value.allowed_methods
   107→      allowed_origins = cors_rule.value.allowed_origins
   108→      allowed_headers = lookup(cors_rule.value, "allowed_headers", null)
   109→      expose_headers  = lookup(cors_rule.value, "expose_headers", null)
   110→      max_age_seconds = lookup(cors_rule.value, "max_age_seconds", null)
   111→    }
   112→  }
   113→}
   114→
   115→resource "aws_s3_bucket_public_access_block" "bucket_public_access_block" {
   116→  bucket = aws_s3_bucket.bucket.id
   117→
   118→  block_public_acls       = true
   119→  block_public_policy     = true
   120→  ignore_public_acls      = true
   121→  restrict_public_buckets = true
   122→}
   123→

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/s3/data.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→data "aws_region" "current" {}
     2→
     3→data "aws_caller_identity" "current" {}
     4→

     1→terraform {
     2→  required_version = ">= 1.0"
     3→
     4→  required_providers {
     5→    aws = {
     6→      source  = "hashicorp/aws"
     7→      version = ">= 3.75.0"
     8→    }
     9→  }
    10→}
    11→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/s3/versions.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→terraform {
     2→  required_version = ">= 1.0"
     3→
     4→  required_providers {
     5→    aws = {
     6→      source  = "hashicorp/aws"
     7→      version = ">= 4.0"
     8→    }
     9→  }
    10→}
    11→

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 4.0.0"...
- Installing hashicorp/aws v6.28.0...
- Installed hashicorp/aws v6.28.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

╷
│ Warning: Deprecated attribute
│ 
│   on main.tf line 3, in locals:
│    3:   logging_target_bucket_name = var.logging_target_bucket_name != "" ? var.logging_target_bucket_name : data.aws_region.current.name == "us-east-1" ? "imprint-s3-access-log" : "imprint-s3-access-log-${data.aws_region.current.name}"
│ 
│ The attribute "name" is deprecated. Refer to the provider documentation for
│ details.
│ 
│ (and one more similar warning elsewhere)
╵
Success! The configuration is valid, but there were some
validation warnings as shown above.


Todos have been modified successfully. Ensure that you continue to use the todo list to track your progress. Please proceed with the current tasks if applicable

     1→locals {
     2→  encryption_type = "KMS"
     3→  stream_mode     = "ON_DEMAND"
     4→
     5→  env_name       = "${var.environment}_${var.name}"
     6→  aws_account_id = data.aws_caller_identity.current.account_id
     7→  region         = "us-east-1"
     8→
     9→  count = var.create ? 1 : 0
    10→
    11→  external_ids = {
    12→    "stg" : "00b1fd646b0cde66a",
    13→    "prd" : "fe59fc39d8b19ff52",
    14→  }
    15→  external_id = "${var.environment}_hevo_ddb_connector_${lookup(local.external_ids, var.environment, local.external_ids["stg"])}"
    16→}
    17→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

     1→variable "create" {
     2→  description = "Whether to create the kinesis stream and associated resources"
     3→  type        = bool
     4→  default     = true
     5→}
     6→
     7→variable "environment" {
     8→  description = "Environment name (e.g., prd, stg, sbx)"
     9→  type        = string
    10→}
    11→
    12→variable "name" {
    13→  description = "Name of the Kinesis stream"
    14→  type        = string
    15→}
    16→
    17→variable "region" {
    18→  description = "AWS region"
    19→  type        = string
    20→  default     = "us-east-1"
    21→}
    22→
    23→variable "retention_period_hours" {
    24→  description = "The number of hours for data records to remain accessible"
    25→  type        = number
    26→  default     = 7 * 24
    27→}
    28→
    29→variable "external_accounts" {
    30→  description = "The AWS account IDs of any external AWS account that needs to use the key"
    31→  type        = list(string)
    32→  default     = []
    33→}
    34→
    35→# Module inputs replacing terraform_remote_state dependencies
    36→variable "sre_group_iam_arns" {
    37→  description = "List of IAM ARNs for SRE group members (replaces terraform_remote_state.users.outputs.group_sre_iam_arns)"
    38→  type        = list(string)
    39→}
    40→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/kinesis/variables.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
    31→  type        = list(string)
    32→  default     = []
    33→}
    34→
    35→# Module inputs replacing terraform_remote_state dependencies
    36→variable "sre_group_iam_arns" {
    37→  description = "List of IAM ARNs for SRE group members (replaces terraform_remote_state.users.outputs.group_sre_iam_arns)"
    38→  type        = list(string)
    39→}
    40→
    41→variable "hevo_connector_external_id" {
    42→  description = "External ID for Hevo DDB connector assume role policy. This is a secret value provided by Hevo."
    43→  type        = string
    44→  sensitive   = true
    45→}
    46→

