[WIP] feat: Rplt 728 cdk output review #11498

Closed
wants to merge 28 commits into from


bashleigh

Pull request checklist

Detail as per issue below (required):

fixes: #

@github-actions github-actions bot closed this Jan 14, 2025

@github-actions github-actions bot left a comment


Closing this pull request since the title does not match ^(?:(?:[WIP] ?)?(?:build|ci|chore|docs|task|feat|fix|perf|refactor|revert|style|test):(?:\ +?#\d+?\ +?)?.)|(?:[Snyk].) pattern. Please fix the title and re-open the pull request.

@bashleigh bashleigh reopened this Jan 14, 2025
@github-actions github-actions bot closed this Jan 14, 2025

@github-actions github-actions bot left a comment


Closing this pull request since the title does not match ^(?:(?:[WIP] ?)?(?:build|ci|chore|docs|task|feat|fix|perf|refactor|revert|style|test):(?:\ +?#\d+?\ +?)?.)|(?:[Snyk].) pattern. Please fix the title and re-open the pull request.


@github-actions github-actions bot left a comment


Closing this pull request since the title does not match ^(?:(?:[WIP] ?)?(?:build|ci|chore|docs|task|feat|fix|perf|refactor|revert|style|test):(?:\ +?#\d+?\ +?)?.)|(?:[Snyk].) pattern. Please fix the title and re-open the pull request.

@bashleigh bashleigh changed the title [WIP] Rplt 728 cdk output review [WIP] feat: Rplt 728 cdk output review Jan 14, 2025
@bashleigh bashleigh reopened this Jan 14, 2025

codacy-production bot commented Jan 14, 2025

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
Report missing for 2ca2ebe [1]
Coverage variation details
| Commit | Coverable lines | Covered lines | Coverage |
| --- | --- | --- | --- |
| Common ancestor commit (2ca2ebe) | Report Missing | Report Missing | Report Missing |
| Head commit (b3d6c8e) | 1314 | 872 | 66.36% |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
| Scope | Coverable lines | Covered lines | Diff coverage |
| --- | --- | --- | --- |
| Pull request (#11498) | 0 | 0 | ∅ (not applicable) |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more

Footnotes

  1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.


Synth changes have been committed

undefined


Synth changes have been committed

➤ YN0000: ┌ Resolution step
::group::Resolution step
➤ YN0085: │ + ts-node@npm:10.9.2, @cspotcode/source-map-support@npm:0.8.1, @jridgewell/resolve-uri@npm:3.1.2, @jridgewell/sourcemap-codec@npm:1.5.0, and 13 more.
::endgroup::
➤ YN0000: └ Completed in 0s 336ms
➤ YN0000: ┌ Post-resolution validation
::group::Post-resolution validation
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide @types/node (pe6119), requested by ts-node.
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide typescript (p924b5), requested by ts-node.
➤ YN0086: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
::group::Fetch step
➤ YN0013: │ 17 packages were added to the project (+ 639.89 KiB).
::endgroup::
➤ YN0000: └ Completed in 0s 281ms
➤ YN0000: ┌ Link step
::group::Link step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: · Done with warnings in 0s 762ms

CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1128ms
CJS dist/http.js          35.88 MB
CJS dist/sns.js           35.86 MB
CJS dist/sqs.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS ⚡️ Build success in 6028ms
➤ YN0000: · Yarn 4.0.1
➤ YN0000: ┌ Resolution step
::group::Resolution step
➤ YN0085: │ + ts-node@npm:10.9.2, @cspotcode/source-map-support@npm:0.8.1, @jridgewell/resolve-uri@npm:3.1.2, @jridgewell/sourcemap-codec@npm:1.5.0, and 13 more.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Post-resolution validation
::group::Post-resolution validation
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide @types/node (pe6119), requested by ts-node.
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide typescript (p924b5), requested by ts-node.
➤ YN0086: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
::group::Fetch step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
::group::Link step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: · Done with warnings in 0s 325ms

CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1070ms
CJS dist/http.js          35.88 MB
CJS dist/sns.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/sqs.js           35.86 MB
CJS ⚡️ Build success in 5715ms
start: Building a5d478c5a903aff747c37393a3c384387653fed5fca0e783aa9474a55e79f1f9:028446965111-eu-west-2
success: Built a5d478c5a903aff747c37393a3c384387653fed5fca0e783aa9474a55e79f1f9:028446965111-eu-west-2
start: Publishing a5d478c5a903aff747c37393a3c384387653fed5fca0e783aa9474a55e79f1f9:028446965111-eu-west-2
success: Published a5d478c5a903aff747c37393a3c384387653fed5fca0e783aa9474a55e79f1f9:028446965111-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Stack cloud-deployment-service
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                                                     │ Effect │ Action                           │ Principal                                     │ Condition                                                                                                                           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                     │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                               │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158" │
│   │                                                                                                                              │        │                                  │                                               │ }                                                                                                                                   │
│ - │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                     │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                               │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39" │
│   │                                                                                                                              │        │                                  │                                               │ }                                                                                                                                   │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93 │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                        │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                        │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴───────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[~] AWS::IAM::Policy sqs/ServiceRole/DefaultPolicy sqsServiceRoleDefaultPolicy6C36BFC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
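Review bot: the `sts:AssumeRole` resource in this hunk moves from account 727646485319 to account 362630019454, so this service role will assume `cloud-deployment-usercode-dev-UsercodeStackRole` in a different account. Confirm that the trust policy on that role in the new account names this role, and record the account move in the PR description, which is currently empty. The same change repeats in the appEvents, sns, httpApi, http and cloud-deployment-migration policies.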
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": "cloudfront:ListOriginAccessControls",
[~] AWS::Lambda::Function sqs sqs1386CA46 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] eda1374a3451843ed5c0702217c8fdf261bfcd8550f8ac6748712a1239cc6fbb.zip
 │       └─ [+] 61bf1947990bb35c8231b679be385ee93a7db4046e8e63b0fadc54f686e3fe03.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy appEvents/ServiceRole/DefaultPolicy appEventsServiceRoleDefaultPolicy8F8F9E18 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::Lambda::Function appEvents appEventsB07C8627 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] eda1374a3451843ed5c0702217c8fdf261bfcd8550f8ac6748712a1239cc6fbb.zip
 │       └─ [+] 61bf1947990bb35c8231b679be385ee93a7db4046e8e63b0fadc54f686e3fe03.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy sns/ServiceRole/DefaultPolicy snsServiceRoleDefaultPolicy369F17E6 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
[~] AWS::Lambda::Function sns sns78FA588D 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] eda1374a3451843ed5c0702217c8fdf261bfcd8550f8ac6748712a1239cc6fbb.zip
 │       └─ [+] 61bf1947990bb35c8231b679be385ee93a7db4046e8e63b0fadc54f686e3fe03.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::Lambda::Permission sns/AllowInvoke:clouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5 snsAllowInvokeclouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5BD70496D replace
 └─ [~] SourceArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::SNS::Subscription sns/codebuild-sns-topic-dev snscodebuildsnstopicdev38EBA9E4 replace
 └─ [~] TopicArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::IAM::Policy httpApi/ServiceRole/DefaultPolicy httpApiServiceRoleDefaultPolicy553EAA67 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function httpApi httpApiC9FAD708 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 77d0e7a75defa19238501856a6f945c5f0978a4e21f198afdfc4e1a82504ed4a.zip
 │       └─ [+] 100e39b56cb50ceab1a8ef89f1261f07e3903ad17cb2d8d9b5a69d0a0b40d35c.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy http/ServiceRole/DefaultPolicy httpServiceRoleDefaultPolicy27B3FF2D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function http httpD8F39B44 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 77d0e7a75defa19238501856a6f945c5f0978a4e21f198afdfc4e1a82504ed4a.zip
 │       └─ [+] 100e39b56cb50ceab1a8ef89f1261f07e3903ad17cb2d8d9b5a69d0a0b40d35c.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy cloud-deployment-migration/ServiceRole/DefaultPolicy clouddeploymentmigrationServiceRoleDefaultPolicy145F9A22 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -144,7 +144,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93"
            [+]       ":codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d"
            [ ]     ]
            [ ]   ]
            [ ] }
            @@ -173,6 +173,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function cloud-deployment-migration clouddeploymentmigration9A43D76C 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] eda1374a3451843ed5c0702217c8fdf261bfcd8550f8ac6748712a1239cc6fbb.zip
 │       └─ [+] 61bf1947990bb35c8231b679be385ee93a7db4046e8e63b0fadc54f686e3fe03.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [-] Removed: .TEMPORARY_CLUSTER_SECRET_ARN
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID

start: Building 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Built 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
start: Publishing 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Published 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
Stack cloud-deployment-usercode-dev
IAM Statement Changes
┌───┬─────────────────────────────────────────────┬────────┬─────────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                                    │ Effect │ Action                              │ Principal                        │ Condition │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                                           │ Allow  │ cloudfront:ListOriginAccessControls │ AWS:${UsercodeStackRole}         │           │
└───┴─────────────────────────────────────────────┴────────┴─────────────────────────────────────┴──────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[+] AWS::CloudFront::OriginAccessControl s3-origin s3origin 
[~] AWS::S3::BucketPolicy v2-cloud-deployment-live-dev/Policy v2clouddeploymentlivedevPolicy0BF1B47D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
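Review bot: in the first statement the principal stays `"AWS": "*"` while the action widens from `s3:GetObject` to `s3:Get*`, `s3:List*` and `s3:Put*`, and no Condition is visible in the hunk. If this is the old second statement moving up, say so in the PR description. Either way, a wildcard principal with `s3:Put*` on `v2-cloud-deployment-live-dev` needs a restricting Condition or a named principal. The log, repo-cache and version bucket policies show the same pattern.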
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
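Review bot: the second statement now grants `s3:Get*` to `cloudfront.amazonaws.com`, and the IAM Statement Changes table lists this row with an empty Condition. Add an `AWS:SourceArn` condition naming the distribution that uses the new `s3-origin` origin access control, and narrow the action to `s3:GetObject` unless other Get calls are needed.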
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlivedev087DF299",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
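Review bot: the added statement lets the `codebuild.amazonaws.com` service principal use `s3:Get*` on every object under the bucket with no Condition, so the grant is not tied to this account's build projects. Add an `aws:SourceAccount` or `aws:SourceArn` condition, or grant the read to the CodeBuild project's service role instead, and use `s3:GetObject` if that is all the build reads.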
[~] AWS::S3::BucketPolicy v2-cloud-deployment-log-dev/Policy v2clouddeploymentlogdevPolicyEFAC9DC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,6 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": "s3:Put*",
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,10 +21,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": "s3:Put*",
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -40,5 +40,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlogdev6B52B6BD",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-repo-cache-dev/Policy v2clouddeploymentrepocachedevPolicyB12C7ECB 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,9 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,13 +24,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -43,5 +43,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentrepocachedev6F523868",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-version-dev/Policy v2clouddeploymentversiondevPolicy45297030 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentversiondevCDDC2B37",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
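Review bot: The added statement grants s3:Get* on every object to the codebuild.amazonaws.com service principal with only Action, Effect, Principal and Resource, so no aws:SourceArn or aws:SourceAccount condition limits which project or account the service is acting for. Suggest granting the read to the CodeBuild project's service role instead, or adding a source condition, and narrowing s3:Get* to s3:GetObject if that is all the build needs. The same applies to the matching codebuild.amazonaws.com statement added to the repo-cache bucket policy above.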
[~] AWS::IAM::Policy UsercodePolicy UsercodePolicy590B208D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -147,5 +147,10 @@
            [ ]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Resource": "*"
            [+]   },
            [+]   {
            [+]     "Action": "cloudfront:ListOriginAccessControls",
            [+]     "Effect": "Allow",
            [+]     "Resource": "*"
            [ ]   }
            [ ] ]


✨  Number of stacks with differences: 2

NOTICES         (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885	(cli): Bootstrap stack outdated

	Overview: The bootstrap stack in aws://362630019454/eu-west-2 is outdated.
	          We recommend at least version 21, distributed with CDK CLI
	          2.149.0 or higher. Please rebootstrap your environment by
	          runing 'cdk bootstrap aws://362630019454/eu-west-2'

	Affected versions: bootstrap: <21

	More information at: https://github.com/aws/aws-cdk/issues/31885


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 31885".```


Synth changes have been committed

➤ YN0000: ┌ Resolution step
::group::Resolution step
➤ YN0085: │ + ts-node@npm:10.9.2, @cspotcode/source-map-support@npm:0.8.1, @jridgewell/resolve-uri@npm:3.1.2, @jridgewell/sourcemap-codec@npm:1.5.0, and 13 more.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Post-resolution validation
::group::Post-resolution validation
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide @types/node (pe6119), requested by ts-node.
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide typescript (p924b5), requested by ts-node.
➤ YN0086: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
::group::Fetch step
➤ YN0013: │ 17 packages were added to the project (+ 639.89 KiB).
::endgroup::
➤ YN0000: └ Completed in 0s 267ms
➤ YN0000: ┌ Link step
::group::Link step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: · Done with warnings in 0s 535ms

CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1084ms
CJS dist/migration-run.js 35.86 MB
CJS dist/sqs.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS dist/sns.js           35.86 MB
CJS ⚡️ Build success in 6066ms
➤ YN0000: · Yarn 4.0.1
➤ YN0000: ┌ Resolution step
::group::Resolution step
➤ YN0085: │ + ts-node@npm:10.9.2, @cspotcode/source-map-support@npm:0.8.1, @jridgewell/resolve-uri@npm:3.1.2, @jridgewell/sourcemap-codec@npm:1.5.0, and 13 more.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Post-resolution validation
::group::Post-resolution validation
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide @types/node (pe6119), requested by ts-node.
➤ YN0002: │ root-workspace-0b6124@workspace:. doesn't provide typescript (p924b5), requested by ts-node.
➤ YN0086: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
::group::Fetch step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
::group::Link step
::endgroup::
➤ YN0000: └ Completed
➤ YN0000: · Done with warnings in 0s 293ms

CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1095ms
CJS dist/sqs.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/sns.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS ⚡️ Build success in 5579ms
start: Building 7bd0d0aa6a11dfdec72f45b5fc44f78b86a30f7819bacf5825375d0f38038afb:028446965111-eu-west-2
success: Built 7bd0d0aa6a11dfdec72f45b5fc44f78b86a30f7819bacf5825375d0f38038afb:028446965111-eu-west-2
start: Publishing 7bd0d0aa6a11dfdec72f45b5fc44f78b86a30f7819bacf5825375d0f38038afb:028446965111-eu-west-2
success: Published 7bd0d0aa6a11dfdec72f45b5fc44f78b86a30f7819bacf5825375d0f38038afb:028446965111-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Stack cloud-deployment-service
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                                                     │ Effect │ Action                           │ Principal                                                                          │ Condition                                                                                                                           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret/Attachment}                                                                       │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda.Arn}                                                                    │ Allow  │ lambda:InvokeFunction            │ AWS:${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │                                                                                                                                     │
│   │ ${resolve-production-database-custom-resource-lambda.Arn}:*                                                                  │        │                                  │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole.Arn}                                                        │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole.Arn}                                           │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
│ - │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ *                                                                                                                            │ Allow  │ rds:CreateDBClusterSnapshot      │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:CreateDBSnapshot             │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:DescribeDBSnapshots          │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:ListTagsForResource          │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93 │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:secretsmanager:eu-west-2:028446965111:secret:tempdatabaseclusterSecret78-yVZFtGSRaBqc-h2JpsK                         │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
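Review bot: The `sts:AssumeRole` rows in this table repoint all six function service roles (sqs, appEvents, sns, httpApi, http, cloud-deployment-migration) from `cloud-deployment-usercode-dev-UsercodeStackRole` in account 727646485319 to the role of the same name in account 362630019454, which moves the cross-account trust boundary while the account ID appears only as a literal inside the ARN. Before this is deployed, confirm that 362630019454 is the intended dev usercode account and that the trust policy on the role in that account names only these service roles as principals. Supplying the account ID from per-environment configuration would make a stage pointed at the wrong account easier to spot in review.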
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                       │ Managed Policy ARN                                                                 │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
└───┴────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────────────────────────┬─────┬────────────┬─────────────────┐
│   │ Group                                                                       │ Dir │ Protocol   │ Peer            │
├───┼─────────────────────────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────────────────────────┴─────┴────────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[-] AWS::SecretsManager::Secret cloud-deployment-service-database-secret clouddeploymentservicedatabasesecret8A2F741C destroy
[-] AWS::SecretsManager::SecretTargetAttachment cloud-deployment-service-database-secret/Attachment clouddeploymentservicedatabasesecretAttachmentEFE1DB42 destroy
[-] AWS::IAM::Role resolve-production-database-custom-resource-lambda/ServiceRole resolveproductiondatabasecustomresourcelambdaServiceRole9BB5730C destroy
[-] AWS::IAM::Policy resolve-production-database-custom-resource-lambda/ServiceRole/DefaultPolicy resolveproductiondatabasecustomresourcelambdaServiceRoleDefaultPolicy7110EB16 destroy
[-] AWS::EC2::SecurityGroup resolve-production-database-custom-resource-lambda/SecurityGroup resolveproductiondatabasecustomresourcelambdaSecurityGroupFB53B404 destroy
[-] AWS::Lambda::Function resolve-production-database-custom-resource-lambda resolveproductiondatabasecustomresourcelambda50A7B07C destroy
[-] AWS::IAM::Role resolve-production-database-resource-provider/framework-onEvent/ServiceRole resolveproductiondatabaseresourceproviderframeworkonEventServiceRole5047AD61 destroy
[-] AWS::IAM::Policy resolve-production-database-resource-provider/framework-onEvent/ServiceRole/DefaultPolicy resolveproductiondatabaseresourceproviderframeworkonEventServiceRoleDefaultPolicyA9E1EBF8 destroy
[-] AWS::Lambda::Function resolve-production-database-resource-provider/framework-onEvent resolveproductiondatabaseresourceproviderframeworkonEventD4310A50 destroy
[-] Custom::LogRetention resolve-production-database-resource-provider/framework-onEvent/LogRetention resolveproductiondatabaseresourceproviderframeworkonEventLogRetention8EBE7449 destroy
[-] AWS::CloudFormation::CustomResource resolve-production-database-custom-resource resolveproductiondatabasecustomresource destroy
[+] AWS::SecretsManager::Secret database/Secret databaseSecret87F1207C 
[+] AWS::SecretsManager::SecretTargetAttachment database/Secret/Attachment databaseSecretAttachment5618DFB3 
[~] AWS::RDS::DBCluster database databaseEBDE4557 may be replaced
 ├─ [~] MasterUserPassword
 │   └─ [~] .Fn::Join:
 │       └─ @@ -3,7 +3,7 @@
 │          [ ] [
 │          [ ]   "{{resolve:secretsmanager:",
 │          [ ]   {
 │          [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
 │          [+]     "Ref": "databaseSecret87F1207C"
 │          [ ]   },
 │          [ ]   ":SecretString:password::}}"
 │          [ ] ]
 └─ [~] MasterUsername (may cause replacement)
     └─ [~] .Fn::Join:
         └─ @@ -3,7 +3,7 @@
            [ ] [
            [ ]   "{{resolve:secretsmanager:",
            [ ]   {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecret87F1207C"
            [ ]   },
            [ ]   ":SecretString:username::}}"
            [ ] ]
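Review bot: `AWS::RDS::DBCluster database` is flagged "may be replaced" because `MasterUsername` now resolves from `databaseSecret87F1207C`, and the Resources list above destroys `cloud-deployment-service-database-secret` while creating `database/Secret` in its place. If the replacement happens, the new cluster does not carry over the existing data, and the `MasterUserPassword` change alters the master credential either way. Check that the new secret yields the same username as the old one, that the cluster has a snapshot or retain policy, and that nothing still reads the secret being destroyed before this reaches an environment that holds data.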
[~] AWS::IAM::Policy sqs/ServiceRole/DefaultPolicy sqsServiceRoleDefaultPolicy6C36BFC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": "cloudfront:ListOriginAccessControls",
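Review bot: In the third hunk (`@@ -152,7 +152,7 @@`) the sqs function's default policy keeps `route53:ChangeResourceRecordSets` on the whole of the new hosted zone `Z0984639I4QETVUJB1YD`, and the statements table shows the same write grant on four other service roles. If the queue handler does not write DNS records itself, drop the statement from this role. Where a write is needed, a condition on `route53:ChangeResourceRecordSetsNormalizedRecordNames` limits it to the record names the service owns.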
[~] AWS::Lambda::Function sqs sqs1386CA46 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] dd87739aa9cfea52de0926f534bbabd2d55639b62793ad9301734209f103fda0.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
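Review bot: `.TEMPORARY_CLUSTER_ID` and `.VPC_ID` are removed from the sqs function's environment in the same change that swaps the code asset under `.S3Key`, so confirm the new bundle no longer reads either variable, since a missing value would only surface at invocation time. The account-specific values (`.CERT_ARN`, `.HOSTED_ZONE_ID`, `.USERCODE_ACCOUNT_ID`, `.USERCODE_ROLE_ARN`) change together here and repeat in the appEvents function below. Deriving `.USERCODE_ROLE_ARN` from `.USERCODE_ACCOUNT_ID` in one place would remove the chance of the two disagreeing.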
[~] AWS::IAM::Policy appEvents/ServiceRole/DefaultPolicy appEventsServiceRoleDefaultPolicy8F8F9E18 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::Lambda::Function appEvents appEventsB07C8627 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] dd87739aa9cfea52de0926f534bbabd2d55639b62793ad9301734209f103fda0.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy sns/ServiceRole/DefaultPolicy snsServiceRoleDefaultPolicy369F17E6 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
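Review bot: the sts:AssumeRole Resource in this hunk moves from account 727646485319 to 362630019454 as a literal ARN, and the same account id is repeated in USERCODE_ACCOUNT_ID and USERCODE_ROLE_ARN on the functions. Derive all three from one configuration value so the policy and the environment cannot drift apart, and confirm before deploying that the trust policy on UsercodeStackRole in 362630019454 names this function's service role.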
[~] AWS::Lambda::Function sns sns78FA588D 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] dd87739aa9cfea52de0926f534bbabd2d55639b62793ad9301734209f103fda0.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::Lambda::Permission sns/AllowInvoke:clouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5 snsAllowInvokeclouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5BD70496D replace
 └─ [~] SourceArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::SNS::Subscription sns/codebuild-sns-topic-dev snscodebuildsnstopicdev38EBA9E4 replace
 └─ [~] TopicArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::IAM::Policy httpApi/ServiceRole/DefaultPolicy httpApiServiceRoleDefaultPolicy553EAA67 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function httpApi httpApiC9FAD708 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] e7a8c6152690444053f726e8cced1b3dcf7cc8d21b7feef4db250b0b7b9be0c6.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy http/ServiceRole/DefaultPolicy httpServiceRoleDefaultPolicy27B3FF2D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function http httpD8F39B44 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] e7a8c6152690444053f726e8cced1b3dcf7cc8d21b7feef4db250b0b7b9be0c6.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy cloud-deployment-migration/ServiceRole/DefaultPolicy clouddeploymentmigrationServiceRoleDefaultPolicy145F9A22 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -144,7 +144,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93"
            [+]       ":codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d"
            [ ]     ]
            [ ]   ]
            [ ] }
            @@ -173,6 +173,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function cloud-deployment-migration clouddeploymentmigration9A43D76C 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] dd87739aa9cfea52de0926f534bbabd2d55639b62793ad9301734209f103fda0.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID

start: Building 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Built 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
start: Publishing 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Published 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
Stack cloud-deployment-usercode-dev
IAM Statement Changes
┌───┬─────────────────────────────────────────────┬────────┬─────────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                                    │ Effect │ Action                              │ Principal                        │ Condition │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                                           │ Allow  │ cloudfront:ListOriginAccessControls │ AWS:${UsercodeStackRole}         │           │
└───┴─────────────────────────────────────────────┴────────┴─────────────────────────────────────┴──────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[+] AWS::CloudFront::OriginAccessControl s3-origin s3origin 
[~] AWS::S3::BucketPolicy v2-cloud-deployment-live-dev/Policy v2clouddeploymentlivedevPolicy0BF1B47D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
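Review bot: the first statement, whose Principal is "AWS": "*", now carries s3:Get*, s3:List* and s3:Put*, and the visible context ends at the Principal line, so the hunk does not show whether a Condition restricts that wildcard principal. The IAM Statement Changes table lists no addition for this grant, which suggests the statements were only reordered; please confirm that in the PR description. If the statement has no Condition, name the specific role as principal or add an aws:PrincipalAccount or aws:PrincipalOrgID condition rather than leaving write and list open on the live bucket.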
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
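Review bot: the second statement narrows the principal from "AWS": "*" to "Service": "cloudfront.amazonaws.com", but the IAM Statement Changes table shows an empty Condition column for it, so the grant is not limited to this stack's distribution. Add an AWS:SourceArn condition set to the distribution ARN that uses the new s3-origin OriginAccessControl. Also prefer s3:GetObject over s3:Get*, which additionally allows calls such as GetObjectAcl and GetObjectTagging.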
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlivedev087DF299",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
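Review bot: the added statement trusts the codebuild.amazonaws.com service principal for s3:Get* on every object in the bucket ("/*") and has no Condition block. CodeBuild projects normally read S3 through their own service role, so grant that role directly, or at least add aws:SourceAccount or aws:SourceArn for the project, instead of trusting the service principal as a whole.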
[~] AWS::S3::BucketPolicy v2-cloud-deployment-log-dev/Policy v2clouddeploymentlogdevPolicyEFAC9DC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,6 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": "s3:Put*",
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,10 +21,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": "s3:Put*",
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
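Review bot: this statement gives cloudfront.amazonaws.com s3:Get* on the log bucket, the same grant that the table shows for the live, repo-cache and version buckets. If CloudFront does not serve content from the log bucket, drop the statement for this bucket rather than applying one statement template to all four.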
            @@ -40,5 +40,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlogdev6B52B6BD",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-repo-cache-dev/Policy v2clouddeploymentrepocachedevPolicyB12C7ECB 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,9 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,13 +24,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -43,5 +43,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentrepocachedev6F523868",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-version-dev/Policy v2clouddeploymentversiondevPolicy45297030 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentversiondevCDDC2B37",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::IAM::Policy UsercodePolicy UsercodePolicy590B208D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -147,5 +147,10 @@
            [ ]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Resource": "*"
            [+]   },
            [+]   {
            [+]     "Action": "cloudfront:ListOriginAccessControls",
            [+]     "Effect": "Allow",
            [+]     "Resource": "*"
            [ ]   }
            [ ] ]


✨  Number of stacks with differences: 2

NOTICES         (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885	(cli): Bootstrap stack outdated

	Overview: The bootstrap stack in aws://362630019454/eu-west-2 is outdated.
	          We recommend at least version 21, distributed with CDK CLI
	          2.149.0 or higher. Please rebootstrap your environment by
	          runing 'cdk bootstrap aws://362630019454/eu-west-2'

	Affected versions: bootstrap: <21

	More information at: https://github.com/aws/aws-cdk/issues/31885


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 31885".
```


Synth changes have been committed

CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1133ms
CJS dist/migration-run.js 35.86 MB
CJS dist/sqs.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS dist/sns.js           35.86 MB
CJS ⚡️ Build success in 5974ms
CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1057ms
CJS dist/sns.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/http.js          35.88 MB
CJS dist/sqs.js           35.86 MB
CJS ⚡️ Build success in 5619ms
start: Building 1efe6144e56620c3302569517eefb8811b19bd172a39910eddac4056e57dc988:028446965111-eu-west-2
success: Built 1efe6144e56620c3302569517eefb8811b19bd172a39910eddac4056e57dc988:028446965111-eu-west-2
start: Publishing 1efe6144e56620c3302569517eefb8811b19bd172a39910eddac4056e57dc988:028446965111-eu-west-2
success: Published 1efe6144e56620c3302569517eefb8811b19bd172a39910eddac4056e57dc988:028446965111-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Stack cloud-deployment-service
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                                                     │ Effect │ Action                           │ Principal                                                                          │ Condition                                                                                                                           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret/Attachment}                                                                       │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda.Arn}                                                                    │ Allow  │ lambda:InvokeFunction            │ AWS:${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │                                                                                                                                     │
│   │ ${resolve-production-database-custom-resource-lambda.Arn}:*                                                                  │        │                                  │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole.Arn}                                                        │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole.Arn}                                           │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
│ - │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ *                                                                                                                            │ Allow  │ rds:CreateDBClusterSnapshot      │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:CreateDBSnapshot             │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:DescribeDBSnapshots          │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:ListTagsForResource          │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93 │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:secretsmanager:eu-west-2:028446965111:secret:tempdatabaseclusterSecret78-yVZFtGSRaBqc-h2JpsK                         │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                       │ Managed Policy ARN                                                                 │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
└───┴────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────────────────────────┬─────┬────────────┬─────────────────┐
│   │ Group                                                                       │ Dir │ Protocol   │ Peer            │
├───┼─────────────────────────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────────────────────────┴─────┴────────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[-] AWS::SecretsManager::Secret cloud-deployment-service-database-secret clouddeploymentservicedatabasesecret8A2F741C destroy
[-] AWS::SecretsManager::SecretTargetAttachment cloud-deployment-service-database-secret/Attachment clouddeploymentservicedatabasesecretAttachmentEFE1DB42 destroy
[-] AWS::IAM::Role resolve-production-database-custom-resource-lambda/ServiceRole resolveproductiondatabasecustomresourcelambdaServiceRole9BB5730C destroy
[-] AWS::IAM::Policy resolve-production-database-custom-resource-lambda/ServiceRole/DefaultPolicy resolveproductiondatabasecustomresourcelambdaServiceRoleDefaultPolicy7110EB16 destroy
[-] AWS::EC2::SecurityGroup resolve-production-database-custom-resource-lambda/SecurityGroup resolveproductiondatabasecustomresourcelambdaSecurityGroupFB53B404 destroy
[-] AWS::Lambda::Function resolve-production-database-custom-resource-lambda resolveproductiondatabasecustomresourcelambda50A7B07C destroy
[-] AWS::IAM::Role resolve-production-database-resource-provider/framework-onEvent/ServiceRole resolveproductiondatabaseresourceproviderframeworkonEventServiceRole5047AD61 destroy
[-] AWS::IAM::Policy resolve-production-database-resource-provider/framework-onEvent/ServiceRole/DefaultPolicy resolveproductiondatabaseresourceproviderframeworkonEventServiceRoleDefaultPolicyA9E1EBF8 destroy
[-] AWS::Lambda::Function resolve-production-database-resource-provider/framework-onEvent resolveproductiondatabaseresourceproviderframeworkonEventD4310A50 destroy
[-] Custom::LogRetention resolve-production-database-resource-provider/framework-onEvent/LogRetention resolveproductiondatabaseresourceproviderframeworkonEventLogRetention8EBE7449 destroy
[-] AWS::CloudFormation::CustomResource resolve-production-database-custom-resource resolveproductiondatabasecustomresource destroy
[+] AWS::SecretsManager::Secret database/Secret databaseSecret87F1207C 
[+] AWS::SecretsManager::SecretTargetAttachment database/Secret/Attachment databaseSecretAttachment5618DFB3 
[~] AWS::RDS::DBCluster database databaseEBDE4557 may be replaced
 ├─ [~] MasterUserPassword
 │   └─ [~] .Fn::Join:
 │       └─ @@ -3,7 +3,7 @@
 │          [ ] [
 │          [ ]   "{{resolve:secretsmanager:",
 │          [ ]   {
 │          [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
 │          [+]     "Ref": "databaseSecret87F1207C"
 │          [ ]   },
 │          [ ]   ":SecretString:password::}}"
 │          [ ] ]
 └─ [~] MasterUsername (may cause replacement)
     └─ [~] .Fn::Join:
         └─ @@ -3,7 +3,7 @@
            [ ] [
            [ ]   "{{resolve:secretsmanager:",
            [ ]   {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecret87F1207C"
            [ ]   },
            [ ]   ":SecretString:username::}}"
            [ ] ]
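Review bot: `MasterUsername (may cause replacement)` on `AWS::RDS::DBCluster database` is the line to settle before this deploys. Both credentials now resolve from the newly created `databaseSecret87F1207C`, while the old secret `clouddeploymentservicedatabasesecret8A2F741C` is listed as `destroy`, so if the new secret resolves to a different username the cluster is replaced rather than updated in place. Confirm the username in the new secret matches the existing one, or keep the old secret's logical ID so the reference does not change, and check that the cluster has a snapshot or retain policy in case replacement does happen.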
[~] AWS::IAM::Policy sqs/ServiceRole/DefaultPolicy sqsServiceRoleDefaultPolicy6C36BFC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
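Review bot: the `sts:AssumeRole` resource here is a literal ARN whose account ID moves from 727646485319 to 362630019454, and that needs an explicit confirmation rather than a silent swap. The same account change appears in `CERT_ARN`, the SNS topic ARN, `USERCODE_ACCOUNT_ID` and `USERCODE_ROLE_ARN` further down the diff. Confirm 362630019454 is the intended usercode account for this environment and that the trust policy on `cloud-deployment-usercode-dev-UsercodeStackRole` in that account names this service's roles, and consider deriving all of these values from a single config entry so they cannot drift apart.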
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": "cloudfront:ListOriginAccessControls",
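Review bot: `route53:ChangeResourceRecordSets` on the whole of hosted zone `Z0984639I4QETVUJB1YD` is granted to five service roles according to the IAM Statement Changes table (`sqs`, `appEvents`, `httpApi`, `http`, `cloud-deployment-migration`), and this statement is the `sqs` copy of it. If only some of these functions write DNS records, drop the write action from the others and keep the read actions (`route53:GetChange`, `route53:GetHostedZone`, `route53:ListResourceRecordSets`), since any role holding the write action can change every record in the zone.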
[~] AWS::Lambda::Function sqs sqs1386CA46 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] c1c26d1d3bcbf9b2b060c63b6860774ed440232f3fdac29248ca35655a7b65d1.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
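Review bot: `.VPC_ID` and `.TEMPORARY_CLUSTER_ID` are removed from the `sqs` function's environment in the same change that swaps its code bundle (`.S3Key`), and the identical removal repeats for `appEvents`, `sns`, `httpApi` and `http`. Confirm the new bundle no longer reads either variable, ideally with a startup check that fails on a missing required variable, so a stale read does not surface as a runtime error after deploy.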
[~] AWS::IAM::Policy appEvents/ServiceRole/DefaultPolicy appEventsServiceRoleDefaultPolicy8F8F9E18 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::Lambda::Function appEvents appEventsB07C8627 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] c1c26d1d3bcbf9b2b060c63b6860774ed440232f3fdac29248ca35655a7b65d1.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy sns/ServiceRole/DefaultPolicy snsServiceRoleDefaultPolicy369F17E6 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
[~] AWS::Lambda::Function sns sns78FA588D 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] c1c26d1d3bcbf9b2b060c63b6860774ed440232f3fdac29248ca35655a7b65d1.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::Lambda::Permission sns/AllowInvoke:clouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5 snsAllowInvokeclouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5BD70496D replace
 └─ [~] SourceArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::SNS::Subscription sns/codebuild-sns-topic-dev snscodebuildsnstopicdev38EBA9E4 replace
 └─ [~] TopicArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::IAM::Policy httpApi/ServiceRole/DefaultPolicy httpApiServiceRoleDefaultPolicy553EAA67 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function httpApi httpApiC9FAD708 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] 6420efeaeae38375a08898a9a2c1274f694818724051190f351801989e0f74bd.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy http/ServiceRole/DefaultPolicy httpServiceRoleDefaultPolicy27B3FF2D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function http httpD8F39B44 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] 6420efeaeae38375a08898a9a2c1274f694818724051190f351801989e0f74bd.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy cloud-deployment-migration/ServiceRole/DefaultPolicy clouddeploymentmigrationServiceRoleDefaultPolicy145F9A22 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -144,7 +144,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93"
            [+]       ":codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d"
            [ ]     ]
            [ ]   ]
            [ ] }
            @@ -173,6 +173,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function cloud-deployment-migration clouddeploymentmigration9A43D76C 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] c1c26d1d3bcbf9b2b060c63b6860774ed440232f3fdac29248ca35655a7b65d1.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID

start: Building 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Built 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
start: Publishing 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Published 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
Stack cloud-deployment-usercode-dev
IAM Statement Changes
┌───┬─────────────────────────────────────────────┬────────┬─────────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                                    │ Effect │ Action                              │ Principal                        │ Condition │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                                           │ Allow  │ cloudfront:ListOriginAccessControls │ AWS:${UsercodeStackRole}         │           │
└───┴─────────────────────────────────────────────┴────────┴─────────────────────────────────────┴──────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[+] AWS::CloudFront::OriginAccessControl s3-origin s3origin 
[~] AWS::S3::BucketPolicy v2-cloud-deployment-live-dev/Policy v2clouddeploymentlivedevPolicy0BF1B47D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
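Review bot: the first statement keeps `"AWS": "*"` as principal while its `Action` widens from `s3:GetObject` to `s3:Get*`, `s3:List*` and `s3:Put*`, and the hunk context ends before any `Condition` is shown. The IAM Statement Changes table above lists only the `s3:GetObject` row for `AWS:*` as removed and no added `AWS:*` rows, which suggests an existing statement has shifted position rather than a new grant being made. Check the synthesized template to confirm that, and that the wildcard-principal statement carries a restricting condition, before approving.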
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
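Review bot: the statement that now names `"Service": "cloudfront.amazonaws.com"` as principal grants `s3:Get*`, and the IAM Statement Changes table shows its Condition column empty. Without a condition on `AWS:SourceArn` for the specific distribution, the grant applies to the CloudFront service principal in general and not only to this stack's distribution. Add that condition, and narrow the action to `s3:GetObject` unless other `Get` calls are needed.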
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlivedev087DF299",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
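Review bot: the added statement for `"Service": "codebuild.amazonaws.com"` consists of `Action`, `Effect`, `Principal` and `Resource` only, with no `Condition`. Scope it with `aws:SourceArn` or `aws:SourceAccount`, or grant the read to the CodeBuild project's role instead of the service principal, and use `s3:GetObject` rather than `s3:Get*` if only object reads are required. The same statement is added to the log, repo-cache and version bucket policies further down.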
[~] AWS::S3::BucketPolicy v2-cloud-deployment-log-dev/Policy v2clouddeploymentlogdevPolicyEFAC9DC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,6 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": "s3:Put*",
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
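Review bot: on the log bucket the first statement's `Action` becomes `s3:Put*` with `"AWS": "*"` still in place as principal. `s3:Put*` covers more than uploads (for example `s3:PutObjectAcl`), so if the intent is only to let writers deliver logs, replace it with `s3:PutObject` and confirm that the part of the statement outside this hunk restricts who can write.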
            @@ -21,10 +21,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": "s3:Put*",
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -40,5 +40,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlogdev6B52B6BD",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-repo-cache-dev/Policy v2clouddeploymentrepocachedevPolicyB12C7ECB 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,9 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,13 +24,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -43,5 +43,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentrepocachedev6F523868",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-version-dev/Policy v2clouddeploymentversiondevPolicy45297030 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentversiondevCDDC2B37",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::IAM::Policy UsercodePolicy UsercodePolicy590B208D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -147,5 +147,10 @@
            [ ]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Resource": "*"
            [+]   },
            [+]   {
            [+]     "Action": "cloudfront:ListOriginAccessControls",
            [+]     "Effect": "Allow",
            [+]     "Resource": "*"
            [ ]   }
            [ ] ]


✨  Number of stacks with differences: 2

NOTICES         (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885	(cli): Bootstrap stack outdated

	Overview: The bootstrap stack in aws://362630019454/eu-west-2 is outdated.
	          We recommend at least version 21, distributed with CDK CLI
	          2.149.0 or higher. Please rebootstrap your environment by
	          runing 'cdk bootstrap aws://362630019454/eu-west-2'

	Affected versions: bootstrap: <21

	More information at: https://github.com/aws/aws-cdk/issues/31885


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 31885".
```

Synth changes have been committed

CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1134ms
CJS dist/sqs.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/sns.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS ⚡️ Build success in 5731ms
CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 942ms
CJS dist/sns.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS dist/sqs.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS ⚡️ Build success in 5649ms
start: Building 1951b46630500d0b7fa2e0f10b3d9edb37369c55ed0a0e44641923b0bca250d5:028446965111-eu-west-2
success: Built 1951b46630500d0b7fa2e0f10b3d9edb37369c55ed0a0e44641923b0bca250d5:028446965111-eu-west-2
start: Publishing 1951b46630500d0b7fa2e0f10b3d9edb37369c55ed0a0e44641923b0bca250d5:028446965111-eu-west-2
success: Published 1951b46630500d0b7fa2e0f10b3d9edb37369c55ed0a0e44641923b0bca250d5:028446965111-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Stack cloud-deployment-service
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                                                     │ Effect │ Action                           │ Principal                                                                          │ Condition                                                                                                                           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ - │ ${cloud-deployment-service-database-secret}                                                                                  │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${cloud-deployment-service-database-secret/Attachment}                                                                       │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
│ + │ ${database/Secret/Attachment}                                                                                                │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda.Arn}                                                                    │ Allow  │ lambda:InvokeFunction            │ AWS:${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │                                                                                                                                     │
│   │ ${resolve-production-database-custom-resource-lambda.Arn}:*                                                                  │        │                                  │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole.Arn}                                                        │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole.Arn}                                           │ Allow  │ sts:AssumeRole                   │ Service:lambda.amazonaws.com                                                       │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
│ - │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                                                          │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                                                                    │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39" │
│   │                                                                                                                              │        │                                  │                                                                                    │ }                                                                                                                                   │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ *                                                                                                                            │ Allow  │ rds:CreateDBClusterSnapshot      │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:CreateDBSnapshot             │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:DescribeDBSnapshots          │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ rds:ListTagsForResource          │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93 │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                                                             │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                                                             │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                                                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                                                         │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                                                            │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole}                                      │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                                                                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                                                                    │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:secretsmanager:eu-west-2:028446965111:secret:tempdatabaseclusterSecret78-yVZFtGSRaBqc-h2JpsK                         │ Allow  │ secretsmanager:DescribeSecret    │ AWS:${resolve-production-database-custom-resource-lambda/ServiceRole}              │                                                                                                                                     │
│   │                                                                                                                              │        │ secretsmanager:GetSecretValue    │                                                                                    │                                                                                                                                     │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                       │ Managed Policy ARN                                                                 │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
│ - │ ${resolve-production-database-custom-resource-lambda/ServiceRole}              │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole │
├───┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ - │ ${resolve-production-database-resource-provider/framework-onEvent/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole     │
└───┴────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────────────────────────┬─────┬────────────┬─────────────────┐
│   │ Group                                                                       │ Dir │ Protocol   │ Peer            │
├───┼─────────────────────────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────┤
│ - │ ${resolve-production-database-custom-resource-lambda/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────────────────────────┴─────┴────────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[-] AWS::SecretsManager::Secret cloud-deployment-service-database-secret clouddeploymentservicedatabasesecret8A2F741C destroy
[-] AWS::SecretsManager::SecretTargetAttachment cloud-deployment-service-database-secret/Attachment clouddeploymentservicedatabasesecretAttachmentEFE1DB42 destroy
[-] AWS::IAM::Role resolve-production-database-custom-resource-lambda/ServiceRole resolveproductiondatabasecustomresourcelambdaServiceRole9BB5730C destroy
[-] AWS::IAM::Policy resolve-production-database-custom-resource-lambda/ServiceRole/DefaultPolicy resolveproductiondatabasecustomresourcelambdaServiceRoleDefaultPolicy7110EB16 destroy
[-] AWS::EC2::SecurityGroup resolve-production-database-custom-resource-lambda/SecurityGroup resolveproductiondatabasecustomresourcelambdaSecurityGroupFB53B404 destroy
[-] AWS::Lambda::Function resolve-production-database-custom-resource-lambda resolveproductiondatabasecustomresourcelambda50A7B07C destroy
[-] AWS::IAM::Role resolve-production-database-resource-provider/framework-onEvent/ServiceRole resolveproductiondatabaseresourceproviderframeworkonEventServiceRole5047AD61 destroy
[-] AWS::IAM::Policy resolve-production-database-resource-provider/framework-onEvent/ServiceRole/DefaultPolicy resolveproductiondatabaseresourceproviderframeworkonEventServiceRoleDefaultPolicyA9E1EBF8 destroy
[-] AWS::Lambda::Function resolve-production-database-resource-provider/framework-onEvent resolveproductiondatabaseresourceproviderframeworkonEventD4310A50 destroy
[-] Custom::LogRetention resolve-production-database-resource-provider/framework-onEvent/LogRetention resolveproductiondatabaseresourceproviderframeworkonEventLogRetention8EBE7449 destroy
[-] AWS::CloudFormation::CustomResource resolve-production-database-custom-resource resolveproductiondatabasecustomresource destroy
[+] AWS::SecretsManager::Secret database/Secret databaseSecret87F1207C 
[+] AWS::SecretsManager::SecretTargetAttachment database/Secret/Attachment databaseSecretAttachment5618DFB3 
[~] AWS::RDS::DBCluster database databaseEBDE4557 may be replaced
 ├─ [~] MasterUserPassword
 │   └─ [~] .Fn::Join:
 │       └─ @@ -3,7 +3,7 @@
 │          [ ] [
 │          [ ]   "{{resolve:secretsmanager:",
 │          [ ]   {
 │          [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
 │          [+]     "Ref": "databaseSecret87F1207C"
 │          [ ]   },
 │          [ ]   ":SecretString:password::}}"
 │          [ ] ]
 └─ [~] MasterUsername (may cause replacement)
     └─ [~] .Fn::Join:
         └─ @@ -3,7 +3,7 @@
            [ ] [
            [ ]   "{{resolve:secretsmanager:",
            [ ]   {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecret87F1207C"
            [ ]   },
            [ ]   ":SecretString:username::}}"
            [ ] ]
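Review bot: the MasterUsername change is flagged "(may cause replacement)" and the DBCluster itself "may be replaced", while the old secret clouddeploymentservicedatabasesecret8A2F741C is marked destroy, so this Ref swap can recreate the cluster against freshly generated credentials. Before deploying, confirm the cluster has a snapshot or retain removal policy and that databaseSecret87F1207C resolves to the same username, or import the existing secret so the resolved value does not change.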
[~] AWS::IAM::Policy sqs/ServiceRole/DefaultPolicy sqsServiceRoleDefaultPolicy6C36BFC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
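Review bot: the sts:AssumeRole target moves to a different account (727646485319 to 362630019454) as a hard-coded ARN, and the same literal is repeated in USERCODE_ACCOUNT_ID and USERCODE_ROLE_ARN in the function environment. Confirm that 362630019454 is the intended usercode account and that the trust policy on cloud-deployment-usercode-dev-UsercodeStackRole there names this service role. Deriving the account ID from a single config value would keep policy and environment from drifting apart.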
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": "cloudfront:ListOriginAccessControls",
[~] AWS::Lambda::Function sqs sqs1386CA46 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] 4943f2604a738222a48ad5e5001503c7f2353a024a5f3b52ca91e0808d225533.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy appEvents/ServiceRole/DefaultPolicy appEventsServiceRoleDefaultPolicy8F8F9E18 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::Lambda::Function appEvents appEventsB07C8627 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] 4943f2604a738222a48ad5e5001503c7f2353a024a5f3b52ca91e0808d225533.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy sns/ServiceRole/DefaultPolicy snsServiceRoleDefaultPolicy369F17E6 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
[~] AWS::Lambda::Function sns sns78FA588D 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] 4943f2604a738222a48ad5e5001503c7f2353a024a5f3b52ca91e0808d225533.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::Lambda::Permission sns/AllowInvoke:clouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5 snsAllowInvokeclouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5BD70496D replace
 └─ [~] SourceArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::SNS::Subscription sns/codebuild-sns-topic-dev snscodebuildsnstopicdev38EBA9E4 replace
 └─ [~] TopicArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::IAM::Policy httpApi/ServiceRole/DefaultPolicy httpApiServiceRoleDefaultPolicy553EAA67 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function httpApi httpApiC9FAD708 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] 84d324d4657171daa59ac57db4dbcf2d781029cb8496271d73003fc21119c40e.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy http/ServiceRole/DefaultPolicy httpServiceRoleDefaultPolicy27B3FF2D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function http httpD8F39B44 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] e57afde775ccc550a9637146b2fd6d2f11115eec991cdd57bec66edcb54c600f.zip
 │       └─ [+] 84d324d4657171daa59ac57db4dbcf2d781029cb8496271d73003fc21119c40e.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID
[~] AWS::IAM::Policy cloud-deployment-migration/ServiceRole/DefaultPolicy clouddeploymentmigrationServiceRoleDefaultPolicy145F9A22 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -11,7 +11,7 @@
            [ ]   ],
            [ ]   "Effect": "Allow",
            [ ]   "Resource": {
            [-]     "Ref": "clouddeploymentservicedatabasesecret8A2F741C"
            [+]     "Ref": "databaseSecretAttachment5618DFB3"
            [ ]   }
            [ ] },
            [ ] {
            @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -144,7 +144,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93"
            [+]       ":codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d"
            [ ]     ]
            [ ]   ]
            [ ] }
            @@ -173,6 +173,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function cloud-deployment-migration clouddeploymentmigration9A43D76C 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] a566eedf58c2973a5784c3dcda1f8d2e82e1ec5f47c045bf783aca976aedf3c6.zip
 │       └─ [+] 4943f2604a738222a48ad5e5001503c7f2353a024a5f3b52ca91e0808d225533.zip
 └─ [~] Environment
     └─ [~] .Variables:
         ├─ [~] .CERT_ARN:
         │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
         │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
         ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
         │   └─ [~] .Fn::Join:
         │       └─ @@ -5,6 +5,6 @@
         │          [ ]     {
         │          [ ]       "Ref": "AWS::Partition"
         │          [ ]     },
         │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
         │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
         │          [ ]   ]
         │          [ ] ]
         ├─ [~] .CODE_BUILD_PROJECT_NAME:
         │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
         │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
         ├─ [~] .DATABASE_SECRET_ARN:
         │   └─ [~] .Ref:
         │       ├─ [-] clouddeploymentservicedatabasesecret8A2F741C
         │       └─ [+] databaseSecretAttachment5618DFB3
         ├─ [~] .HOSTED_ZONE_ID:
         │   ├─ [-] Z0848069B8MAW5QKQS6H
         │   └─ [+] Z0984639I4QETVUJB1YD
         ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
         ├─ [~] .USERCODE_ACCOUNT_ID:
         │   ├─ [-] 727646485319
         │   └─ [+] 362630019454
         ├─ [~] .USERCODE_ROLE_ARN:
         │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
         │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
         └─ [-] Removed: .VPC_ID

start: Building 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Built 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
start: Publishing 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
success: Published 0b7c25e83bac6d75293ba0fb8f70f844b99f1cb55d005f6c0ca010d036248ac2:362630019454-eu-west-2
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Could not create a change set, will base the diff on template differences (run again with -v to see the reason)
Stack cloud-deployment-usercode-dev
IAM Statement Changes
┌───┬─────────────────────────────────────────────┬────────┬─────────────────────────────────────┬──────────────────────────────────┬───────────┐
│   │ Resource                                    │ Effect │ Action                              │ Principal                        │ Condition │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-live-dev.Arn}/*       │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-log-dev.Arn}/*        │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-repo-cache-dev.Arn}/* │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:cloudfront.amazonaws.com │           │
│ + │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:Get*                             │ Service:codebuild.amazonaws.com  │           │
│ - │ ${v2-cloud-deployment-version-dev.Arn}/*    │ Allow  │ s3:GetObject                        │ AWS:*                            │           │
├───┼─────────────────────────────────────────────┼────────┼─────────────────────────────────────┼──────────────────────────────────┼───────────┤
│ + │ *                                           │ Allow  │ cloudfront:ListOriginAccessControls │ AWS:${UsercodeStackRole}         │           │
└───┴─────────────────────────────────────────────┴────────┴─────────────────────────────────────┴──────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[+] AWS::CloudFront::OriginAccessControl s3-origin s3origin 
[~] AWS::S3::BucketPolicy v2-cloud-deployment-live-dev/Policy v2clouddeploymentlivedevPolicy0BF1B47D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
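Review bot: the first statement keeps "Principal": {"AWS": "*"} while its Action widens from s3:GetObject to s3:Get*, s3:List* and s3:Put*, and no Condition appears in the visible lines. Read with the next hunk this looks like the old wildcard statement moving up rather than a new grant, but unless a Condition outside the visible lines restricts it, any principal can still write to the bucket. Scope it to named principals or add a Condition such as aws:PrincipalOrgID, and narrow s3:Put* to the specific actions needed.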
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
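Review bot: The CloudFront grant at `"Service": "cloudfront.amazonaws.com"` has no Condition in the visible lines, so the statement is not tied to this stack's distribution. For an origin access control the bucket policy should match `AWS:SourceArn` against the distribution ARN; without it the service principal alone is what the bucket trusts. `s3:Get*` is also wider than the `s3:GetObject` that serving objects needs.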
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlivedev087DF299",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
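Review bot: The added statement trusts `codebuild.amazonaws.com` as a service principal on every object in the bucket with no Condition, which does not identify which project or account is reading. If the builds read these objects through the CodeBuild project's service role, grant `s3:GetObject` to that role instead and drop this statement; if the service principal is really required, add an `aws:SourceArn` or `aws:SourceAccount` condition.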
[~] AWS::S3::BucketPolicy v2-cloud-deployment-log-dev/Policy v2clouddeploymentlogdevPolicyEFAC9DC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,6 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": "s3:Put*",
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
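Review bot: `s3:Put*` under `"AWS": "*"` on the log bucket matches more than object uploads, for example `s3:PutObjectAcl` and `s3:PutObjectTagging`. Name the actions the writers need (normally just `s3:PutObject`) and scope the principal to the services or roles that deliver logs.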
            @@ -21,10 +21,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": "s3:Put*",
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
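Review bot: This gives `cloudfront.amazonaws.com` read access to the log bucket, the same `s3:Get*` statement the live bucket receives. If the log bucket is not a CloudFront origin the statement should not be attached here; it looks as if one shared set of statements is applied to every bucket, so consider building each policy from the bucket's role (origin, logs, cache).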
            @@ -40,5 +40,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentlogdev6B52B6BD",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-repo-cache-dev/Policy v2clouddeploymentrepocachedevPolicyB12C7ECB 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,9 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,13 +24,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -43,5 +43,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentrepocachedev6F523868",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::S3::BucketPolicy v2-cloud-deployment-version-dev/Policy v2clouddeploymentversiondevPolicy45297030 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -1,6 +1,10 @@
            [ ] [
            [ ]   {
            [-]     "Action": "s3:GetObject",
            [+]     "Action": [
            [+]       "s3:Get*",
            [+]       "s3:List*",
            [+]       "s3:Put*"
            [+]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Principal": {
            [ ]       "AWS": "*"
            @@ -21,14 +25,10 @@
            [ ]   }
            [ ] },
            [ ] {
            [-]   "Action": [
            [-]     "s3:Get*",
            [-]     "s3:List*",
            [-]     "s3:Put*"
            [-]   ],
            [+]   "Action": "s3:Get*",
            [ ]   "Effect": "Allow",
            [ ]   "Principal": {
            [-]     "AWS": "*"
            [+]     "Service": "cloudfront.amazonaws.com"
            [ ]   },
            [ ]   "Resource": {
            [ ]     "Fn::Join": [
            @@ -44,5 +44,26 @@
            [ ]         ]
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "s3:Get*",
            [+]     "Effect": "Allow",
            [+]     "Principal": {
            [+]       "Service": "codebuild.amazonaws.com"
            [+]     },
            [+]     "Resource": {
            [+]       "Fn::Join": [
            [+]         "",
            [+]         [
            [+]           {
            [+]             "Fn::GetAtt": [
            [+]               "v2clouddeploymentversiondevCDDC2B37",
            [+]               "Arn"
            [+]             ]
            [+]           },
            [+]           "/*"
            [+]         ]
            [+]       ]
            [+]     }
            [ ]   }
            [ ] ]
[~] AWS::IAM::Policy UsercodePolicy UsercodePolicy590B208D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -147,5 +147,10 @@
            [ ]     ],
            [ ]     "Effect": "Allow",
            [ ]     "Resource": "*"
            [+]   },
            [+]   {
            [+]     "Action": "cloudfront:ListOriginAccessControls",
            [+]     "Effect": "Allow",
            [+]     "Resource": "*"
            [ ]   }
            [ ] ]
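Review bot: `cloudfront:ListOriginAccessControls` on `"Resource": "*"` is added with nothing in the diff explaining why the usercode role must enumerate origin access controls. The same diff creates a single `AWS::CloudFront::OriginAccessControl` (`s3-origin`), so passing its Id to the code that needs it would avoid the list permission; if listing is required, say so in the PR description.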


✨  Number of stacks with differences: 2

NOTICES         (What's this? https://github.com/aws/aws-cdk/wiki/CLI-Notices)

31885	(cli): Bootstrap stack outdated

	Overview: The bootstrap stack in aws://362630019454/eu-west-2 is outdated.
	          We recommend at least version 21, distributed with CDK CLI
	          2.149.0 or higher. Please rebootstrap your environment by
	          runing 'cdk bootstrap aws://362630019454/eu-west-2'

	Affected versions: bootstrap: <21

	More information at: https://github.com/aws/aws-cdk/issues/31885


If you don’t want to see a notice anymore, use "cdk acknowledge <id>". For example, "cdk acknowledge 31885".
```


codacy-production bot commented Jan 15, 2025

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
Report missing for 2ca2ebe [1]

Coverage variation details

| | Coverable lines | Covered lines | Coverage |
| --- | --- | --- | --- |
| Common ancestor commit (2ca2ebe) | Report Missing | Report Missing | Report Missing |
| Head commit (2f6eb1f) | 1314 | 872 | 66.36% |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

| | Coverable lines | Covered lines | Diff coverage |
| --- | --- | --- | --- |
| Pull request (#11498) | 0 | 0 | ∅ (not applicable) |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more

Footnotes

  1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.


Synth changes have been committed

CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1072ms
CJS dist/http.js          35.88 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/sns.js           35.86 MB
CJS dist/sqs.js           35.86 MB
CJS ⚡️ Build success in 6015ms
CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1133ms
CJS dist/sns.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS dist/sqs.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS ⚡️ Build success in 5628ms
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬───────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                                                     │ Effect │ Action                           │ Principal                                     │ Condition                                                                                                                           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                     │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                               │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158" │
│   │                                                                                                                              │        │                                  │                                               │ }                                                                                                                                   │
│ - │ ${sns.Arn}                                                                                                                   │ Allow  │ lambda:InvokeFunction            │ Service:sns.amazonaws.com                     │ "ArnLike": {                                                                                                                        │
│   │                                                                                                                              │        │                                  │                                               │   "AWS:SourceArn": "arn:${AWS::Partition}:sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39" │
│   │                                                                                                                              │        │                                  │                                               │ }                                                                                                                                   │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93 │ Allow  │ codebuild:StartBuild             │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                        │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│ + │ arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${sns/ServiceRole}                        │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│ - │ arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole                                               │ Allow  │ sts:AssumeRole                   │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼───────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${sqs/ServiceRole}                        │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${appEvents/ServiceRole}                  │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${httpApi/ServiceRole}                    │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${http/ServiceRole}                       │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                                            │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${cloud-deployment-migration/ServiceRole} │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetChange                │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:GetHostedZone            │                                               │                                                                                                                                     │
│   │                                                                                                                              │        │ route53:ListResourceRecordSets   │                                               │                                                                                                                                     │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴───────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
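Review bot: route53:ChangeResourceRecordSets on hosted zone Z0984639I4QETVUJB1YD is granted in these rows to each of the appEvents, httpApi, http and cloud-deployment-migration service roles, and no condition is shown for any of them. If only some of these functions write DNS records, drop the write action from the others and keep the read actions (route53:GetHostedZone, route53:ListResourceRecordSets). For the roles that do write, consider restricting record names or types with the route53:ChangeResourceRecordSetsNormalizedRecordNames and route53:ChangeResourceRecordSetsRecordTypes condition keys.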

Resources
[~] AWS::IAM::Policy sqs/ServiceRole/DefaultPolicy sqsServiceRoleDefaultPolicy6C36BFC1 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": "cloudfront:ListOriginAccessControls",
[~] AWS::Lambda::Function sqs sqs1386CA46 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
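Review bot: .TEMPORARY_CLUSTER_ID and .VPC_ID are removed from the sqs function's environment in the same change that swaps the code asset and repoints CERT_ARN, HOSTED_ZONE_ID, USERCODE_ACCOUNT_ID and USERCODE_ROLE_ARN from account 727646485319 to 362630019454. Please confirm the new bundle no longer reads the two removed variables, since a missing value would only fail at invocation time. The same environment change is applied to the appEvents, sns, httpApi, http and cloud-deployment-migration functions further down, so one check of the shared configuration code should cover all of them.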
[~] AWS::IAM::Policy appEvents/ServiceRole/DefaultPolicy appEventsServiceRoleDefaultPolicy8F8F9E18 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,7 +152,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::Lambda::Function appEvents appEventsB07C8627 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
[~] AWS::IAM::Policy sns/ServiceRole/DefaultPolicy snsServiceRoleDefaultPolicy369F17E6 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
[~] AWS::Lambda::Function sns sns78FA588D 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
[~] AWS::Lambda::Permission sns/AllowInvoke:clouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5 snsAllowInvokeclouddeploymentusercodedevcodebuildsnstopicdevEA93C2F5BD70496D replace
 └─ [~] SourceArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
[~] AWS::SNS::Subscription sns/codebuild-sns-topic-dev snscodebuildsnstopicdev38EBA9E4 replace
 └─ [~] TopicArn (requires replacement)
     └─ [~] .Fn::Join:
         └─ @@ -5,6 +5,6 @@
            [ ]     {
            [ ]       "Ref": "AWS::Partition"
            [ ]     },
            [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
            [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
            [ ]   ]
            [ ] ]
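Review bot: the TopicArn here, like the SourceArn on the sns/AllowInvoke permission above it, is assembled by Fn::Join from a literal account id and topic name rather than from a reference to the topic resource, so CloudFormation has nothing to order this replacement against. Both resources are marked replace; please confirm the topic named on the [+] line already exists in account 362630019454 before this stack is deployed, otherwise the subscription can fail to create and the sns function would stop receiving these notifications.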
[~] AWS::IAM::Policy httpApi/ServiceRole/DefaultPolicy httpApiServiceRoleDefaultPolicy553EAA67 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function httpApi httpApiC9FAD708 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] a79e6cf331f598a828123c99201846a90906a71aa81c63ed7349c07b4304be42.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.a79e6cf331f598a828123c99201846a90906a71aa81c63ed7349c07b4304be42.zip
[~] AWS::IAM::Policy http/ServiceRole/DefaultPolicy httpServiceRoleDefaultPolicy27B3FF2D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -152,6 +152,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function http httpD8F39B44 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] a79e6cf331f598a828123c99201846a90906a71aa81c63ed7349c07b4304be42.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.a79e6cf331f598a828123c99201846a90906a71aa81c63ed7349c07b4304be42.zip
[~] AWS::IAM::Policy cloud-deployment-migration/ServiceRole/DefaultPolicy clouddeploymentmigrationServiceRoleDefaultPolicy145F9A22 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -124,7 +124,7 @@
            [ ] {
            [ ]   "Action": "sts:AssumeRole",
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [+]   "Resource": "arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole"
            [ ] },
            [ ] {
            [ ]   "Action": "secretsmanager:GetSecretValue",
            @@ -144,7 +144,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":codebuild:eu-west-2:727646485319:project/cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93"
            [+]       ":codebuild:eu-west-2:362630019454:project/cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d"
            [ ]     ]
            [ ]   ]
            [ ] }
            @@ -173,6 +173,6 @@
            [ ]       "route53:ListResourceRecordSets"
            [ ]     ],
            [ ]     "Effect": "Allow",
            [-]     "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]     "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ]   }
            [ ] ]
[~] AWS::Lambda::Function cloud-deployment-migration clouddeploymentmigration9A43D76C 
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
 │       └─ [+] b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip
 ├─ [~] Environment
 │   └─ [~] .Variables:
 │       ├─ [~] .CERT_ARN:
 │       │   ├─ [-] arn:aws:acm:us-east-1:727646485319:certificate/f8914c81-9df0-417f-a95b-ae0a6a346454
 │       │   └─ [+] arn:aws:acm:us-east-1:362630019454:certificate/2ca1ea33-30cc-4ddd-b796-cd47dffd50d8
 │       ├─ [~] .CODEBUILD_PIPELINE_UPDATE_TOPIC_ARN:
 │       │   └─ [~] .Fn::Join:
 │       │       └─ @@ -5,6 +5,6 @@
 │       │          [ ]     {
 │       │          [ ]       "Ref": "AWS::Partition"
 │       │          [ ]     },
 │       │          [-]     ":sns:eu-west-2:727646485319:cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39"
 │       │          [+]     ":sns:eu-west-2:362630019454:cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158"
 │       │          [ ]   ]
 │       │          [ ] ]
 │       ├─ [~] .CODE_BUILD_PROJECT_NAME:
 │       │   ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
 │       │   └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
 │       ├─ [~] .HOSTED_ZONE_ID:
 │       │   ├─ [-] Z0848069B8MAW5QKQS6H
 │       │   └─ [+] Z0984639I4QETVUJB1YD
 │       ├─ [-] Removed: .TEMPORARY_CLUSTER_ID
 │       ├─ [~] .USERCODE_ACCOUNT_ID:
 │       │   ├─ [-] 727646485319
 │       │   └─ [+] 362630019454
 │       ├─ [~] .USERCODE_ROLE_ARN:
 │       │   ├─ [-] arn:aws:iam::727646485319:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       │   └─ [+] arn:aws:iam::362630019454:role/cloud-deployment-usercode-dev-UsercodeStackRole
 │       └─ [-] Removed: .VPC_ID
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.51a24b86ef7885b0cfa6ef6c821c990004f3347921f340a04723e0b7b44b50bd.zip
         └─ [+] asset.b2f7d975d45a42731548636ddc1a679401c2880ac31c709e6f3b0d15b0b7deb5.zip


✨  Number of stacks with differences: 1

CLI Building entry: {"authorizer/index":"../utils-authorizer/src/handler.ts"}
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Building entry: src/http.ts, src/sqs.ts, src/sns.ts, src/migration-run.ts
CLI Using tsconfig: tsconfig.json
CLI tsup v6.7.0
CLI Using tsup config: /home/runner/work/foundations/foundations/packages/deployment-service/tsup.config.js
CLI Target: node18
CLI Target: node18
CLI Cleaning output folder
CJS Build start
CLI Cleaning output folder
CJS Build start
CJS dist/authorizer/index.js 183.92 KB
CJS ⚡️ Build success in 1123ms
CJS dist/sqs.js           35.86 MB
CJS dist/http.js          35.88 MB
CJS dist/sns.js           35.86 MB
CJS dist/migration-run.js 35.86 MB
CJS ⚡️ Build success in 5696ms
IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────┬──────────────────────────────────────────────────┬───────────┐
│   │ Resource                                                                                             │ Effect │ Action                           │ Principal                                        │ Condition │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ + │ ${UsercodeStackRole.Arn}                                                                             │ Allow  │ sts:AssumeRole                   │ AWS:arn:${AWS::Partition}:iam::362630019454:root │           │
│ - │ ${UsercodeStackRole.Arn}                                                                             │ Allow  │ sts:AssumeRole                   │ AWS:arn:${AWS::Partition}:iam::727646485319:root │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:codebuild:eu-west-2:362630019454:report-group/${codebuilddev5662E660}-*        │ Allow  │ codebuild:BatchPutCodeCoverages  │ AWS:${codebuild-dev/Role}                        │           │
│   │                                                                                                      │        │ codebuild:BatchPutTestCases      │                                                  │           │
│   │                                                                                                      │        │ codebuild:CreateReport           │                                                  │           │
│   │                                                                                                      │        │ codebuild:CreateReportGroup      │                                                  │           │
│   │                                                                                                      │        │ codebuild:UpdateReport           │                                                  │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ - │ arn:${AWS::Partition}:codebuild:eu-west-2:727646485319:report-group/${codebuilddev5662E660}-*        │ Allow  │ codebuild:BatchPutCodeCoverages  │ AWS:${codebuild-dev/Role}                        │           │
│   │                                                                                                      │        │ codebuild:BatchPutTestCases      │                                                  │           │
│   │                                                                                                      │        │ codebuild:CreateReport           │                                                  │           │
│   │                                                                                                      │        │ codebuild:CreateReportGroup      │                                                  │           │
│   │                                                                                                      │        │ codebuild:UpdateReport           │                                                  │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:logs:eu-west-2:362630019454:log-group:/aws/codebuild/${codebuilddev5662E660}   │ Allow  │ logs:CreateLogGroup              │ AWS:${codebuild-dev/Role}                        │           │
│   │ arn:${AWS::Partition}:logs:eu-west-2:362630019454:log-group:/aws/codebuild/${codebuilddev5662E660}:* │        │ logs:CreateLogStream             │                                                  │           │
│   │                                                                                                      │        │ logs:PutLogEvents                │                                                  │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ - │ arn:${AWS::Partition}:logs:eu-west-2:727646485319:log-group:/aws/codebuild/${codebuilddev5662E660}   │ Allow  │ logs:CreateLogGroup              │ AWS:${codebuild-dev/Role}                        │           │
│   │ arn:${AWS::Partition}:logs:eu-west-2:727646485319:log-group:/aws/codebuild/${codebuilddev5662E660}:* │        │ logs:CreateLogStream             │                                                  │           │
│   │                                                                                                      │        │ logs:PutLogEvents                │                                                  │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ - │ arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H                                                    │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${UsercodeStackRole}                         │           │
│   │                                                                                                      │        │ route53:GetChange                │                                                  │           │
│   │                                                                                                      │        │ route53:GetHostedZone            │                                                  │           │
│   │                                                                                                      │        │ route53:ListResourceRecordSets   │                                                  │           │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────┼──────────────────────────────────────────────────┼───────────┤
│ + │ arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD                                                    │ Allow  │ route53:ChangeResourceRecordSets │ AWS:${UsercodeStackRole}                         │           │
│   │                                                                                                      │        │ route53:GetChange                │                                                  │           │
│   │                                                                                                      │        │ route53:GetHostedZone            │                                                  │           │
│   │                                                                                                      │        │ route53:ListResourceRecordSets   │                                                  │           │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────┴──────────────────────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[~] AWS::IAM::Policy codebuild-dev/Role/DefaultPolicy codebuilddevRoleDefaultPolicyBDB5BA5E 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -15,7 +15,7 @@
            [ ] {
            [ ]   "Ref": "AWS::Partition"
            [ ] },
            [-] ":logs:eu-west-2:727646485319:log-group:/aws/codebuild/",
            [+] ":logs:eu-west-2:362630019454:log-group:/aws/codebuild/",
            [ ] {
            [ ]   "Ref": "codebuilddev5662E660"
            [ ] }
            @@ -30,7 +30,7 @@
            [ ] {
            [ ]   "Ref": "AWS::Partition"
            [ ] },
            [-] ":logs:eu-west-2:727646485319:log-group:/aws/codebuild/",
            [+] ":logs:eu-west-2:362630019454:log-group:/aws/codebuild/",
            [ ] {
            [ ]   "Ref": "codebuilddev5662E660"
            [ ] },
            @@ -57,7 +57,7 @@
            [ ] {
            [ ]   "Ref": "AWS::Partition"
            [ ] },
            [-] ":codebuild:eu-west-2:727646485319:report-group/",
            [+] ":codebuild:eu-west-2:362630019454:report-group/",
            [ ] {
            [ ]   "Ref": "codebuilddev5662E660"
            [ ] },
[~] AWS::CodeBuild::Project codebuild-dev codebuilddev5662E660 replace
 └─ [~] Name (requires replacement)
     ├─ [-] cloud-deployment-usercodeedevcodebuilddeve392e6a95eacb8ae1c93
     └─ [+] cloud-deployment-usercodeedevcodebuilddeve392e6a940b784b8197d
[~] AWS::SNS::Topic codebuild-sns-topic-dev codebuildsnstopicdev55AC73B5 replace
 └─ [~] TopicName (requires replacement)
     ├─ [-] cloud-deployment-usercodebuildsnstopicdevea93c2f5a2ee4c1b5c39
     └─ [+] cloud-deployment-usercodebuildsnstopicdevea93c2f5f8b110a34158
[~] AWS::IAM::Policy UsercodePolicy UsercodePolicy590B208D 
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -105,7 +105,7 @@
            [ ]     "route53:ListResourceRecordSets"
            [ ]   ],
            [ ]   "Effect": "Allow",
            [-]   "Resource": "arn:aws:route53:::hostedzone/Z0848069B8MAW5QKQS6H"
            [+]   "Resource": "arn:aws:route53:::hostedzone/Z0984639I4QETVUJB1YD"
            [ ] },
            [ ] {
            [ ]   "Action": [
[~] AWS::IAM::Role UsercodeStackRole UsercodeStackRoleC1FD22AF 
 └─ [~] AssumeRolePolicyDocument
     └─ [~] .Statement:
         └─ @@ -29,7 +29,7 @@
            [ ]       {
            [ ]         "Ref": "AWS::Partition"
            [ ]       },
            [-]       ":iam::727646485319:root"
            [+]       ":iam::362630019454:root"
            [ ]     ]
            [ ]   ]
            [ ] }


✨  Number of stacks with differences: 1
```
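Review bot: in the three `codebuild-dev/Role/DefaultPolicy` hunks (`@@ -15,7`, `@@ -30,7`, `@@ -57,7`) the account ID is a string literal inside the ARN (`":logs:eu-west-2:362630019454:log-group:/aws/codebuild/"`) while the partition right above it is a `Ref` to `AWS::Partition`. If the stack is meant to be deployable to more than one account, resolve the account the same way (the `AWS::AccountId` pseudo parameter) so the log-group and report-group ARNs follow the deployment target and an account move does not show up as an IAM policy rewrite. If the account is pinned on purpose, confirm that 362630019454 is the intended target, since all three statements and the role trust policy further down move to it together.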
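Review bot: `codebuild-dev` and `codebuild-sns-topic-dev` are both marked `replace` because only their generated physical names change (`Name (requires replacement)`, `TopicName (requires replacement)`). Replacement creates new resources and deletes the old ones, so anything that refers to the old project or topic by name or ARN outside this stack, and any topic subscription not defined in this stack, will not carry over. Check for such consumers before deploying, or keep the physical names stable if replacing these resources is not the goal of the change.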
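Review bot: the `UsercodePolicy` hunk at `@@ -105,7` repoints a statement that includes `route53:ChangeResourceRecordSets` from `hostedzone/Z0848069B8MAW5QKQS6H` to `hostedzone/Z0984639I4QETVUJB1YD`. That action on a whole zone lets `UsercodeStackRole` create, change or delete any record in it, so confirm the new zone ID is the one owned by the target account and not a shared or parent zone. If the role only needs to manage a known set of record names, narrow the statement with the Route 53 condition keys for record names and types (for example `route53:ChangeResourceRecordSetsNormalizedRecordNames`).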
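Review bot: the `UsercodeStackRole` `AssumeRolePolicyDocument` hunk at `@@ -29,7` changes the trusted principal from `:iam::727646485319:root` to `:iam::362630019454:root`. Trusting an account root delegates the decision to that account: any principal there that has been granted `sts:AssumeRole` on this role can assume it, and per the table above the role can write records in the Route 53 hosted zone. Confirm that 362630019454 is the intended account and that 727646485319 is meant to lose access, and consider trusting the specific role ARN that needs this access (or adding a condition to the statement) instead of the account root.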

@bashleigh bashleigh closed this Jan 16, 2025
@bashleigh bashleigh deleted the RPLT-728-CDK-output-review branch January 16, 2025 13:52