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/kinesis/locals.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→locals {
     2→  encryption_type = "KMS"
     3→  stream_mode     = "ON_DEMAND"
     4→
     5→  env_name       = "${var.environment}_${var.name}"
     6→  aws_account_id = data.aws_caller_identity.current.account_id
     7→  region         = "us-east-1"
     8→
     9→  count = var.create ? 1 : 0
    10→
    11→  # External ID now provided via variable (sensitive) instead of hardcoded values
    12→  external_id = "${var.environment}_hevo_ddb_connector_${var.hevo_connector_external_id}"
    13→}
    14→

should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Success! The configuration is valid.


     1→resource "aws_kms_key" "customer_managed_key" {
     2→  count = local.count
     3→
     4→  description         = "kinesis/${local.env_name}"
     5→  enable_key_rotation = true
     6→  is_enabled          = true
     7→  policy              = data.aws_iam_policy_document.kms_key_policy[0].json
     8→}
     9→
    10→data "aws_iam_policy_document" "kms_key_policy" {
    11→  count = local.count
    12→
    13→  statement {
    14→    sid    = "Kinesis Accessor Policy"
    15→    effect = "Allow"
    16→    principals {
    17→      identifiers = ["*"]
    18→      type        = "AWS"
    19→    }
    20→    actions = [
    21→      "kms:Encrypt",
    22→      "kms:Decrypt",
    23→      "kms:ReEncrypt*",
    24→      "kms:GenerateDataKey*",
    25→      "kms:DescribeKey",
    26→    ]
    27→    resources = ["arn:aws:kms:${var.region}:${local.aws_account_id}:key/*"]
    28→    condition {
    29→      test     = "StringEquals"
    30→      values   = [local.aws_account_id]
    31→      variable = "kms:CallerAccount"
    32→    }
    33→    condition {
    34→      test     = "StringEquals"
    35→      values   = ["kinesis.${var.region}.amazonaws.com"]
    36→      variable = "kms:ViaService"
    37→    }
    38→  }
    39→
    40→  statement {
    41→    sid    = "Allow direct access to key metadata to the account"
    42→    effect = "Allow"
    43→    principals {
    44→      type        = "AWS"
    45→      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
    46→    }
    47→    actions = [
    48→      "kms:Describe*",
    49→      "kms:Get*",
    50→      "kms:List*"
    51→    ]
    52→    resources = ["arn:aws:kms:${var.region}:${local.aws_account_id}:key/*"]
    53→  }
    54→
    55→  statement {
    56→    sid    = "Key Administrator Policy"
    57→    effect = "Allow"
    58→    principals {
    59→      type        = "AWS"
    60→      identifiers = var.environment == "prd" ? ["arn:aws:iam::${local.aws_account_id}:user/${var.environment}-tf"] : ["arn:aws:iam::${local.aws_account_id}:user/stg-tf"]
    61→
    62→    }
    63→    principals {
    64→      type        = "AWS"
    65→      identifiers = var.sre_group_iam_arns
    66→    }
    67→
    68→    actions = [
    69→      "kms:Create*",
    70→      "kms:Describe*",
    71→      "kms:Enable*",
    72→      "kms:List*",
    73→      "kms:Put*",
    74→      "kms:Update*",
    75→      "kms:Revoke*",
    76→      "kms:Disable*",
    77→      "kms:Get*",
    78→      "kms:Delete*",
    79→      "kms:TagResource",
    80→      "kms:UntagResource",
    81→      "kms:ScheduleKeyDeletion",
    82→      "kms:CancelKeyDeletion",
    83→      "kms:Replicate*"
    84→    ]
    85→
    86→    resources = ["arn:aws:kms:${var.region}:${local.aws_account_id}:key/*"]
    87→  }
    88→
    89→  dynamic "statement" {
    90→    for_each = var.external_accounts
    91→    content {
    92→      sid    = "External ${statement.value} Accessor Policy"
    93→      effect = "Allow"
    94→      principals {
    95→        identifiers = ["arn:aws:iam::${statement.value}:root"]
    96→        type        = "AWS"
    97→      }
    98→      actions = [
    99→        "kms:Encrypt",
   100→        "kms:Decrypt",
   101→        "kms:ReEncrypt*",
   102→        "kms:GenerateDataKey*",
   103→        "kms:DescribeKey"
   104→      ]
   105→      resources = ["arn:aws:kms:${var.region}:${local.aws_account_id}:key/*"]
   106→    }
   107→  }
   108→}
   109→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

     1→data "aws_iam_policy_document" "kms_key_policy" {
     2→  count = var.resource_count
     3→
     4→  statement {
     5→    sid    = "DDB Table Accessor Policy"
     6→    effect = "Allow"
     7→
     8→    principals {
     9→      type        = "AWS"
    10→      identifiers = ["*"]
    11→    }
    12→
    13→    actions = [
    14→      "kms:Encrypt",
    15→      "kms:Decrypt",
    16→      "kms:ReEncrypt*",
    17→      "kms:GenerateDataKey*",
    18→      "kms:CreateGrant",
    19→      "kms:DescribeKey",
    20→    ]
    21→
    22→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
    23→
    24→    condition {
    25→      test     = "StringEquals"
    26→      variable = "kms:CallerAccount"
    27→      values   = [local.account_id]
    28→    }
    29→
    30→    condition {
    31→      test     = "StringLike"
    32→      variable = "kms:ViaService"
    33→      values   = ["dynamodb.*.amazonaws.com"]
    34→    }
    35→  }
    36→
    37→  statement {
    38→    sid    = "KeyAdministratorPolicy"
    39→    effect = "Allow"
    40→
    41→    principals {
    42→      type        = "AWS"
    43→      identifiers = [var.kms_key_administrator_arn]
    44→    }
    45→
    46→    actions = [
    47→      "kms:Create*",
    48→      "kms:Describe*",
    49→      "kms:Enable*",
    50→      "kms:List*",
    51→      "kms:Put*",
    52→      "kms:Update*",
    53→      "kms:Revoke*",
    54→      "kms:Disable*",
    55→      "kms:Get*",
    56→      "kms:Delete*",
    57→      "kms:TagResource",
    58→      "kms:UntagResource",
    59→      "kms:ScheduleKeyDeletion",
    60→      "kms:CancelKeyDeletion",
    61→      "kms:Replicate*",
    62→    ]
    63→
    64→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
    65→  }
    66→
    67→  statement {
    68→    sid    = "AllowAccountToManageKeyPolicy"
    69→    effect = "Allow"
    70→
    71→    principals {
    72→      type        = "AWS"
    73→      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    74→    }
    75→
    76→    actions = [
    77→      "kms:PutKeyPolicy",
    78→      "kms:GetKeyPolicy",
    79→    ]
    80→
    81→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
    82→  }
    83→
    84→  statement {
    85→    sid    = "AllowDirectAccessToKeyMetadata"
    86→    effect = "Allow"
    87→
    88→    principals {
    89→      type        = "AWS"
    90→      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    91→    }
    92→
    93→    actions = [
    94→      "kms:Describe*",
    95→      "kms:Get*",
    96→      "kms:List*",
    97→      "kms:RevokeGrant",
    98→    ]
    99→
   100→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
   101→  }
   102→
   103→  statement {
   104→    sid    = "AllowDynamoDBDescribe"
   105→    effect = "Allow"
   106→
   107→    principals {
   108→      type        = "Service"
   109→      identifiers = ["dynamodb.amazonaws.com"]
   110→    }
   111→
   112→    actions = [
   113→      "kms:Describe*",
   114→      "kms:Get*",
   115→      "kms:List*",
   116→    ]
   117→
   118→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
   119→  }
   120→}
   121→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

Todos have been modified successfully. Ensure that you continue to use the todo list to track your progress. Please proceed with the current tasks if applicable

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/kinesis/kms.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     9→
    10→data "aws_iam_policy_document" "kms_key_policy" {
    11→  count = local.count
    12→
    13→  # Allow Kinesis service to use this key for encryption/decryption
    14→  # Using account root with kms:ViaService condition restricts usage to Kinesis service calls
    15→  # from principals within this account only
    16→  statement {
    17→    sid    = "Kinesis Accessor Policy"
    18→    effect = "Allow"
    19→    principals {
    20→      identifiers = ["arn:aws:iam::${local.aws_account_id}:root"]
    21→      type        = "AWS"
    22→    }
    23→    actions = [
    24→      "kms:Encrypt",
    25→      "kms:Decrypt",
    26→      "kms:ReEncrypt*",
    27→      "kms:GenerateDataKey*",
    28→      "kms:DescribeKey",
    29→    ]
    30→    resources = ["arn:aws:kms:${var.region}:${local.aws_account_id}:key/*"]
    31→    condition {
    32→      test     = "StringEquals"
    33→      values   = ["kinesis.${var.region}.amazonaws.com"]
    34→      variable = "kms:ViaService"
    35→    }
    36→  }
    37→
    38→  statement {
    39→    sid    = "Allow direct access to key metadata to the account"
    40→    effect = "Allow"

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/policy_doc.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→data "aws_iam_policy_document" "kms_key_policy" {
     2→  count = var.resource_count
     3→
     4→  # Allow DynamoDB service to use this key for encryption/decryption
     5→  # Using account root with kms:ViaService condition restricts usage to DynamoDB service calls
     6→  # from principals within this account only. Supports multi-region (global tables) via wildcard.
     7→  statement {
     8→    sid    = "DDB Table Accessor Policy"
     9→    effect = "Allow"
    10→
    11→    principals {
    12→      type        = "AWS"
    13→      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    14→    }
    15→
    16→    actions = [
    17→      "kms:Encrypt",
    18→      "kms:Decrypt",
    19→      "kms:ReEncrypt*",
    20→      "kms:GenerateDataKey*",
    21→      "kms:CreateGrant",
    22→      "kms:DescribeKey",
    23→    ]
    24→
    25→    resources = ["arn:aws:kms:*:${local.account_id}:key/*"]
    26→
    27→    condition {
    28→      test     = "StringLike"
    29→      variable = "kms:ViaService"
    30→      values   = ["dynamodb.*.amazonaws.com"]
    31→    }
    32→  }
    33→
    34→  statement {
    35→    sid    = "KeyAdministratorPolicy"
    36→    effect = "Allow"

Success! The configuration is valid.


/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/versions.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/variables.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/locals.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/data.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/main.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/kms.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/policy.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/cdc.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/outputs.tf
/Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/policy_doc.tf

     1→terraform {
     2→  required_version = ">= 1.0"
     3→
     4→  required_providers {
     5→    aws = {
     6→      source  = "hashicorp/aws"
     7→      version = ">= 3.75.0"
     8→      configuration_aliases = [
     9→        aws.default,
    10→        aws.replica-us-west-2,
    11→        aws.replica-us-east-2,
    12→      ]
    13→    }
    14→  }
    15→}
    16→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

╷
│ Warning: Deprecated attribute
│ 
│   on main.tf line 3, in locals:
│    3:   logging_target_bucket_name = var.logging_target_bucket_name != "" ? var.logging_target_bucket_name : data.aws_region.current.name == "us-east-1" ? "imprint-s3-access-log" : "imprint-s3-access-log-${data.aws_region.current.name}"
│ 
│ The attribute "name" is deprecated. Refer to the provider documentation for
│ details.
│ 
│ (and one more similar warning elsewhere)
╵
Success! The configuration is valid, but there were some
validation warnings as shown above.

Success! The configuration is valid.


Todos have been modified successfully. Ensure that you continue to use the todo list to track your progress. Please proceed with the current tasks if applicable

     1→name: Terraform Module CI/CD
     2→
     3→on:
     4→  push:
     5→    branches:
     6→      - main
     7→    tags:
     8→      - 'v*'
     9→  pull_request:
    10→    branches:
    11→      - main
    12→
    13→env:
    14→  TF_VERSION: "1.5.0"
    15→
    16→jobs:
    17→  validate:
    18→    name: Validate Modules
    19→    runs-on: ubuntu-latest
    20→    strategy:
    21→      fail-fast: false
    22→      matrix:
    23→        module:
    24→          - s3
    25→          - secret
    26→          - ddb
    27→          - kinesis
    28→          - static_web
    29→          - sftp
    30→
    31→    steps:
    32→      - name: Checkout
    33→        uses: actions/checkout@v4
    34→
    35→      - name: Setup Terraform
    36→        uses: hashicorp/setup-terraform@v3
    37→        with:
    38→          terraform_version: ${{ env.TF_VERSION }}
    39→
    40→      - name: Terraform Format Check
    41→        working-directory: modules/${{ matrix.module }}
    42→        run: terraform fmt -check -recursive
    43→
    44→      - name: Terraform Init
    45→        working-directory: modules/${{ matrix.module }}
    46→        run: terraform init -backend=false
    47→
    48→      - name: Terraform Validate
    49→        working-directory: modules/${{ matrix.module }}
    50→        run: terraform validate
    51→
    52→  docs:
    53→    name: Generate Documentation
    54→    runs-on: ubuntu-latest
    55→    needs: validate
    56→    if: github.event_name == 'pull_request'
    57→
    58→    steps:
    59→      - name: Checkout
    60→        uses: actions/checkout@v4
    61→        with:
    62→          ref: ${{ github.event.pull_request.head.ref }}
    63→          token: ${{ secrets.GITHUB_TOKEN }}
    64→
    65→      - name: Render terraform docs
    66→        uses: terraform-docs/gh-actions@v1.2.0
    67→        with:
    68→          working-dir: modules/s3,modules/secret,modules/ddb,modules/kinesis,modules/static_web,modules/sftp
    69→          output-file: README.md
    70→          output-method: inject
    71→          git-push: "true"
    72→          git-commit-message: "docs: auto-generate terraform-docs README"
    73→
    74→  # Publish to Terraform Cloud Private Registry on version tags
    75→  publish:
    76→    name: Publish to Terraform Cloud
    77→    runs-on: ubuntu-latest
    78→    needs: validate
    79→    if: startsWith(github.ref, 'refs/tags/v')
    80→
    81→    steps:
    82→      - name: Checkout
    83→        uses: actions/checkout@v4
    84→
    85→      - name: Extract version from tag
    86→        id: version
    87→        run: |
    88→          VERSION=${GITHUB_REF#refs/tags/v}
    89→          echo "version=$VERSION" >> $GITHUB_OUTPUT
    90→          echo "Publishing version: $VERSION"
    91→
    92→      - name: Setup Terraform
    93→        uses: hashicorp/setup-terraform@v3
    94→        with:
    95→          terraform_version: ${{ env.TF_VERSION }}
    96→          cli_config_credentials_token: ${{ secrets.TFC_API_TOKEN }}
    97→
    98→      # Note: Terraform Cloud private registry modules are published via VCS integration
    99→      # This step creates a GitHub release which TFC can consume
   100→      - name: Create GitHub Release
   101→        uses: softprops/action-gh-release@v1
   102→        with:
   103→          tag_name: ${{ github.ref_name }}
   104→          name: Release ${{ steps.version.outputs.version }}
   105→          body: |
   106→            ## Terraform Modules Release ${{ steps.version.outputs.version }}
   107→
   108→            ### Modules Included:
   109→            - `s3` - S3 bucket with policies and access management
   110→            - `secret` - Secrets Manager with multi-region replication
   111→            - `ddb` - DynamoDB table with KMS encryption and CDC
   112→            - `kinesis` - Kinesis Data Stream with KMS encryption
   113→            - `static_web` - Static website with S3 + CloudFront
   114→            - `sftp` - SFTP Transfer Family with S3 backend
   115→
   116→            ### Usage
   117→            ```hcl
   118→            module "example" {
   119→              source  = "app.terraform.io/Imprint/<module>/aws"
   120→              version = "${{ steps.version.outputs.version }}"
   121→
   122→              # ... module inputs
   123→            }
   124→            ```
   125→          draft: false
   126→          prerelease: ${{ contains(steps.version.outputs.version, '-') }}
   127→        env:
   128→          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   129→
   130→  # Security scanning
   131→  security:
   132→    name: Security Scan
   133→    runs-on: ubuntu-latest
   134→    needs: validate
   135→    if: github.event_name == 'pull_request'
   136→
   137→    steps:
   138→      - name: Checkout
   139→        uses: actions/checkout@v4
   140→
   141→      - name: tfsec
   142→        uses: aquasecurity/tfsec-action@v1.0.3
   143→        with:
   144→          working_directory: modules
   145→          soft_fail: true
   146→
   147→      - name: Checkov
   148→        uses: bridgecrewio/checkov-action@v12
   149→        with:
   150→          directory: modules
   151→          framework: terraform
   152→          soft_fail: true
   153→          output_format: sarif
   154→          output_file_path: checkov-results.sarif
   155→
   156→      - name: Upload SARIF file
   157→        uses: github/codeql-action/upload-sarif@v3
   158→        if: ${{ always() && hashFiles('checkov-results.sarif') != '' }}
   159→        with:
   160→          sarif_file: checkov-results.sarif
   161→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

File created successfully at: /Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/tests/validate.tf

The file /Users/danielroth/dev/infrastructure-modules-dev/.github/workflows/terraform-module-publish.yml has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
    40→      - name: Terraform Format Check
    41→        working-directory: modules/${{ matrix.module }}
    42→        run: terraform fmt -check -recursive
    43→
    44→      - name: Terraform Init
    45→        working-directory: modules/${{ matrix.module }}
    46→        run: |
    47→          # Modules with provider aliases need to be validated through test fixtures
    48→          if [ -d "tests" ]; then
    49→            cd tests && terraform init -backend=false
    50→          else
    51→            terraform init -backend=false
    52→          fi
    53→
    54→      - name: Terraform Validate
    55→        working-directory: modules/${{ matrix.module }}
    56→        run: |
    57→          # Modules with provider aliases need to be validated through test fixtures
    58→          if [ -d "tests" ]; then
    59→            cd tests && terraform validate
    60→          else
    61→            terraform validate
    62→          fi
    63→
    64→  docs:
    65→    name: Generate Documentation
    66→    runs-on: ubuntu-latest

     1→variable "environment" {
     2→  description = "Environment name (e.g., prd, stg, sbx)"
     3→  type        = string
     4→}
     5→
     6→variable "service" {
     7→  description = "Name of the calling workspace. Used for IAM path."
     8→  type        = string
     9→}
    10→
    11→variable "name" {
    12→  description = "Name of the DynamoDB table"
    13→  type        = string
    14→}
    15→
    16→variable "env_in_name" {
    17→  description = "Whether to include environment prefix in table name"
    18→  type        = bool
    19→  default     = true
    20→}
    21→
    22→variable "policy_name" {
    23→  description = "Name used for IAM policy naming"
    24→  type        = string
    25→}
    26→
    27→variable "policy_title" {
    28→  description = "Title used in IAM policy description"
    29→  type        = string
    30→  default     = null
    31→}
    32→
    33→variable "hash_key" {
    34→  description = "The attribute to use as the hash (partition) key"
    35→  type        = string
    36→}
    37→
    38→variable "range_key" {
    39→  description = "The attribute to use as the range (sort) key"
    40→  type        = string
    41→  default     = null
    42→}
    43→
    44→variable "stream_enabled" {
    45→  description = "Enable DynamoDB streams"
    46→  type        = bool
    47→}
    48→
    49→variable "stream_view_type" {
    50→  description = "When an item is modified, what data to capture: KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES"
    51→  type        = string
    52→  default     = null
    53→}
    54→
    55→variable "resource_count" {
    56→  description = "A replacement for count, because this is a legacy module that can't use count directly. Can be 1 or 0."
    57→  type        = number
    58→  default     = 1
    59→}
    60→
    61→variable "attributes" {
    62→  description = "List of attribute definitions for the table"
    63→  type        = list(map(string))
    64→  default = [{
    65→    "name" = "key"
    66→    "type" = "S"
    67→  }]
    68→}
    69→
    70→variable "global_secondary_indexes" {
    71→  description = "List of GSI definitions. Must follow AWS documentation format."
    72→  type        = list(map(string))
    73→  default     = []
    74→}
    75→
    76→variable "local_secondary_indexes" {
    77→  description = "List of LSI definitions. Must follow AWS documentation format."
    78→  type        = list(map(string))
    79→  default     = []
    80→}
    81→
    82→variable "ttl" {
    83→  description = "Enable TTL on the table"
    84→  type        = bool
    85→  default     = false
    86→}
    87→
    88→variable "replica_regions" {
    89→  description = "A list of regions for creating replicas. Only us-east-2 and us-west-2 are supported currently."
    90→  type        = list(string)
    91→  default     = []
    92→}
    93→
    94→variable "point_in_time_recovery_enabled" {
    95→  description = "Enable point-in-time recovery"
    96→  type        = bool
    97→  default     = false
    98→}
    99→
   100→variable "default_tags" {
   101→  description = "Tags to apply to resources"
   102→  type        = map(string)
   103→  default = {
   104→    Owner     = "service"
   105→    Terraform = "true"
   106→    Version   = "20210414"
   107→  }
   108→}
   109→
   110→variable "read_capacity" {
   111→  description = "The number of read capacity units (only for PROVISIONED billing mode)"
   112→  type        = string
   113→  default     = null
   114→}
   115→
   116→variable "write_capacity" {
   117→  description = "The number of write capacity units (only for PROVISIONED billing mode)"
   118→  type        = string
   119→  default     = null
   120→}
   121→
   122→variable "hevo_replication_enabled" {
   123→  description = "Whether to enable Hevo DynamoDB connector resources"
   124→  type        = bool
   125→  default     = false
   126→}
   127→
   128→# Module inputs replacing terraform_remote_state dependencies
   129→variable "kms_key_administrator_arn" {
   130→  description = "ARN of the IAM role/user for KMS key administration (replaces terraform_remote_state.users.outputs.terraform_cloud_role_arn)"
   131→  type        = string
   132→}
   133→
   134→variable "hevo_kinesis_stream_arn" {
   135→  description = "ARN of the Kinesis stream for Hevo CDC (replaces terraform_remote_state.global.outputs.ddb_hevo_kinesis_stream.arn)"
   136→  type        = string
   137→  default     = ""
   138→}
   139→

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

The file /Users/danielroth/dev/infrastructure-modules-dev/modules/ddb/tests/validate.tf has been updated. Here's the result of running `cat -n` on a snippet of the edited file:
     1→# Test fixture for validating the ddb module
     2→# This provides the required provider aliases for terraform validate to succeed
     3→
     4→terraform {
     5→  required_version = ">= 1.0"
     6→
     7→  required_providers {
     8→    aws = {
     9→      source  = "hashicorp/aws"
    10→      version = ">= 3.75.0"
    11→    }
    12→  }
    13→}
    14→
    15→# Provider aliases required by the ddb module for multi-region KMS replicas
    16→provider "aws" {
    17→  alias  = "default"
    18→  region = "us-east-1"
    19→
    20→  # Skip credential validation for CI validation
    21→  skip_credentials_validation = true
    22→  skip_metadata_api_check     = true
    23→  skip_requesting_account_id  = true
    24→}
    25→
    26→provider "aws" {
    27→  alias  = "replica-us-west-2"
    28→  region = "us-west-2"
    29→
    30→  skip_credentials_validation = true
    31→  skip_metadata_api_check     = true
    32→  skip_requesting_account_id  = true
    33→}
    34→
    35→provider "aws" {
    36→  alias  = "replica-us-east-2"
    37→  region = "us-east-2"
    38→
    39→  skip_credentials_validation = true
    40→  skip_metadata_api_check     = true
    41→  skip_requesting_account_id  = true
    42→}
    43→
    44→module "ddb" {
    45→  source = "../"
    46→
    47→  providers = {
    48→    aws.default           = aws.default
    49→    aws.replica-us-west-2 = aws.replica-us-west-2
    50→    aws.replica-us-east-2 = aws.replica-us-east-2
    51→  }
    52→
    53→  # Required variables with test values
    54→  name                      = "test-table"
    55→  environment               = "sbx"
    56→  service                   = "test-service"
    57→  policy_name               = "test-policy"
    58→  hash_key                  = "pk"
    59→  stream_enabled            = false
    60→  kms_key_administrator_arn = "arn:aws:iam::123456789012:role/test-admin"
    61→}
    62→

should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Success! The configuration is valid.


Cleaned up test artifacts